Google Auth Linking overwrites other auth providers. #25

Closed
shubhendu1 opened this issue Sep 18, 2018 · 4 comments

@shubhendu1

  • Android Studio version: 3.1.4
  • Firebase Component: Authentication
  • Component version: 16.0.3

I am trying to link multiple auth providers for a user. Everything is working fine, but when the user tries to connect a Google account to an account with other auth providers, the Google account seems to overwrite every other account.

Steps to reproduce:

Created an account using email and password.
Linked it with Facebook and Twitter accounts.
After linking to a Google account, it overwrites all the other accounts.

Relevant Code:

AuthCredential credential = GoogleAuthProvider.getCredential(account.getIdToken(), null);
FirebaseUser user = mAuth.getCurrentUser();
user.linkWithCredential(credential);

@bojeil-google

That should not be the case. Google would overwrite existing providers if you sign in with it. Check this post for more on this behavior. However, if you link the credential, the existing providers should remain.

@shubhendu1
Author

I was trying to link the user's accounts on FirebaseAuthUserCollisionException, but in the case of Google Auth this exception is not returned; Firebase overwrites the existing accounts with the Google account and lets the user log in.
Although I have only tested this on accounts created with the same Gmail ID, I don't know what will happen if different accounts have different emails associated with them.
Also, is Google overwriting the intended flow?
And if it is, then how do I handle my specific use case?

@bojeil-google

Your example and your follow-up answer contradict each other. You are in fact signing in with Google to an existing unverified email account. This is the intended behavior. If a user signs up with an unverified provider (e.g. email/password without verification) and then signs in with a verified provider, the account is overwritten and the unverified provider is unlinked. This is done for security reasons, as anyone can claim an unverified email and we cannot confirm they are the same user.

@samtstern
Contributor

Closing as @bojeil-google has identified this as intended behavior. Thanks for clarifying!
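
The distinction drawn in this thread (linking keeps existing providers, while signing in with Google to an unverified email account unlinks the unverified provider), as an added Android example that is not code from the issue or from the Firebase project. `GoogleLinkGuard` and its method names are hypothetical, and the snippet assumes the Firebase Auth and Play Services Tasks libraries are on the classpath.

```java
import com.google.android.gms.tasks.Task;
import com.google.android.gms.tasks.Tasks;
import com.google.firebase.auth.AuthCredential;
import com.google.firebase.auth.EmailAuthProvider;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.auth.GoogleAuthProvider;
import com.google.firebase.auth.UserInfo;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper for illustration; not part of the Firebase SDK or this issue. */
public final class GoogleLinkGuard {
    /** Provider IDs attached to the user, e.g. "password", "facebook.com". */
    static Set<String> providerIds(FirebaseUser user) {
        Set<String> ids = new HashSet<>();
        for (UserInfo info : user.getProviderData()) {
            ids.add(info.getProviderId());
        }
        return ids;
    }

    /** True for the case the thread describes: a password provider whose email is unverified. */
    static boolean hasUnverifiedPassword(FirebaseUser user) {
        return providerIds(user).contains(EmailAuthProvider.PROVIDER_ID) && !user.isEmailVerified();
    }

    /**
     * Links Google to the already signed-in user and resolves to the providers that
     * disappeared (expected: empty). Fails when nobody is signed in instead of
     * falling back to signInWithCredential(), the path on which the overwrite happens.
     */
    static Task<Set<String>> linkGoogle(FirebaseAuth auth, String googleIdToken) {
        FirebaseUser user = auth.getCurrentUser();
        if (user == null) {
            return Tasks.forException(new IllegalStateException("sign in with an existing provider first"));
        }
        return user.reload().continueWithTask(reload -> { // refresh cached verification state
            if (!reload.isSuccessful()) return Tasks.forException(reload.getException());
            // The thread ties the unlinking to the provider being unverified, so ask for verification.
            if (hasUnverifiedPassword(user)) user.sendEmailVerification();
            Set<String> before = providerIds(user);
            AuthCredential credential = GoogleAuthProvider.getCredential(googleIdToken, null);
            return user.linkWithCredential(credential).continueWith(link -> {
                Set<String> dropped = new HashSet<>(before);
                dropped.removeAll(providerIds(link.getResult().getUser()));
                return dropped; // providers present before the link but missing after it
            });
        });
    }
}
```

A non-empty result is worth logging, since per the thread a link operation should leave the existing providers in place.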

@firebase firebase locked and limited conversation to collaborators Oct 14, 2019