Should social accounts auto-link on email address? #477
Currently when logging in with a social account it will only allow login if the account is linked to a user. If a matching email is found it will not auto-link based on email address but advise the user should link their account in settings.
Similarly, when registering via a social account it will display an error if the user already exists and they're required to log in to link their account.
It would be a nicer user experience to simply always link on email address if possible.
Really I suppose it comes down to the security of the OAuth service, but if it's trusted for new registrations it might as well be trusted for linking to existing contacts?
My current thinking is that it could be circumvented by updating a random account on the OAuth provider side to the desired email address, and if that email address (despite its pending verification status on the provider end) is passed to BookStack, it could be used to gain entry if auto-linking is enabled.
That being said, what I would like is the option to auto-create and auto-link for Google users that are in a specified G Suite organisation, as well as memberships based on G Suite groups, so the user is just presented with a 'Log in with Google' button that works regardless of whether they've visited it before.
referenced this issue
Nov 6, 2017
I would also like to see this behaviour and a registration/login flow as described by @jordankueh. Combined with "remember me" working for social logins (#847), all the users of a linked domain would have to do is click "Log in with Google", once, to log in securely. The first time would require them to confirm their email address.
@ffub why is confirming the email address required when the email was already verified by Google? I think the email verification should be skipped for users authenticating with Google, i.e. you cannot use someone else's email to log in with Google, so there is no need to verify the identity (that was the purpose of the Google Auth).
Do you guys have an update on these automatic signup features for social login? That is a blocker on my side to fully use the tool.
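The two points raised in this thread, an address that is still pending verification on the provider side and restricting auto-create/auto-link to one G Suite organisation, can be expressed as a single linking decision. The following is an added example, not BookStack code: `LinkPolicy`, `decide` and the sample claims are hypothetical, and it assumes the ID token's signature, issuer, audience and expiry were already validated. `email_verified` and `hd` are the claims Google puts in its ID tokens.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LinkPolicy:                      # hypothetical settings, not BookStack config keys
    auto_link: bool = True
    auto_register: bool = True
    allowed_domains: frozenset = frozenset()   # empty set = no organisation restriction

def decide(claims: dict, local_emails: set, links: dict, policy: LinkPolicy) -> str:
    """Return 'login', 'link', 'register' or 'reject:<reason>'.

    claims       -- validated ID token claims (assumption: validation done by caller)
    local_emails -- lower-cased addresses of existing local users
    links        -- {(iss, sub): local email} for social accounts linked earlier
    """
    # An existing link is keyed on the provider's stable subject id, never on email,
    # so changing the address on the provider side cannot move the link.
    if (claims.get("iss"), claims.get("sub")) in links:
        return "login"
    email = str(claims.get("email", "")).strip().lower()
    if not email:
        return "reject:no-email"
    # Only a real boolean True counts; a missing claim or the string "true" is refused.
    if claims.get("email_verified") is not True:
        return "reject:email-unverified"
    # Organisation restriction uses the hosted-domain claim, not the address suffix.
    if policy.allowed_domains and claims.get("hd") not in policy.allowed_domains:
        return "reject:domain-not-allowed"
    if email in local_emails:
        return "link" if policy.auto_link else "reject:manual-link-required"
    return "register" if policy.auto_register else "reject:registration-disabled"

# Constructed sample data (not real accounts or tokens).
ISS = "https://accounts.google.com"
POLICY = LinkPolicy(allowed_domains=frozenset({"example.com"}))
LOCAL = {"alice@example.com"}
LINKS = {(ISS, "2000"): "dave@example.com"}
SAMPLES = {
    "pending": {"iss": ISS, "sub": "1001", "email": "alice@example.com",
                "email_verified": False, "hd": "example.com"},
    "verified": {"iss": ISS, "sub": "1002", "email": "Alice@example.com",
                 "email_verified": True, "hd": "example.com"},
    "outside": {"iss": ISS, "sub": "1003", "email": "bob@gmail.com",
                "email_verified": True},
    "new_member": {"iss": ISS, "sub": "1004", "email": "carol@example.com",
                   "email_verified": True, "hd": "example.com"},
    "already_linked": {"iss": ISS, "sub": "2000"},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(f"{name:15} -> {decide(claims, LOCAL, LINKS, POLICY)}")
```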