Should social accounts auto-link on email address? #477

Closed
ssddanbrown opened this Issue Aug 17, 2017 · 6 comments

Comments

4 participants
@ssddanbrown
Member

ssddanbrown commented Aug 17, 2017

Currently, when logging in with a social account, login is only allowed if the account is linked to a user. If a matching email is found it will not auto-link based on email address but advises the user to link their account in settings.

Similarly, when registering via a social account it will display an error if the user already exists and they're required to log in to link their account.

It would be a nicer user experience to simply always link on email address if possible.
Just wondering if anyone has any thoughts on the security of linking based on email address?

Really I suppose it comes down to the security of the OAuth service, but if it's trusted for new registrations it might as well be trusted for linking to existing contacts?

@ssddanbrown

Member

ssddanbrown commented Aug 17, 2017

Additional thought: by doing this some of the social auth code could be cleaned up quite a bit, since the registration/login actions could essentially have the same logic.

@jordankueh

jordankueh commented Aug 18, 2017

My current thinking is that it could be circumvented by updating a random account on the OAuth provider side to the desired email address; if that email address (despite its pending verification status on the provider end) is passed to BookStack, it could be used to gain entry if auto-linking is enabled.

That being said, what I would like is the option to auto-create and auto-link for Google users that are in a specified G Suite organisation, as well as memberships based on G Suite groups so the user is just presented with a 'Log in with Google' button that works regardless of whether they've visited it before 🙃

@ffub

ffub commented May 18, 2018

I would also like to see this behaviour and a registration/login flow as described by @jordankueh. Combined with "remember me" working for social logins (#847), all the users of a linked domain would have to do is click "Log in with Google", once, to log in securely. The first time would require them to confirm their email address.

@ibrahimennafaa

Contributor

ibrahimennafaa commented Aug 15, 2018

@ffub why is confirming the email address required when the email was already verified by Google? I think the email verification should be skipped for users authenticating with Google, i.e. you cannot use someone else's email to log in with Google, so there is no need to verify the identity (that was the purpose of the Google auth).
Does it make sense?

Do you guys have an update on these automatic signup features for social login? That is a blocker on my side to fully use the tool.
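
The two comments above pull in opposite directions: the unverified-email attack (set any email on your own provider account, then log in) versus skipping local verification because Google has already verified the address. Both are reconcilable if the link/create decision is driven by the provider's claims rather than the bare email string. The following is an added example of that decision logic and is not BookStack's code; it assumes OpenID Connect claim names (`sub`, `email`, `email_verified`) plus Google's `hd` hosted-domain claim, an in-memory user table keyed on lowercase email, and a hypothetical `Policy` object. Existing links are matched on the provider's stable `sub`, never on email; email is only consulted when the provider asserts it verified; and auto-creation is restricted to a configured list of G Suite domains, which is what the "Log in with Google" flow above asks for.

```python
"""Decide how to handle an OAuth/OIDC login against local accounts.

Constructed example, not BookStack's implementation. Claim names follow
OpenID Connect; "hd" is Google's hosted-domain claim for G Suite accounts.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class User:
    email: str
    # provider name -> provider's stable subject id, e.g. {"google": "1099..."}
    social_ids: Dict[str, str] = field(default_factory=dict)


@dataclass
class Policy:
    # Hypothetical settings: link an existing local account on a verified email?
    auto_link_verified_email: bool = False
    # Hypothetical setting: hosted domains whose users may be auto-created.
    auto_create_domains: frozenset = frozenset()


def decide(provider: str, claims: dict, users: Dict[str, User],
           policy: Policy) -> Tuple[str, Optional[User]]:
    """Return (action, user).

    Actions: 'login'       - already linked on (provider, sub)
             'link'        - verified email matched a local user and policy allows
             'create'      - verified email in an allowed hosted domain; new user
             'unverified'  - provider did not assert the email is verified; refuse
             'manual_link' - email matched but policy requires an authenticated link
             'unknown'     - nobody to link to and not eligible for auto-create
    """
    sub = claims.get("sub")
    email = (claims.get("email") or "").strip().lower()

    # 1. Existing links are keyed on the provider's subject id, which the user
    #    cannot change, rather than on the email, which they can.
    if sub:
        for user in users.values():
            if user.social_ids.get(provider) == sub:
                return "login", user

    # 2. Everything from here on trusts the email, so the provider must say it
    #    actually verified it. This is the check that defeats the "set a random
    #    account's email to the victim's address" attack described above.
    if not email or claims.get("email_verified") is not True:
        return "unverified", None

    existing = users.get(email)
    if existing is not None:
        if policy.auto_link_verified_email:
            existing.social_ids[provider] = sub
            return "link", existing
        return "manual_link", existing

    # 3. Auto-create only for accounts the provider places in an approved
    #    hosted domain, and only when that domain matches the email's domain.
    domain = email.rsplit("@", 1)[-1]
    hosted_domain = claims.get("hd")
    if hosted_domain and hosted_domain == domain and domain in policy.auto_create_domains:
        new_user = User(email=email, social_ids={provider: sub})
        users[email] = new_user
        return "create", new_user

    return "unknown", None


if __name__ == "__main__":
    # Constructed sample data: one existing local user, auto-create for example.com.
    users = {"alice@example.com": User(email="alice@example.com")}
    policy = Policy(auto_link_verified_email=True,
                    auto_create_domains=frozenset({"example.com"}))
    # Attacker renamed their own provider account to alice's address; unverified.
    print(decide("google", {"sub": "attacker", "email": "alice@example.com",
                            "email_verified": False}, users, policy)[0])
    # Genuine, verified alice: linked on email once, then recognised by sub.
    print(decide("google", {"sub": "alice-sub", "email": "alice@example.com",
                            "email_verified": True}, users, policy)[0])
    print(decide("google", {"sub": "alice-sub", "email": "ALICE@example.com",
                            "email_verified": False}, users, policy)[0])
```

Run stand-alone it prints `unverified`, `link`, `login`: the third call succeeds even without the verified-email claim because the account is now matched on `sub`. A real deployment would take the claims from a signature-checked ID token (or the provider's userinfo endpoint), not from a dictionary.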

@ibrahimennafaa

Contributor

ibrahimennafaa commented Aug 16, 2018

Attempt at a PR here: #966
Let me know what you think :)

@ssddanbrown ssddanbrown added this to the BookStack Beta v0.24.0 milestone Sep 21, 2018

@ssddanbrown

Member

ssddanbrown commented Sep 21, 2018

This flow is now optionally possible as described here: #966 (comment)

Therefore I'll now close this.