
Multiple providers authentication #19

Closed

iamzozo opened this issue Oct 1, 2014 · 5 comments

@iamzozo

iamzozo commented Oct 1, 2014

Hi! First thanks for this great library! Absolutely easy to use, as you mentioned! :)

I would like to offer two authentication providers (e.g. Google & Facebook) if it's possible. Now I have implemented both. But when the "same" user logs in using another provider, another user record will be created. Is it possible to look up the users table by a field (e.g. email) and set the oauth_identities user_id to that record if it exists? (One user to many providers)

@adamwathan
Owner

Hey thanks man!

I've thought about this before too but it's a bit tricky. I think with the supported providers it's not a problem, but this sort of functionality does introduce a security vulnerability if you're not careful.

Imagine someone has an account with your system that they created using their Google account, and they have the email johndoe@gmail.com associated with that account. This person doesn't have a Facebook account.

If a malicious user signs up for a Facebook account using johndoe@gmail.com as their email address, they can login to your system using Facebook, and get access to the real John Doe's data, since the email addresses are the same.

I don't think I would want to add this as the default behavior, but I am trying to think of interesting ways to support it, maybe by adding an extension point where the package determines if it should create a new user or if it should use an existing user. Perhaps by adding an extra optional callback argument to do the comparison.

The other use case that is similar to what you mentioned is if you want to link accounts, which is something I've had to implement on systems before. Like if someone is already logged in with Google and they want to add their Twitter account so that they can log in with either. In this case there's no real security risk since you are saying they must be logged in with Google already in order to link their Twitter account.

I'm gonna pore over some code for a bit and see how easy this would be, I haven't looked at this package in a few months so maybe I'll be pleasantly surprised and it'll be very simple, hehe...

@adamwathan
Owner

Started working on a new branch to add support for this, it actually looks like it might be fairly simple to do.

What's going to end up happening is you will need to provide your own implementation of IdentityStore that overrides the userExists method to add your own logic to determine whether or not they exist, as well as override the getByProvider method to return the user even if they don't match that particular provider but do match your own custom logic.

You'll just have to bootstrap it manually instead of using the default service provider. Easiest thing to do is copy the existing service provider and just replace the instantiation of the IdentityStore with your own implementation.

Once I've got it fully baked I'll add an example, hopefully it doesn't sound like too much work 👍
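The following is an added illustration, not code from this issue or from the package itself: a small in-memory model of the two policies discussed in the comments above. `IdentityStore`, `get_by_provider`, `find_by_email`, `login_autolink_by_email`, `login_strict` and `link_provider_to_session` are hypothetical stand-ins (loosely named after the `userExists` / `getByProvider` methods mentioned above, but not the package's real API), and the users and provider ids are constructed sample data. It shows why matching on the provider's email claim lets a second provider's identity land on an existing account, and how linking only from an already-authenticated session avoids that.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class User:
    id: int
    email: str


@dataclass
class IdentityStore:
    """In-memory stand-in for a users table and an oauth_identities table (hypothetical)."""
    users: Dict[int, User] = field(default_factory=dict)
    # (provider, provider_user_id) -> local user id
    identities: Dict[Tuple[str, str], int] = field(default_factory=dict)
    next_id: int = 1

    def create_user(self, email: str) -> User:
        user = User(self.next_id, email)
        self.users[user.id] = user
        self.next_id += 1
        return user

    def get_by_provider(self, provider: str, provider_uid: str) -> Optional[User]:
        user_id = self.identities.get((provider, provider_uid))
        return self.users.get(user_id) if user_id is not None else None

    def find_by_email(self, email: str) -> Optional[User]:
        return next((u for u in self.users.values() if u.email.lower() == email.lower()), None)

    def link(self, user: User, provider: str, provider_uid: str) -> None:
        self.identities[(provider, provider_uid)] = user.id


def login_autolink_by_email(store: IdentityStore, provider: str, provider_uid: str, email: str) -> User:
    """Policy asked for in the issue: fall back to matching an existing user by email.
    The email claim from the provider is treated as proof of ownership, which it is not."""
    user = store.get_by_provider(provider, provider_uid)
    if user is None:
        user = store.find_by_email(email) or store.create_user(email)
        store.link(user, provider, provider_uid)
    return user


def login_strict(store: IdentityStore, provider: str, provider_uid: str, email: str) -> User:
    """Default policy: only the (provider, provider_uid) pair identifies a local user."""
    user = store.get_by_provider(provider, provider_uid)
    if user is None:
        user = store.create_user(email)
        store.link(user, provider, provider_uid)
    return user


def link_provider_to_session(store: IdentityStore, session_user: User, provider: str, provider_uid: str) -> User:
    """Account linking: a user who is already logged in attaches another provider.
    No email comparison is involved, so a same-email identity from a stranger is never merged."""
    if store.get_by_provider(provider, provider_uid) is not None:
        raise ValueError("this provider identity already belongs to an account")
    store.link(session_user, provider, provider_uid)
    return session_user


def scenario() -> Dict[str, bool]:
    """Constructed walk-through of the case described in the comments."""
    results = {}

    # John signs up via Google; someone else later presents a Facebook identity
    # whose (unverified) email is John's address.
    store_a = IdentityStore()
    john = login_autolink_by_email(store_a, "google", "g-john", "johndoe@gmail.com")
    other = login_autolink_by_email(store_a, "facebook", "fb-other", "johndoe@gmail.com")
    results["autolink_merges_into_john"] = other.id == john.id  # True: account takeover

    store_b = IdentityStore()
    john = login_strict(store_b, "google", "g-john", "johndoe@gmail.com")
    other = login_strict(store_b, "facebook", "fb-other", "johndoe@gmail.com")
    results["strict_merges_into_john"] = other.id == john.id  # False: separate record

    # John, while logged in with Google, links his own Facebook identity.
    link_provider_to_session(store_b, john, "facebook", "fb-john")
    results["linked_facebook_login_is_john"] = (
        login_strict(store_b, "facebook", "fb-john", "johndoe@gmail.com").id == john.id
    )
    results["other_facebook_login_still_separate"] = (
        login_strict(store_b, "facebook", "fb-other", "johndoe@gmail.com").id != john.id
    )
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The autolink policy is only as trustworthy as the weakest provider's email verification, which is why the comment above treats it as opt-in logic rather than a default; the session-bound link is what the "link accounts" strategy amounts to.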

@iamzozo
Author

iamzozo commented Oct 2, 2014

Thanks! I didn't think about this case, you are right :) Currently I think I'm going to implement one provider for now, but your guide is very clear.

@adamwathan
Owner

Cool! I'm gonna close this for now, but I'm gonna use the work I started the other day to work towards a "link accounts" feature to support this sort of thing using the 2nd strategy I mentioned above.

@VasquezSRE

Thanks for the reply,

The idea is that if I am already registered with GitHub using the email 123@demo.com and wish to add another account, such as Facebook, also with 123@demo.com.

This can be done without the system treating the email as a duplicate; just a new login is associated with it.
