Reputation: 476
My problem is as follows:
I want to associate multiple oauth2 accounts to the same user by email (e.g. the design of medium.com or slant.co). I need to understand the security consequences about this scenario.
This scenario is really impossible for something like Google, but it's possible for Facebook or Twitter backends. There is no way to make sure that User_A really owns all services using the same email, right? If I am right, what are the measures to make sure that a user cannot login to another user's account?
Upvotes: 4
Views: 776
Reputation: 2063
Great question, and many developers don't do the right things in these cases. When we built Firebase Auth (previously known as Google Identity Toolkit; you can see some detail on that page) we spent a lot of time analyzing these cases. It will be hard to describe in detail here, but a few concepts will help.
Depending on the sensitivity of the data on your site and how you allow "account recovery", you could always allow sign-in through an authoritative IDP, but if the user tries to sign in with another IDP that is not authoritative, you should require them to confirm the original account credential at the time of merging (e.g. ask for the password, or ask for an assertion from Google, before allowing a takeover of the account with just a Facebook sign-in).
Hopefully that helps. It is complicated so being careful is better and unmerging is going to be almost impossible.
Upvotes: 5
Reputation: 5770
- user User_A registers on my website using email Email_A
- user User_B registers on Facebook using Email_A (let's say by mistake), while User_A doesn't have a Facebook account.
This is usually avoided by enforcing email uniqueness across all the accounts (User_B would get an error while registering informing him that there already is an account with Email_A). And even so, there's the concept of "confirming" the account by checking your email - User_B could never verify his account given he can't access Email_A.
Upvotes: 1
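The policy both answers describe, as an added example that is not from the thread or from Firebase: one account per email, a mailbox confirmation for addresses no IdP vouches for, and a forced re-authentication before a non-authoritative IdP identity is merged into an existing account. Which IdPs count as authoritative for which domains is an assumption here.

```python
from dataclasses import dataclass, field

# Assumption (not from the thread): an IdP is "authoritative" for an address
# only when it runs that mailbox domain itself and asserts it verified it.
AUTHORITATIVE_DOMAINS = {"google": {"gmail.com", "googlemail.com"}}


@dataclass
class Assertion:
    idp: str
    subject: str          # the IdP's stable user id, never the email
    email: str
    email_verified: bool  # the IdP's own claim, trusted only if authoritative


@dataclass
class User:
    email: str
    email_confirmed: bool = False              # local mailbox check passed
    links: dict = field(default_factory=dict)  # idp -> subject


def is_authoritative(a: Assertion) -> bool:
    domain = a.email.rsplit("@", 1)[-1].lower()
    return a.email_verified and domain in AUTHORITATIVE_DOMAINS.get(a.idp, set())


def decide(a: Assertion, users: dict) -> str:
    """Decide what the login handler may do with one OAuth2/OIDC assertion.
    Returns 'login', 'confirm_email' or 'reauth_required'."""
    email = a.email.lower()
    user = users.get(email)
    if user is None:
        # One account per email: creating it here is what enforces uniqueness.
        users[email] = User(email, is_authoritative(a), {a.idp: a.subject})
        return "login" if is_authoritative(a) else "confirm_email"
    if user.links.get(a.idp) == a.subject:  # this IdP identity already linked
        return "login" if user.email_confirmed else "confirm_email"
    if a.idp in user.links or not is_authoritative(a):
        # Someone else's IdP identity claims an existing account's email:
        # merge only after the user proves the original credential.
        return "reauth_required"
    user.links[a.idp] = a.subject  # authoritative IdP may merge silently
    user.email_confirmed = True
    return "login"


def link_after_reauth(user: User, a: Assertion) -> None:
    """Call only once the original password/authoritative sign-in succeeded."""
    user.links[a.idp] = a.subject
```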