Merlin -they-them-

Reputation: 2960

Inform User Account Exists

On my application, I have standard email authentication, as well as two OAuth services (say Google and Facebook).

If a user has signed up with Facebook, but then they try to log in through regular email authentication, should I tell them to use Facebook?

At first, I thought this was straightforward, but realized this might have potential security ramifications.

What do you all think?

(Also, is this fine to ask on Stack Overflow, or should I repost to Software Engineering?)

Upvotes: 1

Views: 70

Answers (1)

Iakovos

Reputation: 1982

There is a chance that a user has disabled the Facebook (or some other service's) option to be looked up by his/her e-mail. Therefore, it is probably not a good solution to give a message that suggests logging in via Facebook, because an attacker can get information that the user has marked as private.

What I would do is change the message shown when a user does not exist to something along the lines of "Invalid user (if you have already signed up using some other service (e.g. Facebook), please log in using that service)". I would present this message both to users that do not exist and to users who have signed up using some service. This way an attacker cannot distinguish between a user who has not signed up and a user who signed up using some service, while the legitimate user is getting a hint of what might be wrong. I believe that some usability problems will come up, but this way the privacy of the users is much better respected.

Upvotes: 1
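An added illustration of the answer's advice (example code written for this page, not from the asker's application): a leaky login handler that returns a different message per case, beside a uniform one that returns the same message for unknown e-mails, OAuth-only accounts and wrong passwords, and does the same hashing work in every branch so that timing does not leak what the message hides. The user store, salt and hash parameters are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample user store (not from the question): one password user,
# one user who signed up via Facebook OAuth (so no password hash), and nothing
# for any other e-mail address.
_SALT = b"constructed-salt"  # a real app stores a per-user random salt

def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)

USERS = {
    "alice@example.com": {"provider": "password", "pw_hash": _hash("correct horse")},
    "bob@example.com":   {"provider": "facebook", "pw_hash": None},
}
_DUMMY_HASH = _hash("dummy")  # compared against when no usable hash exists

GENERIC_MSG = ("Invalid user (if you have already signed up using some other "
               "service (e.g. Facebook), please log in using that service)")

def login_leaky(email: str, password: str) -> str:
    """Enumerable: every branch answers differently, so the response tells
    an outsider whether the e-mail is registered and through which provider."""
    user = USERS.get(email)
    if user is None:
        return "No account for this e-mail"
    if user["provider"] != "password":
        return f"Please log in with {user['provider'].title()}"
    if hmac.compare_digest(_hash(password), user["pw_hash"]):
        return "OK"
    return "Wrong password"

def login_uniform(email: str, password: str) -> str:
    """Hardened: unknown e-mail, OAuth-only account and wrong password all
    return GENERIC_MSG, and the PBKDF2 work runs in every case so the
    branches are not distinguishable by response time either."""
    user = USERS.get(email)
    has_password = user is not None and user["pw_hash"] is not None
    stored = user["pw_hash"] if has_password else _DUMMY_HASH
    ok = hmac.compare_digest(_hash(password), stored)
    if not has_password:
        ok = False  # the dummy comparison only equalises the work done
    return "OK" if ok else GENERIC_MSG
```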
