Robert Vangor

Reputation: 1068

Association of OAuth between providers

I was looking at Khan Academy and I'm wondering how their authentication works (probably many other websites do it the same way).

When you log in with a Facebook account that has the email "[email protected]", completely log out, open another anonymous window, and log in with a Google account that has the same "[email protected]" email, you are logged into the previously created account.

My questions are:

  1. Do they make the association to the account based on the email your social account has?
  2. I'm sure their solution is secure, but is this common and normally doable so there won't be any possible exploits?

Upvotes: 0

Views: 70

Answers (1)

m3characters

Reputation: 2290

I'm using an OAuth2 system to grant access to my app, dvouch.

First you have a registered user in your website, with a unique email.

So what basically happens is:

  1. User visits your website (the website doesn't know who the user is).
  2. User clicks to log in through one of the OAuth2 providers.
  3. Your website proceeds to start an "OAuth2" handshake: it redirects the user to the provider's OAuth endpoint, along with some information, like what scopes you're asking for (email, personal info, public info, etc.), the URL to send the user back to after the authentication is done, your application tokens (that are registered in the provider's app dashboard), and so on.
  4. Let's say the provider you chose was Facebook. Facebook receives your request for an OAuth2 authentication. It also receives the scopes you're asking for, which URL you want the user to go to after being authenticated, and your application credentials.
  5. It checks that the credentials you're sending are valid, and that the callback URL you're asking the user to be sent to afterwards also matches what they have registered for your app (so that someone can't simply steal your app credentials and have users redirected somewhere else); if everything is fine and dandy, it will then present the login window to the user. This login is happening on the provider's page, not on your website.
  6. The user logs in (inside Facebook or Google, not your website). The provider sends them back to the callback URL you specified in the beginning of the handshake.
  7. You (your website) receive the user back with a bunch of information, such as the email of the user who just completed the OAuth2 flow.
  8. At this point you use the email that came in the callback and identify the user through the email. Since all emails are unique, and since your user had to be registered with that email on the provider, you are safe to assume he's the owner of the email.

(technically things might happen a bit differently)

It's basically very secure as long as the website has the regular security measures. Of course, if someone has access to your Facebook (or whatever) account or email they can log in as if they were you, but that would happen either way, whether they offered OAuth or not.

Then, as long as you verify you're logging in on the correct provider's website (like Facebook's or Google's and not something else) you'll be fine, since no one else will be able to see your login. Since a "scope" of authorizations has to be passed as well, you as a user can also see what the application is asking for (email, access to your inbox, whatever) and decide whether you want to grant those scopes or not; if you decide not to grant access then Facebook will not pass back that information, which in turn renders the process safe.

The only way it wouldn't be safe would be if you had malicious software installed on your computer to log your activity, and in this case you would be screwed either way.

Upvotes: 1
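The handshake in the answer above and the "same email at two providers lands in one account" behaviour from the question, as an added, runnable example that is not code from the original post, from dvouch or from Khan Academy. It plays both sides of the authorization-code variant of OAuth2 offline: `Provider` is a toy authorization server with a registered app (the hypothetical `CLIENT_ID`/`CALLBACK` values and the user records are constructed for the example), and `Website` is the relying party. The provider enforces the step-5 checks (known `client_id`, `redirect_uri` exactly as registered, single-use code redeemable only with the app secret); the website binds the callback to the session with `state` and, before linking by email, requires the provider to report the address as verified (the `email_verified` claim, as defined by OpenID Connect). That last check is the caveat a practitioner wants on top of the answer's step 8: a provider that hands back an address its user merely typed, rather than one it confirmed, would otherwise let anyone claim an existing local account.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example (not from the original page).
CLIENT_ID, CLIENT_SECRET = "demo-app-id", "demo-app-secret"
CALLBACK = "https://site.test/oauth/callback"


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class Provider:
    """Toy authorization server (the 'facebook' / 'google' side of the handshake)."""

    def __init__(self, name, users):
        self.name, self.users = name, users   # users: user_id -> {"email", "email_verified"}
        self.apps = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": CALLBACK}}
        self._codes, self._tokens = {}, {}

    def authorize(self, url, logged_in_user):
        """Steps 3-6: validate the app registration, then redirect back with a one-time code."""
        q, app = _query(url), self.apps.get(_query(url).get("client_id"))
        if app is None:
            raise PermissionError(f"{self.name}: unknown client_id")
        if q.get("redirect_uri") != app["redirect_uri"]:
            raise PermissionError(f"{self.name}: redirect_uri is not the registered one")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["client_id"], logged_in_user)
        return f"{app['redirect_uri']}?{urlencode({'code': code, 'state': q.get('state', '')})}"

    def token(self, client_id, client_secret, code):
        """Back-channel exchange: only the holder of the app secret can redeem a code, once."""
        app = self.apps.get(client_id)
        if app is None or not hmac.compare_digest(app["secret"], client_secret):
            raise PermissionError(f"{self.name}: bad client credentials")
        issued_to, user_id = self._codes.pop(code, (None, None))   # pop => single use
        if issued_to != client_id:
            raise PermissionError(f"{self.name}: code invalid or already used")
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = user_id
        return tok

    def userinfo(self, access_token):
        return dict(self.users[self._tokens[access_token]])


class Website:
    """The relying party: links provider logins to local accounts by verified e-mail."""

    def __init__(self, providers):
        self.providers = {p.name: p for p in providers}
        self.accounts = {}     # normalised email -> {"email", "providers"}
        self._pending = {}     # state -> provider name, issued by start_login

    def start_login(self, provider_name):
        """Step 3: build the authorization URL; `state` ties the callback to this login attempt."""
        state = secrets.token_urlsafe(16)
        self._pending[state] = provider_name
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": CALLBACK,
                  "scope": "email", "state": state}
        return f"https://{provider_name}.test/oauth/authorize?{urlencode(params)}"

    def finish_login(self, callback_url):
        """Steps 7-8: check state, redeem the code server-side, then find the account by e-mail."""
        q = _query(callback_url)
        provider_name = self._pending.pop(q.get("state"), None)
        if provider_name is None:
            raise PermissionError("state unknown: callback was not started here (login CSRF?)")
        prov = self.providers[provider_name]
        info = prov.userinfo(prov.token(CLIENT_ID, CLIENT_SECRET, q["code"]))
        # Link by e-mail only when the provider itself vouches for the address.
        if not info.get("email_verified"):
            raise PermissionError(f"{provider_name} did not verify {info['email']}; not linking")
        email = info["email"].strip().lower()
        account = self.accounts.setdefault(email, {"email": email, "providers": set()})
        account["providers"].add(provider_name)
        return account


def demo():
    """Verified e-mail at Facebook and Google -> one local account; unverified -> refused."""
    facebook = Provider("facebook", {"fb1": {"email": "alice@example.test", "email_verified": True}})
    google = Provider("google", {"g1": {"email": "Alice@Example.test", "email_verified": True}})
    other = Provider("other", {"o1": {"email": "alice@example.test", "email_verified": False}})
    site = Website([facebook, google, other])
    acct1 = site.finish_login(facebook.authorize(site.start_login("facebook"), "fb1"))
    acct2 = site.finish_login(google.authorize(site.start_login("google"), "g1"))
    try:
        site.finish_login(other.authorize(site.start_login("other"), "o1"))
        refused = False
    except PermissionError:
        refused = True
    return acct1 is acct2, sorted(acct1["providers"]), refused, len(site.accounts)


def tampered_redirect_is_refused():
    """Step 5: a stolen client_id cannot send users (and codes) to an attacker's callback."""
    facebook = Provider("facebook", {"fb1": {"email": "alice@example.test", "email_verified": True}})
    site = Website([facebook])
    url = site.start_login("facebook").replace(urlencode({"redirect_uri": CALLBACK}),
                                               urlencode({"redirect_uri": "https://evil.test/cb"}))
    try:
        facebook.authorize(url, "fb1")
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(demo(), tampered_redirect_is_refused())
```

Two design points worth noting. The code is redeemed on the back channel with the client secret, so even a code that leaks through a browser history or a referrer is useless without the secret, and `pop` makes each code single use. E-mail normalisation (`strip().lower()`) is what makes the Facebook and Google logins collide on one record; a site that forgets it ends up with two accounts for the same person, which is the opposite failure from the one the question worries about.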
