firebase / firebase-android-sdk

Firebase Android SDK
https://firebase.google.com
Apache License 2.0

Creating multiple Firebase accounts for the same email, though it is disabled in the settings. #6026

Closed sandeep5193 closed 3 months ago

sandeep5193 commented 3 months ago

[REQUIRED] Step 3: Describe the problem

I have enabled the setting to link accounts that use the same email. So there must not be two Firebase accounts with the same email.

I have used firebase-ui-auth in my android client.

Steps to reproduce:

  1. Sign in using a Google account. This creates a new Firebase account.
  2. Reinstall the app and sign in using a Facebook account, but do not give the email permission. This creates another Firebase account.
  3. Reinstall the app and sign in using the Facebook account again, but give the email permission this time. This uses the Firebase account created in step 2 and updates the email in that Firebase account.

So now the user has two Firebase accounts with the same email.

Relevant Code:

// FirebaseUI sign-in flow; the resulting Intent is launched from the activity.
Intent signInIntent = AuthUI.getInstance()
    .createSignInIntentBuilder()
    .setAvailableProviders(providersList)   // IdpConfig entries, e.g. Google and Facebook
    .setIsSmartLockEnabled(false)
    .setTheme(R.style.FirebaseAuthTheme)
    .setLogo(R.drawable.ic_login_logo)      // only one logo is applied
    .setTosAndPrivacyPolicyUrls("https://example.com/policy.html", "https://example.com/privacy.html")
    .build();

google-oss-bot commented 3 months ago

I found a few problems with this issue:

lehcar09 commented 3 months ago

Hi @sandeep5193, thank you for reaching out. I tried reproducing the issue; however, I did not use FirebaseUI and did not encounter the behavior you reported.

Can you elaborate on what you mean by "do not give email permission/ give email permission"? By any chance, can you share an MCVE to help us reproduce the issue?

sandeep5193 commented 3 months ago

Hi @lehcar09, thanks for replying.

When logging in through Facebook, FirebaseUI asks for the public_profile and email permissions by default. While public_profile is mandatory, email is optional.

In the steps I mentioned in my first post, in step 2 the user is not giving the email permission, but in step 3 he is giving it.

Currently I do not have any sample app to share, but I am sure the demo app present in the FirebaseUI-Android repo can be used for simulation.

lehcar09 commented 3 months ago

Thank you for that clarification @sandeep5193. The behavior you’re experiencing is working as intended. Accounts created with different identity providers can be automatically linked, or replace each other. These vary depending on the verification status of the accounts. Accounts with some identity providers are automatically verified, and others are not.

Based on our documentation,

In some situations, Firebase will automatically link accounts when a user signs in with different providers using the same email address. This can only happen when specific criteria are met, however. To understand why, consider the following situation: a user signs in using Google with a @gmail.com account and a malicious actor creates an account using the same @gmail.com address, but signing in via Facebook. If these two accounts were automatically linked, the malicious actor would gain access to the user's account.

That being said, I'll be closing this issue now. Let me know if there's any misunderstanding and/or we need to re-open the issue for further investigation.
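Since Firebase deliberately does not auto-link an unverified provider account to an existing one with the same address, the duplicate from the reproduction steps above can only be found by auditing the project's users. The following added example (not from the issue, FirebaseUI or the SDK) does that offline on constructed records shaped like the fields the Firebase Admin SDK's `auth.list_users()` returns; `load_from_admin_sdk` is the optional hook for live data.

```python
from collections import defaultdict

# Constructed sample mirroring the issue: a verified Google account, a
# Facebook account whose email was added later (unverified, mixed case),
# a Facebook account that declined the email permission, and a bystander.
SAMPLE_USERS = [
    {"uid": "u1", "email": "alice@example.com", "email_verified": True,
     "providers": ["google.com"]},
    {"uid": "u2", "email": "Alice@Example.com", "email_verified": False,
     "providers": ["facebook.com"]},
    {"uid": "u3", "email": None, "email_verified": False,
     "providers": ["facebook.com"]},
    {"uid": "u4", "email": "bob@example.com", "email_verified": True,
     "providers": ["password"]},
]

def normalize_email(email):
    """Trim and lower-case; returns None when the record has no email."""
    return email.strip().lower() if email else None

def find_duplicate_emails(users):
    """Return {email: [(uid, providers, email_verified), ...]} for every
    address held by more than one uid. Records without an email (a provider
    sign-in that declined the email permission) cannot collide; skipped."""
    by_email = defaultdict(list)
    for u in users:
        key = normalize_email(u.get("email"))
        if key is None:
            continue
        by_email[key].append(
            (u["uid"], tuple(u.get("providers", ())), bool(u.get("email_verified"))))
    return {e: r for e, r in by_email.items() if len({x[0] for x in r}) > 1}

def unverified_collisions(duplicates):
    """Addresses where at least one colliding account is not email-verified:
    exactly the cases Firebase refuses to auto-link, since the unverified
    account has not proven it owns the address. These need manual review."""
    return sorted(e for e, r in duplicates.items() if not all(x[2] for x in r))

def load_from_admin_sdk():
    """Live records via the Firebase Admin SDK (needs an initialised app and
    credentials; not used by the sample run)."""
    from firebase_admin import auth
    return [{"uid": u.uid, "email": u.email, "email_verified": u.email_verified,
             "providers": [p.provider_id for p in u.provider_data]}
            for u in auth.list_users().iterate_all()]

if __name__ == "__main__":
    dups = find_duplicate_emails(SAMPLE_USERS)
    for email, recs in dups.items():
        print(email, recs)
    print("needs manual review:", unverified_collisions(dups))
```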