Background:
I wish to auto-login my local users if they choose to log in via Google with the same email address. However, during social login validation in the serializers there is a condition:
if not login.is_existing:
    # We have an account already signed up in a different flow
    # with the same email address: raise an exception.
    # This needs to be handled in the frontend. We can not just
    # link up the accounts due to security constraints
The security concern is valid; however, Google does provide an email_verified value in their response, and one can argue that it would be safe to let the social login continue if the email is verified.
I wish to propose a configuration that lets devs working on a project decide for themselves whether or not to let the auto-link be done.
The configuration might be limited to only those providers that return the email_verified property.
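An added sketch of the gate such an opt-in setting implies, not part of the original post or of the library's code: linking is allowed only for providers the project has opted in, only when the provider response carries an explicitly true email_verified value, and only when the address matches the local account. The names `AutoLinkPolicy`, `email_is_verified` and `may_auto_link` are hypothetical, and the sample responses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AutoLinkPolicy:
    # Hypothetical opt-in setting: providers whose email_verified value the
    # project chooses to trust. Empty by default, so auto-linking stays off.
    trusted_providers: frozenset = frozenset()


def email_is_verified(claims):
    """Fail closed: only an explicit true value counts as verified."""
    value = claims.get("email_verified")
    # Assumption: the value arrives as a JSON boolean or the string "true".
    # A plain truthiness test would wrongly accept the string "false".
    return value is True or value == "true"


def may_auto_link(provider, claims, local_email, policy):
    """Return (allowed, reason) for linking a social login to a local account."""
    if provider not in policy.trusted_providers:
        return False, "provider not opted in"
    if not email_is_verified(claims):
        return False, "email not verified by provider"
    social_email = claims.get("email")
    if not isinstance(social_email, str) or not social_email.strip():
        return False, "no email in provider response"
    # Assumption: local accounts treat email addresses case-insensitively.
    if social_email.strip().lower() != local_email.strip().lower():
        return False, "email mismatch"
    return True, "verified email matches local account"


# Constructed sample provider responses (not real data).
SAMPLES = [
    ("google", {"email": "alice@example.com", "email_verified": True}),
    ("google", {"email": "alice@example.com", "email_verified": False}),
    ("google", {"email": "alice@example.com"}),
    ("google", {"email": "alice@example.com", "email_verified": "false"}),
    ("otheridp", {"email": "alice@example.com", "email_verified": True}),
]

if __name__ == "__main__":
    policy = AutoLinkPolicy(trusted_providers=frozenset({"google"}))
    for provider, claims in SAMPLES:
        print(provider, claims, may_auto_link(provider, claims, "alice@example.com", policy))
```

When the gate returns False, the existing behaviour (raising the "already registered" error) is the safe fallback.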