pow-auth / pow_assent

Multi-provider authentication for your Pow enabled app
https://powauth.com
MIT License

Question, is it possible to allow a single user to authenticate via multiple providers? #174

Closed joelbyler closed 4 years ago

joelbyler commented 4 years ago

Scenario, building an app and adding standard pow authentication, then later I add facebook and google auth via pow_assent, now users who forget their password or don't realize that they're already signed up try to register using facebook or google auth and get an error that the email has already been taken.

Are there concerns with associating a user with multiple providers? I'm planning to use email confirmation as well, so it seems relatively safe, but I couldn't find a documented way to configure this, so I thought I would ask. If it helps, I can create a PR to add to the docs if this is already possible but hard to figure out.

Thanks!

danschultzer commented 4 years ago

Are there concerns with associating a user with multiple providers?

Yeah, I'm planning to resolve it with https://github.com/pow-auth/pow_assent/issues/115.

More in: https://github.com/pow-auth/pow_assent/issues/113#issuecomment-562876018 https://github.com/pow-auth/pow_assent/issues/154#issuecomment-600264418

it seems relatively safe

It's only safe if you can trust that the email from the provider has been verified. See: https://github.com/pow-auth/pow_assent/issues/79#issuecomment-504524160

There're also some examples in https://github.com/pow-auth/pow_assent/issues/18 for how to circumvent the logic.

If it helps, I can create a PR to add to docs if this is already possible but hard to figure out.

I always appreciate any help!

In this case I think something like https://github.com/pow-auth/pow_assent/issues/115 will solve it. It makes sense to me that before you can add a new auth method, you must be authenticated. So displaying a page that requires user auth before linking a new provider would be a good way to deal with it.

Depending on the current auth methods that user has, the page could either ask for the current password, or that the user has to sign in with an existing provider first. There might be some information leak here I'll have to look into.

And as an FYI, now that I'm talking about information leaks: PowEmailConfirmation will suppress information leaks, so in case you try to sign in with a provider where the email already exists in the system, it'll redirect to show that you need to confirm the account, so as not to reveal whether an account already existed for the provided email. This is only the case for unverified emails from the provider.

My current idea for how to implement #115 would be to differentiate between invalid and taken user id and redirect accordingly in the authorization controller. I would prefer if we could just redirect the user to the Pow sign in page, with a flash message, maybe a prepopulated user id field, and a request_path to redirect the user back to complete the callback flow after sign in, but UX wise it might be necessary to set up a new controller and action to handle this auth flow.
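
The decision logic described in the reply above, written out as an added example. This is not PowAssent's code and does not use its API; it is a standalone Elixir module with a constructed in-memory user store. The claim field names `:email` and `:email_verified`, the response atoms, and the `request_path` shape are assumptions chosen for illustration. It shows the three rules from the comment: a new provider is linked only to an already authenticated user; an unverified provider email is never trusted; and an anonymous callback with an unverified email produces the same response whether or not the address is already registered, so the callback cannot be used to probe which emails have accounts.

```elixir
defmodule ProviderLinkPolicy do
  @moduledoc """
  Added illustration, not PowAssent's own code: the callback decision logic
  discussed in the thread. A new provider is linked only to an already
  authenticated user, an unverified provider email is never trusted, and an
  anonymous callback with an unverified email gets the same response whether
  or not the address is already registered.
  """

  # Constructed stand-in for the user repo: email => account record.
  @users %{
    "alice@example.com" => %{id: 1, identities: []},
    "bob@example.com" => %{id: 2, identities: ["google"]}
  }

  def users, do: @users

  @doc """
  Returns `{response, effect}`: `response` is what the browser sees,
  `effect` is the internal state change. For unverified emails the response
  must not depend on whether the account exists.

  `current_user` is the signed-in user or `nil`. `user_info` is the provider
  claim map with `:email` and `:email_verified` (assumed, normalized names).
  """
  def decide(current_user, provider, user_info, callback_path, users \\ @users) do
    # A missing or non-boolean email_verified claim counts as unverified.
    verified? = Map.get(user_info, :email_verified) == true
    email = Map.fetch!(user_info, :email)
    do_decide(current_user, provider, email, verified?, callback_path, users)
  end

  # Signed-in user adding a provider: ownership is proven by the session,
  # so the provider email needs no trust at all.
  defp do_decide(%{id: id}, provider, _email, _verified?, _path, _users) do
    {{:redirect, :account_settings}, {:link_identity, id, provider}}
  end

  # Anonymous, unverified email: always render the "confirm your email" page.
  # Unknown address -> create an unconfirmed account; known address -> do
  # nothing. Either way the visible response is identical.
  defp do_decide(nil, provider, email, false, _path, users) do
    effect =
      case Map.fetch(users, email) do
        :error -> {:create_unconfirmed_user, email, provider}
        {:ok, _existing} -> :noop
      end

    {{:render, :email_confirmation_required}, effect}
  end

  # Anonymous, verified email, address unknown: plain registration.
  defp do_decide(nil, provider, email, true, _path, users)
       when not is_map_key(users, email) do
    {{:redirect, :after_registration}, {:create_user, email, provider}}
  end

  # Anonymous, verified email, address taken (the #115 case): do not
  # auto-link. Send the user to sign in with the id prefilled and a
  # request_path so the callback can be completed once authenticated,
  # at which point the first clause above handles the link.
  defp do_decide(nil, _provider, email, true, path, _users) do
    {{:redirect, :sign_in, %{user_id: email, request_path: path}}, :noop}
  end

  @doc """
  Checks the no-oracle property: an attacker presenting an unverified email
  gets the same response for a taken and for an unknown address.
  """
  def leak_free? do
    path = "/auth/facebook/callback"
    claims = fn email -> %{email: email, email_verified: false} end
    {taken, _} = decide(nil, "facebook", claims.("alice@example.com"), path)
    {unknown, _} = decide(nil, "facebook", claims.("nobody@example.com"), path)
    taken == unknown
  end
end
```

The split into `response` and `effect` is the point of the example: the server may legitimately do different things internally (create an unconfirmed account versus nothing), but for an unverified email the rendered response, status and redirect target must be the same in both branches, which is what `leak_free?/0` compares. In a real Pow application the `:sign_in` redirect would carry the `request_path` back into the callback so the flow resumes as an authenticated link rather than as a second registration attempt.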

joelbyler commented 4 years ago

Yes, this all makes sense and sounds like a much more safe approach than just trusting that the accounts on the two separate providers are linked to the same user. Thanks for the background, I should have done a more thorough job of looking through the other open issues. Feel free to close this one and I’ll watch the older / original issues.