edjiang
commented
7 years ago Are you able to do this on an app w/o multi-tenancy? It was my impression that accounts wouldn't automatically link if you did it in this order, unless the email was verified.
The risk here is that an attacker could register for an email based account w/o verifing the email. The real user then signs in with social login, and goes into the attacker's account. Since the attacker knows the password from the sign up process, the attacker now has access to all of the user's data.
oshalygin
I've tested this one a few times and it seems that it works fine without multi tenancy but with multi tenancy the link based on
MATCHING PROPERTYdoes not work. I'm not sure where this is on the road map but if I'm doing something wrong please let me know, I'd love to update the config on my end :)Replicating:
Using the following settings on the organization:
These are the account stores in this organization
Creating an account in the SPCloud directory results in the following:
Later I come along in the application and create an account via social login. I get the following results in the Google directory:
Coming back to the SPCloud directory to see if the link persisted:
There is likely a disconnect somewhere and I realize MT on subdomain is still fairly new. I looked through the codebase of
express-stormpathand I don't see any reference to account linking. If it's there, I'm open to diving in further.Thanks gents.