Multiple accounts with same mail handling

[ziedHamdi]

Description 📓

When a user signs in from two OAuth providers where he used the same mail to subscribe (e.g. a Facebook account using a Google Mail): The user can't sign in with both accounts: as soon as he subscribed with one of them, he will get a user error when attempting to connect with the second: "To confirm your identity, sign in with the same account you used originally."

If the app proposes many providers, the situation is uncomfortable for the user : he might have forgotten with which provider he subscribed initially. (see image)
Where the user may have forgotten which provider he previously used to subscribe (especially if more than two providers are available, unlike in the picture)

)

The actual behavior is justified by the following document: https://next-auth.js.org/faq#security.

What could be done? ☕️

There should be a possibility for apps to highlight which account provider was originally used to subscribe. Some other apps may consider that information as sensible information and want to keep the current behavior.

To satisfy both use cases, there could be a boolean parameter in the configuration file activating the provider_highlight

Furthermore, the current error message could be replaced with a feature consisting of a two phase validation: on an attempt to connect with a different provider (using the same mail) the following could happen:

• The user receives a warning message saying: "You originally signed in with your XYZ account. We added ABC to your account list, but you need to validate that account in your profile settings to be able to sign in with it"
• He then signs in with XYZ, and activates or rejects the ABC provider in his profile settings.

Contributing 🙌🏽

Yes, I am willing to help implement this feature in a PR

[ziedHamdi]

Ok I just found the answer in the section:
When I sign in with another account with the same email address, why are accounts not linked automatically?
https://next-auth.js.org/faq

[ziedHamdi]

However, the error text is not clear for the end user: he might have forgotten which account he used to subscribe.

Also the provider could be added in a pending state. The user can then connect with his 'original account' then confirm he owns that secondary account too.

[balazsorban44]

For accounts to be linked together securely, you have to be logged in with an account with the same email while linking the new account. it's a design choice, outlined in https://next-auth.js.org/faq#security

we don't intend to chnahe this behavior, but we plan to make it easier to implement account linking in the future

[gavinadams1]

@dossy did you figure it out?

[dossy]

@dossy did you figure it out?

@gavinadams1 Unfortunately, no, I decided to just leave things as-is, and hope that eventually the implementation improves and I can revisit it in the future.

[gavinadams1]

Thanks for your reply. I am taking same approach.

[daniellin215]

I noticed that, if the user signs in first using email sign in, then they try to use say Google Provider to sign in. They would receive OauthAccountNotLinked error. And the proper solution would be to turn on allowDangerousEmailAccountLinking and set it in your GoogleProvider?

[gmcamposano]

Most known auth providers already have verified emails, you can even check it under account in the signIn callback as email_verified (at least with google). Most people will either use GitHub, Google or Microsoft. Those are all secure, so enabling allowDangerousEmailAccountLinking=true is not considered as bad practice.

[ziedHamdi]

I saw that, and I closed the issue before reopening it to say the error message is user unfriendly, since it doesn't tell which provider he signed in with, and the provider can be put in a 'pending' state until it is validated by the user (logged in regularly).

[balazsorban44]

I mean they just clicked the "sign in with..." button, no? 🤷‍♂️ And we cannot leak which other providers that email address is associated with.

[ziedHamdi]

I think this can be subject to discussion, knowing that some email that ends with @gmail.com is a Google account :-) (or simply exists) is a risk some businesses might be ready to take in exchange of their users churning less because it's easier to sign in.
I think that knowing an email has an account on Facebook is not a dangerous leak.

Finally, I think a company could allow its users to reveal this type of info or not in their security settings.

What are your thoughts?

[balazsorban44]

I converted this to an idea.

If you could work this out in a more detailed feature request format and update the top description, how the implementation would look like, how could we highlight the security concerns to the developers, etc., we can see if this gets traction.

[ziedHamdi]

Ok, I just updated the description. Thanks for moving the discussion here

[ivan-kleshnin]

I've noticed one issue with multi-provider flows:

1. If the user was registered via Github and then signs-in with Email (without logging out) updateUser is called and emailVerified field can be updated.
2. If the user was registered via Email and then signs-in with Github (without logging out) updateUser is not called. Only linkAccount. So it's not possible to enrich empty fields of the users table with the data from Github.

[lienista]

How can I linkAccount? I see that this is a callback, but what fields/columns do i make sure to match? I see that next-auth uses the accounts to save data, but the userId fields are null there? Do I have to update these fields with specific info from my users table? There are no instructions on what each of the fields need to match. Is this even relevant or am I missing something?

[mohammed-bahumaish]

How can I linkAccount? I see that this is a callback, but what fields/columns do i make sure to match? I see that next-auth uses the accounts to save data, but the userId fields are null there? Do I have to update these fields with specific info from my users table? There are no instructions on what each of the fields need to match. Is this even relevant or am I missing something?

you can link account only when the user is logged in. is that what you're looking for?
you don't need to update fields manually. it takes care of itself.
if you're looking for auto linking that is not possible. but you can make a fork and enable it.

[lienista]

The linkAccount method only contains the account object, it doesn't contain the user object, which contains the name or email. How can I save this to database and how can I check if these users exists?

If I want to save these users to database, what should I do?

[lienista]

The minute I manually add an user to the users table, I get errors like this,

I have to delete the user from both table (account and user), restart the call, in order for it to work. There are not instructions on how to link this. I'm doing this on the callback method signIn. I feel like I'm shooting in the dark, trying to check which method I'm supposed to use and what field I'm supposed to update, between the 2 tables. Do you have any sample code you could share?

[GGBoi2]

Were you ever able to figure this out? This is the path that I think would work with prisma, but I do not know how to find the userId of the 2nd OAUTH2 user. That would allow me to find the Account ID tied to that specific user & transfer it to the user that logged in first.

I have tested this manually in the prisma database, and it works. I am able to login to the same account with both Google & Discord OAUTH2. However, I am unable to write a script to handle this for me

[DZuz14]

Linking accounts while someone is logged in really makes no sense at all. I will gladly put on my best Winston Churchill impression and carry the troops to victory on this one. What do we need to do to get this done? Is it really impossible to not be able to auto link accounts? For me, this makes reconsider using nextauth @mohammed-bahumaish @balazsorban44 @ziedHamdi @lienista

[andrewgbliss]

Yeah, my managers are looking into different packages to use. They said why can't I login with Google and have it find my account and link it, like it does on other websites. I told them you have to login first to link it and they said, that is not what we want.

[DZuz14]

We are surrounded by a bunch of smart people on here. I am sure that we could figure this one out. Maybe the security is a little too overengineered, thus sacrificing user experience? I had to remove all OAuth logins and use plain email for now because I would immediately lose users if they couldn't login/sign up with whatever option they wanted.

There are some good things they have done with this library, but I feel that in order to succeed, it needs to get over this hurdle. I like plenty of things about nextauth, for example, the modularity of being able to bring your own database. I was able to create my own adapter with Postsgres (although I feel like it needs to have an official adapter seeing as in how popular it is, lol).

Glad to work with anyone on this.

[ziedHamdi]

I suggested that the library can propose an opt-out from this restriction if they consider defaults must have this security constraint. Even if they consider it is important, each company is responsible for their own security implementation, so they should decide whether they want that.

Besides that, I cannot understand where is the danger: a person who created an OAuth account with gmail, loggs out, then tries to login with facebook. What could happen? if a hacker created a facebook account with that same email, he could not login to facebook as long as he doesn't click on a link in his mails to prove he really owns that mail.

Sure, we rely on facebook, twitter or other providers to verify the person really owns that email. But is it really a risk?

I mean my example.com app would not trust facebook, twitter or other providers and would want to verify itself that the user is really logged in, and has access to that mail? We know he has access to it since he subscribed through a provider that checked that for us.

Last point, to show how illogical it seems to me: We can put a provider in a PENDING state and send a mail to the user to verify he really owns it (and therefore, he owns that account he's trying to link). But wait, we should already know he has access to that mail, since we logged him in with another provider using that same mail. In other words: should we recheck he has access to the mail each time he links an additional account with that same mail???

@DZuz14 I'd love to help you on that, but I'm launching weally.org and getting very busy with making it widely adopted

[ziedHamdi]

I undrestand the it is better for the user to be loggedIn when he links accounts example:
If a user subscribes in OAuth through a LinkedIn account created with a@mail.com, then links his account with a facebook account where he uses a@othermail.com. He will have one same user in the platfrom.

If the same person had logged out, before relogging with facebook. He would have two accounts. And now if one of the accounts (eg. the one logged with facebook) tries to link the other account (the one created with LinkedIn Auth), he would get an error (user already exists)

Merging the two accounts is a lot of work, as all contributions should change userId to one of the two previous.

However! if the user now wants to log in with Twitter, and that account is linked to a@mail.com, the platform forbids him to enter. From the user perspective, it is a mess: why was he able to create two accounts by logging with LinkedIn and facebook, and now he cannot even enter the platform? (for consistency: the platform should either create him a third account, or log him with the LinkedIn one. Understanding why the platform refuses him is hard to 'debug' for him as a user)

[DZuz14]

@ziedHamdi @andrewgbliss So taking what zied has said into account, is something like the following a suitable flow for a user?

• User logs in with Facebook.
• User signs out.
• User attempts to sign in with another OAuth provider.
• User receives a message that the system recognizes that their email is already in the system, and a sends a verification email.
• User clicks link and is immediately brought to the OAuth consent screen for the provider they chose.
• User accepts the consent screen and is logged in and goes along their merry way.

I see a minor flaw with this, as you'll receive this message for every OAuth provider that you haven't received a verification email for. That might be annoying, but would probably be mitigated due to the fact that the sessions don't expire as long as the user is using the app, and users aren't likely to have to sign in again.

The other case of a user already being logged in with an OAuth provider and signing with another one is already handled by the library. However, I have no clue why you would want to allow access to the sign in page when a user is logged in, that is confusing. In my app, I do a server side redirect on the sign in page if it detects their is a session, and redirects to the home page.

[ziedHamdi]

To me, the process you are proposing has steps I don't understand: it seems weird to send emails to the same email address over and over again (with each new provider) to check if the user has access to that mail (although you know he has, since he signed up/in with a third party provider who checked that for you).

I was talking about the user signing in from different devices and forgetting which provider he chose, or not being logged in for a long time and trying to sign back in (forgetting which provider he used at signup).

Another example, a user signs up to the app through Twitter, then he loses his password (or he is banned, broken phone, etc...), now he wants to access the app, but he cannot do it through Twitter anymore, so he thinks : "I have the same mail with LinkedIn" and tries to log in with it.

I agree that the use case of a logged-out user is not very common. But it's very important when a user comes back, not to expel him by making his login process painful.

About the other case, I didn't mean to sign in a person who is already signed in, I meant linking another provider. So I'm not sure to understand what you meant

[DZuz14]

You make some very good points. I will respond back as soon as I can with my thoughts. I want to test a few things first. =)

[andrewgbliss]

Is there a way I can hook into the linkAccount code and write the link logic myself? It should just be an easy lookup, does email match. I don't understand the complex discussion.

[nbouvrette]

I want to call out that you can also use allowDangerousEmailAccountLinking: true - while the config might look dangerous, most well-known providers are already secure and will only allow using verified emails.

Doing this should solve most of the errors around account linking. Now if you use a 3rd party providers that you do not trust, you can probably handle the logic yourself.

I think if next-auth starts offering these features it goes beyond its scope.. just like for us the default pages are not useful and we found it actually was complex to override them (in my opinion that should be the default but it's not)

[helderjbe]

Thank you, that solution was perfect. Especially if you can do it per provider, it looks pretty safe.

[benquan]

That would be the simplest and would still be an opt in solution which should not be difficult to program.

[ijohnpaul2000]

I want to call out that you can also use allowDangerousEmailAccountLinking: true - while the config might look dangerous, most well-known providers are already secure and will only allow using verified emails.

Doing this should solve most of the errors around account linking. Now if you use a 3rd party providers that you do not trust, you can probably handle the logic yourself.

I think if next-auth starts offering these features it goes beyond its scope.. just like for us the default pages are not useful and we found it actually was complex to override them (in my opinion that should be the default but it's not)

Gosh you saved my life. been finding too many solution and this is just the solution. lmao

[mcnaveen]

What is the current behaviour?

I signed up using Google oauth. Signed out. Then tried via Email magic link. It allows me to login into the same account. I didn't change any configuration.

[mohammed-bahumaish]

if you sign in with email, then with google it won't allow. i don't know if that changed.

[steven-tey]

Hey everyone! Just FYI – NextAuth now has automatic account linking!

All you need to do is specify the allowDangerousEmailAccountLinking option in your provider (but make sure it's a trustworthy provider, e.g. GoogleProvider): https://next-auth.js.org/configuration/providers/oauth#allowdangerousemailaccountlinking-option

[mcnaveen]

Thanks for the update @steven-tey 🎉

[RahimGuerfi]

This discussion is really intersting!

[adriangalilea]

Hello,

I want to store info from each provider that is relevant to my application.

I used a custom adapter, and I extend the createUser to grab the data that it receives and store it, and that works perfect for me,

Now I want to use multiple providers:

Google({
      allowDangerousEmailAccountLinking: true,
    }),
    GitHub({
      allowDangerousEmailAccountLinking: true,

The problem is that I don't see any documentation on how to extend the linking process to also grab the data from the provider.

adapter.linkAccount = async (rawAccount): Promise<any> => {
    console.log(rawAccount);
    const updatedAccount = await db
      .insert(accounts)
      .values(rawAccount)
      .returning()
      .get();

    const account: any = {
      ...updatedAccount,
      type: updatedAccount.type,
      access_token: updatedAccount.access_token ?? undefined,
      token_type: updatedAccount.token_type ?? undefined,
      id_token: updatedAccount.id_token ?? undefined,
      refresh_token: updatedAccount.refresh_token ?? undefined,
      scope: updatedAccount.scope ?? undefined,
      expires_at: updatedAccount.expires_at ?? undefined,
      session_state: updatedAccount.session_state ?? undefined,
    };

    return account;
  };

rawAccount doesn't contain anything relevant, and I don't know any other method that may serve me, where is the linking by email being performed?

Alternatively I can do this through the signIn callback and check every time someone logs in if the data is already stored, but it would be more a hack than a proper solution,

Any idea?

[mziii]

I have the same problem. did you find any solution?