This is a recurrent topic. Login errors are difficult to handle when we want to let users sign up / log in in different ways. Just read this hot topic: Email account linked with social media.
At the other end, there are serious limitations due to security concerns (see last part). Nevertheless @Neerja @DavidS and @emmanuel, I dug this thread out to try to propose solutions.
Here are some very concrete examples:
Scenario 1: OAuth > OAuth
- User SIGNS UP with Google, then, logs out.
- Later on, he tries to LOG IN with Facebook (same associated email address).
This email is already in use: 'email' (USED_EMAIL)
This is a bit helpless and confusing for the user. Instead of saying that AN account already exists, I think the user needs to know HE HAS ALREADY created an account using this email. Only someone ill-intentioned would try to log in with an email he does not own.
Solution #1: Indicate the social login the user must use to log in
Return a new error such as EMAIL_OTHER_SOCIAL_NETWORK_USED and display something like:
To log in, please use the service you used when you signed up: Google. I don't see any security concern about displaying this.
Then the USED_EMAIL error is not used against the Log in action but only when a user tries to create an account with the Sign up action (which is email only).
Scenario 2: OAuth > Email
- User SIGNS UP using Google, then, logs out.
- Later on, he tries to use his email to log in.
Sorry, that's not the right password (WRONG_PASSWORD error)!!
The user may think he's not using the right password, since this is what is said! So he will try to reset his password. Fortunately, he won't be able to. With Solution #1, the user knows the issue is not his password but the login provider he uses!
Finally, the hardest to address so far for me:
Scenario 3: Email > OAuth
- User SIGNS UP using an email+password, then, logs out.
- Later on, he wants to quickly log in using his Google account (same email, same access he thinks…)
He again gets:
This email is already in use: 'email' (USED_EMAIL).
But I do trust accounts from Google or Facebook. So I would assume the Google account with the same email is the user himself.
Feature request #2: Let us link the user's social account on sign up
Fully aware of the risk, you could enable us to let this happen by adding a checkbox in the action Signup/login with a social network such as "Log in the user if the user already exists".
And if you think it's too risky, you could restrict it to safe social providers such as Google/Facebook/Microsoft/LinkedIn/etc. I also thought about an activation token sent to the linked email, but I guess it would imply adding a field like "User's email confirmed" for each User's Oauth_provider, with a more complex process.
Note that Solution #2 would avoid the Scenario 1 issue.
Is anything here doable?
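To make the three scenarios concrete, here is an added example (not code from the platform or from this thread) of a small in-memory login resolver that returns EMAIL_OTHER_SOCIAL_NETWORK_USED with the provider hint for Scenarios 1 and 2, raises USED_EMAIL only from the email sign-up action, and auto-links a social login to an existing account (Feature request #2) only when the provider is in an assumed trusted list and asserts the email as verified; the provider list, method names and the opaque password_hash values are assumptions of this example.

```python
import hmac
from dataclasses import dataclass, field

# Assumed list of providers whose profile carries a trustworthy "email verified"
# claim; the thread names Google/Facebook/Microsoft/LinkedIn as candidates.
TRUSTED_PROVIDERS = {"google", "facebook", "microsoft", "linkedin"}


@dataclass
class Account:
    email: str
    password_hash: "str | None" = None            # set for email+password sign-ups
    providers: set = field(default_factory=set)   # linked OAuth providers


class Auth:
    def __init__(self):
        self.accounts = {}                        # email -> Account (in-memory store)

    def signup_email(self, email, password_hash):
        # USED_EMAIL is only raised by the email sign-up action (Solution #1).
        if email in self.accounts:
            return ("USED_EMAIL", [])
        self.accounts[email] = Account(email, password_hash=password_hash)
        return ("OK", [])

    def login_email(self, email, password_hash):
        acct = self.accounts.get(email)
        if acct is not None and acct.password_hash is None:
            # Scenario 2: the account was created through OAuth only, so the
            # problem is the provider, not the password.
            return ("EMAIL_OTHER_SOCIAL_NETWORK_USED", sorted(acct.providers))
        # Unknown email and wrong password give the same answer (no enumeration).
        if acct is None or not hmac.compare_digest(acct.password_hash, password_hash):
            return ("WRONG_PASSWORD", [])
        return ("OK", [])

    def login_oauth(self, provider, email, email_verified):
        acct = self.accounts.get(email)
        if acct is None:
            self.accounts[email] = Account(email, providers={provider})
            return ("OK", [])                     # first social sign-up
        if provider in acct.providers:
            return ("OK", [])                     # regular social login
        # Scenario 1 (other provider) or 3 (email+password): auto-link only when
        # the provider is trusted AND asserts the address as verified; otherwise
        # an unverified profile email could be used to take over the account.
        if provider in TRUSTED_PROVIDERS and email_verified:
            acct.providers.add(provider)
            return ("OK_LINKED", [])
        return ("EMAIL_OTHER_SOCIAL_NETWORK_USED", sorted(acct.providers) or ["email"])
```

Returning the provider name does confirm to the caller that an account exists for that email, so the hint should only be shown on a login path where the email was already supplied by the user.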
Good weekend everyone after this emotional week