10

... if you don't allow multiple accounts with the same email address, a user cannot create a new account that signs in using a Google Account with the email address ex@gmail.com if there already is an account that signs in using the email address ex@gmail.com and a password.

I was able to sign in with Google provider for the same email that was already registered via Email provider, so Google provider replaced Email provider and latter then fails to sign in with FirebaseAuthInvalidCredentialsException: The password is invalid or the user does not have a password..

Steps to reproduce:

Sign up with Email provider -> Sign out -> Sign in with Google provider -> Sign out

Basically it should not allow to replace one provider with another and throw FirebaseAuthUserCollisionException: The email address is already in use by another account.

Some code that I use for sign in/sign out:

  public void signUpEmail(String email, String password) {
    mFirebaseAuth.createUserWithEmailAndPassword(email, password)
        .addOnCompleteListener(this, task -> {
          if (!task.isSuccessful()) {
            Log.e("signUpWithEmail", task.getException());
          }
        });
  }

  private void firebaseAuthWithGoogle(GoogleSignInAccount acct) {
    AuthCredential credential = GoogleAuthProvider.getCredential(acct.getIdToken(), null);
    mFirebaseAuth.signInWithCredential(credential)
        .addOnCompleteListener(this, new OnCompleteListener<AuthResult>() {
          @Override public void onComplete(@NonNull Task<AuthResult> task) {
          if (!task.isSuccessful()) {
            Log.e("signInWithCredential", task.getException());
          }
        }
    });
  }

  public void signInEmail(String email, String password) {
    mFirebaseAuth.signInWithEmailAndPassword(email, password)
        .addOnCompleteListener(this, task -> {
          if (!task.isSuccessful()) {
            Log.e("signInWithEmail", task.getException());
          }
      });
  }

  public void signOut() {
    Auth.GoogleSignInApi.signOut(mGoogleApiClient);
    mFirebaseAuth.signOut();
    startSignInActivity();
  }

Thank you!

Ivan V
  • 3,024
  • 4
  • 26
  • 36

2 Answers2

5

To optimize the login UI steps and enhance account security, Firebase Authentication has a concept of 'trusted provider', where the identity provider is also the email service provider. For example, Google is the trusted provider for @gmail.com addresses, Yahoo is the trusted provider for @yahoo.com addresses, and Microsoft for @outlook.com addresses.

In the "One Account per Email address" mode, Firebase Authentication tries to link account based on email address. If a user logins from trusted provider, the user immediately signs into the account since we know the user owns the email address.

If there is an existing account with the same email address but created with other credentials (e.g. password or non-trusted provider), the previous credentials are removed for security reasons.

A phisher (who is not the email address owner) might create the initial account - removing the initial credential would prevent the phisher from accessing the account afterwards. The legit user can set up a password by going through the password reset flow, where she would need to prove she owns the email address.

Jin Liu
  • 2,203
  • 15
  • 13
2

Multiple accounts per email address will create a new user with a different uid for different providers using the same email.

To recreate:

  1. Sign in with google email x@x
  2. Sign in with facebook email x@x
  3. Create email password account x@x

Now you'll get 3 different users.

If you use the strongly recommended single accounts per email, the 3 providers above would be within the same user (one uid).

When you first create the google account x@x and try to sign in with new facebook account with email x@x, you will get an error that linking is required to proceed. You will then have to sign in the first google user and link the new facebook user to it.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
bojeil
  • 29,642
  • 4
  • 69
  • 76
  • Thank you, the thing is that I was getting FirebaseAuthInvalidCredentialsException instead of linking required error so it was not clear what's wrong – Ivan V Jun 04 '16 at 17:16
  • I see, I understand your question now. I think in the one account per email, this may be intended. Typically linking would be triggered when you sign in with the same email using a different provider. However this is a special case. Since Google emails are verified and email password providers in this case are not, you will sign in directly without linking to your email account. However, I will check if the password provider being deleted is also part of this intended behavior. – bojeil Jun 05 '16 at 18:33
  • @bojeil It really deletes the password when you sign-in with Google. I get the security reasons behind that. The problem is that it's done silently. And you can't alert the user that his password will be deleted. As a workaround, I was thinking about changing my authentication to allow multiple accounts per email. But since every pair of email/sign-in-method will be considered a different account and thus have a different UID, I would have to use the user's email as the userID to store user data inside my Firestore. Would that cause any troube in some Firestore security rules cases? – cbdeveloper Jan 28 '19 at 10:23
  • Yes that would be a problem. The problem is someone could camp on your email. I can setup an account with your email and my password. I then wait for you to create your account (imagine it's a popular app). If my password remains on the account, then I have full access to your account. If you bypass this measure and allow access to both accounts via security rule (keying account by email), then the attacker will have access to the real user's data too. – bojeil Jan 29 '19 at 02:38