38

There doesn't seem to be any mention of this in the documentation, and all I found was this and this, where I would like to confirm this:

If there is an existing account with the same email address but created with other credentials (e.g. password or non-trusted provider), the previous credentials are removed for security reasons.

If a user signs in through Facebook or email/password and later through Google, their account sign in method is converted to Google. It only happens with Google and the setting for one account only is active.

Is it intended to be like this and is there any way to stop it?

Aubtin Samai
  • I found a way to stop it. I have already posted an answer here https://stackoverflow.com/questions/71717099/ideal-solution-for-firebase-google-provider-login-overriding-other-sign-in-provi/71730017#71730017 – pvs Apr 03 '22 at 22:13

1 Answer

21

As the documentation says: certain email domains have a trusted provider. Most prominently: Google is the trusted provider for @gmail.com addresses, since it's the only issuer of these email addresses.

If a user first registers their gmail address with say Facebook, and later there is a registration with that same gmail address from the Google provider, the latter registration is considered to overrule the former. If the user later signs in with Facebook again, the two accounts can be linked.

As far as I know, the only way to prevent this is to allow multiple accounts per email address.

Also see these posts by some of the Firebase Authentication engineers:

Frank van Puffelen
  • 2
    So this is a feature? Support just sent me: Thank you for letting us know about your concern. We are aware of this issue, and I have communicated your concern to the team. This has been brought to the attention of the right people and is being prioritized appropriately. I can't share any details or timelines at this time, but we'll keep your feedback in consideration. – Aubtin Samai Nov 23 '16 at 15:57
  • Also, if I understood correctly, I'm not using account linking right now. I only allow one account per email in the Firebase Console. – Aubtin Samai Nov 23 '16 at 16:06
  • 1
    is there a way to actually alert the user and stop google sign-in to precede over other sign-ins? – Michele La Ferla Jan 12 '17 at 21:09
  • 2
    There's a function you can call `FIRAuth.auth()?.fetchProviders(forEmail: email` – MarksCode May 06 '17 at 10:48
  • 6
    It's not really intuitive that `getRedirectResult` only throws an `"auth/account-exists-with-different-credential"` error when your login flow is Google and then Facebook. If you do it the other way around, there is no error, and the google auth just replaces the facebook one. :( – DarkNeuron Nov 07 '17 at 13:30
  • 1
    That depends on the email address. Google is considered a trusted provider for `@gmail.com` addresses, so gets special treatment there. – Frank van Puffelen Nov 07 '17 at 13:35
  • Verified email address will not be replaced. As far as other providers: https://firebase.google.com/docs/auth/web/account-linking – Jonathan Sep 03 '18 at 04:21
  • 1
    What is the reasoning behind this? It would be trivial to link multiple social accounts with the same account by email, and this would be a better user experience. – Dominic Apr 08 '19 at 20:03
  • 2
    This is still a problem today, almost four years after. So I reported an issue once again - https://github.com/firebase/firebase-ios-sdk/issues/5344 @FrankvanPuffelen do you know why it is that Google doesn't trust the email verification at Facebook, because they do now trust the emails given in Apple Sign In, even gmail addresses. So why are Facebook emails not trusted? – dynamokaj Apr 11 '20 at 12:07
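
The order-dependent outcomes discussed in this thread, written out as a small JavaScript model. This is an added example, not code from the posts or from Firebase: `signIn`, `isTrusted` and the account record shape are hypothetical, and the only trusted pairing modelled is the one the answer names (Google for `@gmail.com`).

```javascript
// Simplified model of the outcomes described in this thread (not Firebase code).
// signIn(), isTrusted() and the record shape are hypothetical names for illustration.
const TRUSTED_PROVIDER = { 'gmail.com': 'google.com' }; // the only pairing the thread names
const EXISTS_ERROR = 'auth/account-exists-with-different-credential';

function isTrusted(providerId, email) {
  const domain = email.slice(email.lastIndexOf('@') + 1).toLowerCase();
  return TRUSTED_PROVIDER[domain] === providerId;
}

// accounts: mutable array of { email, providers: [providerId], emailVerified }
function signIn(accounts, email, providerId, { onePerEmail = true } = {}) {
  const sameEmail = accounts.filter(a => a.email === email);
  const match = sameEmail.find(a => a.providers.includes(providerId));
  if (match) return { outcome: 'signed-in', account: match };

  const existing = sameEmail[0];
  if (!existing || !onePerEmail) {
    // First sign-in for this email, or "multiple accounts per email" is enabled.
    const account = { email, providers: [providerId], emailVerified: isTrusted(providerId, email) };
    accounts.push(account);
    return { outcome: 'created', account };
  }
  if (!isTrusted(providerId, email)) {
    // Untrusted provider meets an existing account: the app gets the error and can offer linking.
    return { outcome: 'error', code: EXISTS_ERROR, account: existing };
  }
  if (existing.emailVerified) {
    // Following the comment in this thread: a verified email keeps its existing credentials.
    existing.providers.push(providerId);
    return { outcome: 'linked', account: existing };
  }
  // Trusted provider, unverified existing credentials: the previous credentials are removed.
  const removed = existing.providers;
  existing.providers = [providerId];
  existing.emailVerified = true;
  return { outcome: 'replaced', removed, account: existing };
}

// Constructed walk-through: Facebook first, then Google, on the same gmail address.
const demo = [];
signIn(demo, 'user@gmail.com', 'facebook.com');
const second = signIn(demo, 'user@gmail.com', 'google.com');
console.log(second.outcome, second.removed); // replaced [ 'facebook.com' ]
```

Running the two sign-ins in the opposite order returns the `auth/account-exists-with-different-credential` outcome instead, which is the point where an app can offer account linking.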