1

I've been using django-rest-auth, which has been great for email signup flow. I've been trying to implement social login (via FB), and in the latest version (v.0.9.3), it seems if someone has already created an account via email, they just raise an error if that user tries to login via social. This comment is in the commit:

# We have an account already signed up in a different flow
+            # with the same email address: raise an exception.
+            # This needs to be handled in the frontend. We can not just
+            # link up the accounts due to security constraints

Couple of questions (posted this in the github issues as well): Why is this a security issue? Isn't the whole point of social authentication that you trust the OAuth provider (FB in this case)? Second, how is one supposed to handle this in the frontend? It's a common occurrence that people sign up for email first (often simply because a site or app adds social login later in the development cycle). It seems to me the only option this leaves me with is to tell the user "Sorry, you can only login with your email account." Or to simply choose to have FB Login or email (or Twitter or etc), but only one of them. Am I missing something here? It seems extremely limiting to me.

Evan Zamir

1 Answer

2

The security issue comes from the fact that it's impossible to verify that the social account is exactly the same user who registered before.

In order to attach a social account to an existing user in django-rest-auth you need to use a social connect view. Here's an example in the docs: http://django-rest-auth.readthedocs.io/en/latest/installation.html#additional-social-connect-views.

Social connect views are similar to regular social login except that you have to already be authenticated as a regular user, so the app knows it is you, before it can attach a social account.

So the example flow is the following:

  1. Login as existing user (registered before as a non-social account)

  2. Access /rest-auth/facebook/connect/ to attach Facebook social account to this existing user.

Maxim Kukhtenkov
  • 1
    If the user email is verified upon the original account creation, it seems to me that is just as secure. – Evan Zamir Feb 08 '18 at 16:17
  • 1
    Discussion in the allauth github regarding the issue: https://github.com/pennersr/django-allauth/issues/191. Here's an explanation of the security issue: https://stackoverflow.com/questions/13140021/django-allauth-linking-multiple-social-accounts-to-a-single-user/13896207#13896207 – Maxim Kukhtenkov Feb 08 '18 at 16:59
  • Some providers might not have email verification set up, so a malicious user could use someone else's email to register and attach their social account to an existing user account. – Maxim Kukhtenkov Feb 08 '18 at 17:25
  • 1
    Ok, I understand the security issue. It would be my preference if the library allowed me to make that choice, but I'm not the author, so there's not much I can do about that. I will accept your answer. Thanks. – Evan Zamir Feb 08 '18 at 17:37
  • @EvanZamir you can add this feature by checking if the email is verified here: https://github.com/Tivix/django-rest-auth/blob/a3057b7aa1963da834ffc33edaf188b0e0e4556d/rest_auth/registration/serializers.py#L127 – Rani Feb 10 '18 at 19:17
  • This is a security problem only if the provider is completely untrusted. If the OAuth provider is Google or Microsoft, where only your gmail (or Microsoft apps) account is authenticated by them, the security issue doesn't exist. – Rohit May 19 '20 at 19:01
  • @MaximKukhtenkov how do I send the credentials? It says "Authentication credentials were not provided." – Bhuban ghimire Mar 03 '22 at 09:54
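The linking decision discussed in the answer (log in first, then connect) and in Rani's comment (optionally auto-link when the e-mail is verified), modelled as a small stand-alone Python function. This is an added illustration, not django-rest-auth's own serializer code; the `Account`, `SocialIdentity` and `social_login` names and the in-memory `accounts` dict are hypothetical stand-ins for the user table and the allauth login object.

```python
from dataclasses import dataclass, field

# Constructed model of the account-linking policy; not django-rest-auth code.

@dataclass
class Account:
    email: str
    email_verified: bool                  # local address confirmed at e-mail signup
    social_uids: set = field(default_factory=set)

@dataclass
class SocialIdentity:
    provider: str
    uid: str
    email: str
    email_verified: bool                  # does the provider itself assert the address is verified?

def social_login(accounts, identity, authenticated_as=None,
                 trust_verified_provider_email=False):
    """Decide what a social login does. Returns (outcome, account).

    accounts: dict email -> Account (stand-in for the user table)
    authenticated_as: email of the already logged-in user, if any (connect view)
    trust_verified_provider_email: site-level opt-in for auto-linking
    """
    key = (identity.provider, identity.uid)
    # 1. Identity already linked to a local account: plain social login.
    for acct in accounts.values():
        if key in acct.social_uids:
            return "logged_in", acct
    existing = accounts.get(identity.email.lower())
    # 2. No local account with that address: register a new social account.
    if existing is None:
        acct = Account(identity.email.lower(), identity.email_verified, {key})
        accounts[acct.email] = acct
        return "registered", acct
    # 3. Connect flow: the caller proved ownership by logging in to the
    #    local account first, so attaching the social identity is safe.
    if authenticated_as is not None and authenticated_as.lower() == existing.email:
        existing.social_uids.add(key)
        return "connected", existing
    # 4. Opt-in relaxation from the comments: only if BOTH the provider and the
    #    local signup verified the address; an unverified provider email alone
    #    is exactly the takeover path described in the answer's comments.
    if trust_verified_provider_email and identity.email_verified and existing.email_verified:
        existing.social_uids.add(key)
        return "auto_linked", existing
    # 5. Library default: refuse, and let the frontend send the user through
    #    login + /rest-auth/<provider>/connect/ instead.
    return "rejected", existing
```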