If logged in using email and password, user can't log in with OAuth2 provider

[PredragPeranovic]

Hi,

If a user account already exists, and the account is created with email and password,
user will get an error "account with the same email already exists", when tries to identify itself using OAuth2 provider associated with the same email address.

Maybe the better behavior will be to just let the user log in, regardless if he uses oauth2 provider or email/password combination to identify himself. In both cases, we have enough proof that he owns the email address.

All best

[frankie567]

Yes, that's a wanted behavior. We did this for security purposes.

There are scenarios where a malicious user could take control of an account if we automatically link the OAuth account based on email address.

For example, let's say our Fief workspace allows user to authenticate with password and an OAuth2 Provider (let's call it ACME). ACME does not verify emails when registering users.

• The user [email protected] registers with their email/password on our Fief workspace. This user does not have an ACME account.
• A malicious user wants to take over John's account on our Fief workspace. To do so, he registers an ACME account with the email [email protected].
• Now, all he needs to do is to use the Login with ACME button on our Fief workspace. If we automatically link accounts, he would take control of John's account.

To make this work, we would need to make sure the OAuth provider has validated the email address. This could be done for trustable services like Google or Facebook, but dangerous in the general case. As I mentioned in #266, we do not have (yet) specific paths depending on the provider.

[PredragPeranovic]

Thanks again :)