Firebase authentication provider silently changes from password to google.com - firebase-authentication

I use Firebase Authentication for my web app with three providers: email/password, Google, or Facebook. I have enabled the option "One account per email address".
When a user signs up using email/password (with a Gmail address) and later uses Google sign-in, I expect to receive an exception "auth/account-exists-with-different-credential", but I do not. His providerId is changed to google.com and he cannot use his password anymore (it throws "auth/wrong-password").
Is this normal behaviour?

Firebase Authentication has a concept of a preferred provider for certain email addresses. The most common one is that google.com is the preferred provider for @gmail.com addresses, but I think they also exist for Facebook and Microsoft accounts.
If an existing account later signs up again from a preferred provider, that provider overwrites the existing user account. There is no way to change this behavior (that I know of).
Also see:
Github issue Facebook provider overwritten by Google provider
Mailing list Firebase Social Authentication Issue with fb and gmail flow
Authentication using Facebook at first and then Google causes an error in Firebase for Android

This is how I'm solving it:
https://firebase.google.com/docs/auth/android/account-linking
Just link the "accounts".
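The linking the answer refers to, as an added example written in the style of the Firebase Web SDK v9 modular API (this is not the answerer's code, nor Firebase's own). The Firebase functions (signInWithPopup, fetchSignInMethodsForEmail, signInWithEmailAndPassword, linkWithCredential, linkWithPopup and GoogleAuthProvider.credentialFromError) are injected through an `api` object so the flow runs offline against the constructed fake at the bottom; in an application you would pass the real exports of "firebase/auth" and a `new GoogleAuthProvider()`. The account, the password "correct horse" and the error shapes of the fake are constructed. Path 1 links Google to the user while they are still signed in with their password, which sidesteps the overwrite the question describes; path 2 is the handling of `auth/account-exists-with-different-credential` for the cases where Firebase does raise it.

```javascript
// Added example, not code from the original answer or from Firebase.
// Firebase Web SDK v9-style calls are injected via `api` so this runs offline
// against the constructed fake below; pass the real exports of "firebase/auth"
// (and `api.googleProvider = new GoogleAuthProvider()`) in an application.

const ACCOUNT_EXISTS = "auth/account-exists-with-different-credential";

// Path 1: the user is signed in with email/password and adds Google from a
// settings page. Linking from the signed-in user keeps the uid and the password
// method, instead of letting the preferred provider replace the account.
async function linkGoogleToCurrentUser(api) {
  const user = api.auth.currentUser;
  if (!user) throw new Error("sign in with the existing method first, then link");
  const { user: linked } = await api.linkWithPopup(user, api.googleProvider);
  return linked.providerData.map((p) => p.providerId);
}

// Path 2: the user presses the Google button while signed out. If Firebase
// reports an existing account with a different credential, sign in with that
// account's password and attach the pending Google credential to it.
async function signInWithGoogleOrLink(api, askPassword) {
  try {
    const { user } = await api.signInWithPopup(api.auth, api.googleProvider);
    return { user, linked: false };
  } catch (err) {
    if (err.code !== ACCOUNT_EXISTS) throw err;
    const email = err.customData.email;            // email of the existing account
    const pending = api.credentialFromError(err);  // the Google credential to link
    const methods = await api.fetchSignInMethodsForEmail(api.auth, email);
    if (!methods.includes("password")) {
      throw new Error(`sign in with ${methods.join(" or ")} for ${email}, then link Google`);
    }
    const password = await askPassword(email);
    const { user } = await api.signInWithEmailAndPassword(api.auth, email, password);
    await api.linkWithCredential(user, pending);
    return { user, linked: true };
  }
}

// Constructed fake of the Firebase calls: one account created with
// email+password, and a Google sign-in that collides with it.
function makeFakeApi() {
  const account = { uid: "u1", email: "ex@example.com", providerData: [{ providerId: "password" }] };
  const auth = { currentUser: null };
  const pendingCred = { providerId: "google.com", idToken: "constructed-google-id-token" };
  const fail = (code) => { const e = new Error(code); e.code = code; return e; };
  return {
    auth,
    googleProvider: { providerId: "google.com" },
    credentialFromError: (err) => err.customData.credential,
    signInWithPopup: async () => {
      const e = fail(ACCOUNT_EXISTS);
      e.customData = { email: account.email, credential: pendingCred };
      throw e;
    },
    fetchSignInMethodsForEmail: async (_auth, email) =>
      email === account.email ? account.providerData.map((p) => p.providerId) : [],
    signInWithEmailAndPassword: async (_auth, email, password) => {
      if (email !== account.email || password !== "correct horse") throw fail("auth/wrong-password");
      auth.currentUser = account;
      return { user: account };
    },
    linkWithCredential: async (user, cred) => {
      user.providerData.push({ providerId: cred.providerId });
      return { user };
    },
    linkWithPopup: async (user, provider) => {
      user.providerData.push({ providerId: provider.providerId });
      return { user };
    },
  };
}
```

Call `signInWithGoogleOrLink(api, promptUserForPassword)` from the Google button and `linkGoogleToCurrentUser(api)` from an "add Google sign-in" control shown to signed-in users. After either path the account keeps its uid and has both "password" and "google.com" in providerData, so the password keeps working. Note that with Firebase's email enumeration protection turned on (the default for newer projects), fetchSignInMethodsForEmail no longer reveals the existing methods, which is one more reason to prefer path 1.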

Update 2023:
You can now choose if you want to allow 'User account linking'. For example, if you don't allow multiple accounts with the same email address, a user cannot create a new account that signs in using a Google Account with the email address ex@gmail.com if there already is an account that signs in using the email address ex@gmail.com and a password.
If you do allow multiple accounts with the same email address, your app's sign-in flow cannot rely on an email address to identify a user account.
You can find this under settings within Firebase Authentication.
There are some caveats to using this feature, please read about it here

Related

Changing account security to create app password through API

I'd like to at least automate some of this process:
https://forwardemail.net/en/faq#how-to-send-mail-as-using-gmail
It asks for an app password to forward emails under a different email username. Can either the app password generation part or the email username part be automated?
No, app passwords must be created by the user in their Google account after enabling 2FA.
I'm not sure about Google's TOS regarding using an app password in a third-party system like this, though. It should not be something that is shared, in my opinion.

How to fix login process to dialogflow after I have attached gmail to my non-gmail account?

I had a Google account that was not based on a Gmail account: I used another email provider's address as the login for my Google Account (myemailhere@ukr.net). And I used this Google account to log in to dialogflow.cloud.google.com.
Today Google suggested that I create a @gmail.com account and attach it to my myemailhere@ukr.net Google Account. I confirmed and created myemailhere@gmail.com.
Using both of these logins (myemailhere@gmail.com and myemailhere@ukr.net) I am still able to log in to my cloud.google.com profile. But when I try to log in to the Dialogflow profile (dialogflow.cloud.google.com) I see an eternal loading animation (or a totally blank page). There are no errors about the password or anything like that, just the login process after I submit the password and then a white page. I see this behaviour on all my devices, whether I try to log in with myemailhere@gmail.com or myemailhere@ukr.net.
And I see some 400 errors in the web console (if it matters).
Could you please help me to fix this and get access to Dialogflow?
Screenshot of what I see after entering the login and password
Do you have the project owner role for the mentioned username that is registered on your project in the GCP console (not the Dialogflow Console)? Here is a list of roles related to Dialogflow that grant access to its Console.
Note that some of these roles give full access or edit access, while other roles have permissions that simply give view access to the Dialogflow Console.
If you are missing any of these, then simply assign them in your GCP project's console.
Assigning roles as described above did not work for me. The solution was to delete the Gmail email service from the account.
Instructions here
If you would like to use Gmail, do NOT add Gmail to your existing Google account. You should instead create a separate Google account and use Gmail from this separate account.

Cognito email verification

I'm working on building a mobile / web app and would like to utilize AWS Cognito for authentication.
I wanted to do a proof of concept before implementing it completely. As part of that, I have set up a user pool and used Amplify to sign up and sign in users.
As part of sign-up I was able to verify the user using a verification code sent to either a phone or an email.
Also as part of sign-in, I received the MFA tokens on my phone/email and validated the MFA before logging in.
My question is, I would like to differentiate the email/phone verification methodology (sign-up) from the MFA token methodology (sign-in).
Is it possible to verify the user's email via a verification link (sign-up) and utilize token-based MFA for sign-in?
I tried changing the user pool MFA message from code to link. I'm getting a verification link in my email; however, I'm not getting an MFA challenge, because I have used email as my verification method.
Per the documentation, email verification doesn't trigger MFA as part of sign-in.
In your user pool, if you have selected both email and phone as required, phone is given higher priority. At the time of sign-up and sign-in, you are just given an MFA code via SMS, not email.
But if you want to use email for sign-up and a phone MFA SMS code for signing in, please read this:
You need to call three methods (GetUser, GetUserAttributeVerificationCode and VerifyUserAttribute) from the AWS SDK to verify the other attribute.
Reference article - AWS Docs
Hope it helps.
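The three calls the answer lists, as an added example (not the answerer's code, and not AWS's) written against the request and response shapes of the AWS SDK for JavaScript v3. In the real SDK each step is a command class from `@aws-sdk/client-cognito-identity-provider` (GetUserCommand, GetUserAttributeVerificationCodeCommand, VerifyUserAttributeCommand) passed to `client.send()`; here `send` takes a plain `{ name, input }` object so the flow runs offline against the constructed fake at the bottom. It goes one step past the answer: once phone_number is verified it calls SetUserMFAPreference to make SMS the preferred MFA for sign-in, which assumes the user pool has MFA set to optional. The access token, attribute values and the code 123456 are constructed.

```javascript
// Added example, not code from the answer above or from AWS. Verify the
// phone_number attribute of a user who signed up and verified by email, then
// turn on SMS MFA. `client.send({ name, input })` stands in for the v3 SDK's
// `client.send(new <Name>Command(input))`; the fake client below is constructed.

function attrValue(user, name) {
  const a = (user.UserAttributes || []).find((x) => x.Name === name);
  return a ? a.Value : undefined;
}

// All four operations authenticate with the user's own access token, obtained
// from the sign-in that just completed; no admin credentials are involved.
async function verifyPhoneAndEnableSmsMfa(client, accessToken, askCode) {
  const user = await client.send({ name: "GetUser", input: { AccessToken: accessToken } });
  if (!attrValue(user, "phone_number")) throw new Error("user has no phone_number attribute to verify");
  let verifiedNow = false;
  if (attrValue(user, "phone_number_verified") !== "true") {
    // Cognito texts a code to the still-unverified number.
    await client.send({ name: "GetUserAttributeVerificationCode",
      input: { AccessToken: accessToken, AttributeName: "phone_number" } });
    const code = await askCode();
    await client.send({ name: "VerifyUserAttribute",
      input: { AccessToken: accessToken, AttributeName: "phone_number", Code: code } });
    verifiedNow = true;
  }
  // SMS MFA can only be delivered to a verified number; enable and prefer it.
  await client.send({ name: "SetUserMFAPreference",
    input: { AccessToken: accessToken, SMSMfaSettings: { Enabled: true, PreferredMfa: true } } });
  return { verifiedNow, smsMfaEnabled: true };
}

// Constructed fake of the Cognito user-pool API for one user whose email is
// verified and whose phone is not. The real service generates a random code.
function makeFakeCognitoClient() {
  const state = {
    attrs: { email: "ex@example.com", email_verified: "true",
             phone_number: "+15555550100", phone_number_verified: "false" },
    lastCode: null, mfa: null, calls: [],
  };
  const fail = (name, message) => Object.assign(new Error(message), { name });
  return {
    state,
    async send(cmd) {
      state.calls.push(cmd.name);
      if (cmd.input.AccessToken !== "valid-access-token") throw fail("NotAuthorizedException", "Invalid Access Token");
      switch (cmd.name) {
        case "GetUser":
          return { Username: "ex", UserAttributes: Object.entries(state.attrs).map(([Name, Value]) => ({ Name, Value })) };
        case "GetUserAttributeVerificationCode":
          state.lastCode = "123456";
          return { CodeDeliveryDetails: { DeliveryMedium: "SMS", AttributeName: cmd.input.AttributeName } };
        case "VerifyUserAttribute":
          if (cmd.input.Code !== state.lastCode) throw fail("CodeMismatchException", "Invalid verification code provided");
          state.attrs[`${cmd.input.AttributeName}_verified`] = "true";
          return {};
        case "SetUserMFAPreference":
          state.mfa = cmd.input.SMSMfaSettings;
          return {};
        default:
          throw new Error(`unexpected command ${cmd.name}`);
      }
    },
  };
}
```

Run it once after the first sign-in with the access token from that session; on later sign-ins it finds phone_number_verified already "true" and only refreshes the MFA preference. A wrong code surfaces as CodeMismatchException and a stale token as NotAuthorizedException, which are the names the real service returns.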

Login without password via link with authentication token

To make the experience for our users more convenient, we implemented a feature which allows a user to automatically get logged in when he clicks on a link he received via email.
In the past he had to click on the link and then enter his password. By providing a special security token in the link, we can now automatically log in the user without the need to enter his password.
A few days after we went live with this feature, internal pages (which can only be accessed via password or via the special email link) appeared in the Google search results. We are using Gmail as the email provider for sending emails from our system.
The only explanation I have for this behaviour is that Google is crawling the links in the emails, which is not very nice of them if those are "private" links.
Is there a safe way to still allow users to log in without a password via a special link they receive in their email, without Google being able to crawl the internal pages?

integrate login to my sites with OpenId or OAuth

I have a few sites developed with Zend Framework 1 and Zend Framework 2. I want users to register on the main site, and on the other sites I want to have a login button. If the user clicks on login:
1- if the user has previously logged in on the main site, the user is logged in without entering any information.
2- if the user has not logged in on the main site, a popup opens and asks for his username/password for the main site, then logs him in to the site.
I don't understand whether that is possible with OpenID or OAuth.
In OpenID the user must generate an OpenID identifier, for example:
http://www.example.com/USERNAME
but I prefer that the user doesn't enter any additional information.
For example, on Stack Overflow you can use a Google or Yahoo account.
If you want to use a Yahoo account it asks for your OpenID, but I don't know what system Google uses that doesn't ask for any ID and just has the user enter his email and password if he is not logged in to his Google account.
I prefer Google's system, where the user doesn't enter any URL to log in.
Sincerely
Clicking the Google button on the Stack Overflow login screen silently fills in the URL
https://www.google.com/accounts/o8/id
as OpenID URL. This is an XRDS file which tells the OpenID library where the auth server can be found.
The OpenID spec defines this in section 7.3.1:
If the end user entered an OP Identifier, there is no Claimed Identifier. For the purposes of making OpenID Authentication requests, the value "http://specs.openid.net/auth/2.0/identifier_select" MUST be used as both the Claimed Identifier and the OP-Local Identifier when an OP Identifier is entered.