How to handle multiple social accounts with different emails? - authentication

I have an application that allows users to sign up with google and facebook. Both provides email information when sign in.
My problem is that facebook account is associated with an different email than google, so its creating two accounts to the "same" user.
How to solve this problem?
I was thinking about this flow:
User sign up with email and password
In user profile user can associate its account with facebook, google, etc..
From now on user can sign in with facebook, google, etc...
Is this the best way to solve the problem?

Yes, that is a good way to solve the problem.
You can also let him authorize with Google+ and Facebook before registration, check if the user is in the database already with that account (Facebook or Google+ ID), and if he is NOT in the database you redirect him to the registration form.

Related

How to deal with social login flow in my site - problematic flow and best practices

So I read a lot about social login on the web.
The problematic flow is:
1) User sign up with regular email
2) User sign in with Social (Facebook, Google, etc.)
What should I do?
If the social email is different from its original email, that's ok, for me it's a different account.
But, if the email is the same, I'm acting like it's the same user.
The problem is the following scenario:
1) User signup with regular email
2) An attacker signup to Social with the user email (without email verification)
3) The attacker can log in to my system as the User.
So the question here is, are there main socials (facebook, google, ...) that allow social login to other site, without verify the user's email?
What do you think? Thanks!
Most sites actually just map social snowflake values to user ids. For example the flows would go like this:
Here is the flow if the user signs up with email
User signs up with regular email
User can now link their social to regular account to login with social (email doesnt have to match)
Profit
Here is the flow if the user signs up with a social
User signs up with social
Use social to autofill normal account fields
Ask for any additional fields needed (leave password null if you like to require social login)
Link social snowflake value to existing account.
If you need any clarification ask but I tried my best to explain :)
Current providers that are considered 'safe' for the problematic flow you are mentioning would be Google and Microsoft (including Azure AD) to my current knowledge.

Sending notifications for website users signed via Facebook or Twitter. How?

Let's imagine that we have ecommerce website that suggests 3 way for user registration:
regular email
via facebook
via twitter
Now let's imagine that we have user signed via facebook/twitter account and we need send him notification about his order (order complete or s/t like that). How can we do this? It is absolutely clear for regular email users - we should just email them notification, but what about Facebook/Twitter users?
Thank you!
With Facebook when they authenticate with your application, you can request email permissions to be able to access the email address they have nominated to use with their facebook account. At the point of registeration you could then store this address in your database and all order flow could follow the existing email path.
You could probably re-use this methodology for twitter too.
I can understand the need to differentiate on registration processes however I think you want to streamline post order notification as much as possible for consistency across users.

Twitter doesn't provide email address for Rails integration

I've integrated social logins (Facebook, Twitter, etc.) with a Rails app using Devise and OAuth. The requests and callbacks all work great and users are able to authenticate the app and login efficiently.
My problem is this:
With Devise, my site has the user's email address as the username. So, whenever a user logs in through a social site for the first time, a 'connection' record is stored for their account to show which social sites they've logged in with. If they don't already have an account on my site, one is created with the email address from the callback array. The connection is then stored along with the returned tokens and secrets for later use (FB posts, tweets, etc.).
Unfortunately, Twitter doesn't provide the email address. To circumvent this, I'm asking first-time users that login with Twitter to simply provide an email address so an account can be created. However, I can't figure out what to do if they already have an account on my site. I can't check if they already do since I'm not given an email address to match up. This could ultimately cause a user to have multiple accounts.
So, I'm a bit at a loss, and if anyone has any suggestions, it would be extremely helpful.
Thanks! :)
You'll need to store some oauth provider info like {provider, twitter identifier} too to your database and then check twitter oauths based on that instead of the email ID.
The simplest thing to do would be to add a slightly different flow for if the login was via twitter. Ask a first time Twitter login user for the email ID. In your users table, add a column called tw_id and add the users twitter identifier. Next time, if the login is via Twitter, you check the tw_id instead of the provider email and proceed with the normal app flow.

Single login (facebook, twitter, linkedin) services: how to combine accounts

The problem I see with single login services, is that if you login once using Facebook, once using Twitter, and once using LinkedIn - you have three different accounts. Everything would be fine, if Twitter was giving an email address. So, how do you fix it?
I have the same problem and I was hoping the clever folks on SO would have an elegant solution. All I can think of doing is :
User logs in with LinkedIn
Check the user table to see if they have an account using their LinkedIn id
If not, ask them for their email address before logging them in
When we have the email address, check to see if they already have an account using their email address
If they do, add their LinkedIn ID to this record and log them in
If they don't, create a new record and log them in
This means that each user record needs fields for every possible account, or more correctly use a link table connected to their local user id with a record for each account they log in with.
It also defeats the benefit of a simple OpenId login because the user has to register their email the first time they login with a new OpenId account.
Like I said, elegant it ain't, but it is the best I can think of.

is it possible to get the email of a user who logs in using open id providers?

i want to know if its possible to get the email of the people who are using open id to authenticate to my site [of course with the user knowing that i am getting their email]?
this email will be the user id of the user and i want the user to be able to loggin using any provider and then i will set this email as the user identity.
i need this information in order to design the structure of my site.
i am looking into the following open id providers.
Gmail
Yahoo
Facebook Connect
Hotmail
thanks
Use open social API's...
OpenSocial defines a common API for social applications across multiple websites. With standard JavaScript and HTML, developers can create apps that access a social network's friends and update feeds.
Refer to this link for more:-
http://code.google.com/apis/opensocial/
Who says the OpenID provider has the user's e-mail to give to you? I can get an OpenID identity that's accessed only by my fingerprint.