boopdewoop | 1 year ago

Agreed, I have seen some sites check the email used and link the account instead of creating a new one. I much prefer this.

merb | 1 year ago

Only works with email validation. Sadly some providers don’t do this (not even Microsoft Azure AD in some cases…)

dotancohen | 1 year ago

Some OAuth users, e.g. from Facebook, don't even have an email address associated with the account. Just a phone number.

eastbound | 1 year ago

Security breach: For a target with a Gmail account, create an account on an unsecured OAuth provider, login to such sites with the unsecured email, access their data because it allows auth with any OAuth provider.

portaouflop | 1 year ago

Easily preventable. Ask the user to supply a credential before linking the accounts, or only allow account linking if the email is verified at the IdP (as someone else noted this is not possible for all IdPs, but for Google it is).
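The linking policy described in the two comments above (eastbound's unverified-IdP scenario and portaouflop's mitigation), as an added illustrative example that is not code from any site or commenter in this thread. The provider allowlist, the `IdpIdentity` shape and the account lookup are assumptions; the only real names used are the standard OIDC `email` / `email_verified` claims.

```python
# Account-linking decision for OAuth/OIDC sign-in (hypothetical example).
# Rule: an existing local account is auto-linked only when the IdP is one we
# trust to verify email ownership AND the token says the email is verified.
# Otherwise the user must prove ownership with their existing credential.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class LinkDecision(Enum):
    LINK = "link"               # attach the IdP identity to the existing account
    REAUTH_REQUIRED = "reauth"  # account exists, but email ownership is not proven
    CREATE_NEW = "create"       # no local account for this email (or no email at all)


# Constructed allowlist: providers whose email_verified claim we rely on.
VERIFYING_IDPS = {"google"}


@dataclass(frozen=True)
class IdpIdentity:
    provider: str            # which OAuth/OIDC provider issued the assertion
    subject: str             # the provider's stable user id ("sub")
    email: Optional[str]     # None for providers that only expose a phone number
    email_verified: bool     # the OIDC email_verified claim as asserted by the IdP


def decide_link(identity: IdpIdentity, existing_accounts: Dict[str, str]) -> LinkDecision:
    """existing_accounts maps lowercase email -> local user id (constructed lookup)."""
    if not identity.email:
        # Nothing to match on (e.g. a phone-only social login): never link by guess.
        return LinkDecision.CREATE_NEW

    email = identity.email.strip().lower()   # case-insensitive match on the address
    if email not in existing_accounts:
        return LinkDecision.CREATE_NEW

    # An attacker-controlled or non-verifying IdP can assert any email it likes,
    # so a match alone is not ownership proof. Trust only an allowlisted IdP
    # that explicitly marks the address verified; everyone else re-authenticates.
    trusted = identity.provider in VERIFYING_IDPS and identity.email_verified
    return LinkDecision.LINK if trusted else LinkDecision.REAUTH_REQUIRED
```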

ascorbic | 1 year ago

Do any sites allow login from any OAuth provider? How would that even work? Providers need client IDs and client secrets.

lxgr | 1 year ago

On one hand I like that feature – on the other hand it somewhat terrifies me, since it essentially delegates email verification to any of their accepted OAuth providers, unless they make you re-authenticate using your existing credentials, or redo email verification, upon linking the accounts. And not nearly all sites do.