Changing email address of an open_id authenticated account can lock you out


(Nathan Rijksen) #1

One user on our forums has signed up using his Google account and afterwards changed his email address in his preferences. This effectively locks him out of his account, as logging in with Google no longer connects him to the account he was using.

His post on the matter: http://forum.komodoide.com/t/wheres-my-account/45

Ideally SSO accounts should not dictate any profile fields that can be changed by the user.


(Kane York) #2

I think the correct solution here is to use the Forgot Password link, or start signing in with a different service that does map to that email address.


(Sam Saffron) #3

I am meant to be storing the link, got a repro of the issue.


(Nathan Rijksen) #4

Correct workaround perhaps, definitely not the correct solution. The current behavior can easily be remedied and I personally see no reason why you would want to keep it the way it is.


(Sam Saffron) #5

You know, it's the cost of outsourcing your abstractions. We outsourced our OpenID abstraction to the openid gem and omniauth-openid … at some point the internal implementation changed.

Working on a fix.


(Sam Saffron) #6

Fixed now:

https://github.com/discourse/discourse/commit/5897d3419cd61a2de633db3f271586043e98ad52

This will correct the issue going forward (it will fix up broken links as users log in).
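To illustrate the class of bug discussed in this thread (an external login matched to a local account by a mutable email instead of a stable provider identifier), here is an added, self-contained Ruby sketch. It is not Discourse's code and not the contents of the linked commit; the user, identity and auth-hash shapes are constructed assumptions.

```ruby
# Added illustration (not Discourse's code): link an external (OpenID-style) login
# to a local account by the provider's stable uid, using the email only to
# bootstrap the first link. A later email change then cannot break the login.
User = Struct.new(:id, :email)
Identity = Struct.new(:provider, :external_id, :user_id)

class AccountLinker
  attr_reader :users, :identities

  def initialize
    @users = []       # constructed in-memory stand-in for the users table
    @identities = []  # constructed stand-in for the external-identity table
  end

  def add_user(id, email)
    @users << User.new(id, email.downcase)
  end

  # Simulates the user editing the email in their profile preferences.
  def change_email(id, new_email)
    @users.find { |u| u.id == id }.email = new_email.downcase
  end

  # Robust lookup: auth is a constructed hash like
  # { provider: "google", uid: "stable-id", email: "someone@example.com" }.
  def resolve(auth)
    link = @identities.find do |i|
      i.provider == auth[:provider] && i.external_id == auth[:uid]
    end
    return @users.find { |u| u.id == link.user_id } if link

    # First login from this identity: match on the provider-supplied email once,
    # then persist a link keyed on the stable uid for every later login.
    user = resolve_by_email_only(auth)
    return nil unless user
    @identities << Identity.new(auth[:provider], auth[:uid], user.id)
    user
  end

  # Fragile lookup (the behaviour reported in this thread): the mapping lives
  # only in the email match, so a profile email change orphans the login.
  def resolve_by_email_only(auth)
    @users.find { |u| u.email == auth[:email].to_s.downcase }
  end
end
```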


(Nathan Rijksen) #7

Thanks Sam! You guys are quick :slight_smile:


(Sam Saffron) #8

This topic was automatically closed after 24 hours. New replies are no longer allowed.