Issue: user changed google account and can't connect thru his profile

@supermathie now that we’re migrating all the auth providers to use the same logic, this logic will need to be refactored / removed.

A lot has changed in the authentication system since 2017. The main thing is that users can connect/disconnect accounts whenever they want.

As I understand it, this change was added to protect against:

  • User connects google account 00001, with email user@example.com, to their discourse account

  • User tries to log into discourse using google account 00002, with email user@example.com

  • Error is shown, must be resolved on the console

Under the new “ManagedAuthenticator”, this would happen:

  • User connects google account 00001, with email user@example.com, to their discourse account

  • User tries to log into discourse using google account 00002, with email user@example.com

  • User logged in, reference to 00001 is scrubbed and replaced with 00002

I believe this is also the same method we follow with core Discourse SSO.

This seems fine to me. If a user is in control of a google account with a matching email address, then we should trust them. Was there a specific attack vector you were trying to protect against with this error message, or can we go ahead and make it match the other authenticators?

6 Likes

There was, see:

Wearing my paranoid hat, I felt it was best to at least make someone look into this situation when it happens.

5 Likes

But in that case they could just resend their password and log in that way instead of using OAuth?

This change feels user-hostile, in our corporate environment, the scenario (user leaves company, email is deactivated; user is re-hired and email is re-instanced) is relatively common when we hire freelancers.

Fair enough, after some thought I don’t think there’s any benefit here. What do you think @david?

Prior to this change the result was “error”, functionality didn’t change.

If the email is deactivated, the Google account won’t change and you won’t run into this. Only if you delete the user.

3 Likes

Fair enough :smiley:

“Deactivated, don’t know how our IT-department implements that, might be that they delete the google account”
We just encountered this yesterday and I found this recent thread, wanted to share my feedback :slight_smile:

1 Like

Yeah, the protection here is certainly more ‘cautious’, but as @bas says we put so much trust in email=identity elsewhere that I think it’s fine to clean things up automatically. I’ll be migrating Google over to the new system this week so will make this change.

Also, note that @supermathie’s change was made well over a year ago - I just bumped a very old topic. Things have changed a lot in our authentication system since then.

4 Likes

I did not notice that, thank you :slight_smile:

3 Likes