Linking custom OAuth providers with existing Firebase user

any updates? following up

tldr; Yes it is possible to “Link” an official OAuth provider with a Custom token sign in mechanism. However it’s not really “linking” but you can do something that looks like it.

For the custom providers that we’re demonstrating in this repo we’re generating a custom token that allow to sign-in with an account of the given UID. I think there is some confusion with what a custom token allows you to do. Let me try to explain by going through the 2 scenarios and how you could implement something that is similar than “linking”:

Official Provider first

Let’s go through the flow of when a user first creates an account using an official provider (e.g. Facebook/Google) and THEN signs-in with a custom provider:

The user has signed in with Google/Facebook First in the past. This creates an account that is “marked” as being enabled for Google/Facebook for a specific Google/Facebook User ID.

Normally when a user want to link an account (e.g. Links a Google with a Facebook account) he will first have to sign in with the Existing provider (e.g. Google) and also provide a Facebook Credentials then we’ll mark the two as being linked. We need to try to replicate this behavior for a custom provider.

In this scenario the user will sign in with a custom auth provider (e.g. Line). Since we are signing-in the user by generating a custom token it can simply work right away by generating a custom token for the existing user with the same email address (e.g. search for existing users with (getUserByEmail())[https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#getUserByEmail]). The admin SDK allows you to simply generate the custom token without any checks. However this is not the recommended path for a user security perspective. Because you should not trust that both account are controlled by the same person you should first ask the user to sign-in with his existing account:

1. On the server side you check if an account with the same email already exists using (getUserByEmail)[https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#getUserByEmail]
2. An account exists: If the user is not marked as being enabled for the custom Provider (e.g. Line, see next step) you must ask the user to sign-in using the existing account first to prove ownership (e.g. Facebook or Google)
3. Now the user is signed-in via Facebook/Google you can “mark” the account to be enabled for the custom provider too (e.g. Line) and save the Line User ID. You can use any sort of database you want to save that information but I think the best is to set a custom user claim (see setCustomUserClaim()) this ways the info stays attached to the user object directly and this saves requests. setCustomUserClaim({lineUID: lineMid})

Effectively you implemented your own “Linking” by checking Line is enabled on the account and making sure the Line User ID match what you have saved.

Custom Provider first

If a user creates an account using a custom provider first (e.g. Line) and tries to sign-in using a Google/Facebook account that has the same email things are easier since you can use the JS SDK to link the accounts by:

1. User signs in Using Google/Facebook. You get an error that a user already exists. Keep the AuthCredential object in memory.
2. Prompt the user to sign-in using the custom provider (e.g. Line). You get back a Custom token which you use to sign-in via signInWithCustomToken()
3. Now the user is signed in via a custom token you can link the two accounts using linkWithCredential().

The current samples are mono-providers for simplicity.

By the way just a reminder: using the Firebase Console, you have the option to allow multiple accounts with the same email address which gets rid of all the issues related to Linking. In this case a Google account aaa@bbb.com will be different from a Facebook account with the same email address aaa@bbb.com, they will have different Firebase UID.