For some reason google oauth2 can signup into same user with different gmail emails

Sometimes when a user signs up to my service with his Gmail account and then signs up with his G Suite account, both emails create a record in the UserSocialAuth model, but for the same Django User. Can someone help me understand why this happens and how to avoid it? I need both Gmail accounts to have separate Django accounts.

SOCIAL_AUTH_PIPELINE = [
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.auth_allowed',
    'social_core.pipeline.social_auth.social_user',

    # request consent if no refresh_token
    'contrib.pipelines.redirect_if_no_refresh_token',

    'social_core.pipeline.user.get_username',
    # http://python-social-auth.readthedocs.io/en/latest/use_cases.html#associate-users-by-email
    'social_core.pipeline.social_auth.associate_by_email',
    'social_core.pipeline.user.create_user',
    'social_core.pipeline.social_auth.associate_user',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',

    'contrib.pipelines.get_avatar',
    # create default data for user
    'contrib.pipelines.dummy_data.create',
]

Here is how it looks in my db:

In [7]: for uu in UserSocialAuth.objects.filter(user__email='me@mydomain.com').values():
   ...:     print(uu)
   ...:
{'user_id': 133, 'uid': 'me@mydomain.com', 'provider': 'google-oauth2', 'id': 125, 'extra_data': {'auth_time': 1523347209, 'access_token': '...', 'expires': 3600, 'token_type': 'Bearer', 'refresh_token': '...'}}
{'user_id': 133, 'uid': 'me@gmail.com', 'provider': 'google-oauth2', 'id': 401, 'extra_data': {'auth_time': 1522379769, 'access_token': '...', 'expires': 3598, 'token_type': 'Bearer'}}

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
omab commented, May 21, 2018

@imomaliev, if the user doesn’t log out from your app and then proceeds to log in with the second G Suite account, then the new social account is associated with the currently logged-in user. If you want to enforce separate accounts, then you need to enforce that no user is currently logged in on your site.

0 reactions
omab commented, May 25, 2018

@imomaliev, yes, it can be implemented on a single framework, but for these kinds of features that have such an impact on the user experience, I prefer to have them implemented on each supported framework, or at least have the corresponding placeholders in the codebase for them to be implemented at some point or for the developer to extend with the desired functionality.

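The behaviour described in omab's first comment, as an added example that is not part of the original thread or of python-social-auth: a custom pipeline step that refuses to attach a new Google identity to an already logged-in user, plus an audit over existing rows. The names refuse_link_when_logged_in, AlreadyLoggedIn and users_with_multiple_uids are hypothetical, and the sample rows are constructed.

```python
from collections import defaultdict

try:  # real exception type when social-auth-core is installed
    from social_core.exceptions import AuthException
except ImportError:  # offline stand-in with the same constructor shape
    class AuthException(Exception):
        def __init__(self, backend, *args):
            self.backend = backend
            super().__init__(*args)


class AlreadyLoggedIn(AuthException):
    """Hypothetical error: a session user is about to gain a new social identity."""


def refuse_link_when_logged_in(backend, user=None, social=None, *args, **kwargs):
    """Pipeline step (hypothetical name) to list right after social_user.

    At that point `user` is the logged-in user, if any, and `social` is the
    stored record for this provider uid, or None when the uid is new.
    """
    if user is not None and social is None:
        # Without this check, associate_user would link the new uid to `user`.
        raise AlreadyLoggedIn(backend, "Log out before signing up with another account")
    return None  # nothing to add to the pipeline state


def users_with_multiple_uids(rows):
    """Audit helper: (user_id, provider) -> sorted uids when more than one is linked."""
    seen = defaultdict(set)
    for row in rows:
        seen[(row["user_id"], row["provider"])].add(row["uid"])
    return {key: sorted(uids) for key, uids in seen.items() if len(uids) > 1}


# Constructed rows shaped like the UserSocialAuth.objects.values() output above.
SAMPLE_ROWS = [
    {"user_id": 133, "provider": "google-oauth2", "uid": "me@mydomain.com"},
    {"user_id": 133, "provider": "google-oauth2", "uid": "me@gmail.com"},
    {"user_id": 134, "provider": "google-oauth2", "uid": "other@gmail.com"},
]

if __name__ == "__main__":
    print(users_with_multiple_uids(SAMPLE_ROWS))
```

The step would be listed by its dotted path in SOCIAL_AUTH_PIPELINE directly after 'social_core.pipeline.social_auth.social_user'; the audit helper can be fed the real queryset's .values() to find accounts that were already merged.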
