OAuth2 Authentication Flow (Signup/Login) needs work

tankerkiller125

Currently the OAuth2 authentication flow will register a completely new account if the email address for the 3rd party account doesn't match any emails currently in the Flarum database. In my opinion if an email address isn't found an option should appear that allows the user to sign into an already existing account so that it can link the 3rd party account to the Flarum account even if the email addresses don't match.

Currently pressing the login button underneath the sign up form after OAuth2 does not create this connection. This can lead to confusion, and sometimes duplicate accounts. Instead of taking the user directly to the signup form it should ask if they already have an account first before taking them to a sign up form. This would reduce confusion, reduce duplicate accounts and it also has the benefit that the emails of the 3rd party site doesn't need to match up with the one used on the Flarum forum.

matteocontrini

On my forum I've had at least 5 users that created duplicate accounts (unintentionally), and each time they replied to their discussions with a different account 🤦‍♂️

tankerkiller125

matteocontrini Flarum is pretty much the only software I've ever seen that has a login flow like this. I'm really hoping one of their Devs sees this post and looks into fixing the problem. I think I actually have a duplicate account somewhere on this forum in fact because of this exact issue.

clarkwinkelmann

Note: this response is based on my previous knowledge of Flarum authentication, but I have a feeling I'm not up to date. Please correct me if needed.

Until recently Flarum only had email-based accounts. We didn't save which social login you used to login into the account. So a social login could only be used to authenticate into an account with the same email.

There was some change recently including this PR https://github.com/flarum/core/pull/1514 but I'm not sure if it allows connecting providers with different emails or just store additional data.

If it's not already implemented the feature could easily be implemented as a third-party extension until core integrates it.

Sanguine

FWIW I would find it quite confusing if an email - defacto primary identifier for pretty much every authenticated service out there - wasn't considered a primary identifier anymore. But maybe that's my developer bias speaking.

[deleted]

Sanguine I agree. It's actually an accepted standard to use email addresses rather than just plain usernames. WordPress has been doing this for some time - it gives you the choice to force the user to login using their email address, or a plain usernames. I ashtrays usually opt for the former.

tankerkiller125

Sanguine I still think it should be the primary identifier for regular login. What I'm saying though is that the OAuth2 implementation shouldn't rely on the email addresses matching in order to authenticate a user. For example I might sign up to a university forum using my personal email, but then maybe they switch to Google for email and stuff and add Google as an Oauth2 provider to the forum. In which case I might decide to connect my university Google account instead of my personal one for easier future authentication. Currently this doesn't work because my university email would be different than the email I used to sign up to the forum, thus making a brand new account instead of connecting my old one.

The other problem with using email as the primary identifyer for OAuth2 is the people who choose to tag emails (emailaddress+forum@website.tld) in which case the OAuth2 provider might have a diffrent email of emailaddress+oauth2@website.tld which would cause issues with flarum in it's current configuration.

[deleted]

tankerkiller125 Couldn't you simply change the email address before logging in with the new OAUTH provider ?

tankerkiller125

[deleted] Sure, I might know to do that as someone who's been using flarum for a long time. But how many regular everyday users are going to know that? Especially if it's their first experience with flarum? Especially since 99% of all other websites I've seen allow you to sign in using an old account before making the assumption that you want a new account.

[deleted]

tankerkiller125 I do agree - just trying to find a balance. It's a point that will be raised - 100%

tankerkiller125

[deleted] Personally I've always done it in one particular way on my own sites:

User Has Account Already (E-Mail Matches)

User chooses to sign in using OAuth2 for the first time
Server detects that the email from OAuth2 matches that of a current user
Server request password for the found user account
User enters the password correctly
Server connects the accounts and never request a password going forward

User Has Account Already (E-Mail Doesn't Match)

User chooses to sign in using OAuth2 for the first time
Server can not find a pre-existing account
Server displays a prompt asking if user wants to sign in using existing account or register a new one
User chooses to sign into account
User successfully enters credentials
server makes the association and never prompts for forum credentials again when using OAuth2

User Does Not Have Account

User chooses to sign in using OAuth2
Server can not find pre-existing account
Server displays a prompt asking if user wants to sign in using existing account or register new one
User chooses to register new account
Server request required information not provided by OAuth2
User completes sign up
Server makes association between the newly registered account and the OAuth2 provider

Using this method I've never had a user complain about confusion or duplicate accounts being created. I'm not saying that this is the exact method that Flarum should use but I do know that it's a tried a proven method that seems to work really well. I understand that there are hundreds of ways to implement OAuth2 and this is just one of them.

[deleted]

tankerkiller125 I agree 100%. This in fact is how it works in WordPress.

Bone

how is this going, i can only recode myself to reach this goal ? ☹️