3

I'm using python-social-auth with Django. I want to authorize via Facebook, but before that, I already registered in the default way (email, password) with the email that Facebook uses. Can I associate the Facebook account with the registered account? I tried to search, but found nothing.

streamride

1 Answer

6

Check Associate users by email, that should explain how to do it.

Associate users by email

Sometimes it’s desirable that social accounts are automatically associated if the email already matches a user account.

For example, if a user signed up with his Facebook account, then logged out and next time tries to use Google OAuth2 to login, it could be nice (if both social sites have the same email address configured) that the user gets into his initial account created by Facebook backend.

This scenario is possible by enabling the associate_by_email pipeline function, like this:

```python
SOCIAL_AUTH_PIPELINE = (
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.auth_allowed',
    'social_core.pipeline.social_auth.social_user',
    'social_core.pipeline.user.get_username',
    'social_core.pipeline.social_auth.associate_by_email',  # <--- enable this one
    'social_core.pipeline.user.create_user',
    'social_core.pipeline.social_auth.associate_user',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',
)
```

This feature is disabled by default because it’s not 100% secure to automate this process with all the backends. Not all the providers will validate your email account and other users could take advantage of that.

Take for instance User A, registered in your site with the email foo@bar.com. Then a malicious user registers with another provider that doesn’t validate his email, using that same address. Finally this user will turn to your site (which supports that provider) and sign up to it. Since the email is the same, the malicious user will take control over the User A account.

EDIT: Link fixed and copied docs details into this answer.

omab
  • You need to be logged in, right? Otherwise it creates a new account and you end up with duplicate email addresses, which will raise an exception. – Val Neekman Apr 01 '14 at 03:58
  • @ValNeekman, no, association by email works on logged out users only. The exception is raised when the given email is already used by more than one account, because PSA doesn't know which one to use to associate. – omab Apr 01 '14 at 04:52
  • Are you sure? I looked at the code for associate_by_email: it returns None for zero emails, raises an AuthException for more than one email and returns the user if exactly one email is found. In my case, I sign up with Google, log out, then sign up with Facebook that has my Gmail account, and boom, I get the second account created with the same email address. I'm catching AuthException, but it is not raised in my case. When the user is logged in, everything works properly, but I want to avoid a duplicate email entry in my DB if not logged in. thx – Val Neekman Apr 01 '14 at 13:38
  • How's your pipeline setting defined? `associate_by_email` won't work on logged in users (basically because merging user accounts is highly tied to the project), won't return a user if there's no account with that email registered, and will raise an exception if more than 1 user account shares the same email address (because it doesn't know which one to pick: the first? the second? the third?). – omab Apr 02 '14 at 07:08
  • Whilst this may theoretically answer the question, [it would be preferable](//meta.stackoverflow.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. The site is gone now, so this answer is as good as empty :( – Nanne Aug 11 '17 at 21:13
  • @Nanne, changed – omab Aug 11 '17 at 22:58
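
The takeover risk described in the quoted docs can be narrowed by swapping `associate_by_email` for a stricter pipeline step. The sketch below is an added example, not code from python-social-auth or from the answer above. The allowlist contents, the `email_verified` response key, the `AssociationRefused` exception (a stand-in for `social_core.exceptions.AuthException`) and the fake backend are assumptions made so it runs offline.

```python
from types import SimpleNamespace

# Assumption: backends you have confirmed verify email ownership (hypothetical allowlist).
TRUSTED_EMAIL_BACKENDS = {"google-oauth2"}


class AssociationRefused(Exception):
    """Stand-in for social_core.exceptions.AuthException so this runs offline."""


def associate_by_verified_email(backend, details, response=None, user=None, *args, **kwargs):
    """Pipeline step: link to an existing account by email only for trusted backends."""
    if user:  # already resolved by social_user or a logged-in session
        return None
    email = (details or {}).get("email")
    if not email:
        return None
    users = list(backend.strategy.storage.user.get_users_by_email(email))
    if not users:
        return None  # no local account with this email: create_user runs next
    claim = (response or {}).get("email_verified", True)  # assumed claim name
    if backend.name not in TRUSTED_EMAIL_BACKENDS or claim is not True:
        # Stop the pipeline instead of taking over the account or creating a duplicate.
        raise AssociationRefused("log in with your password, then connect this provider")
    if len(users) > 1:
        raise AssociationRefused("email is shared by more than one account")
    return {"user": users[0], "is_new": False}


def fake_backend(name, accounts):
    """Constructed test double exposing only what the step reads from a backend."""
    def lookup(email):
        return [u for u in accounts if u["email"].lower() == email.lower()]
    storage = SimpleNamespace(user=SimpleNamespace(get_users_by_email=lookup))
    return SimpleNamespace(name=name, strategy=SimpleNamespace(storage=storage))


def demo():
    accounts = [{"id": 1, "email": "foo@bar.com"}]  # constructed: User A from the docs
    results = {}
    for name in ("google-oauth2", "unverified-provider"):  # second name is hypothetical
        backend = fake_backend(name, accounts)
        try:
            out = associate_by_verified_email(backend, {"email": "foo@bar.com"}, {})
            results[name] = out["user"]["id"]
        except AssociationRefused:
            results[name] = "refused"
    return results
```

In a real project the function would take the place of the `associate_by_email` entry in `SOCIAL_AUTH_PIPELINE` and raise `AuthException` rather than the stand-in class.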