
Sometimes when a user signs up to my service with his Gmail account and then signs up with his G Suite account, both emails create records in the UserSocialAuth model, but for the same Django User. Can someone help me understand why this happens and how to avoid it? I need both Gmail accounts to have separate Django accounts.

I am using social-auth-app-django https://github.com/python-social-auth/social-app-django

My pipeline:

SOCIAL_AUTH_PIPELINE = [
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.auth_allowed',
    'social_core.pipeline.social_auth.social_user',

    # request consent if no refresh_token
    'contrib.pipelines.redirect_if_no_refresh_token',

    'social_core.pipeline.user.get_username',
    # http://python-social-auth.readthedocs.io/en/latest/use_cases.html#associate-users-by-email
    'social_core.pipeline.social_auth.associate_by_email',
    'social_core.pipeline.user.create_user',
    'social_core.pipeline.social_auth.associate_user',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',

    'contrib.pipelines.get_avatar',
    # create default data for user
    'contrib.pipelines.dummy_data.create',
]

Here is how it looks in my DB:

In [7]: for uu in UserSocialAuth.objects.filter(user__email='me@mydomain.com').values():
   ...:     print(uu)
   ...:
{'user_id': 133, 'uid': 'me@mydomain.com', 'provider': 'google-oauth2', 'id': 125, 'extra_data': {'auth_time': 1523347209, 'access_token': '...', 'expires': 3600, 'token_type': 'Bearer', 'refresh_token': '...'}}
{'user_id': 133, 'uid': 'me@gmail.com', 'provider': 'google-oauth2', 'id': 401, 'extra_data': {'auth_time': 1522379769, 'access_token': '...', 'expires': 3598, 'token_type': 'Bearer'}}
Sardorbek Imomaliev
  • This sounds quite implausible to me... there must be some issue with the way you have configured your pipeline, or the way you are testing it. – solarissmoke May 01 '18 at 06:58
  • @solarissmoke I updated my question with my pipeline configuration – Sardorbek Imomaliev May 01 '18 at 07:01
  • I cannot see how this would happen. Think you're going to have to provide more details to reproduce this before anyone can help - i.e., specific details of what steps you are taking to log in, and what the results are in terms of users being created, and how you are sure that it is indeed one user being authenticated for two different social users. – solarissmoke May 04 '18 at 04:22
  • @solarissmoke provided data from my database – Sardorbek Imomaliev May 04 '18 at 07:13

2 Answers


The issue seems to be with the associate_by_email config in the pipeline. Removing that config would create a new user for all new social logins.

According to the doc:

if a user signed up with his Facebook account, then logged out and next time tries to use Google OAuth2 to login, it could be nice (if both social sites have the same email address configured) that the user gets into his initial account created by Facebook backend.

Read more here: http://python-social-auth.readthedocs.io/en/latest/use_cases.html#associate-users-by-email

scene_contra
  • It talks about different backends, not about the same one – Sardorbek Imomaliev May 10 '18 at 02:42
  • That's as per the example. `associate_by_email` doesn't create a new user if a user with the same email id already exists irrespective of the provider. You can [refer the code](https://github.com/python-social-auth/social-core/blob/1eadf8fa7b13a79363e4fa51ce06e0ae1cc3ca63/social_core/pipeline/social_auth.py#L51) – scene_contra May 12 '18 at 08:30
  • Yes, I know that, but in my example the user has 2 different emails – Sardorbek Imomaliev May 12 '18 at 16:25

Got an answer from @omab himself https://github.com/python-social-auth/social-core/issues/232

if the user doesn't log out from your app, and then proceeds to log in with the second G Suite account, then the new social account is associated to the currently logged in user. If you want to enforce separated accounts, then you need to force that no user is currently logged in on your site.

Sardorbek Imomaliev