3
votes

How can I configure my Google identity platform to enforce 'single account per email address' rule without automatically linking credentials?

Expected (desired) behaviour:

  1. The user logs in with Google
  2. The user logs in with a 3rd party authentication provider using the same email address
  3. Firebase Auth should throw an error with code 'auth/account-exists-with-different-credential'
  4. The web application catches the error and asks the user to log in with an existing provider before linking the user with the new credential from the SSO. (See: https://firebase.google.com/docs/reference/js/firebase.auth.Auth)

Actual behaviour:

  1. The user logs in with Google
  2. The user logs in with a 3rd party provider using the same email address
  3. Google automatically links the user with the existing account

Note: this is a problem because a 3rd party admin can potentially create a credential with any email address to hijack any account on our platform.

Background:

I'm using Firebase with Google Identity Platform enabled to integrate with 3rd party SSO. The identity platform has the following providers enabled:

  1. Anonymous
  2. Email / Password
  3. Facebook
  4. Google
  5. 3rd party authentication via OKTA

The identity platform does not have any tenant enabled.

In Firebase Authentication, the 'One account per email address' option is enabled. This option appears to be linked to the 'User account linking - link accounts with the same email address' option in Identity Platform.
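The expected behaviour described above, written out as an added example (not code from the original question or from Firebase): a sign-in handler that refuses to link on its own when Firebase raises 'auth/account-exists-with-different-credential', and only attaches the new credential after the user has signed in with a provider already on the account. It is written against the v8-style Auth surface the question links to (`signInWithPopup`, `fetchSignInMethodsForEmail`, `User.linkWithCredential`, and the error fields `code`, `email`, `credential`); the real object would be `firebase.auth()`, and the fake `auth` built at the bottom is a constructed stand-in so the flow runs offline.

```javascript
// Added example, not code from the original question or from Firebase.
// Assumes the v8-style Firebase Auth API shape; `makeFakeAuth` is a
// constructed offline stand-in for `firebase.auth()`.

const ACCOUNT_EXISTS = 'auth/account-exists-with-different-credential';

// Step 1: attempt sign-in. When Firebase reports that the email already
// belongs to an account under a different provider, do not link anything yet.
// Return a pending-link record; linking happens only after the user proves
// ownership by signing in with a provider already attached to the account.
async function signInWithoutAutoLink(auth, provider) {
  try {
    const result = await auth.signInWithPopup(provider);
    return { status: 'signed-in', user: result.user };
  } catch (err) {
    if (err.code !== ACCOUNT_EXISTS) throw err;
    const existingMethods = await auth.fetchSignInMethodsForEmail(err.email);
    return {
      status: 'needs-existing-provider',
      email: err.email,
      existingMethods,                 // shown to the user: "sign in with Google first"
      pendingCredential: err.credential,
    };
  }
}

// Step 2: the user has signed in with an existing provider. Only now attach
// the new credential, and only to the account that actually owns that email.
async function completeLink(user, pending) {
  if (!pending || pending.status !== 'needs-existing-provider') {
    throw new Error('no pending link to complete');
  }
  if (user.email !== pending.email) {
    throw new Error('signed-in account does not own the pending email');
  }
  const result = await user.linkWithCredential(pending.pendingCredential);
  return result.user;
}

// ---- Constructed fake of the Auth surface used above (offline only) ----
function makeFakeUser(email, providerId) {
  return {
    email,
    providers: [providerId],
    async linkWithCredential(cred) {
      this.providers.push(cred.providerId);
      return { user: this };
    },
  };
}

function makeFakeAuth() {
  // one pre-existing account: alice signed up with Google
  const users = { 'alice@example.com': makeFakeUser('alice@example.com', 'google.com') };
  return {
    users,
    // Fake providers carry the email they assert, like an IdP's ID token would.
    async signInWithPopup(provider) {
      const existing = users[provider.email];
      if (existing && !existing.providers.includes(provider.providerId)) {
        const err = new Error('account exists with different credential');
        err.code = ACCOUNT_EXISTS;
        err.email = provider.email;
        err.credential = { providerId: provider.providerId };
        throw err;                       // the behaviour the question wants
      }
      if (!existing) users[provider.email] = makeFakeUser(provider.email, provider.providerId);
      return { user: users[provider.email] };
    },
    async fetchSignInMethodsForEmail(email) {
      return users[email] ? users[email].providers.slice() : [];
    },
  };
}

// Walk the full flow: OKTA assertion for Alice's email -> blocked ->
// Google sign-in (proves ownership) -> link.
async function demo() {
  const auth = makeFakeAuth();
  const okta = { providerId: 'oidc.okta', email: 'alice@example.com' };
  const google = { providerId: 'google.com', email: 'alice@example.com' };

  const first = await signInWithoutAutoLink(auth, okta);
  const second = await signInWithoutAutoLink(auth, google);
  const linked = await completeLink(second.user, first);
  return { first, linkedProviders: linked.providers };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The ownership check in `completeLink` is the part that matters for the hijack concern in the question: a pending credential for one email can never be attached to a session belonging to a different email, so an assertion minted by a third-party IdP for someone else's address ends at the "sign in with your existing provider" prompt.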

1
Try to do it with the Firebase console: (change the PROJECT ID in the URL) console.firebase.google.com/project/MY_PROJECT_ID/… Let me know if it works! - guillaume blaquiere
Thanks for the reply. The Firebase console lets you choose between "Allow creation of multiple accounts with the same email address" or "Prevent creation of multiple accounts with the same email address". If I choose the second option, it will automatically configure the Google Identity Platform to "User account linking - link accounts with the same email address". The two options are linked even though they mean very different things. I need the ability to enforce one account per email without the auto-linking feature. - Fnop

1 Answer

0
votes

Account linking will fail if the credentials are already linked to another user account. Looking at this documentation [1], merging accounts in this situation is handled by the code (link-multiple-accounts.js) and can be prevented by modifying it.

[1] https://firebase.google.com/docs/auth/web/account-linking