Firebase authentication provider silently changes from password to google.com

0
votes

I use firebase authentication for my web app with three providers: email-password, google, or facebook. I have enabled the option "One account per email address".

When a user signs up using email-password (with a gmail address), then later uses google sign-in, I expect to receive an exception "auth/account-exists-with-different-credential", but I do not. His providerId is changed to google.com and he cannot use his password anymore (throws "auth/wrong-password").

Is this normal behaviour?

1
firebase-authentication

1 Answers

2
votes

Firebase Authentication has a concept of a preferred provider for certain email addresses. The most common one is that google.com is the preferred provider for @gmail.com addresses, but I think they also exist for Facebook and Microsoft accounts.

If an existing account later signs up again from a preferred provider, that provider overwrites the existing user account. There is no way to change this behavior (that I know of).

Also see: