
This is my web-app "User Settings" page. I have simplified it to a minimum to better highlight the problem.

To authenticate users I use Auth0. I wanted to use the sub claim user_id to identify the users inside my MySQL database in order to update and retrieve the user's info. Unfortunately the user_id is different for each provider: for example, if the same user with the same e-mail logs in via Auth0 he gets one user_id; if he does it via Google he gets another one.

I thought about using the email to link the logged-in user to his info. The problem is in my API. Before the change it was "localhost:8080/api/users/:id"; each time it created a new id, and in any case it was impossible to recover the data of a single user. Now that I have replaced "id" with "email", my API has also changed to "localhost:8080/api/users/:[email protected]".

Before: [screenshot of the request before the change]

After: [screenshot of the request after the change]

In a few words, the request URL on the client side has also changed.

I would like to make sure that the GET and PUT requests are made based on the e-mail of the logged-in user, without having to modify the whole back-end.

1 Answer

Sounds like something is wrong with how you authenticate users. If you have multiple ways to authenticate a user, those methods need to be in a one-to-many relation with the user. For example, each user has a list of auth methods, and whenever an authentication is made you check your table of authentication methods and find the one user it maps to.

I'm not sure if you are doing this yourself or if the framework you are using is handling that, but it sounds like you need to change the model to allow many auth methods for a single account.

Also, you could use email, but that is also an "old" way of uniquely identifying users: almost every single person has multiple active email accounts nowadays, so you should also have a one-to-many relation from users to emails. What if the user has different email accounts for their Facebook and Google accounts?

See account linking here: https://auth0.com/docs/users/user-account-linking

It is dangerous to trust that the external providers are truthful about which email belongs to whom. What if I open a new account using someone else's email on one of the providers? Then I can log into that user's account in your application, which is a pretty big security risk.


2 Comments

So I have to use the user_id that the provider gives me. I'm following the guide for linking accounts. In the link you left you can see the token structure; I'm interested in this: "identities": [ { "provider": "google-oauth2", "user_id": "115015401343387192604", "connection": "google-oauth2", "isSocial": true } ]. How can I change the code so that it first looks for the provider column in my tables and then identifies the user_id? Check my sandbox file UserInfo.js, lines 56-86.
If you first sign in with Google, then sign in with Facebook, you will get two ids. What you need to do is give the user the link to connect the two accounts the way they are describing in the documentation. So when a user is logged in with Google, they can see a couple of links to also connect that account to another provider. It doesn't look like a problem on your end; you just need to let users connect their two OAuth logins somehow. It seems like it's just a link and OAuth will deal with it for you.
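As an added example that is not part of the question, the answer, or Auth0's documentation, here is how the one-to-many users/identities model from the answer, and the (provider, user_id) lookup the comments ask about, look in JavaScript. It also shows why the answer's warning holds: an unknown identity whose token carries an existing user's email gets a fresh account, not that user's. `makeStore`, `resolveUser`, `signIn`, `linkIdentity` and `getSettingsHandler` are hypothetical stand-ins for the MySQL tables and Express handlers; the only Auth0-shaped input is the `identities` array from the decoded token.

```javascript
// Added example, not code from the question, the answer or Auth0: resolve a
// logged-in user from the decoded Auth0 token by (provider, user_id), using a
// one-to-many users -> identities model, and never by email alone.
//
// Assumptions (hypothetical names, not an Auth0 or Express API):
//  - makeStore() stands in for the MySQL tables `users` and `user_identities`,
//    where user_identities has a UNIQUE index on (provider, provider_user_id).
//  - The decoded token carries the `identities` array shown in the Auth0 docs.
//  - Linking a second provider is an explicit action by a user who is already
//    authenticated (Auth0's account-linking flow), not an automatic email match.

function makeStore() {
  // Constructed sample data: one user, one linked Google identity.
  return {
    users: [{ id: 1, display_name: "Alice", email: "alice@example.com" }],
    identities: [ // one user -> many identities
      { user_id: 1, provider: "google-oauth2", provider_user_id: "115015401343387192604" },
    ],
  };
}
const store = makeStore();

// The value the UNIQUE index would be built on.
const identityKey = (provider, providerUserId) => `${provider}|${providerUserId}`;

// Map every identity in the token to a local user id; exactly one user may match.
// Returns null for an unknown identity: the caller must NOT fall back to email.
function resolveUser(decodedToken, db = store) {
  const byKey = new Map(
    db.identities.map((r) => [identityKey(r.provider, r.provider_user_id), r.user_id])
  );
  const matched = new Set();
  for (const ident of decodedToken.identities || []) {
    const uid = byKey.get(identityKey(ident.provider, ident.user_id));
    if (uid !== undefined) matched.add(uid);
  }
  if (matched.size > 1) {
    throw new Error("token identities map to more than one local user; data is inconsistent");
  }
  if (matched.size === 0) return null;
  const [uid] = matched;
  return db.users.find((u) => u.id === uid) || null;
}

// Sign-in: known identity -> existing user; unknown identity -> a NEW user,
// even if the token's email equals an existing user's email. That is what stops
// the attack in the answer (register someone else's email at another provider).
function signIn(decodedToken, db = store) {
  const idents = decodedToken.identities || [];
  if (idents.length === 0) throw new Error("token carries no provider identity");
  const existing = resolveUser(decodedToken, db);
  if (existing) return { user: existing, created: false };
  const user = {
    id: Math.max(0, ...db.users.map((u) => u.id)) + 1,
    display_name: decodedToken.name || decodedToken.email || "anonymous",
    email: decodedToken.email || null, // kept for display only, never as a login key
  };
  db.users.push(user);
  for (const ident of idents) {
    db.identities.push({ user_id: user.id, provider: ident.provider, provider_user_id: ident.user_id });
  }
  return { user, created: true };
}

// Account linking: attach one more provider identity to a user who is already
// logged in through an identity we trust. Refuses identities already owned.
function linkIdentity(authenticatedUser, ident, db = store) {
  if (resolveUser({ identities: [ident] }, db)) {
    throw new Error("identity already linked to a user");
  }
  db.identities.push({
    user_id: authenticatedUser.id,
    provider: ident.provider,
    provider_user_id: ident.user_id,
  });
  return authenticatedUser;
}

// Express-style handler sketch: the route takes neither :id nor :email;
// the subject comes from the verified token, never from the URL.
function getSettingsHandler(decodedToken, db = store) {
  const user = resolveUser(decodedToken, db);
  if (!user) return { status: 404, body: { error: "no account linked to this login" } };
  return { status: 200, body: { display_name: user.display_name } };
}
```

With this model the `GET`/`PUT` handlers never read an identifier from the path: they verify the token, call `resolveUser`, and operate on the user it returns, so the client-side URL can go back to a fixed `/api/users/me`-style route.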
