Multi-provider authentication for a same account

[binajmen]

Hello everyone,

I'd like to allow users to sign in to their account with different providers. A simple example would be:

1. Bob subscribes to a website with his email [email protected] and a p4ssw0rd!.
2. One week later, coming back to the same website, Bob forgot he has already an account.
3. He "subscribes" (in reality, he will sign in to his existing account) with his Google account. Same address, but using OAuth protocol.

My first question would be: does that makes sense to allow Bob to use multiple providers to log in to the same account, or should he be restricted to the first method chosen?

In the case that would be allowed, how would you implement that data model-wise?

I have the feeling I should clearly separate the unique info (id + email + roles) from the rest: different providers exposed different info (Google vs Twitter vs Facebook).

My first thoughts (in prisma terms) would be the following:

enum Role {
  user
  manager
  admin
}

model User {
  id             String           @id @default(uuid()) @db.Uuid
  email          String           @unique
  role           Role
  FormProvider   FormProvider[]
  GoogleProvider GoogleProvider[]
}

model FormProvider {
  User     User   @relation(fields: [userId], references: [id])
  userId   String @id @db.Uuid
  password String
}

model GoogleProvider {
  User         User   @relation(fields: [userId], references: [id])
  userId       String @id @db.Uuid
  accessToken  String
  refreshToken String
  //...
}

But I have the feeling I'm over/wrong-thinking everything..

Any examples how you would/have design(ed) that? Any experience to share?

🙏

[sergiodxa]

This is a really interesting questions, and the answer can depend on how you build your data. I'll mention two options.

The first option is the simples, create your User model

enum Role {
  user
  manager
  admin
}

model User {
  id             String           @id @default(uuid()) @db.Uuid
  email          String           @unique
  password       String
  role           Role
}

Then use the email to find the user in every strategy, in the FormStrategy you will also check the password, but on Google/Facebook/etc you can find the user using the email.

---

Another option, is to keep the providers the user used

model Identity {
  id            String  @id @default(uuid())
  provider      String
  providerId    String  @unique
}

Something like this, a user should have many identities, the identity should have the provider name (e.g. Facebook) and the provider ID which is the profile.id you receive from the provider.

This way, you match the user in your DB with the user in the provider DB, without depending on the user email. This let the user change the email on the provider without changing the email on your app.

This also means if the user used Facebook first and then it tries to login with Google it will not use the same user unless you allowed the user to connect the Google account after the first sign in. In my experience most apps do this.