How to distinguish between Google Logins and traditional email+pwd logins?
-
Did you have a fix on this issue?
-
And look at how much of a security hole it is if email and password registration is NOT verified (non-premium plans). For example, if somebody (an evil person) registers an email identical to another person's Google login.
Then suddenly the server cannot differentiate this person's session from that of the person using Google login, because req.session.user has no Identity Provider ID....
-
@admin-8 To distinguish between Google logins and traditional email and password logins, you can look for the presence of the Google logo or the "Sign in with Google" button on the login page. Another way to distinguish between the two types of logins is by checking the authentication process: Google logins use OAuth 2.0 protocol to authenticate users, while traditional email and password logins require users to enter their email address and password.
In addition, Google logins can often provide additional information about the user, such as their name, profile picture, and email address, which can be useful for personalizing the user experience. On the other hand, traditional email and password logins may only provide a unique identifier, such as an email address, to identify the user.
It's worth noting that some websites may offer both options for users to sign in, giving them the choice to either use their Google account or their traditional email and password.
-
@admin-8
Google Login and traditional email and password login are two different methods of authentication.
Google Login, also known as Google Sign-In, is a secure way to log into websites and apps using your Google account credentials. When you sign in with Google, you are asked to grant access to your Google account information, and you are then logged into the website or app using that information.
Traditional email and password login, on the other hand, requires you to create an account with a unique email address and password. When you sign in, you enter your email and password to access your account. -
@admin-8 Please look in the id token or use the introspection endpoint with the access token. Both of these should include an authenticationType claim. More details here: https://fusionauth.io/docs/v1/tech/oauth/tokens#id-token
There is an issue where this claim is not persisted after you refresh a token, so you should capture it on first authentication if you need it. The issue is slated to be fixed in 1.44, though it could change in priority based on other needs and feedback.
-
Distinguishing between Google Logins and traditional email + password logins involves the following:
User Input:
  Traditional Login: Email + password manually entered.
  Google Login: Authentication using Google credentials.
Authentication Protocol:
  Traditional Login: HTTPS and direct password verification.
  Google Login: OAuth or OpenID Connect for secure, third-party authentication.
User Experience:
  Traditional Login: Password entry and recovery mechanisms.
  Google Login: Streamlined process without password entry.
Security:
  Traditional Login: Relies on password strength.
  Google Login: Enhanced security with Google's features.
In summary, traditional logins use manual email + password entry, while Google Logins leverage Google credentials and advanced authentication protocols for a more streamlined and secure process. -
-
@ghstahl FusionAuth does have a few "reconcile" lambdas. This might be what you are looking for.
https://fusionauth.io/docs/extend/code/lambdas/google-reconcile. -
@mark-robustelli said in How to distinguish between Google Logins and traditional email+pwd logins?:
FusionAuth does have a few "reconcile" lambdas. This might be what you are looking for.
https://fusionauth.io/docs/extend/code/lambdas/google-reconcile.
This is what I'm looking for. Thanks!
-
It sounds like you're experiencing some confusion with the authentication setup in your FusionAuth application. When using traditional email + password authentication alongside Google login, you're expecting to see distinct information in the user session to differentiate between the two authentication methods.
In the context of your Express.js application, the req.session.user object should ideally provide some form of identity provider identification to distinguish between users authenticated via traditional email + password versus Google login. However, it appears that you're not seeing this distinction reflected in the session information.
This behavior could be due to how FusionAuth handles user authentication and session management. It's possible that FusionAuth is not explicitly adding information about the identity provider to the user session, leading to ambiguity when accessing the session data in your Express.js application.
To address this issue, you may need to customize your FusionAuth setup or modify your Express.js application logic to explicitly capture and store information about the identity provider used during authentication. This could involve updating your authentication middleware or incorporating additional FusionAuth API calls to retrieve and store identity provider information alongside user session data.
In summary, while the lack of distinction between authentication methods in the user session may not be the expected behavior, it's likely a result of how FusionAuth is configured or how session information is managed in your application. By exploring customization options and making adjustments to your application logic, you should be able to achieve the desired differentiation between traditional email + password and Google login authentication methods.