Attempt to login with a username password after account created with a social login

This is a general question regarding linking users. I am using auth0.js v8 with a custom login page (I can’t use the hosted login for UX reasons). I use an SQL database for storing my users.

At the moment if a user logins in with a social account for the first time I create a user in my SQL database which stores their auth0 user id along with their email etc.

What would be the recommended messaging in the UI if user tried to login with a username/password instead of their social account?

Would I simply display a standard ‘username or password’ incorrect message or could I display a message saying something like ‘login in with your Google account’ if they have a social account but no username/password account?

I guess one way to work around this is to force the user to create a username and password they first time they login with a social account but I kind of feel this defeats the purpose of using a social account to login.

Welcome your thoughts.

We do not recommend messaging that may indicate the existence/non-existence of a user account (e.g. Login with your Google account), as this could introduce user enumeration risk:
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

You could try using a generic message regardless of existence/idP, e.g.

An email has been sent to you if your
user account exists. If you do not
receive an email, please ensure you
are logging in with the same method as
you signed up (Google, Facebook,
Email).

@prashant Thank you kindly for your answer, the user enumeration risk makes a lot of sense.

So I was I just about to implement this approach and I noticed that when use try and use the signup method of auth0.js if you try and signup with an existing username it returns:

{“name”:“BadRequestError”,“code”:“user_exists”,“description”:“The user already exists.”,“statusCode”:400}

Obviously this introduces the user enumeration risk. Is there a way to fix this so that is returns a more benign message?

I guess one solution could be to have my own signup method on the server which uses the management API to signup users and returns a benign message if it fails.

Welcome your thoughts?

1 Like