Authorise social accounts before first login

mattan-teza · July 30, 2020, 1:35pm

Hi,

We are running in invite only mode and we would like to keep the option of signing in with social (Google), but limit the option to users that already exists in the system only - which were created using api (DB connection)

In my tests, if we disable social signups using rules and add the linking extension, users cannot login with Google (gets Signup disable error). otherwise, if disable social signup rules disabled, users basically signs up when signin in.

Anyway around this? Can we link user account to their “potential” google account before they log in for the first time?

john.gateley · July 30, 2020, 7:20pm

Hi @mattan-teza

Allow social logins and use a rule that declines the login if a social user logs in but there is no DB user corresponding.

However, you should require users to verify their DB password before linking a social and DB account, otherwise there is an attack vector.

John

mattan-teza · August 2, 2020, 5:22pm

Hi John, thanks for the quick response. We tried to implement your solution for few hours, but ran into problems with the api call to the database, do you have any suggestions or reference to similar rule?

Thanks again,
Mattan

john.gateley · August 3, 2020, 4:26pm

Hi @mattan-teza

If you create a custom DB connection (create a database connection and then set the “Use my own Database” on the Custom Database tab, you can create lots of samples for how to connect to various APIs (mostly DB APIs). There might be a sample there you can follow.

In short, you’ll have to call the MGMT API (which requires getting an access token), search for the user, and verify they are there.

John