Is there a difference between login & signup for social?

signup
social

#1

Hi,

Our application is configured with log-in and sign-up Lock
for social users. How can my system tell whether the user signed up for the service (i.e. clicked on the sign-up tab and clicked on “Sign up with Google”) or just performed a log-in with Google?

I would like to avoid cases in which a user mistakenly logged in with a new Google user, and my system translates it into a new signup.

My expectation is that Auth0 Lock will reject social login of non-existing users.


#3

Hey there @assaf.shlomi! I want to make sure I am understanding the question correctly so please let me know if I missed your desired result.

If you would like to allow social sign ups and merge them into username/password accounts we have a useful document here on linking the accounts:

If you would like to disable social signup, we go into those details in this document:

or if you want to allow signups only for those users that already have an existing username/password account, you can leverage rules with a combination of linking users by email https://auth0.com/rules/link-users-by-email and https://auth0.com/rules/disable-social-signup in a single rule and use the first as a condition for the disabled social signup.

Once again, if I missed the mark of the desired goal please let me know and I would be happy to take another look!


#4

Hi,
I’ll describe the problem again:

Scenario:

  • A user has two Google accounts - Account X and Account Y.
  • He opens Gmail of Account X in his browser.
  • Account X does not exist in the system - only Account Y.
  • He would like to log in with his Google Account Y.
  • He clicks on the Google icon in the Lock.
  • Since his browser was already logged in to Account X, Google does not ask for credentials and logs him in immediately with Account X.
  • Our application gets from Auth0 the information that this account passed authentication.
  • Since this account does not exist in the system, our app treats it as a new signup and provisions a tenant for the user instead of erroring out as “non-existing user”.

I was expecting that if I’m in the login tab of the Lock and logging in with Google, Auth0 will not pass the login if the user doesn’t exist.
Google will approve the authentication, but Auth0 should reject it.


#5

I wanted to follow up with you @assaf.shlomi after working with our TSE team.

In the event you would like to disable social sign-ups, you can use the disable social sign up rule as we previously spoke about in this doc here. However, there is no way for Auth0 to determine if the end user has another account. For example, there might be people with the same name or similar email addresses, and auto-logging in people for another account could pose a security risk.

Of course, as we previously spoke, if you want to add social logins for username/password accounts, this can be accomplished through the linking user accounts feature found here.


#6

No. I do not want to disable social signup. I want Auth0 to distinguish between social signup and social login.
If a new user tries to log in with social before signing up, Auth0 should respond with an error and ask the user to sign up first.
Today, when a user logs in with social without signing up, Auth0 treats it as a signup.


#7

I tried testing what I believe is the use case you are referring to and you are correct, there is no difference between “Log In” and “Sign Up” for a Social user. I used the Auth0 default python demo app and “logged in” using a google account that was not already in my tenant and I was both “signed up” and “logged in” at the same time. Maybe there is a technical difference but it appears there’s no functional difference between “log in with google” vs “sign up with google”.

You should however still get a pop up asking for permission to access your user details at the social provider if you have not used the given social account before.

Aside: When I tried “sign up with google” I got a CSRF error, but that may be a configuration issue. This was just using the 01-login demo app.


#8

Hey @assaf.shlomi I wanted to touch base and see if Mark’s response was able to help give you some added insight? Please let me know if you still have any questions on the subject!


#9

Hi,
Thanks. I understand from the response that Auth0 does not have any solution for my problem - if a new user logs in using social, Auth0 will treat it as “sign up” instead of rejecting the log-in.


#10

I’m bumping this because I think it’s a bug, and I think Assaf just gave up. :wink:

To reiterate the problem I am seeing, which is a slightly different scenario but has the same underlying issue:

  • User without an account opens the Lock modal.
  • User without an account clicks the “login” button for a social service (e.g. Google).
  • A new account is automatically created for that user, and the user is logged in with that account.

The problem is that there should be a separation between SIGNUP and LOGIN. If a user tries to LOGIN with an account that does not exist (social or otherwise) I would expect that Auth0 should return an error message (in the Lock UI or to the native client) and message the user something like:

There is no active account associated with that {{email account|Google profile|Microsoft profile|etc}}. Would you like to Sign Up?

Like Assaf, I want to keep Social Signup enabled… but I want to force users through a signup workflow. Should this work in Auth0?


#12

You should be able to force any such user through a signup process with a rule:

IF user.app_metadata.onboarded != true THEN redirect to onboarding flow

(^^^ not a developer!)
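The pseudo-rule in post #12 written out as an Auth0 rule, as an added example that is not code from the thread or from Auth0. It assumes that any connection whose strategy is not the `auth0` database strategy is social, that `ONBOARDING_URL` is a placeholder for the app's own signup page, that the onboarding page sets `app_metadata.onboarded` before continuing the redirect, and that `UnauthorizedError` is the rules-runtime global (stubbed here so the file runs stand-alone).

```javascript
// Added example of an Auth0 rule: runs after the social provider has
// authenticated the user, before Auth0 issues tokens to the application.
const ONBOARDING_URL = 'https://app.example.com/onboarding'; // placeholder

class UnauthorizedError extends Error {} // stub of the rules-runtime global

function forceSocialOnboarding(user, context, callback) {
  // Assumption: everything that is not the 'auth0' database strategy is social.
  const isSocial = context.connectionStrategy !== 'auth0';
  const onboarded = !!(user.app_metadata && user.app_metadata.onboarded === true);

  // Returning from the onboarding page: Auth0 re-runs the rule with this
  // protocol value; only finish the login if the app actually flagged the user.
  if (context.protocol === 'redirect-callback') {
    if (!onboarded) {
      return callback(new UnauthorizedError('Onboarding was not completed.'));
    }
    return callback(null, user, context);
  }

  // Database logins and already-onboarded social users pass through untouched.
  if (!isSocial || onboarded) {
    return callback(null, user, context);
  }

  // First social login of a user the app never onboarded. Auth0 has already
  // created the profile at this point (the rule cannot undo that), so instead
  // of silently treating the login as a signup, send the user to onboarding.
  // Replace the redirect with callback(new UnauthorizedError(...)) to reject.
  context.redirect = { url: ONBOARDING_URL };
  return callback(null, user, context);
}

// Small driver so the rule's decision can be inspected stand-alone; the
// callback above is invoked synchronously, so the result is available here.
function decide(user, context) {
  let result;
  forceSocialOnboarding(user, context, (err, u, c) => { result = { err, context: c }; });
  return result;
}
```

Without the `app_metadata.onboarded` flag (or an equivalent record in your own system) a rule has no signal to distinguish "sign up" from "log in", which is the gap the thread describes.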