
Is there a difference between login & signup for social?

signup
social

#1

Hi,

Our application is configured with log-in and sign-up Lock.
For social users: how can my system tell whether the user signed up for the service (i.e. clicked on the sign-up tab and clicked “Sign up with Google”) or just performed a log-in with Google?

I would like to avoid cases in which users mistakenly log in with a new Google user and my system translates it into a new signup.

My expectation is that Auth0 Lock will reject social login of non-existing users.


#3

Hey there @assaf.shlomi! I want to make sure I am understanding the question correctly so please let me know if I missed your desired result.

If you would like to allow social sign ups and merge them into username/password accounts we have a useful document here on linking the accounts:

If you would like to disable social signup, we go into those details in this document:

Or, if you want to allow signups only for those users that already have an existing username/password account, you can leverage rules with a combination of linking users by email https://auth0.com/rules/link-users-by-email and https://auth0.com/rules/disable-social-signup in a single rule and use the first as a condition for the disabled social signup.

Once again, if I missed the mark of the desired goal please let me know and I would be happy to take another look!


#4

Hi,
I’ll describe the problem again:

Scenario:

  • A user has two Google accounts: Account X and Account Y.
  • He opens Gmail of Account X in his browser
  • Account X does not exist in the system, only Account Y
  • He would like to log in with his Google Account Y
  • He clicks on the Google icon at the LOCK
  • Since his browser was already logged in to Account X, Google does not ask for credentials and logs him in immediately with Account X
  • Our application gets from Auth0 the information that this account passed authentication
  • Since this account does not exist in the system, our app treats it as a new signup and provisions a tenant for the user instead of erroring out as “non-existing user”

I was expecting that if I’m in the login tab of the LOCK and logging in with Google, Auth0 will not pass the login if the user doesn’t exist.
Google will approve the authentication, but Auth0 should reject it.


#5

I wanted to follow up with you @assaf.shlomi after working with our TSE team.

In the event you would like to disable social sign-ups, you can use the disable social sign up rule as we previously spoke about in this doc here. However, there is not a way for Auth0 to determine if the end user has another account. For example, there might be people with the same name or similar email addresses, and auto-logging in people for another account could pose a security risk.

Of course, as we previously spoke, if you want to add social logins for username/password accounts, this can be accomplished through the linking user accounts feature found here.


#6

No. I do not want to disable social signup. I want Auth0 to distinguish between social signup and social login.
If a new user tries to log in with social before signing up, Auth0 should respond with an error and ask the user to sign up first.
Today, when a user logs in with social without signing up, Auth0 treats it as a signup.


#7

I tried testing what I believe is the use case you are referring to and you are correct, there is no difference between “Log In” and “Sign Up” for a Social user. I used the Auth0 default python demo app and “logged in” using a google account that was not already in my tenant and I was both “signed up” and “logged in” at the same time. Maybe there is a technical difference but it appears there’s no functional difference between “log in with google” vs “sign up with google”.

You should however still get a pop up asking for permission to access your user details at the social provider if you have not used the given social account before.

Aside: When I tried “sign up with google” I got a CSRF error, but that may be a configuration issue. This was just using the 01-login demo app.
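
The scenario in post #4 can be handled on the application side, since the app only learns from Auth0 that authentication succeeded. The following is an added example, not code from the thread or from Auth0: the app records which button the user clicked before redirecting, and refuses to provision a tenant for an unknown account that arrives through the login path. The function names, intent values and sample `sub` values are hypothetical and constructed for illustration.

```javascript
// Added example: app-side gate between "log in" and "sign up" for social users.
// All names (createApp, beginAuth, handleCallback, intent values) are hypothetical.

// In-memory stores standing in for the app's user table and tenant list.
function createApp(existingSubs) {
  const users = new Set(existingSubs);   // keyed on the IdP subject, not on email
  const tenants = [];

  // Called when the user clicks "Log in" or "Sign up", before redirecting to Auth0.
  function beginAuth(session, intent) {
    if (intent !== 'login' && intent !== 'signup') throw new Error('bad intent');
    session.authIntent = intent;
  }

  // Called on the callback route with claims from an already-verified ID token.
  function handleCallback(session, claims) {
    const intent = session.authIntent;
    delete session.authIntent;           // single use: a stale intent cannot be replayed
    if (!claims || typeof claims.sub !== 'string') {
      return { action: 'reject', reason: 'no_subject' };
    }
    if (users.has(claims.sub)) return { action: 'login', sub: claims.sub };
    if (intent !== 'signup') {
      // Unknown account arriving through the login path: do not provision.
      return { action: 'reject', reason: 'unknown_user_signup_required' };
    }
    users.add(claims.sub);
    tenants.push(claims.sub);
    return { action: 'provision', sub: claims.sub };
  }

  return { beginAuth, handleCallback, tenants };
}

// Constructed scenario from the thread: Account Y exists, Account X does not.
function runScenario() {
  const app = createApp(['google-oauth2|account-y']);
  const session = {};
  app.beginAuth(session, 'login');
  const wrongAccount = app.handleCallback(session, { sub: 'google-oauth2|account-x' });
  app.beginAuth(session, 'login');
  const rightAccount = app.handleCallback(session, { sub: 'google-oauth2|account-y' });
  app.beginAuth(session, 'signup');
  const newSignup = app.handleCallback(session, { sub: 'google-oauth2|account-x' });
  const noIntent = app.handleCallback(session, { sub: 'google-oauth2|account-z' });
  return { wrongAccount, rightAccount, newSignup, noIntent, tenants: app.tenants };
}
```

In a real callback handler the claims must come from an ID token whose signature, issuer and audience have already been validated.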