Should social accounts auto-link on email address? #408

Closed
opened 2026-02-04 19:40:11 +03:00 by OVERLORD · 6 comments
Owner

Originally created by @ssddanbrown on GitHub (Aug 17, 2017).

Currently when logging in with a social account it will only allow login if the account is linked to a user. If a matching email is found it will not auto-link based on email address but advise the user should link their account in settings.

Similarly, when registering via a social account it will display an error if the user already exists and they're required to log in to link their account.

It would be a nicer user experience to simply always link on email address if possible.
Just wondering if anyone has any thoughts on the security of linking based on email address?

Really I suppose it comes down to the security of the OAuth service but if it's trusted for new registrations it might as well be trusted for linking to existing contacts?

OVERLORD added the Open to discussion Question labels 2026-02-04 19:40:11 +03:00

@ssddanbrown commented on GitHub (Aug 17, 2017):

Additional thought: by doing this some of the social auth code could be cleaned up quite a bit since the registration/login actions could essentially have the same logic.


@jkueh commented on GitHub (Aug 18, 2017):

My current thinking is that it could be circumvented by updating a random account on the OAuth provider side to the desired email address, and if that email address (despite its pending verification status on the provider end) is passed to BookStack, it could be used to gain entry if auto-linking is enabled.

That being said, what I would like is the option to auto-create and auto-link for Google users that are in a specified G Suite organisation, as well as memberships based on G Suite groups so the user is just presented with a 'Log in with Google' button that works regardless of whether they've visited it before 🙃


@ffub commented on GitHub (May 18, 2018):

I would also like to see this behaviour and a registration/login flow as described by @jordankueh. Combined with "remember me" working for social logins (#847), all the users of a linked domain would have to do is click "Log in with Google", once, to log in securely. The first time would require them to confirm their email address.


@ibrahimennafaa commented on GitHub (Aug 15, 2018):

@ffub why confirming the email address is required when the email was already verified by Google? I think the email verification should be skipped for users authenticating with Google. i.e. you cannot use someone else's email to login with Google so there is no need to verify the identity (that was the purpose of the Google Auth).
Does it make sense?

Do you guys have an update on these automatic signup features for social login? That is a blocker on my side to fully use the tool.

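The two positions in the thread (jkueh's point that an attacker can set a victim's address on their own provider account before it is verified, and ibrahimennafaa's point that an address the provider has already verified needs no second confirmation) are reconciled by one rule: link or register on e-mail only when the provider itself asserts the address is verified, and prefer the stable subject id over the e-mail for every later login. The following is an added example of that decision logic, not BookStack's own code and not the #966 implementation. It uses the OpenID Connect claim names (`sub`, `email`, `email_verified`, and Google's `hd` hosted-domain claim for G Suite accounts); the in-memory user store, the `decide` function and the action names are hypothetical.

```python
"""Decision logic for linking a social (OIDC) login to a local account.

Added example, not BookStack code. Threat modelled: an attacker changes the
e-mail on their own provider account to a victim's address; if the provider
passes that address through while it is still unverified, naive auto-linking
hands the victim's local account to the attacker. Rule applied here:

  1. a subject id already linked to a local user logs in regardless of e-mail;
  2. otherwise e-mail is only used if the provider says email_verified is true;
  3. optionally, only addresses inside one hosted domain (Google `hd` claim)
     may auto-link or auto-register.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class LocalUser:
    email: str
    # provider name -> provider subject id, e.g. {"google": "1182..."}
    social_ids: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    action: str              # "login", "auto_link", "auto_register" or "reject"
    reason: str
    user: Optional[LocalUser] = None


def decide(provider: str, claims: dict, users: Dict[str, LocalUser],
           allowed_hd: Optional[str] = None) -> Decision:
    """Decide what to do with a successful provider callback.

    `claims` is the verified ID-token / userinfo payload (hypothetical shape,
    modelled on OIDC). `users` is keyed by lower-cased e-mail and is mutated
    when a link or registration happens.
    """
    sub = claims.get("sub")
    email = (claims.get("email") or "").strip().lower()
    if not sub or not email:
        return Decision("reject", "missing sub or email claim")

    # 1. Existing link on the provider subject id wins; the e-mail plays no
    #    part, so changing the e-mail on the provider side later cannot
    #    redirect this login to another local account.
    for user in users.values():
        if user.social_ids.get(provider) == sub:
            return Decision("login", "linked by provider subject id", user)

    # 2. E-mail is only trusted for linking/registration once the provider
    #    itself has verified it. This is the check that defeats the
    #    "set the victim's address on my own account" attack.
    if claims.get("email_verified") is not True:
        return Decision("reject", "provider has not verified this e-mail")

    # 3. Optional hosted-domain restriction. Google only sets `hd` for
    #    accounts in a Workspace/G Suite organisation, so checking the claim
    #    (not just the address suffix) is what ties the user to the org.
    if allowed_hd is not None:
        if claims.get("hd") != allowed_hd or not email.endswith("@" + allowed_hd):
            return Decision("reject", "e-mail outside the allowed hosted domain")

    existing = users.get(email)
    if existing is not None:
        existing.social_ids[provider] = sub
        return Decision("auto_link", "verified e-mail matched an existing user", existing)

    created = LocalUser(email=email, social_ids={provider: sub})
    users[email] = created
    return Decision("auto_register", "verified e-mail, new user created", created)


def run_scenarios() -> Dict[str, str]:
    """Constructed sample callbacks; returns scenario name -> action taken."""
    users = {"alice@example.com": LocalUser("alice@example.com")}
    attacker = {"sub": "999", "email": "alice@example.com", "email_verified": False}
    victim = {"sub": "111", "email": "Alice@example.com", "email_verified": True}
    victim_renamed = {"sub": "111", "email": "other@example.net", "email_verified": True}
    staff = {"sub": "222", "email": "bob@corp.example", "email_verified": True,
             "hd": "corp.example"}
    outsider = {"sub": "333", "email": "eve@gmail.com", "email_verified": True}
    return {
        "attacker_unverified": decide("google", attacker, users).action,
        "victim_verified": decide("google", victim, users).action,
        "victim_later_by_sub": decide("google", victim_renamed, users).action,
        "staff_in_hd": decide("google", staff, users, allowed_hd="corp.example").action,
        "outsider_hd": decide("google", outsider, users, allowed_hd="corp.example").action,
    }


if __name__ == "__main__":
    for name, action in run_scenarios().items():
        print(f"{name}: {action}")
```

Note that the address is only ever compared after lower-casing, and that the "login" branch runs before the `email_verified` check: once a subject id is linked, the e-mail is informational only, which is also why a provider-side address change cannot be used to hop between local accounts.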

@ibrahimennafaa commented on GitHub (Aug 17, 2018):

Attempt of PR here #966
Let me know what you think :)


@ssddanbrown commented on GitHub (Sep 21, 2018):

This flow is now optionally possible as described here: https://github.com/BookStackApp/BookStack/pull/966#issuecomment-423610250

Therefore I'll now close this.


Reference: starred/BookStack#408