Users unable to login via social account (Google) when using multiple Google accounts #829

Closed
opened 2026-02-04 22:25:27 +03:00 by OVERLORD · 3 comments

Originally created by @nekromoff on GitHub (Sep 27, 2018).

Describe the bug
When a user is using multiple active Google accounts and switches between them, they are unable to log in to BookStack, because BookStack only gives a general message saying that the account is not linked.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Log in to Google using two different accounts, where one is registered with BookStack
  2. Switch to the account that does not use BookStack
  3. Go to BookStack and try to log in
  4. A generic message is given without any hint about switching between accounts

Expected behavior
A clear and concise error message that a switch of account is required (e.g. "You can not log in with account@gmail.com, only accounts under @domain.com are allowed. Please, switch your account to @domain.com and try to login again.")

Screenshots

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings):
    BookStack v0.22.0
  • PHP Version: 7.2.9
  • Hosting Method (Nginx/Apache/Docker): Apache

Additional context
Add any other context about the problem here.


@ssddanbrown commented on GitHub (Sep 27, 2018):

Thanks for this request.

The complex part of this is recognizing when this event could occur. How do we know if the user is an existing user that's using a different account?

In addition, I'm not sure exposing the allowed restricted domains is something that everyone would want since it's technically leaking security information that could be used for more targeted social engineering.


@nekromoff commented on GitHub (Sep 27, 2018):

I have used this solution in a similar project with social login with one domain allowed:

  1. if account is not under @ alloweddomain, display message that only accounts @ alloweddomain are able to log in
  2. if account is under @ alloweddomain, log user in

Is there a real security threat in displaying the domain? As far as I understand, even if you know the domain, there is no way to log in. You must have access to the remote service (OAuth provider) and be able to log in via them.

Maybe instead of exposing the whole domain, a few characters could be used, or just a generic message stating that logins are domain restricted and you should try with a different social account...


@ssddanbrown commented on GitHub (May 18, 2019):

Looking back at this, I don't want to go too far out of the way to support an edge-case flow like this. Since this comment chain, functionality has been added to allow the following in the .env file:

GOOGLE_SELECT_ACCOUNT=true

This will prompt the user to select their Google account, which would probably work well for this scenario since they'll have to think about what account to choose.
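The two mechanisms discussed in this thread, shown together as added example code that is not BookStack's own: building the Google authorization request with `prompt=select_account` (the OAuth 2.0 parameter that forces Google's account chooser, which is the effect described above for GOOGLE_SELECT_ACCOUNT=true), and the allowed-domain check from the earlier comment, written so the user gets a generic message while the rejected address and the allow-list go only to the server log. Function names, the client ID, callback URL and domains are hypothetical sample values.

```php
<?php
// Added illustration, not BookStack's own code. Names are hypothetical.
// (1) buildGoogleAuthUrl: what GOOGLE_SELECT_ACCOUNT=true achieves, via the
//     standard OAuth 2.0 prompt=select_account parameter.
// (2) checkAllowedDomain: the allowed-domain check from the thread, with a
//     generic user message and the full reason kept for the server log.
declare(strict_types=1);

function buildGoogleAuthUrl(string $clientId, string $redirectUri, string $state, bool $selectAccount): string
{
    $params = [
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'response_type' => 'code',
        'scope'         => 'openid email profile',
        'state'         => $state, // anti-CSRF value bound to the session
    ];
    if ($selectAccount) {
        // Always show Google's account chooser so a user signed in to several
        // accounts can pick the one linked to the application.
        $params['prompt'] = 'select_account';
    }
    return 'https://accounts.google.com/o/oauth2/v2/auth?' . http_build_query($params);
}

/**
 * Returns [allowed, messageForUser, messageForLog].
 * The user-facing text never names the allowed domains.
 */
function checkAllowedDomain(string $email, array $allowedDomains): array
{
    $at = strrpos($email, '@');
    $domain = $at === false ? '' : strtolower(substr($email, $at + 1));
    $allowed = array_map('strtolower', $allowedDomains);
    if ($domain !== '' && in_array($domain, $allowed, true)) {
        return [true, '', "social login accepted for domain {$domain}"];
    }
    $userMsg = 'This account is not permitted to log in. If you are signed in to several '
             . 'Google accounts, switch to the one registered with this site and try again.';
    $logMsg  = "social login rejected: {$email} not in allowed domains [" . implode(', ', $allowed) . ']';
    return [false, $userMsg, $logMsg];
}

// Constructed sample values; the callback path and domains are placeholders.
echo buildGoogleAuthUrl('CLIENT_ID_PLACEHOLDER', 'https://docs.example.com/login/service/google/callback', 'random-state', true), PHP_EOL;
[$ok, $msg, $log] = checkAllowedDomain('someone@gmail.com', ['example.com']);
echo $ok ? 'allowed' : $msg, PHP_EOL;   // generic message shown to the user
error_log($log);                        // detailed reason for administrators
```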

Reference: starred/BookStack#829