Multiple authentication providers per user | Security

Multiple authentication providers per user

Aurélien Georget

The current implementation only supports one provider by user. This feature will allow your user to support multiple authentication providers like Google and Twitter for the same user.

February 3, 2022

Сафа Лабаш

i found solution for strapi 4 using passwordless and providers like google and facebook :
file:/node_modules/@strapi/plugin-users-permissions/server/controllers/auth.js
if (provider === 'local') {
.....
}else {
try {
let user = await getService('providers').connect(provider, ctx.query);
// Check if the user exists based on email
const existingUser = await strapi
.query('plugin::users-permissions.user')
.findOne({ where: { email: user.email } });
if (existingUser) {
// Check if the existing user is linked to another provider
if (existingUser.provider !== provider) {
// Link accounts
try{user = await strapi.query('plugin::users-permissions.user').update({data:{ provider},where:{ id: existingUser.id}}
)}catch(e){console.log("error updating",e)}
}
}  
if (user.blocked) {
throw new ForbiddenError('Your account has been blocked by an administrator');
}
return ctx.send({
jwt: getService('jwt').issue({ id: user.id }),
user: await sanitizeUser(user, ctx),
});
} catch (error) {
throw new ApplicationError(error.message);
}
}
file:/node_modules/@strapi/plugin-users-permissions/server/services/providers.js
@@ -67,8 +67,15 @@ module.exports = ({ strapi }) => {
const advancedSettings = await strapi
.store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
.get();
+    let user = _.find(users, { provider });
+    if(_.isEmpty(user)){
+      user = _.find(users);
+    }
   const user = _.find(users, { provider });
if (_.isEmpty(user) && !advancedSettings.allow_register) {
throw new Error('Register action is actually not available.');
use patch-package to save the changes.
hope it works for you

Orhan Bayram

any updates ??? I was about to use strapi for my production until bumping this issue

Florian Séran

It's the most important feature, and IMO should be THE priority. It look like crazy to start a new project with a CMS who can't handle multiple login providers for one user account. Strapi is wonderful, but as is, I can't choose Strapi for serious project because of that. It's a really big blocker...

Jonas Haefele

We REALLY need a more stable user/permissions model. 
An extendible provider system like the email/storage providers would be great.
And at the very least we need to be able to assign multiple providers per user ID. 
Currently, there are very strange behaviors like duplicated accounts with the same email address (one account per provider),  even if "One account per email address" is set in Advanced Settings.

Fabian Skarmeta

Oh man we really need this

ali coskun

any update on this ?