
Can Facebook Omniauth email address be securely trusted?

I have a traditional Devise user authentication system that simply uses email and password to log in. I want to add login with Facebook. I have this mostly working, but I am curious about the security implications of handling an edge case.

Let's say this stuff here happens:

  1. User is currently unauthenticated, but has an existing account with email "foo@bar.com"
  2. User clicks "Login with Facebook", authorizes access from Facebook
  3. Facebook calls back to my server showing email as "foo@bar.com"

At this point we have a user account with no attached Facebook credentials, and we have a Facebook credential with no attached user, but they both have the same email.

So at this point there are two options:

  1. Complain at the user that that email address is already in use by another user, and that to add Facebook to their account they must first login (with their password) and associate the Facebook account.
  2. Or simply sign them in to the account that had the same email, and then attach the Facebook credential to their account.

Option 2 is preferred as it's easier for the user, but it means giving access to an account via Facebook that has never before been linked to Facebook. If the email address the server gets from Facebook can be spoofed or altered in any way, this is a huge security issue.

But my server trusts that a user is secure for an email, and so does Facebook. But can I trust the communication between them?

You can only link the accounts if the email has been confirmed on both services.

On your side, you should be confirming the user's email (using Devise's Confirmable module).

On Facebook's side, they should send a verified_email field that confirms that that account's email address has been confirmed. Unfortunately, Facebook only returns a verified field which is affected not only by email but also by SMS confirmation and by entering a valid credit card.

However, it seems that the email will only be returned if it has been confirmed. See this SO question for more information. The problem is I can't find the official documentation that confirms this (this is as close as I could get), so in the meantime I recommend testing this on your own just to be absolutely sure. If you do find the right documentation, don't forget to add a comment here.
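The answer's rule (auto-link only when both services have confirmed the address, otherwise fall back to option 1 and require a password login) as an added Ruby example, not code from the question or the answer. It stands in for the Devise user table and the OmniAuth auth hash with plain structs and constructed data, and assumes Facebook's `verified` flag is exposed under `extra.raw_info`, where the omniauth-facebook strategy places the raw profile.

```ruby
# Constructed stand-ins for the Devise users table and linked OAuth identities.
User     = Struct.new(:id, :email, :confirmed_at, :identities, keyword_init: true)
Identity = Struct.new(:provider, :uid, keyword_init: true)

USERS = [
  User.new(id: 1, email: 'foo@bar.com', confirmed_at: Time.now, identities: []),
  User.new(id: 2, email: 'new@bar.com', confirmed_at: nil,      identities: []),
]

# Decide what the OmniAuth callback should do. Returns [action, user]:
#   :sign_in       - this provider uid is already linked, just sign in
#   :link_and_sign - option 2: safe only because BOTH sides confirmed the email
#   :require_login - option 1: email matches, but the trust chain is incomplete
#   :register      - no local account with that email (or no email at all)
def resolve_omniauth(auth, users = USERS)
  provider = auth['provider']
  uid      = auth['uid']
  email    = auth.dig('info', 'email').to_s.strip.downcase

  # A previously linked identity is the strongest signal; check it first.
  linked = users.find { |u| u.identities.any? { |i| i.provider == provider && i.uid == uid } }
  return [:sign_in, linked] if linked

  return [:register, nil] if email.empty?
  existing = users.find { |u| u.email.downcase == email }
  return [:register, nil] unless existing

  # Assumption: Facebook's "verified" flag lives in extra.raw_info (omniauth-facebook).
  provider_verified = auth.dig('extra', 'raw_info', 'verified') == true
  local_confirmed   = !existing.confirmed_at.nil?   # Devise Confirmable
  return [:require_login, existing] unless local_confirmed && provider_verified

  existing.identities << Identity.new(provider: provider, uid: uid)
  [:link_and_sign, existing]
end
```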
