XF 2.2 Simplifying access through social accounts on Xenforo

Miri

Well-known member
When users attempt to log in or register on XenForo using their social accounts such as Facebook, they may encounter the error:

Oops! We ran into some problems. This account's email is already associated with another member. Please log into that account to associate this account.


While this solution prevents the creation of duplicate accounts, it can create difficulties for users who want to log in using their social accounts but already have an account on XenForo with the same email. Moreover, users may be confused about the need to "associate" their social accounts with the existing XenForo account, discouraging the use of social accounts as a method of access.

To address these issues, it would be possible to automatically create an account for users who log in using their social accounts and do not yet have a XenForo account. Additionally, users who already have a XenForo account should be able to log in using their social account, even if it has not yet been associated.

This solution would simplify the login and registration process on XenForo and make the use of social accounts as a method of access more intuitive and convenient for users.
 
To address these issues, it would be possible to automatically create an account for users who log in using their social accounts and do not yet have a XenForo account.
If they register via social media then they have an XF account.
That's what registering via social media does.

In this case, all the member needs to do is associate their social media account with the existing XF account.
 
Perhaps I used too many words to express my idea and went on too long, losing the point of my request. I am aware that there is a registration mode through social media and that XenForo creates a new account.

My proposal is to automatically associate the social media account with the existing XF account, without requiring the user to manually perform this action. This would greatly simplify the login process for users who want to use social media login.

Currently, if a user already has a registered account, they cannot log in through social media accounts without first manually associating their social media account with XF. I wonder if there is a particular logic behind this method.

I may be wrong but I believe this method is not found in other websites that use social media accounts for login.
 
It could be problematic because you are giving too much trust at various points. You are trusting the third party connected account provider to have verified the email they present to you, for example. There are some cases where a user can log in with something like Facebook without a verified email in Facebook. So what happens if I create a Facebook account with your email address you have registered here and didn’t verify the email in Facebook? XenForo automatically links the accounts and I now control your XenForo account.


From a development standpoint, you need to assume all parties are lying in the “transaction”. You can’t trust a user to be who they say they are and you also can’t trust third party connected account providers to be 100% the user on their side is who they say they are either (at least not as far as basing it on email address).
 
@digitalpoint pretty much already explained why it is unfortunately unavoidable to associate in order to prevent unauthorized access to XenForo accounts.

Scenario
I register a Facebook account with email address info@miri.com in 2018 and verify that this email address is correct.
In 2021 I let domain miri.com expire but forget to also change my email address in Facebook; as I don't use Facebook frequently I don't notice this mistake.
In 2022 @Miri registers miri.com (which hasn't been re-registered since it expired in 2021) and signs up to xenforo.com using info@miri.com.
In 2023 I decide to use my Facebook account again, stumble upon xenforo.com and decide to log in with my Facebook account.

Now we've got two accounts from two different persons with the same email address - if XenForo would just assign my social login to an existing XenForo account with the same email address I would gain access to your account (without anybody intentionally "lying" at any point).

The only way to avoid this is for the existing account to prove authorized access by logging in.

The associate process could be streamlined though, e.g. instead of just giving an error message XenForo could directly ask for the account credentials to complete the association.
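
The streamlined flow suggested in the last post, as an added example that is not part of the thread and not XenForo's own code: a social sign-in whose email matches an existing account is only associated after the existing account's password is supplied. Python is used as a neutral model; the `Forum` class, `social_login` and the outcome strings are hypothetical names, and the sample accounts are constructed from the scenario above.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Forum:
    """Constructed in-memory stand-in for a forum's user and connected-account tables."""

    def __init__(self):
        self.users = {}   # user_id -> {"email", "salt", "pw_hash"}
        self.links = {}   # (provider, provider_user_id) -> user_id

    def register(self, email, password):
        salt = os.urandom(16)
        user_id = len(self.users) + 1
        self.users[user_id] = {"email": email.lower(), "salt": salt,
                               "pw_hash": _hash(password, salt)}
        return user_id

    def social_login(self, provider, provider_user_id, email, password=None):
        """Return (outcome, user_id) for a completed provider sign-in.

        `email` is whatever the provider reports. It is used only to find a
        candidate account, never as proof of ownership of that account.
        """
        key = (provider, provider_user_id)
        if key in self.links:                      # already associated: log in
            return "logged_in", self.links[key]
        match = next((uid for uid, u in self.users.items()
                      if u["email"] == email.lower()), None)
        if match is None:                          # unknown email: normal sign-up path
            return "register_new", None
        if password is None:                       # email collision: ask for proof
            return "confirm_password", None
        user = self.users[match]
        if not hmac.compare_digest(_hash(password, user["salt"]), user["pw_hash"]):
            return "denied", None
        self.links[key] = match                    # proven: associate, then log in
        return "logged_in", match

def demo():
    forum = Forum()
    owner = forum.register("info@miri.com", "correct horse")  # constructed sample data
    stale = forum.social_login("facebook", "fb-2018", "info@miri.com")
    wrong = forum.social_login("facebook", "fb-2018", "info@miri.com", "guess")
    linked = forum.social_login("facebook", "fb-owner", "info@miri.com", "correct horse")
    again = forum.social_login("facebook", "fb-owner", "info@miri.com")
    return owner, stale, wrong, linked, again
```

The stale 2018 Facebook identity never reaches the account, even though its email was once verified, while the real owner links once and then signs in without the password prompt.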
 