Sign in with: Google

Akesson

Member
I suggest making the "Sign in with: Google" button on the login page work even if you are already a member but not logged in.

Right now, an error message is displayed instead of saving the connection to Google and signing the user in to the forum.
"The email address linked to this Google account belongs to another member's account on X. Please log into that X account to associate with Google."

I think this would improve the user experience for these cases.

With this update: 1 click
Today: Click "Sign in with: Google" -> error message -> click "Forgot password" -> check your email -> login -> click "Connected accounts" -> click "Associate with Google"

Arantor

Active member
The reason for doing this is security. If you somehow happen to get a session going, you could escalate that into an account takeover with the method as proposed.

The whole point of 'there's already an account' is to verify that you actually are the account holder linking the account. Especially since there's no real reason why you couldn't do something very iffy with a different provider (that isn't Google but using the OAuth) where you create an account with that service, change your email to someone else's, and then use that to actively take over an account that isn't yours...
 

Kirby

Well-known member
Although security considerations are valid, I don't think this suggestion needs to be tossed completely, and there are options to improve usability while keeping the current security level:

Instead of just giving an error, XenForo could directly offer the possibility to associate the account, e.g. ask for username and password of the existing account.
This would make this use case a bit easier while keeping the account secure.
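
The trade-off discussed in this thread, as an added example (not XenForo's code and not written by any of the posters): a one-click link that trusts the provider's email claim, next to a flow that asks for the existing account's password before associating. The in-memory stores, function names and provider/subject values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MEMBERS = {}  # email -> {"salt": bytes, "pw": bytes}  (constructed in-memory store)
LINKS = {}    # (provider, subject) -> email of the member it is associated with

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(email, password):
    salt = os.urandom(16)
    MEMBERS[email.lower()] = {"salt": salt, "pw": _hash(password, salt)}

def naive_sign_in(provider, subject, email):
    """The '1 click' behaviour: trusts the provider's email claim outright."""
    if email.lower() in MEMBERS:
        LINKS[(provider, subject)] = email.lower()
        return ("signed_in", email.lower())
    return ("register", None)

def sign_in(provider, subject, email):
    """Look up an existing link first; an email match alone signs nobody in."""
    member = LINKS.get((provider, subject))
    if member:
        return ("signed_in", member)
    if email.lower() in MEMBERS:
        return ("confirm_password", None)  # prompt instead of a bare error
    return ("register", None)

def confirm_link(provider, subject, email, password):
    """Associate the external identity only after the member proves ownership."""
    member = MEMBERS.get(email.lower())
    if member is None:
        return False
    if not hmac.compare_digest(member["pw"], _hash(password, member["salt"])):
        return False
    LINKS[(provider, subject)] = email.lower()
    return True
```

The link is keyed on the provider plus the provider's own subject identifier, so a later change of email address at the provider does not move the association to a different member.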