
Is there a way to check if Stormpath Account with a particular email exist on Social Login?


Using Stormpath, an application can be checked for the existence of an email by doing the following:

// Searches every account store mapped to the application for a case-insensitive email match
AccountList accounts = application.getAccounts(Accounts.where(Accounts.email().eqIgnoreCase(email)));

What I have noticed however is that Stormpath Social signin is directory based and doesn't check for duplicates in other directories.

For instance, if there's a User who signs up with Facebook with email address [email protected] and then the same user attempts to sign up again with his Gmail, still being [email protected], what Stormpath currently does is save both users in my two different directories (e.g. Facebook directory & Google directory). This is not what I want.

I want to be able to ensure that if [email protected] exists in any directory, it should never be registered into any other directory. The associated Account should simply be picked up and should represent the same User.

Problem is that Stormpath retrieves a Social signed-up Account in the following way:

// Looks up (or creates) the Account in the Google directory that backs this provider token
ProviderAccountRequest request = Providers.GOOGLE.account().setAccessToken(token).build();
ProviderAccountResult result = application.getAccount(request);

What this does is that it checks only the specified directory (google) for an associated Account Object (it doesn't check the entire application), and if none exists within that directory, it automatically creates one and returns the new Account Object, hence not giving the opportunity to do the check and decide whether the Account should be created or not.

Is there an alternative way to achieve this flow in Stormpath?


Solution

  • There are a couple different ways that developers use Stormpath, and it is totally based on their application:

    1. They want the application to treat Google / Facebook / username-password authentication differently. A user that logs in through social means is treated differently.
    2. They want the application to treat Google / Facebook / username-password authentication the same. A user that logs in through any means will be treated as the same user.

    Out of the box, Stormpath supports #1, but we do have a mix of customers that have requirements around #2, and they accomplish this by leveraging a feature in Stormpath called custom data. Using custom data, a developer can create a unidirectional or bidirectional link between the Google or Facebook directory and the actual 'master' account in another directory.

    How this works:

    • A user signs up for your application using username / password and an account is created in a Cloud Directory.
    • At a later time, the user decides to log in using Google/Facebook.
    • On successful login to Facebook or Google, the developer gets the email address from the Facebook or Google Account (which is verified by either Facebook or Google) and searches for the Account by email in the Cloud Directory.
    • If the account is found in the Cloud Directory, the href of the account is stored in the custom data of the Facebook / Google account.
    • On an additional login, you can check the Facebook or Google account for the custom data and follow the href to the actual account in the Cloud Directory.

    I hope this makes sense.
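The linking flow described in the answer above, written out as an added example with the Stormpath Java SDK (this is not code from the answer or from Stormpath's own documentation). It assumes a custom data key named `masterAccountHref`, a `SocialAccountLinker` class name, and placeholder hrefs for the application and the Cloud Directory that holds the master accounts; the `Providers`, `Accounts`, `CustomData` and `Client.getResource` calls are the SDK's real API. Because `application.getAccount(request)` has already created the social account by the time you can inspect it, the example does the email check afterwards, links the social account to the master one, and excludes the social account itself from the email search so it never links to itself. Only link against providers that verify the email they return, since an unverified email claim would let anyone attach a social login to an existing password account.

```java
import com.stormpath.sdk.account.Account;
import com.stormpath.sdk.account.AccountList;
import com.stormpath.sdk.account.Accounts;
import com.stormpath.sdk.application.Application;
import com.stormpath.sdk.client.Client;
import com.stormpath.sdk.client.Clients;
import com.stormpath.sdk.directory.CustomData;
import com.stormpath.sdk.directory.Directory;
import com.stormpath.sdk.provider.ProviderAccountRequest;
import com.stormpath.sdk.provider.ProviderAccountResult;
import com.stormpath.sdk.provider.Providers;

/** Resolves a social login to the single 'master' account that represents the user. */
public class SocialAccountLinker {

    // Custom data key on the social account pointing at the master account (assumed name).
    static final String MASTER_HREF_KEY = "masterAccountHref";

    private final Client client;
    private final Application application;
    private final Directory masterDirectory; // the Cloud Directory holding username/password accounts

    public SocialAccountLinker(Client client, Application application, Directory masterDirectory) {
        this.client = client;
        this.application = application;
        this.masterDirectory = masterDirectory;
    }

    /** Google login: Stormpath looks up or creates the account in the Google directory, then we link it. */
    public Account resolveGoogleLogin(String accessToken) {
        ProviderAccountRequest request = Providers.GOOGLE.account().setAccessToken(accessToken).build();
        ProviderAccountResult result = application.getAccount(request);
        return resolveMaster(result.getAccount());
    }

    /** Facebook login: same flow, different provider directory. */
    public Account resolveFacebookLogin(String accessToken) {
        ProviderAccountRequest request = Providers.FACEBOOK.account().setAccessToken(accessToken).build();
        ProviderAccountResult result = application.getAccount(request);
        return resolveMaster(result.getAccount());
    }

    /**
     * Returns the master account for a social account, creating the custom data link on first
     * contact. Falls back to the social account itself when no master exists yet.
     */
    Account resolveMaster(Account socialAccount) {
        CustomData customData = socialAccount.getCustomData();

        // Fast path: a previous login already stored the link, so follow the href.
        Object linkedHref = customData.get(MASTER_HREF_KEY);
        if (linkedHref instanceof String) {
            return client.getResource((String) linkedHref, Account.class);
        }

        // The provider may not have returned an email (e.g. the user denied the email permission);
        // without a verified email there is nothing safe to match on, so do not link.
        String email = socialAccount.getEmail();
        if (email == null || email.isEmpty()) {
            return socialAccount;
        }

        // Search the Cloud Directory (not the whole application) for the same email.
        AccountList matches = masterDirectory.getAccounts(
                Accounts.where(Accounts.email().eqIgnoreCase(email)));

        for (Account candidate : matches) {
            // Never link an account to itself; the social account lives in its own directory,
            // but comparing hrefs keeps this correct even if the master directory is misconfigured.
            if (!candidate.getHref().equals(socialAccount.getHref())) {
                customData.put(MASTER_HREF_KEY, candidate.getHref());
                customData.save(); // persists the link on the social account
                return candidate;
            }
        }

        // No existing user with this email: the social account becomes the user's account.
        return socialAccount;
    }

    public static void main(String[] args) {
        // Reads the API key from the default ~/.stormpath/apiKey.properties location.
        Client client = Clients.builder().build();

        // Placeholder hrefs: substitute the real application and Cloud Directory hrefs.
        Application application = client.getResource(
                "https://api.stormpath.com/v1/applications/YOUR_APP_ID", Application.class);
        Directory masterDirectory = client.getResource(
                "https://api.stormpath.com/v1/directories/YOUR_CLOUD_DIR_ID", Directory.class);

        SocialAccountLinker linker = new SocialAccountLinker(client, application, masterDirectory);
        Account user = linker.resolveGoogleLogin(args[0]); // args[0]: Google access token from the browser
        System.out.println("Resolved user: " + user.getEmail() + " -> " + user.getHref());
    }
}
```

Searching `masterDirectory` rather than `application` is deliberate: an application-wide search would also return the social account that `getAccount` just created, and could pick up a stale account in a different social directory, whereas the master directory is the one place the answer treats as authoritative. Keep the link creation on the server side so a client cannot supply its own `masterAccountHref`.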