I've been using django-rest-auth, which has been great for the email signup flow. I've been trying to implement social login (via FB), and in the latest version (v0.9.3), it seems that if someone has already created an account via email, it just raises an error if that user tries to log in via social. This comment is in the commit:
# We have an account already signed up in a different flow
+ # with the same email address: raise an exception.
+ # This needs to be handled in the frontend. We can not just
+ # link up the accounts due to security constraints
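Review bot: the comment refuses linking "due to security constraints" without saying what the constraint is, which is exactly what the question below asks; state it in the comment (the app cannot verify that the social identity belongs to the same person who registered with that email address, so auto-linking would hand the existing account to whoever presents a social identity carrying that email) and name the supported path, the social connect view used while already logged in as the existing user, so "handled in the frontend" tells the reader what to do with the error.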
A couple of questions (posted this in the GitHub issues as well): Why is this a security issue? Isn't the whole point of social authentication that you trust the OAuth provider (FB in this case)? Second, how is one supposed to handle this in the frontend? It's a common occurrence that people sign up with email first (often simply because a site or app adds social login later in the development cycle). It seems to me the only option this leaves me with is to tell the user "Sorry, you can only log in with your email account." Or to simply choose to have FB Login or email (or Twitter, etc.), but only one of them. Am I missing something here? It seems extremely limiting to me.
The security issue comes from the fact that it's impossible to verify that the social account belongs to exactly the same user who registered before.
In order to attach a social account to an existing user in django-rest-auth you need to use a social connect view. Here's an example in the docs: http://django-rest-auth.readthedocs.io/en/latest/installation.html#additional-social-connect-views.
Social connect views are similar to regular social login, except that you have to already be authenticated as a regular user, so the app knows it is you, before it can attach a social account.
So the example flow is the following:
1. Log in as the existing user (registered before as a non-social account).
2. Access /rest-auth/facebook/connect/ to attach the Facebook social account to this existing user.
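To make the distinction between the two flows concrete, here is an added, self-contained Python model of the policy the answer describes. It is a constructed example, not django-rest-auth's own code: the store, the `SocialIdentity`/`User` types, the `social_login`/`social_connect` functions and the sample accounts are all assumptions made for illustration. `social_login` mirrors the 0.9.3 behaviour (a social identity whose email matches an existing password account is refused rather than linked), while `social_connect` only attaches an identity to a user who has already authenticated, which is why the answer's two-step flow works and why an unauthenticated caller with a matching email gets nowhere.

```python
"""Constructed model of django-rest-auth's social login vs. social connect flows.
Not the library's code; names, store layout and sample data are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class AccountCollision(Exception):
    """An account already exists for this email or social identity."""


class AuthenticationRequired(Exception):
    """Connect was attempted without an authenticated session."""


@dataclass
class SocialIdentity:
    provider: str  # e.g. "facebook"
    uid: str       # the provider's stable user id
    email: str     # email as reported by the provider: a claim, not proof of identity

    @property
    def key(self) -> str:
        return f"{self.provider}:{self.uid}"


@dataclass
class User:
    username: str
    email: str
    salt: bytes = b""
    pw_hash: Optional[bytes] = None            # None for social-only accounts
    social_keys: Set[str] = field(default_factory=set)


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """In-memory stand-in for the user table, keyed by email and by social id."""
    def __init__(self) -> None:
        self.by_email: Dict[str, User] = {}
        self.by_social: Dict[str, User] = {}

    def register_email(self, username: str, email: str, password: str) -> User:
        email = email.lower()
        if email in self.by_email:
            raise AccountCollision(email)
        salt = os.urandom(16)
        user = User(username, email, salt, _hash_pw(password, salt))
        self.by_email[email] = user
        return user

    def password_login(self, email: str, password: str) -> Optional[User]:
        user = self.by_email.get(email.lower())
        if user is None or user.pw_hash is None:
            return None
        ok = hmac.compare_digest(user.pw_hash, _hash_pw(password, user.salt))
        return user if ok else None


def social_login(store: AccountStore, identity: SocialIdentity) -> User:
    """Unauthenticated social login: return the linked user or sign a new one up."""
    linked = store.by_social.get(identity.key)
    if linked is not None:
        return linked
    email = identity.email.lower()
    if email in store.by_email:
        # Same email, different flow. Nothing proves the person behind the social
        # account is the person who registered with a password, so refuse to link.
        raise AccountCollision(email)
    user = User(username=email.split("@")[0], email=email)
    store.by_email[email] = user
    store.by_social[identity.key] = user
    user.social_keys.add(identity.key)
    return user


def social_connect(store: AccountStore, session_user: Optional[User],
                   identity: SocialIdentity) -> User:
    """Authenticated connect: attach the identity to the already-logged-in user."""
    if session_user is None:
        raise AuthenticationRequired()
    owner = store.by_social.get(identity.key)
    if owner is not None and owner is not session_user:
        raise AccountCollision(identity.key)  # identity already belongs to someone else
    store.by_social[identity.key] = session_user
    session_user.social_keys.add(identity.key)
    return session_user


def demo() -> Dict[str, bool]:
    """Walk the answer's two-step flow with constructed accounts; report outcomes."""
    store = AccountStore()
    alice = store.register_email("alice", "alice@example.com", "correct horse")
    fb = SocialIdentity("facebook", "1001", "Alice@Example.com")  # matches Alice's email
    out: Dict[str, bool] = {}
    try:
        social_login(store, fb)
        out["login_refused"] = False
    except AccountCollision:
        out["login_refused"] = True            # 0.9.3 behaviour: error, no silent link
    try:
        social_connect(store, store.password_login("alice@example.com", "wrong"), fb)
        out["connect_needs_session"] = False
    except AuthenticationRequired:
        out["connect_needs_session"] = True    # no valid password login, no connect
    session = store.password_login("alice@example.com", "correct horse")  # step 1
    social_connect(store, session, fb)                                     # step 2
    out["linked_to_existing"] = social_login(store, fb) is alice
    out["single_account"] = len(store.by_email) == 1
    return out
```

In django-rest-auth itself the connect endpoint is, per its docs, a subclass of `SocialConnectView` with `adapter_class = FacebookOAuth2Adapter` routed at /rest-auth/facebook/connect/; the frontend's job on the error is therefore to send the user through normal password login first and then call that connect endpoint with the Facebook token, after which plain social login resolves to the same account.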