Tags: django, python-3.x, google-oauth, python-social-auth

For some reason Google OAuth2 can sign up the same user with different Gmail emails


Sometimes when a user signs up for my service with his Gmail account and then signs up with his G Suite account, both emails create a record in the UserSocialAuth model, but for the same Django User. Can someone help me understand why this happens and how to avoid it? I need both Gmail accounts to have separate Django accounts.

I am using social-auth-app-django https://github.com/python-social-auth/social-app-django

My pipeline:

SOCIAL_AUTH_PIPELINE = [
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.auth_allowed',
    'social_core.pipeline.social_auth.social_user',

    # request consent if no refresh_token
    'contrib.pipelines.redirect_if_no_refresh_token',

    'social_core.pipeline.user.get_username',
    # http://python-social-auth.readthedocs.io/en/latest/use_cases.html#associate-users-by-email
    'social_core.pipeline.social_auth.associate_by_email',
    'social_core.pipeline.user.create_user',
    'social_core.pipeline.social_auth.associate_user',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',

    'contrib.pipelines.get_avatar',
    # create default data for user
    'contrib.pipelines.dummy_data.create',
]

Here is how it looks in my DB:

In [7]: for uu in UserSocialAuth.objects.filter(user__email='[email protected]').values():
   ...:     print(uu)
   ...:
{'user_id': 133, 'uid': '[email protected]', 'provider': 'google-oauth2', 'id': 125, 'extra_data': {'auth_time': 1523347209, 'access_token': '...', 'expires': 3600, 'token_type': 'Bearer', 'refresh_token': '...'}}
{'user_id': 133, 'uid': '[email protected]', 'provider': 'google-oauth2', 'id': 401, 'extra_data': {'auth_time': 1522379769, 'access_token': '...', 'expires': 3598, 'token_type': 'Bearer'}}

Solution

  • Got an answer from @omab himself https://github.com/python-social-auth/social-core/issues/232

    If the user doesn't log out from your app and then proceeds to log in with the second G Suite account, then the new social account is associated with the currently logged-in user. If you want to enforce separate accounts, then you need to force that no user is currently logged in on your site.
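One way to enforce what the answer describes, added here as an example that is not code from the question, the answer or python-social-auth itself: a pipeline step inserted right after 'social_core.pipeline.social_auth.social_user' that redirects instead of linking whenever a user is already logged in and the Google uid is unknown. The session key 'link_social_account', the '/account/logout-first/' URL and the FakeStrategy stand-in are assumptions.

```python
# Added example: python-social-auth pipeline step that stops a new Google uid
# from being silently linked to the user who is already logged in. Place it in
# SOCIAL_AUTH_PIPELINE right after 'social_core.pipeline.social_auth.social_user'.

# Assumed session key that your own "connect another account" view sets before
# redirecting to the provider; only then is linking intentional.
LINK_FLAG = 'link_social_account'
LOGOUT_FIRST_URL = '/account/logout-first/'   # assumed URL in your project


def block_implicit_linking(strategy, user=None, social=None, *args, **kwargs):
    """Return None to let the pipeline continue, or a redirect to stop it.

    `user` is the currently logged-in Django user (None for an anonymous
    visitor); `social` is the existing UserSocialAuth row for this provider
    uid (None when the uid has never been seen before).
    """
    if user is None:
        return None          # anonymous visitor: normal login or signup
    if social is not None:
        return None          # known uid; social_user already verified ownership
    # Logged-in user plus an unknown uid: exactly the case in the question,
    # where associate_user would attach the second account to user_id 133.
    if strategy.session_pop(LINK_FLAG):
        return None          # explicit "connect account" flow, allow the link
    return strategy.redirect(LOGOUT_FIRST_URL)


class FakeStrategy:
    """Constructed stand-in for social_core.strategy.BaseStrategy with only
    the two methods the step calls, so it can be exercised offline."""

    def __init__(self, session=None):
        self.session = dict(session or {})

    def session_pop(self, name, default=None):
        return self.session.pop(name, default)

    def redirect(self, url):
        return ('redirect', url)


def demo():
    """Run the step through the situations it distinguishes."""
    return {
        'anonymous_signup': block_implicit_linking(FakeStrategy(), user=None, social=None),
        'relogin_known_uid': block_implicit_linking(FakeStrategy(), user='user133', social='row125'),
        'implicit_link': block_implicit_linking(FakeStrategy(), user='user133', social=None),
        'explicit_link': block_implicit_linking(FakeStrategy({LINK_FLAG: True}), user='user133', social=None),
    }
```

In a real deployment the logout-first page would end the Django session and send the visitor back to the provider, so the second Google account ends up with its own Django user instead of a second UserSocialAuth row on the first one.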