There doesn't seem to be any mention of this in the documentation, and all I found was this and this, where I would like to confirm this:

If there is an existing account with the same email address but created with other credentials (e.g. password or non-trusted provider), the previous credentials are removed for security reasons.

If a user signs in through Facebook or email/password and later through Google, their account sign-in method is converted to Google. It only happens with Google and the setting for one account only is active.

Is it intended to be like this and is there any way to stop it?


Solution 1:

As the documentation says: certain email domains have a trusted provider. Most prominently: Google is the trusted provider for @gmail.com addresses, since it's the only issuer of these email addresses.

If a user first registers their Gmail address with, say, Facebook, and later there is a registration with that same Gmail address from the Google provider, the latter registration is considered to overrule the former. If the user later signs in with Facebook again, the two accounts can be linked.

As far as I know, the only way to prevent this is to allow multiple accounts per email address.

Also see these posts by some of the Firebase Authentication engineers:

  • Firebase, login by same email different provider
  • https://github.com/firebase/FirebaseUI-Android/issues/1180
  • https://groups.google.com/d/msg/firebase-talk/ms_NVQem_Cw/8g7BFk1IAAAJ
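
The resolution rules described in the answer above, written out as a small model (an added example, not part of the original answer and not Firebase code). `AuthModel`, `signIn`, `link`, the status strings and the `TRUSTED` table are hypothetical names and constructed values; the model covers only the behaviour stated on this page.

```javascript
// Simplified model of the sign-in resolution described above. Not Firebase code:
// every name here is hypothetical and the TRUSTED table is constructed sample data.
const TRUSTED = { 'google.com': ['gmail.com'] }; // provider -> email domains it issues

function isTrusted(provider, email) {
  const domain = email.split('@')[1].toLowerCase();
  return (TRUSTED[provider] || []).includes(domain);
}

class AuthModel {
  constructor({ oneAccountPerEmail }) {
    this.oneAccountPerEmail = oneAccountPerEmail;
    this.accounts = []; // { uid, email, providers: [...] }
    this.nextUid = 1;
  }

  signIn(provider, email) {
    const key = email.toLowerCase();
    const sameEmail = this.accounts.filter(a => a.email === key);
    // Returning user: this provider is already attached to an account.
    const known = sameEmail.find(a => a.providers.includes(provider));
    if (known) return { status: 'signed-in', uid: known.uid, providers: [...known.providers] };

    if (this.oneAccountPerEmail && sameEmail.length > 0) {
      const account = sameEmail[0];
      if (isTrusted(provider, key)) {
        // Trusted issuer overrules: earlier credentials are removed, the account stays.
        const removed = account.providers;
        account.providers = [provider];
        return { status: 'overruled', uid: account.uid, removed };
      }
      // An untrusted provider never takes over an existing account silently.
      return { status: 'link-required', uid: account.uid, existing: [...account.providers] };
    }
    // No conflict, or multiple accounts per email allowed: separate account.
    const account = { uid: this.nextUid++, email: key, providers: [provider] };
    this.accounts.push(account);
    return { status: 'created', uid: account.uid, providers: [provider] };
  }

  link(uid, provider) {
    // Called only after the user has signed in with a provider already on the account.
    const account = this.accounts.find(a => a.uid === uid);
    if (!account.providers.includes(provider)) account.providers.push(provider);
    return [...account.providers];
  }
}
```

With `oneAccountPerEmail: false` the same Facebook-then-Google sequence yields two independent accounts, which is the trade-off of the workaround mentioned in the answer.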