Firebase authentication provider silently changes from password to google.com

Question

I use firebase authentication for my web app with three providers: email-password, google, or facebook. I have enabled the option "One account per email address".

When a user signs up using email-password (with a gmail address), then later uses google sign-in, I expect to receive an exception "auth/account-exists-with-different-credential", but I do not. His providerId is changed to google.com and he cannot use his password anymore (throws "auth/wrong-password").

Is this normal behaviour?

Answer 1

Firebase Authentication has a concept of a preferred provider for certain email addresses. The most common one is that google.com is the preferred provider for @gmail.com addresses, but I think they also exist for Facebook and Microsoft accounts.

If an existing account later signs up again from a preferred provider, that provider overwrites the existing user account. There is no way to change this behavior (that I know of).

Also see:

• Github issue Facebook provider overwritten by Google provider
• Mailing list Firebase Social Authentication Issue with fb and gmail flow
• Authentication using Facebook at first and then Google causes an error in Firebase for Android

Answer 2

This is how I'm solving it: https://firebase.google.com/docs/auth/android/account-linking

Just link the "accounts".