Unable to signIn with OpenIDConnect when already signed Up with email and password
Bug report
Describe the bug
I am unable to link/sign in with OpenID using the same email as an account signed up with email and password.
When looking at supabase logs I see,
duplicate key value violates unique constraint "users_email_key"
To Reproduce
- I sign up with email and password and I then click the verification email. I verify that the row looks good in auth.users.
- I then create an account using OpenIDConnect. The error I get back is
GotrueError(message: Database error saving new user)
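// 1) Sign up with email and password
const signUpResponse = await supabase.auth.signUp({
  email: '[email protected]',
  password: 'RQTFSUtvkVqRfzemYsPI'
})

// 2) Then sign in with an OIDC ID token issued for the same email address
const signInResponse = await supabase.auth.signIn({
  oidc: {
    id_token: 'valid_id_token',
    nonce: 'valid_nonce',
    provider: 'google'
  }
})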
They work separately, but they fail when called after each other.
Expected behavior
I expect that I can sign in with oidc when the email is the same as an account that has already signed up with email and password.
Hey, due to issues with the quality of implementation for OIDC we've decided to stop supporting it and removed it from the v2 version of the client library altogether.
It's been a while, but if you could attach some logs from the failing operation we may be able to look into this issue further. Until then, I'll close it.
@hf Wait really? What about my and others' production apps that are currently using OIDC? This seems very bizarre to just get rid of. I was working on making a PR to fix the issue with it involving iOS.
What does this mean for https://github.com/supabase/gotrue/issues/412 ?
Forgive my ignorance, but if OIDC is removed what happens to users who've created their account using Apple/Google auth? How will they sign in to the app if they can't use their email and password? And, how will we do native sign-in?
Exactly. It seems like not much thought may have gone into the decision to remove OIDC. There's also not that many bugs that exist. Adding OIDC was a long process but we're slowly getting there. Most things are fixed and all that's left is a little bug fixing. PLEASE don't remove code for this.
@DanMossa #689 is now fixed, but in v2 the possibility to log in with oidc is now missing. How to enable native Apple/Google login? (react native)
I will actually be very upset if the endpoint to support oidc is removed. I and many others have spent a lot of time to support OIDC. It's required for native auth and I really hope we get clarification on what's happening. @hf @kangmingtay
Hey, this was maybe prematurely communicated. We'll discuss with the team tomorrow and give an update. You're right about supporting existing use cases.
Hey everyone, the team and I discussed this at length. Here are our conclusions:
- We recognize this is being used in the wild and is a hard requirement on iOS.
- The current implementation has some (serious) known issues and we don't want to encourage people to be using something that is of low quality.
- Mid-term we do want to add official support for an OIDC login flow (that uses ID tokens), but this is unlikely to be backward compatible with what we have today.
Thus we decided to do the following:
- Add back support for this flow in v2 of gotrue-js, but under an @experimental annotation. We're going to be allocating some time to do this in the next 2 to 3 weeks.
- Since Sign-in with Apple is a hard requirement in mobile apps on iOS, we'll try to address some of the known issues in that flow only. Since we're busy with some other priorities, we can't promise a timeline on addressing this.
- Any PRs from the community on this topic will be considered closely, in an effort to unblock you.
- Once we address OIDC ID token login flows properly, the existing flow will be deprecated and the existing API is likely to be removed with some prior notice. Prepare your codebase for such an eventuality in the future.
Feel free to let us know how you feel about this or if we should reconsider something. Thank you for your dedication so far!
that sounds promising. thank you very much for the transparent communication.
So - I’m not familiar with oidc - but I’ve done apple sign in flows a few times. I’ll avoid bloating this ticket with findings - there’s a sample repo I have with nodejs that I’m working on here / it has the official apple sign in sample code bundled together - there’s few tickets that have suggested oidc but it seems obsolete - https://github.com/supabase-community/gotrue-swift/issues/4 My sign in almost sort of works - I’d drop this effort in a heartbeat if there was a native sign in flow. But I’m yet to see anything working beyond web flow.
How can I sign in natively using swift code - authorization.code I get back from apple (official sample code for apple login)?
There’s another ticket which is around using jwt of authorised user to access database with RLS. UPDATE - jwt via signed in session resolved using latest release_candidate branch. https://github.com/supabase-community/supabase-swift/issues/49
I think adding OIDC in v2 is important. Especially for google one tap login
@hf: any news on this? :)
@megacherry Hey not yet since we've been busy preparing stuff for Launch Week 6. https://supabase.com/launch-week
We're going to start planning our next steps in January and this (OIDC support) is high up on our list.
Hi glad to hear that. I want to implement OIDC for my application but don't want to migrate back to supabase v1 to implement OIDC. It is now January, I just want to remind and hope if the team is working on it.
also we need some swift / java code examples (not react-native).
This bug appears to also affect OAuth. (Tested with Google and Azure Specifically)
If you signup with OAuth, and then set a password or use a magic link, everything works as expected, but if you do things the other way around you get the same error (ERROR: duplicate key value violates unique constraint "users_email_partial_key" (SQLSTATE 23505)).
For clarity:
- Sign Up with Google or Microsoft OAuth -> Add Password/Use Magic Link -> User logs in correctly
- Sign up with Google OAuth -> Try to Sign-in with Microsoft OAuth (same email) -> User logs in correctly
- Sign up with Password/Magic Link -> Try to Sign-In with OAuth -> 500: Database error saving new user
Edit: Started issue #911 to track these separately
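The failure described in the original report and in the comment above, modelled as an added example that is not part of this thread and is not GoTrue's code: a sign-in path that inserts a new user whenever the provider identity is unknown collides with the unique email constraint, while a lookup-before-insert path links the identity to the existing row only when both sides have a verified email. The `AuthStore` class, its method names, the in-memory tables and the sample address and subject are assumptions made for illustration.

```javascript
// Added illustration: in-memory stand-in for a users table with a unique
// email constraint plus a separate identities table. Not GoTrue's schema.
class AuthStore {
  constructor() {
    this.users = new Map();      // email -> { id, email, emailConfirmed }
    this.identities = new Map(); // "provider:sub" -> user id
    this.nextId = 1;
  }
  insertUser(email, emailConfirmed) {
    if (this.users.has(email)) {
      throw new Error('duplicate key value violates unique constraint "users_email_key"');
    }
    const user = { id: this.nextId++, email, emailConfirmed };
    this.users.set(email, user);
    return user;
  }
  // Behaviour reported in the thread: no identity row yet, so insert blindly.
  naiveOidcSignIn(provider, claims) {
    const key = `${provider}:${claims.sub}`;
    if (this.identities.has(key)) return this.identities.get(key);
    const user = this.insertUser(claims.email, claims.email_verified === true);
    this.identities.set(key, user.id);
    return user.id;
  }
  // Lookup-before-insert: match on (provider, sub) first, then on email,
  // and link only when both sides have proven control of the address.
  linkingOidcSignIn(provider, claims) {
    const key = `${provider}:${claims.sub}`;
    if (this.identities.has(key)) return this.identities.get(key);
    const existing = this.users.get(claims.email);
    if (existing && !(existing.emailConfirmed && claims.email_verified === true)) {
      throw new Error('refusing to link: email not verified on both sides');
    }
    const user = existing || this.insertUser(claims.email, claims.email_verified === true);
    this.identities.set(key, user.id);
    return user.id;
  }
}

// Constructed sample data (placeholder address and subject).
function demo() {
  const store = new AuthStore();
  const pw = store.insertUser('user@example.test', true); // email+password, verified
  const claims = { sub: 'sub-123', email: 'user@example.test', email_verified: true };
  let naiveError = null;
  try { store.naiveOidcSignIn('google', claims); } catch (e) { naiveError = e.message; }
  const linkedId = store.linkingOidcSignIn('google', claims);
  return { naiveError, linkedSameUser: linkedId === pw.id };
}
```

Requiring verification on both sides before linking matters because a password account created with someone else's unconfirmed address would otherwise gain access to that person's later OIDC sign-in.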
@hf: It is now almost the end of January and I would like to politely ask if you have made any progress in the matter? Is there anything we can do to support you? :)
Hey everyone! Here's the PR: https://github.com/supabase/gotrue-js/pull/603
Sorry this took so incredibly long!