Error message when registering with decidim #94

Open
Ouardaoubahri opened this issue Oct 5, 2021 · 4 comments
Comments

@Ouardaoubahri

Describe the bug
When I try to sign up on Metadecidim via the Decidim OAuth, I get an error message.

⚠️ The registration is successfully done

To Reproduce
Steps to reproduce the behavior:

  1. Signup on decidim.barcelona
  2. Go to https://meta.decidim.org/users/sign_up
  3. Click on "Sign in with Decidim"
  4. Click on "Autoritza l'aplicació"
  5. See error

Expected behavior
If there isn't another account with the same email address, I shouldn't have this error message

Screenshots
(attached screenshot of the error message not reproduced here)

Extra data (please complete the following information):

  • Device: Desktop
  • Device OS: macOS Big Sur
  • Browser: Brave
  • Decidim Version: 0.26.0.dev
@andreslucena
Member

If there isn't another account with the same email address, I shouldn't have this error message

I can confirm that in Metadecidim you aren't registered with this email. It's weird.

@andreslucena
Member

@Ouardaoubahri after further inspection I see that you're not signed up in Decidim Barcelona with that email. Maybe the bug is related to trying to register with an unconfirmed email account or something like that?

@andreslucena
Member

As this seems like something related to Metadecidim itself and its DB, I'm moving it to its repository. Feel free to ping me if you can replicate this in another installation, with the steps necessary to replicate it, @Ouardaoubahri

@andreslucena andreslucena transferred this issue from decidim/decidim Nov 11, 2021
@ahukkanen
Contributor

This particular error happens when the OAuth sign in returns the same email address that is already reserved for another user account as described in the error message.

So what has happened here, I believe, is the following, in this order:

  1. Participant had already registered to MetaDecidim before with the given email address
  2. Participant had already registered to Decidim.Barcelona with the given email address
  3. Participant was logged out from MetaDecidim
  4. Participant tried to log in using "Sign in with Decidim"
  5. Participant was already logged in at Decidim.Barcelona as they saw the notification to provide access to their data for the external application (MetaDecidim) that requested it
  6. The OAuth authentication was successful at Decidim.Barcelona
  7. The OAuth endpoint at MetaDecidim noticed that there was already an existing account using the same email which was not previously linked to the Decidim.Barcelona OAuth method
  8. The error was shown to the participant as described in the original post

This is a fundamental problem about how Decidim handles the OAuth logins. If the OAuth method hasn't been linked to the account, it will not be automatically linked to the account during the authorization phase if the account email matches the email returned from the external login (in this case from Decidim.Barcelona).

It would have security implications if we automatically just trusted the email returned from the external authentication method and automatically mapped it to the account holding that email in Decidim. The security implication is that not all 3rd-party services require the user to confirm their email addresses, so this could lead to hijacking of user accounts unless it is properly handled.

So I'd say this is working "by design" (intentional or not). But I'd also say that the possibility to securely map the OAuth method to the existing account should also be provided during this flow; we have also bumped into the same problem in the past.

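The account-linking rule discussed in the comment above, as an added example in Ruby. This is not Decidim's or Metadecidim's own code: the `AccountStore`, the struct names and the callback functions are hypothetical, and the scenario data is constructed. It contrasts the insecure rule (auto-link any OAuth login whose email matches an existing account) with the conflict-on-match rule the comment describes, plus the explicit re-authentication step it asks for.

```ruby
# Added example, not Decidim code: a minimal model of the OAuth callback
# decision. Store, struct and function names are hypothetical.

User = Struct.new(:id, :email, :identities, keyword_init: true)
Identity = Struct.new(:provider, :uid, keyword_init: true)
# What an OmniAuth-style callback hands back. email_verified is whatever the
# provider claims; not every provider confirms the address before issuing it.
OAuthInfo = Struct.new(:provider, :uid, :email, :email_verified, keyword_init: true)

class AccountStore
  def initialize
    @users = []
  end

  def create(email, provider: nil, uid: nil)
    identities = provider ? [Identity.new(provider: provider, uid: uid)] : []
    user = User.new(id: @users.size + 1, email: email.downcase, identities: identities)
    @users << user
    user
  end

  def find_by_email(email)
    @users.find { |u| u.email == email.downcase }
  end

  def find_by_identity(provider, uid)
    @users.find { |u| u.identities.any? { |i| i.provider == provider && i.uid == uid } }
  end
end

# Insecure variant: link whenever the provider's email matches a local account.
# Anyone who can register that address (unverified) at the provider takes over
# the local account holding it.
def oauth_callback_insecure(store, info)
  if (user = store.find_by_identity(info.provider, info.uid))
    return [:signed_in, user]
  end
  if (existing = store.find_by_email(info.email))
    existing.identities << Identity.new(provider: info.provider, uid: info.uid)
    return [:linked, existing]
  end
  [:created, store.create(info.email, provider: info.provider, uid: info.uid)]
end

# Secure variant, the behaviour the comment describes: an unlinked email match
# is a conflict and never an automatic sign-in. Linking happens only after the
# participant proves control of the existing account (link_after_reauth), or if
# the provider is explicitly trusted to verify email and says it did.
def oauth_callback_secure(store, info, trusted_verifying_providers: [])
  if (user = store.find_by_identity(info.provider, info.uid))
    return [:signed_in, user]
  end
  if (existing = store.find_by_email(info.email))
    if trusted_verifying_providers.include?(info.provider) && info.email_verified
      existing.identities << Identity.new(provider: info.provider, uid: info.uid)
      return [:linked, existing]
    end
    return [:conflict, existing] # surfaced as "email already taken"
  end
  [:created, store.create(info.email, provider: info.provider, uid: info.uid)]
end

# The missing step the comment asks for: resolve a :conflict by re-authenticating
# the existing account (password or an emailed one-time link) before linking.
def link_after_reauth(store, info, reauthenticated:)
  existing = store.find_by_email(info.email)
  return [:conflict, existing] unless existing && reauthenticated
  existing.identities << Identity.new(provider: info.provider, uid: info.uid)
  [:linked, existing]
end

# Constructed scenario: the victim registered locally with a password; an
# attacker registers the victim's address at a provider that does not confirm
# email ownership and then uses "Sign in with <provider>".
def demo
  attacker_login = OAuthInfo.new(provider: "decidim", uid: "attacker-1",
                                 email: "victim@example.org", email_verified: false)
  store_a = AccountStore.new
  store_a.create("victim@example.org")
  store_b = AccountStore.new
  store_b.create("victim@example.org")
  {
    insecure: oauth_callback_insecure(store_a, attacker_login).first, # :linked (hijacked)
    secure: oauth_callback_secure(store_b, attacker_login).first      # :conflict
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Note that `trusted_verifying_providers` is a deliberate allow-list: trusting `email_verified` from every provider reintroduces the problem the comment warns about, since the claim is only as good as the provider's own confirmation policy.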