3
votes

I'm looking at offering four login options on a site

  1. Normal registration with the site using email address and password
  2. Facebook
  3. Google
  4. Twitter

If a user with the email address [email protected] first logs into my site with Google OpenId is it ok to store their email address?

My plan is that if he then came back and logged in with Facebook, which he has registered for with the same email address, his account will still be linked.

Is it alright to store users' details in my database like this?
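The linking flow described in the question, written out as an added example that is not part of the original post. It keys each login on the provider's own stable user id and joins accounts by email only when the provider asserts the address as verified, so an address that one provider has not checked cannot attach itself to an account created through another. Provider names, subject ids, claim names (`email_verified`) and the sample address are all constructed for the demo.

```python
"""Linking one site account to several login providers.

Added example for the question above; not code from the post. Provider
names, claim field names and sample addresses are constructed for the demo.
The stable link is the (provider, subject id) pair; an email address is used
to join accounts only when the provider asserts it is verified.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Identity = Tuple[str, str]  # (provider, provider-issued subject id)


@dataclass
class User:
    user_id: int
    email: Optional[str]  # kept only when verified; unverified addresses are not stored
    identities: Set[Identity] = field(default_factory=set)


class AccountStore:
    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.by_identity: Dict[Identity, int] = {}  # (provider, subject) -> user_id
        self.by_email: Dict[str, int] = {}          # verified email -> user_id
        self._next_id = 1

    @staticmethod
    def _norm(email: str) -> str:
        # Case-fold and trim so Alice@Example.com and alice@example.com match
        return email.strip().lower()

    def _create(self, email: Optional[str]) -> User:
        user = User(self._next_id, email)
        self.users[user.user_id] = user
        self._next_id += 1
        if email is not None:
            self.by_email[self._norm(email)] = user.user_id
        return user

    def _attach(self, user: User, identity: Identity) -> None:
        user.identities.add(identity)
        self.by_identity[identity] = user.user_id

    def register_local(self, email: str) -> User:
        # Option 1 on the list: email/password signup. Password handling is out of
        # scope; the site is assumed to have confirmed the address itself (e.g. by a
        # mailed link) before this is called, so it may be indexed for linking.
        if self._norm(email) in self.by_email:
            raise ValueError("address already registered")
        return self._create(email)

    def login_with_provider(self, provider: str, subject: str,
                            email: Optional[str] = None,
                            email_verified: bool = False) -> User:
        """Return the site account for a successful provider login, linking or creating as needed."""
        identity = (provider, subject)

        # 1. Seen this provider identity before: that is the authoritative link.
        if identity in self.by_identity:
            return self.users[self.by_identity[identity]]

        # 2. New identity, but the provider vouches for an address we already hold:
        #    join it to that account (the Google-then-Facebook case in the question).
        if email is not None and email_verified:
            existing = self.by_email.get(self._norm(email))
            if existing is not None:
                user = self.users[existing]
                self._attach(user, identity)
                return user

        # 3. Otherwise start a fresh account. Store the address only when verified;
        #    an unverified address is neither stored nor used for matching.
        user = self._create(email if email_verified else None)
        self._attach(user, identity)
        return user


def demo() -> AccountStore:
    store = AccountStore()
    # Google sign-in asserting a verified address (constructed sample claims)
    store.login_with_provider("google", "g-1001", "alice@example.com", email_verified=True)
    # Same person returns via Facebook with the same verified address: joins the same account
    store.login_with_provider("facebook", "fb-77", "alice@example.com", email_verified=True)
    # A provider presenting the same address without verifying it gets a separate account
    store.login_with_provider("twitter", "tw-5", "alice@example.com", email_verified=False)
    return store


if __name__ == "__main__":
    for u in demo().users.values():
        print(u.user_id, u.email, sorted(u.identities))
```

Running the demo leaves two accounts: one holding both the Google and Facebook identities with the stored address, and a second for the Twitter identity with no address stored. The split in the third case is deliberate: merging on an address the provider has not checked would let anyone who can register that address at a lax provider reach the existing account, so the safer default is a separate account until the address is confirmed.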


1 Answer

1
votes

This is a minefield. Looking exclusively at Facebook:

In the last Facebook application that I built, I stored only the Facebook user IDs. Facebook, though, are a little paranoid about this:

Facebook User IDs may be used with external services that you use to build and run your application, such as a web infrastructure service or a distributed computing platform, but only if those services are necessary to running your application and the service has a contractual obligation with you to keep Facebook User IDs confidential.

http://www.insidefacebook.com/2011/02/14/platform-policies-changes-iframe/

In relation to this:

You will only request the data you need to operate your application.

http://www.insidefacebook.com/2011/02/14/platform-policies-changes-iframe/

I'd have thought that storing a user's email address is not essential to the operation of your application, but if you look at Facebook's extended permissions, you will see that it is possible to get the user's email address:

http://developers.facebook.com/docs/authentication/permissions/

You will also see that:

Your use of email must comply both with Facebook policies and with the CAN-SPAM Act.

Also, consider if it's really worth requesting the user's email - some users will refuse this extended permission and therefore you have one less user using your application.

As for the other web services you intend using, no doubt a similar analysis is in order.