4
votes

For my site I am using a login system much like the one on SO. A user can login with his Facebook, Google (Gmail openID), Twitter account.

This question is not about specific oAuth or openID implementations.

The question is how to know if the same user logins with different providers.

Let me give an example:

Bobo comes to the site and logs in by clicking on "Login with Facebook". Because this is his first visit we create an account for him.

Later Bobo comes to the site again. This time he clicks on "Login with Google". So how do I know if this is the same person, so I can add this provider to his account instead of creating a new (and duplicate) account?

Can I rely solely on email?

What is the best way to handle this? How does SO do it?

Any ideas?

Edit: If I rely on email, is there a possibility that the same email can be used by different users? Can this be a security issue?


3 Answers

1
votes

I think you can't really know this unless the user explicitly says it's Bobo again. His FB and Google OpenID identities may have completely different info (as do mine). Only Bobo knows that these belong to the same person.

See how it's done here at SO: you log in with OpenID, then you can link another OpenID to your account. Hint your users to do so, too. Provide a large enough "I already have an account here" button in the login process.

0
votes

Unless both accounts provide the same email address, you would not be able to reliably determine that they were both the same user.

If you want a user to be able to log in with multiple oAuth/OpenID accounts, you could provide a mechanism to allow the user to add additional authentications from their user account.

0
votes

Go to your profile on this site; there, above your details, you will see 2 links: edit | add openid

Usually you will have 1 user = 1 login details (login/password stored together with the rest of info). In this multi-id situation you have to store login details separately (1 user may have more than 1 login id). Simple 1-to-many relation between DB tables.
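The 1-to-many model from this answer, combined with the explicit "link another account" flow from the first answer, as an added example (not code from any of the answerers; table and function names are assumed). The provider's own stable user id is the unique key; email is stored only as information and never used to merge accounts automatically, and linking an identity that already belongs to another local user is refused rather than silently returning that user:

```python
import sqlite3

# Constructed schema: one user row, many identity rows (provider, provider_uid).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT);
CREATE TABLE identities (
    provider     TEXT NOT NULL,
    provider_uid TEXT NOT NULL,   -- opaque id asserted by the provider
    email        TEXT,            -- informational only, may be unverified
    user_id      INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (provider, provider_uid)
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def login(conn, provider, provider_uid, email, display_name, current_user=None):
    """Resolve a provider assertion to a local user id.

    current_user is set only when an already logged-in user explicitly
    chose "add another login"; that is the only path that merges.
    """
    row = conn.execute(
        "SELECT user_id FROM identities WHERE provider=? AND provider_uid=?",
        (provider, provider_uid)).fetchone()
    if row:
        if current_user is not None and row[0] != current_user:
            # Identity already bound to a different account: refuse the link.
            raise ValueError("identity already linked to another account")
        return row[0]                       # known identity -> existing user
    if current_user is None:                # unknown identity, nobody logged in
        current_user = conn.execute(
            "INSERT INTO users(display_name) VALUES (?)", (display_name,)).lastrowid
    conn.execute(
        "INSERT INTO identities(provider, provider_uid, email, user_id) "
        "VALUES (?, ?, ?, ?)", (provider, provider_uid, email, current_user))
    conn.commit()
    return current_user

def identities_of(conn, user_id):
    rows = conn.execute(
        "SELECT provider FROM identities WHERE user_id=? ORDER BY provider", (user_id,))
    return [r[0] for r in rows]
```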