Single account for multiple OAuth providers (Facebook, Google, Windows Live)?

I have a web application that allows registration and authentication through Facebook, Google and Windows Live. Each OAuth request has the required scope to retrieve associated e-mail addresses from the authentication provider.

The current situation is that an account is created based on the provider and the provided identifier. This means that if a user has logged in with multiple providers the user will have multiple accounts on the web application.

I want to have the ideal situation of having a single account even when using multiple providers. I was thinking about using the e-mail addresses to see if an account exists for the user. If it exists, use the account based on the e-mail address.

How safe/reliable is this? Do all OAuth providers mentioned validate e-mail addresses? Better ways?

EDIT: Ran some tests and came up with this. Still looking for further advice :)

Facebook: Cannot authenticate with unvalidated e-mail. Additional e-mail will not appear until validated.
Google: Provides `verified_email`. Additional e-mail will not appear until validated.
Windows Live: Cannot authenticate with unvalidated e-mail. Additional e-mail will not appear until validated.
Deathspike asked Mar 02 '13 10:03


1 Answer

Interesting question. You could try to use e-mail to check if user exists, but the problem is, user could be using different e-mail addresses for different providers.

My suggestion would be asking the user (once he/she logs into your application using one of the methods) to attach other providers to this account, so he/she can use them as well to log into your application.

It doesn't completely solve your problem (I'm not sure if solution exists), but user will have more control that way and you'll reduce the amount of accounts per user.

Darvex answered Oct 14 '22 11:10
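As an added example (not code from the question or the answer), here is an in-memory Python sketch of the account resolution both posts describe: a login is matched to an existing account only when the identity is already linked or when the provider vouches for the e-mail address; an unverified e-mail never merges accounts, and a logged-in user can attach further providers explicitly, as the answer suggests. The `AccountStore` class, its method names and the in-memory dictionaries are assumptions standing in for a real database.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    id: int
    emails: set = field(default_factory=set)      # only provider-verified addresses
    identities: set = field(default_factory=set)  # (provider, subject) pairs


class AccountStore:
    """Constructed in-memory registry standing in for the application's user table."""

    def __init__(self):
        self.accounts = {}     # account id -> Account
        self.by_identity = {}  # (provider, subject) -> account id
        self.by_email = {}     # verified e-mail -> account id

    def _attach(self, acct, provider, subject, email, verified):
        acct.identities.add((provider, subject))
        self.by_identity[(provider, subject)] = acct.id
        if verified and email:  # index the address only when the provider vouched for it
            acct.emails.add(email)
            self.by_email.setdefault(email, acct.id)

    def login(self, provider, subject, email, email_verified):
        """Resolve one OAuth login to a single local account."""
        email = email.strip().lower() if email else None
        key = (provider, subject)
        if key in self.by_identity:                    # identity already linked: done
            return self.accounts[self.by_identity[key]]
        if email_verified and email in self.by_email:  # verified e-mail match: merge
            acct = self.accounts[self.by_email[email]]
        else:                                          # unverified or unknown: new account
            acct = Account(id=len(self.accounts) + 1)
            self.accounts[acct.id] = acct
        self._attach(acct, provider, subject, email, email_verified)
        return acct

    def link(self, account_id, provider, subject, email=None, email_verified=False):
        """Explicit linking requested by an already logged-in user (the answer's approach)."""
        key = (provider, subject)
        if self.by_identity.get(key, account_id) != account_id:
            raise ValueError("identity already belongs to another account")
        email = email.strip().lower() if email else None
        self._attach(self.accounts[account_id], provider, subject, email, email_verified)
        return self.accounts[account_id]
```

With this policy an address the user merely typed into a provider profile cannot pull an existing account into the new login; only the explicit link, performed from inside an authenticated session, joins the two.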