How to handle multiple openIDs for the same user

For my site, I use a login system similar to the one on SO. The user can log in with his Facebook, Google (Gmail openID), Twitter account.

This question does not concern specific implementations of oAuth or openID.

The question is how to find out if the same user is logged in with different providers.

Let me give an example:

Bobo comes to the site and signs in by clicking "Sign in with Facebook." Since this is his first visit, we create an account for him.

Later, Bobo comes back to the site. This time he clicks "Sign in with Google." So, how do I know this is the same person, so I can add this provider to his account rather than create a new (and duplicate) account?

Can I rely exclusively on the email address?

What is the best way to handle this? How does SO do it?

Any ideas?

Edit: If I trust the email address, is it possible that the same email address is used by different users? Could this be a security issue?

+4
3 answers

I think you cannot know this unless Bobo explicitly tells you. His FB and Google OpenID identities can contain completely different information (like mine do). Only Bobo knows that they belong to the same person.

See how SO does it: you log in with an OpenID, then you can associate another OpenID with your account. So ask your user: provide a sufficiently large "I already have an account here" button in the login process.

+1

If the two accounts do not provide the same email address, you cannot reliably determine that they belong to the same user.

If you want a user to be able to log in with multiple oAuth / OpenID accounts, you could provide a mechanism that allows the user to add additional authentications from their user account.

0

Go to your profile on this site; there, above your details, you will see two links: edit | add openid

Usually you have one user with one login (username / password stored together with the other user information). In this situation with multiple identifiers, you must store the login information separately (one user can have more than one login identifier). A simple one-to-many relationship between database tables.

0
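The one-to-many layout from the last answer, combined with the explicit "I already have an account here" link step from the first, as an added example (not code from the original thread). The table, class and method names are my own choices; the provider-issued `subject` id is assumed to be the stable key each provider returns, and the email is stored but deliberately never used to merge accounts.

```python
import sqlite3

# One users row can own many identities rows, keyed by provider plus the
# provider's stable subject id. Email is informational only, never a key.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT NOT NULL);
CREATE TABLE identities (
    provider TEXT NOT NULL,
    subject  TEXT NOT NULL,   -- provider-issued, stable user id
    email    TEXT,            -- stored for display; not verified by all providers
    user_id  INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (provider, subject)
);
"""

class Accounts:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def user_for_identity(self, provider, subject):
        row = self.db.execute(
            "SELECT user_id FROM identities WHERE provider=? AND subject=?",
            (provider, subject)).fetchone()
        return row[0] if row else None

    def sign_in(self, provider, subject, email, display_name, current_user=None):
        """Resolve a provider login to a local user id.
        known identity            -> its owner (refuse if someone else is signed in)
        unknown, user signed in   -> the explicit 'link this provider' path
        unknown, nobody signed in -> a fresh account; a matching email alone
                                     does NOT merge, since it proves nothing.
        """
        owner = self.user_for_identity(provider, subject)
        if owner is not None:
            if current_user is not None and current_user != owner:
                raise ValueError("identity already belongs to another account")
            return owner
        if current_user is None:
            cur = self.db.execute("INSERT INTO users(display_name) VALUES (?)",
                                  (display_name,))
            current_user = cur.lastrowid
        self.db.execute(
            "INSERT INTO identities(provider, subject, email, user_id) "
            "VALUES (?, ?, ?, ?)", (provider, subject, email, current_user))
        return current_user

    def identities_of(self, user_id):
        return sorted(r[0] for r in self.db.execute(
            "SELECT provider FROM identities WHERE user_id=?", (user_id,)))
```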