

Ask HN: What's the best way to implement multiple oauth authentication? - kappaknight

My team is working on a new project and we wanted to implement Facebook and Twitter OAuth verifications on top of the traditional email and password verification. We looked around on the web, and setting up access keys for Facebook and Twitter is pretty easy to figure out.

My question is, if a user registers via Twitter, adds some data to the system, logs out, and some time later decides to register via Facebook, how would the system know to combine those two separate registrations into one account? Is there a best practice for this exact problem already posted somewhere on the web?

Thanks in advance!
======
junto
Separate the concepts of a user account, their identity and authentication.

~~~
bmelton
Despite how terse the parent may be, that's solid advice.

Each user should have 1 account that is created on their first login. With it,
each additional login offering (Twitter, Foursquare, Github, whatever) should
have the ability to associate to that account to add logins.

Profile data should be abstracted into a different model (if using an MVC
framework) or table, for indexing purposes if nothing else.

You might need an additional model/table for holding nonces and the like, but
that will depend on the implementation. I'd recommend a simple key/value store
for these.

Also be aware that you'll probably still need a traditional login mechanism as
well, and a lot of checks (don't let the user disassociate all accounts; if
the user is logged in, don't create a new account, etc.)

Lastly, remember that not all OAuth implementations are created equal.
LinkedIn doesn't give out email addresses, for example, so if you intend to
use email for anything substantial, check for that and prompt the user if
needed.

------
kappaknight
So in order to link/associate the accounts, the user would need to be logged
in to at least one of the authentication methods? I guess there's no way to
connect them otherwise...

~~~
cheald
Correct, and you'll have to have a strategy for merging accounts when someone
logs in with A, logs out, logs in with B, and then complains that they're on a
different account.
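
The account/identity split that junto and bmelton describe, together with the merge case cheald raises, as an added example (not code from anyone in the thread). It is a plain in-memory model: `Account` holds the user and their profile data, `Identity` is one `(provider, provider-side user id)` pair, and an account may own many identities. `login()` runs after the OAuth callback has already been verified, links a new identity to the active session instead of creating a second account, and refuses to silently switch accounts when a logged-in user proves control of an identity that lives on a different account; that case is handed to `merge()`, which the app should only call once both identities have been authenticated in the same session. Provider names and subject ids such as `tw-1001` are constructed sample values.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Optional


@dataclass
class Account:
    """One row per real user; knows nothing about how the user logs in."""
    id: int
    email: Optional[str] = None          # may be absent: some providers withhold it
    profile: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Identity:
    """One row per (provider, provider-side user id); many per account."""
    provider: str   # "twitter", "facebook", "password", ...
    subject: str    # the provider's stable id for the user, never a display name


class AccountStore:
    """In-memory stand-in for the account and identity tables."""

    def __init__(self) -> None:
        self._next_id = count(1)
        self.accounts: dict[int, Account] = {}
        self.identities: dict[Identity, int] = {}   # identity -> account id

    def identities_for(self, account_id: int) -> list[Identity]:
        return [i for i, a in self.identities.items() if a == account_id]

    def login(self, provider: str, subject: str, email: Optional[str] = None,
              session_account: Optional[int] = None) -> int:
        """Called once the provider's assertion for (provider, subject) is verified.
        Returns the account id the session should hold afterwards."""
        ident = Identity(provider, subject)
        known = self.identities.get(ident)
        if known is not None:
            if session_account is not None and session_account != known:
                # Logged in as one account, proved control of an identity on
                # another: that is a merge decision, never an implicit switch.
                raise LookupError(f"identity belongs to account {known}; use merge()")
            return known
        if session_account is not None:
            # A logged-in user adding a second login method: link, don't create.
            self.identities[ident] = session_account
            return session_account
        acct = Account(id=next(self._next_id), email=email)
        self.accounts[acct.id] = acct
        self.identities[ident] = acct.id
        return acct.id

    def unlink(self, account_id: int, provider: str, subject: str) -> None:
        """Remove a login method, but never the last one."""
        ident = Identity(provider, subject)
        if self.identities.get(ident) != account_id:
            raise LookupError("identity is not linked to this account")
        if len(self.identities_for(account_id)) == 1:
            raise ValueError("cannot remove the last login method")
        del self.identities[ident]

    def merge(self, keep_id: int, absorb_id: int) -> int:
        """Fold account `absorb_id` into `keep_id`. The caller must have
        authenticated this session against an identity on BOTH accounts."""
        if keep_id == absorb_id:
            return keep_id
        keep, absorb = self.accounts[keep_id], self.accounts.pop(absorb_id)
        for ident in self.identities_for(absorb_id):
            self.identities[ident] = keep_id
        keep.profile = {**absorb.profile, **keep.profile}  # surviving data wins
        keep.email = keep.email or absorb.email
        return keep_id

    def needs_email_prompt(self, account_id: int) -> bool:
        """True when the provider that created the account withheld an email."""
        return self.accounts[account_id].email is None


def scenario() -> dict:
    """The question's case: Twitter first, Facebook months later, then a merge."""
    store = AccountStore()
    a = store.login("twitter", "tw-1001", email="kay@example.com")
    store.accounts[a].profile["bio"] = "added while logged in via Twitter"
    # Logged out; later signs up via Facebook with no session -> second account.
    b = store.login("facebook", "fb-7", email="kay@example.com")
    # Logged in as b, the user authenticates with Twitter again. The identity is
    # already on a, so login() refuses and the app can offer a merge instead.
    try:
        store.login("twitter", "tw-1001", session_account=b)
        conflict = False
    except LookupError:
        conflict = True
    final = store.merge(a, b)   # both identities were just proven in this session
    return {"first": a, "second": b, "conflict": conflict, "final": final,
            "providers": sorted(i.provider for i in store.identities_for(final)),
            "bio": store.accounts[final].profile["bio"],
            "prompt_email": store.needs_email_prompt(final)}
```

Two things the model deliberately does not do: it never merges on a matching email address (many providers return unverified, user-editable emails, so that would let someone take over an account by registering the victim's address at a weaker provider), and it keys identities on the provider's stable user id rather than a handle, which users can change or abandon.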

