Validating Users Authenticated with OAuth
I've got OAuth support in place for an app I'm working on. What I'm trying to work through is the logic for associating OAuth accounts.
Example:
Let's say a user has logged in before. They authenticated using Facebook. I now have an email address which I can safely assume will always be unique to that user. However, Twitter does not provide email addresses through its OAuth implementation, so if someone signs in with Twitter, and then Facebook, how do I correctly associate their account? I can't use user name, or handler, because obviously that could vary per provider. Is there any other way I could do this?
Do I require the user to enter their email address if they use an OAuth provider which omits it? I'm trying to put together the best user experience and the most stable system - so your help is highly appreciated.
If you're looking at working with multiple identity providers then your best solution would be to use an internal ID unique to your system and then associate the external accounts with that ID when the external authentication takes place. Additionally, users in FB can change their primary email address, so while it would be safe to assume it's unique, it's probably not safe to assume that it's current.
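The approach in the answer above, as an added illustration that is not part of the original thread: an internal user ID, an identity table keyed by (provider, provider user ID), and an email that is stored as contact info only, never used as the join key. The class and method names are my own; a real app would back this with database tables.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: int
    email: Optional[str] = None  # contact info only; may be missing (Twitter) or stale


class AccountStore:
    """In-memory stand-in for a users table plus an external_identities table."""

    def __init__(self):
        self.users = {}       # internal id -> User
        self.identities = {}  # (provider, provider_uid) -> internal id
        self._next_id = 1

    def login(self, provider, provider_uid, email=None, current_user_id=None):
        """Resolve a completed OAuth sign-in to an internal user.

        Returns (user, action); action is 'existing', 'linked' or 'created'.
        current_user_id is set when an already signed-in user adds a provider.
        """
        key = (provider, provider_uid)
        if key in self.identities:
            user = self.users[self.identities[key]]
            if current_user_id is not None and current_user_id != user.id:
                # A signed-in user tried to attach an identity that already
                # belongs to a different account; refuse rather than merge silently.
                raise ValueError("identity already linked to another account")
            action = "existing"
        elif current_user_id is not None:
            # Signed in (e.g. via Twitter, no email) and now connecting Facebook:
            # attach the new external identity to the existing internal ID.
            user = self.users[current_user_id]
            self.identities[key] = user.id
            action = "linked"
        else:
            # First sight of this external identity with nobody signed in.
            user = User(id=self._next_id)
            self._next_id += 1
            self.users[user.id] = user
            self.identities[key] = user.id
            action = "created"
        if email:
            user.email = email  # refresh: the provider's copy is the most current one
        return user, action
```

Two accounts that happen to carry the same email are deliberately left separate; linking only ever happens through an authenticated session, as the answer describes.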