Ask HN: What's the best way to implement multiple oauth authentication?

7 points by kappaknight ↗ HN
My team is working on a new project and we wanted to implement Facebook and Twitter OAuth verifications on top of the traditional email and password verification. We looked around on the web and setting up access keys to Facebook and Twitter are both pretty easy to figure out.

My question is, if a user registers via Twitter, adds some data to the system, logs out; and some time later decides to register via Facebook, how would the system know to combine those two separate registrations into one account? Is there a best practice for this exact problem already posted somewhere on the web?

Thanks in advance!

4 comments

[ 3.5 ms ] story [ 16.0 ms ] thread
Separate the concepts of a user account, their identity and authentication.
Despite how terse the parent may be, that's solid advice.

Each user should have 1 account that is created on their first login. With it, each additional login offering (Twitter, Foursquare, Github, whatever) should have the ability to associate to that account to add logins.

Profile data should be abstracted into a different model (if using an MVC framework) or table, for indexing purposes if nothing else.

You might need an additional model/table for holding nonces and the like, but that will depend on the implementation. I'd recommend a simple key/value store for these.

Also be aware that you'll probably still need a traditional login mechanism as well, and a lot of checks (don't let the user disassociate all accounts; if the user is logged in, don't create a new account, etc.)

Lastly, remember that not all oAuth implementations are created equal. Linkedin doesn't give out email addresses, for example, so if you intend to use email for anything substantial, check for that and prompt the user if needed.

So in order to link/associate the accounts, the user would need to be logged in to at least one of the authentication methods? I guess there's no way to connect them otherwise...
Correct, and you'll have to have a strategy for merging accounts when someone logs in with A, logs out, logs in with B, and then complains that they're on a different account.