Ask HN: What's the best way to implement multiple oauth authentication?
My team is working on a new project and we wanted to implement Facebook and Twitter OAuth verifications on top of the traditional email and password verification. We looked around on the web and setting up access keys to Facebook and Twitter are both pretty easy to figure out.
My question is, if a user registers via Twitter, adds some data to the system, logs out; and some time later decides to register via Facebook, how would the system know to combine those two separate registrations into one account? Is there a best practice for this exact problem already posted somewhere on the web?
Thanks in advance!
4 comments
[ 3.5 ms ] story [ 16.0 ms ] threadEach user should have 1 account that is created on their first login. With it, each additional login offering (Twitter, Foursquare, Github, whatever) should have the ability to associate to that account to add logins.
Profile data should be abstracted into a different model (if using an MVC framework) or table, for indexing purposes if nothing else.
You might need an additional model/table for holding nonces and the like, but that will depend on the implementation. I'd recommend a simple key/value store for these.
Also be aware that you'll probably still need a traditional login mechanism as well, and a lot of checks (don't let the user disassociate all accounts; if the user is logged in, don't create a new account, etc.)
Lastly, remember that not all oAuth implementations are created equal. Linkedin doesn't give out email addresses, for example, so if you intend to use email for anything substantial, check for that and prompt the user if needed.