For my site I am using a login system much like the one on SO. A user can login with his Facebook, Google (Gmail openID), Twitter account.
This question is not about specific oAuth or openID implementations.
The question is how to know if the same user logins with different providers.
Let me give an example:
Bobo comes to site logins to site by clicking on “Login with Facebook”. Because this is his first visit we create an account for him.
Later Bobo comes to the site. This time he clicks on “Login with Google”. So how do I know if this is the same person so I can add this provider to his account instead of creating a new (and duplicate) account.
Can I trust solely on email?
What is the best way to handle this. How does SO do it?
Any ideas?
Edit:
If I trust on email is there a possibility that the same email can be used by different users? Can this be a security issue?
I think you can’t really know this unless the user explicitly says it’s Bobo again. His FB and Google OpenID identities may have completely different info (as do mine). Only Bobo knows that these belong to the same person.
See how it’s done here at SO: you log in with OpenID, then you can link another OpenID to your account. Hint your user do so, too. Provide a large enough “I already have an account here” button in the login process.