
I've implemented OpenID on my website and I'm curious how sites such as stackoverflow.com can tell that my gmail account is linked to my facebook account.

E.g. I come to stackoverflow.com for the first time and I sign in using my gmail account. Then I log off, clear cookies from my browser and go back to stackoverflow.com but this time I log in using facebook instead of gmail. Somehow stackoverflow.com knows that my facebook account is linked to my gmail, because all of my user settings are restored from when I first signed in with gmail. So obviously stackoverflow knows that my gmail and facebook accounts are both ME.

Back to my implementation: When I log in my users using gmail or facebook, I get a post back from RPX with some user information such as their name and email address. Is it safe to say that if I have a user that logs into my website with their gmail account, joe@gmail.com, and then logs in with their facebook and their facebook account also uses joe@gmail.com that they are in fact the same person?

Is this how other people accomplish the same goal?

justinl

1 Answer


I would say that it is safe to assume that two people with the same email address are the same user.

Another way to go about this would be to provide functionality to link the two accounts on your site. What I mean to say is that I've seen social authentication implemented where if you log in using OpenID, or Facebook, each would be a separate entity. Before the user attempts to use a different system to log in, you could prompt them to connect to their Facebook/Twitter/OpenID account. A little bit of social engineering might save you a lot of problems. You'd of course have an issue if they don't connect, and then proceed to log in separately. Off the top of my head, TripIt allows you to join separate accounts into one. You might provide this functionality.

Just some thoughts.

Sri Raghavan
  • Your other thought is something I had considered. I was wondering what would happen if they logged in separately using gmail and facebook, and then tried to merge one of the already existing accounts into the other one. I guess I'd just have to figure out what would get overwritten and just connect the two accounts. – justinl Jan 03 '11 at 04:32
  • Precisely. You might make an executive decision that if things come into conflict, the Facebook data will be used, because it's 'more updated' or something. Otherwise, you could do it the way git would do things if you have conflicts during a merge - provide the user with the conflicting data you have, and have him choose which one he wants you to store. – Sri Raghavan Jan 03 '11 at 04:50
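An added example (not code from the question, the answer, or RPX) showing one way to put the two ideas in this thread together: auto-link a new provider identity to an existing account on an e-mail match, but only when the provider itself asserts that it verified the address (OpenID Connect exposes this as the `email_verified` claim; if your provider or RPX does not tell you, treat the address as unverified), and otherwise create a separate account that the user can later merge explicitly, with conflicting settings reported back so the user can choose, as the comments suggest. The `AccountStore`, `Identity` and `Account` classes and all sample logins are hypothetical stand-ins for the site's own user table; identities are keyed by the provider's stable subject id, never by the e-mail string.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

IdentityKey = Tuple[str, str]  # (provider, provider's stable subject id)


@dataclass
class Identity:
    provider: str            # e.g. "google" or "facebook" (hypothetical names)
    subject: str             # provider's stable user id; never use the e-mail as the key
    email: Optional[str]
    email_verified: bool     # the provider's own assertion, e.g. the OIDC "email_verified" claim


@dataclass
class Account:
    id: int
    settings: Dict[str, str] = field(default_factory=dict)
    identities: Dict[IdentityKey, Identity] = field(default_factory=dict)


class AccountStore:
    """In-memory stand-in for the site's user table (hypothetical)."""

    def __init__(self) -> None:
        self._accounts: Dict[int, Account] = {}
        self._by_identity: Dict[IdentityKey, int] = {}
        self._next_id = 1

    def login(self, ident: Identity) -> Tuple[Account, str]:
        """Resolve a provider login to a local account.

        Returns (account, outcome) with outcome one of "existing", "linked", "created".
        """
        key = (ident.provider, ident.subject)
        if key in self._by_identity:                     # this exact identity was seen before
            return self._accounts[self._by_identity[key]], "existing"
        # Auto-link by e-mail only when *both* sides were verified by their provider;
        # an unverified address is just a string somebody typed at the provider.
        if ident.email and ident.email_verified:
            match = self._find_by_verified_email(ident.email)
            if match is not None:
                self._attach(match, ident)
                return match, "linked"
        acct = Account(id=self._next_id)                 # otherwise start a separate account,
        self._next_id += 1                               # merged only on the user's explicit request
        self._accounts[acct.id] = acct
        self._attach(acct, ident)
        return acct, "created"

    def merge(self, keep_id: int, absorb_id: int,
              resolve: Optional[Callable[[str, str, str], str]] = None
              ) -> Tuple[Account, List[Tuple[str, str, str]]]:
        """Fold account `absorb_id` into `keep_id` after the user has logged in to both.

        Settings present on only one side are kept as-is. Conflicting settings are
        returned as (key, kept_value, absorbed_value); `resolve` picks the winner, and
        without it the kept account's value stands so the caller can ask the user.
        """
        keep = self._accounts[keep_id]
        absorb = self._accounts.pop(absorb_id)
        conflicts: List[Tuple[str, str, str]] = []
        for k, v in absorb.settings.items():
            if k in keep.settings and keep.settings[k] != v:
                conflicts.append((k, keep.settings[k], v))
                if resolve is not None:
                    keep.settings[k] = resolve(k, keep.settings[k], v)
            else:
                keep.settings.setdefault(k, v)
        for ident in absorb.identities.values():         # re-point every identity at `keep`
            self._attach(keep, ident)
        return keep, conflicts

    def _attach(self, acct: Account, ident: Identity) -> None:
        key = (ident.provider, ident.subject)
        acct.identities[key] = ident
        self._by_identity[key] = acct.id

    def _find_by_verified_email(self, email: str) -> Optional[Account]:
        wanted = email.strip().lower()
        for acct in self._accounts.values():
            for ident in acct.identities.values():
                if ident.email_verified and ident.email and ident.email.strip().lower() == wanted:
                    return acct
        return None
```

The reason both sides must be verified: if someone can register first through a provider that does not check addresses, claiming `joe@gmail.com`, and the real Joe later arrives through a provider that does, an e-mail-only rule would drop Joe into the impostor's account (or the reverse). With the rule above the two stay separate until the user who controls both logs in to each and asks for the merge.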