Tags: openid, rpx

How to associate two OpenID providers as being the same user


I've implemented OpenID on my website and I'm curious how sites such as stackoverflow.com can tell that my gmail account is linked to my facebook account.

E.g. I come to stackoverflow.com for the first time and I sign in using my gmail account. Then I log off, clear cookies from my browser and go back to stackoverflow.com but this time I log in using facebook instead of gmail. Somehow stackoverflow.com knows that my facebook account is linked to my gmail, because all of my user settings are restored from when I first signed in with gmail. So obviously stackoverflow knows that my gmail and facebook accounts are both ME.

Back to my implementation: When I log in my users using gmail or facebook, I get a post back from RPX with some user information such as their name and email address. Is it safe to say that if I have a user that logs into my website with their gmail account, joe@gmail.com, and then logs in with their facebook and their facebook account also uses joe@gmail.com that they are in fact the same person?

Is this how other people accomplish the same goal?


Solution

  • I would say that it is safe to assume that two people with the same email address are the same user.

    Another way to go about this would be to provide functionality to link the two accounts on your site. What I mean to say is that I've seen social authentication implemented where if you log in using OpenID, or Facebook, each would be a separate entity. Before the user attempts to use a different system to log in, you could prompt them to connect to their Facebook/Twitter/OpenID account. A little bit of social engineering might save you a lot of problems. You'd of course have an issue if they don't connect, and then proceed to log in separately. Off the top of my head, TripIt allows you to join separate accounts into one. You might provide this functionality.

    Just some thoughts.
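One way to implement both ideas from the question and the answer, as an added example that is not part of the original post or of RPX itself: each provider login is stored as its own identity record keyed by (provider, identifier); a login is merged into an existing account automatically only when the provider reports the email as verified, and otherwise the user links the second identity explicitly while already logged in. The in-memory store, the `IdentityAlreadyLinked` error, and the sample profiles are constructed for this example; the field names `providerName`, `identifier`, `email` and `verifiedEmail` are assumed to match what the RPX callback returns.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    settings: dict = field(default_factory=dict)
    emails: set = field(default_factory=set)  # only emails a provider vouched for


class IdentityAlreadyLinked(Exception):
    """Raised when an identity already belongs to a different account."""


class AccountStore:
    """In-memory stand-in for the site's user database (constructed for this example)."""

    def __init__(self):
        self.users = {}            # user id -> User
        self.identities = {}       # (provider, identifier) -> user id
        self.verified_email = {}   # lower-cased verified email -> user id
        self._next_id = 1

    def create_user(self):
        user = User(id=self._next_id)
        self.users[user.id] = user
        self._next_id += 1
        return user


def identity_key(profile):
    """The stable key for one provider account: the provider plus its identifier URL."""
    return (profile["providerName"], profile["identifier"])


def _record_verified_email(store, user, profile):
    email = profile.get("verifiedEmail")
    if email:
        store.verified_email[email.lower()] = user.id
        user.emails.add(email.lower())


def login(store, profile):
    """Resolve an RPX-style profile to a site user, creating one when needed.

    A provider-reported 'email' that is not also 'verifiedEmail' is never used
    for matching: some providers forward whatever address the user typed.
    """
    key = identity_key(profile)
    uid = store.identities.get(key)
    if uid is not None:                      # this provider account is already known
        return store.users[uid]
    email = profile.get("verifiedEmail")
    if email:
        uid = store.verified_email.get(email.lower())
        if uid is not None:                  # the question's case: same verified email
            store.identities[key] = uid
            return store.users[uid]
    user = store.create_user()               # brand-new visitor
    store.identities[key] = user.id
    _record_verified_email(store, user, profile)
    return user


def link_identity(store, user, profile):
    """The answer's explicit flow: a logged-in user attaches another provider account."""
    key = identity_key(profile)
    owner = store.identities.get(key)
    if owner is not None and owner != user.id:
        raise IdentityAlreadyLinked(f"{key} already belongs to user {owner}")
    store.identities[key] = user.id
    _record_verified_email(store, user, profile)
    return user


# Constructed sample callbacks; identifiers are placeholders, not real accounts.
GOOGLE_JOE = {"providerName": "Google", "identifier": "https://www.google.com/accounts/o8/id?id=EXAMPLE-joe",
              "email": "joe@gmail.com", "verifiedEmail": "joe@gmail.com"}
FACEBOOK_JOE = {"providerName": "Facebook", "identifier": "http://www.facebook.com/profile.php?id=EXAMPLE-joe",
                "email": "joe@gmail.com", "verifiedEmail": "joe@gmail.com"}
OPENID_UNVERIFIED = {"providerName": "Other", "identifier": "https://openid.example/joe",
                     "email": "joe@gmail.com"}               # email claimed, not verified
TWITTER_JOE = {"providerName": "Twitter", "identifier": "http://twitter.com/account/profile?user_id=EXAMPLE-joe"}

if __name__ == "__main__":
    store = AccountStore()
    joe = login(store, GOOGLE_JOE)
    joe.settings["theme"] = "dark"
    print(login(store, FACEBOOK_JOE) is joe)          # True: verified email matched
    print(login(store, OPENID_UNVERIFIED) is joe)     # False: unverified email, new account
    link_identity(store, joe, TWITTER_JOE)
    print(login(store, TWITTER_JOE).settings)         # {'theme': 'dark'}
```

The two lookups are deliberately separate: the identity table answers "have I seen this provider account before", and the verified-email table answers "is this the same person", so a provider that merely relays a typed-in address cannot attach itself to someone else's settings.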