Architecture for merging multiple accounts and registering a user account

Question

My question is almost the same as this one

only difference is that users has an option to register (provides his username and password).Users should only have one account registered, if the user has the same email I merged those accounts. and my application has another method for logging in which is via Facebook.

What I basically do is

When The User visits the for site for the first time, he or she then gets created a User Account where the it only has Username ,password and mail address after that third-party identity record is created and then paired with the local account.however the Users table will have an empty Username and password, but the email will be filled with the users email that we have retrieved from the third party service provider

And the Second Scenario

Users attempts Register to the site. check if email exist if the email exist but it is registered using a third party account, Use the user populated form and insert it to the user account paired with the third party account, in short if the users email exist in the database I will just merged the locally created account and the third party account.

Now my question is my approach secure and credible? if not what is the best way to merge accounts and at the same time if the user registers with the same email(the one from the third party account) and he has a third party account, those account would be merge?

Is it something like OpenID that you want to achieve? – Charles-Édouard Coste Apr 26 '13 at 15:10 — Charles-Édouard Coste, Apr 26 '13 at 15:10
@Charles-EdouardCoste yup that is what I am trying to do. – user962206 Apr 26 '13 at 22:36 — user962206, Apr 26 '13 at 22:36

score 3 · Answer 1 · answered Apr 23 '13 at 16:34

The way I look at this, there is only one account. One email, one account period. There might be various attributes associated with that account, like for e.g. linked to a set of OAuth credentials etc. But fundamentally there is only one account. If your user has registered once using a social account and then try to register again on your site, send them over to the social site which they used to register the first time and ask them to login there. Then log them into your site automatically. If the user has an account with your site and then tries to register again with a social account, tell them that you already have an account on the site and ask them to login. IMHO, keeping separate accounts and trying to merge them is a messy idea.

score 3 · Answer 2 · answered Apr 27 '13 at 23:32

3

I would provide two sets of behavior, one when logged in and one when logged out.

When logged in, you provide the ability to link to new third-party accounts. For example, you sign up with email address and password, then log in, then you can link your Facebook account. To link your Facebook account you authorize with Facebook and then store the Facebook information in that user account record.

When logged out, you must log in with existing credentials. If, when logged out, you try to create an account with an existing email address, you either prevent the log in, saying "an account with that email address already exists", or you immediately challenge the user to log in to merge the account (in which case it works like the logged in case when linking an external account, only with the order of authentication operations reversed).

In case it's not clear from the above, I recommend having a single user account and a way to record linkages between that account and external accounts. You can do this in NoSQL buy just adding fields to the user document or you can do this relationally by having a table representing external accounts with a foreign key linking them to the user ID.

answered Apr 27 '13 at 23:32

Old Pro

24,624
7
58
106

With twitter, they don't provide emails. Got any ideas on how to merge twitter and other oauth accounts? – CMCDragonkai Jul 09 '13 at 21:02
@CMCDragonkai, your choices are to forbid creating accounts with Twitter (can only add after logging in some other way), force new Twitter users to provide and email address as part of the sign-up flow, or risk Twitter users creating unintended duplicate accounts. – Old Pro Jul 09 '13 at 21:56
Could you tell me how you would identify unique twitter users? Through their name? That seems the only unique identifier that I can use. I mean like wheb the same twitter user logs in again. – CMCDragonkai Jul 10 '13 at 09:51
@CMCDragonkai, the Twitter handle (their `@name`) is unique, since that's how you follow them. Twitter also provides a numeric ID that is unique. The numeric ID is better because a person can change their Twitter handle but the ID number will stay the same AFAIK. – Old Pro Jul 10 '13 at 19:20
Would you allow user accounts to merge if both accounts have their own activity/history/... on the site? For example: me as a googleplus user has bought something on the website with a certain set of payment credentials. Me as a facebook user also bought something with different payment credentials. How do you merge those 2 ? – jan Jan 27 '14 at 13:14
@jan, yes, I would allow user accounts to merge even if both accounts have their own activity/history/... on the site. Exactly how you merge them depends very much on how you represent accounts and related attributes. You may need to send the user through a manual merge process to resolve some conflicts (e.g. if the two accounts have different home telephone numbers) or you may just be able to transfer the transactions and attributes from one account to another. – Old Pro Jan 28 '14 at 08:07
@OldPro: Is this (manual) conflict-resolving merge irreversible? Do you still know which accounts were merged when? Or is it a matter of replacing user id's troughout the database? – jan Jan 28 '14 at 09:03
1

@jan, it's whatever you build it to be. If it's a (regulated) banking app you need to provide a complete audit trail; you might end up creating a whole new (third) account. In the simplest case you'd just replace user IDs throughout the database. You can look at how StackExchange handles merging duplicate accounts for an intermediate level of complexity. – Old Pro Jan 29 '14 at 00:28

score -1 · Answer 3 · answered May 01 '13 at 08:42

-1

Beware not to use oAuth 2.0 ! The lead author himself resigned as it's not as safe as the 1.0 version.

You should prefer oAuth 1.0 or OpenID.

You can also have a look at Persona from Mozilla

answered May 01 '13 at 08:42

Charles-Édouard Coste

1,604
12
24

Architecture for merging multiple accounts and registering a user account

3 Answers3