I am developing an MVC4 / Razor website for which a client has been asking that users log in using their Facebook / Google accounts. Fortunately, this is pretty simple using forms authentication.
However, I ran into a problem: what if the email address of the user returned by the provider matches an existing username?
For example, tim@rocketeerconsulting.com previously existed as a native. For some reason, the user wants to use Facebook to log in. Facebook returns that tim@rocketeerconsulting.com is the user's email address. If a user tries to create an account using this information, MVC4 will indicate that the account already exists.
There are several problems:
- Should users be allowed to consolidate accounts if the email address provided by the OAuth provider matches the existing account?
- This poses a potential security risk. Can I rely on an OAuth provider to confirm that the address is valid? Otherwise, an attacker could create a Facebook account and then gain access to another user's account.
- How can this be implemented, if at all?
I understand that there is a similar question here, but my question relates specifically to the context of Forms auth in MVC4.
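One defensive way to handle the collision the question describes, as an added example that is not part of the question or of the MVC4 project template: the controller below keys trust on the (provider, providerUserId) pair that `OAuthWebSecurity` already stores, treats the provider-reported email purely as a UI hint, and refuses to merge an external login into an existing local account until the user proves ownership with that account's password. It uses the real `OAuthWebSecurity` / `WebSecurity` APIs from the MVC4 Internet template (`VerifyAuthentication`, `Login`, `SerializeProviderUserId`, `TryDeserializeProviderUserId`, `CreateOrUpdateAccount`, `UserExists`), plus the template's `RegisterExternalLoginModel` for the no-collision path. The `"email"` key in `ExtraData`, the `LinkExternalLoginModel` class and the `LinkExternalLogin` view name are assumptions made for this example; which providers populate an email field, and whether they assert it as verified, varies and should be checked against each provider's documentation.

```csharp
// Added example (not the question's or the MVC4 template's code): link an
// external login to an existing local account only after a password check.
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using DotNetOpenAuth.AspNet;          // AuthenticationResult
using Microsoft.Web.WebPages.OAuth;   // OAuthWebSecurity
using WebMatrix.WebData;              // WebSecurity

// Hypothetical view model for the "prove you own this local account" step.
public class LinkExternalLoginModel
{
    [Required] public string UserName { get; set; }          // the colliding local username
    [Required, DataType(DataType.Password)] public string Password { get; set; }
    [Required] public string ExternalLoginData { get; set; } // serialized (provider, providerUserId)
}

[Authorize]
public class AccountController : Controller
{
    // Callback the provider redirects to after the user consents.
    [AllowAnonymous]
    public ActionResult ExternalLoginCallback(string returnUrl)
    {
        AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(
            Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
        if (!result.IsSuccessful)
            return RedirectToAction("ExternalLoginFailure");

        // Already linked: the provider id, not the email, is the identity we trust.
        if (OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
            return RedirectToLocal(returnUrl);

        // Email reported by the provider. Assumed key name; it is a hint for the
        // UI only and is never used as proof that the user owns a local account.
        string email;
        result.ExtraData.TryGetValue("email", out email);

        string loginData = OAuthWebSecurity.SerializeProviderUserId(result.Provider, result.ProviderUserId);

        if (!string.IsNullOrEmpty(email) && WebSecurity.UserExists(email))
        {
            // Collision with a native account: do NOT merge silently. Ask for the
            // local password so an attacker who merely registered this email at
            // the provider cannot take the account over.
            return View("LinkExternalLogin",
                new LinkExternalLoginModel { UserName = email, ExternalLoginData = loginData });
        }

        // No collision: fall through to the template's normal confirmation flow,
        // which creates a brand-new local user for this external identity.
        return View("ExternalLoginConfirmation",
            new RegisterExternalLoginModel { UserName = email, ExternalLoginData = loginData });
    }

    // Posted from the LinkExternalLogin view (hypothetical view name).
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult LinkExternalLogin(LinkExternalLoginModel model, string returnUrl)
    {
        string provider, providerUserId;
        if (!OAuthWebSecurity.TryDeserializeProviderUserId(model.ExternalLoginData, out provider, out providerUserId))
            return RedirectToAction("ExternalLoginFailure");

        // Proof of ownership is the local password; WebSecurity.Login verifies it
        // against the membership store and signs the user in on success.
        if (!ModelState.IsValid || !WebSecurity.Login(model.UserName, model.Password, persistCookie: false))
        {
            ModelState.AddModelError("", "The password for that account was incorrect.");
            return View(model);
        }

        // Only now record the (provider, providerUserId) -> local user mapping.
        OAuthWebSecurity.CreateOrUpdateAccount(provider, providerUserId, model.UserName);
        return RedirectToLocal(returnUrl);
    }

    // Same open-redirect guard the template uses.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

The design point is that a matching email never moves a user across the trust boundary on its own: linking requires something only the legitimate owner of the native account has (its password), and a user who has forgotten it goes through the normal password-reset path first. Once the mapping exists, subsequent Facebook logins succeed through `OAuthWebSecurity.Login` without ever consulting the email again.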