Question
In our system, users can have multiple email addresses, and set one as their primary. They can log in with their primary email address and password.
We are looking at adding in a Facebook login.
My question is:
When a fb user 'signs in' and we see that the email for this fb user matches an email address for a user in our internal user database, is it safe to go ahead and 'merge' these accounts so that the fb user can see the data for the internal user? Or is it better practice to give the user some hints that he/she can link their accounts and then guide them through a process of authenticating with the internal account before merging?
The question would also be for the opposite case, where a person first signed up with us using facebook, but now is creating an account using their email address, which matches the email for one of our facebook users. Should we then go ahead and auto merge the users or walk them through an auth process?
I guess I'm unclear about the oddities that could take place between emails that we manage and ones that Facebook manages, and I'm concerned about what the impacts may be if one of these oddities hoses some accounts.
Any insights are appreciated.
Answer 1:
From Facebook login flow documentation:
'After a successful login using Facebook, you will have the person's email address, Facebook ID, and access token. Your app should search for an existing account that has been created with that same email address. If one exists, you should merge the two accounts and add the Facebook info to the existing account - as recommended above.'
To me, this sounds like we should auto merge with matching emails. Feels like there's room for error here... correct me if I'm wrong.
-- EDIT --
We decided against auto merges. Just too much room for error. We decided this a while ago... just now getting around to updating this.
Source: https://stackoverflow.com/questions/44967162/auto-merge-facebook-and-internal-users
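An added example, not from the original post or from Facebook's documentation, of the explicit-link flow the answer settled on instead of auto merging: a Facebook sign-in whose email matches an internal account gets no session until the internal password is proven. The names `Accounts`, `User`, `facebook_sign_in` and `confirm_link` are hypothetical, and an in-memory list stands in for the user database.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:  # hypothetical record; a real system would persist this
    emails: set
    salt: bytes = b""
    pw_hash: bytes = b""               # empty for Facebook-only accounts
    facebook_id: Optional[str] = None

class Accounts:
    def __init__(self):
        self.users = []

    def register(self, email, password):
        salt = os.urandom(16)
        user = User({email.lower()}, salt, _hash(password, salt))
        self.users.append(user)
        return user

    def facebook_sign_in(self, fb_id, fb_email):
        """Return (outcome, user). Sessions are keyed on the Facebook ID, never on email alone."""
        for u in self.users:
            if u.facebook_id == fb_id:
                return "signed_in", u
        email = fb_email.lower() if fb_email else None  # provider may send no email
        for u in self.users:
            if email and email in u.emails:
                # Matching email only: offer linking, grant no access to the account yet.
                return "link_required", u
        user = User({email} if email else set(), facebook_id=fb_id)
        self.users.append(user)
        return "new_account", user

    def confirm_link(self, user, fb_id, password):
        """Attach fb_id only after the internal account's password is proven."""
        if not user.pw_hash or user.facebook_id is not None:
            return False
        if not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
            return False
        user.facebook_id = fb_id
        return True
```

The opposite case from the question (an email sign-up colliding with a Facebook-first account) follows the same shape: report the collision and require a fresh Facebook login before attaching the password.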