I'm trying to find a way to handle this situation.
I have these tables in my database, for "native" users and "external" users, to log in "native" users and OpenID users:
--native user--
id (primary key)
email (unique)
screen_name (unique)
--external user--
openid_id
native_user_id
When a new user logs in with an OpenID account, I create a new "native" user and assign it the OpenID account identifier. Before I automatically create this new "native" user, I try to obtain some information from OpenID, such as name and email. If both are present, the user is registered "magically", but if some of these fields are missing, the user is presented with a form asking him to fill in the info.
OK, now comes my problem.
If a new OpenID user logs in to the site, and OpenID gives me an email that is already assigned to an existing native user, how should I proceed? (Bear in mind that email is a UNIQUE field of my table.)
1. Ask him to change the email being stored in my system.
2. Assign this OpenID to the match in my database and log in the user, as it's probably the same user trying to log in with a different OpenID.
3. Deny the login, even though it's probably the same user trying to log in with a different OpenID.
4. Deny the login, and warn the visitor he must assign a new OpenID to his user once he is logged in.
Personally, I think I should go for 4, as 1 could lead to people accidentally creating a new user for their second OpenID account without noticing it. As for path 2, I think it's dangerous to assume that the new OpenID corresponds to the same user. Somebody could create an OpenID account with an email already in my system to gain access to that native user.
What do you think?
PS: I've read this question: http://stackoverflow.com/questions/1041413/create-a-new-user-with-new-openid-login-authlogic but it is not 100% what I'm looking for.
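
An added example, not code from the original post: a sketch of option 4 against the two tables described above, where an email match never links accounts and a second OpenID can only be attached from an already authenticated session. The function names, status strings and the SQLite schema are assumptions, and `openid_id` is assumed to be the identifier already verified by the OpenID library.

```python
import sqlite3

# Assumed SQLite rendering of the two tables in the post.
SCHEMA = """
CREATE TABLE native_user (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL,
                          screen_name TEXT UNIQUE NOT NULL);
CREATE TABLE external_user (openid_id TEXT PRIMARY KEY,
                            native_user_id INTEGER NOT NULL REFERENCES native_user(id));
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def openid_login(db, openid_id, email, screen_name):
    """Handle a verified OpenID assertion; returns (status, native_user_id)."""
    row = db.execute("SELECT native_user_id FROM external_user WHERE openid_id = ?",
                     (openid_id,)).fetchone()
    if row:
        return ("logged_in", row[0])   # identifier already linked: normal login
    if not email or not screen_name:
        return ("need_form", None)     # provider omitted a field: show the form
    # The email is only a claim made by the provider. A match with an existing
    # account must not link or log in; the owner links it after logging in.
    if db.execute("SELECT 1 FROM native_user WHERE email = ?", (email,)).fetchone():
        return ("email_taken_link_after_login", None)
    try:
        with db:  # one transaction: both rows are written or neither is
            cur = db.execute("INSERT INTO native_user (email, screen_name) VALUES (?, ?)",
                             (email, screen_name))
            db.execute("INSERT INTO external_user VALUES (?, ?)",
                       (openid_id, cur.lastrowid))
    except sqlite3.IntegrityError:
        return ("need_form", None)     # screen_name taken, or a concurrent signup
    return ("registered", cur.lastrowid)

def link_openid(db, session_user_id, openid_id):
    """Attach another OpenID to the account of the current authenticated session."""
    try:
        with db:
            db.execute("INSERT INTO external_user VALUES (?, ?)",
                       (openid_id, session_user_id))
    except sqlite3.IntegrityError:
        return False                   # identifier is already linked to an account
    return True
```
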