FtDRbwLXw6

Reputation: 28929

OAuth and shared email addresses

In our application, we don't use email address as the username/login, and, as a result, we have accumulated a fair number of accounts that have duplicate email addresses (usually husband/wife pairs who share the same address, but separate accounts in the app).

We'd like to implement OAuth logins (Facebook, Twitter, Google, etc.) as a perk for our users, and we're currently investigating options for refactoring to allow for this.

My question is - is there any way to allow for OAuth logins without forcing each of our accounts to have a unique email address?

Upvotes: 1

Views: 161

Answers (1)

divyanshm

Reputation: 6800

I've changed my earlier answer after being provided more insight into the requirement. If I were you, I'd do it like this -

  1. User clicks on Login via Facebook, and keys in his credentials.
  2. My app gets the access token.
  3. I'll hit the /me endpoint of the FB graph API to retrieve the user info and the unique user ID.
  4. Once I have the unique user ID, I would then check my own DB if there is an entry for that user. If I have two entries I will give the user another popup to select the account he wishes to log in and enter the password for that.
    (So, my database should have <userID, list of mapped accounts> entries.)

If the user decides to create a new account and logs in via Facebook, I'd repeat steps 1-3 and create a new <username, password> pair and add it to the list of mapped accounts.

Add comments if you want me to elaborate.

Upvotes: 1
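One way to store the <userID, list of mapped accounts> mapping from the answer above and resolve step 4, as an added example that is not part of the original answer. The table and function names and the sample values are assumptions, the provider user ID is taken as already retrieved server-side in steps 1-3, and logging a single mapped account straight in is also an assumption.

```python
import hashlib, hmac, os, sqlite3

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        -- email is deliberately NOT unique: shared addresses stay allowed
        CREATE TABLE accounts (username TEXT PRIMARY KEY, email TEXT, salt BLOB, pw BLOB);
        -- the answer's <userID, list of mapped accounts>, keyed on the provider's ID
        CREATE TABLE oauth_links (provider TEXT, subject TEXT, username TEXT,
                                  PRIMARY KEY (provider, subject, username));
    """)
    return db

def add_account(db, username, email, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO accounts VALUES (?,?,?,?)",
               (username, email, salt, _kdf(password, salt)))

def check_password(db, username, password):
    row = db.execute("SELECT salt, pw FROM accounts WHERE username=?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[1], _kdf(password, row[0]))

def link(db, provider, subject, username, password):
    """Add a local account to the provider ID's list, only with its password."""
    if not check_password(db, username, password):
        return False
    db.execute("INSERT OR IGNORE INTO oauth_links VALUES (?,?,?)",
               (provider, subject, username))
    return True

def login(db, provider, subject, chosen=None, password=None):
    """Step 4: resolve an already-verified provider user ID to one local account."""
    accts = [r[0] for r in db.execute(
        "SELECT username FROM oauth_links WHERE provider=? AND subject=? "
        "ORDER BY username", (provider, subject))]
    if not accts:
        return ("link_required", None)       # no mapping yet: create or link one
    if len(accts) == 1:
        return ("ok", accts[0])              # assumption: single mapping logs in directly
    if chosen in accts and password and check_password(db, chosen, password):
        return ("ok", chosen)
    return ("choose_account", accts)         # popup: pick an account, enter its password
```

Because the lookup key is the provider's user ID and never the email address, two accounts sharing one address need no schema change.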
