
[ZAuth/OAuth] Merge accounts with same email #4197

Closed
craigh opened this issue Mar 31, 2020 · 7 comments

Comments

@craigh
Member

craigh commented Mar 31, 2020

Transferred from #2915

Add ability to 'pair' (or merge) two or more accounts so that authenticating via e.g. Github can point to the same ZikulaUser as authenticating via email or any other method.

refs #3720

@craigh craigh added the Feature label Mar 31, 2020
@craigh craigh added this to the 3.1.0 milestone Mar 31, 2020
@craigh
Member Author

craigh commented Mar 31, 2020

Basically, assuming duplicate emails are not allowed, the process would be this:

when someone logs in with ZAuth or OAuth, it would check emails in users table and see if the email exists. Assuming the authentication succeeds (verifying then that they indeed own the email address), the same UID would be used as the existing email record, instead of creating a new one.

Taking care of existing duplicate accounts would be more challenging. A couple possibilities I can think of:

  1. allow a user to manually merge accounts as they see fit
  2. on upgrade scan for duplicate emails in mapping tables and users table and merge the accounts.

The second option would be easier, but there is a possibility of data loss. For example, a comment may be created with the 'lost' UID. This comment would be orphaned.

@robbrandt

I've thought about this for a little while and I am not certain this is a problem that needs to be solved.

I am using alternative authentication methods on 3 different sites, probably 4 soon. In my situation, duplicate emails and usernames aren't normal but are common for administrators. The alternate authentication method is the primary means of authentication, but ZAuth is always there as a fallback.

To me, the biggest issue is identifying which username uses which auth method, when trying to edit them or assign them to groups. I think I saw a solution for this posted or at least suggested?

If we are too strict, the following scenario is problematic: user registers initially as rob.brandt using zauth. Site administrator then adds support for a Facebook login, and naturally rob.brandt wants to start using that. But it won't work because his existing Facebook identity is rob.brandt, with the same email address as used with zauth.

@Kaik
Contributor

Kaik commented Apr 1, 2020

@robbrandt I think this is what Craigh is talking about: if there is an account with the same email then this account is linked to the fb user, and no new account is created. (I don't think a zk account was created before anyway... remember the comment in the code "// create new account here"...)

@craigh
While option number 1 will leave duplicates until these are merged by the user.

Merging accounts will be/is quite a big problem; maybe creating an event would be a good solution so modules can respond the same way as in the case of deleting a user... sometimes some users want to merge their different accounts into one, so it would be helpful as well.

@craigh craigh modified the milestones: 3.1.0, 3.0.0 Apr 16, 2020
@craigh
Member Author

craigh commented Apr 16, 2020

this issue must be resolved with #3720

@craigh
Member Author

craigh commented Apr 22, 2020

@robbrandt please read #3720. The proposal is to disallow registration of a new Authentication type (Facebook in your scenario) because of the duplicate email.

craigh added a commit that referenced this issue Apr 22, 2020
…4271)

* restrict ability to register same email with different auth methods. closes #3720. refs #4197
@craigh
Member Author

craigh commented Apr 22, 2020

#4197 would - if desired - need to bypass all validation of duplicate emails and implement some kind of 'secondary authorization' method. To do this, the currently logged in user would proceed through a workflow where they authenticate by their new method (e.g. Facebook) and this creates a new mapping for that method and is linked to the current UID. Then the user could login with either method after that. (#4197 could therefore be postponed to a later release as it would not be incumbent on this issue).
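The linking workflow described in the comment above, modelled as a standalone added example (not Zikula code; the `AuthStore`, method names, ids and emails are assumptions). It shows the #3720 refusal of a second registration with a taken email, the 'secondary authorization' link made from a logged-in session to the current UID, and the check that an identity already bound to a different UID is never re-pointed:

```python
class LinkError(Exception):
    """Raised when a login or link attempt must be refused."""

class AuthStore:
    def __init__(self):
        self.users = {}      # uid -> email (users table; emails assumed unique)
        self.mappings = {}   # (method, external_id) -> uid (per-method mapping tables)
        self._next_uid = 1

    def register(self, method, external_id, email):
        """Create a user plus its first mapping; refused if the email is taken (#3720 rule)."""
        if email in self.users.values():
            raise LinkError("email already registered under another auth method")
        uid = self._next_uid
        self._next_uid += 1
        self.users[uid] = email
        self.mappings[(method, external_id)] = uid
        return uid

    def login(self, method, external_id):
        """Resolve an already-authenticated (method, id) pair to a UID; never creates an account."""
        uid = self.mappings.get((method, external_id))
        if uid is None:
            raise LinkError("no account for this login; register, or link while logged in")
        return uid

    def link(self, current_uid, method, external_id):
        """'Secondary authorization': a logged-in user binds a new method to the current UID.
        The session, not the provider email, is the proof of ownership, so the duplicate-email
        check is bypassed. A mapping already bound to another UID is never re-pointed."""
        if current_uid not in self.users:
            raise LinkError("linking requires an authenticated session")
        owner = self.mappings.get((method, external_id))
        if owner is not None and owner != current_uid:
            raise LinkError("this identity is already linked to a different account")
        self.mappings[(method, external_id)] = current_uid
        return current_uid

def demo():
    """Rob's scenario: register with ZAuth, get refused on a fresh Facebook registration,
    link Facebook from the logged-in session instead, then log in either way."""
    store = AuthStore()
    uid = store.register("zauth", "rob.brandt", "rob@example.invalid")  # constructed data
    try:
        store.register("facebook", "rob.brandt", "rob@example.invalid")
        blocked = False
    except LinkError:
        blocked = True
    store.link(uid, "facebook", "rob.brandt")
    return uid, blocked, store.login("zauth", "rob.brandt"), store.login("facebook", "rob.brandt")
```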

@craigh craigh modified the milestones: 3.0.0, 3.1.0 Apr 22, 2020
craigh added a commit that referenced this issue May 3, 2020
…4271)

* restrict ability to register same email with different auth methods. closes #3720. refs #4197
@Guite Guite changed the title Merge ZAuth/OAuth accounts with same email [ZAuth/OAuth] Merge accounts with same email Jul 15, 2020
@craigh craigh modified the milestones: 3.1.0, 4.0.0 Dec 28, 2020
@Guite
Member

Guite commented Apr 2, 2023

closing as won't fix - core 4 is not doing anything related to authentication anymore in favor of vendors

@Guite Guite closed this as completed Apr 2, 2023