datamweb / shield-oauth

OAuth for CodeIgniter Shield
https://www.shield-oauth.codeigniter4.ir/
MIT License

Using email as auth identity is unreliable #38

Open pixobit opened 1 year ago

pixobit commented 1 year ago

PHP Version

8.1

CodeIgniter4 Version

4.3.2

Shield Version

1.0.0-beta.3

Shield OAuth Version?

dev-develop

Which operating systems have you tested for this bug?

Windows

Which server did you use?

apache

Database

MySQL 5.6

Did you add customize OAuth?

YES. It's not public

What happened?

When signing in with Google or GitHub, using the email as authentication identity is fine, but when you add Facebook for example, it already breaks, since Facebook doesn't always have an email available. A more reliable way would be to use the id, and only pull the email if available.

Steps to Reproduce

Use the facebook OAuth available in the discussions, and try signing in with a fb account where you used phone number to sign in

Expected Output

To be able to sign in without unexpected error

Anything else?

I hope I managed to make it as clear as possible, but if not, let me know, and I will try to add some sources for explanation.

JamesShaver commented 5 months ago

I'm curious if there's been any thought about how to get around this issue? Would it be as simple as changing the Shield Login Identifier to phone?

Zoly commented 1 month ago

How about validated attached authentication accounts?

The user is logged in and in his user profile page he can choose to add additional authentication accounts. After validating that he owns the newly requested account, the two login identifiers are linked, and whichever login method he chooses later on, both are identified as the same account.

In case the requested account already exists, by passing the validation process it is confirmed we are dealing with the same user, and the two login identifiers can safely be merged into one account, specifically the account he made the request from, after notifying the user of the fact that he will lose access to the personalized settings that can't be merged into the account he tries to attach.
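One way to implement what this thread asks for: resolve the local account by the provider's stable user id first, and fall back to email only when the provider supplies one and marks it verified, so a phone-only Facebook account still logs in and an unverified email can never attach to someone else's account. This is an added illustration, not shield-oauth's code; the in-memory tables and column names are assumptions, not Shield's schema.

```php
<?php
// Added example, not shield-oauth's own code. Constructed in-memory stores
// stand in for Shield's auth_identities and users tables (names assumed).
$identities = [['user_id' => 1, 'type' => 'google', 'secret' => 'g-1001']];
$users      = [1 => ['id' => 1, 'email' => 'alice@example.com']];

function findByProviderId(array $identities, string $provider, string $subject): ?int
{
    foreach ($identities as $row) {
        if ($row['type'] === $provider && $row['secret'] === $subject) {
            return $row['user_id'];
        }
    }
    return null;
}

function findByVerifiedEmail(array $users, array $profile): ?int
{
    // A missing or unverified email must never link to an existing account:
    // a provider account carrying someone else's email would take it over.
    if (empty($profile['email']) || empty($profile['email_verified'])) {
        return null;
    }
    foreach ($users as $u) {
        if ($u['email'] !== null && strcasecmp($u['email'], $profile['email']) === 0) {
            return $u['id'];
        }
    }
    return null;
}

function resolveUser(array &$identities, array &$users, string $provider, array $profile): int
{
    $id = findByProviderId($identities, $provider, $profile['id']);
    if ($id !== null) {
        return $id; // known provider account: no email needed at all
    }
    $id = findByVerifiedEmail($users, $profile);
    if ($id === null) {
        $id = max(array_keys($users)) + 1; // new user, possibly without email
        $users[$id] = ['id' => $id, 'email' => $profile['email'] ?? null];
    }
    // Store the mapping so later logins resolve by provider id alone.
    $identities[] = ['user_id' => $id, 'type' => $provider, 'secret' => $profile['id']];
    return $id;
}

// Facebook login from a phone-only account: no email, still gets a user,
// and the second login resolves to the same user by id.
$first  = resolveUser($identities, $users, 'facebook', ['id' => 'fb-555']);
$second = resolveUser($identities, $users, 'facebook', ['id' => 'fb-555']);
echo ($first === $second && $users[$first]['email'] === null) ? "ok\n" : "mismatch\n";
```

The same `resolveUser` path covers the account-linking flow described above: once the user has proven ownership of the second provider account, calling it with that provider's id for the already logged-in user records the extra mapping.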