
This. I'm not a big user of SSO in general, but on the few sites that I did use it, I'd forget whether I used SSO or not. Also, using SSO locks you into using that vendor. I've a couple of accounts that I'd like to change to normal uname/pwd but am locked into the SSO vendor (which I'm hoping to move away from).


On all sites/apps I’ve built offering SSO, we’ve gone out of our way to support linking of accounts and detecting existing accounts when claims like emails are found. Also allowing for merges after the fact.

I would consider this a best practice when offering any "sign in with..."


This seems like a nice user experience, but I'd be worried about leaking which email address has an account with us.


Wouldn’t the sign-in mechanism (which validates e-mail) prevent this, in the sense that they won’t be able to get a third-party account to authenticate with for a particular e-mail without verifying ownership of that e-mail to the third-party provider?


You address this by only linking accounts once a user has successfully signed in with another provider. That way, if their email exists from another provider, you're more certain that it's the same account.


Would make sense to create a package for popular MVC frameworks that does this.


No it doesn’t. All the SSO providers (besides Apple in some cases) provide a verified email address to the site that it can use to dedupe.
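The linking rule the last two comments describe, as an added example that is not from this thread: a login is linked to an existing local account only after the IdP has authenticated the user and only when its `email_verified` claim is literally true; an unverified email that happens to match is neither linked nor confirmed to the caller. The `UserStore`, claim names and `user_id` format are assumptions standing in for a real database and OIDC token.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: str
    email: str
    providers: dict = field(default_factory=dict)  # provider name -> IdP subject id

class UserStore:
    """Hypothetical in-memory store standing in for the site's user database."""
    def __init__(self):
        self.by_email = {}     # lower-cased email -> User
        self.by_provider = {}  # (provider, sub) -> User

    def add(self, user):
        if user.email:
            self.by_email[user.email.lower()] = user
        for provider, sub in user.providers.items():
            self.by_provider[(provider, sub)] = user

    def link(self, user, provider, sub):
        user.providers[provider] = sub
        self.by_provider[(provider, sub)] = user

def resolve_sso_login(store, provider, claims):
    """Return (action, user). Call only after the IdP has authenticated the user."""
    sub = claims.get("sub")
    if not sub:
        return ("reject", None)  # no stable identity from the provider
    user = store.by_provider.get((provider, sub))
    if user:
        return ("login", user)  # identity already linked: ordinary sign-in
    email = (claims.get("email") or "").lower()
    verified = claims.get("email_verified") is True  # strict boolean, not "true"
    existing = store.by_email.get(email) if email else None
    if existing and verified:
        store.link(existing, provider, sub)  # provider vouched for the address
        return ("link", existing)
    if existing and not verified:
        # Same address, but the IdP did not verify it: never auto-link, and
        # return the same generic rejection as any other failed login.
        return ("reject", None)
    new_user = User(user_id=f"{provider}:{sub}", email=email, providers={provider: sub})
    store.add(new_user)
    return ("create", new_user)
```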



