I have an existing application that has standard user accounts, and we've just finished integrating Facebook login as an option. It works quite well, but if someone tries to log in using Facebook with an email address that already exists as a user of the system, I'd like to associate them with the existing user account.
Before I go ahead and do that, though, is it safe to just do it, without requiring that the user log in first? If Facebook says a user has a certain email address, how confident can I be that it's not fake?
I could, if required, set it so that the user needs to log in to my app, then associate the Facebook account manually, but I'd prefer to keep it as simple as possible for them, without adding all kinds of steps.
Thoughts?
I think the best option would be having the user log in to their account on your site before associating the Facebook account.
Assume a condition where a user on your site does not have a Facebook account associated with the email address they use to identify themselves on your site. A malicious user creates one using that email address, goes to your site to associate accounts, and takes over the original user's account.
I believe Facebook does not require email address authentication to use the account.
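The takeover described in the answer above, as an added example that is not part of the original question or answer and makes no real Facebook API calls: an in-memory user store, a constructed stand-in for the identity assertion the site receives from the social login (field names `provider`, `subject`, `email` are assumptions for the demo), the auto-link flow the question proposes, and the two-step flow the answer recommends, where a colliding email forces the user to prove control of the local account before anything is linked.

```python
"""Account-linking demo (constructed example, not the site's or Facebook's code).

social_login_autolink  -- the flow from the question: link on an email match.
social_login_safe      -- the flow from the answer: refuse to link on the email
                          claim alone; the user must log in locally first.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    facebook_id: Optional[str] = None  # provider-side id once linked


@dataclass
class SocialAssertion:
    """Stand-in for what the site learns from the social login (assumed fields)."""
    provider: str
    subject: str  # the provider's id for the social account
    email: str    # the email the provider reports; not verified by anyone


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class UserStore:
    def __init__(self) -> None:
        self.by_email: Dict[str, User] = {}
        self.by_social: Dict[Tuple[str, str], User] = {}

    def register(self, username: str, email: str, password: str) -> User:
        salt = os.urandom(16)
        user = User(username, email, salt, _hash_password(password, salt))
        self.by_email[email] = user
        return user

    def authenticate(self, email: str, password: str) -> Optional[User]:
        user = self.by_email.get(email)
        if user is None:
            return None
        ok = hmac.compare_digest(user.password_hash, _hash_password(password, user.salt))
        return user if ok else None

    def link(self, user: User, a: SocialAssertion) -> User:
        user.facebook_id = a.subject
        self.by_social[(a.provider, a.subject)] = user
        return user


def _register_fresh_social_user(store: UserStore, a: SocialAssertion) -> User:
    # A social-only account still needs a password hash; use an unguessable one.
    return store.register(a.email, a.email, os.urandom(16).hex())


def social_login_autolink(store: UserStore, a: SocialAssertion) -> User:
    """Vulnerable: an email match with an existing local account links and logs in.
    Whoever can make the provider report the victim's email becomes the victim."""
    user = store.by_social.get((a.provider, a.subject))
    if user is not None:
        return user
    user = store.by_email.get(a.email)
    if user is None:
        user = _register_fresh_social_user(store, a)
    return store.link(user, a)


class LocalLoginRequired(Exception):
    """The reported email collides with a local account; link only after local login."""


def social_login_safe(store: UserStore, a: SocialAssertion) -> User:
    """Safe: already-linked social accounts log in; a colliding email is never
    trusted, and a non-colliding one creates a brand-new account."""
    user = store.by_social.get((a.provider, a.subject))
    if user is not None:
        return user
    if a.email in store.by_email:
        raise LocalLoginRequired(a.email)
    return store.link(_register_fresh_social_user(store, a), a)


def link_after_local_login(store: UserStore, email: str, password: str,
                           a: SocialAssertion) -> User:
    """Second step of the safe flow: prove control of the local account, then link."""
    user = store.authenticate(email, password)
    if user is None:
        raise PermissionError("local authentication failed; not linking")
    return store.link(user, a)


if __name__ == "__main__":
    store = UserStore()
    victim = store.register("alice", "alice@example.com", "correct horse")
    # Attacker's social account claiming the victim's email (constructed input).
    attacker = SocialAssertion("facebook", "fb-attacker", "alice@example.com")
    print("autolink logs attacker in as:", social_login_autolink(store, attacker).username)
```

Running the module links the attacker's social account to `alice` under the auto-link flow; under `social_login_safe` the same assertion raises `LocalLoginRequired` and the victim's record is untouched until someone supplies alice's password to `link_after_local_login`. The example deliberately does not consult any "email verified" flag from the provider, since the answer's point is that the provider's email claim is not something the site has verified.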