OAuth2 implementation and user management Django


Overview

I've successfully implemented OAuth2 in my Django project. After the user authorizes my app I receive an access token and, with it, I can access all of his information (username and email). So far everything is ok.

Problem 1

Now I'd like to use his username to let him log in without asking for his password. But here comes the problem. If A has registered as some_name on my app and B has registered on the authorization server as some_name then B can access A's information on my app.

Problem 2

So I thought I could use the email provided together with the username to double-check the user's identity. But here comes another problem. If A has registered on my app with a_name and a_email, and the same A has registered on the authorization server as a_name and b_email, then A won't be able to access my app using OAuth2.

I know this is a theoretical problem and there is no code to review, so if there is another place where I should post this type of question, please let me know.

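The two problems in the question are both symptoms of using a human-chosen attribute (username or e-mail) as the link between the authorization server's account and the local account. The following is an added example, not code from the question author or their Django project, written in plain Python with dicts standing in for Django models so it runs stand-alone. It assumes the authorization server returns a stable, opaque per-account identifier alongside the username and e-mail (the `sub` claim in OpenID Connect; most OAuth2 providers expose an equivalent user id). Local accounts are linked to the pair (issuer, subject) during an explicit "connect account" step performed while the user is already authenticated locally; at login time username and e-mail are ignored entirely. The insecure username-only lookup from problem 1 is kept beside it for comparison.

```python
"""Account linking for an OAuth2/OIDC login flow (added example).

Assumptions not stated in the question:
  * the authorization server returns a stable, opaque user id (OIDC `sub`)
    for each account in addition to username and e-mail;
  * the local user store is modelled with plain dicts instead of Django
    models so the example runs without a database.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProviderIdentity:
    """What the authorization server tells us after the token exchange."""
    issuer: str      # which authorization server issued the token
    subject: str     # stable opaque id for this account at that issuer (assumed)
    username: str
    email: str


@dataclass
class LocalUser:
    user_id: int
    username: str
    email: str


@dataclass
class UserStore:
    users: dict[int, LocalUser] = field(default_factory=dict)
    # (issuer, subject) -> local user_id: the ONLY key consulted for OAuth logins
    links: dict[tuple[str, str], int] = field(default_factory=dict)
    next_id: int = 1

    def register_local(self, username: str, email: str) -> LocalUser:
        user = LocalUser(self.next_id, username, email)
        self.users[user.user_id] = user
        self.next_id += 1
        return user

    def link(self, user: LocalUser, ident: ProviderIdentity) -> None:
        """Bind a provider account to a local account.

        Call this only while the local user is already authenticated by
        another means (password session, verified e-mail), i.e. during an
        explicit "connect account" step, never implicitly at first login.
        """
        key = (ident.issuer, ident.subject)
        if key in self.links and self.links[key] != user.user_id:
            raise ValueError("provider account already linked to another user")
        self.links[key] = user.user_id

    def login_with_provider(self, ident: ProviderIdentity) -> LocalUser | None:
        """Resolve a provider identity to a local user, or None if unlinked.

        Username and e-mail are deliberately ignored: neither is unique
        across systems (problem 1) nor stable for one person (problem 2).
        """
        user_id = self.links.get((ident.issuer, ident.subject))
        return self.users.get(user_id) if user_id is not None else None


def insecure_login_by_username(store: UserStore, ident: ProviderIdentity) -> LocalUser | None:
    """The approach from problem 1, kept only for comparison: match on username."""
    for user in store.users.values():
        if user.username == ident.username:
            return user
    return None


def demo() -> dict[str, bool]:
    """Constructed scenario reproducing both problems from the question."""
    store = UserStore()
    a = store.register_local("some_name", "a_email@example.com")  # user A, local account

    # B is a different person who holds "some_name" at the authorization server.
    b_at_provider = ProviderIdentity("https://auth.example", "sub-b", "some_name", "b_email@example.com")
    # A at the provider: same username, but a different e-mail than locally (problem 2).
    a_at_provider = ProviderIdentity("https://auth.example", "sub-a", "some_name", "other@example.com")

    store.link(a, a_at_provider)  # A explicitly connects the provider account

    return {
        "insecure_b_gets_a": insecure_login_by_username(store, b_at_provider) is a,  # problem 1
        "secure_b_rejected": store.login_with_provider(b_at_provider) is None,
        "secure_a_accepted": store.login_with_provider(a_at_provider) is a,          # problem 2 resolved
    }


if __name__ == "__main__":
    print(demo())
```

In a Django project the `links` table corresponds to a model with a unique constraint on `(issuer, subject)` and a foreign key to the user; the subject value must never be replaced by username or e-mail, even as a fallback, or problem 1 returns.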