Google sign-in (OAuth): should I allow to add it to existing accounts?

I am wondering what the best practices for security are.

Let’s say that a user signs up with email and password (using Devise).

Should I allow him to connect a Google account later (using Omniauth)?

I’ve seen websites that treat them as separate users, others that treat them as the same, and others that block saying the user already exists.

Personally, I allow and just add this as a login option to the existing user. I have a reasonably sized production system (4M users) running like that for almost 5 years and never had a problem.

Yes, in the last days I have analyzed different sites and everyone does something different (which is also confusing for users and security).

Personally, I allow and just add this as a login option to the existing user.

Do you simply compare the email when they try to login?

Or they need to explicitly associate a Google account to their account after logging in with email?

Depends on how critical the data in your app is and whether you have email confirmation when a user creates an account using a password.

If I mistype my email (bruno@example.com instead of breno) and use my account for some time, then someone comes and OAuths with that email (bruno@example.com), how bad would that be?

If you don’t have email confirmation on signup, you should probably make that explicit.

We use Devise with confirmable module, so the emails are verified on sign up.

I’m more concerned with the validation on the other side (identity provider).

I know that I can rely on the uid returned in the callback (as described in the Omniauth docs), but I don’t know if I can trust the email address returned…

You point out an important issue. Like Breno says, I think it depends on how critical correct user identity is for your use-case. OAuth2 isn’t really designed for identity management. OIDC is however, and that would have stronger assertions about the email, I think.
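As an added illustration of the linking rules discussed above (not code from the thread, Devise or OmniAuth): match on provider+uid first, allow explicit linking from a logged-in session, and auto-link on email only when the IdP's `email_verified` claim and the local confirmation both hold. The user store is a constructed in-memory array standing in for the database.

```ruby
# Constructed stand-in for the users table: identities holds [provider, uid] pairs.
User = Struct.new(:id, :email, :confirmed, :identities)

class AccountLinker
  def initialize(users)
    @users = users
  end

  # auth mirrors the OmniAuth auth hash: :provider, :uid, info: {email:},
  # extra: {raw_info: {email_verified:}} (the OIDC claim Google returns).
  # current_user is the already-signed-in user, or nil. Returns [action, user].
  def resolve(auth, current_user)
    key = [auth[:provider], auth[:uid]]
    email = auth.dig(:info, :email).to_s.downcase
    idp_verified = auth.dig(:extra, :raw_info, :email_verified) == true

    # 1. provider+uid is the stable identifier; match on it first, never on email.
    if (known = @users.find { |u| u.identities.include?(key) })
      return [:sign_in, known]
    end

    # 2. Explicit association while logged in: the password session already
    #    proved ownership, so the provider's email does not matter here.
    if current_user
      current_user.identities << key
      return [:linked, current_user]
    end

    # 3. Unauthenticated callback whose email matches a local account: link only
    #    if the IdP asserts the address is verified AND the local account confirmed
    #    it (Devise :confirmable). Otherwise require the password login first, so a
    #    mistyped or unverified email cannot claim someone else's account.
    if (existing = @users.find { |u| u.email == email })
      if idp_verified && existing.confirmed
        existing.identities << key
        return [:linked, existing]
      end
      return [:require_password_login, existing]
    end

    # 4. Nothing matches: create a new user carrying the provider identity.
    created = User.new(@users.size + 1, email, idp_verified, [key])
    @users << created
    [:created, created]
  end
end
```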

I agree, it would be nice to have a universal best-practice we could follow for most situations though and have it built-in to devise.