Support for SSO/OAuth account registration, authentication and linking. #196

Open
JohannesMP opened this issue May 7, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@JohannesMP

JohannesMP commented May 7, 2021

It would be really convenient if we could use SSO/OAuth to register accounts as well as log into existing ones.

I would like to be able to create and log into accounts without ever needing to type a password that your server is then responsible for keeping secure.

However, it would be understandable if a password is always required by your system as a fallback, but I would prefer not having to have one at all.

Useful SSO/OAuth providers would be:

  • Google
  • Steam
  • PS4 Network
  • Discord

Standard SSO behavior would be expected:

  • The providers would appear as their standard 'log in with ...' buttons on the login screen as well as the register screen.
  • Clicking any of these buttons would perform the necessary handshaking with said provider, and automatically return the user to karl.gg.
  • If an account is associated with the authenticated provider the user would log in as that account.
  • If no account is associated with the authenticated provider the user would be redirected to a page where they can enter a display name and finalize their new account. Ideally no password or email entry would be necessary.
    • In the case where the provider allows access to the user's email address and an account exists with that email that currently uses password authentication you could automatically link the provider to that account and log the user in.
    • The exact details of linking-to-existing-account depend on developer preference/requirements: It can be automatic, prompt the user if they want to link, or require the user to enter their existing password once, depending on how much you trust the provider as a source of truth.
  • When logged into an account, the user should be able to see what 3rd party accounts they have linked and manage them.
    • If you were to support account registration without ever prompting for a password then at least one linked account would be necessary, perhaps by allowing the user to mark it as 'primary'.

@chaseconey
Contributor

One thing I will note is that we will never not have a normal auth (with passwords) as all of our current accounts are currently logged in in that way and migrating them would come at a cost to them. Adding additional ways to authenticate is very do-able.

Thanks for the request!

@JohannesMP
Author

JohannesMP commented May 7, 2021

Makes sense.

If possible I'd like to avoid the scenario of:

  • user has account
  • user clicks 'Log in with google' for the first time
  • user is told "Sorry, you have to log into your account and add the 3rd party integration before you can use it"

Or:

  • user has no account
  • user clicks 'Log in with google' for the first time
  • user is told "Sorry, no account exists under that email address. Please create an account first"

Basically I'd like to be able to click the SSO buttons whether I have an account or not, and have the process be as painless as possible.

@Darthmaul Darthmaul added the enhancement New feature or request label Jun 8, 2021
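
The linking decision discussed in this thread, sketched as an added example (not karl.gg code, and not written by any participant). The names `Identity`, `Account`, `LinkPolicy`, `resolve` and `can_unlink` are hypothetical, and the sketch assumes the provider returns a stable user id and reports whether the email address is verified.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class LinkPolicy(Enum):  # the three linking options named in the issue
    AUTOMATIC = 1
    PROMPT = 2
    REQUIRE_PASSWORD = 3

@dataclass
class Account:  # hypothetical local account record
    display_name: str
    email: Optional[str] = None
    has_password: bool = False
    links: set = field(default_factory=set)  # {(provider, subject)}

@dataclass
class Identity:  # what the provider returned after the handshake
    provider: str
    subject: str  # provider's stable user id; assumed never reused
    email: Optional[str] = None
    email_verified: bool = False  # assumption: provider reports this

def resolve(identity, accounts, policy):
    """Return (action, account) for a completed provider login."""
    key = (identity.provider, identity.subject)
    for acct in accounts:
        if key in acct.links:  # already linked: plain login
            return "login", acct
    email = (identity.email or "").lower()
    match = next((a for a in accounts
                  if email and a.email and a.email.lower() == email), None)
    if match is None:
        return "register", None  # ask for a display name only
    # Same email on an existing account. An unverified address proves
    # nothing, so the user must show control of the account first
    # (existing password, or a provider that is already linked).
    if not identity.email_verified or policy is LinkPolicy.REQUIRE_PASSWORD:
        return "prove_ownership", match
    if policy is LinkPolicy.PROMPT:
        return "prompt_link", match
    match.links.add(key)  # AUTOMATIC: provider trusted as source of truth
    return "login", match

def can_unlink(account, key):
    """Refuse to remove the last remaining way to sign in."""
    if key not in account.links:
        return False
    return account.has_password or len(account.links) > 1
```

Accounts are matched on the `(provider, subject)` pair first and on email only as a fallback, so a changed or recycled address at the provider does not silently move a login to a different account.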