Implementing social login is simple enough at first, but there are a bunch of weird cases to think about, with a lot of different potential ways to handle them.
For example, I am developing a web app where users can register with an email address, or certain social accounts. Users should be able to freely link or unlink any social accounts, right? I'm struggling to think of a way to handle a couple of cases without being too complicated for the user.
Suppose a user registered with an email address, and now they want to link their Facebook account. However, that Facebook account is already used on another account (most likely the same user clicked "login with Facebook" once and created a new account without meaning to).
Would you prompt the user in this case to merge their accounts? (tricky to implement and destructive -- maybe they could merge the wrong account and you can't fix the mistake) Or would you tell the user "you must log on to the other account and unlink it first"? (difficult/time-consuming for the user)
A user first registered with a social account, but now wants to unlink that account. There must be a way to verify the user's identity, so they'll need to provide an email address. It seems wrong to require the user to give up personal information in order to delete other information. But the only alternative I can see is giving the option to delete their account entirely, which also seems hostile (you want to remove Facebook? Give me your email or kiss your account goodbye 😨). Or I could prompt them to set a username only to log on with, but that could be confusing too, and they risk locking themselves out of their account with no way to recover it. They will need to provide a valid email for verification anyway, so it seems like a pointless extra step.
Seems like there are no good answers! Social login is supposed to make things easier, isn't it? What to do?
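One way to encode the two rules the question circles around (refuse to link a social identity that another account already owns instead of merging, and refuse to unlink the last remaining login/recovery method), as an added Python example that is not code from the original post. The `AccountStore` and `User` classes, the in-memory dicts, the rule that a verified email counts as one recovery method, and the sample users are assumptions for illustration; in a real app the `subject` passed to `link_social` would be the user id the provider returns in its OAuth callback for the currently logged-in session, never a value the client can choose.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class LinkError(Exception):
    """A link/unlink request that would break an account rule."""


@dataclass
class User:
    user_id: int
    email: Optional[str] = None                           # verified email, if any
    social: Dict[str, str] = field(default_factory=dict)  # provider -> provider user id

    def login_methods(self) -> int:
        """Ways this user can still sign in or recover: verified email + each social identity."""
        return (1 if self.email else 0) + len(self.social)


class AccountStore:
    """Assumed in-memory model; a real app would back this with a DB and a unique index."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        # (provider, provider user id) -> user_id: enforces one account per social identity
        self._index: Dict[Tuple[str, str], int] = {}

    def add(self, user: User) -> None:
        self.users[user.user_id] = user
        for provider, subject in user.social.items():
            self._index[(provider, subject)] = user.user_id

    def owner_of(self, provider: str, subject: str) -> Optional[int]:
        return self._index.get((provider, subject))

    def link_social(self, user_id: int, provider: str, subject: str) -> None:
        """Attach a social identity to the currently logged-in user.

        If the identity already belongs to a different account we refuse rather
        than merge: a merge is irreversible and could join the wrong accounts.
        Re-linking an identity the same user already owns is a harmless no-op.
        """
        owner = self.owner_of(provider, subject)
        if owner is not None and owner != user_id:
            raise LinkError(f"{provider} account already linked to another user; "
                            "log on to that account and unlink it (or delete it) first")
        self.users[user_id].social[provider] = subject
        self._index[(provider, subject)] = user_id

    def unlink_social(self, user_id: int, provider: str) -> None:
        """Detach a social identity unless it is the account's last login/recovery method."""
        user = self.users[user_id]
        if provider not in user.social:
            raise LinkError(f"{provider} is not linked to this account")
        if user.login_methods() <= 1:
            raise LinkError("this is the only way to log on; add a verified email "
                            "first or delete the account")
        subject = user.social.pop(provider)
        del self._index[(provider, subject)]

    def delete_account(self, user_id: int) -> None:
        """Remove the account and release its social identities so they can be linked elsewhere."""
        user = self.users.pop(user_id)
        for provider, subject in user.social.items():
            self._index.pop((provider, subject), None)


def accidental_duplicate_scenario() -> Dict[str, str]:
    """Walk the case from the question with constructed sample data: user 1
    registered by email, then clicked 'login with Facebook' once and got an
    unintended account 2 that holds the Facebook identity."""
    store = AccountStore()
    store.add(User(1, email="alice@example.com"))
    store.add(User(2, social={"facebook": "fb-1001"}))
    results: Dict[str, str] = {}

    def attempt(name: str, action) -> None:
        try:
            action()
            results[name] = "ok"
        except LinkError as exc:
            results[name] = f"refused: {exc}"

    attempt("link_to_user1", lambda: store.link_social(1, "facebook", "fb-1001"))  # owned by user 2
    attempt("unlink_from_user2", lambda: store.unlink_social(2, "facebook"))        # user 2's only method
    attempt("delete_user2", lambda: store.delete_account(2))                        # the empty account goes
    attempt("link_to_user1_again", lambda: store.link_social(1, "facebook", "fb-1001"))
    results["user1_methods"] = str(store.users[1].login_methods())
    return results
```

The scenario shows why "log on to the other account and unlink it first" is not quite enough on its own: the accidental account has nothing but the Facebook login, so the unlink guard refuses, and deleting that account is the only clean way out. Offering "delete the other account" as the remedy in that exact situation (only when the other account has a single login method and, ideally, nothing else in it) keeps the user out of a merge while still resolving the conflict in one step.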