Map multiple authentication methods to same user
in progress
Nicolas Giard
Merged in a post:
Support multiple login options
Andrei Jiroh Eugenio Halili
In case users want to login using multiple login options such as Username-Passowrd, GitHub, GitLab, etc. without creating a bunch of accounts for the ame user.
Nicolas Giard
Merged in a post:
More than one Auth provider
PuffySkate
Ability to connect your account to more than one Auth provider, For example.
If your using the Local Provider you can connect your account with something like discord as well.
Nicolas Giard
in progress
Nathan Green
I think this is already in the roadmap for 3.x, at "Account Linking" (https://docs.requarks.io/releases/roadmap#h-3x)
David Dearden
Just a note: I recently debated this exact feature with a team for a project I'm working on. In general we loved the idea, but it left a bit of a vulnerability. Say I have an account with 2FA that I use to sign in, but I also have an account with another identity provider that has no 2FA and a weak password, but the same email (maybe it was created for some testing or something). Then, if someone broke my weak account, they could access the sign-in with the less secure identity provider account. We settled on allowing the user to manually link the other identity providers to their account, but not doing it automatically when they try to sign in. That way it is up to the user to intentionally link it, and there are no surprise access loopholes.
tl;dr: great idea, don't link the account automatically
Rick Spencer
David Dearden: Why not allow the user to determine their access levels (permissions) as a next step. This way security policies follow auth providers and auth discrepancies can be mitigated if the user elects to do so.
Angelo Ross
This has also been asked by some folks on the GitHub issues page: https://github.com/Requarks/wiki/issues/1497
To add to the discussion, GitLab does this by checking for the same email address. I feel like email addresses appear to be something unique enough for this, it would work with pretty much all current services, LDAP included, but it could cause problems with services like "generic" OAuth, but at this point I'd argue it's the Admin's problem for adding an authentication method that doesn't verify email addresses.