I think “disassociate” means simply removed associate oauth uid and user_id in local.
One more problem is that oauth credentials can be expired. The provider may ask for re-authorization. (When a plugin author wants to use the oauth2 credentials to trigger API, they would like to know this situation)
According to those 2 problems, an Authenticator has to report association and expiration information. They are simply trying to find a user record implicit.
Now, Discourse has {google,facebook,github,instagram,twitter}_user_info. Plugins can use oauth2_user_info or PluginRow. I would say a new model can represent all those information, for instance:
uid, comes from provideremailnameaccess_tokenrefresh_tokenexpired_at- CustomFields or a JSON field, can use for other information storage.
Then a simple query can get a list of associated providers for the user. Disassociation is simply done by remove this record.
Beyond that, Authenticator have to provide functions to determine:
- is there a existing user
- is the token fresh