I’d like to make a feature request: It would be great if it were possible to disable the automatic merging of accounts when logging in with OAuth that happens right now. Concretely, if I create a local account, and then later I want to log in via GitHub to this account (the local and the GitHub account have the same email address), this should not work unless I first connect those two accounts.
The reason I am asking is security concerns: With the automatic merging as it is implemented right now, any broken or dishonest OAuth provider can take over any Discourse account. For example, if GitHub responded with incorrect email information, saying that some random account foo has my email address (this could happen either because something in GitHub is broken and they screwed up email verification, or because they became malicious, or because they were forced to do so by whatever means), then the owner of foo could log in to Discourse as me, getting full admin privileges in my local installation.
GitLab shows how OAuth logins can be implemented without trusting that OAuth providers provide correct email addresses: If I want to log in with GitHub to a locally created account, I first have to log in locally, and then “connect” the two accounts in my GitLab settings. This successfully prevents account takeover even if OAuth provides incorrect email addresses. So, with GitLab, only those users that actually use GitHub to log in have to trust GitHub not to misbehave. Whereas, with Discourse, every single user of a Discourse instance has to trust every single OAuth provider accepted by that instance.
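As an added illustration (example code written for this page, not code from Discourse or GitLab), the following Ruby models the two login policies the post contrasts. The user store, the session handling and the provider "claim" are constructed and simplified; the point is that policy 1 authenticates on the provider's unverified email claim, while policy 2 authenticates only on a (provider, uid) pair the account owner linked while logged in locally.

```ruby
# Added example (not Discourse or GitLab code): a minimal model of the two
# OAuth login policies described in the post, showing the account takeover
# that email-based auto-merge allows and how explicit linking closes it.
# Users, links and provider claims are constructed sample data.

require 'set'

User = Struct.new(:id, :username, :email, :admin, :links, keyword_init: true)

# Local accounts (constructed). Only 'alice' is an admin.
USERS = {
  1 => User.new(id: 1, username: 'alice', email: 'alice@example.org', admin: true,  links: Set.new),
  2 => User.new(id: 2, username: 'foo',   email: 'foo@example.net',   admin: false, links: Set.new),
}

# What the OAuth provider asserts about the user who just authorised.
# Nothing in it is verified locally; it is whatever the provider sends.
Claim = Struct.new(:provider, :uid, :email, keyword_init: true)

# Policy 1 (the behaviour the post objects to): match the claimed email
# against local accounts and log the caller in as whoever owns it.
def login_by_email_automerge(claim)
  USERS.values.find { |u| u.email.casecmp?(claim.email) }
end

# Policy 2 (the GitLab-style flow): only a (provider, uid) pair that the
# account owner explicitly connected can log in. The claimed email plays
# no role in authentication.
def login_by_explicit_link(claim)
  USERS.values.find { |u| u.links.include?([claim.provider, claim.uid]) }
end

# Linking requires an already-authenticated local session; that is the only
# moment a provider identity becomes associated with a local account.
def link_provider!(session_user, claim)
  raise ArgumentError, 'must be logged in locally to connect an account' if session_user.nil?
  session_user.links << [claim.provider, claim.uid]
  session_user
end

# Scenario from the post: GitHub (broken or coerced) reports that the
# account 'foo' (uid 4242, constructed) has alice's email address.
BOGUS_CLAIM = Claim.new(provider: 'github', uid: '4242', email: 'alice@example.org')

# Under auto-merge, does foo's GitHub login land in alice's admin account?
def automerge_takeover?
  victim = login_by_email_automerge(BOGUS_CLAIM)
  !victim.nil? && victim.username == 'alice' && victim.admin
end

# Under explicit linking, does the same bogus claim log anyone in?
def explicit_link_takeover?
  !login_by_explicit_link(BOGUS_CLAIM).nil?
end

# Legitimate use under policy 2: alice, logged in locally, connects her
# own GitHub identity (uid 777, constructed) and can then log in with it.
ALICE_CLAIM = Claim.new(provider: 'github', uid: '777', email: 'alice@example.org')

def alice_can_login_after_linking?
  link_provider!(USERS[1], ALICE_CLAIM)
  login_by_explicit_link(ALICE_CLAIM)&.username == 'alice'
end

if __FILE__ == $PROGRAM_NAME
  puts "auto-merge: attacker gets alice's admin session? #{automerge_takeover?}"
  puts "explicit link: attacker gets any session?        #{explicit_link_takeover?}"
  puts "explicit link: alice after connecting?           #{alice_can_login_after_linking?}"
end
```

Note that under policy 2 the bogus claim still fails after alice has linked her real GitHub identity, because the link is keyed on the provider's stable user id, not on the email address the provider reports.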