I am setting Discourse up to work as an internal forum for users of a Google-Apps administered domain, let’s call it example.com.
I have users in example.com that I created directly as users in Discourse, because I am using mailcatcher instead of actually configuring SMTP while we’re dealing with initial setup and user testing, so I wanted to manually create the user and click the “register” link (instead of doing it via the rails console, since this is faster).
The users I created via normal username-password creation are named email@example.com. Through an oversight, it seems most of these users actually have Firstname.Lastname@example.com as their official email address (in the user control panel on my google domain).
Once those users attempted to log in via Google OAuth, it looks like the system created an additional account, named firstname.lastname@example.org. They’re in there twice, once with the nickname firstnamelastname (which I created manually) and once with Firstname_Lastname or Firstname_L (I imagine the user edited that).
Anyway, upon receiving OAuth credentials from Google (or anywhere else), it might be a good idea to lower-casify, or look for lower/upper collisions. I’m not particularly worried here (since the majority of my users will just log in via Google all the time, so no real collisions will happen), but it seems like there’d be a real authentication / trust collision problem. If some malicious user created Eric.Eslinger@example.com, then spammed the boards with stuff, would that go through, or is this just an OAuth peculiarity?
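To make the collision concrete, here is an added example (not Discourse code, and not the poster's; the `UserStore`, `oauth_login_*` and `case_collisions` names and the sample accounts are all constructed for illustration). It shows an OAuth callback that keys on the raw email string registering a second account for a differently cased address, the same callback with case folding finding the existing account instead, a refusal to link unless the provider asserts the address is verified (the "someone else claims Eric.Eslinger@example.com" scenario), and an audit that lists accounts already differing only by case.

```ruby
# Added example, not Discourse code: an in-memory stand-in for a user table
# showing how an OAuth callback keyed on the raw email string produces
# duplicate accounts, how folding case before lookup avoids that, and how to
# audit an existing table for case-only collisions.

User = Struct.new(:username, :email)

# Strictly, only the domain part of an address is case-insensitive (RFC 5321);
# in practice the local part is treated case-insensitively by Google and most
# other providers, so the whole address is folded for comparison.
def normalize_email(email)
  email.to_s.strip.downcase
end

class UserStore
  attr_reader :users

  def initialize
    @users = []
  end

  def create(username, email)
    user = User.new(username, email)
    @users << user
    user
  end

  # Naive lookup: byte-for-byte comparison against the stored address.
  def find_by_raw_email(email)
    @users.find { |u| u.email == email }
  end

  # Normalized lookup: compares folded forms on both sides.
  def find_by_normalized_email(email)
    key = normalize_email(email)
    @users.find { |u| normalize_email(u.email) == key }
  end
end

# The flow the post describes: the provider hands back an email and the app
# either links an existing account or registers a new one.
def oauth_login_naive(store, oauth_email)
  store.find_by_raw_email(oauth_email) ||
    store.create(oauth_email.split('@').first.tr('.', '_'), oauth_email)
end

# Hardened variant: fold case before lookup, and refuse to attach an existing
# account to the login unless the identity provider asserts it verified the
# address. Linking on an unverified claim would let anyone who can register
# "Eric.Eslinger@example.com" at some provider take over the local account.
def oauth_login_normalized(store, oauth_email, email_verified:)
  folded = normalize_email(oauth_email)
  existing = store.find_by_normalized_email(folded)
  if existing
    raise ArgumentError, 'refusing to link: provider did not verify the email' unless email_verified
    return existing
  end
  store.create(folded.split('@').first.tr('.', '_'), folded)
end

# Audit helper: groups of usernames whose addresses differ only by case or
# surrounding whitespace, i.e. the duplicates the naive flow leaves behind.
def case_collisions(store)
  store.users.group_by { |u| normalize_email(u.email) }
       .values
       .select { |group| group.size > 1 }
       .map { |group| group.map(&:username) }
end

# Constructed scenario mirroring the post: an account created by hand, then
# the same person arriving via Google with a differently cased address.
def demo(flow)
  store = UserStore.new
  store.create('ericeslinger', 'eric.eslinger@example.com')
  case flow
  when :naive
    oauth_login_naive(store, 'Eric.Eslinger@example.com')
  when :normalized
    oauth_login_normalized(store, 'Eric.Eslinger@example.com', email_verified: true)
  end
  store
end

if $PROGRAM_NAME == __FILE__
  naive = demo(:naive)
  puts "naive: #{naive.users.size} accounts, collisions: #{case_collisions(naive).inspect}"
  puts "normalized: #{demo(:normalized).users.size} account(s)"
end
```

Running the file prints two accounts and one collision group for the naive flow and a single account for the normalized one. The `email_verified:` check is the part that matters for the trust question in the post: case folding alone makes the collision visible, but only the provider's assertion that it verified the address makes it safe to attach the login to an account that already exists.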