by tmarman 2274 days ago
On all sites/apps I’ve built offering SSO, we’ve gone out of our way to support linking of accounts and detecting existing accounts when claims like emails are found. Also allowing for merges after the fact.

I would consider this a best practice when offering any “sign in with...”


This seems like a nice user experience, but I'd be worried about leaking which email address has an account with us.
Wouldn’t the sign-in mechanism (which validates e-mail) prevent this, in the sense that they won’t be able to get a third-party account to authenticate with for a particular e-mail without verifying ownership of that e-mail to the third-party provider?
You address this by only linking accounts once a user has successfully signed in with another provider. That way, if their email exists from another provider, you're more certain that it's the same account.
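The linking rule in the reply above (link only after a completed sign-in with the other provider, and only on an email the provider itself marks as verified), plus the "merge after the fact" path from the top comment, as an added example; this is not code from any commenter, and `AccountStore`, `ProviderClaims` and the in-memory dictionaries are hypothetical stand-ins for an application's user table:

```python
import itertools
from dataclasses import dataclass, field


@dataclass
class ProviderClaims:
    provider: str          # e.g. "google"
    subject: str           # the provider's stable id for this user
    email: str
    email_verified: bool   # asserted by the provider, never by the user


@dataclass
class User:
    user_id: str
    email: str
    identities: set = field(default_factory=set)  # {(provider, subject)}


class AccountStore:
    """Hypothetical in-memory store standing in for the app's user table."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.by_identity = {}   # (provider, subject) -> User
        self.by_email = {}      # verified email -> User

    def sign_in(self, claims: ProviderClaims) -> User:
        """Called only after the provider has authenticated the user."""
        key = (claims.provider, claims.subject)
        user = self.by_identity.get(key)
        if user is None and claims.email_verified:
            # Join an existing account only on a provider-verified email;
            # an unverified claim never links and gets its own account.
            user = self.by_email.get(claims.email)
        if user is None:
            user = User(f"u{next(self._ids)}", claims.email)
            if claims.email_verified:
                self.by_email[claims.email] = user
        user.identities.add(key)
        self.by_identity[key] = user
        return user

    def link(self, current: User, claims: ProviderClaims) -> bool:
        """Merge after the fact: `current` is already signed in and has just
        completed a sign-in with a second provider. Refuse if that identity
        is already bound to a different account."""
        key = (claims.provider, claims.subject)
        owner = self.by_identity.get(key)
        if owner is not None and owner is not current:
            return False
        current.identities.add(key)
        self.by_identity[key] = current
        return True
```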
Would make sense to create a package for popular MVC frameworks that does this.