Have you a GitLab account? This kind of website can have 5+ identity providers but their sysadmins are not involved in any user-per-user verification. That's a great example.
Instead, as far as I noticed, for already existing wikis introducing OAuth, a server sysadmin should manually verify each user to prevent account usurpation. This is an amazing feature but the current manual verification workflow is not feasible because:
- manual verification activity takes time
- every hour of a server sysadmin costs ($$)
- it's somehow hacky (contact each user via Special:SendEmail via both wikis or something like that?)
- this can be the cause of human errors and social engineering
- this is not the real-world workflow
Well, instead, this could be the workflow:
- user Foo logs into the local website with an already trusted method (like legacy credentials) - refusing other methods of course
- user Foo navigates to preferences
- user Foo clicks on connect your profile to AwesomeSocial
- (user Foo triggers authentication into AwesomeSocial)
- thank you! Now you are verified and next time you can quick-login via AwesomeSocial
- user Foo organizes a really hard party
Now. Instead of a brand-new preferences page, for now we can just trust a user already logged in locally if she/he is able to complete an authentication from her/his favorite identity provider. From that moment, she/he can use that identity provider for future logins.
What do you think?
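
The linking workflow proposed in the comment above, sketched as an added example that is not part of the original post and not code from any wiki or OAuth extension. `AccountLinker`, `TRUSTED_METHODS`, the session dictionary fields and the `subject` value (the stable user id the provider asserts after authentication) are hypothetical names chosen for illustration.

```python
import hmac
import secrets

# Assumption: "local-password" stands for the legacy credentials the site already trusts.
TRUSTED_METHODS = {"local-password"}


class LinkError(Exception):
    """Raised when a link request must be refused."""


class AccountLinker:
    def __init__(self):
        self.links = {}    # (provider, subject) -> local username
        self.pending = {}  # session id -> (provider, state)

    def begin_link(self, session, provider):
        # Only a session opened with an already trusted method may start
        # linking; a session created through a provider is refused.
        if session.get("auth_method") not in TRUSTED_METHODS:
            raise LinkError("log in with local credentials first")
        state = secrets.token_urlsafe(32)
        self.pending[session["id"]] = (provider, state)
        return state  # sent to the provider and echoed back in the callback

    def complete_link(self, session, provider, state, subject):
        # The callback must match the request this same session started,
        # and each state value is accepted once.
        expected = self.pending.pop(session["id"], None)
        if (expected is None or expected[0] != provider
                or not hmac.compare_digest(expected[1], state)):
            raise LinkError("callback does not match a pending link request")
        # An external identity belongs to one local account only.
        owner = self.links.setdefault((provider, subject), session["user"])
        if owner != session["user"]:
            raise LinkError("identity already linked to another account")
        return owner

    def login_via_provider(self, provider, subject):
        # Quick-login works only for identities their owner linked while
        # logged in locally; names or e-mail addresses are never matched.
        return self.links.get((provider, subject))
```

Because the binding is created by the logged-in account owner, no sysadmin has to match external identities to existing accounts by hand.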