How to build your own authentication server implementing OAuth 2? And a question on multi-account authentication management
Hey there! Let’s break down your two questions one by one, drawing on real-world auth system best practices I’ve worked with over the years.
The key here is to build a unified identity layer that abstracts away the differences between your own auth system and third-party providers like Facebook or GitHub. Here’s how to approach it:
- Use a single internal user ID (UID) for all identities: No matter how a user logs in (own account, Facebook, GitHub), your backend should assign and use a unique internal UID to represent that user. When a user logs in via a third party for the first time, automatically create a linked internal account (or prompt them to bind an existing one if they already have one).
- Standardize the login entry and backend handling: Put all login options (own email/password, Facebook, GitHub) on a single login page. For each provider, follow their official auth flow (e.g., Facebook’s OAuth 2.0 redirect, GitHub’s code grant), but route all successful auth responses to a unified backend service that maps third-party user data (like email, name) to your internal user record.
- Implement clear account linking/unlinking flows:
  - If a user logs in via a third party and already has an existing own account, show a prompt: "We found an existing KK account linked to this email. Do you want to bind your Facebook/GitHub account to it?"
  - Let users manage linked accounts in their profile settings (e.g., "Unlink Facebook account") to give them control over their identity options.
- Unified session management: Once any login flow succeeds, issue the same type of session token (like a JWT) to the frontend. The frontend doesn’t need to care how the user logged in—just validate the token against your backend for all subsequent requests.
- Map third-party permissions to your internal system: When you request data from third-party providers (e.g., Facebook's "email" or "public_profile" permissions), map those to corresponding permissions in your own system. For example, getting a user's email from Facebook should grant the same "access email" permission as your own login system.
- Prioritize security and compliance: Always use official SDKs for third-party auth to avoid token forgery. Never store sensitive third-party credentials (like Facebook access tokens) long-term unless necessary. Follow regulations like GDPR by letting users delete their linked accounts and export their data.
This logic isn’t a one-size-fits-all answer—it depends on how you’ve designed your system’s permission model:
When it makes sense:
- Fine-grained permission systems: If your KK app splits access into specific, non-overlapping permissions (e.g., "view my order history", "edit my payment methods", "manage my saved addresses"), asking for consent when a user first accesses a feature that requires a specific permission aligns with the principle of least privilege. For example, if a user logs in but never uses the payment feature, there’s no reason to grant them payment-related permissions upfront.
- Multi-app/service ecosystem: If KK is part of a larger suite of apps (e.g., KK Shopping, KK Notes, KK Community), where the main account acts as a single sign-on for all services, it makes sense for each sub-app to request specific permissions from the main account. For example, KK Notes might ask for "access my saved documents" when the user first opens it.
When it doesn’t make sense:
- Basic, all-or-nothing access: If your app only requires basic account access (e.g., view profile, post content) and doesn’t have granular permissions, asking for consent during login is redundant. Users already expect that logging in grants access to core app features—prompting them for permission here will just create friction and confuse users.
- Mandatory global permissions: If the permission you’re asking for is required to use the app at all (e.g., "maintain login session", "access basic profile info"), there’s no need to get explicit consent. This is implied by the user choosing to log in.
Final takeaway:
If your system has a sophisticated permission model or spans multiple services, this consent flow is a smart, user-centric choice. If it’s a single app with simple access requirements, skip it to keep the login process smooth.
The question comes from Stack Exchange; asked by Masked Man.
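The unified identity layer the answer describes (one internal UID, many login identities, an explicit bind prompt, unlink from profile settings, one session token type regardless of provider), as an added example that is not part of the original answer. It assumes the provider profile dict has already been obtained and validated through the provider's official OAuth flow or SDK; only the mapping, linking and session step is shown. The class and method names (IdentityStore, login_with_provider, link_provider, unlink_provider) are illustrative, the session token is a minimal HMAC-signed stand-in for a JWT, and the two hardening rules (never auto-link on a matching email, never unlink the last remaining login method) are design choices added here rather than taken from the answer.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class User:
    uid: str                       # the single internal UID every identity maps to
    email: str
    pw_salt: bytes | None = None   # None: account has no local password (created via a provider)
    pw_hash: bytes | None = None
    identities: dict[str, str] = field(default_factory=dict)  # provider -> provider user id


class IdentityStore:
    """Hypothetical in-memory identity layer; a real deployment would back this with a DB."""

    def __init__(self, session_key: bytes):
        self._users: dict[str, User] = {}
        self._by_email: dict[str, str] = {}                  # lowercase email -> uid
        self._by_identity: dict[tuple[str, str], str] = {}   # (provider, provider id) -> uid
        self._key = session_key

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _new_user(self, email: str) -> User:
        user = User(uid=secrets.token_hex(8), email=email.lower())
        self._users[user.uid] = user
        if user.email:
            self._by_email[user.email] = user.uid
        return user

    # One token type for every login path; the frontend never learns which provider was used.
    def issue_token(self, uid: str, ttl: int = 3600) -> str:
        payload = json.dumps({"uid": uid, "exp": int(time.time()) + ttl}).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + sig

    def verify_token(self, token: str) -> str | None:
        try:
            payload_hex, sig = token.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        data = json.loads(payload)
        return data["uid"] if data["exp"] > time.time() else None

    # Own (local) accounts.
    def register_local(self, email: str, password: str) -> str:
        if email.lower() in self._by_email:
            raise ValueError("email already registered")
        user = self._new_user(email)
        user.pw_salt = secrets.token_bytes(16)
        user.pw_hash = self._hash(password, user.pw_salt)
        return user.uid

    def login_local(self, email: str, password: str) -> str | None:
        uid = self._by_email.get(email.lower())
        user = self._users.get(uid) if uid else None
        if user and user.pw_salt and hmac.compare_digest(self._hash(password, user.pw_salt), user.pw_hash):
            return self.issue_token(uid)
        return None

    # Third-party identities. `profile` is the validated {"id": ..., "email": ...} from the SDK.
    def login_with_provider(self, provider: str, profile: dict) -> dict:
        key = (provider, str(profile["id"]))
        uid = self._by_identity.get(key)
        if uid:                                              # identity already bound
            return {"status": "ok", "token": self.issue_token(uid)}
        email = (profile.get("email") or "").lower()
        existing = self._by_email.get(email) if email else None
        if existing:
            # Matching email is NOT proof of ownership: auto-linking would let anyone holding a
            # provider account with that address take over ours. Return the bind prompt instead;
            # the user must first log in to the existing account, then call link_provider().
            return {"status": "link_required", "uid": existing}
        user = self._new_user(email)                          # first login: create a linked account
        user.identities[provider] = key[1]
        self._by_identity[key] = user.uid
        return {"status": "ok", "token": self.issue_token(user.uid), "created": True}

    def link_provider(self, session_token: str, provider: str, profile: dict) -> bool:
        uid = self.verify_token(session_token)                # caller proved control of the account
        key = (provider, str(profile["id"]))
        if uid is None or self._by_identity.get(key, uid) != uid:
            return False                                      # no session, or bound to someone else
        self._users[uid].identities[provider] = key[1]
        self._by_identity[key] = uid
        return True

    def unlink_provider(self, uid: str, provider: str) -> bool:
        user = self._users[uid]
        if provider not in user.identities:
            return False
        if user.pw_salt is None and len(user.identities) == 1:
            return False                                      # would lock the user out entirely
        del self._by_identity[(provider, user.identities.pop(provider))]
        return True
```

The "link_required" state is what backs the answer's "Do you want to bind?" prompt: the frontend shows it, the user authenticates to the existing KK account with any credential it already has, and the resulting session token is what authorises the link. Mapping provider scopes to internal permissions would sit on top of this, keyed by the returned UID.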