We have had this problem since ages. Here is what we’re doing :
Have a common password for ALL users ( A static Password )
In the Create Session POST we are getting the session token with a static password. THEN we’re re-authenticating with a POST/PRE script and only returning the token when the RE-AUTH has succeeded. We re-authenticate using FB or Google or Email based auth again.
This is because FB / Google or any 3rd party service cannot be easily integrated with DF where login is not via OAuth.
The real life scenario is that if a user with email firstname.lastname@example.org has registered via email. and then later he uses FB with same email email@example.com and tries to authenticate, these are both same users and shadow user will not work in this case. Both accounts with same email needs to map to same DF user account.
Further, many FB accounts do not return a valid email ID as many have registered via Phone numbers, so DF user restricts and makes email id mandatory. I think username could/should be made mandatory instead of emails.
I think this could be better handled in future with a better built in mechanism.
What do you think @aislam ?