Account Linking
How rs-auth links OAuth identities to users.
Current account linking behavior:
- if a provider account already exists, login succeeds immediately
- otherwise, if the provider email matches an existing user and implicit linking is allowed, rs-auth links the account
- otherwise, a new user and account are created
This keeps the first release practical while still leaving space for stricter policies later.
Future direction
If you need stricter account-linking rules, plan for provider trust policies and explicit linking UX on top of the current defaults.