Simple scenario, let's say a user has two email addresses:

简单的场景是，假设用户有两个电子邮件地址：

[email protected]
[email protected]

I want to authenticate both email addresses. All of the examples in the docs involve storing one oauth token per user account, e.g.:

我想验证这两个电子邮件地址。文档中的所有示例都涉及为每个用户帐户存储一个OAuth令牌，例如：

class CredentialsModel(models.Model):
    id = models.ForeignKey(User, primary_key=True)
    credential = CredentialsField()

So if a single user account on my website has multiple associated email addresses, do I still store one oauth2 credential for that user? Or do I need to use the email address as the primary key instead of using the user id as a foreign key? Right now I'm storing a different credential for each email address, although when I look in the database the credential looks the same for both of my email addresses. I'm not sure if I'm just doing something wrong or what.

那么，如果我的网站上的一个用户帐户有多个关联的电子邮件地址，我是否仍然为该用户存储一个OAuth2凭据？或者，我是否需要使用电子邮件地址作为主键，而不是使用用户ID作为外键？现在，我为每个电子邮件地址存储了不同的凭据，尽管当我在数据库中查找时，两个电子邮件地址的凭据看起来是相同的。我不确定我是不是做错了什么。

Secondly, I realize this is a basic question, but when a user authorizes an email address, how do I know which email address they have authorized? I'm using the google-api-python-client to do all the validation, but I don't see anything in the python docs about how to do this.

其次，我意识到这是一个基本的问题，但当用户授权电子邮件地址时，我如何知道他们授权了哪个电子邮件地址？我使用google-api-python-client来执行所有的验证，但我在python文档中看不到任何关于如何执行此操作的内容。

OAuth never "entertains" user authentication at all. It's up to the service provider to worry about it. All that OAuth provide is that the consumer (in this case, your application) can have access to the resource authorized by the user (after a successful authentication to the service provider provided by the service provider itself).

OAuth根本不“接受”用户身份验证。这是由服务提供商来担心的。OAuth所提供只是使用者(在本例中是您的应用程序)可以访问用户授权的资源(在对服务提供者本身提供的服务提供者成功进行身份验证之后)。

The OAuth 2 credentials must be linked to the application that registered to the service provider through the oauth 2 endpoint.

OAuth 2凭据必须链接到通过OAuth 2端点注册到服务提供商的应用程序。

Secondly, I realize this is a basic question, but when a user
authorizes an email address, how do I know which email address they
have authorized?

You don't. The service provider does the authentication. This is to prevent 3rd party authentication by any 3rd party mechanism. Your application must just worry about getting an access token (which does expire) and what services it has access to. Receiving an access token is a "guarantee" that the user has successfully authenticated and has authorized your application in obtaining your protected resources.

您不需要。服务提供商进行身份验证。这是为了防止任何第三方机制进行第三方身份验证。您的应用程序只需考虑获取访问令牌(该令牌已过期)以及它可以访问哪些服务。收到访问令牌是对用户已成功进行身份验证并授权您的应用程序获取受保护资源的“保证”。

I know this question is ancient, but I'm here and the problem is evergreen.

我知道这个问题由来已久，但我在这里，问题是常青树。

My way around this problem:
I've amended my Identity Provider to collect multiple email addresses, and allow verification of them.
The app doesn't allow manual registrations, only oauth registrations. Then there's no e-mail matching, it's just matching the user ID.
The verified emails are passed through in the user object (the app needs them to match invites to teams).
My identity provider doesn't allow registration via other identity providers, just linking; and then you can 1-click logon.

我解决这个问题的方法：我修改了我的身份提供商，收集多个电子邮件地址，并允许对它们进行验证。这款应用不允许手动注册，只允许OAuth注册。然后没有电子邮件匹配，它只是匹配用户ID。验证的电子邮件在User对象中传递(应用程序需要它们将邀请匹配到团队)。我的身份提供商不允许通过其他身份提供商注册，只允许链接；然后您可以单击登录。

It's not perfect, but it's good and it avoids creating dead user profiles and trying to merge them later.

它不是完美的，但它很好，而且它避免了创建死用户配置文件并在以后尝试合并它们。