Tank is currently setup to authenticate using Github as the identity source. The username on Tank is the same as the username on Github.

This works fine as long as Github is the sole identity source. If not there is a chance of username collisions. For instance a Facebook and Github username are easily the same.

There are two ways to deal with this, neither of which is immediately accessible without changes to the tiddlywebplugins.oauth code or the tank code:

• Annotate stored users with the server source. When processing challenge data check the server source. If there is a collision fail out. The pro of this method is a relatively small change. The con is that in a situation where two different humans share a username across two different systems one of those humans is stuck. They need to log in with a different identity service. They might not be a member there.
• Switch to using mapuser, with the associated registration complexities. The trick here is effectively managing remote auth ids to keep them unique. Main pro: upon registration if the username is already taken an arbitrary one can be chosen instead. Main con: existing users will need to be mapped.

A third option is to not deal with it: Just use Github usernames. This is rather limiting.

After some discussion with @FND, I think I've got an OauthPlan.