Does the Google signup process provide you with an email address? You could send a confirmation request yourself to that address. This is a process I saw with a site using Facebook login just yesterday. The request for conformation email with a conformation link came from the targeted domain, not from Facebook.

Does the Google signup process provide you with an email address?

Yes the user's email address is provided. So the intention is to send a confirmation email, but the question really is, do you prevent the user from proceeding until the link in the email is clicked, or do you allow them to go ahead and then block them if the link isn't clicked after some time span?

I have not ever seen a site that allows folks to proceed before that confirmation number is entered or a confirmation email link is clicked. I personally prefer the confirmation number, but that's me. It does not mean no sites ever allow folks to move ahead, but it should be an expected step by most people when they are sharing contact information. Might depend on the sensitivity of the content that is being opened up with the confirmation. If it allows UGC I'd require it. It would open you up to PII protection/privacy compartment needs that may or may not be part of your established process(?). You should require agreement to your policies and their confirmation would indicate agreement.

@not2easy that is good advise. I will almost certainly display a modal dialog box informing the user and requesting acknowledgment of the terms or service / privacy policy.

It would open you up to PII protection/privacy compartment needs that may or may not be part of your established process(?).

Just to be clear, when a user signs in with Google (or FB) the user is explicitly asked if they want to share information with the website in question, once the user has signed in that consent has been given. If I intended to use the data for anything other than sign in and communication, then more consent would be required. Moreover, the only information shared by Google is the user's name and email address as well as a unique identifier. There is in fact less information provided by the user then when the user signs up using the conventional method because no password is collected.

So there is another case that I need to address, that is when a user has already created an account through the conventional method and then subsequently logs in using the Google method. If the user has used the same email address in their Google account as the email to sign up for my service, then a match is made. What do you do then?

It is safe to assume that both these accounts belong to the same person, but assuming is not knowing. I am reluctant to simply allow the user to proceed with a login as if they had used their password. Instead I was thinking of adding an "allow Google sign in" switch in the account. If the user logs in with Google, they are prompted to login normally, and set the switch to true. So if the Google account isn't the user's they would be blocked from proceeding, and if it is, they could sign in and a definite match would be made. Once set to true all subsequent logins with Google would proceed normally.

Also, I was thinking of only enabling the switch if the user has made a Google login attempt. This would prevent the user from setting the switch to true and then never login in with Google, such that in the very unlikely case that there exists a Google account with the user's email that then at some later point gains access to the account without the user knowing or remembering that the switch was set to true.

More importantly, enabling the switch only after a login attempt would mean that when the switch was enable the user's Google information would immediately be available, thus allowing me to immediately store the Google user id such that I no longer need to depend on the email as a unique identifier.

Sorry, I'm kind of thinking out loud, well thinking out typing!. Anyone see any flaws in my logic?