casey's avatar

@martinbean Thanks for taking the time to clarify. It makes perfect sense.

I'm actually doing what you mentioned with multiple providers:

I'm checking to see if the user exists and then creating or updating based on some assumptions. I probably need to create an interface for this, but if anyone is curious, here's a (very raw) approach using this schema. Any feedback would be appreciated.

        $social = Socialite::driver($provider_name)->user();

        // check for existing account via provider uid
        $social_profile = SocialProfile::where('uid', $social->id)->first();

        if ($social_profile) {
            // if profile exists - get the user object
            $user = User::find($social_profile->user_id);
        } else {
            // otherwise check for an existing email address
            $user = User::where('email', $social->email)->first();
        }

        // If we have a user - log them in
        if ($user) {

            \Auth::login($user);

            // Double check the uid on the social_profile
            // for the case of a different provider
            // if not found add a record
            $social_profile = SocialProfile::firstOrCreate([
                'user_id' => $user->id,
                'provider_id' => $provider_id,
                'uid' => $social->id
            ]);

            return redirect('user/profile');

        // Profile does not exist - create a new user account
        } else {

            $user           = new User;
            $user->name     = $social->name;
            $user->email    = $social->email;
            $user->password = bcrypt(substr($social->token, 0, 10));
            $user->save();

            $social_profile = SocialProfile::firstOrCreate([
                'user_id' => $user->id,
                'provider_id' => $provider_id,
                'uid' => $social->id
            ]);

            \Auth::login($user);

            // redirect the user and suggest changing their password
            return redirect('user/reset');

        }
1 like
vmitchell85's avatar

Wouldn't this be insecure? Say someone creates a GitHub account with joe@example.com and signs up for your site... then some hacker sets up a Twitter account using the same email address and goes to your site. Then they'd be able to log in, since you're matching up the email addresses?

I'm obviously ignoring Twitter's email verification and whatnot but regardless... seems like it could be insecure...

2 likes
gopalkumar315's avatar

@martinbean I have a question: if a user logs in or signs up with a social account, and afterwards tries to log in with the same email through the login form, then should I allow the user to reset the password to log in? Actually, without resetting the password the user cannot log in. Otherwise, should I say invalid user?

And I have one more case: if, after login, I allow the user to link another social account with the current account, then these emails should be able to log in through the login form.

SpoilCoconut's avatar

It's working for existing users. But when I remove the user from the database and try to log in again, I see the error: "Argument 1 passed to Illuminate\Auth\SessionGuard::login() must implement interface Illuminate\Contracts\Auth\Authenticatable, null given, called in"

    public function handleProviderCallback()
    {
        $user = Socialite::driver('facebook')->user();
        //dd($user);

        if (User::where('email', '=', $user->email)) {
            $checkUser = User::where('email', '=', $user->email)->first();
            Auth::Login($checkUser, true);
        } else {
            $user = User::firstOrCreate([
                'name'=>$user->getName(),
                'email'=>$user->getEmail(),
                'provider_id'=>$user->getId(),
                'photo'=>$user->getAvatar(),
            ]);

            Auth::Login($user, true);
        }


        return redirect('/profile');
    }

Do you know the solution?
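An added example, not code from any poster in this thread: the lookup-and-link decision discussed above, written as a framework-free PHP function over in-memory arrays so it runs on its own. It keys identities on the (provider, uid) pair, tests the lookup result itself rather than the query object (the cause of the "null given" error), and refuses to auto-link by email unless the provider vouches for the address, which is the concern raised about the Twitter account. The function name, array shapes and the `$emailVerified` flag are assumptions; the caller has to derive that flag from whatever the provider actually returns.

```php
<?php
// Added example: in-memory stand-ins for the users and social_profiles tables.
// resolveSocialLogin(), $emailVerified and the array shapes are hypothetical names.
function resolveSocialLogin(array &$users, array &$profiles, string $provider,
                            string $uid, ?string $email, bool $emailVerified): array
{
    // 1. Identity is the (provider, uid) pair, never the uid or the email alone.
    $key = $provider . ':' . $uid;
    if (isset($profiles[$key])) {
        return ['action' => 'login', 'user_id' => $profiles[$key]];
    }

    // 2. No linked profile yet: look for a local account with the same email.
    $email = $email === null ? null : strtolower(trim($email));
    $existingId = null;
    foreach ($users as $id => $user) {
        if ($email !== null && $user['email'] === $email) {
            $existingId = $id;
            break;
        }
    }

    if ($existingId !== null) {
        // 3. Auto-link only when the provider vouches for the address;
        //    otherwise the user must log in locally first and link from there.
        if (!$emailVerified) {
            return ['action' => 'require_local_login', 'user_id' => null];
        }
        $profiles[$key] = $existingId;
        return ['action' => 'login', 'user_id' => $existingId];
    }

    // 4. New account: random password, not derived from the OAuth token.
    $id = count($users) + 1;
    $users[$id] = [
        'email'    => $email,
        'password' => password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT),
    ];
    $profiles[$key] = $id;
    return ['action' => 'created', 'user_id' => $id];
}

// Constructed sample data: joe signed up earlier through GitHub.
$users    = [1 => ['email' => 'joe@example.com', 'password' => '(hash)']];
$profiles = ['github:1001' => 1];

var_dump(resolveSocialLogin($users, $profiles, 'github', '1001', 'joe@example.com', true)['action']);
var_dump(resolveSocialLogin($users, $profiles, 'twitter', '77', 'joe@example.com', false)['action']);
var_dump(resolveSocialLogin($users, $profiles, 'facebook', '42', 'new@example.com', true)['action']);
```

In a Laravel controller the same branches would wrap the `SocialProfile` and `User` queries, with `Auth::login()` called only on a non-null user.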
