Hello Alexander,
We internally discussed this.
Your option #1 sounds OK but we decided not to use the aliases, we realised that we have to remove or replace with something else if we want to use aliases for oAuth authentication (as I explained previously).
Instead we add "name" field in User object and make API use it for authentication and add ability to modify it. I think we deprecate and then remove "email" field (mostly because it is quite confusing that "email" is used for authentication).
So my vision is:
Step 1 (it will let your implementation work as expected)
1/ We add "name" field to User, use it for plain (user/password) authentication and make it editable.
2/ We deprecate and then remove "email" field (user's email will be accessible in the Profile along with other fields but we wont use it for authentication).
3/ Until step 2 we continue to use and support "aliases" for oAuth authentication only.
Step 2 (next API version, not critical)
1/ We deprecate and then remove "aliases" from User
2/ We add oAuth login infos (provider and user name) to the User Preferences and make oAuth authentication use it instead of aliases.
WDYT?