Prevent same auth name from being used for multiple users within the same provider

Agreed.

I don't think an extra explicit check is needed; if we change the database index, the save() will throw an exception, so that should be enough.

And the exception is pretty easy to prevent by a depending module; just call authmap->getUid($authname, $provider) or externalauth->load($authname, $provider). (I implemented this patch when I thought I really needed it to harden a module's code... but that turns out to be a mistake.)

I don't know if this exception should be documented in the interface; I just added comments (in a related and an only vaguely related place, to un-confuse myself).

Yeah this makes sense. The change itself doesn't mean that the module will do extra validation, simply by making the authname and provider fields together a unique index prevents other modules and extensions from saving duplicate information, helping modules that depend on this one from making a mistake.

Thank you for the patch and review.
It didn't apply to current HEAD, but I rerolled and committed.