HybridAuthProvider ordering discussion

The HybridAuthProvider allows the use of multiple USER authentication providers. Some providers are read only, ie LDAP/AD, while others can be writable to a back-end database. I’m looking for feedback on how everyone thinks conflict resolution should work. For example. if multiple providers have the same username, which one should be used to authenticate?

1.) read-only regardless of ordering, then writable providers in order they are listed (ie primary, secondary, tertiary)?

2.) solely based on ordering in the configuration (primary, secondary, tertiary)

3.) another way?

What’s of additional interest are scenario’s where data from providers are not (passively) used, but updated. How should that work?