I have a web and android applications. I want both apps to login users using their social media handles. I want to use
google
facebook
twitter
tiktok
apple
I have looked at how facebook authenticates users from the docs here https://developers.facebook.com/docs/facebook-login/web/
and there is userID which i assume will never ever change for any given user.
Since social media handles change, email addresses and usernames, is there a permanent account identifier token that the Oauth specification returns that uniquely identifies an account?
Related
I know that OAuth2.0 is framework using to authorization data request between apps, but to give this access auth server is required. It is my question: who is this server? Let's say: We have two apps: Twitter and Google. I am trying to register Twitter account using Google account. And now where is this auth server? Is it Google? Or maybe it is another third server (managed by Twitter and Google together where user data is?) If it is Google, how Twitter is able to check if user token (generated by auth server [Google??]) is valid?
Thanks
On your first question,
I am trying to register Twitter account using Google account. And now
where is this auth server? Is it Google?
Yes, it's Google. If you're trying to login/register to Twitter via Google, Google is the authorization server. Because, Google has to authorize/delegate access to Twitter to access your data such as your Gmail id, username, etc.
Once you click on "Sign up with Google" button on the Twitter registration page, you will be redirected to the Google login page first (to see if you're an authenticated google user) and then Google would show you a consent page saying that "Twitter is trying to read your profile data, are you okay with this?". Once you click on "Allow" button, Google will generate an access_token, id_token, and refresh_token and pass it to Twitter.
On your second question,
If it is Google, how Twitter is able to check if user token (generated
by auth server [Google??]) is valid?
Twitter is not going to validate the tokens. Twitter can pass the token to retrieve your Google profile information from Google's Resource Server (where all your data reside)
Google's Resource Server is the one that's going to validate the token. It first checks the 'iss' claim of the token to see if the token is issued by Google's Authorization Server. Additionally, it would check for 'aud' to see if the token is issued for them (recipient of the token). Finally, it checks for the 'scope' claim to see if Twitter has the right access to request the data. For eg, they would need to request only read-only access to your profile, but not write access. There could be additional validation depending on the use case.
I hope this answers your questions.
I would like users to register an account on my site via OAuth Spotify. I have the following scheme:
User authenticates via Spotify
Spotify ID and Mail are returned
An account will be created on the website (saved to the database)
The user can log in with his Spotify to access that account
The problem I foresee here is that someone can spoof the authentication by copying the ID of another user and it's mail, am I right? If so, what would be a better way to let an user create an account using Spotify Authentication? Let the user set a password? That seems user unfriendly to me.
So, how can I achieve this?
You can use the access token acquired through OAuth to find the associated username. You can use this as the basis for your accounts instead of a username or password on your own site. The process would be something like:
The User authenticates via Spotify
The Spotify OAuth callback returns a authorization code
You use the authorization code to get an access and refresh token for the user
You use the access token to access the associated User ID and use this as the unique ID for the accounts on your site.
Save an account with the Spotify user ID to your site's database
The user can log in again with Spotify to access their account (it will streamline the process by skipping the Spotify OAuth view, if they have previously approved your site, and are logged into Spotify in their browser)
Since your application will only retrieve the User ID from someone's valid access token, and the only way your application will receive that is if they log in through the Spotify OAuth flow, each account on your site will be linked to a valid, unique, Spotify user.
While looking into this, there are security considerations about using OAuth alone to authenticate users. I would look at this post on Security Stack Exchange and decide based on what level of security is needed for your site.
Using this guide to manage multiple providers I designed my Rails app to handle both Twitter and Facebook login. It does this by creating a separate model Identity that stores the Twitter / Facebook uid and associates it with a user on my site.
I'm also creating a companion mobile application that should authenticate users based on the uid passed back by Facebook or Twitter.
The issue is that Facebook and Twitter uids expire after a certain amount of time. Since I use the uid to determine the user that's logging in, I was wondering how to deal with uid expiration. How do you manage expiring uids from Twitter and Facebook in a Rails app?
It turns out I was getting authorization tokens mixed up - the access token on facebook expires, but the UID stays the same, so there isn't any issue!
I'm not understanding how OAuth2 works for Google API.
Supposing I've signed in API's console and chosen several API's I would like to use.
My website should offers these API's to its users.
I have a doubt if my website users have to be logged in GOOGLE to can use these APIs.
For example, some users that prefer to login with Facebook couldn't use the APIs?
Depends on the API. Anything where you're accessing a user's data on their behalf (tasks, calendar, etc) then of course the user would need to have a Google account and would need to log in when authorizing your app.
But not all APIs act on user data. APIs like search & translate don't require a user to authorize access, and typically use a simple API key rather than OAuth.
User must be signed in Google to grant authorization to your application.
Your application is required to provide an access token when call Google API. The access token is granted by a Google user so that your application is able to access this user's resource on Google. So it's obvious that the user must be signed in Google.
I'm using OAuth 2.0 to allow people to sign in to my website using a variety of different accounts (Google, Facebook, Windows Live, Twitter and OpenID). Currently I can get access to a unique profile ID using Facebook and Windows Live, but I can't find that information for Google.
It appears I can access it through the OpenSocial API, but that uses OAuth 1.0 for authentication.
Try - https://www.googleapis.com/oauth2/v1/userinfo
Of course - you need to add this to the scope - https://www.googleapis.com/auth/userinfo.profile