Firebase auth: switching providers - oauth

I'm currently building an application that uses sign in with Twitter. However, some users report losing their Twitter account (or also possibly getting banned from Twitter, etc), and am wondering if it's possible to switch those accounts to Google signin or email signin. Have not found docs on this, especially if the linked identifier is a Twitter handle instead of an email. Any help will be appreciated!

check here --> https://firebase.google.com/docs/auth/web/account-linking
But I think that the user must be logged in to do so, as you comment if they do not have how to enter with Twitter what you could do is a validation of additional data you have of the user (indicate their name, twitter user, something that you know about him) in a section that you build within the platform where new users can request to claim an account.

Related

How does social oauth really works?

I am confused with how social oauth works? Lets say i have implemented social oauth login in my project.
user A signed up in my website with Google Oauth. I somehow put that SIGN UP WITH GOOGLE button in my sign up page and then user will click it and will be directed to a link where google will ask to authorize my app or not. If the user A allows, then at first time what information does the google server send to my server. It will send something so that i could save it in my server to know that a user A has been signed up and could give the userA a id to link it to other tables of my database which is in my server (nothing to do with google server). So real question is what will google(or any other service provider like facebook, twitter etc) send me when a new user signed up and when a existing user signed in again. what will happen if a user (already signed up) try to sign up again? or didn't authorize the website again when logging in?
If you want more detailed question, please comment and I will elaborate.
Ok first off lets use a different term than social login. Lets call it third party login and heres why.
Your application has its own login system users can create their accounts on your system by say adding an email address and creating a login name and a password. Now you want to add third party login that being, Facebook, google and twitter login. These are actually third party logins.
What you will actually be doing is linking the users third party social media accounts with your login system. The term often used for this is called account linking.
Lets say user A has created an account in your system already now A has a Facebook account so they would like to link their Facebook account with your login system. So you create a Facebook login button Facebook will return to you an id this often being the id of the user on facebooks system. So when the user logs in using Facebook you get the Facebook id back that you can store on the users account in your system.
Things get a little more confusing if user B wants to login to your system using Google and B does not already have an account in your system
when they login then you will probably get the users id and i think you get their email address back as well so you can use the email address from google so you can create them a actual account on your system and directly link the google login to it automatically.
Its been a while since i have done it but i believe that you get the user id and the email returned to you from third party providers you may want to check thought if memory serves they are not all the same and you may have to make a request to get the email address after you get the id back.
Social login is still not normalized. You have to work them out one by one unless you leverage something that do it for you like the trusstee.io solution.
It appears to be simple to use and is described here https://medium.com/me/stats/post/ef5d5a5a3943.

Is there a way to avoid the "https://www.googleapis.com/auth/plus.login" scope?

I'm building an app with Google Sign Up button. Google suggested for me to use Google+ instead, which I did.
I'm asking for users profiles and email address in two different scopes (https://www.googleapis.com/auth/userinfo.email and https://www.googleapis.com/auth/userinfo.profile). However, I noticed that the scope https://www.googleapis.com/auth/plus.login is added automatically in the token request response.
Is there a way to remove it? I'd like only to ask users for the two I've mentioned in order not to have additional permission requests in the dialog box, and this one also causes a confirmation popup for access to users' circles (which I don't need). I've Googled about it a lot, but couldn't find anything related to this problem.
Previously you could not remove the plus.login scope from the Google+ Sign-In button, as profile information for users who had not upgraded to Google+ was not available from the Google+ APIs. Now you can choose whether you want to require a Google+ upgraded user and get access to the users' circles and the ability to write app activites, or just request basic profile information.
For full Google+ Sign-In include email and https://www.googleapis.com/auth/plus.login scopes.
For basic profile information include email and profile scopes. Note that these are just the bare strings profile and email - they are not in URL form.
The user's email address and profile information will be available from the Google+ profile endpoint. You can always allow users to upgrade to https://www.googleapis.com/auth/plus.login later using incremental auth so they can take advantage of access to circles users and writing app activities.
To use the Google+ Sign-In button you must request https://www.googleapis.com/auth/plus.login
plus.login includes a basic set of permissions that a generally useful including a request to read a users circles. Users can easily choose not to grant access to their circles for your app by simply selecting the 'Only you' option that is presented prominently on the consent dialog. However, it is not possible to reduce that set of permissions included in plus.login.

linking user accounts to their twitter/facebook/etc accounts

I have an existing rails app which uses 'devise' for authentication.
I would like user's to be able to link their twitter and facebook accounts to their account on my site, so that my application can post updates on their behalf.
Ideally:
When registering, you can choose to set up a standard account, or use twitter, Facebook, etc credentials.
If user chooses to use facebook credentials, I would still like them to be able to link their twitter account, so that my application can post to both at same time on their behalf.
A bonus would be allowing them to have identities which they could link twitter account A to one identity, then switch identities and use another twitter acccount.
My questions are:
if they use a standard account, and link facebook and twitter, are they going to be prompted to enter those credentials every time I post on their behalf? Or does omniauth give me an infinitely valid token?
I know devise can handle omniauth, but I can't seem to tell if it can handle what I am asking. It seems that it's omniauth support is more along the lines of just authenticating site users against twitter credentials not for linking multiples.
is there a rails gem that does this, and is well supported? I see socialite is no longer supported, but it seemed to be a one or the other type deal, not what I want anyway.
because I am already doing standard auth with devise, would it be simpler to just force users to create a standard account, and then use the twitter and facebook api's directly on top of that?
Looking for the best strategy here for doing what I want.
*note: If you think I can get 75% of what I want for 25% of the effort that all my goals would be, let me know. *
Thanks,
~S

multiple oauth providers and implicit user account creation

I'm learning oauth 2.0 and was wondering about the following scenario
say I want a website to allow login with both twitter and facebook
when a new user logs in for the first time using twitter, the server checks if a user with this twitter id exists in the database and if not, creates a new user using values returned from twitter
the same user logs out and logs in again, this time using his facebook account
Question: how can I match the returning user with the account that was created the first time and avoid creating a second user account for the same user ?
Thanks
If you request for their email address, you can detect matches and merge that way?
If you are only interested in having the user log in, then you should be looking at openID, not OAuth.
Unless you explicitly ask the user to link their various accounts together for your app, there really isn't a good way to know that JohnDoe on Twitter is JohnDoe on Facebook.
You can ask the customer to link their accounts together and give them tools to merge two accounts (one created with Twitter account and one with Facebook account) together.

Registration for own site viat twitter

anyone knows if it is possible to do registration via twitter just like facebook register (http://developers.facebook.com/docs/plugins/registration/)?
it is not login via twitter. i need to store some basic information from the twitter user, eg, name and email, and then request user to choose their own username and password for my site.
Thanks!
Twitter doesn't have this functionality at all , they have #anywhere for integration for some Twitter features on your website. That's the closest there is to this. What you can do is register an account with the information you gather from an authenticating user, but the development of this would be up to you. There are no boxed up solutions right now from Twitter. There may be something third party but I'm not aware of any.
It's also "against the rules"
You may not use Twitter Content or other data collected from end users
of your Client to create or maintain a separate status update or
social network database or service.
https://dev.twitter.com/terms/api-terms

Resources