I am creating an app with multiple login options.
There will be a possibility to login via Facebook, Google+, and a manual login.
It's all good for now. But let's talk about the case where a user decided to log out from one account and log in using the other account. For instance, logging in via Facebook, logging out, then logging in via Google+.
This scenario causes the database to create multiple users in the database for only one user.
The only way I can think of solving this, is to find a link between all the different logins.
Options:
Email - The user can use different emails for the different apps, or might not have his email public through one of the social APIs.
Phone Identifier - The user might let someone else use the app on his phone, or the user might have multiple devices.
Name - There will be many people with identical names.
Due to the above not being viable options, I wanted to see how other people have approached this concern.
I am not looking to use any 3rd party frameworks.
Thanks!
Related
I couldn't find information on this. I have an iOS app, written in Swift. Firebase is my storage and database place. For now, I authenticate my users with email and password (no social media auth). My question is - is it possible after they've created their account to create many sub accounts? And if so, how do I track those (meaning, which is the primary account and how to switch between them - something like Twitter and the way it allows to use multiple accounts and switch between them)?
My goal is to allow each user to have/create multiple accounts, make 1 account primary and the rest would be secondary accounts. Not sure if Firebase allows any of this though. I know this is broad description, but I want to make sure that this is indeed possible before I try to do anything like that. Any ideas?
I made an app using Firebase and I have implemented a Google account based login system in my app because I thought it would be good and would also help me with Firebase Invites, but my app got rejected by the Apple App Review team and they are telling me that I have to implement "significant account-specific functionality from Google".
My app is like a social networking app, something similar to Facebook. Users in the app can invite friends and share content with friends. To achieve this I used Firebase features like the real-time database, Storage, Firebase Invites etc... I really don't know what else I should implement to be eligible for "significant account-specific functionality from Google."
I have sent an email for help but they haven't responded yet.
Using Firebase is perfectly fine in iOS.
1.1 LEGAL: PRIVACY - DATA COLLECTION AND STORAGE - significant account-based features
Read section ii) https://developer.apple.com/app-store/review/guidelines/#data-collection-and-storage
If your core app functionality is not related to a specific social
network (e.g. Facebook, WeChat, Weibo, Twitter, etc.), you must
provide access without a login or via another mechanism.
Since your app is not using any specific social network feature (Facebook, Twitter - which demands a login) you must allow users to provide functionality without login.
You might want to appeal to the Appeal board with an explanation of why the user must log in in order to use the app (give examples and screenshots of specific functionality which cannot be used without login).
If your appeal is rejected you don't have any option but to redesign the app to follow what Apple is suggesting. What we have done in the past is provide a basic flow without login, but once it reaches a point where login is a must we force the user to log in (something like an anonymous user).
After 3-4 rejections I found the solution for this problem. I have implemented a feature called Firebase Invites and for that they must sign in with their Google Account.
According to the App Store guidelines we can't even use third party login for sending invitations. In that situation, I convinced them that "with this Firebase Invites I am able to see my friends in my Google Account and send them invitations personally". With that answer (they called me by phone) it seems they were convinced and accepted my app.
I had the same rejection this week because I have a Facebook login.
My app was already live, and this is a rejection for an update.
There is a change in their guideline. This is new on Sep 1, 2016:
If your core app functionality is not related to a specific social network (e.g. Facebook, WeChat, Weibo, Twitter, etc.), you must provide access without a login or via another mechanism. Pulling basic profile information, sharing to the social network, or inviting friends to use the app are not considered core app functionality.
In essence, they are killing many apps that simply use social networks for single sign on.
A solution right now is to implement your own login account mechanism.
According to this question: Architecture for merging multiple accounts and registering a user account
Various answers have said that using email is a good way of establishing correspondence between different accounts and then doing automatic merging for multiple account sign in.
However, Twitter is a major provider that does not provide email through their OAuth API.
How can we reliably and automatically establish a correspondence between a Twitter account and, for example, Google, Facebook, GitHub... etc. accounts? So that we can auto-merge those accounts.
I'm writing a library to help in this, so it's not really useful to say do it manually, since I would like to provide options.
There is no secure way to automatically do it. I implemented an application with local account/Twitter/Facebook/Google and I didn't have any other choice.
I suggest you allow your users to register with one method (local account, Twitter, Facebook, Google...) and create a page in "My account" that allows them to associate other accounts.
In Twitter a user can be identified by either a name or a key; you have no way to know them unless you explicitly ask the user for them.
Moreover now in Twitter 1.1 you have to redirect your user to Twitter to approve your application and then you get the OAuth token and security key. As you can see there must be an interaction with Twitter, at least if you need to perform some restricted queries on his behalf (e.g. create a Tweet).
I am working with the Firefeed app (based on Firebase) and I am wondering how I can give users the option to log in with both Facebook and Twitter.
I correctly set up my Firebase but I guess the issue is that I either use
authClient.login("facebook");
or
authClient.login("twitter");
How can I use both to give them the choice? I know, it's probably a beginner question. :)
Many thanks!
I'm not quite sure what you're looking for here. If you want to allow people to log in with either option, then you can simply have 2 buttons, one that says "Log in with Twitter" and one that says "Log in with Facebook".
If you want to have an account system that merges multiple social accounts into a single account on your system, so that users could log in with either system and access the same data, this is a little more complex. There's a thorough answer here:
How can I login with multiple social services with Firebase?
My colleagues and I are developing an application (both a web application and a mobile app (iPhone & Android)), which includes a login process.
Currently, we have our own login mechanism (where users have signed up for an account on our app, and we have stored their info in our database). We are looking into integrating OAuth and allowing users to log in with Facebook, Twitter, LinkedIn and Google.
Now, when a user logs in with any of those, as I understand it the login process occurs outside our application and we basically only get permission to access their resources.
My question is this: through OAuth, how do we remember users? i.e., users who log in have read/write privileges and have preferences. How do we remember those when they don't actually sign up through our app? Can we store their email address in our "Users" table?
What are the best practices in such a scenario?
Thanks for any info you can provide.
Having built authentication databases for a few different OAuth-enabled web sites, I can say that I've learned a few things that you should keep in mind.
You should have a table of users for your site that is completely independent of which OAuth provider they used for sign-up/sign-in. This enables your site users to combine multiple accounts together under their primary identity on your site. (For example, associate both Facebook and Twitter with you.)
When you let a user sign up, you should get an email address from them, whether you ask Facebook for it or have to ask directly. This enables you to "upgrade" users later from depending purely on third party OAuth to setting their own password on your site. (You simply send them a link to your password reset page in order to get them started creating their first password.)
You don't want to use email address as your primary key. I'm not sure if that's what you're actually describing or not, but you really want them to have a local user ID that you use for maintaining their session, etc. You then associate their Facebook ID or their Twitter ID with that local ID, and use the correspondence between such identifiers to match up which of your site's users to consider logged in.
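The data model from the answer above, combined with the explicit "My account" linking suggested in the earlier Twitter answer, as an added example that is not code from any of the posters. The table names, function names and sample IDs are assumptions, and `subject` is assumed to be the user ID returned by a completed OAuth flow with that provider.

```python
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id    INTEGER PRIMARY KEY,   -- local ID; sessions reference this, not the email
    email TEXT                   -- contact attribute only, never used for matching
);
CREATE TABLE identities (
    provider TEXT NOT NULL,      -- e.g. 'facebook', 'twitter', 'local'
    subject  TEXT NOT NULL,      -- the provider's own stable user ID
    user_id  INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (provider, subject)  -- one external identity maps to one local user
);
"""

class IdentityInUse(Exception):
    """The external identity is already linked to a different local user."""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def find_user(db, provider, subject):
    row = db.execute(
        "SELECT user_id FROM identities WHERE provider = ? AND subject = ?",
        (provider, subject)).fetchone()
    return row[0] if row else None

def sign_in(db, provider, subject, email=None):
    """Resolve a provider-verified identity to a local user, creating one on first use.
    An equal email on another row is deliberately not treated as the same person."""
    user_id = find_user(db, provider, subject)
    if user_id is None:
        user_id = db.execute("INSERT INTO users (email) VALUES (?)", (email,)).lastrowid
        db.execute("INSERT INTO identities VALUES (?, ?, ?)", (provider, subject, user_id))
    return user_id

def link_identity(db, session_user_id, provider, subject):
    """'My account' flow: attach a second provider to the user who is already signed in."""
    owner = find_user(db, provider, subject)
    if owner is not None and owner != session_user_id:
        raise IdentityInUse(f"{provider}:{subject} belongs to another account")
    if owner is None:
        db.execute("INSERT INTO identities VALUES (?, ?, ?)",
                   (provider, subject, session_user_id))
    return session_user_id
```

Because linking only happens inside an authenticated session, a provider account that merely reports the same email address cannot be used to take over an existing local user.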