I am trying user PayPal OAuth login to authenticate users on my django system. I am getting a user_id back but it does not match the user_id that we got when the user previously logged in via PayPal. All the other details are the same so it is clearly the same account.
Has anyone else seen paypal user_id changing over time?
Related
As the title suggests, I have implemented Sign in with Apple. After submitting my app online, I found that I can not get the user's email while I can get the username.
I collect the username and email and I found I can not get user email sometimes when the user first authorizes my app. Any reply appreciated!!!
The section Send Information to Your App Servers on the Apple Developer website states that this information is only returned to you the first time the user authenticates with Apple Sign In. You will need to store those details yourself in order to retrieve them again on subsequent logins.
Users can register an account on my site via the default authentication method that requires a username, email and password.
To allow users to login via facebook, I am using the facebook gem with Omniauth gem.
Existing guides shows me how to authenticate the users up to the point where they can confirm their details ("is your first and last name correct?") before successfully tying the uid and provider to the user record.
However, it does not check if the email is the same.
Does anyone know how to check if the email is the same and if it is, request the user to provide their password to the account already registered on my site either on the same screen for confirming user details or a new screen with just a password field and a message indicating that he needs to confirm he owns an account on my site with the same email facebook provides.
Should this be done on the model or controller layer? How would you go about doing this?
I am adding Twitter and Facebook login to a MVC 3 test application using TweetSharp and Facebook C# SDK.
Currently when a user signs in using Twitter I create a user account for that user in a user table and store the id, token, and token secret in a separate table with a foreign key to the user table. Since the id, token and token secret do not expire I can quickly locate the right user account when the user logs in next time using Twitter.
What if the very same user logs in using Facebook next time? Since Twitter does not provide email in their API and I therefore have no common piece of information to tie a user account to either Twitter or Facebook I assume I have to create a new user account for a Facebook login? Does anyone have any experience with this? Are there any ways to solve this?
I identify each user internally with a unique key. I check cookies for the user key when any user hits the site. If there's no cookie I create a new key. add it to the user database and set a new cookie. Once a user completes registration the first time by logging in with any of Facebook, Twitter or .Net membership , that key is forever married to that user.
So when an existing Twitter user logs in for the first time with Facebook, we know who they are because their user key exists. It is basically the same solution as macou suggested. Macou's has the plus of working on a new machine or if cookies are cleared, the cookie solution has the plus of not requiring additional user input.
Not really a solution, more of a work around. I was faced with the same problem and ended up forcing the user to complete thier account profile by asking for their email address before allowing them to proceed any further. This meant that if the email address coming back with the Facebook auth matched the email address created with the twitter signin then I didn't need to create another account.
The bigger difficulty was coming the other way, if the account was created by the facebook auth first. It meant an untidy marry up of accounts.
To be honest the information we got from allowing users to sign in with twitter was not worth the effort and in the end finished up only allowing Facebook auths. I'm not sure how important twitter is to your solution.
Not the perfect answer I know, but I thought I would share my experience.
You can't use just a cookie because I can login as facebook then my wife login as twitter using the same browser, you shouldn't link the two accounts in this case.
I think you need to do more than that:
Use a cookie then
Use name/first name/login name/... to see if they match.
Example:
Cookie id: 18459439731114330636, find user with id = 18459439731114330636. Found, go to 2, not found, go to 3.
Is username/first name/last name/... matches the current user? if yes, link accounts. if not, go to 3.
Create a new user.
I use Authlogic to handle login/authentication/sessions etc and I'm using paypal to handle my payment for subscription to my site. For users whose trial has expired, i'd like to log them in automatically after they go through the paypal payment process, but i can't work out how to do this without a password. My flow is thus:
expired user logs in
their trial has expired, so i push them to the subscribe page, keeping track of who they are via their unique persistence_token field, which i put in a param which gets sent on to paypal.
when i get the payment notification from paypal, i get their token as well, so i know which user has paid, and i amend their account accordingly.
when they have paid in paypal, the button to send them back to my site has the unique token of their order, so i can tell that it is the person who has just paid that is going to that 'subscription complete' page rather than anyone just typing in the url to their browser.
when they return from paypal to the site, they are still logged out, and they have to go through the login/registration process.
In the above situation, because i get the order token in the params to my 'subscription_complete' page, i know that the user is the same one who has just paid, and so i have enough information to trust them, as if they had logged in. So, i would like to log them in automatically, ie create a UserSession record for them. But, the problem is that i don't know their password (because passwords are 1-way encrypted), and i need the passsword to create the user_session.
So, my question is: if i trust the current user, but don't know their password, can i still log them in anyway? If so, how?
I've used UserSession.create(#user) before. Doesn't this work for you?
I have recently implemented login to my via facebook connect. So now users have 2 ways of logging in to the site. The old way of registering an account and the new way (facebook connect).
One thing I would like to do is link a new facebook connect user account to existing accounts if they logged in the old way.
Has anyone had any success doing this?
Very good question I think and lots of people will benefit from an answer.
What you need to remember is that accounts are only linked so long as they are authorised to be linked through Facebook. What you should do is maintain a second table of linked accounts in your database so that you know who is who and if they are linked with Facebook.
You should read this integration comment, it provides a lot of useful information.
http://crazyviraj.blogspot.com/2010/01/test-cases-for-basic-facebook-connect.html
It doesn't really say how to do things, but it makes sure you tick all the boxes of what you should be doing.
ie:
Sign Up should fail if the user denies
permission to the app (category: sign
up)
Since we need access to an email
address, Sign Up should fail if the
user provides publish permission but
denies email permission (category:
sign up)
If the user provides an email address
that already exists in your system,
fail Sign Up. Make sure no YouFace
backend tables are modified (category:
sign up, 1:1 mapping) PS - when this
happens, I didn't find a way for you
to de-authorize YouFace on the
Facebook user's behalf. The user must
manually do this if they wish you use
the same account but provide a
different email address.
Accounts created using Facebook
Connect should not be able to login
using YouFace's default email/password
login system (category: sign in,
account security). PS: Since YouFace
accounts require a password and those
created using Facebook Connect don't,
make sure to insert a random password
hash into your table to avoid silly
errors
Accounts created using YouFace should
be able to sign in without requiring
to be signed into Facebook, even if
when a link to a Facebook accounts
exists (category: sign in)
Any many more
You should be asking for permanent access through fb connect authentication. Once you've done that, you'll get a token which gives your permission to access someone's Facebook information, and that token will not expire unless the user explicitly removes you from the permission list or changes his/her password.
Once you have the token, associate that token with the user / create a new field in your user table to store it.
To associate the user with a Facebook account without the user logging in, you can try to match by email. It's not 100% accurate but it's pretty good. Facebook doesn't give you email addresses in text form but you can get email hashes from FQL. Since you already know user email addresses, you can calculate the hash for all of your user emails and search through your user base for matches every time a new Facebook Connect user signs up.