This is a theoretical question.
Suppose I have a Twitter, Facebook, G+, Instagram account all with the email address bill#example.com and now I want to design a web application that allows users to login to the application with their Twitter, Facebook, G+, Instagram accounts or by a standard registration form.
The unique identifier of my users is their email address.
Now suppose I already have an account registered with the email bill#example.com how should I design the mechanism to allow me to link my Twitter, Facebook, G+, Instagram account?
Method 1
Ask the user to login first then connect to their other accounts.
Pro:
Secure
Cons:
Can be a pain, what if the user forgot their username and password?
Method 2
Assume that the third party oauth providers confirms the email, just associate the third party account to the existing account (in my application) with the existing email provided by the third party.
Pro:
Easy, and simple
Cons:
Security?
Question
How can I ensure that bill#example.com from Facebook is the same bill#example.com from G+?
Or is there no simple/user friendly way to do this?
You can't assume that the email they've used to create your account is the same one they used to create their twitter or facebook accounts. In addition, twitter does not return the email address associated with the user's account. Solution number 1 is really your only option.
Related
I am confused with how social oauth works? Lets say i have implemented social oauth login in my project.
user A signed up in my website with Google Oauth. I somehow put that SIGN UP WITH GOOGLE button in my sign up page and then user will click it and will be directed to a link where google will ask to authorize my app or not. If the user A allows, then at first time what information does the google server send to my server. It will send something so that i could save it in my server to know that a user A has been signed up and could give the userA a id to link it to other tables of my database which is in my server (nothing to do with google server). So real question is what will google(or any other service provider like facebook, twitter etc) send me when a new user signed up and when a existing user signed in again. what will happen if a user (already signed up) try to sign up again? or didn't authorize the website again when logging in?
If you want more detailed question, please comment and I will elaborate.
Ok first off lets use a different term than social login. Lets call it third party login and heres why.
Your application has its own login system users can create their accounts on your system by say adding an email address and creating a login name and a password. Now you want to add third party login that being, Facebook, google and twitter login. These are actually third party logins.
What you will actually be doing is linking the users third party social media accounts with your login system. The term often used for this is called account linking.
Lets say user A has created an account in your system already now A has a Facebook account so they would like to link their Facebook account with your login system. So you create a Facebook login button Facebook will return to you an id this often being the id of the user on facebooks system. So when the user logs in using Facebook you get the Facebook id back that you can store on the users account in your system.
Things get a little more confusing if user B wants to login to your system using Google and B does not already have an account in your system
when they login then you will probably get the users id and i think you get their email address back as well so you can use the email address from google so you can create them a actual account on your system and directly link the google login to it automatically.
Its been a while since i have done it but i believe that you get the user id and the email returned to you from third party providers you may want to check thought if memory serves they are not all the same and you may have to make a request to get the email address after you get the id back.
Social login is still not normalized. You have to work them out one by one unless you leverage something that do it for you like the trusstee.io solution.
It appears to be simple to use and is described here https://medium.com/me/stats/post/ef5d5a5a3943.
Ok, let's imagine I've got my Rails application and user creates account through the app with email xxx#example.com.(He doesnt have any social account). My app has included Twitter,Google+ Facebook sign up with Omniauth gem. So now, let's say, that there is a malicious hacker, which creates social account on Twitter, G+ or Facebook with email xxx#example.com. He goes to our app, he can't log in normal way, but he can easly get into account by his social account, which matches with user email xxx#example.com. So, the question is, how we can provide safety in this situation? Or is it provided mayby in the way I dont get?
If i understand your question correctly, none of the social media accounts can be created without confirming your email id. So there is no way someone is going to create account in Twitter, G+ or Facebook with your email id.
I'm trying to implement a "sign in with twitter" button on my web application. Upon authentication I receive the users' credentials which do not include a user email address. Twitter does not provide user email addresses and so I've heard people use the twitter unique id to identify distinct users.
My application allows a traditional mode of registration (user creates an account with us) as well as sign in with facebook. In order to determine in my database whether the user already exists we use the email address provided under these two sign in methods, but twitter does not allow for that.
Sure, I could ask for their email address the first time they sign in with twitter but this poses a number of security concerns, for example, the user may provide another person's email address.
The question is, how can I, with the unique twitter id or other information provided by twitter, determine, short of asking for their email address, if the user already exists in my database?
I've seen people puzzled over the fact that twitter sign in credentials do not include email address?
I appreciate any ideas on how to solve this.
Thank you.
According to this question: Architecture for merging multiple accounts and registering a user account
Various answers have said that using email is a good way of establishing correspondence between different accounts and then doing automatic merging for multiple account sign in.
However, twitter is a major provider that does not provide email through their oauth API.
How can we reliably and automatically establish a correspondence between a twitter account and for example Google, Facebook, Github... etc accounts? So that we can auto-merge those accounts.
I'm writing a library to help in this, so it's not really useful to say do it manually, since I would like to provide options.
There is no secure-way to automatically do it, I implemented an application with local account/Twitter.Facebook/Google and I didn't have other choice.
I suggest you to allow your users to register with one method (local account, Twitter, Facebook, Google...) and create a page in "My account" that allow them to associate other accounts.
In Twitter a user can be identified by either a name or a key, you have no way to know them unless you explicitly ask them to the user.
Moreover now in Twitter 1.1 you have to redirect your user to Twitter to approve your application and then you get the OAuth token and security key. As you can see there must be an interaction with Twitter, at least if you need to perform some restricted queries on his behalf (e.g. create a Tweet).
anyone knows if it is possible to do registration via twitter just like facebook register (http://developers.facebook.com/docs/plugins/registration/)?
it is not login via twitter. i need to store some basic information from the twitter user, eg, name and email, and then request user to choose their own username and password for my site.
Thanks!
Twitter doesn't have this functionality at all , they have #anywhere for integration for some Twitter features on your website. That's the closest there is to this. What you can do is register an account with the information you gather from an authenticating user, but the development of this would be up to you. There are no boxed up solutions right now from Twitter. There may be something third party but I'm not aware of any.
It's also "against the rules"
You may not use Twitter Content or other data collected from end users
of your Client to create or maintain a separate status update or
social network database or service.
https://dev.twitter.com/terms/api-terms