Why do iOS apps recently change authentication method? - ios

Recently I noticed how Path, Pinterest, and the like changed the way they authenticate their users. Currently it seems that they require us to create an account associated with Facebook or Twitter. I could not understand the reason behind this. Is there any security concern behind this move?
Why is simple authentication with Facebook and Twitter not enough?

I think it is about giving the site more control over their future and the relationship to their users.
If they have their own account system, but allow the users to link it to Facebook or Twitter, that link can later be changed if the relationship with those providers turns sour.

The big reason is that they don't have to take any risk with handling passwords, etc. which can get hacked. They are offloading the security of user accounts to bigger partners, so they don't have to worry about it.

Related

Should I use OAuth for a small business website?

I know it allows a third party to have access to the user's data of the another website. If I just want to make an e-commerce website with Facebook login, and it'll only be used by my customer, is it an overkill to use OAuth?
For an e-commerce website you will require things such as phone number, address, pincode, etc. Facebook won't give you all of these things, as not a lot of people save such info on Facebook.
It won't be overkill; in fact it is much easier, but you won't benefit from it at all.
The best thing would be to write a custom login system; make it short and simple. Maybe even get a bulk SMS module/service to verify phone numbers or send order confirmations.
If the Facebook login is the only way to login, it can be quite limiting for people having no Facebook account or not wanting to use it. But it's not difficult to implement and it can make your application safer (not keeping passwords in your database) and easier to use for Facebook users, which I think makes it worth the effort.
After the first successful Facebook authentication, you can ask users for all additional data you need not available from Facebook.
And if you support one OAuth2 provider, it's easy to add other ones later (such as Google).
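As an added example to go with the answer above (it is not code from the answer, nor from Facebook's or Google's SDKs), here is the skeleton of a "Log in with <provider>" OAuth 2.0 authorization-code flow in Python, with the two client-side checks that keep such a login safe: a one-time `state` value bound to the browser's session (the login-CSRF check) and a PKCE code verifier. A fake in-process provider stands in for the real one so the flow runs offline; the endpoint URL, client id, redirect URI and the `FakeProvider` class are assumptions.

```python
"""Added example (not code from any of the posts above): the client-side
checks in a "Log in with <provider>" OAuth 2.0 authorization-code flow.
A fake in-process provider stands in for Facebook/Google so the flow runs
offline; the endpoint URL, client id, redirect URI and FakeProvider are
assumptions, not any provider's real values."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://provider.example/oauth/authorize"  # assumption
CLIENT_ID = "demo-client-id"                                 # assumption
REDIRECT_URI = "https://shop.example/auth/callback"          # assumption


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def start_login(session: dict) -> str:
    """Build the redirect to the provider. A one-time state (CSRF token) and a
    PKCE code_verifier are stored in the user's server-side session so the
    callback can later be bound to this very browser session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)
    challenge = _b64url(hashlib.sha256(session["pkce_verifier"].encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",          # ask only for what login needs
        "state": session["oauth_state"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def finish_login(session: dict, callback_url: str, exchange_code) -> dict:
    """Handle the provider's redirect back to us. The callback is rejected
    unless its state matches the one issued in start_login (constant-time
    compare, single use); only then is the one-time code plus the PKCE
    verifier traded for tokens via exchange_code (the token-endpoint call,
    injected so it can be faked offline)."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    got = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected, got):
        raise PermissionError("state mismatch: possible login CSRF, aborting")
    code = query.get("code", [""])[0]
    if not code:
        raise PermissionError("provider returned no authorization code")
    return exchange_code(code, verifier, REDIRECT_URI)


class FakeProvider:
    """Constructed stand-in for the identity provider, just enough to run the
    flow offline: issues single-use codes bound to the PKCE challenge."""

    def __init__(self):
        self._codes = {}

    def authorize(self, authorize_url: str, user_email: str) -> str:
        """Simulate the user approving the request; returns the callback URL
        the provider would redirect the browser to."""
        q = parse_qs(urlparse(authorize_url).query)
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["code_challenge"][0], user_email)
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def exchange(self, code: str, verifier: str, redirect_uri: str) -> dict:
        challenge, email = self._codes.pop(code)   # single use: replay raises KeyError
        if _b64url(hashlib.sha256(verifier.encode()).digest()) != challenge:
            raise PermissionError("PKCE verifier does not match challenge")
        return {"access_token": secrets.token_urlsafe(16), "email": email}


def demo() -> dict:
    """Run one full login and return the identity obtained. The site never
    sees the user's provider password, only the token the provider issued."""
    provider = FakeProvider()
    session = {}                      # the browser's server-side session
    url = start_login(session)
    callback = provider.authorize(url, "alice@example.com")
    return finish_login(session, callback, provider.exchange)


if __name__ == "__main__":
    print(demo())
```

The state check is the part most often skipped in home-grown "login with X" code: without it an attacker can complete a login in their own account and hand the resulting callback URL to a victim, who then ends up logged into the attacker's account. Real providers differ in endpoint URLs and scope names; the checks are the same.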
I would host the Website on Google Cloud Platform or one of the other big players (Azure, AWS) and use their Authentication systems and APIs.
In today's cyber security environment it seems almost "foolish" to use any other route. Why would you want to set up a "custom login system" when using things like Firebase (Azure or AWS have things too) lets you do 5 or 6 of the major social logins and/or a username/password system while "someone else" deals with all the hassles of password management and preventing password breaches?
There is no way a "small business" can compete with the security and infrastructure that these "Big Player" provide.

Facebook Graph API User object subscriptions Whitelisting

In my iPhone app, I implemented the Facebook API to piggyback on their user identification.
Now, rather than polling Facebook every once in a while to see if the information of a logged-in user has changed, I would like to use the 'User object subscriptions'. From this document I learned that I have to create a Callback URL (done and tested), and that my app needs to be whitelisted.
On developers.facebook.com/apps/ I can't find a way to apply for being whitelisted, and Google doesn't seem to be my friend anymore.
I hope you are.
The docs state:
...some of these objects may require your app to be whitelisted by Facebook for access.
Basic Realtime Updates should work without any whitelisting involved; at least they do so for me.
Whitelisting your app is not always easy to do, as certain APIs are meant to be quite restricted at a developer level. You can find further information about whitelisting here if you have not already done so.
As far as whitelisting goes, in your case I believe it is just a matter of your app settings and IP whitelisting, which you can find more information about here.

Google+ Sign-In - stop requesting people you're connected with

Is there a way to make the Google+ Sign-In not request the user's "list of people you're connected to on Google+"?
My goal is to use the G+ sign in for authentication purposes today, and in the future also use it for social sharing functionality. As the owner/operator of the service requesting sign in I don't care who is in a user's circles.
Is it possible to remove the request for all of the people a user is connected with? Am I missing something with this? For example if I didn't request all of a user's connected people would the user no longer be able to share to them?
I'm aware of the Google OpenID sign-in functionality, but it doesn't provide the functionality I'd like for the future.
Whenever you use the Google+ sign-in button, the scope plus.login is added. As such, it will request the "know who you are on Google+" and "List of people you are connected with". A few notes on this:
The user has control over which people they share with you so if they don't want to share this information, it's within their control.
If you're interested in the information in the future - using the existing connections people have is a great way to make your site better - the access will be available to you.
If you still feel you should be able to just request the user's profile, please add a star/feature request to the issue tracker here:
https://developers.google.com/+/
The more information regarding why you want to do this and the clearer your request explanation, the better!

linking user accounts to their twitter/facebook/etc accounts

I have an existing rails app which uses 'devise' for authentication.
I would like users to be able to link their Twitter and Facebook accounts to their account on my site, so that my application can post updates on their behalf.
Ideally:
When registering, you can choose to set up a standard account, or use Twitter, Facebook, etc. credentials.
If a user chooses to use Facebook credentials, I would still like them to be able to link their Twitter account, so that my application can post to both at the same time on their behalf.
A bonus would be allowing them to have identities, so they could link Twitter account A to one identity, then switch identities and use another Twitter account.
My questions are:
If they use a standard account and link Facebook and Twitter, are they going to be prompted to enter those credentials every time I post on their behalf? Or does OmniAuth give me an infinitely valid token?
I know Devise can handle OmniAuth, but I can't seem to tell if it can handle what I am asking. It seems that its OmniAuth support is more along the lines of just authenticating site users against Twitter credentials, not linking multiple accounts.
Is there a Rails gem that does this, and is well supported? I see Socialite is no longer supported, but it seemed to be a one-or-the-other type deal, not what I want anyway.
Because I am already doing standard auth with Devise, would it be simpler to just force users to create a standard account, and then use the Twitter and Facebook APIs directly on top of that?
Looking for the best strategy here for doing what I want.
*Note: if you think I can get 75% of what I want for 25% of the effort that all my goals would take, let me know.*
Thanks,
~S

Does twitter have an open ID or are these 3rd party apps just really intrusive?

Can we build applications on top of the twitter user base?
Is it just another open id or something more?
I noticed when using TwitPic and some MUD-type game, 14mafia.com, that it uses my Twitter login (it tweets on your behalf).
If they are using my login/password, that's pretty crazy; I mean, what kind of security is that?
Anyhow, I just want a developer who has experience to tell me if we can re-use their membership like OpenID.
Can we build applications on top of the twitter user base?
The Twitter API is described at http://apiwiki.twitter.com/
Is it just another open id or something more?
Twitter is neither an OpenID consumer nor provider.
I noticed when using twitpic and some MUD type game 14mafia.com that it uses my twitter login (it tweets on your behalf).
If they are using my login/password that's pretty crazy, I mean what kind of security is that?
Awful security. Don't give out your password to third party sites. Some just use the password anti-pattern, others will steal your credentials for purposes you don't want.
Twitter supports OAuth today. If a site wants to do things with your Twitter profile, it should use that.
Anyhow, just want a developer who has experience to tell me if we can re-use their membership like openid?
No, you can't.
Twitter offers both OAuth and simple username/password authentication in its API. Originally they only had the basic authentication API, so many early apps were built using it. Later they added OAuth support, but since basic authentication was easier to use, many Twitter clients and apps still use it.
You can tell which one an application is using, because if they are using simple authentication they will ask for your password. You have to trust them with it in that case. You're right that it's poor security.
I imagine they are using the Twitter API.
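To make concrete what the answers above mean by "use OAuth rather than handing over your password", here is an added example in Python (not from any of the posts, and not Twitter's code) of OAuth 1.0a request signing: the client app signs each API call with a per-user token and token secret, and the API side verifies the signature, rejects replays and stale timestamps, and can revoke one app's token without the user ever changing their password. The signing steps follow RFC 5849 section 3.4 (HMAC-SHA1); the endpoint URL, keys, secrets, nonce and timestamp are constructed values, and the `ApiServer` class is an assumption standing in for the real resource server.

```python
"""Added example, not code from any post above: how an OAuth 1.0a consumer
(a Twitter client, say) signs an API call with a per-user token and secret
instead of the user's password, and how the API side verifies it. Signing
follows RFC 5849 section 3.4 (HMAC-SHA1); the endpoint URL, keys, secrets,
nonce and timestamp are constructed values, not Twitter's."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote


def pct(value) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Za-z0-9-._~ kept."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&encoded(url)&encoded(sorted, encoded k=v pairs). ``params`` holds
    every query/body parameter plus all oauth_* parameters except oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret) -> str:
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret.
    The user's password is never an input, so revoking the token ends the access."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_signed_request(method, url, body, consumer_key, consumer_secret,
                         token, token_secret, nonce=None, timestamp=None) -> dict:
    """What the client app sends: the body plus an Authorization: OAuth header."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**body, **oauth}, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return {"method": method, "url": url, "body": body, "authorization": header}


def parse_auth_header(header: str) -> dict:
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0a Authorization header")
    fields = {}
    for part in header[len("OAuth "):].split(", "):
        k, v = part.split("=", 1)
        fields[unquote(k)] = unquote(v.strip('"'))
    return fields


class ApiServer:
    """Constructed resource server (stand-in for the real API). It holds the
    consumer and token secrets and which user each token belongs to; the
    user's password is not stored here and plays no part in verification."""

    def __init__(self, consumers: dict, tokens: dict):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.tokens = tokens         # oauth_token -> (token_secret, user)
        self.seen = set()            # (consumer_key, nonce, timestamp) already used

    def revoke(self, token: str) -> None:
        self.tokens.pop(token, None)  # user revokes one app; password untouched

    def verify(self, req: dict, now=None, window: int = 300):
        """Return the user the request acts for, or None if it must be rejected."""
        oauth = parse_auth_header(req["authorization"])
        presented = oauth.pop("oauth_signature", "")
        consumer_secret = self.consumers.get(oauth.get("oauth_consumer_key"))
        entry = self.tokens.get(oauth.get("oauth_token"))
        if consumer_secret is None or entry is None:
            return None                           # unknown app or revoked token
        token_secret, user = entry
        ts = int(oauth.get("oauth_timestamp", "0"))
        now = int(time.time()) if now is None else now
        if abs(now - ts) > window:
            return None                           # stale: outside the replay window
        replay_key = (oauth.get("oauth_consumer_key"), oauth.get("oauth_nonce"), ts)
        if replay_key in self.seen:
            return None                           # nonce reuse: replayed request
        expected = sign(req["method"], req["url"], {**req["body"], **oauth},
                        consumer_secret, token_secret)
        if not hmac.compare_digest(expected, presented):
            return None                           # tampered body or wrong secrets
        self.seen.add(replay_key)
        return user


def demo():
    """Constructed keys and a fixed nonce/timestamp so the run is reproducible."""
    server = ApiServer({"app-key": "app-secret"}, {"user-token": ("user-token-secret", "alice")})
    req = build_signed_request(
        "POST", "https://api.example/1.1/statuses/update.json",
        {"status": "Hello, world!", "include_entities": "true"},
        "app-key", "app-secret", "user-token", "user-token-secret",
        nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg", timestamp=1318622958)
    return server, req


if __name__ == "__main__":
    server, req = demo()
    print(req["authorization"])
    print("acts for:", server.verify(req, now=1318622958))
```

The contrast with the "password anti-pattern" is in what the third party holds: with basic authentication it has the password itself, good for anything the user can do and only revocable by changing the password everywhere; with OAuth it holds a token the provider can scope and the user can revoke per app, and the token secret never travels on the wire after issuance, only signatures made with it.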

Resources