I'm currently creating a web app using Google's oAuth. I was wondering how I can uniquely identify an authenticated user so I don't accidentally add duplicates.
Doesn't Google give you other unique params like user name or user ID?
For example, Twitter and Facebook, give you user name and a unique url that identifies user's profile picture. If you save that params on server-side you can identify user next time that he comes on your site.
The best way to do this would be to use OpenID with the oAuth extension (aka hybrid).
I am currently using OAuth exclusively and I am requesting the https://www.googleapis.com/auth/userinfo#email scope as described on http://sites.google.com/site/oauthgoog/Home/emaildisplayscope to get the email address of the authenticated user. I am using the email address to uniquely identify the user. This should be good enough for now.
Edited:
According to a recent Google developer comment (https://groups.google.com/group/oauth2-dev/browse_thread/thread/cf5c137f872f9932), they are currently working on this problem, but for anything production ready, you should use OpenID authentication.
You should save somewhere the user_id you have for your users in your site, along with the corresponding access_token and access_token_secret.
Then you can query that table (or wherever you save that information) with the user_id and obtain the proper tokens
Regards
Related
My question is similar to What data can I save in my database to verify a user with Google sign in API?
I've built Google Sign In correctly and I get a response from the API like this:
{
"iss":"https://accounts.google.com",
"at_hash":"xxx",
"aud":"xxx.apps.googleusercontent.com",
"sub":"xxx",
"email_verified":true,
"azp":"xxx.apps.googleusercontent.com",
"email":"xxx#gmail.com",
"iat":xxx,
"exp":xxx
}
The SO link above says to save the sub field as this is a unique identifier. I can save the email/sub no problem. My question is: How do I allow this user to sign in next time with an email/password form, if they choose to do this, versus OAuth? I guess I could force them to sign in thru OAuth, then verify they're signed in and have them create a password, but I don't know if that's the best way to do this.
The "sub" parameter is only guaranteed unique for the "iss" parameter. So the combination of "iss" and "sub" is globally unique.
If you MUST store a password you will need to ask the user. Some apps put in a random-complex password for every user as some application frameworks require a password. This may be helpful if they forget they used Google to sign in for you to do you due diligence in assigning a temporary password for the user with the email address.
You should of course consider that the email address is globally unique at any given time, but could be reassigned in some cases.
I get a slightly changing User ID's on sign up/login when authenticating with xing oauth. Something like:
37578662_a467ef and 37578662_76a7fe.
Does somebody know if the user id changes when using a xing test key? Or if I could rely on the first part (before underline) to be equal and consistent on login?
Using python-social-auth and Django
Best
Johannes
Sry, found the answer. The user-id relies to the xing-app that asks for the user, which can only be configured by one developer account...
So you need to use the same credentials to ask for the users to be able to find the same user by using the user-id again.
I am developing a MVC project where I am trying to get the user id or user name from the facebook by using the email id provided by the user,
actually i want to fetch the photo of the user, which can be done using
graph.facebook.com/user_id|user_name/picture
where as i have only have the user email id.
with a little surfing on net i found that user name or user id can be fetched by using
graph.facebook.com/search?q=emailAddress&type=user&access_token=ACCESSTOKEN
but i was not able to get the access_token.
Also referred
developer facebook page
and also this
Any help or direction to work will help indeed.
Basically i understand that i need a access token to get the details.
So how do i do this in my MVC application
As you can read in the Search API docs, you can only search for Users by name, but not by E-Mail. It may have been possible in the past, but it is definitely not possible anymore.
Also, for searching by name, you need to use a User Access Token. You only get one by authorizing a User: https://developers.facebook.com/docs/facebook-login
I've been looking into OAuth for a while, but haven't implemented it in any of my applications yet. I'm having trouble really understanding the full concept, so I still have a few questions that I haven't found an answer to, so I hope that anyone can help me.
I want a user to be able to start my application (WP8), login to facebook / twitter / microsoft / ... .
When he gets authenticated, I want to actually save this user to my own DB so I can add some user specific stuff like preferences, posts, ... .
What do I need to save in my own DB to specify a user?
Do I need to save the token itself or is this something that will be invalidated after a while? Or do I need to specify the user's name? With other words: What can I use as a unique identifier?
And what happens when a user would authenticate with for example facebook and he deletes his account?
And one more question, would you ever allow a user to connect to an application with 2 different service providers? If so, how would you make the coupling of these 2 providers to 1 user in your own DB?
I hope my questions are clear enough!
If not, don't hesitate to ask for more information!
Kind regards,
Gert
I assume that you have your own back-end where you authenticate your own users and your WP8 application is just a client.
First, let me distinguish between a user credential and a user profile. User credential is something that validates who the user is, e.g. username/password, facebook user id supplied with a valid auth token. User profile, is what you store in your own database about the user.
You also need to distinguish between a token you use to authenticate the user and the AccessToken Facebook needs to grant you access to user's data.
So... to answer your questions:
What do I need to save in my own DB to specify a user?
Create a record with user data (like preferences, and your unique user ID), and user's login method (e.g. Facebook) and credential (e.g. Facebook's user ID). This is your user's profile.
Do I need to save the token itself or is this something that will be invalidated after a while?
You can also store the Facebook AccessToken here if you've been granted "offline access" privileges by Facebook, but that is used for Facebook's access by you... not by the user's access to your app/back-end. For user's access you could just use a mechanism similar to cookie-based authentication - it's up to you. You could use the AccessToken as a kind of a "cookie", but you would need to always check against Facebook that it's valid.
With other words: What can I use as a unique identifier?
You could treat Facebook's ID as unique (so long as you never allow another account in your user profile DB to link with the same Facebook account)
And what happens when a user would authenticate with for example facebook and he deletes his account?
It's a good idea to have users still create a username/password combination that works with you site and only rely on Facebook login for convenience. In any case, Facebook provides a "Deauthorize Callback URL" when you create an app profile on Facebook. This is called when a user deactivates your app or deletes an account with Facebook. When you receive this call, you could send your user an email when an auth link to setup a different credential so as to not lose access.
would you ever allow a user to connect to an application with 2 different service providers? If so, how would you make the coupling of these 2 providers to 1 user in your own DB?
Sure, you could do that. Say you'd want to allow a Twitter account as well. You'd need to add a Twitter user ID field to your user profile database.
Here's another tip: create an ASP.NET MVC4 project in Visual Studio - the template includes an example of how to set up a user profile database with OAuth login.
Hope it gives you the high-level overview to investigate further.
Trying to access user profile from Yahoo using Oauth system and for that i am taking help of Scribe-Java API
its working fine except one issue whcih i am sure not related to the API i am using
In my yahoo profile i have following settings
Yahoo! Email --->amy_yahoo_id#yahoo.com
Email--->other_id#gmail.com Primary - Change
So what i am getting back is other_id#gmail.com which means i am not able to get correct information of the logged in user.Once i am able to get guid i am sending the request to following URL
http://social.yahooapis.com/v1/user/guid/profile?format=json
any way i can get the yahoo mail id to which user is associated in place of other id even if that is set as primary or along with any other email id all i want is to get the yahoo mail id of the user by which he/she logged in to the system.
Is there any specific reason you must get the yahoo account's email?
I also facing the same problem as you earlier.
After think over, primary email means to be the contactable email for the user.
So may be that's why yahoo make it that way.
Of course it will be good if they can provide one more email which is account's email.
But if you just want to have unique identifier, we can use the guid.
So may be you can check again, does your requirement must have the account's email?
or you just need an email where user set primary because they preferred to be contactable by that email?
Now I will just make use of the primary email return from Yahoo for my OAuth