Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How can I integrate social login to my existing user schema/login system?

Tags:

authentication

oauth

database-design

login

single-sign-on

I have a RESTful API that multiple clients connect to (web, iOS, and Android apps). Currently, users can only create accounts with a username and password (email is optional) and they are represented in the database with exactly those columns.

A user "logs in" via our API by POSTing to a /session endpoint. The API response is a new secret token (which we associate with the username). The client uses this token to sign all POST requests initiated by the client which our API later uses to authenticate requests.

However, we now want to allow social login (Google+, FB, Twitter). Our users also want to use social login for the convenience but would prefer that they choose their own random username to be displayed next to their comments, etc.

My question: what changes do I need to make to my API in order to support social login? Do I need to make significant changes to my database schema to support this and, if so, what exactly? Also, does the server need to know anything about access tokens granted by the social login provider?

Please note that the scope of this feature does NOT include the ability to associate multiple social login accounts with the same person. I want to keep things as simple as possible.

Generally confused about how to properly implement this. I'd prefer to keep things as simple as possible so extra points for a simple solution. Any advice would be greatly appreciated.

like image 395
LuxuryMode Avatar asked Jul 15 '14 00:07

LuxuryMode

People also ask

How do you implement social login?

Social Login is a simple process, with the following steps. The user enters your application and selects the desired social network provider. A login request is send to the social network provider. Once the social network provider confirms the user's identity, a current user will get access to your application.

Is social login worth implementing?

Social login means users don't have to create and keep track of more credentials, lessening password fatigue and login failures. A trustworthy process: Regardless of the site users are accessing, social sign-on provides a recognizable, uniform method of logging in.

1 Answers

  • I had the exact same issue
  • I needed Facebook Twitter Google and GitHub login
  • Lets have a look at how this is supposed to work
  • I have 2 tables, a users table and a social_tokens table
  • My users table looks like this

users (user_id integer, nickname varchar(64), email varchar(255), password varchar(64), email_verified boolean, enabled boolean, created_at timestamptz, updated_at timestamptz)

  • Thing to note here is that user_id is the primary key, nickname is unique, email is unique, email_verified has a default value of FALSE, enabled has a default value of TRUE, password is OPTIONAL thanks to social login

  • My social_tokens table looks like this

social_tokens (provider_user_id varchar(255), provider_type enum('facebook', 'twitter', 'google', 'github'), user_id integer, access_token varchar(255), refresh_token varchar(255), expires timestamptz, created_at timestamptz, udpated_at timestamptz)

  • provider_user_id is the unique ID that a social network assigns to each user
  • provider_type is an enum with 4 values in my case, facebook, twitter, google and github
  • user_id REFERENCES the user_id from users table
  • access_token and refresh_token (if provided) are simply tokens allocated by the provider
  • google seems to have the concept of expiry so I added an expires column as well, it is OPTIONAL for the rest
  • PRIMARY KEY is the combination of (provider_user_id, provider_type, user_id) because a single user may have more than one social login so user_id CANNOT be the primary key

  • While it can be argued that provider_user_id is UNIQUE for each user in a given social network, what about different social networks? hence the combination

  • The idea is that each user may have multiple social logins

  • If you had a Twitter [email protected] and Facebook [email protected] both and if you login via both atleast once, they both are part of your login now
like image 158
PirateApp Avatar answered Sep 24 '22 02:09

PirateApp
Sign in to Comment

Related questions

How to disable NTLM authentication for OPTIONS requests in IIS
Proper HTML markup and authentication flow for password manager compatibility?
Generate a secure token for api access
Login with google - how to log out?
Configuring authentication for webpack proxy
react-boilerplate authentication login page flashes on page reload
Authentication Flow Using Android Navigation Component
How can I sign-in through an email link/magic-url to open a pwa instead of the browser to authenticate a user in an iOS device?
Prompt a user to login after he takes a certain action
Using Basic Authentication and Forms authentication on same site
Rethinking the User Login Process: User/Display Name and OpenID
Race Condition for Persistent "Remember Me" Cookies
Using Google-Account to log in [closed]
deny anonymous for all pages except the "~/" path in asp.net
FB error:Expected 1 '.' in the input between the postcard and the payload
Authentication on Google App Engine (web page)
Authenticating Dropbox leaves open Browser
Correct cookie management
Letting a pure HTML/CSS/JS SPA application ask the user for his username/password and pass it to ADFS?
Web API authentication and authorization (OAuth)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!