I have a RESTful API that multiple clients connect to (web, iOS, and Android apps). Currently, users can only create accounts with a username and password (email is optional) and they are represented in the database with exactly those columns.
A user "logs in" via our API by POSTing to a /session endpoint. The API response is a new secret token (which we associate with the username). The client uses this token to sign all POST requests initiated by the client which our API later uses to authenticate requests.
However, we now want to allow social login (Google+, FB, Twitter). Our users also want to use social login for the convenience but would prefer that they choose their own random username to be displayed next to their comments, etc.
My question: what changes do I need to make to my API in order to support social login? Do I need to make significant changes to my database schema to support this and, if so, what exactly? Also, does the server need to know anything about access tokens granted by the social login provider?
Please note that the scope of this feature does NOT include the ability to associate multiple social login accounts with the same person. I want to keep things as simple as possible.
Generally confused about how to properly implement this. I'd prefer to keep things as simple as possible so extra points for a simple solution. Any advice would be greatly appreciated.
Social Login is a simple process, with the following steps. The user enters your application and selects the desired social network provider. A login request is send to the social network provider. Once the social network provider confirms the user's identity, a current user will get access to your application.
Social login means users don't have to create and keep track of more credentials, lessening password fatigue and login failures. A trustworthy process: Regardless of the site users are accessing, social sign-on provides a recognizable, uniform method of logging in.
users (user_id integer, nickname varchar(64), email varchar(255), password varchar(64), email_verified boolean, enabled boolean, created_at timestamptz, updated_at timestamptz)
Thing to note here is that user_id is the primary key, nickname is unique, email is unique, email_verified has a default value of FALSE, enabled has a default value of TRUE, password is OPTIONAL thanks to social login
My social_tokens table looks like this
social_tokens (provider_user_id varchar(255), provider_type enum('facebook', 'twitter', 'google', 'github'), user_id integer, access_token varchar(255), refresh_token varchar(255), expires timestamptz, created_at timestamptz, udpated_at timestamptz)
While it can be argued that provider_user_id is UNIQUE for each user in a given social network, what about different social networks? hence the combination
The idea is that each user may have multiple social logins
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With