Laravel 5.3 - Social login doubts

I am developing a mobile app and currently depending on JWT to maintain the statelessness of the API. The API is consumed by mobile and web devices. The users will use their email and password to register.

I am assigned to implement social login option in this API. I would like to clear my following doubts.

1) When Social Login is used, how can I generate a token [like JWT] which will be stored at the client's end? This token is supposed to be sent with all subsequent requests after login.

2) In case social platforms are not providing/sharing email address [which is one of our primary keys], what all information shall I store?

logeeks asked Feb 19 '17 12:02



1 Answer

SHORT ANSWER

  1. You have to link the social login user to your standard user table and generate the (JWT) token as you are already doing
  2. Social logins always return an ID identifying the user on the social network. In an external table, store the social network used and the social_id, together with the user_id of your main users table

LONG ANSWER

Let's start from the beginning in order to have a better view of the whole issue and clear up all the aspects of your doubts.

Basic user table
Usually you have a Users table structured in this way (simplified)

  • user_id
  • login (email)
  • password
  • jwt_token

When the user logs in, you are going to update the jwt_token field and return it to the user in order to consume your APIs.

Implementing social logins
A good approach to add social logins is to create a new social_logins table structured as follows (simplified)

  • social
  • social_id
  • user_id

Once you "social login" a user, you get a list of data from the social network itself. Note that users can disallow the retrieval of their private email address (ex. from Facebook) even if you are explicitly asking for it.

The first thing you have to do is to check if the social returned you the user's email address.

  • if an email is returned, look for a user with that email address in your users table and create a record in the "social_logins" table creating a relation with the user using the user_id field
  • if the email is blank, you have to create a new user in the user table creating a "fake" email address (with a standard method - not random) and then create your social_login record

To avoid creating double users (different email addresses), I always prefer to ask the user to confirm his email address: with this simple question you can postpone the previous check and reduce the amount of double users. So, if the social login isn't returning you the email address, you just show an empty field asking the users to fill it with their email address that you will then use to look for a user in the users table. If instead you got it, just show the user the same field filled and ask him to confirm the email address or change it if he prefers to use another address or if he is already registered to your app with another email address.

Simone Cabrino answered Oct 12 '22 18:10

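The linking flow from the answer above (look up by social + social_id, else by email, else create a user with a deterministic placeholder email, then issue the token), as an added framework-neutral Python example that is not part of the original post. It uses an in-memory stand-in for the users and social_logins tables and an opaque random token in place of the JWT the existing login already issues; the `email_verified` flag is an extra check not in the answer, so a provider-supplied address is only used to link onto an existing account when the provider reports it as verified.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Store:
    """In-memory stand-in for the two tables described in the answer."""
    users: dict = field(default_factory=dict)          # user_id -> {login, password, jwt_token}
    social_logins: dict = field(default_factory=dict)  # (social, social_id) -> user_id
    next_id: int = 1


def placeholder_email(social: str, social_id: str) -> str:
    """Deterministic (not random) fake login, so the same social account always maps to one user."""
    digest = hashlib.sha256(f"{social}:{social_id}".encode()).hexdigest()[:16]
    return f"{social}-{digest}@social-login.invalid"   # .invalid is a reserved TLD, never deliverable


def issue_token(store: Store, user_id: int) -> str:
    """Stand-in for the JWT your password login already issues; stored like the answer's jwt_token field."""
    token = secrets.token_urlsafe(32)
    store.users[user_id]["jwt_token"] = token
    return token


def social_login(store: Store, social: str, social_id: str, email, email_verified: bool):
    """Return (user_id, token) for a social login, linking or creating the local user as needed."""
    key = (social, social_id)
    if key in store.social_logins:                      # returning social user: already linked
        return store.social_logins[key], issue_token(store, store.social_logins[key])
    # Assumption beyond the answer: only trust the provider's email for linking onto an existing
    # account when the provider reports it verified; otherwise treat it as if it were blank.
    if email and not email_verified:
        email = None
    login = email or placeholder_email(social, social_id)
    user_id = next((uid for uid, u in store.users.items() if u["login"] == login), None)
    if user_id is None:                                 # no matching user: create one
        user_id = store.next_id
        store.next_id += 1
        store.users[user_id] = {"login": login, "password": None, "jwt_token": None}
    store.social_logins[key] = user_id                  # create the social_logins record
    return user_id, issue_token(store, user_id)
```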