Using OAuth but store extra information in my own DB

Question

I've been looking into OAuth for a while, but haven't implemented it in any of my applications yet. I'm having trouble really understanding the full concept, so I still have a few questions that I haven't found an answer to, so I hope that anyone can help me.

I want a user to be able to start my application (WP8), login to facebook / twitter / microsoft / ... . When he gets authenticated, I want to actually save this user to my own DB so I can add some user specific stuff like preferences, posts, ... .

What do I need to save in my own DB to specify a user? Do I need to save the token itself or is this something that will be invalidated after a while? Or do I need to specify the user's name? With other words: What can I use as a unique identifier?

And what happens when a user would authenticate with for example facebook and he deletes his account?

And one more question, would you ever allow a user to connect to an application with 2 different service providers? If so, how would you make the coupling of these 2 providers to 1 user in your own DB?

I hope my questions are clear enough! If not, don't hesitate to ask for more information!

Kind regards,

Gert

Answer 1

I assume that you have your own back-end where you authenticate your own users and your WP8 application is just a client.

First, let me distinguish between a user credential and a user profile. User credential is something that validates who the user is, e.g. username/password, facebook user id supplied with a valid auth token. User profile, is what you store in your own database about the user.

You also need to distinguish between a token you use to authenticate the user and the AccessToken Facebook needs to grant you access to user's data.

So... to answer your questions:

What do I need to save in my own DB to specify a user?

Create a record with user data (like preferences, and your unique user ID), and user's login method (e.g. Facebook) and credential (e.g. Facebook's user ID). This is your user's profile.

Do I need to save the token itself or is this something that will be invalidated after a while?

You can also store the Facebook AccessToken here if you've been granted "offline access" privileges by Facebook, but that is used for Facebook's access by you... not by the user's access to your app/back-end. For user's access you could just use a mechanism similar to cookie-based authentication - it's up to you. You could use the AccessToken as a kind of a "cookie", but you would need to always check against Facebook that it's valid.

With other words: What can I use as a unique identifier?

You could treat Facebook's ID as unique (so long as you never allow another account in your user profile DB to link with the same Facebook account)

And what happens when a user would authenticate with for example facebook and he deletes his account?

It's a good idea to have users still create a username/password combination that works with you site and only rely on Facebook login for convenience. In any case, Facebook provides a "Deauthorize Callback URL" when you create an app profile on Facebook. This is called when a user deactivates your app or deletes an account with Facebook. When you receive this call, you could send your user an email when an auth link to setup a different credential so as to not lose access.

would you ever allow a user to connect to an application with 2 different service providers? If so, how would you make the coupling of these 2 providers to 1 user in your own DB?

Sure, you could do that. Say you'd want to allow a Twitter account as well. You'd need to add a Twitter user ID field to your user profile database.

Here's another tip: create an ASP.NET MVC4 project in Visual Studio - the template includes an example of how to set up a user profile database with OAuth login.

Hope it gives you the high-level overview to investigate further.