Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is the standard with oAuth for remembering users?

Tags:

oauth

user-accounts

twitter-oauth

facebook-oauth

Me and my colleagues developing an application (both web application and mobile app(iPhone & android)), which includes a login process. Currently, we have our own login mechanism (where users have signed for an account on our app, and have stored their info in our Database). We are looking into integrating oAuth and allowing users to login with Facebook, Twitter, LinkedIn and Google.

Now, when the users logs with any of those, as I understand the login process occurs outside our application and basically only get permission to access their resources.

My question is this: through oAuth, how do we remember users? i.e., users who login have read /write privileges and have preferences. How do we remember those when they don't actually sign up through our app.. Can we store their email address in our "Users" table??

What are the best practices in such a scenario?

Thanks for any info you can provide.

like image 388
mustang888 Avatar asked Jun 22 '12 22:06

mustang888

1 Answers

Having built authentication databases for a few different OAuth-enabled web sites, I can say that I've learned a few things that you should keep in mind.

  1. You should have a table of users for your site that is completely independent of which OAuth provider they used for sign-up/sign-in. This enables your site users to combine multiple accounts together under their primary identity on your site. (For example, associate both Facebook and Twitter with you.)
  2. When you let a user sign up, you should get an email address from them. Whether you ask Facebook for it, or if you have to ask directly. This enables you to "upgrade" users later from depending purely on third party OAuth to setting their own password on your site. (You simply send them a link to your password reset page in order to get them started creating their first password.)
  3. You don't want to use email address as your primary key. I'm not sure if that's what you're actually describing or not, but you really want them to have a local user ID that you use for maintaining their session, etc. You then associate their Facebook ID or their Twitter ID with that local ID, and use the correspondence between such identifiers to match up which of your site's users to consider logged in.
like image 129
sblom Avatar answered Sep 28 '22 08:09

sblom
Sign in to Comment

Related questions

Android Dev - Callback URL not working... (0_o)
how to sign out in LinkedIn using authrequest using android?
Google Contacts read only (OAuth 2.0)
Backbone.js + jsOAuth
Using AppEngine/Go Users API with OAuth: code sample, workflow, any help?
Android and Twitter4j: Handling OAuth with a Webview widget?
How can I get UIWebView to open Facebook login page in response to the OAuth request on iOS 5 and iOS 6?
Ruby Gem Twitter - certificate verify failed (Twitter::Error::ClientError)
Using dropboxjs to authenticate the client with oauth 2. What about the server?
Refreshing an OAuth access token for Microsoft Live API
How to setup Kibana SSO (through OAuth)?
Spotify API Authorization for cron job
Oauth 2 popup with Angular 2
How I can get user info profile from Google API?
Why must we "change temporary credentials for token credentials" in OAuth?
Authentication and authorization for RESTfull API (java jersery)
how to authorizate use google-api-ruby-client
What are the different options for social authentication on Appengine - how do they compare?
Getting First Name/Last Name/Email from Twitter using OAuth
Passing authorization header for oauth token request

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!