What is the standard with OAuth for remembering users?

My colleagues and I are developing an application (both a web application and a mobile application (iPhone and Android)) that includes a login process. We currently have our own login mechanism (users sign up for an account in our application and we save the information in our database). We are looking into OAuth integration to allow users to log in with Facebook, Twitter, LinkedIn and Google.

Now, when users sign in with any of these, I understand that the login process takes place outside of our application and we basically only get access to their resources.

My question is: with OAuth, how do we remember users? That is, users have read and write permissions and preferences. How do we remember those when they do not sign up with our application? Can we save their email address in our “Users” table?

What are the best practices in such a scenario?

Thanks for any information you can provide.

+6

1 answer

Having built authentication databases for several different websites that support OAuth, I can say that I have learned a few things that you should keep in mind.

  • You should have a user table for your site that is completely independent of the OAuth provider they used to register / sign in. This allows users of your site to combine multiple accounts together under their primary identity on your site (for example, connect both Facebook and Twitter to you).
  • When you let a user register, you should get an email address from them, whether you ask Facebook for it or ask them directly. This allows you to “upgrade” users later from depending on third-party OAuth to setting their own password on your site. (You simply send them a link to the password reset page so that they can create their first password.)
  • You do not want to use the email address as the primary key. I'm not sure if this is what you are actually describing or not, but you really want them to have a local user id that you use to maintain your session, etc. Then you associate their Facebook ID or their Twitter ID with this local ID and use the mapping between those IDs to work out which of your site's users should be logged in.
+11
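The data model the answer describes, as an added example (this is not code from the question, the answer, or any named project): a local `users` table keyed by its own integer id, an `identities` table that maps `(provider, provider_user_id)` pairs onto that local id, the e-mail stored for later upgrade to a local password, and a login helper that resolves an OAuth identity to the local id the session should be keyed on. Table and function names are assumptions chosen for the example; it uses only the Python standard library with an in-memory SQLite database. One caveat the answer does not spell out is handled here: a new provider identity is only auto-linked to an existing account by e-mail when the provider reports that address as verified, otherwise silently merging would let anyone who can register an unverified address at a provider take over the matching local account.

```python
"""Added example: local user ids independent of the OAuth provider.
Assumed schema and helper names; uses an in-memory SQLite database."""
import hashlib
import hmac
import os
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,   -- local id: what the session carries, never the e-mail
    email         TEXT NOT NULL UNIQUE,  -- kept so the account can be upgraded / recovered
    password_hash TEXT                   -- NULL until the user sets a local password
);
CREATE TABLE identities (
    provider         TEXT NOT NULL,      -- 'facebook', 'twitter', 'google', ...
    provider_user_id TEXT NOT NULL,      -- the id the provider reports for this user
    user_id          INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (provider, provider_user_id)
);
"""


def open_db():
    """Create the schema in a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def login_with_provider(conn, provider, provider_user_id, email, email_verified):
    """Resolve an OAuth login to a local user id, creating or linking as needed.

    Only the (provider, provider_user_id) pair identifies the account. The
    e-mail is stored, but it is used to attach a *new* provider identity to an
    existing local user only when the provider says it is verified.
    """
    row = conn.execute(
        "SELECT user_id FROM identities WHERE provider = ? AND provider_user_id = ?",
        (provider, provider_user_id),
    ).fetchone()
    if row:
        return row[0]  # identity already linked to a local user

    existing = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    if existing and not email_verified:
        # Do not merge on an unverified address: the user should sign in with
        # their existing method and link this provider explicitly instead.
        raise ValueError("e-mail already registered; explicit linking required")
    if existing:
        user_id = existing[0]
    else:
        user_id = conn.execute("INSERT INTO users (email) VALUES (?)", (email,)).lastrowid

    conn.execute(
        "INSERT INTO identities (provider, provider_user_id, user_id) VALUES (?, ?, ?)",
        (provider, provider_user_id, user_id),
    )
    conn.commit()
    return user_id


def linked_providers(conn, user_id):
    """List the providers attached to one local user."""
    rows = conn.execute("SELECT provider FROM identities WHERE user_id = ?", (user_id,))
    return [r[0] for r in rows]


def set_local_password(conn, user_id, password):
    """The 'upgrade' step: give a provider-only account its own password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    conn.execute(
        "UPDATE users SET password_hash = ? WHERE id = ?",
        (salt.hex() + "$" + digest.hex(), user_id),
    )
    conn.commit()


def verify_local_password(conn, user_id, password):
    """True only if the user has set a local password and it matches."""
    row = conn.execute("SELECT password_hash FROM users WHERE id = ?", (user_id,)).fetchone()
    if not row or row[0] is None:
        return False
    salt_hex, digest_hex = row[0].split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = open_db()
    # Constructed sample logins: one user arriving via two providers.
    alice = login_with_provider(db, "facebook", "fb-123", "alice@example.com", True)
    login_with_provider(db, "twitter", "tw-999", "alice@example.com", True)
    print(alice, linked_providers(db, alice))
```

The session only ever stores the local `users.id`; swapping providers, adding a second one, or later setting a password leaves that id unchanged, which is the point of keeping the user table independent of any single OAuth provider.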

Source: https://habr.com/ru/post/918801/
