I have a query that I want to set re-authentication in my website like this:
If i registered once in my website and link my account with twitter then next time I logged into the website I would not need to log in with twitter. It will be automatically connected with twitter.
You'll still need to authenticate with twitter each time, but you can save the users oauthtoken and oauthtoken secret to a mySQL database so you don't have to ask the user to authenticate manually. The keys, if you will, never expire. Your apps authentication can however be revoked by the twitter user. Here's a helpful tutorial on getting setup from scratch. Some of the first steps have changed, but "Registering users" section will be helpful to you.
Related
I've managed to have an user sign in for my website through Facebook. It works this way:
User goes to my website and chooses to sign in with Facebook
Users goes to Facebook to authorize my app
If the app is authorized, the user comes back to my website and gets registered into my database
The user remains logged in via a cookie set by my website
I store these pieces of information from Facebook: username, email and ID.
What should happen if:
User logs out from Facebook and is still logged into my website? I still have that cookie and session that lets the user remain online, so even if the user isn't logged on Facebook, my users still can benefit from my website. Is this behavior normal or should it be avoided?
An user removes my Facebook App from his authorized apps list? The user is now part of my database, but the user removed the app from his account. How should I deal with this? How can I check if the App->Website connections are still valid for that user? If an user removed the app from his account, should I also remove him from my database? If yes, again, how do I make that check?
There are quite a few other things that are puzzling me and I think I should dedicate another question to those later on.
I'm using Facebook PHP SDK for all these tasks.
P.S: I only use Facebook as an authentication method for my website, nothing more.
To answer your question here are few things we do for the facebook connect
If user choose to create an account with the FB connect, we grab the
details like firstname,lastname, email, fb_userid and then save to
our database.
If the same user when comes user has to click on the FB login button and we check in our database if the API return fb_userid is in
our database and process the login and give access to the user pages.
So ideally we never store the fb_userid in the cookie and next time if the user comes just do the autologin.
Now what if user remove the app from FB, since we do not allow auto login by cookie saved data the user must click on the login button and then re-authorized the app. Since the fb_userid is already in our db, we detect the user after giving permission and let them login.
We have one advantage in our case , i.e. our web app requires monthly subscription so user has to pay for that. So usually people who do want to continue they come to our web site and cancel the account, we then remove the user info and that way fb_userid is also removed at our end. This makes us not to worry what if user remove the app from their FB, since if someone has to cancel they will do it from our website since they are in monthly recurrent billing.
I suppose in your case its not as above point, so you can do the following without violating any terms and conditions
Do not store the session in cookie and make user login with FB button
each time they come to your website. Also make a small note on your
website next to FB login button as "what is this ?" as may be a tool
tip and mention that the website will store the users fb_userid and
this will not be shared with any 3rd party.
Also mention that in case they remove the app from their facebook the id will be still there in our database and create
a cancel account page where user can cancel the account, but that
needs the user to be logged in. Once they cancel the account remove
the FB id from your DB.
Finally I dont think any API call could be used to see if the user has removed the app for offline users, but people who have logged to your site using the FB connect different permissions could be checked as
$permissions = $facebook->api( "/me/permissions" );
If the app requires Facebook, then you need to test the cases you mention and generate appropriate error messages. Beyond that, you just provide obvious ways for your user to clean up, like a working uninstall command.
On my site i gave two options for user to login FB and Twitter, I successfully got user info from both APi's, now I want to handle facebook and twitter users in my MySQL database as one user.
For example : If someone registers with his FB profile and later if same user logged in with his Twitter account .I want to identify the user then.
Can it be possible? Any how?
if the user has used the same email address for facebook and twitter accounts, then if you have used the oauth settings to have carnal access to the facebook and twitter accounts then you could pick this out and compare them, but it's terrible practice.
on your own app do you ask for additional information? could you put in a branch that if a user is entering in data that you already have then you ask them if they are the same user? possibly checked by password?
Could you supply more information if i have misunderstood?
Margaret
Twitter and Facebook accounts are not generally linked, there is no way for you to find out automatically if they belong together. Even the email address could be misleading.
But is this even necessary? I would assume that a user that decides to log into your site via Facebook will always use Facebook. When they decide to user their Twitter login instead, they will expect to have a separate account.
You could give users the ability to "link" their accounts. When they have logged in via Facebook, provide a button "Add Twitter account" and vice versa. Then you can be sure that the person owns both accounts. This could even work when a user has multiple Facebook or Twitter accounts.
It is possible, however you would need to have a facebook field and a twitter field in the user table, and you would need to provide the user with the means of associating their existing account with their twitter / facebook account (whichever they weren't already using).
Personally I would favour having a user table which requires neither facebook nor twitter, but can use both. That we, Google+ people can use your site without being offended.
In my website I have put up Login with Google, Login with Facebook and Login with Twitter.
But if the same user logs in using different providers, ie. the user first logs in using Facebook and then logs out and then logs in using Google I need to identify that both are the same person.
Currently what I am doing is that if the Facebook and Google accounts has the same email id I combine the accounts. The problem is that if the user is logging in using Twitter I wont be getting their email Id which means I cant uniquely identify them.
Does anyone have any other solution ? Thanks
You might consider linking users fb,gmail or twitter to a local db on your site,
Alternate method
Whenever user logs in using any method generate a userid generated from your mysql db and save to a cookie, next time user logs in via any method retrieve the ip and cookie details and update your mysql database accordingly.
Next time user logs in , your system will know about their particulars.
Hope it helps.
I just wanted to make sure I had this understood correctly.
When I authenticate a Twitter account, I am given back the access_key and access_secret.
If I want to permanently retain this user's Twitter account authentication between logins, do I store the access_key and access_secret in the database with the user's account info, and then load those 2 tokens into the session whenever this user logs back in for API access without authenticating with Twitter services upon each login?
Thanks guys
Looks like that'd be a yes. I ended up finding a helpful article
http://net.tutsplus.com/tutorials/php/how-to-authenticate-users-with-twitter-oauth/
So I am trying to let my customers login in with Twitter, and just twitter.
Twitter says "You should never store a password for your users again", but how am I going to reauthenticate my users with twitters API?
If I resend the user to twitter after they have deleted their session, twitter asks the user again if they want to give acces to my application.
Is it at all possible to have seamless intergration with twitter accounts without ever storing local user data?
EDIT
It seems that the question is not extremely clear. What I have experienced using for example http://forum.jquery.com/. They use OpenID. I click "Login with google". I get redirected to google. Google remebers I gave acces to Zoho once and instantly sends me back to forums.jquery.com, this time with an access_token for zoho to authenticate me with. I have no persistent data with Zoho. Yet they can log me in.
What twitter with OAuth does is the following. A user comes to my site, they click "Login with twitter" and get redirected to twitter.
Twitter asks them again whether they want to give the application access to their data. Instead of the immediate redirect google does.
Is it possible for twitter to immediatly redirect the user to me. Is there a setting for me I am overlooking.
Send users to https://api.twitter.com/oauth/authenticate instead of https://api.twitter.com/oauth/authorize. If the user is already signed into Twitter and has previously authenticated with your app they will be redirected without seeing an allow/deny prompt.
What you store from Twitter are the user's TOKEN and user's SECRET. Those values are issued by Twitter (or any oauth provider) when you are in the process of oauth authentication.
You can get the idea using this library in PHP:
https://github.com/abraham/twitteroauth
Or this one in Ruby:
https://github.com/jnunemaker/twitter
The process is quite straightforward once you tried with any real example. It is not difficult at all.
There are also some nice screencasts here:
http://railscasts.com/episodes/241-simple-omniauth
http://railscasts.com/episodes/235-omniauth-part-1
http://railscasts.com/episodes/236-omniauth-part-2
Have you actually read the API?
Read the getting started page, you don't store passwords you store access tokens for the user. And if you want people to log in and register your going to have to store some data ;-)
I had this problem exactly and solved it using setAuthorizedUrl method - for more details see here http://www.evilprofessor.co.uk/359-sign-in-with-twitter-using-zend-framework/
This tutorials might Helpful for you.
Twitter API connect using oAuth
Cristian comment is what I was looking for.
You have to save those values in any persistent storage, if not, your users will always need to go Twitter again.
Shame that twitter doesn't recognize that the users have already allowed my app and redirects automatically