I've got OAuth support in place for an app I'm working on. What I'm trying to work through is the logic for associating OAuth accounts.
Example:
Let's say a user has logged in before. They authenticated using Facebook. I now have an email address which I can safely assume will always be unique to that user. However, Twitter does not provide email addresses through its OAuth implementation, so if someone signs in with Twitter and then Facebook, how do I correctly associate their account? I can't use user name or handle, because obviously that could vary per provider. Is there any other way I could do this?
Do I require the user to enter their email address if they use an OAuth provider which omits it? I'm trying to put together the best user experience and the most stable system, so your help is highly appreciated.
If you're looking at working with multiple identity providers then your best solution would be to use an internal ID unique to your system and then associate the external accounts with that ID when the external authentication takes place. Additionally, users in FB can change their primary email address, so while it would be safe to assume it's unique, it's probably not safe to assume that it's current.
Related
Does anyone know how to set the "Email Address" as mandatory when a user logs in via Facebook using Socialite (if it is possible)?
At the moment my integration allows the user to remove the Email Address from the data that will be shared by Facebook on the Facebook side.
While we don't currently use the email address to contact the user, we do use it for matching accounts together if they login via different methods. This makes the site easier for the user overall.
If this is not possible then in the long run I may need to revoke the user's access if they don't share the email address, in order to avoid data issues. However, I will hopefully be able to avoid this.
Any help is appreciated.
Thanks,
Cs1h
You can't explicitly require it; it's up to the user to share it or not when authorizing, so you need to build your application to support this.
In my opinion, if they don't choose to share the email then you should detect this and have a page that asks them to enter it manually, and send them an activation link to confirm their account before linking.
I am planning to allow users to log in to my website using OAuth authentication. I have a doubt whether I can completely rely on the email returned from the response to link the users to the actual user account in my website. Can there be any security issue with this?
The most immediate is that you must absolutely trust the OAuth provider. It might lie to you and take over your local user account.
For example, if the OAuth provider does not validate the user email, someone might register an account there with someone else's email, then log in to your site, taking over the local user account.
Also make absolutely sure you're using SSL.
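The approach the three answers above converge on (an internal user id as the anchor, external identities linked to that id, a manually entered email confirmed through an activation link before any linking happens, and no trust placed in an email the provider has not itself verified), written out as an added Python example. This is not code from any of the posters; the in-memory store, the provider names and the subject ids are assumptions made for illustration.

```python
"""Account linking keyed on an internal user id (added example, not from the thread).

Assumes an in-memory store; provider names and subject ids are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class User:
    id: int
    email: Optional[str] = None


@dataclass
class AccountStore:
    users: Dict[int, User] = field(default_factory=dict)
    # (provider, provider_user_id) -> internal user id; this, not the email, is the login key
    identities: Dict[Tuple[str, str], int] = field(default_factory=dict)
    # activation token -> (provider, provider_user_id, email) waiting for the link to be clicked
    pending: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)
    next_id: int = 1

    def _create_user(self, email: Optional[str]) -> User:
        user = User(self.next_id, email)
        self.users[user.id] = user
        self.next_id += 1
        return user

    def _user_by_email(self, email: str) -> Optional[User]:
        for user in self.users.values():
            if user.email is not None and user.email.lower() == email.lower():
                return user
        return None

    def sign_in(self, provider: str, subject: str, email: Optional[str] = None,
                email_verified: bool = False) -> Tuple[str, Optional[User]]:
        """Handle a successful callback from an external provider.

        Returns ("ok", user) when the identity is already known or can be linked
        safely, or ("needs_email", None) when the provider gave no email, or gave
        one it has not verified: the app must then ask for one and confirm it itself.
        """
        key = (provider, subject)
        if key in self.identities:
            return "ok", self.users[self.identities[key]]
        if email and email_verified:
            # Verified email from a trusted provider: safe to match an existing
            # local account or create a new one, then remember the identity.
            user = self._user_by_email(email) or self._create_user(email)
            self.identities[key] = user.id
            return "ok", user
        return "needs_email", None

    def request_email_confirmation(self, provider: str, subject: str, email: str) -> str:
        """Record the user-typed email; returns the token to embed in the activation link."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = (provider, subject, email)
        return token

    def confirm_email(self, token: str) -> Optional[User]:
        """Called when the activation link is opened; only now is the identity linked."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return None  # unknown or already-used token
        provider, subject, email = entry
        user = self._user_by_email(email) or self._create_user(email)
        self.identities[(provider, subject)] = user.id
        return user
```

The key design choice is that a provider's email is only ever used as a lookup hint when the provider asserts it has verified it; a Twitter-style login with no email, or a login from a provider that does not validate addresses, goes through the same manual confirmation path, so an unverified claim can never attach a new identity to someone else's account.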
I've implemented Google OAuth 2.0 login on a site that I'm working on. It works fine, except in situations when the user is logged in with two or more different accounts in the same browser. It's asking him to choose which one he wants to use. But it's asking the user every time to choose the account. Is there a way to remember this, so the user can choose the account only the first time and later automatically log him in with that account?
You can put an hd=domain.com parameter in the request to Google, but that only helps if the two logged-in accounts are from different domains, and it can then log the user in with the @domain.com account.
I read somewhere that you can send the user_id of the account as a parameter to Google (I guess that would be the email address), but in this case I don't know the user's email address before he logs in.
I think this behavior is the same if you use OpenID.
I'm using Google's PHP OAuth library.
Thanks,
Andrej
Google should have a cookie set that enables OAuth applications to tell what account to currently use.
If you know the email address you want to log in with, you can use the login_hint parameter and they won't see the account chooser. See https://developers.google.com/accounts/docs/OAuth2Login#sendauthrequest
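Building the authorization request with login_hint as the answer describes, as an added Python example (not code from the question's PHP integration or from Google's library). The endpoint is Google's OAuth 2.0 authorization endpoint; the client id, redirect URI and the cookie name used to remember the account chosen on the first login are assumptions.

```python
"""Google authorization request with login_hint (added example, not from the thread).

The client id, redirect URI and the cookie that remembers the chosen account are assumptions.
"""
import secrets
from urllib.parse import urlencode

# Google's OAuth 2.0 authorization endpoint
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def auth_params(client_id, redirect_uri, state, login_hint=None, scope="openid email"):
    """Query parameters for the authorization request.

    state is a per-session random value the callback must compare against
    (CSRF protection). login_hint, when present, tells Google which account
    to use so the account chooser is skipped on later logins.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
    }
    if login_hint:
        params["login_hint"] = login_hint
    return params


def build_auth_url(client_id, redirect_uri, state, login_hint=None):
    """Full redirect URL; urlencode escapes the '@' in the hint and the redirect URI."""
    return AUTH_ENDPOINT + "?" + urlencode(auth_params(client_id, redirect_uri, state, login_hint))


def new_state():
    """Fresh unguessable state value, to be stored in the session before redirecting."""
    return secrets.token_urlsafe(16)


def hint_from_cookie(cookies):
    """Email remembered after the first successful login (assumed cookie name).

    Treat it purely as a hint: the authenticated identity still comes from the
    token or userinfo response, never from this client-controlled cookie.
    """
    return cookies.get("google_login_hint")
```

On the first login there is no hint, so the user sees the chooser once; the app then stores the email from the userinfo response in the cookie, and every later request carries it as login_hint.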
Correct me if I'm wrong:
With respect to a user's email address associated with their account...
You can ask for and receive email addresses from openID providers (i.e. Google, Yahoo!, AOL, etc.).
You cannot obtain email addresses from OAuth providers (i.e. Twitter, LinkedIn, etc.).
You can receive email addresses from Facebook via OAuth.
If I am wrong and there is a way to obtain email address via OAuth, please describe an easy method.
Well, what you have described is almost right. It depends upon what you want: both protocols, OAuth and OpenID, provide a way to authenticate, but OAuth provides fine-grained control.
Basically you can get the email address from Google/Yahoo/Windows Live using OAuth, and as per your analysis both the Twitter and LinkedIn models do not have the option to give back the email associated with the user.
But you need to have a clear understanding of what's different between the two, as that will make clear what is provided by each.
Both work in the domain of security, identity, and authorization, and both work on the principle of decentralization.
With OpenID, there is no suggestion of two web apps sharing your data, except in the very limited sense that the OpenID provider may hold some general information about you, but this is data of a generic kind.
OAuth lets you authorise one website – the consumer – to access your data from another website.
In short, OpenID is coarse-grained while OAuth is more fine-grained. OAuth provides a level of security by asking the user to grant access to your data to the party who is asking for access, and now it's in the hands of the user to allow or deny, while with OpenID generic data will be available.
So the choice is all yours.
I have recently implemented Google and Yahoo's OpenID endpoints into my authentication system on my site so that users can avoid creating an account on my site. Pretty common practice, right?
I have a specific question though, but first a little background information.
When I get through the three-legged authentication I use Attribute Exchange to get the user's name and email address. Currently, I am storing their OpenID (a long string that looks like this: https://me.yahoo.com/a/2Z7LplQsnI_DgtAw(... a bunch of alphanumeric)) in a special field in the users table.
Let's say my users table looks like this.
type  id  password                          email             key
1     1   0e9212587d373ca58e9bada0c15e6fe4  test@example.com
2     1   b8d2f4a50d2b364ff2766556ba50da48  me@gmail.com      https://www.google.com/accounts/o8/id?id=AItOawll6-m_y…
2     2   6687d5d88b359ee1340717ebf0d1afc6  you@gmail.com     https://www.google.com/accounts/o8/id?id=AItOawm3-C_9…
3     1   fd193c2fa449c9d6dc201d62d5ca86d3  him@yahoo.com     https://me.yahoo.com/a/2Z7LplQsnI_DgtAw…
1     2   2e710b13b3dd787e2b15eab3dde508c2  person@site.com
types
1 = native account
2 = Google OpenID
3 = Yahoo OpenID
When a user logs in with a native account, the email and password are used to authenticate (duh).
When a user uses Google or Yahoo OpenID, then the OpenID (key field) is used to authenticate.
Okay, now that all the background information is out of the way... will it be secure if I forget about storing the OpenID itself and simply use the email I got back from Attribute Exchange to authenticate the user? Can someone spoof the third leg of an OpenID transaction, or can I trust that whenever I get you@gmail.com from the Attribute Exchange portion of an OpenID transaction with Google that it is genuine and not spoofed?
Such an intentional breaking of the protocol will cause you major headaches in the long run. For instance, consider cases where a user logs in using a custom-built OpenID server, but provides a @gmail.com email address.
The only information guaranteed to be absolutely consistent and reliable after an OpenID authentication exchange is the identity URL.
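The contrast the answer draws, shown as an added Python example that is not code from the question: the safe lookup selects the row by the provider type and the identity URL, and the shortcut the question asks about selects it by the AX email alone. The rows follow the layout of the question's users table with constructed placeholder keys, the trusted endpoint prefixes are taken from the identity URLs shown in the question, and the custom OpenID server's hostname is an assumption.

```python
"""OpenID login by identity URL versus by AX email (added example, not from the question).

Rows mirror the question's table with constructed keys; the custom OpenID server is assumed.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Account type codes from the question's table
NATIVE, GOOGLE_OPENID, YAHOO_OPENID = 1, 2, 3

# Identity-URL prefix each trusted provider issues: (scheme, host, path prefix)
TRUSTED_PREFIXES = {
    GOOGLE_OPENID: ("https", "www.google.com", "/accounts/o8/id"),
    YAHOO_OPENID: ("https", "me.yahoo.com", "/a/"),
}

# Constructed rows; the truncated keys from the question are replaced by placeholders
USERS: List[Dict] = [
    {"type": NATIVE, "id": 1, "email": "test@example.com", "key": None},
    {"type": GOOGLE_OPENID, "id": 1, "email": "me@gmail.com",
     "key": "https://www.google.com/accounts/o8/id?id=AItOaw-PLACEHOLDER-1"},
    {"type": GOOGLE_OPENID, "id": 2, "email": "you@gmail.com",
     "key": "https://www.google.com/accounts/o8/id?id=AItOaw-PLACEHOLDER-2"},
    {"type": YAHOO_OPENID, "id": 1, "email": "him@yahoo.com",
     "key": "https://me.yahoo.com/a/PLACEHOLDER-3"},
]


def provider_for(claimed_id: str) -> Optional[int]:
    """Map a claimed identity URL to a trusted provider type, or None if unknown."""
    parts = urlparse(claimed_id)
    for ptype, (scheme, host, prefix) in TRUSTED_PREFIXES.items():
        if parts.scheme == scheme and parts.hostname == host and parts.path.startswith(prefix):
            return ptype
    return None


def login_by_identity_url(claimed_id: str, ax_email: str) -> Optional[Dict]:
    """Safe lookup: the row is selected by (type, key); ax_email is informational only."""
    ptype = provider_for(claimed_id)
    if ptype is None:
        return None  # an endpoint we do not trust may assert any email it likes
    for row in USERS:
        if row["type"] == ptype and row["key"] == claimed_id:
            return row
    return None


def login_by_ax_email(claimed_id: str, ax_email: str) -> Optional[Dict]:
    """The shortcut from the question: match on the AX email and ignore the identity URL."""
    for row in USERS:
        if row["type"] != NATIVE and row["email"].lower() == ax_email.lower():
            return row
    return None
```

With a custom OpenID server asserting a gmail.com address through AX, login_by_ax_email hands back the Google user's row while login_by_identity_url returns nothing, because the identity URL is not one a trusted endpoint issues.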