I am developing a mobile app and currently depending on JWT to maintain the statelessness of the API. The API is consumed by mobile and web devices. The users will use their email and password to register.
I am assigned to implement social login option in this API. I would like to clear my following doubts.
1) When Social Login is used, how can I generate a token [like JWT] which will be stored at the client's end? This token is supposed to be sent with all subsequent requests after login.
2) In case social platforms do not provide/share the email address [which is one of our primary keys], what information should I store?
2 Answers
Answer 1
Once you "social login" a user, you get a list of data from the social network itself. The user can disallow retrieval of the email address (e.g. from Facebook): in this case, you have to create a new user in your database, connect this user with the ID received and ask him to enter his email address. After the social login, if it is the first time, I suggest you ask the user to confirm their email address or even change it: in this way, you have just one flow.
Pay attention that a user could register using email/password and then try to log in using Facebook or Twitter: in this case you should check whether you already have a user with that email address and just link this user with the new token. Otherwise, create a new user.
The token is created as you do now, after a successful login.
Answer 2
Some social networks allow you to delegate user authentication instead of requiring credentials in your own system. When the user logs in, the external platform will provide you an access token that can be used to get some information about the user.
Use this data to register the user in your own system. Attach the access token. Depending on the permissions you have requested, you can use the token to perform additional operations in the social platform.
Then issue a JWT to be used as the authentication token in the web/mobile app where the user logs on. This JWT must be independent of the access token sent by the authentication provider. For example:
{"sub": "userid", "name": "User name", "iss": "issuer", "exp": 1300819380, "login": "facebook"}
If you plan to use several authentication systems like Google or Facebook, do not use the email as the unique identifier because it could be different for the same user. You will need an additional registration process to link the accounts that the user has in different networks. For example, letting the user set the identifier they use in the other system, or just launching the login process in Twitter when the user is logged in via Facebook.
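The flow both answers describe (look the user up by provider ID, fall back to linking by email, otherwise create a user and ask for an email, then mint your own JWT that carries none of the provider's token), as an added example that is not part of either answer. It is stand-alone Python using only the standard library; `UserStore`, `issue_jwt`, `verify_jwt`, the issuer name and the constructed "facebook"/"twitter" profile dicts are this example's own inventions, and the in-memory dicts stand in for your real user table. One choice that goes beyond the answers: an account is auto-linked on email only when the provider flags the address as verified, because linking on an unverified email lets someone who registers a victim's address at a lax provider take over the victim's account.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Example code, not from the original answers. Names and sample data are invented.
DEMO_SECRET = b"demo-only-secret; use os.urandom(32) loaded from config in production"
ISSUER = "api.example"  # assumed value for the "iss" claim


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class UserStore:
    """In-memory stand-in for the API's user table: one row per user, any number
    of linked social identities, email optional until confirmed."""

    def __init__(self):
        self.users = {}        # user_id -> record
        self.by_identity = {}  # (provider, provider_uid) -> user_id
        self.by_email = {}     # confirmed email -> user_id
        self._seq = 0

    def _new_user(self, email, name):
        self._seq += 1
        uid = f"u{self._seq}"
        self.users[uid] = {"email": email, "name": name, "identities": {}}
        if email:
            self.by_email[email] = uid
        return uid

    def register_with_password(self, email, password):
        """Classic email/password sign-up (salted PBKDF2, never the raw password)."""
        if email in self.by_email:
            raise ValueError("email already registered")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        uid = self._new_user(email, email.split("@")[0])
        self.users[uid]["password"] = (salt, digest)
        return uid

    def social_login(self, provider, profile):
        """`profile` is the user-info document fetched with the provider's access
        token. Returns (user_id, needs_email); needs_email is True when the app
        must still ask the user to enter or confirm an address. The provider's
        access token is deliberately not part of the user record."""
        key = (provider, profile["id"])
        if key in self.by_identity:                  # returning social user
            return self.by_identity[key], False
        email = profile.get("email")
        # Link on email only if the provider asserts it verified the address.
        verified = bool(email) and bool(profile.get("email_verified", False))
        if verified and email in self.by_email:      # existing password account
            uid = self.by_email[email]
        else:                                        # brand-new user
            uid = self._new_user(email if verified else None, profile.get("name"))
        self.users[uid]["identities"][provider] = profile["id"]
        self.by_identity[key] = uid
        return uid, not verified


def issue_jwt(user_id, name, provider, secret, now=None, ttl=3600):
    """Mint the API's own HS256 JWT; it is independent of the provider's token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "name": name, "iss": ISSUER,
               "iat": now, "exp": now + ttl, "login": provider}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, secret, now=None):
    """Return the payload if alg, signature, issuer and exp all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":  # no alg=none / confusion
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(p))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if payload.get("iss") != ISSUER or payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    store = UserStore()
    alice = store.register_with_password("alice@example.com", "correct horse battery")
    uid, needs_email = store.social_login("facebook", {  # constructed provider profile
        "id": "10001", "name": "Alice", "email": "alice@example.com", "email_verified": True})
    token = issue_jwt(uid, "Alice", "facebook", DEMO_SECRET)
    print(uid == alice, needs_email, verify_jwt(token, DEMO_SECRET))
```

The `(provider, provider_uid)` pair is the stable key, as Answer 2 advises; email is only a linking hint. Whatever you keep from the provider (access token, refresh token) belongs in a separate credentials table with its own expiry, so that revoking it never invalidates the JWTs you issued, and vice versa.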