I am using Register via Facebook for my website.
After a user authenticates via Facebook Login, I retrieve and store their email address and name (nothing else).
Is there some type of unique identifier that goes along with everyone's facebook account?
What if someone changes their email address on their Facebook account?
I've checked their docs but can't find anything to use.
You are looking for user id. This is going to be unique for each facebook user and cannot change (unless some user deletes their facebook account and then goes in a registers a new facebook account)
Every Facebook user has a unique 'userId'. This userId will never change.
http://developers.facebook.com/docs/reference/api/user/
Related
Initially, we have enabled FB login to one of our iOS app. At that time, we were only storing Facebook unique number in our database for user's unique identification purpose. Now that our customer is asking us to enable Google Login, since we didn't store user's email address at the time of their login, it became tricky for us authenticate existing FB users if at all if they want to use Google login. Consider, user is using google email as their FB login. Now we need your help in getting user's email id by using FB unique number which we already have it in our db. Your help in this regard would be highly appreciable. Thanks in advance.
There is no way to get the email of a user on Facebook, unless he specifically authorized your App with the email permission.
Just curious,
In case I want to make application using API for login(i.e Facebook of Google+)
What user's unique key do I stored in my database? Do my apps have same user's unique key as them(Facebook or google+), or they generate a new unique key for my user when sign in my apps? And what type of data is it?
Do I duplicate user's information into my database or keep accessing user's information from Facebook or Google+? Like do I have to create table for user's name, gender, birthday,etc and register user's information once user login to my apps or straight access it from Facebook or Google+ every time my apps needs it?
Is it really safe for user to using login with API? Can someone using API to get user's email and password, or make post in user's Facebook or Google+ that user don't want to post, or hijack user's account?
This might be common case, but I have no experience in using API so I have no idea about that.
What user's unique key do I stored in my database? Do my apps have same user's unique key as them(Facebook or google+), or they generate a new unique key for my user when sign in my apps? And what type of data is it?
When you use Google or Facbook signin you really only need to store the information that they return to you.
LoginProvider ProviderKey ProviderDisplayName UserId
_____________________________________________________________________
Facebook 1969950809700159 Facebook 21248583
Google 117200475532672775346 Google 21248582
User Id is the users id from my user table. Where i store there user information my system needs ProviderKey is the users Id on the login providers system.
Do I duplicate user's information into my database or keep accessing user's information from Facebook or Google+? Like do I have to create table for user's name, gender, birthday,etc and register user's information once user login to my apps or straight access it from Facebook or Google+ every time my apps needs it?
You can duplicate some of it when the user creates or links their account to your system but i wouldn't automatically update it without informing the user you are doing so. Some users dont realize how much information you have access to via linking to social media accounts.
Is it really safe for user to using login with API? Can someone using API to get user's email and password, or make post in user's Facebook or Google+ that user don't want to post, or hijack user's account?
I think you are confusing identity for Authentication. Using Oauth2 you request a user to grant you access to see there data though an api this is authorization. If you are using Google+ or facebook signin you are using an identity server and signing in as the user. You should be using signin if you want them to login to your system using their social media accounts. By singing in you are that user. No I dont think they can be hijacked using signin.
I'd like to offer our users a Facebook login option. But I'm not sure how to identify existing users (without a stored Facebook ID).
From the docs:
https://developers.facebook.com/docs/facebook-login/multiple-providers#addingfacebook
After a successful login using Facebook, you will have the person's
email address, Facebook ID, and access token. Your app should search
for an existing account that has been created with that same email
address. If one exists, you should merge the two accounts and add
the Facebook info to the existing account - as recommended above.
That doesn't sound like a secure approach to me. What would prevent someone from creating a new Facebook account with a fake email address that matches a user account in my app and then use my Facebook login option? (Obviously, this will not work if the user already owns a Facebook account)
Your concern...
That doesn't sound like a secure approach to me. What would prevent someone from creating a new Facebook account with a fake email address that matches a user account in my app and then use my Facebook login option? (Obviously, this will not work if the user already owns a Facebook account)
TL;DR
Facebook Registration process
Go to facebook.com/reg.
Enter the name you go by in everyday life.
Enter your email or mobile phone number.
So...
Facebook needs your email or phone number, that means there's no way someone can use another account's email or phone number to sign up again.
My advice to you is...
You have two or more authentication methods - 1 manual (email & pass) | the rest (social login).
You already have users, so when users login using OAuth and a matching email or phone number is found, you ask permission to link their Facebook account to your app or site account with a matching credential.
At this point you should authenticate the persons identity one last time, by having them enter the password for their account on your app or site.
Now you can safely assume this person is who they say they are and store their info in your DB.
I'm creating a website that people can send sms from my website, I want to implement facebook login to my website and any one who logs in to my website using his facebook account and doesn't have an account in my website i want to create one for him. as he should later enter his phone number and verify the number and without having an account in my website its not possible. now the problem is if I use his facebook username to create the account it might cause duplicate name (as someone else might have got that username).
I will of course combine the information of the existing accounts when someone uses facebook login which have already account in my website. this is not a problem.
what would you suggest?
thanks in advance.
Dont use the Facebook user name as the userName column of your users database. You can get many other unique information from a Facebook user, like e-mail or facebook ID. Use them to "connect" between the information from your database details and the info you receive from Facebook.
For example:
When signing up to your website, one of the fields you can ask is the facebook login e-mail. Thats how a user would have the option to login to your website by Facebook, without any connection between his facebook user name and your user name.
In your user details table, just add a facebookEmail column, then, after you implement the Facebook Login API and a user login, check to see if his e-mail (from facebook) is in your table.
now the problem is if I use his facebook username to create the account it might cause duplicate name (as someone else might have got that username).
Well, then either build in a check if the user name is still free and if not prompt the user to enter a different one; or
automatically chose a different user name, f.e. by using a counter – if the user name from Facebook is foobar and this is already taken, then check if foobar1 is available, etc.
If creating it automatically, maybe you want to give the user the possibility to change it afterwards.
HI, I hava a website in php where i have integrated a Facebook Connect API which enabled the Facebook login button.
I login using the button by providing my Facebook credentials. It gets logged in. I can access my profile picture, full name and some other information. But i can't access the user email id i.e. the Facebook user id. I have checked the FBML page here but i didn't get any tag that may give me the user id. I guess that Facebook might not allow me to get the id.
Please help me how to get the Facebook user id from the Facabook Connect API.
Apparently, Facebook uses an numeric increment ID instead of email addresses to uniquely identify each User entity. By Facebook API policies, email addresses are protected to prevent spam and other issues.
In order for an application to get the email addresses of a Facebook User, you will need special permissions from the User. See the API for such permissions.