I am creating an app in which you can login via Facebook, Twitter, or our own internal mechanism. The issue is the following scenario:
I open the app and login using Facebook
I logout
I open the app and login using Twitter
The above scenario will result in me as a user having two accounts in the system. How do I prevent this from happening so that I have one account and it doesn't matter whether I login using Facebook/Twitter?
Every time a user login using Facebook I am as well creating an internal account, with the Facebook username and Facebook id as password. The same thing when I login using Twitter I am creating an internal account with the Twitter user name and id as password.
An idea came in my mind to solve this:
When a user logs in using Twitter check the name and email if a user with that information already exists in the database. However, the name and email they use in both Facebook and Twitter might not be the same, so this might not work all the time.
You can't make this work with your current flow (when the user logs in then logs out again). Instead you should allow a user to login with either their Facebook or Twitter credentials and then, whilst they're still logged in, get them to associate their account with their other service with that user.
So, the flow would be something like:
New user arrives at site User logs in with Facebooks oauth2
mechanism
Your server receives their FB ID and generates a new user
in your systems. Stores their FB ID against that user.
You prompt
the user to add their twitter auth credentials. User logs in with
Twitter oauth2 mechanism
Your server receives their twitter ID,
checks to see if a user is currently logged in with your
application. Because there is, you save the twitter ID agains the
current user.
Later, the user can log out and then log in with either service.
Related
I wonder what kind of workflow other people have had when logging in with facebook.
I have an app that requires signup. People can also signup by logging in via facebook. That part has been integrated.
However, when a user signs in with facebook (which means: facebook page open and requires login), my workflow
takes the user to a screen where he needs to create a username (as having a username is required).
After the user picked up a username, then I create this new user, save the facebook token and generate a password.
Now, automatically, the user will be logged in in my app.
Next time the user opens the app, in background, I will login the user taking the email (which originally was fetched from facebook) and the password, which are stored in local storage.
But what if the user logs out or delete the app and reinstall it? I have seen that this happens some times. In that case, the workflow (if the user clicks on facebook login on my app) will take the user again to facebook. And after he logs in in facebook, he will come back to my screen where he can choose a username. This is bad. Because I already created an account for the user with the email binded to that facebook account.
Of course, I can understand that this user that logs in via facebook already has an account. But what can I do? Can I just login him in background? Are there any security implications (yeah, my app is not that sensitive, but I would prefer to use best practice).
Yes, if the user already logged in once, the expected behavior is to be logged in again on future visits to the app. If the user passed the Facebook login, you can safely assume that it is the same user imho.
I am using Facebook login with the Facebook javascript sdk. I have implemented all the login flow. I want to know what I should to do to start a session on my application. From Facebook docs https://developers.facebook.com/docs/facebook-login/login-flow-for-web:
Once your app knows the login status of the person using it, it can do one of the following:
If the person is logged into Facebook and your app, redirect them to
your app's logged in experience.
If the person is logged into Facebook but not your app, prompt them with the Login dialog.
If the person is not logged into Facebook, prompt them with the Login dialog.
I want to work on the first one: redirect them to my app's logged in experience. But I do not know how to recognize the user and start the new session on the server so that he can access personal data. I thought a possible solution might be to send the accessToken received on the client to my server, then ask to Facebook's servers if that is a valid token, if so then start a new session for the recognized user, otherwise ignore the request. Is that a correct flow?
I have a website where users can log in with the Facebook oAuth API.
Once the user logs in or registers via Facebook it is stored in my database.
But what I'd like to achieve is, once the user goes to his Facebook application settings page and removes my website app permissions, the used should also be deleted from my database.
Is there any work around to this problem, if this is not possible via the Facebook oAuth API?
You can add Deauthorise Callback URL by Navigating to Settings > Advanced section of your application. Whenever a User Deauthorises your Facebook app, Facebook performs a HTTP POST of signed request to your URL. You may use the field user_id to determine which User has deauthorised your app.
Actually, I would do the following:
Add a date to his last log in to your site.
Have cron job check for old, unused accounts.
Send an email to the user's email address (or Facebook message mail) telling him his account is due to expire soon.
Delete account from database.
today I've an hard question that it causes me some problems.
I'm beginning to implement, for the first in my life, the Facebook Login/Connect in my iOS application.
What's strange? Nothing so far, except I want that the users can ONLY login in the app with Facebook Login, not signup. I explain better: only the users that are already registered in my website can use Facebook Login for logging in.
Website: users can signup with Facebook Connect
iOS app: users can use Facebook Connect only if they're already connected in the website with Facebook Connect.
Is it possible or is an illusion? For example if there's a way to get the facebook uuid of the logged user before show the permission popup it would be great, because I check for this uuid in my database and if exists I'll allow to connect the user.
On the website side
Your user logs in, then authorizes to use your app. As soon as she is authorized, add her user id to your database.
On iOS side
Your user logs in. As soon as she logs in you have access to her user id. So, before showing the main app screen display a loading graphic. Send a request with the user id to your server. The server replies that she is authorized and you proceed to show your main app screen. OR, the server replies that she is not authorized and you proceed to show an error message that instructs the user to first authorize on the website (maybe this screen should have a retry button).
if i get your question .. you can build an Api_service on your website through it you can send the user email from the application and check if this mail registered on your website .. so before the user login to Facebook you make a request to call this api > you returned a value to your app tell you that the user is registered in your site or not .. so then you can allow just the user's you want to login fb.
How do they manage to get user to login to Twitter / Facebook through Javascript so smoothly?
I am trying to replicate it for the web app. Basically, the user only needs to add a javascript snippet to their site to kickstart but I am clueless as to how to integrate facebook and twitter connect seamlessly.
Do they store access tokens after successfully authenticating a user?
Short answer is yes, they store access tokens after successfully authenticating a user.
After you try facebook and twitter apis, you'll see that, they both returns ids for every user who succesfully logged-in through your application. You can then simply add those ids pairing with the platform they logged in to your database. You can then use that data to track users easily.
You need to
Create applications on both platforms
Have pages for each provider to check if user performed a succesful login
Check if user is a newcomer and add that user to your database if so.
Set a session or cookie variable of user's local id in your own application or do whatever you are normally doing to track if a user logged-in as that user is your local user.