5

I'm about to use one of those multi-provider authentication frameworks, Opauth or Hybridauth (I don't know which is the best, but I had a little preference for the second one), so the consequence is that I have to manage multiple accounts.

In fact I already have my own account management (login+password+email), and last year I had Facebook users. Now I will have to deal with Twitter accounts, LinkedIn accounts, etc. So the question is easy: how to manage the username? For instance, John creates an account on my site. So the "John" login/username is taken. But if another John from Facebook and then another one from Twitter arrive, what am I supposed to do? On Stack Overflow (or elsewhere), what is the practice?

I don't want one John to write on behalf of another John. Today, with my own system, I verify that the login (username) is unique. If not, I reject the user. But now?

I thought that I could check the email, but... I learnt that the email address can't be the key because Twitter doesn't give it to you.

Hope I'm clear enough :)

regards

Pierrot

2 Answers

0

As you say, it's not possible to just retrieve the username from different sources and just store it. I don't know how it is done here on Stack Overflow, but if you try to register, the name is optional, so probably it is not a unique key. I can't see a way to log in with Twitter here, so I bet that email is a unique key.

I'll try to answer your question, but I've only used the Facebook API, so maybe this can't be done with others. I suppose that each API gives you something you can store in your database and use later to identify your user against their API.

If you allow users to register with Facebook (or Gmail, Twitter...) then you can use the following approaches (I'm sure there are a few more):

  1. They always log in with Facebook (or Twitter, Gmail...): you store a record for them inside your database with the key provided by the API and other useful info you can collect. As you said, each API gives you different things, so you have to think in advance about what you really need to provide your users with a good experience: is their name needed? Age? If you need more data than is provided by the API, you should jump to the next approach, or prefetch it and make it editable beforehand. Here you don't ask your user for a password, so they can only log in with Facebook, not with a login form. If a user tries to authenticate with Facebook (or Twitter, Gmail) again, you know which key you have to look for to authenticate your user.

  2. They can create an account and link it with Facebook (or whatever): you ask for Facebook permission and then prefill a form for them to provide the data that is missing (password, mail if they use Twitter...) and then create the record, storing the unique key provided by the API as well, to proceed exactly as in step 1 if they use their Facebook accounts to log in. If you asked for a password and an email, they can use a standard login form as well.

  3. You can use the first approach and ask the user to change the attribute that is in conflict with another user (name in your case), or even ask them to fill in what is missing depending on which social network they are using to sign in. You can use name+surname as the username to reduce the possibility of a collision, if this is what you want to store to identify your user.

Hope this helps

LuisClemente
  • Thanks @LuisClemente for helping. In fact, I don't have a problem managing the unique ID. Every provider manages uniqueness, so no problem. My system manages it too, but based on email+login. The question is how to tell the difference between John and John when John comments on a news item, for example. I just saw that Stack Overflow adds a unique ID in the URL. I searched for all "Pierrot" and 2 exist :) ==> SO.com/users/**985357**/pierrot – Pierrot Dec 14 '12 at 08:19
  • @Pierrot then there is your answer. As it seems, here the name can be duplicated (so not a unique key) and you can only tell the difference if you see their profile (or they have different avatars or something XD). As I said, it totally depends on the experience you want for your users and on what is important for your site to work. – LuisClemente Dec 14 '12 at 08:27
  • Yes @LuisClemente, you're right. I have to completely change the behaviour of my web site. But I think it's for the best, and as I read on [janrain.com](http://janrain.com) I'll be able to drag in more members with OpenID account management. Thanks a lot. Discussion helps to see things more clearly :). – Pierrot Dec 14 '12 at 13:21
  • @Pierrot no problem, if you think this is a valid answer, please, mark the accept mark ;) . Regards – LuisClemente Dec 14 '12 at 13:32
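
The data model this answer and its comments converge on, as an added example that is not part of the original posts: each account gets a surrogate numeric id, display names may repeat, and every login is resolved through a unique (provider, provider id) pair. Table names, function names and the provider ids used with it are hypothetical; an in-memory SQLite database stands in for the site's own.

```python
import sqlite3

# Added example: schema and function names are hypothetical, not from the posts.
SCHEMA = """
CREATE TABLE users (
    id           INTEGER PRIMARY KEY,  -- surrogate key: the only account identifier
    display_name TEXT NOT NULL         -- NOT unique: several Johns may coexist
);
CREATE TABLE identities (
    user_id      INTEGER NOT NULL REFERENCES users(id),
    provider     TEXT NOT NULL,        -- 'local', 'facebook', 'twitter', ...
    provider_uid TEXT NOT NULL,        -- provider's stable user id, never the name
    email        TEXT,                 -- nullable: Twitter may not supply one
    UNIQUE (provider, provider_uid)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def login_or_register(db, provider, provider_uid, display_name, email=None):
    """Return the local user id for this identity, creating it on first login."""
    row = db.execute(
        "SELECT user_id FROM identities WHERE provider = ? AND provider_uid = ?",
        (provider, provider_uid)).fetchone()
    if row:
        return row[0]
    user_id = db.execute("INSERT INTO users (display_name) VALUES (?)",
                         (display_name,)).lastrowid
    db.execute("INSERT INTO identities VALUES (?, ?, ?, ?)",
               (user_id, provider, provider_uid, email))
    return user_id

def link_identity(db, session_user_id, provider, provider_uid, email=None):
    """Attach another provider to the account that is ALREADY logged in.
    Linking is never inferred from a matching name or email.
    Raises sqlite3.IntegrityError if the identity belongs to another account."""
    db.execute("INSERT INTO identities VALUES (?, ?, ?, ?)",
               (session_user_id, provider, provider_uid, email))

def profile_url(db, user_id):
    """URL in the style noted in the comments: the id disambiguates, the name is decoration."""
    (name,) = db.execute("SELECT display_name FROM users WHERE id = ?",
                         (user_id,)).fetchone()
    return f"/users/{user_id}/{name.lower()}"
```

Comments and posts should reference `users.id` as their author, so two users named John can never be attributed to each other regardless of what the display name says.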
0

HybridAuth gives you an excellent way to integrate your site with the social media...

http://hybridauth.sourceforge.net/

This should also help...

Scrappy Cocco