
I'm trying to build an automated login using Google's AuthSub, but I need to store data for the users that log in.

... and basically I don't get it. Should the token from Google change the 2nd time a user logs in, that user loses his / her info, and you don't get any info like a userId that you can use to store information against it.

Unless the token does not change and you can store info against that token.

How would you store information (MySQL) for that token if it changes?

See http://code.google.com/apis/accounts/docs/AuthSub.html#WorkingAuthSub point 5

Laurel
CodeChap
  • Do you think it would be possible to shorten the title a bit? So it's easier to get what you ask at a glance? Plus it's nicer to look at? – raoulsson Jan 01 '10 at 22:08

1 Answer

There are two kinds of token; I'm going to assume that you're not talking about the single-use token obtained from a call to AuthSubRequest, but are talking about the long-lived session token obtained from AuthSubSessionToken.

The page explicitly says that "Session tokens do not expire."

So no, the token shouldn't become invalid just because a user logs in again.

On the other hand, if you ignore your existing token and request a new one - yes, you'll end up with a different token.

There is one thing (other than your app calling AuthSubRevokeToken, which of course will result in the token being invalidated) that can result in the token becoming invalid: the user can visit the Change authorized websites page and choose to manually invalidate a token. If that happens, all you can do is throw out the old one and request a new token.

James Polley
  • So at the end of the day it's not really a secure way of handling user authentication. Thanks. – CodeChap Jan 01 '10 at 22:12
  • What do you mean by "secure way"? What do you mean by "User authentication"? AuthSub isn't intended to be used for authentication; it's used for authorization - it authorizes your app to access the user's data. If all you're trying to do is authenticate the user, you want Federated Login (http://code.google.com/apis/accounts/docs/OpenID.html) – James Polley Jan 01 '10 at 22:17
  • Thanks, I know, I've been battling with Federated Login for the past three days now - it's far too complex, and that's why I'm looking for an alternate method. – CodeChap Jan 01 '10 at 22:51
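A storage layout that follows from the answer and comments above, as an added example that is not part of the original thread: user data is keyed on a stable identity, and the AuthSub session token is a replaceable attribute, so a revoked token can be thrown out and re-requested without losing the user's data. Assumptions: the identity string comes from a separate authentication step (such as Federated Login), all table and function names are hypothetical, and sqlite3 stands in for MySQL so the block runs offline.

```python
import sqlite3

# Assumption: `identity` is a stable identifier from a separate authentication
# step (e.g. Federated Login); AuthSub itself only authorizes data access.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    identity TEXT NOT NULL UNIQUE,
    notes    TEXT NOT NULL DEFAULT ''
);
-- The session token is a bearer credential: restrict access to this table.
CREATE TABLE authsub_tokens (
    user_id       INTEGER PRIMARY KEY REFERENCES users(id),
    session_token TEXT NOT NULL
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def get_or_create_user(db, identity):
    """Return the same row id on every login of the same identity."""
    db.execute("INSERT OR IGNORE INTO users (identity) VALUES (?)", (identity,))
    row = db.execute("SELECT id FROM users WHERE identity = ?", (identity,))
    return row.fetchone()[0]

def store_token(db, user_id, session_token):
    """Insert the user's session token, replacing any earlier one."""
    db.execute("INSERT OR REPLACE INTO authsub_tokens VALUES (?, ?)",
               (user_id, session_token))

def drop_token(db, user_id):
    """Call when the token was revoked; user data is left untouched."""
    db.execute("DELETE FROM authsub_tokens WHERE user_id = ?", (user_id,))

def current_token(db, user_id):
    row = db.execute("SELECT session_token FROM authsub_tokens WHERE user_id = ?",
                     (user_id,)).fetchone()
    return row[0] if row else None  # None means: request a new token

def save_notes(db, user_id, notes):
    db.execute("UPDATE users SET notes = ? WHERE id = ?", (notes, user_id))

def load_notes(db, user_id):
    return db.execute("SELECT notes FROM users WHERE id = ?",
                      (user_id,)).fetchone()[0]
```

When `current_token` returns `None`, the application sends the user through the AuthSub flow again and calls `store_token` with the new session token.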