I am building an app/API that allows users to log in with Facebook, Twitter or Google. I am wondering what the best practices are for allowing those users to use the same account to log in to the API.

  1. A couple of ideas I have had: pass the auth token/cookie in a header to the API for every request and use that to authenticate on the backend.
  2. Run my own OAuth setup and make the user authenticate once with the backend to get my OAuth token, and use that from then on.
Fenton
Vitaly Babiy
  • You mention that users have the option of logging in with Facebook, Twitter, and Google. Are they forced to log in with one of those OpenId providers? – Andrew Church Jul 03 '12 at 14:32
  • This is exactly my problem and solution 1 seems really good but I don't understand how the API uses the auth token to authenticate the request. Could you please explain? – s0nica Mar 24 '13 at 15:22

2 Answers

1

I am doing the same thing and my solution is to match the email addresses that you get from these respective APIs.

For Facebook, you need special permission from the end user to get the email address registered there. You do this by adding &scope=email to the first oauth request.

A disadvantage is that you need to get this permission from the end user and they may decline. Another disadvantage is that users need to use the same email addresses for Google, Facebook and Twitter.

An advantage is that user records are merged automatically, so users can directly access all their data if they logged in the first time through Google, and the second time through Facebook.

Another approach would be to manually merge their data by making them log in to Google when they are already logged in through Facebook. Then you can conclude that they are the same user, even when they use different email addresses for both. But this is a more tedious approach, as you still need to merge the app's user data from both accounts.

matthias krull
Jeroen Kransen
  • How does getting the user's email address facilitate authentication in any way? (if the consumer of the API can spoof any email address they want, then that is no security at all) – Kirk Woll Oct 18 '12 at 18:12
  • Not getting the email address per se, but the fact that you are able to get a token from Facebook or Google. That means that the user successfully authenticated against that account. – Jeroen Kransen Oct 19 '12 at 14:50
  • How to parse the SOAP XML? – Dec 14 '12 at 11:54
  • @Balveer parse the XML; parsing of the SOAP XML – Dec 14 '12 at 11:56
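The account-linking logic the answer above describes, as an added example that is not part of the original post: a local account store that resolves a provider identity (keyed by provider and the provider's stable user id, never by the email alone) to one account, auto-merging on the email address only when the provider reports it as verified, plus the manual "link while already logged in" fallback the answer mentions for users with different addresses per provider. The `Identity` records are constructed stand-ins for what a backend would hold after a successful OAuth exchange; no real provider API is called.

```python
# Added example, not from the answer: link Google/Facebook/Twitter logins to
# one local account. Identities are constructed data standing in for the
# claims a backend obtains after a successful OAuth exchange.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Identity:
    provider: str             # "google", "facebook", "twitter"
    subject: str              # provider's stable user id (not the email)
    email: Optional[str]      # None when the user declined the email scope
    email_verified: bool      # only trust addresses the provider has verified


@dataclass
class Account:
    id: int
    email: Optional[str]
    identities: Set[Tuple[str, str]] = field(default_factory=set)


def _trusted_email(ident: Identity) -> Optional[str]:
    """Return the email only if the provider vouches for it; otherwise None."""
    if ident.email and ident.email_verified:
        return ident.email.lower()
    return None


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[int, Account] = {}
        self.by_identity: Dict[Tuple[str, str], int] = {}
        self.by_email: Dict[str, int] = {}
        self._next_id = 1

    def login(self, ident: Identity) -> Account:
        """Resolve a provider identity to a local account, creating or
        auto-merging by verified email as needed."""
        key = (ident.provider, ident.subject)
        if key in self.by_identity:                 # seen this provider id before
            return self.accounts[self.by_identity[key]]
        email = _trusted_email(ident)
        # Merging on an unverified address would let anyone who registers
        # that address at a provider take over the existing account.
        if email and email in self.by_email:
            acct = self.accounts[self.by_email[email]]
        else:
            acct = Account(self._next_id, email)
            self.accounts[acct.id] = acct
            self._next_id += 1
            if email:
                self.by_email[email] = acct.id
        acct.identities.add(key)
        self.by_identity[key] = acct.id
        return acct

    def link(self, current: Account, ident: Identity) -> Account:
        """Manual merge: the user is already logged in as `current` and has
        just authenticated with a second provider, so fold that identity's
        account (and anything stored under it) into `current`."""
        other = self.login(ident)
        if other.id == current.id:
            return current
        for k in other.identities:
            self.by_identity[k] = current.id
        current.identities |= other.identities
        if other.email:
            self.by_email[other.email] = current.id
            if not current.email:
                current.email = other.email
        del self.accounts[other.id]
        return current
```

The provider's user id is the join key; the email is only a hint for merging, and only when the provider marks it verified. Twitter logins without an email therefore get their own account until the user links them explicitly.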
0

Your first solution is exactly the way I do it. As all my REST services are stateless, the access token goes in the header and is parsed by Spring Security authentication filters on every request. I use a Grails server with the spring-security-oauth plugin. We also run a website which allows for using session cookies for browser-based access.

bjoern
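The header-token pattern from the answer above (the asker's first idea), as an added example that is not bjoern's code and uses no Spring or Grails: after the social login has been verified server-side, the API mints its own short-lived bearer token, and a filter run on every request parses the `Authorization` header and rejects missing, malformed, tampered or expired tokens. The token layout (`user_id.expiry.signature`, HMAC-SHA256 over the first two fields) and the secret are constructed for this example; a real deployment would keep the secret in configuration and rotate it.

```python
# Added example, not from the answer: stateless bearer tokens checked on
# every request. Token format and secret are constructed for the demo.
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret-keep-in-config"  # constructed; not a real key


def _sign(payload: str) -> str:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(user_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint a token once the social login has been verified server-side."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = f"{user_id}.{exp}"
    return f"{payload}.{_sign(payload)}"


def verify_token(token: str, now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """Return (user_id, 'ok') or (None, reason). Signature is checked before
    expiry so a forged token never influences the expiry branch."""
    parts = token.rsplit(".", 2)          # user_id may itself contain dots
    if len(parts) != 3:
        return None, "malformed"
    user_id, exp_s, sig = parts
    if not exp_s.isdigit():
        return None, "malformed"
    expected = _sign(f"{user_id}.{exp_s}")
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None, "bad signature"     # constant-time comparison
    if (time.time() if now is None else now) >= int(exp_s):
        return None, "expired"
    return user_id, "ok"


class AuthError(Exception):
    pass


def authenticate(headers: dict, now: Optional[float] = None) -> str:
    """The per-request filter: returns the user id or raises AuthError."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise AuthError("missing bearer token")
    user_id, reason = verify_token(token.strip(), now)
    if user_id is None:
        raise AuthError(reason)
    return user_id
```

Because the token carries its own expiry and signature, the API needs no session store; revocation before expiry requires either a short TTL or a server-side deny list, which is the trade-off behind keeping TTLs small.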