
I'm trying to implement a login with Facebook/Twitter functionality in my app. I read some guides on OAuth, and I think I understood some of the basic concepts. Here is what I understood (please correct me if I'm wrong):

  1. myApp sends a request to the OAuth provider and gets the (A) request token.
  2. Send the user to authenticate (A); they return with the (B) authenticated request token (is this what's called the OAuth token?).
  3. Use (B) to get the (C) access token.
  4. Use (C) to access the user's information.

And here is what I can't get my head around: which one of these should I use/store to identify the user? I thought about the possibility of using each one of them, but I'm always stuck on how to check whether the user has signed in before...

hndr

1 Answer


If all you need is just authentication, then storing only user_id is enough.

So create another table like:

id | service_name | user_id | my_user_id

where service_name is either twitter or facebook, user_id is the user's id from Twitter/Facebook, and my_user_id is the user's id in your own authentication system.

So:

SELECT my_user_id FROM oauths WHERE service_name = 'twitter' AND user_id = 42

would return your system's user_id, or nothing.

PS: service_name could (and should) be normalized; I kept it as a string just to simplify the example.

PPS: as you said in the comments, you probably also want "posting/tweeting".

In that case you need to store the user's access token for Twitter, and store nothing additional for Facebook, but request the publish_stream permission when authenticating the user.

zerkms
  • I was thinking of posting/tweeting as well, but by user_id, did you mean storing the user_id that we can get access to with the access token? – hndr Apr 11 '12 at 05:23
  • @that_guy: yep. The user_id from oauth provider – zerkms Apr 11 '12 at 05:25
  • @that_guy: btw, added about posting – zerkms Apr 11 '12 at 05:27
  • hmm.. my head is still showing the loading bar... but I think I get the idea, thanks! – hndr Apr 11 '12 at 05:30
  • Another question: if I'm using the provider's user_id to identify the user, doesn't that mean I would need to authenticate the token each time? Then why would I store the user's access token for Twitter? Or am I supposed to update the access token each time the user signs in? – hndr Apr 11 '12 at 05:35
  • @that_guy: that depends on when you need to tweet on behalf of user. If in between - then you need to persist tokens somewhere, if on authentication - just use them and drop – zerkms Apr 11 '12 at 06:31
  • @hndr what did you end up storing? Because he keeps talking about "your" authentication system, but you're using third-party OAuth, so I don't get why you have your own. I've heard about storing the token before, but once again I forget which one. – Kyle Calica-St Dec 07 '16 at 17:23
  • @KyleCalica-St Depends on your use case, but if you're just using it to authenticate user, then you can just store the provider's identifier, (e.g. FB id or email). – hndr Dec 08 '16 at 03:25
  • Ping Identity is an OAuth provider. If I want to use this provider, should I store user info such as username, password, role and so on? Please tell me. – Kumaresan Perumal Sep 22 '22 at 04:19
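The lookup table and SELECT from the accepted answer, plus the "store the Twitter token only if you need to post later" point from the comments, as an added working example (not code from the answer or from any of the posters). It uses an in-memory SQLite database and assumes the provider's user id arrives from your own server-side step 4 call, never from the browser; the names sign_in and lookup_local_user are this example's own.

```python
import sqlite3

# Constructed schema following the answer's "id | service_name | user_id | my_user_id" table.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT);
CREATE TABLE oauths (
    id INTEGER PRIMARY KEY,
    service_name TEXT NOT NULL,     -- 'twitter' or 'facebook' (answer: should be normalized)
    user_id TEXT NOT NULL,          -- id issued by the provider, fetched server-side with the access token
    my_user_id INTEGER NOT NULL REFERENCES users(id),
    access_token TEXT,              -- only needed when the app must tweet on the user's behalf later
    UNIQUE (service_name, user_id)  -- one local account per provider identity, ids are scoped per provider
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_local_user(conn, service_name, provider_user_id):
    """The answer's SELECT: our user id for this provider identity, or None if never signed in."""
    row = conn.execute(
        "SELECT my_user_id FROM oauths WHERE service_name = ? AND user_id = ?",
        (service_name, str(provider_user_id)),
    ).fetchone()
    return row[0] if row else None

def sign_in(conn, service_name, provider_user_id, display_name, access_token=None):
    """Run after the access token has been exchanged for the user's profile.
    Returns (my_user_id, created). The access token is persisted (and refreshed on
    every login) only when the caller passes one, i.e. only for the 'posting' case."""
    my_id = lookup_local_user(conn, service_name, provider_user_id)
    if my_id is not None:
        if access_token is not None:
            conn.execute(
                "UPDATE oauths SET access_token = ? WHERE service_name = ? AND user_id = ?",
                (access_token, service_name, str(provider_user_id)),
            )
        return my_id, False
    cur = conn.execute("INSERT INTO users (display_name) VALUES (?)", (display_name,))
    my_id = cur.lastrowid
    conn.execute(
        "INSERT INTO oauths (service_name, user_id, my_user_id, access_token) VALUES (?, ?, ?, ?)",
        (service_name, str(provider_user_id), my_id, access_token),
    )
    return my_id, True
```

A returning user is recognised purely by the (service_name, user_id) pair, so no token has to be kept at all for the pure-authentication case.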