1

I am using Opauth for users to login with their social networking accounts for a commenting system.

After reading around this particular site, it appears that the token is one way to identify the user by storing it in a session. However, I've also read that it isn't necessary to use the token, a User ID would suffice.

My question is, what determines whether you use a token or the User ID is simply enough to identify the user?

Chris Burton
  • "how the token identifies the user" --- it's on a provider side. `token - application - user` relationship. So a particular token identifies a user for a particular application – zerkms Jan 14 '14 at 05:00
  • Thanks @zerkms, although I'm still having trouble understanding. I think this question and answer helps on what I'm trying to do and understand if a token is necessary in my case: http://stackoverflow.com/a/10100252/938664 – Chris Burton Jan 14 '14 at 05:53
  • it's funny that it's my 2 years old answer as well :-) – zerkms Jan 14 '14 at 08:28
  • @zerkms If you'd like, I edited the question which you may be able to answer more thoroughly. – Chris Burton Jan 15 '14 at 01:00
  • With only token - if you need user's details you have to perform an API request. Whereas if you store both a token + some basic user info you won't do that. – zerkms Jan 15 '14 at 01:01
  • @zerkms I'm talking about the token that I receive **after** I perform an API request. – Chris Burton Jan 15 '14 at 02:11
  • you lost me. What API request and what token then? – zerkms Jan 15 '14 at 02:22
  • @zerkms I am using Opauth for a very simple social network login system on my blog for commenting. When the user clicks a link to login, I receive a response of their profile data, including a token. If you have Facebook or Twitter, take a look at the **[response](http://cloud.chrisburton.me/0W2t0F3W1N3B)**. You will see a token under [credentials]. – Chris Burton Jan 15 '14 at 04:44
  • you need a token and a secret if you need to perform further requests. If you don't - then `uid` (for twitter) is enough for user identification. – zerkms Jan 15 '14 at 05:15
  • @zerkms Thank you. If you put that into an answer, I will gladly accept. – Chris Burton Jan 15 '14 at 05:59

2 Answers

1

The uid uniquely identifies the user, but the token and secret are used to make requests to the Twitter/Facebook APIs after you've gained access to the account.

If you aren't intending to make any additional requests, the secret and token will not be of use to you.

Pez Cuckow
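The distinction drawn in this answer, as an added example (not code from the original post or from Opauth): identify the commenter by provider plus `uid` and leave the token and secret out of the session when no further API calls are planned. The array shape, the helper names and all values are assumptions modelled on the `uid` and the token under `[credentials]` mentioned in the comments, and the callback payload is assumed to have been validated already.

```php
<?php
// Constructed sample shaped like the callback data the question describes
// (a uid, plus a token under [credentials]); every value is made up.
$response = ['auth' => [
    'provider'    => 'Twitter',
    'uid'         => '123456789',
    'info'        => ['name' => 'Example User'],
    'credentials' => ['token' => 'EXAMPLE-TOKEN', 'secret' => 'EXAMPLE-SECRET'],
]];

// Hypothetical helper: keep only what a comment system needs to recognise
// a returning user. The key is the (provider, uid) pair, because a uid is
// unique only within one provider.
function identity_from_auth(array $auth): array
{
    $provider = $auth['provider'] ?? null;
    $uid      = $auth['uid'] ?? null;
    if (!is_string($provider) || $provider === ''
        || !(is_string($uid) || is_int($uid)) || (string) $uid === '') {
        throw new InvalidArgumentException('callback data lacks provider/uid');
    }
    $name = $auth['info']['name'] ?? '';
    // $auth['credentials'] is deliberately not copied: with no further API
    // calls planned, the token and secret are only something to leak.
    return [
        'provider' => strtolower($provider),
        'uid'      => (string) $uid,
        'name'     => is_string($name) ? $name : '',
    ];
}

// Hypothetical login step for the web request that handles the callback.
function log_in(array $response): void
{
    $auth = $response['auth'] ?? null;
    $identity = identity_from_auth(is_array($auth) ? $auth : []);
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // new session id once the user is known
    $_SESSION['user'] = $identity;
}

// Stand-alone demonstration on the constructed sample.
var_export(identity_from_auth($response['auth']));
```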
1

I'll try to explain to you the purpose of Access Tokens in reference to the Facebook API.

A uid (User Id) is something that can uniquely identify a user on Facebook. For example: 1786565687 (that's me by the way). Whereas, an Access Token is an opaque string that identifies a user, app, or page and can be used by the app to make graph API calls. A User Access Token for instance is needed any time the app calls an API to read, modify or write a specific person's Facebook data on their behalf.

> I've also read that it isn't necessary to use the token, a User ID would suffice.

This is true, but using a user Id, you can only obtain a limited amount of information related to a particular user. For example: https://graph.facebook.com/1786565687 will provide you only a limited amount of information for the user Rahil Arora (that's me again) and you won't be able to write or modify on my behalf.

Whereas, using a valid Access Token, you can even write or modify a specific person's data on their behalf. Because of privacy checks, the majority of API end points on Facebook need to include an access token and therefore you can't access these end points by just using the user Id. You need a valid Access Token in order to access extra information related to a particular user. For example: https://graph.facebook.com/1786565687?access_token={Access_Token} will give you a lot more information than the previous call.

> what determines whether you use a token or the User ID is simply enough to identify the user?

Well, as you can see, you can choose either a token or just a user id depending on the type of action that you're willing to perform.

You can refer to the links posted in the answer for further information.

Rahil Arora
  • Did you check this **[link](http://cloud.chrisburton.me/0W2t0F3W1N3B)**? Login to your Facebook and you will see that I am receiving much more data than what you have **[shown](https://graph.facebook.com/1786565687)**. Based on that data, my question is that can I identify the user now with just their UID, not the token? – Chris Burton Jan 15 '14 at 17:42
  • Yeah. I know. That was just an example. The point here is, with a token, you can do additional stuff. For identification, you can use both. It is possible using debugging tools to get user info from an access token. Take a look at [this link](https://developers.facebook.com/docs/facebook-login/access-tokens/#debug) – Rahil Arora Jan 15 '14 at 17:43