My website allow users to signup by their Google or Facebook account. But some users use clone account to signup for spamming, so I want to detect and allow only Facebook or Google account which was created at least 1 year ago to signup.
I know that Facebook and Google API do not allow to see that information, do you have any opinions about this, please help me.
Thank you vẻry much.
I have few thoughts over this. In my view I do not think that information can be available via API. Both Facebook and Google have strong layer of security with some abstractions in terms of data they shared about a perticular entity. IMHO (in my humble opinion), it appears too much internal to me regardless of the fact that you have fair enough information being shared by their rich set of API.
Here is an overview of what Facebook has mentioned regarding permissions:
When a person logs into your app via Facebook Login you can access a subset of that person's data stored on Facebook. Permissions are how you ask someone if you can access that data. A person's privacy settings combined with what you ask for will determine what you can access.
However you can check what permission you have been grant access to in your app by Facebook.
For Google API, i did not see/find such information. Check obtaining user profile section.
So is there anything we do to check spammers?
Well, not in kind of way we anticipated, but one thing that could be helpful is the email verification. Most of the spam users do not like to provide valid/verified email addresses while sign up.
Calling the Facebook Graph API like https://graph.facebook.com/version/me/?access_token=token&fields=verified (where verified can be true or false). I saw some users report that it brings in whether the account has been verified, not the email.
In Google API, we can get the profile by calling the people.getOpenIdConnect endpoint. This method has email_verified property which returns true only if the email address is valid.
These may or may not be helpful but something is better than nothing until some better option get available in future versions of API.
Besides it is certainly not in scope of a developer using the API to control fake/spam users from signing up on either of these social networking giants. I believe that apart from checking the authentication, it is not easy to detect/filter out the such users out of million users even at their end.
