Social Media Logins and Account based systems



So you want sign-in for your Acme website, with the usual social logins, and maybe even a roll-your-own login for the people who don't trust you linking them to any of these social companies.

Seems simple enough, but there are some interesting side effects.

Suppose you are on Facebook, Google and Hotmail (or whatever it's called now), maybe even Twitter and LinkedIn.

If you are one of those people who has a different email for each service, then thanks and good luck, that's your problem: every time you sign up/in through a different provider, Acme will hand you a brand new account.

If you do have one email address that follows you around, then shouldn't you not care who validates that it's you? Sure, you shouldn't care, and so the user doesn't need to remember whether they signed on with Facebook, Google, LinkedIn or whatever. The one catch is that the provider has to have actually verified that address; if you merge on an email the provider merely echoed back from a sign-up form, anyone who registers your address at a sloppy provider can walk into your Acme account.

So how do we achieve that? Well, at some point you have to have one attribute which you deem to be the identifier. Not necessarily the primary key in your data set, but at least something that no one else can have.

In my case, I'm interested in emails: it's how we communicate with users, and it's what we can most easily get from most of these social logins (Twitter excepted).

So,
Facebook - returns an email, but the user can change it in their Facebook settings, so you need to store Facebook's user `id` as the thing you link on.

Google - returns an email. A Gmail address effectively never changes, but Google's own guidance is to key on the `sub` claim of the ID token and only treat the email as trusted when the `email_verified` claim is true.

Yahoo - email (and by the way, if you ever retire your Yahoo email, please don't delete it: inactive addresses get recycled, so someone else can reclaim it and then sign in as you anywhere the email is the key!)

LinkedIn - `id` field again, because the email can be changed.

Microsoft - haven't used this one

Based on this, on first sign-up you create an account holder with whatever email address you got from the provider, and store the provider's stable id alongside it, so that later sign-ins (even after the user changes their email at the provider) land on the same account.
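Here is that linking rule worked through, as an added example that is not code from the original post. It is a hypothetical in-memory stand-in for Acme's user table (a real one would be a SQL table with unique indexes on the email and on the provider/subject pair); the `ProviderLogin` shape is an assumption standing in for whatever your OAuth/OIDC callback returns after it has validated the token. It shows the stable id winning over a changed email, a verified email merging two providers into one account, and an unverified email being refused a merge.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Hypothetical in-memory stand-in for Acme's user table (assumption: the real
# store has a unique index on account e-mail and on (provider, subject)).

IdentityKey = Tuple[str, str]   # (provider name, provider's stable user id)


def normalize_email(email: str) -> str:
    """Canonicalise an address so 'Bob@Example.com ' matches 'bob@example.com'.
    Strictly only the domain is case-insensitive, but every major provider
    treats the local part that way too, so lower-case the whole thing."""
    return email.strip().lower()


@dataclass
class ProviderLogin:
    """What the OAuth/OIDC callback hands us after the token has been validated."""
    provider: str            # "google", "facebook", "linkedin", "twitter", ...
    subject: str             # stable id: OIDC 'sub', Facebook/LinkedIn 'id'
    email: Optional[str]     # None for providers that give none (Twitter)
    email_verified: bool     # provider-asserted, e.g. the OIDC 'email_verified' claim


@dataclass
class Account:
    account_id: int
    email: Optional[str]                          # canonical contact address, if any
    identities: Set[IdentityKey] = field(default_factory=set)


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[int, Account] = {}
        self._by_identity: Dict[IdentityKey, int] = {}
        self._by_email: Dict[str, int] = {}
        self._next_id = 1

    def sign_in(self, login: ProviderLogin) -> Tuple[Account, str]:
        """Resolve a provider login to an Acme account.
        Returns (account, outcome) with outcome in {'existing', 'linked', 'created'}."""
        key = (login.provider, login.subject)

        # 1. The provider's stable id wins.  A user who changed their e-mail at
        #    Facebook or LinkedIn still lands on the same Acme account.
        if key in self._by_identity:
            return self._accounts[self._by_identity[key]], "existing"

        # 2. Merge on e-mail only when the provider says it verified the address.
        #    Otherwise anyone who registers victim@example.com at a provider that
        #    does not verify e-mail walks straight into the victim's Acme account.
        email = None
        if login.email and login.email_verified:
            email = normalize_email(login.email)
            if email in self._by_email:
                acct = self._accounts[self._by_email[email]]
                self._link(acct, key)
                return acct, "linked"

        # 3. No match: new account.  With no verified e-mail (Twitter, or an
        #    unverified claim) it is keyed on the provider identity alone.
        acct = Account(account_id=self._next_id, email=email)
        self._next_id += 1
        self._accounts[acct.account_id] = acct
        if email is not None:
            self._by_email[email] = acct.account_id
        self._link(acct, key)
        return acct, "created"

    def _link(self, acct: Account, key: IdentityKey) -> None:
        acct.identities.add(key)
        self._by_identity[key] = acct.account_id
```

The unverified case deliberately creates a separate account rather than refusing the sign-in outright; if you would rather not let those users in at all, that branch is where you bounce them to your own email-verification flow.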


Side Notes: 
  • Sign the user in first, then request any extra permissions
  • Check the email is verified (e.g. the `email_verified` claim), otherwise what's the point
  • If you want a phone number, validate it using https://github.com/googlei18n/libphonenumber/
  • Also, why not send an authentication code to it
  • If rolling your own login, make sure users validate the email by clicking on a link you emailed them, etc.
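For the last two side notes, here is an added example of the two roll-your-own verification flows (a clickable link and a short authentication code); it is not code from the original post, and the TTLs and attempt cap are assumed policy values. The two flows are deliberately treated differently: a link token has 256 bits of entropy and only its hash is stored, while a six-digit code has about 20 bits, so it is short-lived and capped at a handful of guesses before it is burned.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Set, Tuple

# Assumed policy values, not from the original post.
LINK_TTL_SECONDS = 60 * 60      # an e-mailed link is good for one hour
CODE_TTL_SECONDS = 10 * 60      # a 6-digit code is good for ten minutes
CODE_MAX_ATTEMPTS = 5           # then the code is burned and a new one must be sent


class EmailVerifier:
    """Issues and checks single-use e-mail verification links and codes.

    Links carry a 256-bit random token; only its SHA-256 hash is stored, so a
    leaked table does not yield usable links.  Six-digit codes have ~20 bits of
    entropy, so they are short-lived and capped at a few attempts instead.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                                   # injectable for tests
        self._links: Dict[str, Tuple[str, float]] = {}        # token hash -> (email, expiry)
        self._codes: Dict[str, Tuple[str, float, int]] = {}   # email -> (code, expiry, attempts)
        self.verified: Set[str] = set()

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    # --- link flow: "click this link to confirm your address" ---------------
    def issue_link_token(self, email: str) -> str:
        """Return the token to embed in the e-mailed URL; it is never stored in clear."""
        token = secrets.token_urlsafe(32)                      # OS CSPRNG, 256 bits
        self._links[self._hash(token)] = (self._norm(email), self._clock() + LINK_TTL_SECONDS)
        return token

    def confirm_link(self, email: str, token: str) -> bool:
        entry = self._links.pop(self._hash(token), None)       # pop: single use, even on failure
        if entry is None:
            return False
        stored_email, expires_at = entry
        if self._clock() > expires_at or stored_email != self._norm(email):
            return False                                       # expired, or token bound to another address
        self.verified.add(stored_email)
        return True

    # --- code flow: "enter the 6-digit code we sent you" --------------------
    def issue_code(self, email: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[self._norm(email)] = (code, self._clock() + CODE_TTL_SECONDS, 0)
        return code

    def confirm_code(self, email: str, code: str) -> bool:
        key = self._norm(email)
        entry = self._codes.get(key)
        if entry is None:
            return False
        stored, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= CODE_MAX_ATTEMPTS:
            self._codes.pop(key, None)                         # burned: force a fresh code
            return False
        if not hmac.compare_digest(stored.encode(), code.encode()):   # constant-time compare
            self._codes[key] = (stored, expires_at, attempts + 1)
            return False
        self._codes.pop(key, None)
        self.verified.add(key)
        return True
```

The link token is bound to the address it was issued for, so a token from one sign-up cannot be replayed to verify a different address, and it is popped on first use whether or not the check succeeds. The same structure works for the phone number side note, with the code going out by SMS instead of email.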



Facebook has a nice article on this stuff @
https://developers.facebook.com/docs/facebook-login/multiple-providers where they explain how you should merge existing accounts using the email address! (Which happens to be the approach taken in this article.)

Basic Stuff: 
Google Sign-In for Websites: https://goo.gl/5MiKLZ
Google Developer Console: https://goo.gl/ppwHMi
Design Guidelines: https://goo.gl/BrLYKy
Google Sign-In Sample Code: https://goo.gl/GP8lht




