I need to implement facebook-connect to a website where users already might have their internal accounts. If internal account doesn't exist, it should be created from facebook credentials. Also it should be possible to link an existing account to facebook account. The technical implementation is clear to me, but I am more interested about a practical, optimal, and understandable user activity workflow.
1) My initial idea was to have a login form with user and password fields and two buttons: "connect with facebook" and "login". If "login" is pressed, the internal account is normally logged in. If "connect with facebook" is pressed, the user is connected to facebook and then depending on the state of user and password, I could retrieve the internal user and bind it with facebook user, or create a new internal user and bind it to facebook user, or retrieve the internal user that is binded to the facebook user. However, there I see some gotchas in the workflow. What if the user and password entered are of a different internal user than the one that is binded to the facebook account?
I will try to illustrate the problem in pseudocode:
if "login" is pressed:
internal_user = authenticate(username, password)
if "connect to facebook" is pressed:
facebook_user = get_facebook_user()
if username and password are filled in:
internal_user = authenticate(username, password)
if facebook_user has no internal_user:
facebook_user.bind_internal_user(internal_user)
else:
# conflict! what to do with it?
# facebook_user.get_internal_user() != internal_user
else:
if facebook_user has internal_user:
internal_user = facebook_user.get_internal_user()
else:
internal_user = facebook_user.create_internal_user()
internal_user.login()
Also users might get confused asking themselves if they need to enter facebook username and password or the username and password of the website.
2) Another option could be to have a login form, connect to facebook, and registration form as three different options, where connect to facebook would either get or create an internal account; and then a separate optional form for logged-in users to bind their facebook accounts. But then again there would be possibilites left to create a duplicate internal account.
What are the best practices to deal with that? What are the other websites using mostly?
Login form:
[username] |
[password] | or [fbconnect button] with facebook
[ok] |
(two mutually exclusive sections "either or", you don't need to fill out the login form if you use facebook)
Once a user is connected with FB and you don't have associated user account for this uid then you popup another form:
Welcome,
Please choose username for this site:
[username] [ok]
(you can prompt to select a password as well if you want)
----------------------------------------------------
If you already have an account on our site please enter your credentials:
[username]
[password]
[ok]
After this step you should be covered - no matter which way they chose the result should be the same.
Usually you don't prompt for password for facebook connected users during login, they just use facebook connect button, so randomly generated password would do. If you want to create full scale account that could be used without facebook then you prompt for a password (but still don't use it for facebook login).
FBConnect should ignore your username/pass, in your database you need to store the fb tokens which will be returned from a fb connect login. If the user successfully logs in you will be redirected to a page of your choosing where you can take that fb token and compare it to the database and ignore the username/password. The username/password they filled in on the form will be ignored when fb pops up its own login window.
I hope that answers your question.
Related
In my Spring Boot I'd like to have both social login and signup with user and password.
Let's say the user signs-up via Google. After some time, he forgets that he signed-in via Google and tried to register using the same email.
What should happen in this case?
Should I save user info (returned by Google) in a "users" table of my database to prevent the same user to register twice?
Is there an article or something that explains a similar login/registration flow?
you can save all the users(OAuth or signup) in the user table. you can maintain a column by which you will be able to identify them if a user is signed in via OAuth or email. then if a user tries to signup via the same email you can show a message. or you can design your signup process using multiple steps. at first, the user needs to enter her email address, then you can send her an email where she needs to click some link that has some token in the url, if she previously logged in using some oath provider then she will be automatically logged in otherwise she needs to set her password.
I am adding a Login with Facebook button to my Larvel web app. Users can already register using an email and a password, So what I need to do is to give the users the ability to Login with Facebook, without having to register using Facebook from the beginning. I have already accomplished this, but I facing a security issue.
The authentication flow goes like this once a user cliks the Login with Facebook button:
Redirect users to facebook -> Users enter their email and password -> Facebook returns the user object back -> If the email returned with the user object exists in my database, log the email owner in.
Mostly you have already noticed the problem, but if not, consider this case:
If a user registers with their email in my application, and happens to not have a facebook account associated with that email, then anyone can register a new facebook account with that email, and then just simply log in into my application (Because that email exists in my database!!)
I have been googling this for quite a while now, and it seems like there's no one mentioning this problem, I am assuming this is because I might just be doing it the wrong way!, or maybe it's just done this way! Not really sure.
So, I am seeking guidance, how is this done right?
My app is currently released without any Parse Facebook login. I am working to add this now.
Currently my user's have their Parse account by signing up with username and password.
I am going to add a button in the app to allow that user to link his account to Facebook by using:
if !PFFacebookUtils.isLinkedWithUser(user) {
PFFacebookUtils.linkUserInBackground(user, withReadPermissions: nil, block: {
(succeeded: Bool?, error: NSError?) -> Void in
if (succeeded != nil) {
QL1("Woohoo, the user is linked with Facebook!")
} else {
QL4("Booo, the user is not linked with Facebook!")
}
})
}
The problem is the following:
If user decides to log off and then click on the facebook login button, then Parse library will create a brand new user account for that user and he will "lose" his previous account.
I am trying to come up with a way where when he logs in via Facebook, first I search the User table for the given username. If I cannot find it, then it's a brand new user and all good. But if I can find a record then:
1- I must delete the user that was created in the Facebook log in process
2- I must log out
3- I must login with the user that was found and link his account to facebook (it will probably trigger a second Facebook permission screen, which is also a bad thing...)
Step 1 and 2 I can do... the problem is to programatically log in someone, since the password field is empty when you do a PFUser.query()
Can anyone suggest any alternative please?
Another thing I thought was: If user logs in with Facebook and already have an account, I log him off and pop and alert up telling him to login using his password and then link the app from within the app...
This definitely would work, but the UX is not that awesome.
Thanks
I am working on a Laravel 4.2 project.
I already have implemented an email activation module for new user registration. Whenever a new user registers, I provide an activation link to him in an email and clicking on link, I compare the token (a random string with 30 characters) I have provided with link and user's email address with database records. If found to be matching, I just set is_active field of users table to true and redirect him to login page with a Congratulations message for successful activation.
But now, I DON'T want him to redirect to login page, but if successful activation, I want him logged in directly to his account.
But I believe that authenticate an user with just a string token and email address is not a secure way.
There must be something that I can trust on. Many sites do this including stackoverflow itself but I am not sure how?
Can you please guide me how to do this?
I am creating a webpage using Azure ACS, or "Windows Azure Active Directory Access Control" as it's also called.
I have managed to get this to work, and upon login I extract the claim information like this:
var identity = Thread.CurrentPrincipal.Identity as Microsoft.IdentityModel.Claims.ClaimsIdentity;
I then store the nameidentifier in a database so I can recognize the user when he logs in again.
Now I want to let the user log in using another identity while he is still logged in with the first one so that I may associate these two claim sets to the one user.
When I direct him to the acs loginpage and he is redirected back after logging in the list of claims in the identity is still the same, it doesn't contain new claims for the new identity he logged in with. Do I have to somehow store an identity in a cookie and log him off before redirecting him to the ACS login page to get the next identity claim information? If not how is this done?
You'll have to implement something like a verification code that will allow you to identify the user and store its various name identifiers.
user logs in
is it a "verified" user, i.e., its name
identifier is associated with a user?
2a. Yes, proceed.
2b. No, ask
for the verification code
2b1. Valid code, associate user with
verification code
2b2. Invalid code, go to 2b
This way multiple identities can be associated with the same user through the verification code.
Hope this helps!