You may have noticed that many sites now show Facebook, Twitter, Google+ or other social-network buttons on their sign-up and sign-in pages. The idea is to make signing up and logging in a little easier for users. What actually happens when you click one of those links? Have you ever tried it?
Let's look at how you, as a developer, can build this feature for your own site. We'll walk through a use case.
A user arrives at the sign-in page of your site and sees a "Log in with Facebook" (or Twitter, Google, or any other provider you have integrated) link. He already has an account with one of those social networks. He clicks the link and is redirected to that provider's site to authenticate. He enters his credentials there, on the provider's site, not on yours. Once the provider has authenticated him, and if this is the first time he has used it to log in to your site, he is asked to agree to share his profile data with the site he came from.
When the user consents, the provider redirects him back to your site, and your site receives his profile information. His password is never sent to your site. Instead, the provider issues a token for this session and sends it along with the profile data. This token is specific to that user and to your site (your registered application), and all further communication between your site and the provider uses it. Your login system takes the essential profile data, creates a session on your site, and treats him as a logged-in user.
You can store this user information in your database and email him an invitation to set up credentials for logging in to your site directly in future (never send a password itself by email). If he does not want to log in directly, he can still log in again through the social network he chose. On every such login, check whether he is already a stored user by looking him up with a unique identifier. Prefer the provider's stable user ID over the email address: not every provider verifies email addresses, so matching on email alone could let someone log in as an existing user. If he is not found, store him; otherwise, log him straight in to the authenticated section of your site.
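The server side of the flow just described, as an added example that is not code from the original post. The provider name, endpoints, client ID, redirect URI and the in-memory "database" are assumptions, and the token exchange is simulated with a constructed profile so that the module runs offline. It shows the three checks a practitioner cares about: a random `state` value tied to the browser session and verified on the callback (so an attacker cannot complete a login in the victim's browser with his own code), one-time use of that state, and account lookup keyed on the provider's user ID rather than on the email address.

```python
"""Added example (not from the original post): the server-side half of a
'Login with <provider>' flow.  Provider endpoints, client_id, redirect URI
and the in-memory database are hypothetical; the token exchange is
simulated so the module runs offline."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical provider configuration (assumption); real providers publish
# these values in their developer documentation.
PROVIDER = {
    "name": "example-social",
    "authorize_url": "https://social.example.com/oauth/authorize",
    "client_id": "my-site-client-id",
    "redirect_uri": "https://mysite.example/auth/callback",
    "scope": "profile email",
}


def begin_login(session):
    """Step 1: store a random state in the user's session and build the
    redirect URL that sends the browser to the provider."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": PROVIDER["client_id"],
        "redirect_uri": PROVIDER["redirect_uri"],
        "scope": PROVIDER["scope"],
        "state": state,
    }
    return PROVIDER["authorize_url"] + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Step 2: the provider redirects back with ?code=...&state=...
    Reject the request unless the state matches the one stored in this
    browser's session.  The state is popped, so it can be used only once."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        raise PermissionError("state mismatch: possible login CSRF, aborting")
    if "error" in query:
        raise PermissionError("provider returned error: " + query["error"][0])
    return query["code"][0]


def exchange_code_for_profile(code):
    """Step 3 (simulated): a real implementation POSTs the code and the
    client secret to the provider's token endpoint, then fetches the profile
    with the returned access token.  Here a constructed profile is returned
    so the module runs offline."""
    if code != "constructed-auth-code":
        raise PermissionError("provider rejected the code")
    return {
        "access_token": "constructed-token",
        "id": "1234567890",          # the provider's stable user id
        "email": "alice@example.org",
        "name": "Alice",
    }


def find_or_create_user(db, provider_name, profile):
    """Step 4: look the user up by (provider, provider user id), not by
    e-mail alone: a provider that does not verify addresses would otherwise
    let anyone who registers the victim's address log in as the victim."""
    key = (provider_name, profile["id"])
    user = db["by_identity"].get(key)
    if user is not None:
        return user, False
    user = {"name": profile["name"], "email": profile["email"], "identity": key}
    db["users"].append(user)
    db["by_identity"][key] = user
    return user, True


if __name__ == "__main__":
    session, db = {}, {"users": [], "by_identity": {}}
    print("redirect browser to:", begin_login(session))
    # Constructed callback, as the provider would send it after consent.
    cb = PROVIDER["redirect_uri"] + "?code=constructed-auth-code&state=" + session["oauth_state"]
    profile = exchange_code_for_profile(handle_callback(session, cb))
    user, created = find_or_create_user(db, PROVIDER["name"], profile)
    print("logged in:", user["name"], "(new account)" if created else "(existing account)")
```

In a real deployment the session dictionary is the server-side session store, the callback handler is the route registered as the redirect URI with the provider, and the client secret used in step 3 lives only on the server.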
All of these redirections and authentications happen through APIs provided by the authenticating sites. Most of them offer a sign-in API but no sign-out API that would also end the session at the provider (there are a few exceptions). When a user logs in to your site through such a provider, he has to be actually logged in to that provider's site as well. When he later clicks the logout link on your site, he is logged out of your site only, not of the provider. This is a risk when a user accesses your site from a public computer and forgets to log out of the provider: the next person at that machine inherits the still-open provider session, and can use it to log back in to your site as him. His account would be compromised.
As the developer of the site, you should inform your users about this risk before they use a third-party authentication system for your site. Developers need to register an application with each of these providers to obtain an application ID and a secret key; the secret key is used in the server-to-server exchanges with the provider and must be kept on the server, never exposed in client-side code.
Here are a few providers of such open authentication (OAuth) services. They let their users, the resource owners in OAuth terminology, authorize another web site or web service to access their resources without sharing their credentials with it:
Amazon, Dropbox, Facebook, Flickr, GitHub, Instagram, LinkedIn, Twitter, Tumblr, and many others.