I have read too much pages and tried scribe samples but I miss the most important point - what is unique and persistent user id for oauth authentication?
I want to implement website where user can sign in with Google, FB, twitter etc. I expect that flow is:
Now I can use this access token in provider's APIs, for example to browse google drive or post malicious tweets. Fine, but all I want is to get some kind of id that I can store in database and associate it with user account. So when user comes next time, I can recognize him.
I do not think that access token is what I want. I ran scribe examples and this value changes with each call.
Shall I find some provider API that returns user's login and call it each time he logs in? I do not like this idea because this is (in my eyes) extra HTTP connection for each login. And for example google drive sample will return bunch of data, when all I need is few characters. I think that I miss some important point there. Or is it really designed this way?
The tokens are opaque. They don't contain user information. What everybody does in that case is keeping a separate database with [USER_ID
, ACCESS_TOKEN
] so when the user logs in you can fetch it's access token. If you log to multiple services perhaps you also need a SERVICE_NAME
to separate twitter from google tokens.
OAuth is not an authentication or login protocol, it wasn't designed as one so, while you may be able to get the user identity via ad-hoc extensions (Twitter returns the user_id
on the access token response) or making further requests, it will always be a hack.
Perhaps a better fit for your needs is OpenID (and scribe won't help you here, unfortunately)