Tags: java, facebook, twitter, oauth, scribe

Building oauth login with Scribe


I have read too many pages and tried the scribe samples, but I miss the most important point: what is the unique and persistent user id for OAuth authentication?

I want to implement a website where users can sign in with Google, FB, Twitter etc. I expect that the flow is:

  1. the servlet asks the selected authorization provider for a request token
  2. the servlet constructs the authorization URL and redirects the user there
  3. the user grants permission
  4. the authorization service redirects to the callback and passes the verifier as a parameter
  5. the callback's servlet asks the authorization provider for an access token

Now I can use this access token with the provider's APIs, for example to browse Google Drive or post malicious tweets. Fine, but all I want is some kind of id that I can store in a database and associate with a user account, so that when the user comes back next time I can recognize him.

I do not think that the access token is what I want. I ran the scribe examples and this value changes with each call.

Shall I find some provider API that returns the user's login and call it each time he logs in? I do not like this idea because it is (in my eyes) an extra HTTP connection for each login. And, for example, the Google Drive sample will return a bunch of data when all I need is a few characters. I think that I am missing some important point here. Or is it really designed this way?


Solution

  • The tokens are opaque. They don't contain user information. What everybody does in that case is keep a separate database with [USER_ID, ACCESS_TOKEN], so when the user logs in you can fetch their access token. If you log in to multiple services, perhaps you also need a SERVICE_NAME to separate Twitter tokens from Google tokens.

    Edit

    OAuth is not an authentication or login protocol; it wasn't designed as one. So, while you may be able to get the user identity via ad-hoc extensions (Twitter returns the user_id in the access token response) or by making further requests, it will always be a hack.

    Perhaps a better fit for your needs is OpenID (and scribe won't help you here, unfortunately).
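The following servlet is an added example, not code from the question, the answer or the Scribe project. It walks the five steps of the flow in the question and then applies the answer's advice: it pulls `user_id` out of Twitter's access token response (Scribe keeps the raw body on the `Token`, so no extra API call is needed for Twitter) and stores the token under a (service, user_id) key rather than treating the token itself as the identity. It assumes Scribe 1.3.x (`org.scribe.*` packages, `Token.getRawResponse()`), the Servlet API, and placeholder consumer credentials and callback URL; the `ACCOUNTS` map stands in for the [SERVICE_NAME, USER_ID, ACCESS_TOKEN] table and is a hypothetical name.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.scribe.builder.ServiceBuilder;
import org.scribe.builder.api.TwitterApi;
import org.scribe.model.Token;
import org.scribe.model.Verifier;
import org.scribe.oauth.OAuthService;

/**
 * Hypothetical login servlet. GET /login/twitter starts the dance;
 * the provider calls back to the same URL with oauth_token and oauth_verifier.
 */
public class TwitterLoginServlet extends HttpServlet {

    // Placeholder values: real ones come from configuration, not from source.
    private static final String CONSUMER_KEY = "YOUR_CONSUMER_KEY";
    private static final String CONSUMER_SECRET = "YOUR_CONSUMER_SECRET";
    private static final String CALLBACK = "https://example.invalid/login/twitter";
    private static final String SERVICE_NAME = "twitter";

    // Stand-in for the [SERVICE_NAME, USER_ID, ACCESS_TOKEN] table from the answer.
    // Key is "service:user_id"; the value is the latest access token for that account.
    private static final Map<String, Token> ACCOUNTS = new ConcurrentHashMap<>();

    private final OAuthService service = new ServiceBuilder()
            .provider(TwitterApi.class)
            .apiKey(CONSUMER_KEY)
            .apiSecret(CONSUMER_SECRET)
            .callback(CALLBACK)
            .build();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String verifier = req.getParameter("oauth_verifier");
        if (verifier == null) {
            startLogin(req, resp);
        } else {
            finishLogin(req, resp, verifier);
        }
    }

    // Steps 1 and 2: get a request token, keep it server-side, send the user to the provider.
    private void startLogin(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Token requestToken = service.getRequestToken();
        req.getSession(true).setAttribute("oauth.requestToken", requestToken);
        resp.sendRedirect(service.getAuthorizationUrl(requestToken));
    }

    // Steps 4 and 5: the provider sent the user back; swap request token + verifier for an access token.
    private void finishLogin(HttpServletRequest req, HttpServletResponse resp, String verifier)
            throws IOException {
        HttpSession session = req.getSession(false);
        Token requestToken = session == null ? null : (Token) session.getAttribute("oauth.requestToken");
        // The callback is only valid for the request token this session started with;
        // reject anything else so an attacker cannot complete a login they did not start here.
        if (requestToken == null || !requestToken.getToken().equals(req.getParameter("oauth_token"))) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "no matching login in progress");
            return;
        }
        session.removeAttribute("oauth.requestToken"); // one-shot

        Token accessToken = service.getAccessToken(requestToken, new Verifier(verifier));

        // Twitter's access token response body is form-encoded and carries user_id and
        // screen_name next to oauth_token/oauth_token_secret. Scribe keeps that raw body.
        Map<String, String> fields = parseFormBody(accessToken.getRawResponse());
        String userId = fields.get("user_id");
        if (userId == null) {
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY, "provider did not return user_id");
            return;
        }

        // Persist by (service, user_id): the token changes on every exchange, the id does not.
        // The id is trusted because it arrived in the signed token exchange, not in the query string.
        String accountKey = SERVICE_NAME + ":" + userId;
        ACCOUNTS.put(accountKey, accessToken);
        session.setAttribute("accountKey", accountKey);
        resp.sendRedirect("/");
    }

    /** Splits "k=v&k2=v2" into a map. Twitter's user_id is numeric, so no URL decoding is needed. */
    static Map<String, String> parseFormBody(String body) {
        Map<String, String> out = new HashMap<>();
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) {
                out.put(pair.substring(0, eq), pair.substring(eq + 1));
            }
        }
        return out;
    }
}
```

Two caveats. Key the account on `user_id`, not `screen_name`: the numeric id is stable, the handle can be changed and later reassigned. And this shortcut only works because Twitter happens to put `user_id` in the token response; for a provider that does not, the identity has to come from the "further requests" the answer mentions (a profile or userinfo call made once per login with the fresh access token).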