I have a client who's requesting the use of OAuth on their site so users can authenticate using their Facebook or Google credentials. I was wondering what information during the process is persistent so I can link them to their account records in my database.
My first instinct was to use the final token (the one used to actually request information from whatever site) but from my understanding those tokens can expire thus breaking my link. How can I identify who is who if their token expires?
If you're still unsure of what I mean, take stackoverflow as an example. I log in to stackoverflow using my Google credentials. How does stackoverflow associate my OAuth login with my account information? Something has to persist.
I feel like I'm missing something glaringly obvious, but for some reason I can't connect the dots. Most likely due to my ignorance regarding OAuth.
Any insight would be greatly appreciated.
EDIT: I just realized stackoverflow uses OpenID. Am I barking up the wrong tree? Can this be accomplished with OAuth?
It depends on what you're trying to accomplish. If the client wants to be able to manipulate the user's data on Facebook from their site, then something like OAuth is going to be necessary.
If the client just wants to keep their users from needing to create another user name and password, then OpenID is probably the way to go.
If you use OAuth, when the token expires you have to go through the login process again and ask for another one. The timeout is a valuable security feature.