What are best practices for social login?

We are implementing login through social sites like Facebook, LinkedIn, Twitter, g+, etc., but wondering about best practices. How are folks dealing with the same user that has different email addresses tied to different social sites?

Ideally, you would let users log in as any of their social identities, yet associate all of their social identities with the same internal user record. Have folks accomplished this easily? Are there good examples of how most sites are dealing with this?


Thanks!

6 Replies

Dennis Kayser
2
0
Dennis Kayser Entrepreneur
Co-founder & CEO Forecast.it - Intelligent PPM
Hi Lucia,

It's fairly easy to do. However, it sounds like you've tied your user identities up on email instead of a unique user identifier, which is not good practice. What happens if the user wishes to change their existing email? I assume that's possible, otherwise you have a serious technical flaw.

The core idea is that models for a local site identity and the third-party site identities are kept isolated, but are later linked. So every user that logs into the site has a local identity which maps to any number of third-party site identities.

The third-party identities contain information relevant only to authenticating with a third-party. For OAuth, this typically means a user identifier (like an id, email, or username) and a service identifier (indicating what site or service was authenticated with). In other parts of the application, outside of the database, that service identifier is paired with a method for retrieving the relevant user identifier from that service, and that is how authentication is performed.

Let me know if you need more details.
Igor Chernyy
0
0
Igor Chernyy Entrepreneur
Senior Cloud Architect at Lyric Labs
Hi Lucia,

The way this usually works is that you provide the user an ability to log in using their Google credentials (for example). The way this works is, in essence, you redirect them to Google, where they will be able to provide their credentials; after that Google will say something like "Such and such website would like access to your basic information", and they will have an option for yes / no. Now assuming they said Yes, Google will redirect them back to your website and give you a key that you can then use to access some of the basic information that is associated with that user (to the level that you requested or the user gave you permissions). That key is usually valid for a long period of time or until the user revokes it.

You can then use basic information you pulled about the user from Google in your local database (and/or use that information to create an account for the user) and you also store that key so you can keep that information updated. Next, let's say you want to connect a Facebook account; the system is exactly the same: you redirect the user to Facebook. The user logs in, gives you permissions, and Facebook sends him back with the key.

Most big social networks support this type of system today. I can go into technical details of how this API works. Most places call it "Login API" but it varies from site to site.

As for examples, you can take a look at how this (FounderDating) website does it, since you can associate your LinkedIn/Facebook/Twitter account with your FD account.
Andrew Ballard
1
0
Andrew Ballard Entrepreneur
Integrating business, technology and creative workflows in a master data management world.
Hi there Lucia - I've had to consider this exact issue on my site, http://webcred.it

The process I use on Webcred.it is to allow a new user to sign up with the OAuth provider of their choice. Five seconds later, the user is logged in, and their basic contact points are stored.

After that painless experience, the technique is to then offer to *connect* that registered user to their other social accounts. For the user, it's entirely optional. Technically, it's relatively straightforward, since you have the user's first contact points - so you're simply updating their record to add more data.

That means that when they log back in again on a different social media account, chances are we have that record, too. (As Dennis suggested, their Unique ID from that OAuth provider is a better match than their email address).

The edge case is if they happen to log back in on a different social media account.
-- I do try to match email addresses across the different social media accounts - on the basis that the social media provider has already asked them to confirm that email account. (This works for Facebook, Google and LinkedIn - Twitter doesn't collect emails, for instance)
-- This is a fallback, though, and I have seen both some mis-matches, AND some issues where users have two Facebook/Twitter/etc accounts (one for work, another for personal). This can be solved by the first process: asking the authorised user to connect to the other accounts, which re-connects the social media accounts.

There are extreme edge cases, I'm sure, so I'd be keen to keep reading more solutions to this topic.

Note that I don't offer a generic email signup alternative. The convenience of the social one-click login is just too good to have to verify email addresses and do password reminders.

Feel free to poke around http://webcred.it
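
An added sketch, not part of any reply in this thread and not Webcred.it's or any poster's code, of the model Dennis and Andrew describe: external identities keyed on (provider, provider user id) and linked to a local user, an explicit connect step for a logged-in user, and the email fallback restricted to addresses the provider reports as verified. The table, column and function names and the sample ids are assumptions made up for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT);
CREATE TABLE identities (
    provider TEXT NOT NULL,      -- service identifier, e.g. 'google'
    subject  TEXT NOT NULL,      -- provider's own user id, not the email
    user_id  INTEGER NOT NULL REFERENCES users(id),
    email    TEXT,
    email_verified INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (provider, subject)  -- one external identity, one owner
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _owner(db, provider, subject):
    row = db.execute("SELECT user_id FROM identities WHERE provider=? AND subject=?",
                     (provider, subject)).fetchone()
    return row[0] if row else None

def _link(db, uid, provider, subject, email, verified):
    db.execute("INSERT INTO identities VALUES (?,?,?,?,?)",
               (provider, subject, uid, email, int(verified)))

def login(db, provider, subject, email=None, email_verified=False, name=""):
    """Map a provider callback to a local user id; create the user on first sight."""
    uid = _owner(db, provider, subject)
    if uid is not None:
        return uid                     # known identity; a changed email is irrelevant
    if email and email_verified:       # fallback: verified on both sides, one owner only
        rows = db.execute("SELECT DISTINCT user_id FROM identities WHERE "
                          "email_verified=1 AND lower(email)=lower(?)", (email,)).fetchall()
        if len(rows) == 1:
            uid = rows[0][0]
    if uid is None:
        uid = db.execute("INSERT INTO users(display_name) VALUES (?)", (name,)).lastrowid
    _link(db, uid, provider, subject, email, email_verified)
    return uid

def connect(db, session_uid, provider, subject, email=None, email_verified=False):
    """Explicit 'connect another account' step for an already logged-in user."""
    uid = _owner(db, provider, subject)
    if uid is not None and uid != session_uid:
        raise PermissionError("identity is already linked to another account")
    if uid is None:
        _link(db, session_uid, provider, subject, email, email_verified)
    return session_uid
```
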
Jon Lunardi
0
0
Jon Lunardi Entrepreneur • Advisor
CEO of ScholarVets.com | Military & Veteran Advocate | Education Technologist | DC Entrepreneur | OU Sooner for Life!
You can look at what we have done at ServingVets.com. We are moving toward every user must have an internal account and then they can link/add any of their other social logins to associate their social graphs and whatever else the API enables. Facebook is limiting their API in April and FB is by far our most popular login, Google is 2nd. Also look at how SocialRadar.com does it on their app. They have a great UX for it and I believe they do it the best. SocialRadar is all former Blackboard employees so they know what they are doing.

Jonathon Lunardi
CEO ServingVets.com - Be Fearless!
Karl Schulmeisters
1
0
Karl Schulmeisters Entrepreneur
CTO ClearRoadmap

If a user has different Social Media identities - that is their choice. If they opt to present you with a single oAuth identity and not the others (as Igor described the oAuth process) - that's their choice.

If they choose to use a single oAuth identity across all social media - great. If not - it's up to them to figure out which - if any - to use with you.

Assuming they want to integrate all of them is a huge presumption on your part and a potential privacy violation.

Philip Jones
0
0
Philip Jones Entrepreneur
Web Designer/Developer at Gogo
We are implementing through the developer track in Facebook and Twitter. They have modules that can be implemented in your site. So when you click