Facebook and Google login #47

Open
Neketek opened this issue Mar 21, 2018 · 8 comments

Neketek commented Mar 21, 2018

We need to start researching how to implement Facebook and Google login, because these two are the most popular on the web. It's very important to have such functionality because we can use it as a good selling point: Facebook and Google login allow easy user conversion, which is very important for clients who want to develop a popular service.

Neketek commented Mar 22, 2018

Generally speaking, these two are just OAuth 2.0 protocol implementations by Google and Facebook respectively. I expect that the sign up and login workflow will be simple enough.

  1. Get OAuth token from client application.
  2. Send OAuth token to server.
  3. Get email of the account to which the access token belongs.
  4. If the email already exists and is connected to a user account, the server should update the user's cookie session token, which is responsible for web request authentication.
  5. If the email does not exist or is not connected to a user account, the server should create a new user account using the server-side API of the selected third party; in other words, perform the sign up operation using data obtained with the OAuth token.

Neketek commented Mar 23, 2018

I successfully integrated the Facebook SDK. Now I need to implement the login flow according to my plan, but I also need to synchronize it with the Facebook developer documentation.

  • Implementation plan review according to Facebook documentation and recommendations.
  • Facebook login server side

Neketek commented Mar 24, 2018

Screenshot from 2018-03-24 19-36-12.png

Neketek commented Mar 24, 2018

I need to decode the signed request data to obtain the code from it. Then I should obtain a long-lived access token and verify the user email using that token, not the token which I received from the client application.

Neketek commented Mar 24, 2018

After a long investigation I found that this is not the way it should work in the case of a web app.
I will verify the token by:

  1. Decoding the encrypted data which was encrypted with the app secret key
  2. Getting information about the token via /debug_token?input_token={x}&access_token={y} and comparing the encrypted user_id with the user_id received from the API call, and the configured app_id with the app_id received from the API call.

Then I will get email, first_name and last_name using the API. This data grants the ability to create a new account or log in to an existing one.

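As an added example (not code from this project), here is how the verification described in the comment above can be done in Python: parse the signed_request that the Facebook JS SDK hands to the page, check its HMAC-SHA256 signature with the app secret, and compare the user_id and app_id in the signed payload against the "data" object returned by /debug_token. The app id, app secret, signed_request and /debug_token response below are constructed for the example; the real /debug_token call is a Graph API HTTPS request that is not made here.

```python
import base64
import hashlib
import hmac
import json

# Constructed credentials for the example; real values belong in server-side config.
APP_ID = "123456789012345"
APP_SECRET = "constructed-app-secret-do-not-reuse"


def _b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url (the encoding Facebook uses in signed_request)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request: str, app_secret: str) -> dict:
    """Check the HMAC-SHA256 signature of a signed_request and return its payload.

    Wire format is "<base64url(signature)>.<base64url(JSON payload)>"; the MAC is
    computed over the still-encoded payload string with the app secret as key.
    Raises ValueError on any malformed or forged input.
    """
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
    except ValueError:
        raise ValueError("malformed signed_request: expected '<sig>.<payload>'")
    expected = hmac.new(app_secret.encode("utf-8"), payload_b64.encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so a forger cannot learn the MAC byte by byte.
    if not hmac.compare_digest(_b64url_decode(sig_b64), expected):
        raise ValueError("signed_request signature mismatch")
    data = json.loads(_b64url_decode(payload_b64).decode("utf-8"))
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm: %r" % data.get("algorithm"))
    return data


def is_valid_signed_request(signed_request: str, app_secret: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_signed_request(signed_request, app_secret)
        return True
    except ValueError:
        return False


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Produce a signed_request as the SDK would; used here only to build test input."""
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(app_secret.encode("utf-8"), payload_b64.encode("ascii"),
                   hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + payload_b64


def cross_check_token(signed_data: dict, debug_data: dict, app_id: str) -> bool:
    """Compare the signed payload with the "data" object of a /debug_token response.

    Rejects tokens that Facebook reports as invalid or expired, tokens issued to a
    different app (e.g. a token captured on some other site), and tokens that
    belong to a different user than the one the signed_request names.
    """
    if not debug_data.get("is_valid", False):
        return False
    if str(debug_data.get("app_id")) != str(app_id):
        return False
    if str(debug_data.get("user_id")) != str(signed_data.get("user_id")):
        return False
    return True


# --- constructed sample input (nothing below comes from Facebook) ---
SAMPLE_PAYLOAD = {"algorithm": "HMAC-SHA256", "code": "AQB-constructed-code",
                  "issued_at": 1521900000, "user_id": "10001234567890"}
SAMPLE_SIGNED_REQUEST = make_signed_request(SAMPLE_PAYLOAD, APP_SECRET)
# Payload signed with a guessed key, as a forgery attempt would look.
FORGED_SIGNED_REQUEST = make_signed_request(dict(SAMPLE_PAYLOAD, user_id="1"), "attacker-guess")

# Shape of the "data" object /debug_token returns (values constructed).
SAMPLE_DEBUG_OK = {"app_id": APP_ID, "is_valid": True, "user_id": "10001234567890",
                   "expires_at": 1527100000, "scopes": ["email", "public_profile"]}
SAMPLE_DEBUG_OTHER_APP = dict(SAMPLE_DEBUG_OK, app_id="999999999999999")
SAMPLE_DEBUG_EXPIRED = dict(SAMPLE_DEBUG_OK, is_valid=False)

if __name__ == "__main__":
    data = parse_signed_request(SAMPLE_SIGNED_REQUEST, APP_SECRET)
    print("signed user_id:", data["user_id"], "code:", data["code"])
    print("debug_token cross-check:", cross_check_token(data, SAMPLE_DEBUG_OK, APP_ID))
    print("forged request accepted:", is_valid_signed_request(FORGED_SIGNED_REQUEST, APP_SECRET))
```

The signature check alone proves the payload came from Facebook for this app's secret; the /debug_token cross-check is what ties the access token the client sent to that same user and to this app, which is the part a token stolen from another site would fail.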
Neketek commented Mar 30, 2018

I think I should explore the possibility of the standard static site authorization API, because it allows obtaining a special code which grants permission to get the access token at the server side.

Neketek commented Apr 4, 2018

Facebook login seems to be working well; I also managed to get a long-lived access token which allows us to operate from the server side for 2 months. I checked the integrity verification method, it's HMAC, so everything looks very secure, but despite this I decided to double check the long-lived access token via the token debug functionality, which verifies the token origin.

I started to work with Google Identity, and I need to implement almost the same functionality but using Google services.

So.

My next steps are:

  1. Google login functionality via the JS SDK, which is used primarily to obtain a short-lived access token.
  2. Google login functionality at the server side using the Python API client, which is used to obtain a long-lived access token and to get the verified user profile to create or log in to an existing user account.

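Steps 3 to 5 of the Mar 22 plan and step 2 of the Google plan above are the same server-side logic: take a profile the server has verified with the provider, then log in, link, or sign up. As an added example that is not code from this project, here it is in Python with an in-memory user table and session table. It assumes the token has already been verified (via /debug_token for Facebook, or Google's own token verification) and turned into a small profile dict; the client id, provider user ids and profiles below are constructed, and the `aud`/`sub` key names are borrowed from OpenID Connect as a neutral shape for both providers.

```python
import secrets
from dataclasses import dataclass, field

# Constructed app/client id: tokens presented to us must have been issued to it.
OUR_CLIENT_ID = "123456789012345"


@dataclass
class User:
    id: int
    email: str
    first_name: str = ""
    last_name: str = ""
    # provider name -> provider user id, e.g. {"facebook": "1000...", "google": "1039..."}
    identities: dict = field(default_factory=dict)


class AuthService:
    """In-memory stand-in for the user table and the session-cookie table."""

    def __init__(self, client_id: str):
        self.client_id = client_id
        self.users = {}          # user id -> User
        self.by_identity = {}    # (provider, provider user id) -> user id
        self.by_email = {}       # lower-cased verified email -> user id
        self.sessions = {}       # session token -> user id
        self._next_id = 1

    def resolve(self, profile: dict):
        """Map a server-verified provider profile to a local account.

        `profile` is built by the server after it has verified the token with the
        provider; expected keys: provider, aud (app/client id the token was issued
        to), sub (the provider's stable user id), email, email_verified,
        first_name, last_name.  Returns (user, action); user is None when rejected.
        """
        # A valid token for some *other* app must not log anyone in here.
        if str(profile.get("aud")) != self.client_id:
            return None, "rejected_aud"
        key = (profile["provider"], str(profile["sub"]))
        uid = self.by_identity.get(key)
        if uid is not None:                      # returning user: step 4 of the plan
            return self.users[uid], "login"
        email = (profile.get("email") or "").strip().lower()
        # Matching by email is only safe when the provider asserts the address is
        # verified; otherwise anyone who claims the victim's address at the
        # provider could attach their identity to the victim's local account.
        if not email or not profile.get("email_verified"):
            return None, "rejected_unverified_email"
        uid = self.by_email.get(email)
        if uid is not None:                      # known email, new provider: link
            user = self.users[uid]
            user.identities[key[0]] = key[1]
            self.by_identity[key] = uid
            return user, "linked"
        user = User(id=self._next_id, email=email,      # step 5: sign up
                    first_name=profile.get("first_name", ""),
                    last_name=profile.get("last_name", ""),
                    identities={key[0]: key[1]})
        self._next_id += 1
        self.users[user.id] = user
        self.by_identity[key] = user.id
        self.by_email[email] = user.id
        return user, "signup"

    def start_session(self, user: User) -> str:
        """Issue a fresh random session token and revoke the user's old ones."""
        for tok, uid in list(self.sessions.items()):
            if uid == user.id:
                del self.sessions[tok]
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[token] = user.id
        return token

    def user_for_session(self, token: str):
        uid = self.sessions.get(token)
        return self.users.get(uid) if uid is not None else None


# --- constructed profiles standing in for verified provider responses ---
GOOGLE_ALICE = {"provider": "google", "aud": OUR_CLIENT_ID, "sub": "103920000000000000001",
                "email": "Alice@Example.com", "email_verified": True,
                "first_name": "Alice", "last_name": "Liddell"}
FACEBOOK_ALICE = {"provider": "facebook", "aud": OUR_CLIENT_ID, "sub": "10001234567890",
                  "email": "alice@example.com", "email_verified": True,
                  "first_name": "Alice", "last_name": "Liddell"}
OTHER_APP_TOKEN = dict(GOOGLE_ALICE, aud="999999999999999")
UNVERIFIED_CLAIM = dict(FACEBOOK_ALICE, sub="555000111", email_verified=False)

if __name__ == "__main__":
    svc = AuthService(OUR_CLIENT_ID)
    for p in (GOOGLE_ALICE, FACEBOOK_ALICE, GOOGLE_ALICE, OTHER_APP_TOKEN, UNVERIFIED_CLAIM):
        user, action = svc.resolve(p)
        print(p["provider"], p["sub"], "->", action, user and user.identities)
    token = svc.start_session(svc.users[1])
    print("session maps back to", svc.user_for_session(token).email)
```

The lookup order matters: the (provider, provider user id) pair is the primary key for a social identity, and email is only used as a secondary key for linking when the provider says it is verified, so a provider account created with someone else's address cannot hijack the local account.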
Neketek commented Apr 12, 2018

oauth2.0 explanation