
Question

I have a requirement to implement Facebook and Google login in my web application. I also need to access a user's Facebook/Google+ friend list. I have gone through the complete OAuth2 documentation of Facebook and Google. I understood the basic concept. For example, let's say for Facebook login the steps are:

1. The user will click on the "FB Login" button.
2. The user will be asked to log in to Facebook and allow permission. If the user allows it, it will return an authorization code.
3. Now we will use the authorization code to get an access token.
4. We can store the access token in the session to start a user session.
5. Now we can use the access token to access different user resources.

Now I have some confusion after step 3. Should we generate an access token each time the user logs in, or store the access token in our DB?

If we store the access token in our DB, how can we reuse it when a user comes to our site after 10 days (let's say he cleared the browser cookies) and clicks on the "FB Login" button again? Because when the user clicks the "FB Login" button again he will get a new authorization code and have to start the complete process again. How can I recognize that this user already has an access token in my DB?

Any help would be greatly appreciated.

Explanation / Answer

Technically you can store the access token in your database, and use it for API calls until it expires. It might be more trouble than it's worth, though.

For one thing, as Jonathan notes in his comment above, now you have to worry about securing your database and the data in it - these tokens give access to some fairly privileged information about your users. Of course, simply storing the token in session storage might put it on disk too, depending on your session configuration. It's a good idea to keep it encrypted while you're not using it.

Your proposed scenario about the user clearing cookies and coming back is also an issue. You could take the access token from the database and stick it back into their cookies, but before you do that, you have to make sure they are who they say they are - and now you have to do another layer of passwords just to give them access to the token they already gave you.

You're probably better off simply re-doing the authorization flow when they come back and click the login button again. It's not that expensive. But if that truly is a showstopper for you, then storing the token is an option. You'll just have to be really careful about working through all the associated issues.
