How should I store OAuth with my own authentication system?

I have an existing signup/login system: a user enters an email and password. The password is hashed. I store it in a database.

When a user logs in, they enter their email and password. The password is hashed, and I look up the email in the database and check that the email matches. If it does, they are logged in.

I want to add a system to let users log in with a 3rd-party OAuth provider, such as GitHub. I have that set up, but I am unsure what data to store in my database.

I was thinking I take their GitHub email as the email and then use the access token for their GitHub as the password (so I would hash it and store it.)

I think this would work, but I am worried that the access tokens could change meaning they would be locked out of their account.

If I shouldn't be using the access token as a password, what should I be using? I need to store the user's email on my database but that requires a password currently, which I can't get if they use GitHub login.

(Note that when the user logs in, I call my backend to generate an access token (JWT) which I can use to retrieve their user details and then store it in local storage. I'd like to then be able to do the same thing with GitHub or whatever.)

Collard answered 28/11, 2021 at 4:51 Comment(4)
Why must you store the password? If you use OAuth, you do not have to store the password; you get the access token and that's it. Does your app need access to GitHub? Or in other words: can you also use OAuth from Facebook/LinkedIn?Cabriole
'I call my backend to generate an access token (JWT) which I can use to retrieve their user details and then store it in local storage' - which user details are you using? Where do you get them from?Cabriole
@Cabriole For now, the backend stores their username, password, createdAt and then their account has various relations to other tables e.g. user has X posts.Collard
@Cabriole If I don't store them in the DB, how would I be able to use these relations? They wouldn't have a userID and so can't have posts because each post needs a userID FK. (I'd like to add OAuth without massively changing my code structure.)Collard

OAuth is usually for authorization. Meaning, you get an access token from the authorization server, the resource server validates it and lets the user access the data.

In your case, you "do not really need" the access token - you want to use OAuth just for the authentication. Web applications (like StackOverflow) do this to "save the trouble" of handling the authentication flows. Meaning, if I write a secured application, I need to somehow implement the create-account flow, login flow, forgot-password flow, etc. When you use a 3rd-party authentication, you save this trouble.

However, your application does need some user-id to perform actions; so you must create a user-id in your app when a user appears for the first time. From then on, you do not need to worry about password expiry, forgotten passwords, or even the login. When the user logs in, you get the access token and all you need to do is get your app's user-id from it.

Thus, I do not see a reason why you need to store a 'password', or the access token.

Hope that makes sense.

Cabriole answered 28/11, 2021 at 16:51 Comment(5)
Thanks, this is what I'm looking for. So I basically want to do the same as StackOverflow by implementing GitHub for login. Like you said, my application needs a user id to perform actions. Currently, I get this user id by adding an email/password to my DB and using the PK as the ID. How would I create a user id for the GitHub logins if I can't put anything in as their password? Do I have to create a separate table for GitHubUsers that stores their GitHub username only and an ID?Collard
First, feel free to accept or upvote an answer that helped you. Second, the question should be: why do you create the userId from the email AND password? What do you need the password for?Cabriole
I need email and password because that's how I have let users create accounts currently. I want to add GitHub as an additional signup/login method; it sounds like my option right now is to just remove my login and only use GitHub and store just the GitHub username.Collard
I understand your use case. I think that you can (and should) support both methods, otherwise a user without a GitHub account will not be eligible to use your application (do you want that?). I suggest using only the email as the user-id, without the password. I think it is unique enough. Think about that: do you wish to accept 2 users with the same email but with different passwords? (I think not)Cabriole
Is it possible to check that a user authenticated via OAuth still exists? For example: I let a Google user log in via OAuth and create some content on my site, then I would like to check every few months that the user still exists on Google to keep their content on my site; otherwise I will delete the content.Kerbela
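The answer above says to create a local user id the first time a third-party user appears and to store neither a password nor the access token for them. The following is an added example of that layout (not code from the original question or answers): one `users` table whose `password_hash` is NULL for OAuth-created accounts, plus a separate `identities` table keyed on the provider's stable user id rather than the email, so the account survives an email change at the provider. The table and function names, and the `email_verified` flag, are assumptions for this example; the flag models whether the provider vouched for the address, and the code refuses to link an unverified address to an existing local account, since that is the classic pre-hijack path.

```python
import hashlib
import os
import secrets
import sqlite3

# Added example (not from the original post). Schema and names are assumptions.
SCHEMA = """
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    email         TEXT NOT NULL UNIQUE,
    password_hash BLOB,            -- NULL for accounts created via OAuth
    password_salt BLOB
);
CREATE TABLE identities (
    provider         TEXT NOT NULL, -- e.g. 'github'
    provider_user_id TEXT NOT NULL, -- the provider's stable user id, not the email
    user_id          INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (provider, provider_user_id)
);
"""


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; any slow password hash is fine here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def register_local(db: sqlite3.Connection, email: str, password: str) -> int:
    """Classic email/password signup; returns the new local user id."""
    salt = os.urandom(16)
    cur = db.execute(
        "INSERT INTO users (email, password_hash, password_salt) VALUES (?, ?, ?)",
        (email, _hash_password(password, salt), salt),
    )
    return cur.lastrowid


def login_local(db: sqlite3.Connection, email: str, password: str):
    """Return the user id on success, None otherwise."""
    row = db.execute(
        "SELECT id, password_hash, password_salt FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None or row[1] is None:
        # Unknown email, or an OAuth-only account: there is no password to check.
        return None
    user_id, stored, salt = row
    if secrets.compare_digest(stored, _hash_password(password, salt)):
        return user_id
    return None


def login_oauth(db: sqlite3.Connection, provider: str, provider_user_id: str,
                email: str, email_verified: bool) -> int:
    """Find-or-create: map (provider, provider_user_id) to a local user id.

    The provider's access token is only used to fetch the profile; it is never stored.
    """
    row = db.execute(
        "SELECT user_id FROM identities WHERE provider = ? AND provider_user_id = ?",
        (provider, provider_user_id),
    ).fetchone()
    if row:
        return row[0]  # returning user: same account even if their email changed
    # First appearance of this identity.
    existing = db.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    if existing:
        if not email_verified:
            # Never let an unverified provider email attach to someone else's account.
            raise ValueError("refusing to link unverified email to an existing account")
        user_id = existing[0]
    else:
        cur = db.execute("INSERT INTO users (email) VALUES (?)", (email,))  # no password
        user_id = cur.lastrowid
    db.execute(
        "INSERT INTO identities (provider, provider_user_id, user_id) VALUES (?, ?, ?)",
        (provider, provider_user_id, user_id),
    )
    return user_id
```

Because posts and other relations hang off `users.id`, an OAuth-created account gets the same kind of primary key as a local one; nothing downstream needs to know how the user authenticated.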

What you are looking for is actually OpenID Connect - it's an authentication framework built on top of OAuth, which lets you log in users using external Identity Providers, like GitHub.

When a user logs in using GitHub then you will receive an id_token in the form of a signed JWT. You can easily verify the authenticity of the JWT - so you can easily make sure that the id token really comes from GitHub and presents real data. Usually one of the pieces of information in the id token will be the user's email. You can use that to look up the user in your database. You don't need any password in this case.

So, you will have two ways of finding a user in your DB - either by comparing the email and password, or by looking up the user's email from a validated id token from GitHub.

Fallal answered 29/11, 2021 at 11:18 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.