Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

User token

Viewing 15 posts - 1 through 15 (of 25 total)
  • #160153
    chrisburton
    Participant

    I am using Opauth to authenticate Facebook and Twitter users to comment with Kirby. Some of you may know about this. However, is the user’s token really necessary at all for a comment system?

    karlpcrowley: @chrisburton The tokens are really for accessing stuff on those sites, maybe just get proof of login from the API if that’s all you need

    So I was thinking I could just use their user ID to validate them. Am I missing something here?

    #160154
    __
    Participant

    If you don’t have any need to authenticate the token, then you probably don’t need it at all.

    Are you really “authenticating” the user, or is this basically just a convenient way to get a name and photo?

    #160155
    chrisburton
    Participant

    That’s the thing, I’m not sure if I need to authenticate the token. I’m just trying to use their credentials to allow them to comment.

    By credentials I mean:

    • ID
    • Name
    • Image
    • link to their social networking account

    I plan to store that information in a database but I think I should also store something in a session so that they stay logged in.

    But what if they’re logged out (for whatever reason), I already have their credentials stored in a database, and they want to log back in?

    #160334
    __
    Participant

    Are you still working on this?

    I’ve done a bit of reading, but I’m not certain about what the “token” actually is. Is it user-specific? response-specific?

    I plan to store that information in a database but I think I should also store something in a session so that they stay logged in.

    If you want to keep the user “logged in,” just give them your own token once you’ve authenticated them. Keep it in the session, or set a cookie if you want it to persist longer.

    But what if they’re logged out (for whatever reason), I already have their credentials stored in a database, and they want to log back in?

    Well, the whole point of OpAuth is that the user doesn’t log in with you; they log in with someone else. Now, if the “token” you refer to is user-specific (doesn’t change), then when a user logs in again you could use it to recognize them (and use the existing user info, instead of creating a “new” account).

    Dunno if that answers your question.

    #160335
    chrisburton
    Participant

    Are you still working on this?

    I was but I have to quit to focus more on my classes as the new semester started today. Perhaps during spring break or this summer. It really depends when I have the time.

    I’ve done a bit of reading, but I’m not certain about what the “token” actually is. Is it user-specific? response-specific?

    User Access Token – The user token is the most commonly used type of token. This kind of access token is needed any time the app calls an API to read, modify or write a specific person’s Facebook data on their behalf. User access tokens are generally obtained via a login dialog and require a person to permit your app to obtain one. – Facebook Docs

    The token changes each time the user logs in (I tested this). I assume this is for security reasons. Maybe I do need this if I want to keep them logged in by storing it in session.

    But what if they’re logged out (for whatever reason), I already have their credentials stored in a database, and they want to log back in?

    Well, the whole point of OpAuth is that the user doesn’t log in with you; they log in with someone else. Now, if the “token” you refer to is user-specific (doesn’t change), then when a user logs in again you could use it to recognize them (and use the existing user info, instead of creating a “new” account).

    The way I was thinking about the token was that if the token always changed for each login process or every time I need to read from the API, how could I verify it belongs to that person? Would I have to constantly update the database? That is what I am having a hard time with.

    Edit: I think this helps me understand the whole purpose of the token a little better. It’s exactly why I need it.

    #160340
    __
    Participant

    The token changes each time the user logs in (I tested this). I assume this is for security reasons.

    According to the comment you linked to, it’s because the token represents a user session (of sorts), not the user themselves. So, no, it’s not suitable for your purpose. Is there some unique (or reasonably unique) data in the response? usernames? id? email address? If so, you could combine this with the service name (e.g., “facebook”) to identify users over time.
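    Putting the two pieces of advice in this thread together (issue your own session token once the provider has authenticated the user, and identify the user over time by provider + user ID rather than by the access token), here is an added example that is not part of the thread and not code from Opauth or Kirby. The callback payload shape and its field names are assumptions loosely modelled on an OAuth callback, the in-memory dicts stand in for the database, and the sample logins are constructed data.

```python
import hashlib
import secrets
import time

# Constructed sample data: two OAuth callbacks for the same Facebook user.
# The access token differs on every login (as observed in the thread) and the
# display name has changed in between; only provider + uid stays constant.
# The layout (provider, uid, info, credentials) is an assumption loosely
# modelled on an OAuth callback, not Opauth's exact response format.
LOGIN_1 = {
    "provider": "Facebook",
    "uid": "100004321",
    "info": {
        "name": "Ada Example",
        "image": "https://example.invalid/ada.jpg",
        "urls": {"facebook": "https://www.facebook.com/100004321"},
    },
    "credentials": {"token": "EAAB-first-access-token", "expires": 1700000000},
}
LOGIN_2 = {
    "provider": "facebook",  # providers are not consistent about case; normalise
    "uid": 100004321,        # ... or about type; normalise that too
    "info": {
        "name": "Ada E. Example",
        "image": "https://example.invalid/ada-new.jpg",
        "urls": {"facebook": "https://www.facebook.com/100004321"},
    },
    "credentials": {"token": "EAAB-second-access-token", "expires": 1700005000},
}

SESSION_TTL = 7 * 24 * 3600  # one week; an arbitrary choice for the example


def identity_key(auth):
    """The stable identity is (provider, uid). The access token is per login
    and must never be used as the key for a local account."""
    return (str(auth["provider"]).lower(), str(auth["uid"]))


def link_or_create_user(users, auth):
    """Find the local account for this provider identity, or create one.
    Refreshes the public profile data; deliberately ignores auth["credentials"],
    since a comment system never calls the provider API on the user's behalf."""
    key = identity_key(auth)
    user = users.get(key)
    if user is None:
        user = {"id": len(users) + 1, "provider": key[0], "provider_uid": key[1]}
        users[key] = user
    info = auth.get("info", {})
    user["name"] = info.get("name", "")
    user["image"] = info.get("image", "")
    user["profile_url"] = next(iter(info.get("urls", {}).values()), "")
    return user


def start_session(sessions, user_id, now=None):
    """Issue our own random session token. Only its SHA-256 hash is stored, so a
    leaked session table does not hand out usable tokens."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    sessions[digest] = {"user_id": user_id, "expires": now + SESSION_TTL}
    return token


def user_for_session(sessions, token, now=None):
    """Resolve a presented token (e.g. from a cookie) to a user id, or None."""
    now = time.time() if now is None else now
    record = sessions.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["expires"] <= now:
        return None
    return record["user_id"]


def demo():
    users, sessions = {}, {}
    u1 = link_or_create_user(users, LOGIN_1)
    t1 = start_session(sessions, u1["id"])
    u2 = link_or_create_user(users, LOGIN_2)  # second login, new access token
    start_session(sessions, u2["id"])
    return {
        "same_user": u1["id"] == u2["id"],           # both logins -> one account
        "user_count": len(users),
        "token_stored": any("token" in u for u in users.values()),
        "session_resolves": user_for_session(sessions, t1) == u1["id"],
        "unknown_token": user_for_session(sessions, "bogus") is None,
        "name": users[identity_key(LOGIN_1)]["name"],  # refreshed on re-login
    }


if __name__ == "__main__":
    print(demo())
```

    The point of the example is the separation of concerns: the provider proves who the visitor is, the (provider, uid) pair is the durable record key, and the site’s own random token is the only thing that keeps the visitor “logged in”. Storing the provider’s access token would add a secret to protect without adding any capability the comment system uses.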

    #160343
    chrisburton
    Participant

    According to the comment you linked to, it’s because the token represents a user session (of sorts), not the user themselves. So, no, it’s not suitable for your purpose.

    What I was linking to was to show the purpose of what the token is used for. The answer I found is that the token is used for sessions to identify the user, but I don’t think that person’s issue relates to mine. I probably shouldn’t have posted the link to that comment. Might be a bit confusing.

    Is there some unique (or reasonably unique) data in the response? usernames? id? email address?

    In general or similar to how the token changes during each login? In general, the only truly unique data in the response that stays the same is the user ID.

    #160346
    chrisburton
    Participant

    I think this answers my question: http://stackoverflow.com/q/10100231/938664

    #160354
    __
    Participant

    What I was linking to is to show the purpose of what the token is used for. The answer I found is that the token is used for sessions to identify the user but I don’t think that person’s issue relates to mine.

    Well, it’s not the same issue, but it does provide an answer to your question.

    I think this answers my question

    Yup! Looks like

    #160357
    TheDoc
    Member

    Sorry I haven’t been much help here, @chrisburton. Let me know when you think I should jump in and do some testing!

    #160381
    chrisburton
    Participant

    @TheDoc Since I don’t have to deal with the user token, this makes it a bit simpler. It won’t be for a while but I will let you know when I need someone to test.

    Just so we’re on the same page I won’t be introducing spam protection like I initially hoped. Integrating what I already have with Akismet and having to run the response data through that API just seems over my head.

    #160397
    TheDoc
    Member

    When you do the next push to the repo with the token stuff just let me know and I’ll try to jump in there and see what I can do.

    #160401
    chrisburton
    Participant

    Great. The next repo will be a complete overhaul, though. I guarantee there are many security issues in its current state.

    I haven’t thought this through but what I’d like is for the user to simply add a snippet to their single-article template. The only additional setup is to create an app and add your keys to Opauth. I’d also like it to be flexible with options such as:

    $options = array(
        'like' => true, // add a 'like' count feature to user comments
    );
    
    #160410
    TheDoc
    Member

    Are you currently working in a separate branch that you can push up?

    #160426
    chrisburton
    Participant

    Unfortunately, no. The code will really be a complete overhaul by the time you receive it. Right now what I have is a bunch of content echoing out for testing. I have yet to tie in Opauth and the comments together. I still have to figure out and learn how to join two tables or if that is necessary. If I handed over the code, all you would have is an error if you don’t have the proper setup.

  • The forum ‘Back End’ is closed to new topics and replies.