Django, and social media authentication (django-social-auth)?
I am writing a small entertainment website in Django. When it came to creating a registration page, the first thing that came to mind was: "Everyone now does authorization through social networks, but what about me?" I downloaded django-social-auth and started trying it out. Alas, as often happens with me, first I do, and only then I think. I set up authorization through Vkontakte, was pleased, and then started thinking about how it all works... Well, let's suppose that authorization is configured on the site through Vkontakte and Twitter. Then, if I log in through each service, 2 different accounts will be created, which is somehow crazy. Of course, you can argue: why log in through different social networks if you can always use only one? But... what if the user, say, deletes his page from VK? It turns out that he can no longer log into my site under his account? Of course, the user will not disappear from my site's database when the VK page is deleted, but it is also impossible to log in without a password.
Further, as far as I understood (and my almost zero knowledge of English let me down a lot), this issue can be solved through the association mechanism, for example, by linking all accounts from the user's social networks to a single email, right? But then we face another problem, because as I understand it, VK and Twitter, for example, do not give out the user's email, forcing the user to enter it in a separate form? But how then does such authorization differ from the usual login / password / email registration?
In general, if there are people who understand this, tell me: am I thinking right, or am I mistaken in something?
You can implement a solution based on two tables.
Users - users.
Login - social network accounts.
The Login table has a relationship with the Users table.
If the user is already authorized on the site, then logging in through another social network can link a new Login to the existing account (for example, one that was created when first logging in through another social network or when registering).
You are thinking correctly, but there seems to be no particularly decent and universal solution, for the reasons you voiced: the difficulty of matching accounts across different social networks. And if you simplify, then, obviously, there will be a security problem.
It seems to me that there is no decent solution: how do you match accounts? Alternatively, you can unobtrusively ask for an e-mail after registration. If the user provides it, good; if not, well, okay.
For example, I use ulogin.ru, so the mail is always returned, and you can check whether it is in the database or not.
And multiplying accounts on the site is, IMHO, stupid.
If the site needs mail, then one way or another you need to ask the user for a mailbox. And at the same time, you need to check that this mail really belongs to this user. Accordingly, we can offer the following solution:
When registering through unreliable services, always ask for mail. And after registration, perform the verification procedure by sending an email with an activation link. Activation is needed not to activate the login, but to make sure that the mail is not a bogus one. If the user does not want to confirm it, this is his personal problem.
In this case, you need to consider what to do about binding a new social (unreliable) network to the old account: doing it on the quiet is also not an option, and here you also need confirmation that the old account really belongs to the same person as the email specified in the old one.
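The two-table layout and the mail-confirmation rule from the answers above, as an added example that is not code from this thread or from django-social-auth. It uses plain `sqlite3` rather than Django models; the table and function names, the HMAC activation token and the merge step are assumptions made for illustration.

```python
import hashlib, hmac, sqlite3

SECRET = b"constructed-demo-key"  # assumption: a real site loads this from its secret settings

class LinkConflict(Exception):
    """The social identity is already attached to a different site account."""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, email TEXT UNIQUE);  -- set only once confirmed
        CREATE TABLE logins (provider TEXT, uid TEXT,
                             user_id INTEGER NOT NULL REFERENCES users(id),
                             PRIMARY KEY (provider, uid));
    """)
    return db

def social_login(db, provider, uid, session_user_id=None):
    """Map a provider identity to a site user; link it only to the logged-in session's user."""
    row = db.execute("SELECT user_id FROM logins WHERE provider=? AND uid=?",
                     (provider, uid)).fetchone()
    if row:
        if session_user_id not in (None, row[0]):
            raise LinkConflict(f"{provider}:{uid} belongs to another account")
        return row[0]
    if session_user_id is None:  # unknown identity, nobody logged in: new account, no silent merge
        session_user_id = db.execute("INSERT INTO users DEFAULT VALUES").lastrowid
    db.execute("INSERT INTO logins VALUES (?, ?, ?)", (provider, uid, session_user_id))
    return session_user_id

def email_token(user_id, email):
    """Value placed in the activation link mailed to `email` (expiry omitted for brevity)."""
    return hmac.new(SECRET, f"{user_id}:{email}".encode(), hashlib.sha256).hexdigest()

def confirm_email(db, user_id, email, token):
    """Return the surviving user id after a valid activation, or None if the token is wrong."""
    if not hmac.compare_digest(token, email_token(user_id, email)):
        return None
    owner = db.execute("SELECT id FROM users WHERE email=?", (email,)).fetchone()
    if owner and owner[0] != user_id:  # mailbox proven for both accounts: fold into the older one
        db.execute("UPDATE logins SET user_id=? WHERE user_id=?", (owner[0], user_id))
        db.execute("DELETE FROM users WHERE id=?", (user_id,))
        return owner[0]
    db.execute("UPDATE users SET email=? WHERE id=?", (email, user_id))
    return user_id
```

Two accounts are merged only after the activation token for the shared mailbox has been presented from the second account's session; an email typed into a form, or returned unverified by a provider, never triggers a merge on its own.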