Tuesday, June 10, 2014

Social Authentication (Facebook) in WC2014Challenge

People expect these days from a public website you can authenticate with Facebook, Google+, Linkedin, Microsoft etc. It's very convenient as you don't need to create a specific account per website.

Background

All of the social networks have very good documentation how to call their APIs.
Here's for example the Facebook Login explained.

Most of the API's use the OAuth2.0 protocol, there's an application key and tokens that are send with the requests. Here's an overview how it works with Google+


So how easy is it in Oracle Application Express (APEX) to do such social authentication?

Unfortunately Oracle APEX doesn't provide us with a native social authentication mechanism just yet. But nothing prevents you from building it yourself.

Here are the options I reviewed:

  • Custom build; in PL/SQL you call the different url's and make some procedures public so when the social network comes back you can intercept the call and move on.
  • Oracle REST Data Services supports OAuth 2.0 and the calls are mostly REST calls, so I also looked into writing the logic in ORDS (and PL/SQL) and integrate that way with my APEX application.
  • Some people in the community wrote an authentication plugin which does the hard work for you.

I went with a combination of the Facebook plugin in combination with my own PL/SQL code.
Peter was so nice to share his work with me, thanks again for that Peter. I first thought that the authentication plugin would be plug-and-play, just like the other APEX plugins... but that is not the case.
It hasn't much to do the way Peter's team implemented it, it has more to do with the complex setup of SSL certificates etc. So when downloading the plugin, know that it will take some time to configure it. Luckily Peter provides good documentation so it makes it a bit easier.

So, to see the authentication to work, login with your Facebook account on the wc2014challenge.com site. I extended the plugin a bit so it will automatically create a site account for you behind the scenes so regardless if you create a site account or login with Facebook it can hook up the scores, bets etc. in the same way.

Challenges with Social Authentication

If you want to provide Facebook, Google+, LinkedIn and a normal site account in your app, I found some challenges with that. How do you hook-up a person that logs-in with Facebook the first time, with the same player logging in with Google+ the same time? You could use the email address maybe? But what if they use different ones? There are many blog posts about this topic and how to get around it, but it would bring me to far in this post. I might do a follow-up post later as it's an interesting challenge.

Future 

I really believe that most public sites will allow social authentication, so I hope the team of ORDS or the APEX development team will make something available to do the social authentication natively in the future. I believe that would be the best solution (fast to implement and secure).

2 comments:

Fernando Santucci said...

I would like to know how you bypassed these issues about the connection between accounts of the same user.

Scott Wesley said...

Future readers may be interested in this
https://timnzblog.wordpress.com/2010/09/13/application-express-and-janrain/