
  • Some Concerns on User Account Data Pulling

    This new project could be very helpful for our clients if it could do a good job on user account data pulling and content sharing.

    I would like to discuss the user account data pulling first and leave content sharing for another time.

    In my mind, a new user account of our application can be created in the following fashion. After a new user signs in with his/her existing social media login data, the account data will be pulled into our system and this user needs to fill in any missing data requested by our system, but not by the social media site. I am thinking of a few issues in this regard. With this approach, will we trade security for convenience or not? While security is not a big concern in any social media settings, it is a big deal for our system. FB uses the user's email address as the login ID and Twitter uses either email address or user name as the user ID. A user account with an email address as the user ID is much easier to get hacked.

    I haven't studied the code yet. I don't know how to handle the uniqueness of user name when we pull user account data from various social media.
    Last edited by vw729; Nov 9th, 2010, 01:19 PM.

  • #2
    Originally posted by vw729:
    FB uses the user's email address as the login ID and Twitter uses either email address or user name as the user ID. A user account with an email address as the user ID is much easier to get hacked.
    Certainly different applications will have different security requirements and there's not a one-size-fits-all answer for deciding how to represent a user ID. This actually has little to do with social integration and more to do with the design decisions made when considering your application's security and how user IDs will be represented in your application.

    As you pointed out, a user account with an email address as its ID is a bit more hackable. If that's a concern for you, then don't do that. Decide on credentials that are fitting to your application's security requirements.

    Now, once those decisions have been made, you may choose the convenience of letting your users create their account based on the information in their profile on some social network. In that case, Spring Social can help. But again, that's an optional convenience and even if you choose to use it, you may choose to use certain information in their profile and disregard other bits of information.

    In any case, synchronizing accounts with social profiles is really only a single use-case in the bigger Spring Social story. The more exciting stories involve enhancing your user's experience with tweets from Twitter, knowing their friends on Facebook, enabling them to send tweets based on events in your application, alerting them to real-world events that coincide with their TripIt itineraries, etc, etc.


    • #3
      As Craig mentions, what's appropriate for your application depends on your security requirements.

      Greenhouse supports sign-in by email address OR username, and the Account username field itself is optional. I could imagine a mode in which sign-in by email was disabled and the username field was required then. Would you find it useful if Spring Social provided a sign-up and sign-in module that could be customized in that manner?

      It's definitely a useful feature to support automatically populating your local Account profile from a linked social profile. Greenhouse supports this to some extent already. Specifically, when you "Sign in Using Facebook", if the Facebook access token obtained from your local browser cookie is not associated with an existing Greenhouse Account, you'll be redirected to a signup page and the signup form will be pre-filled from your Facebook profile information. In this case, yes, your email address will be populated because we got it from your Facebook account -- but it won't necessarily be usable as a sign-in credential unless your application allows for that. In Greenhouse, a specific FacebookSigninController handles this case; if we supported "Sign in Using Twitter", for example, we could have a TwitterSigninController that maps Twitter profile data onto the signup form as well.

      Do let us know what else you're looking for in this area once you take a look at the code.

      Keith
      Last edited by Keith Donald; Nov 9th, 2010, 03:29 PM.


      • #4
        Originally posted by habuma:
        ...

        Now, once those decisions have been made, you may choose the convenience of letting your users create their account based on the information in their profile on some social network. In that case, Spring Social can help. But again, that's an optional convenience and even if you choose to use it, you may choose to use certain information in their profile and disregard other bits of information.
        That is the approach in my mind. Our application requests a username as the user ID for a user account. It has a Spring Security implementation already. I believe SS suggests having a username as a user ID. If a user's data is pulled from FB, we may just use the email account ID of this user's email address as the username. On the other hand, our application currently doesn't ask for the user's gender or DOB. We don't mind having that data, though.

        Originally posted by habuma:
        In any case, synchronizing accounts with social profiles is really only a single use-case in the bigger Spring Social story. The more exciting stories involve enhancing your user's experience with tweets from Twitter, knowing their friends on Facebook, enabling them to send tweets based on events in your application, alerting them to real-world events that coincide with their TripIt itineraries, etc, etc.
        For content sharing, our application currently already uses the ShareThis widget on every possible page. I expect this project will bring social media content sharing to a much higher level than what ShareThis does.


        • #5
          Originally posted by Keith Donald:
          ...

          Do let us know what else you're looking for in this area once you take a look at the code.

          Keith
          Thanks Keith.

          I would like to let a new user account's data be populated from either FB or LinkedIn. I am not sure about Twitter since its user account doesn't contain much information other than login data. I don't know anything about TripIt.

          I will look into the Greenhouse sample shortly.


          • #6
            Alright, so let me re-state your requirements then to see if we heard you right:

            - You'd like the ability to "Sign in with Facebook"; in the case your account doesn't already exist, you expect to be taken to a sign up form pre-filled with default values obtained from your Facebook profile.
            - You'd like to be able to do the same with LinkedIn (probably also Google).
            - You'd like the ability to share content, such as news items, hosted at your site with your Facebook friends. If you could elaborate more on what you mean by "bringing content sharing to a much high level" that would be helpful.
            - You'd like the ability to be able to configure different username/password authentication modes (mode #1: by email or username, where username is optional; mode #2: by username only, where username is required). I do wonder how useful such configurability is in practice, and if it's enough to simply make mode #1 the only one we support.

            Keith


            • #7
              Originally posted by Keith Donald:
              Alright, so let me re-state your requirements then to see if we heard you right:

              - You'd like the ability to "Sign in with Facebook"; in the case your account doesn't already exist, you expect to be taken to a sign up form pre-filled with default values obtained from your Facebook profile.
              Yes, that is what I envision in that regard.

              Originally posted by Keith Donald:
              - You'd like to be able to do the same with LinkedIn (probably also Google).
              Correct. I am not sure about Google though.

              Originally posted by Keith Donald:
              - You'd like the ability to share content, such as news items, hosted at your site with your Facebook friends. If you could elaborate more on what you mean by "bringing content sharing to a much high level" that would be helpful.
              Yes, a user currently can share an entry/content at our site by posting a message on his/her wall (Facebook, Twitter, LinkedIn etc.) through ShareThis. I have seen some web sites where a user/visitor can post a comment on content at the site as a FB user. And this user/visitor doesn't need to be a registered user of the site. And the content page also lists all comments made by FB users. I believe that those comments also appear on those FB users' walls. I would like to see this type of integration ability from the Social project, which enables social media users to engage in conversations on our site, and not just post messages on their walls.

              Originally posted by Keith Donald:
              - You'd like the ability to be able to configure different username/password authentication modes (mode #1: by email or username, where username is optional; mode #2: by username only, where username is required). I do wonder how useful such configurability is in practice, and if it's enough to simply make mode #1 the only one we support.

              Keith
              I will go for username only for our application, which is the current implementation of our system. If a user wants to log in through a social media site, the credential will go with whether it is required.
              Last edited by vw729; Nov 10th, 2010, 12:53 PM.


              • #8
                I just learned about Google Friend Connect, a two-year-old project, today and I am wondering whether the Social project aims to match and surpass it in terms of functionality or not. I guess the FB case I described above was implemented with Facebook Connect.
                Last edited by vw729; Nov 12th, 2010, 12:05 AM.


                • #9
                  Any Progress?

                  Originally posted by Keith Donald:
                  Alright, so let me re-state your requirements then to see if we heard you right:

                  - You'd like the ability to "Sign in with Facebook"; in the case your account doesn't already exist, you expect to be taken to a sign up form pre-filled with default values obtained from your Facebook profile.
                  - You'd like to be able to do the same with LinkedIn (probably also Google).
                  - You'd like the ability to share content, such as news items, hosted at your site with your Facebook friends. If you could elaborate more on what you mean by "bringing content sharing to a much high level" that would be helpful.
                  - You'd like the ability to be able to configure different username/password authentication modes (mode #1: by email or username, where username is optional; mode #2: by username only, where username is required). I do wonder how useful such configurability is in practice, and if it's enough to simply make mode #1 the only one we support.

                  Keith
                  Hi Keith,

                  Any progress on this aspect of the Spring Social project? Can the FacebookProfile and LinkedInProfile also contain a user's address data?


                  • #10
                    Any answer on this?

                    Wondering if there was an answer for this?

                    thanks


                    • #11
                      According to a survey (http://www.emarketer.com/Article.aspx?R=1008226), social media login is very important for some types of web applications. I hope this project can move forward quickly.


                      • #12
                        Originally posted by habuma:
                        Certainly different applications will have different security requirements and there's not a one-size-fits-all answer for deciding how to represent a user ID. This actually has little to do with social integration and more to do with the design decisions made when considering your application's security and how user IDs will be represented in your application.

                        As you pointed out, a user account with an email address as its ID is a bit more hackable. If that's a concern for you, then don't do that. Decide on credentials that are fitting to your application's security requirements.

                        Now, once those decisions have been made, you may choose the convenience of letting your users create their account based on the information in their profile on some social network. In that case, Spring Social can help. But again, that's an optional convenience and even if you choose to use it, you may choose to use certain information in their profile and disregard other bits of information.

                        In any case, synchronizing accounts with social profiles is really only a single use-case in the bigger Spring Social story. The more exciting stories involve enhancing your user's experience with tweets from Twitter, knowing their friends on Facebook, enabling them to send tweets based on events in your application, alerting them to real-world events that coincide with their TripIt itineraries, etc, etc.


                        I agree with you. Very well said.


                        • #13
                          Have you had a look at Spring Social 1.0.0.M2 yet? It offers support for sign-in-with-Twitter and sign-in-with-Facebook. In short, it works like this:

                          - After signing into Twitter/Facebook, if a local account can be found that's connected to the Twitter/Facebook account, then the user will be signed in automatically using their connection as their credentials.
                          - If no matching connection can be found the user will be sent to an application-defined registration page. After a successful registration, a call to ProviderSignInUtils.handleConnectPostSignUp() will create a connection between the newly created account and the Twitter/Facebook account.

                          You can read more about how it works in the reference documentation: http://static.springsource.org/sprin...ml/signin.html

                          Have a look and let us know if there's any way that it can be improved upon. For example, one improvement that I've already been asked about is to have the user's profile data readily available for the registration form to be prefilled.


                          • #14
                            Originally posted by habuma:
                            Have you had a look at Spring Social 1.0.0.M2 yet? It offers support for sign-in-with-Twitter and sign-in-with-Facebook. In short, it works like this:

                            - After signing into Twitter/Facebook, if a local account can be found that's connected to the Twitter/Facebook account, then the user will be signed in automatically using their connection as their credentials.
                            - If no matching connection can be found the user will be sent to an application-defined registration page. After a successful registration, a call to ProviderSignInUtils.handleConnectPostSignUp() will create a connection between the newly created account and the Twitter/Facebook account.

                            You can read more about how it works in the reference documentation: http://static.springsource.org/sprin...ml/signin.html

                            Have a look and let us know if there's any way that it can be improved upon. For example, one improvement that I've already been asked about is to have the user's profile data readily available for the registration form to be prefilled.
                            Thanks Craig for your information.

                            I am studying the M2 and the showcase sample these days. For our user account sign in/creation, I am going to have our FacebookSigninController class based on the M2's FacebookSigninController class so that the user will be redirected to a registration form with a portion of prefilled data, that is first name, last name, and email address, from the FacebookProfile if this user account doesn't exist in our system. We need to add a FB ID attribute to our user account entity so that we can identify FB users.

                            Our system would like to allow users to log in with multiple social media accounts. What is your suggestion on how to identify a user with accounts on multiple social media? Say one user already has his/her account with us through FB, and now this user wants to log in through his/her Twitter account. How does our system know this user already has an account in our system? Neither names nor email addresses can be used as a user identifier.

                            I have a few other questions regarding M2. I will post them as separate threads.
                            Last edited by vw729; Mar 4th, 2011, 02:55 PM.
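
The sign-in flow described in post #13 and the multi-provider question raised in post #14, sketched as an added example that is not part of the thread and not Spring Social code: connections are keyed by provider plus the provider's own user ID, and a second provider is linked only from an already authenticated session. All class and method names, and the sample IDs, are hypothetical.

```java
import java.util.*;

// Added illustration, not Spring Social code: every name here is hypothetical.
public class SocialSignInSketch {
    // A connection is keyed by provider plus the provider's own stable user ID,
    // never by display name or email, which differ across providers and can change.
    record ConnectionKey(String providerId, String providerUserId) {}

    private final Map<ConnectionKey, String> connections = new HashMap<>(); // key -> local username
    private final Set<String> usernames = new HashSet<>();                  // normalized usernames

    // Flow step 1: a known connection signs the user in; empty means "go to registration".
    Optional<String> signIn(String providerId, String providerUserId) {
        return Optional.ofNullable(connections.get(new ConnectionKey(providerId, providerUserId)));
    }

    // Flow step 2: registration. Profile data may pre-fill the form, but the user chooses
    // the username and uniqueness is enforced locally, whichever provider sent the profile.
    String register(String chosenUsername, String providerId, String providerUserId) {
        String normalized = chosenUsername.trim().toLowerCase(Locale.ROOT);
        if (normalized.isEmpty() || !usernames.add(normalized)) {
            throw new IllegalArgumentException("username missing or already taken");
        }
        connections.put(new ConnectionKey(providerId, providerUserId), normalized);
        return normalized;
    }

    // Linking a second provider is allowed only for an already authenticated local user,
    // never by matching an email or name found in the new provider's profile.
    void link(String authenticatedUsername, String providerId, String providerUserId) {
        if (!usernames.contains(authenticatedUsername)) {
            throw new IllegalStateException("no such local account");
        }
        ConnectionKey key = new ConnectionKey(providerId, providerUserId);
        String owner = connections.putIfAbsent(key, authenticatedUsername);
        if (owner != null && !owner.equals(authenticatedUsername)) {
            throw new IllegalStateException("provider account already linked to another user");
        }
    }

    public static void main(String[] args) {
        SocialSignInSketch app = new SocialSignInSketch();
        // Constructed sample IDs; real IDs come from the provider after its sign-in flow.
        System.out.println(app.signIn("facebook", "fb-1001")); // unknown connection: register
        app.register("Alice", "facebook", "fb-1001");
        System.out.println(app.signIn("facebook", "fb-1001")); // known connection: signed in
        System.out.println(app.signIn("twitter", "tw-77"));    // same person, but no link yet
        app.link("alice", "twitter", "tw-77");                 // performed while signed in
        System.out.println(app.signIn("twitter", "tw-77"));    // now resolves to the same account
    }
}
```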
