The correct way to use "Login with LinkedIn" to identify users on my website?

I'm trying to understand "LinkedIn Login." I seem to only understand part of the picture.

As I understand it, a user signs up with LinkedIn on my site, and LinkedIn returns a unique user ID to my site.

Somehow I later use this identifier on my website to identify the user.

But I don't understand: as soon as the end user sees the identifier, what prevents them from using it directly from then on and never logging in via LinkedIn again? Should a user identifier be kept secret, or can it be displayed publicly, for example in a URL?

Also, what should prevent someone from finding another user's ID and then using it to access my site?

It seems like I am missing the whole picture of how the user ID returned from LinkedIn should be used, and what security concerns exist.

Can someone please explain?

thanks

+4
3 answers

I will answer myself. Turns out you can also ask the LinkedIn API to return a cookie containing a signature. Send this cookie to your server over HTTPS and you can verify the signature with your own API key. Voila: you have proved that this is a valid user, and you have proved that the user login really came from LinkedIn and is not a fake.

+3

When a user logs in via LinkedIn, their API will return a user ID to you. This is really not a secret; it is simply LinkedIn telling you that a user on your site has registered as a user with this unique identifier. You cannot log in as another user just by knowing their LinkedIn identifier: for the LinkedIn API to return this identifier, the user on your site must log in with their username and password.

As long as you can be sure that the API you are accessing is really LinkedIn's and the response has not been intercepted / modified / forged, you can trust that the identifier returned by the API is the correct user identifier on their site and that they are logged in and authenticated as this user.

Basically, you are safe if you always use the LinkedIn API to authenticate LinkedIn users and do not have a form on your site prompting "enter your LinkedIn ID to authenticate". Even if the user knows a different user ID, they still need the matching LinkedIn username / password for the API to return that ID to you.

Feel free to store the returned identifier to keep track of user settings / actions. You can even associate it with a user already in your database and give the user the option to log in using the username / password combination stored in your database (salted / hashed, hopefully) OR using one of the OAuth options.

Hope this helps you figure it out!

EDIT BASED ON COMMENT

Another point of emphasis regarding how you handle things AFTER the API request. You can trust that the identifier obtained through LinkedIn is correct, but after that you must also make sure that the identifier stored on your site is still the same as the one received from LinkedIn. Use something server-side that the user cannot edit to store this identifier (for example, PHP sessions, NOT URLs).

+1

Assume that after the user successfully completes authentication, it redirects to your page http://www.xyz.com/redirect.php.

Now you have code in redirect.php that takes the OAuth parameters from the URL and calls the API to obtain the user ID.

    function getUserID() {
        // code which takes the OAuth params, calls the LinkedIn API with the access token
        // and returns the userId of the user (the API call itself is omitted in the original)
        $userID = null; // placeholder: set from the LinkedIn API response
        return $userID;
    }
    $userID = getUserID();

Now that you have $userID, create a session with $userID and redirect the user to their home page. On the home page, check the session: if the session's $userID is present, allow the user to open the page; if the session is unavailable, do not show the page and ask them to log in first.

Now, to your question: in this approach, do you think the user can enter the userID himself?
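The two answers above boil down to the same server-side rule: verify that the login result really came from LinkedIn (a signature checked with your app secret), then bind the verified member ID to an opaque session the user cannot edit, and never take the ID from the URL. The following is an added example written for this page, not code from the original post or from LinkedIn; the payload field names, the signature scheme (HMAC-SHA256 over the ordered field values) and the secret are assumptions standing in for whatever the real SDK sends.

```python
import hmac
import hashlib
import secrets
from typing import Optional

APP_SECRET = b"constructed-app-secret"  # constructed; the real one lives in your app settings

# Server-side session store: opaque token -> verified LinkedIn member id.
# Only the server writes here, so a user cannot change "who they are" by editing a URL.
SESSIONS = {}


def verify_signed_payload(payload: dict, secret: bytes) -> Optional[str]:
    """Return the member id if the payload's signature checks out, else None.
    Assumed format: 'signature' is hex HMAC-SHA256 over the values of the fields
    listed in 'signature_order', concatenated in that order."""
    try:
        msg = "".join(str(payload[f]) for f in payload["signature_order"]).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    except (KeyError, TypeError):
        return None
    if not hmac.compare_digest(expected, str(payload.get("signature", ""))):
        return None  # forged or tampered: any edited field breaks the MAC
    return str(payload["member_id"])


def login_callback(payload: dict, secret: bytes = APP_SECRET) -> Optional[str]:
    """redirect.php equivalent: verify, then mint a random session token bound to the id."""
    member_id = verify_signed_payload(payload, secret)
    if member_id is None:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = member_id
    return token


def can_view(session_token: Optional[str], page_owner_id: str) -> bool:
    """Home-page check: the id in the URL is only compared against the session, never trusted."""
    member_id = SESSIONS.get(session_token) if session_token else None
    return member_id is not None and member_id == page_owner_id


def sign(fields: dict, order: list, secret: bytes = APP_SECRET) -> dict:
    """Constructed stand-in for the identity provider producing a signed payload."""
    msg = "".join(str(fields[f]) for f in order).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {**fields, "signature_order": order, "signature": sig}
```

With this split, knowing another member's ID gives an attacker nothing: without a session token minted from a payload signed with your secret, `can_view` refuses, and editing `member_id` in a captured payload invalidates its signature.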

0

Source: https://habr.com/ru/post/1414471/
