Progress will discontinue Telerik Platform on May 10th, 2018.

Introduction to Social Login


By implementing social authentication, or social login, you allow your users to leverage their existing social network accounts to log in to your app. This has many advantages for the user, including:

  • No need to create a new account thus saving time
  • No need to remember another username/password combination
  • No need to trust another authentication provider
  • Seamless integration with other features provided by the social network

Telerik Platform supports the most popular providers of social authentication services. Find the full list in Introduction to User Management.


Protocol Versions

Telerik Platform relies on the OAuth protocol to communicate with the social authentication provider. Different providers use different protocol versions as shown in the following table:

Authentication Provider   Protocol Version
Facebook                  OAuth 2.0
Google                    OAuth 2.0
Twitter                   OAuth 1.0a
Microsoft Account         OAuth 2.0

Authentication Pattern

When using social authentication, Telerik Platform takes part in a three-way OAuth exchange together with the client device and the social authentication provider.

The authentication flow is presented on the following illustration:

[Illustration: the social authentication flow between your app, the OAuth provider and Telerik Platform]

  1. In your app, you request an access token using the respective provider's APIs. This includes you requesting that the user authenticate to the OAuth provider and agree to share their user details with your app.
  2. The OAuth provider returns an OAuth Token after verifying the user authentication and consent.
  3. You pass the OAuth Token to Telerik Platform.
  4. Using the OAuth Token, Telerik Platform obtains the user information from the OAuth provider and then:
    • Registers the user in case of first-time users
    • Authenticates the user in case of returning users
  5. Telerik Platform issues a Telerik Platform access token and returns it to your app which concludes the login flow. The Telerik Platform access token is used for subsequent communication until the user logs off.

For further information, including implementation details, check these external links:

Except for the part where you use the provider's APIs, you use the Backend Services RESTful API or the appropriate SDK to implement the above steps. Refer to the links in See Also for more information.

Important Notes

Keep the following points in mind when using social authentication in Telerik Platform:

  • The first time that the user authenticates through a social network, Telerik Platform creates a user account for them. Subsequent authentication requests simply authenticate the user. This way the same endpoint is used for both registration and authentication.
  • Users registered through their social identities do not have usernames in Telerik Platform.
  • The name of the user provided in the social profile is stored in the user account's DisplayName field.
  • From a security standpoint, social users are treated exactly the same as internal users.
  • The app's default role is assigned to the user.
  • The user is automatically marked as verified.
  • The user profile that Telerik Platform reads from the social authentication provider is stored as an object in the user account's Identity.Provider field, where Provider is one of these values: Facebook, Google, LiveID, or Twitter (if applicable). The Identity field is visible only when using MasterKey authentication or when a request is made for a specific User object using bearer authentication and the passed access token is issued for the user that the object represents (e.g. getting a user object by Id).

    As social authentication providers evolve, the structure of the user profiles they return may change, leaving you with Identity objects whose fields differ from one user to another.

  • If the provided token has email in its scope, then the email address provided in the social profile is stored in the Email field of the user.

  • If the application is configured to send a welcome email and an email address is included in the user's social profile, then the user receives the email.

Linking to a Social Authentication Provider

In addition to authenticating (and registering) users coming from social authentication providers, Telerik Platform supports linking your existing app users to their social identity. This allows them to log in to your app using both their Telerik Platform user account and their social identity.

You can link a user account using the Backend Services RESTful API or the appropriate client SDK. Refer to the See Also links for more information.

Keep the following points in mind when linking:

  • The user who you are linking must be logged in to their Telerik Platform account (in other words, you need the Telerik Platform access token to perform linking).
  • Users who have linked their social identity to their Telerik Platform account can log in using either of them.
  • The user profile that Telerik Platform reads from the social authentication provider is stored as an object in the user account's Identity.Provider field, where Provider is one of these values: Facebook, Google, LiveID, or Twitter. The Identity field is visible only when using MasterKey authentication or when a request is made for a specific User object using bearer authentication and the passed access token is issued for the user that the object represents (e.g. getting a user object by Id).

    As social authentication providers evolve, the structure of the user profiles they return may change, leaving you with Identity objects whose fields differ from one user to another.

  • If the Telerik Platform user account's Email is empty and the provided token has email in its scope, then the email address provided in the social profile is stored in the user account's Email field.

  • You cannot link a single social account to multiple Telerik Platform user accounts. If you try this, you receive an error.

Unlinking from a Social Authentication Provider

Unlinking a user account from a social authentication provider prevents the user from logging in using their social identity. The user can still log in using their Telerik Platform account username and password.

You can unlink a user account using the Backend Services RESTful API or the appropriate SDK. Refer to the links in See Also for more information.

Keep the following points in mind when unlinking:

  • The user who you are unlinking must be logged in to their Telerik Platform account (in other words, you need the Telerik Platform access token to perform unlinking).
  • Telerik Platform deletes information about the user's social profile by setting Profile.Provider to null in the user account object.
  • After a user has been unlinked you can relink them.
  • The users can only unlink their own external accounts. They cannot unlink other users' external accounts, even if they have UPDATE permissions for the Users content type. This restriction is not present when using MasterKey authentication.
  • You can only unlink user accounts that existed before linking them to a social authentication provider.
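The following in-memory model is an added example, not Telerik Platform code, that puts the rules from the Authentication Pattern, Important Notes, Linking and Unlinking sections above into one runnable backend stand-in. The provider lookup table, the user Ids, the role name "Registered", the method names and the `master_key` flag are all assumptions made for illustration; the single point it demonstrates is that the backend resolves the client-supplied provider token with the provider itself and derives every account field (no username, DisplayName, Email only when in scope, default role, verified flag, Identity visibility, link and unlink restrictions) from that server-side result rather than from anything the client claims.

```python
import secrets
from dataclasses import dataclass, field, asdict
from typing import Optional

# Constructed table standing in for the OAuth provider: maps a provider token to
# the profile the provider would return for it. A real backend validates the token
# by calling the provider; it never trusts identity claims sent by the client.
PROVIDER_PROFILES = {
    ("Facebook", "fb-token-alice"): {"id": "fb-1001", "name": "Alice Example",
                                     "email": "alice@example.com", "scopes": ["email"]},
    ("Google", "g-token-alice"): {"id": "g-2002", "name": "Alice E.", "scopes": []},
    ("Twitter", "tw-token-bob"): {"id": "tw-3003", "name": "Bob Example",
                                  "email": "bob@example.com", "scopes": ["email"]},
}
DEFAULT_ROLE = "Registered"   # assumed name of the app's default role


@dataclass
class User:
    Id: str
    Username: Optional[str]     # None for accounts created through a social identity
    DisplayName: str
    Email: Optional[str]
    Role: str
    IsVerified: bool
    Identity: dict = field(default_factory=dict)   # provider name -> provider profile


class SocialAuthBackend:
    """Hypothetical platform side of the flow; every method name is assumed."""

    def __init__(self):
        self.users = {}    # user Id -> User
        self.tokens = {}   # platform access token -> user Id

    def _fetch_profile(self, provider, provider_token):
        """Step 4: ask the provider which account the token belongs to."""
        try:
            return dict(PROVIDER_PROFILES[(provider, provider_token)])
        except KeyError:
            raise PermissionError("provider rejected the token") from None

    def _find_social_user(self, provider, provider_id):
        for u in self.users.values():
            p = u.Identity.get(provider)
            if p and p["id"] == provider_id:
                return u
        return None

    def _issue_token(self, user):
        """Step 5: issue the platform's own access token for later requests."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user.Id
        return token

    def _caller(self, access_token):
        return self.users[self.tokens[access_token]]   # KeyError: not logged in

    def register_internal(self, username, display_name, email=None):
        user = User(Id=f"u{len(self.users) + 1}", Username=username, DisplayName=display_name,
                    Email=email, Role=DEFAULT_ROLE, IsVerified=False)
        self.users[user.Id] = user
        return self._issue_token(user)

    def login_social(self, provider, provider_token):
        """Steps 3-5: one endpoint registers first-time users and logs in returning ones."""
        profile = self._fetch_profile(provider, provider_token)
        user = self._find_social_user(provider, profile["id"])
        if user is None:
            email = profile.get("email") if "email" in profile["scopes"] else None
            user = User(Id=f"u{len(self.users) + 1}", Username=None, DisplayName=profile["name"],
                        Email=email, Role=DEFAULT_ROLE, IsVerified=True,
                        Identity={provider: profile})
            self.users[user.Id] = user
        return self._issue_token(user)

    def link(self, access_token, provider, provider_token):
        user = self._caller(access_token)          # linking requires a logged-in user
        profile = self._fetch_profile(provider, provider_token)
        other = self._find_social_user(provider, profile["id"])
        if other is not None and other.Id != user.Id:
            raise ValueError("social identity is already linked to another account")
        user.Identity[provider] = profile          # relinking after unlink works the same way
        if not user.Email and "email" in profile["scopes"]:
            user.Email = profile.get("email")      # only fills an empty Email

    def unlink(self, provider, access_token=None, master_key=False, user_id=None):
        # Only MasterKey callers may unlink someone else's account.
        target = self.users[user_id] if master_key else self._caller(access_token)
        if target.Username is None:
            raise ValueError("account was created by social login; nothing to fall back to")
        target.Identity[provider] = None           # provider entry set to null

    def view_user(self, user_id, access_token=None, master_key=False):
        """Identity is returned only to MasterKey callers or to the user it belongs to."""
        data = asdict(self.users[user_id])
        if not master_key and self.tokens.get(access_token) != user_id:
            data.pop("Identity")
        return data
```

The pieces worth carrying over to a real implementation are the ones that decide trust: the profile comes from `_fetch_profile` (the provider round-trip), never from request parameters; the access token identifies the caller for link, unlink and `view_user`; and the "already linked elsewhere" check runs before any write.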

See Also
