Why identify forum users by access_token?

In this forum example, users are identified by the github access token returned via the oauth2 process:

ForumUsers::findFirstByAccessToken

In case a user revokes the phalcon forum app authorization on github and subsequently tries to login to this forum again, github issues a new access token and the user loses access to any of his past posts and settings.

Wouldn't it be better to identify a github user with some kind of github ID that doesn't change when revoking and reauthorizing the phalcon forum app?



edited Nov '14

If someone closes his/her Github account and then someone else opens a new account with the same username, they could not use the history of the old user.

Just compare your answer with a mobile number. If I quit my cellular contract, people still try to reach me with my old number. If I moved from one house to another there has to be some time where my old post can be redirected to my new address. I agree that there has to be a grace period and it's up to github in that case to block a username for e.g. 3 months where my old account is not associated with a new user. In this case it seems to be special because only developers who are aware of the technical consequences login to this forum, but in real life people are not aware of the consequences when revoking an authorization. I dare to say that "normal" internet users are not aware of the fact that revoking an authorization can be undone. IMHO users have to be identified by a unique ID and not a temporarily granted access token. It's up to developers to decide if an old user ID could be associated with an old user or whether it has to be reverified in some way.




For example, next week we create an internal messaging system, so users can send private messages between them.

The current implementation creates a new user if the user removes his/her authorizations or if he/she closes his/her account, not allowing someone else to read those old private messages that do not belong to him/her. We don't have a way to ask Github if a user called "bob" is the same "bob" the forum does know.


I understand what you mean but the problem is, the user revokes an authorization on github, not in the Phalcon Forum. If he wants to delete his Phalcon account he has to do that here, not on Github. "Login with github" in other forums than this means that people are just too lazy to create a new account. It's not about managing the Phalcon Forum account from github.

Revoking an authorization means the user prohibits this method to login to a user account not deleting the account itself. As most oAuth2 (like Facebook) state: "Removing the authorization means the previously authorized service may still have your data stored."

Creating a new user with every new access token means leaving a lot of dead accounts. In case of Facebook oAuth2 it generates a new access token for every device that logs in which means a different user for every device...

Just keep in mind, it's not about closing my github account. This of course should invalidate my github user id / account name. It's about keeping my github account but just revoking the authorization for phalcon forum and reenabling it again.




Hmm, regarding this problem, I would suggest this forum stores the email of the user (github api value of user:email°) when a user authorizes with a github account. That way new access tokens can be issued to the same email address which is stored locally and obtained the first time the user authorized with a github account. If the email on the github side is changed on the other hand, then yes, a new user is generated on the forum side (no way to map the user).

Is something like this possible?

° https://developer.github.com/v3/oauth/#scopes

I think this would be a good idea. "user:email" should be "more" unique than the username and would make it possible to identify a returning user even when the access token changed.

As I understood from the RFC the access token can expire and can be reissued anytime when the OAuth service decides to do so. A token change does not mean the user changed anything or intentionally revoked and reauthorized an app.

I understand Phalcon's point that it should not be possible to get access to old messages if a user closed his github account and another person registers at github with the same name. But there has to be some kind of unique id in the github database, I don't want to believe that their database primary key is the user's name.

As I could read in the github API docs there seems to be no way to retrieve their internal user id, so using "user:email" sounds reasonable to me.

(By the way my primary interest is NOT to change the phalcon forum or criticize the developer's decisions. I'm just developing a "Login with ..." service for a phalcon based community myself and I try to understand the phalcon forum oauth2 phps. In my case one of the OAuth services used should be Facebook and Facebook returns their unique userid which makes it much simpler to identify returning users even if access tokens change.)




Actually, a user can change his/her email in Github, and can also tell Github to return an e-mail like [email protected] which is not a real email as well. If the combination of user:email changes from one day to another it will create a new user, as currently happens.

Good point, didn't think of that. Is the username unique? Is it even possible to close my github account and let someone else register at github with my old username, or is the username taken forever? This would mean that the username is globally unique. If not, storing both access token and email and allowing 1 of the 2 to change could be a workaround, though I know this is dirty as well.




As far as I know Github allows reusing the username, let's take this user as an example: https://github.com/sjinks he closed his account a couple of months ago and created a new one with the same username but lost his history.

OK, so this seems to be unsolvable, as long as we are not able to retrieve a unique id from github. Because I think sjinks' first account would have had for example 12345 as database id and his new account maybe 56789 as github treated him as new user. But would you agree that in case of Facebook OAuth2 where my userid is "1463560549" no matter if I change my name or email address this would be the correct way to identify returning users?




Well, I'm checking the Github API and it's returning an "id" https://api.github.com/users/phalcon

So, if that id is unique it would be a good starting point to address the problem.

OK, cool, couldn't find that as a possible "scope" in the docs but maybe it's returned anyway. The key "id" and the gravatar url suggest that this is really unique. Sounds as if this could be the perfect solution.

According to the github documentation an id is returned in the response:

{
  "login": "octocat",
  "id": 1,
  ...
}

would this not be a unique way to identify github users?

OK, I just tried to register a new github account, delete it and register again with the same name. This is what happened:

Registered "phtestuser9999" and the API returned:

{ "login": "phtestuser9999", "id": 9722583, ... }

Then I deleted the account and tried to register again, but github said: Account was recently deleted. Please contact support

So I registered another User "phtestuser999999" and the API returned:

{ "login": "phtestuser999999", "id": 9722723, ... }

(The incremented User ID suggests a unique ID)

Instead of deleting I now changed the username to "phtestuser9999991" after being warned that there will now be redirects and that this might have unexpected side effects. https://api.github.com/users/phtestuser9999991 now returns:

{ "login": "phtestuser9999991", "id": 9722723, ... }

So the ID stayed the same, everything else changed.
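The conclusion the thread reaches, as an added example that is not the Phalcon forum's own code: a user store keyed on GitHub's numeric "id" (the one field that stayed constant in the experiment above) instead of on the access token, with the token kept only as a replaceable attribute. The GitHub /user responses are constructed here from the thread's values; the second account's id 9999999, the token strings and the e-mail address are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class ForumUser:
    github_id: int            # stable key: survives token rotation, renames and e-mail changes
    login: str                # informational only, refreshed on every login
    email: Optional[str]      # informational only, may be hidden or a noreply address
    access_token: str         # current token only; replaced on every authorization

class UserStore:
    """In-memory stand-in for the forum's user table (constructed for this example)."""
    def __init__(self) -> None:
        self._by_github_id: Dict[int, ForumUser] = {}

    def login_with_github(self, profile: dict, access_token: str) -> Tuple[ForumUser, bool]:
        """Resolve the forum user for a parsed GET /user response; returns (user, created)."""
        gid = int(profile["id"])            # the only field treated as identity
        user = self._by_github_id.get(gid)
        if user is None:
            user = ForumUser(gid, profile["login"], profile.get("email"), access_token)
            self._by_github_id[gid] = user
            return user, True
        # Same GitHub account: refresh the mutable attributes, keep the forum history attached
        user.login, user.email, user.access_token = profile["login"], profile.get("email"), access_token
        return user, False

    def count(self) -> int:
        return len(self._by_github_id)

def run_scenario() -> dict:
    """Replays the thread's experiment with constructed /user responses (id 9722723 is from the thread)."""
    store = UserStore()
    acct = {"login": "phtestuser999999", "id": 9722723, "email": "alice@example.com"}
    u1, c1 = store.login_with_github(acct, "token-1")      # first authorization
    u2, c2 = store.login_with_github(acct, "token-2")      # revoked and re-authorized: new token, same id
    renamed = {"login": "phtestuser9999991", "id": 9722723, "email": None}
    u3, c3 = store.login_with_github(renamed, "token-3")   # renamed, e-mail hidden: still the same id
    other = {"login": "phtestuser999999", "id": 9999999, "email": None}  # constructed: a different account reusing the old login
    u4, c4 = store.login_with_github(other, "token-4")     # different id: new forum user, no access to the old history
    return {"same_user": u1 is u2 is u3 and u4 is not u1, "created": [c1, c2, c3, c4],
            "users": store.count(), "current_login": u3.login}

if __name__ == "__main__":
    print(run_scenario())
```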