Clever Geek Handbook

If a user has multiple email addresses, do I need to store multiple oauth tokens?

A simple scenario, let's say a user has two email addresses:

personal.email@gmail.com
work.email@somecompany.com

I want to authenticate both email addresses. All examples in the docs involve storing one oauth token for a user account, for example:

class CredentialsModel(models.Model):
    id = models.ForeignKey(User, primary_key=True)
    credential = CredentialsField()

So, if one user account on my website has multiple associated email addresses, am I saving all the oauth2 credentials for that user? Or do I need to use the email address as the primary key rather than using the user id as the foreign key? I currently store different credentials for each email address, although when I look in the database, the credentials look the same for both of my email addresses. I'm not sure if I'm just doing something wrong or what.

Second, I understand that this is the main question, but when a user authorizes an email address, how do they know which email address they allowed? I am using google-api-python-client to do all the check, but I don't see anything in the python docs on how to do this.

+3


source to share


1 answer


OAuth never "includes" user authentication at all. It depends on the service provider to be concerned about this. All OAuth provides is that a consumer (in this case your application) can have access to a resource authorized by the user (after successfully authenticating to a service provider provided by the service provider itself).

OAuth 2 credentials must be associated with an application that has registered with the service provider through the oauth 2 endpoint.



Second, I understand that this is the main question, but when a user authorizes an email address, how do I know which email address they are authorized to use?

Not. The service provider performs authentication. This is to prevent third party authentication by any third party mechanism. Your application should just worry about getting an access token (which expires) and what services it has access to. Obtaining an access token is a "guarantee" that the user has successfully authenticated and authorized your application to receive your protected resources.

0


source






More articles:


All Articles