I'm including Google and Facebook OAuth 2.0 on my site. I got it working so that it pre-populates my registration form with first name, last name and email (the password must be entered manually). Now I want to enable users to log in/register without entering a password. As I mentioned, I can get the email address from OAuth with no problems, but I don't know what to use as the password, because I cannot have an empty password field in my database (then you could enter a user's email with no password and log in).

In my database I'm checking the email and password fields (simple login).

So how do I register my users with OAuth (what do I enter into the password field), so that I can log them in later just by clicking on the OAuth icon?

Is there any key that is user-specific and is not public?

So, what have you tried? (Nirav Ranpara)
“because i cannot have an empty password field in my database” – why not? Fix your database design if it is not suited for this use case. Or, if it’s a system you can’t change, just write some random value/hash in there that no one will be able to guess. (CBroe)
I just want to know which data from the OAuth response I can use as the password for my registration field. I haven't tried anything yet. (BoonZ)
So if the response is successful, I can ignore the password field? Is that secure? (BoonZ)
You could add a field to denote that the user is authorized by OAuth providers and skip checking the password for him; moreover, if the user's ID (in the case of Facebook) is retrieved without problem, that would denote that the same user has logged in. You would also need to store the unique social ID that represents the user at the different OAuth providers. (Anvesh Saxena)

1 Answer

I think you have not understood the true meaning of OAuth.

OAuth creates an authorisation layer, separating the role of the client from that of the resource owner. The client application accesses only those resources that are controlled by the resource owner, after the authorisation provided by the user.

For security purposes, instead of using the resource owner's credentials to access protected resources, the client obtains an access token: a string denoting a specific scope, lifetime, and other access attributes.

Access tokens are issued to third-party clients by an authorization server with the approval of the user. The client uses the access token to access the protected resources hosted by the resource owner's server.

According to RFC 6749:

    The authorization server MUST NOT issue client passwords or other client credentials to native application or user-agent-based application clients for the purpose of client authentication. The authorization server MAY issue a client password or other credentials for a specific installation of a native application client on a specific device.

Thus there is no need for the password.
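The scheme the comments converge on, an account row with no usable password plus a separate table of provider identities keyed on the provider's stable user id, written out as an added example; it is not code from the question, the answer or any real site. It assumes the provider's token or response has already been validated server-side before `login_with_oauth` is called, and that `provider` and `subject` are the provider's name and its stable user id (Facebook's user id, Google's `sub` claim). The `AccountStore` class, its method names, the `HASH_PREFIX` tag and the `UNUSABLE_PREFIX` filler for a NOT NULL password column are inventions for this example; the two in-memory dicts stand in for the database tables.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: int
    email: str
    # None for accounts created through an OAuth provider: no password exists for them.
    password_hash: Optional[bytes]


class AccountStore:
    """In-memory stand-in for two database tables (constructed for this example):
    users(id, email, password_hash NULL) and social_identities(provider, subject, user_id)."""

    PBKDF2_ROUNDS = 200_000
    SALT_LEN = 16
    HASH_PREFIX = b"pbkdf2_sha256$"  # every verifiable hash carries this tag
    UNUSABLE_PREFIX = b"!"           # filler for NOT NULL columns; can never verify

    def __init__(self) -> None:
        self.users: dict[int, User] = {}
        self.by_email: dict[str, int] = {}
        self.social_identities: dict[tuple[str, str], int] = {}

    @classmethod
    def _hash_password(cls, password: str) -> bytes:
        salt = os.urandom(cls.SALT_LEN)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.PBKDF2_ROUNDS)
        return cls.HASH_PREFIX + salt + digest

    @classmethod
    def _verify_password(cls, password: str, stored: bytes) -> bool:
        if not stored.startswith(cls.HASH_PREFIX):
            return False  # placeholder or unknown format: nothing can match it
        body = stored[len(cls.HASH_PREFIX):]
        salt, digest = body[:cls.SALT_LEN], body[cls.SALT_LEN:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    @classmethod
    def unusable_password_hash(cls) -> bytes:
        """Random, unguessable filler for a NOT NULL password column (the comment's suggestion).
        The prefix, not the randomness, is what guarantees it never verifies."""
        return cls.UNUSABLE_PREFIX + secrets.token_bytes(48)

    def _new_user(self, email: str, password_hash: Optional[bytes]) -> User:
        user = User(len(self.users) + 1, email.lower(), password_hash)
        self.users[user.user_id] = user
        self.by_email[user.email] = user.user_id
        return user

    def register_local(self, email: str, password: str) -> User:
        if email.lower() in self.by_email:
            raise ValueError("email already registered")
        return self._new_user(email, self._hash_password(password))

    def register_from_oauth(self, provider: str, subject: str, email: str,
                            nullable_password: bool = True) -> User:
        """Create an account from a provider identity the server has already validated.
        Login is keyed on the provider's stable user id (subject), never on the email."""
        key = (provider, subject)
        if key in self.social_identities:
            raise ValueError("identity already linked to an account")
        if email.lower() in self.by_email:
            # A provider-supplied email matching a local account is not proof that this
            # visitor owns the local account; do not merge silently.
            raise ValueError("email already registered; link accounts after a password login")
        stored = None if nullable_password else self.unusable_password_hash()
        user = self._new_user(email, stored)
        self.social_identities[key] = user.user_id
        return user

    def login_with_password(self, email: str, password: str) -> Optional[User]:
        user_id = self.by_email.get(email.lower())
        if user_id is None:
            return None
        user = self.users[user_id]
        stored = user.password_hash
        # OAuth-only accounts have no usable password: refuse before any comparison,
        # so an empty or guessed password never gets them in.
        if stored is None or not stored.startswith(self.HASH_PREFIX):
            return None
        return user if self._verify_password(password, stored) else None

    def login_with_oauth(self, provider: str, subject: str) -> Optional[User]:
        """Called only after the provider's token/response has been validated server-side."""
        user_id = self.social_identities.get((provider, subject))
        return None if user_id is None else self.users[user_id]
```

The answer to "what do I put in the password field" is therefore: nothing usable. A nullable column is the clean design; where the column cannot be changed, `unusable_password_hash()` follows the random-value suggestion from the comments but adds a tag so the login path rejects it without ever running the verifier. Linking on `(provider, subject)` rather than on the email matters because the email the provider returns may be changeable or unverified, while the subject id is the provider's stable identifier for that account.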