3
votes

Simple scenario: let's say a user has two email addresses:

[email protected]
[email protected]

I want to authenticate both email addresses. All of the examples in the docs involve storing one oauth token per user account, e.g.:

    from django.contrib.auth.models import User
    from django.db import models
    from oauth2client.django_orm import CredentialsField
    class CredentialsModel(models.Model):
        id = models.ForeignKey(User, primary_key=True)  # primary_key: at most one row per User
        credential = CredentialsField()

So if a single user account on my website has multiple associated email addresses, do I still store one oauth2 credential for that user? Or do I need to use the email address as the primary key instead of using the user id as a foreign key? Right now I'm storing a different credential for each email address, although when I look in the database the credential looks the same for both of my email addresses. I'm not sure if I'm just doing something wrong or what.

Secondly, I realize this is a basic question, but when a user authorizes an email address, how do I know which email address they have authorized? I'm using the google-api-python-client to do all the validation, but I don't see anything in the python docs about how to do this.

1
The given example class does not imply that there can be only one token per user. The user is a ForeignKey, so there can be many CredentialsModel instances per User. On the other hand, the application code has to support that as well. – Klaus D.
Any hints on how to support that in my application code? The python docs only give the examples of Storage.get() for retrieving keys, but there isn't any example of how to then associate a key with a given email address. – Alex3917
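The question asks two things: how to tell which address a consent flow actually authorized, and how to keep one credential per address rather than per user. The following is an added example, not code from the question or from the google-api-python-client docs; it assumes the flow requested the `email` scope (so the exchanged credential's ID-token claims carry `email` and `email_verified`) and replaces the Django model with an in-memory store keyed on (user, email).

```python
# Added example, not code from the question or the google-api-python-client
# docs. Assumes the OAuth2 flow requested the "email" scope, so the exchanged
# credential carries ID-token claims (oauth2client: credentials.id_token)
# with "email" and "email_verified".
# CredentialStore stands in for a Django model keyed per mailbox:
#   user = models.ForeignKey(User)   # plain FK, not primary_key=True, which
#   email = models.EmailField()      # would allow only one row per user
#   credential = CredentialsField()
#   class Meta: unique_together = ("user", "email")

class UnverifiedEmail(ValueError):
    """The ID token carries no Google-verified email claim."""

def authorized_email(id_token_claims):
    """Return the mailbox Google asserts for the account that just consented.

    Bind a credential to an address only when Google marks the claim
    verified; an unverified claim has not been confirmed by the provider.
    """
    email = id_token_claims.get("email")
    if not email or id_token_claims.get("email_verified") not in (True, "true"):
        raise UnverifiedEmail("id_token has no verified email claim")
    return email.strip().lower()  # Alice@Example.com and alice@example.com: one row

class CredentialStore:
    """In-memory (user_id, email) -> credential map, like unique_together."""

    def __init__(self):
        self._rows = {}

    def put(self, user_id, id_token_claims, credential):
        email = authorized_email(id_token_claims)
        self._rows[(user_id, email)] = credential  # re-consent replaces the row
        return email

    def get(self, user_id, email):
        return self._rows.get((user_id, email.strip().lower()))

    def emails_for(self, user_id):
        return sorted(e for (u, e) in self._rows if u == user_id)

# Constructed sample claims: two consent flows by site user 42, one per mailbox.
CLAIMS_HOME = {"sub": "1001", "email": "alice@example.com", "email_verified": True}
CLAIMS_WORK = {"sub": "1002", "email": "Alice.Work@example.org", "email_verified": True}

def demo():
    store = CredentialStore()
    store.put(42, CLAIMS_HOME, "credential-json-home")  # placeholder credentials
    store.put(42, CLAIMS_WORK, "credential-json-work")
    return store
```

With the real model, `Storage.get()` would then be looked up by both the user and the email returned from `authorized_email`, so each mailbox keeps its own refreshable credential.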

1 Answer

0
votes

OAuth never "entertains" user authentication at all. It's up to the service provider to worry about it. All that OAuth provides is that the consumer (in this case, your application) can have access to the resource authorized by the user (after a successful authentication to the service provider, provided by the service provider itself).

The OAuth 2 credentials must be linked to the application that registered to the service provider through the oauth 2 endpoint.

> Secondly, I realize this is a basic question, but when a user authorizes an email address, how do I know which email address they have authorized?

You don't. The service provider does the authentication. This is to prevent 3rd party authentication by any 3rd party mechanism. Your application must just worry about getting an access token (which does expire) and what services it has access to. Receiving an access token is a "guarantee" that the user has successfully authenticated and has authorized your application in obtaining your protected resources.