How to Restrict OAuth Registrations

  1. Kelly
    73 posts
    Member since:
    Apr 2011

    Posted 10 Mar 2014


    I'm working on an app where users have to "find" each other to share TBS data, presumably by entering the target user's email address, since that is unique. I would really like to use the Google, Twitter, LiveID and Facebook login functionality that TBS offers, exclusively.  I don't want to build my own authentication or ask users to create yet another account.

    My first attempt at using the OAuth stuff worked nicely, but I found that logging in with my Windows LiveID account resulted in a TBS user record being added without an email address or username.  That's useless in my application.  The Display Name is certainly not unique.  So:

    1)  Is there a way to restrict OAuth registration to users who have configured their social accounts to provide email access? As the doc says "If the provided token has scope for email then the email address provided in the profile will be stored in the Email field of the user."  If that scope is missing, can I ask TBS to reject the registration in the cloud code somehow?

    2) Or, is there a way to supplement the OAuth registration with an Email address during registration?  The reason I ask, I edited my Windows LiveID account, and don't even see any way to specify or allow "scope for email".

    What would you do?

    Thank you,

  2. Anton Dobrev
    530 posts

    Posted 11 Mar 2014

    Hi Kelly,

    In regard to OAuth 2.0 authentication providers, the 'scope' of the request that obtains the token for the user determines which information about the user is requested from the provider's API. You can refer to our 'Friends' sample app to see the required configuration.

    In order to receive the email of the user, the "scope" must be set to the following values for the different social authentication providers:

    • for LiveID set the scope to:
      scope: 'wl.emails'
    • for Google set the scope to:
    • for Facebook set the scope to:
      scope: 'email'

    These examples are for a hybrid app, but the same configuration applies to the requests to the OAuth providers' APIs constructed in other programming languages.

    In regard to OAuth 1.0a providers (e.g. Twitter), the email of the user is not provided by the authentication authority. The client app has to obtain the email address explicitly by asking the user to enter it manually.

    Note that the current logic of the backend does not allow a user to be created if an account with the same email already exists. In the case of social authentication, a user already authenticated with Google will not be able to switch to using his/her LiveID account that uses the same email address. You may implement a 'linking' logic in the client app to handle such cases, if applicable.

    Please, let us know if this is helpful for you.

    Anton Dobrev
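As an added example (not code from this thread, from Telerik Backend Services or from the 'Friends' sample app), the JavaScript below puts the answer's scope values into an OAuth 2.0 authorization request, gates a social registration on the token actually carrying the email scope and the profile actually containing an address (the rejection asked about in question 1), requires a manually entered address for the OAuth 1.0a path (Twitter), and applies a link-instead-of-duplicate rule for the one-account-per-email constraint mentioned in the answer. The provider authorize endpoints, the profile shapes, the granted-scope list and the Map-based user store are assumptions made for illustration; Google is left out because the thread gives no scope value for it.

```javascript
// Added example for this thread (not Telerik Backend Services or sample-app
// code). Provider endpoints, profile shapes, the granted-scope list and the
// in-memory user store are assumptions made for illustration.

const PROVIDERS = {
  // Scope values from the thread: LiveID needs 'wl.emails', Facebook 'email'.
  // The thread gives no value for Google, so Google is left out here.
  // Authorize endpoints are assumed, not taken from the thread.
  liveid:   { kind: 'oauth2', authorize: 'https://login.live.com/oauth20_authorize.srf', scope: 'wl.emails' },
  facebook: { kind: 'oauth2', authorize: 'https://www.facebook.com/dialog/oauth', scope: 'email' },
  // Twitter is OAuth 1.0a: the provider returns no email, so the app collects one itself.
  twitter:  { kind: 'oauth1a', scope: null },
};

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Authorization request for an OAuth 2.0 provider. The scope from PROVIDERS
// is what makes the provider release the email; `state` is required so the
// callback can be tied back to the session that started the login (CSRF check).
function buildAuthorizeUrl(providerName, clientId, redirectUri, state) {
  const p = PROVIDERS[providerName];
  if (!p || p.kind !== 'oauth2') {
    throw new Error(`no OAuth 2.0 configuration for ${providerName}`);
  }
  if (!state) throw new Error('state is required');
  const url = new URL(p.authorize);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('scope', p.scope);
  url.searchParams.set('state', state);
  return url.toString();
}

// Pull an address out of the profile JSON. LiveID nests it under
// `emails.preferred` / `emails.account`, Facebook uses a flat `email` (assumed shapes).
function extractEmail(profile) {
  if (!profile) return null;
  if (profile.email) return profile.email;
  if (profile.emails) return profile.emails.preferred || profile.emails.account || null;
  return null;
}

// Gate a social registration before a user record is written: the token must
// carry the email scope AND the profile must actually contain an address (a
// user can decline or lack one). OAuth 1.0a providers need the manual address.
function checkRegistration(providerName, grantedScopes, profile, manualEmail) {
  const p = PROVIDERS[providerName];
  if (!p) return { ok: false, reason: 'unknown provider' };
  if (p.kind === 'oauth1a') {
    if (!manualEmail || !EMAIL_RE.test(manualEmail)) {
      return { ok: false, reason: `${providerName} gives no email; one must be entered manually` };
    }
    return { ok: true, email: manualEmail.toLowerCase() };
  }
  if (!Array.isArray(grantedScopes) || !grantedScopes.includes(p.scope)) {
    return { ok: false, reason: `token lacks scope ${p.scope}` };
  }
  const email = extractEmail(profile);
  if (!email || !EMAIL_RE.test(email)) {
    return { ok: false, reason: 'provider returned no usable email' };
  }
  return { ok: true, email: email.toLowerCase() };
}

// One user per email, as the backend in the thread enforces. A second provider
// with the same address is linked to the existing user instead of creating a
// duplicate; the same provider with a different account id is refused.
// `users` is a Map keyed by lower-cased email (stand-in for the real store).
function registerOrLink(users, providerName, providerUserId, email) {
  const key = email.toLowerCase();
  const existing = users.get(key);
  if (!existing) {
    users.set(key, { email: key, identities: { [providerName]: providerUserId } });
    return { action: 'created', email: key };
  }
  const known = existing.identities[providerName];
  if (known === providerUserId) return { action: 'login', email: key };
  if (known !== undefined) {
    return { action: 'rejected', reason: `email already bound to another ${providerName} account` };
  }
  existing.identities[providerName] = providerUserId;
  return { action: 'linked', email: key };
}

// Constructed sample inputs (not real provider responses).
function runDemo() {
  const users = new Map();
  const liveProfile = { id: 'live-1', name: 'Kelly', emails: { preferred: 'Kelly@example.test' } };
  const fbProfile = { id: 'fb-9', name: 'Kelly' }; // email permission declined
  const withScope = checkRegistration('liveid', ['wl.basic', 'wl.emails'], liveProfile);
  const noScope = checkRegistration('liveid', ['wl.basic'], liveProfile);
  const noEmail = checkRegistration('facebook', ['public_profile', 'email'], fbProfile);
  const twitter = checkRegistration('twitter', [], { id: 'tw-4' }, 'kelly@example.test');
  const created = registerOrLink(users, 'liveid', 'live-1', withScope.email);
  const linked = registerOrLink(users, 'twitter', 'tw-4', twitter.email);
  const clash = registerOrLink(users, 'liveid', 'live-2', 'kelly@example.test');
  return { withScope, noScope, noEmail, twitter, created, linked, clash, users };
}
```

The scope check alone is not enough: a provider can grant the scope and still return no address (the constructed Facebook case), so the gate looks at both the granted scopes and the profile before anything is written. The link step is the client-side handling the answer suggests for a user who signs in with a second provider tied to the same email.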