The way we implement the ‘login with Google, Facebook, or Github’ thing you see on some websites
When implementing a login feature (i.e. usernames/passwords, and a “logged in” vs “not logged in” status), we have two choices:
- Roll our own authentication, storing the usernames/passwords ourselves.
- Delegate that to some other identify provider.
The second choice is almost always preferable. Maintaining a database of usernames/passwords is an invitation to be hacked. And, even if your webapp is nothing special, people have a bad habit of reusing passwords across many different websites.
A common way of delegating authentication is via a protocol called OAuth.
This is the protocol that allows the “login with Facebook”, “login with Google”, etc. functionality you see on many websites.
Table of contents
- Google: Create Developer Project
- Google: OAuth Consent Screen
- OAuth: Authorizing GitHub Third Party Apps
- OAuth: GitHub Setup
- OAuth: Google Setup
- OAuth: Troubleshooting