Can the OAuth 2.0 authorization login function identify the same user even if the user information changes?

Asked 2 years ago, Updated 2 years ago, 400 views

If you create a login feature using OAuth 2.0 (without OpenID Connect) on a web page, I would like to know the following two things:
·Can the user be uniquely identified even if the user information changes? How is that done?
·If the user cannot be identified, is there a way to confirm that the user is the same as before the change?

I am studying authentication using OAuth 2.0 authorization when OpenID Connect is not in use.
In the book I was reading, it said that if you can access the email address or user ID using OAuth 2.0, you can create an authentication/login function.
However, some authorization providers allow users to change their email address and user ID, so if a user changes this information, they will be treated as a different user.
Even after such a change, can the user be identified as the same user as before? How is this actually done?
Also, if it is not possible to identify them, how on earth do services that are actually in operation ensure that the user before and after the change is the same person?

My knowledge and ability have not yet reached the stage of creating a web service, but I am worried about this.
Could you please let me know?

oauth

2022-09-30 21:56

1 Answer

(The answers are in a different order from the questions.)

·If the user cannot be identified, is there a way to confirm that the user is the same as before the change?

An authorization server (and resource server) that claims to offer so-called social login should provide some kind of unchanging user identifier.

·Can the user be uniquely identified even if the user information changes? How is it done?

This is not defined in the spec and depends on the implementation of the authorization server (and resource server).
For example, the Twitter service (*OAuth 1.0a) has an invariant user_id value that is different from the email address and screen name (see note), and it appears that you are supposed to identify users by it.
(Note: the Twitter service does not use the email address or screen name as user identifiers, because you can change both.)

Broadly speaking, OpenID Connect is a spec that makes providing such a user identifier (sub) mandatory.

Conversely, with an authorization server (and resource server) that does not provide an unchanging user identifier as described above, it is impossible to achieve social login, which is the situation the question asks about.


2022-09-30 21:56
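A worked example of the answer's point, added here and not part of the question or answer above: a service keys its local accounts on the pair (issuer, stable provider id) and only refreshes the mutable email address and screen name, shown beside the email-keyed approach the question describes so the difference in outcome is visible. The profile field names (`user_id`, `email`, `screen_name`), the issuer label `"twitter"`, and the sample profiles are constructed assumptions for illustration, not any real provider's API.

```python
# Added example (not from the question or answer): account linking keyed on the
# provider's stable identifier rather than on the mutable email or screen name.
# Profile field names, the "twitter" issuer label and all sample data are
# constructed assumptions, not a real provider's API.
from dataclasses import dataclass, field
from typing import Dict, Tuple

# (issuer, provider-assigned stable id) is the only pair allowed to act as the key.
AccountKey = Tuple[str, str]


@dataclass
class LocalUser:
    local_id: int
    email: str
    display_name: str


@dataclass
class AccountStore:
    """Toy in-memory stand-in for the service's user table (constructed)."""
    by_provider_id: Dict[AccountKey, LocalUser] = field(default_factory=dict)
    next_id: int = 1

    def login_stable_id(self, issuer: str, profile: dict) -> Tuple[LocalUser, str]:
        """Resolve the profile returned after the OAuth 2.0 flow to a local user.

        Returns (user, outcome) with outcome in {"created", "updated", "unchanged"}.
        A profile without an immutable identifier is refused instead of silently
        falling back to the email address.
        """
        stable_id = profile.get("user_id")
        if stable_id is None or str(stable_id) == "":
            raise ValueError(f"{issuer}: profile has no stable user identifier")
        key = (issuer, str(stable_id))
        user = self.by_provider_id.get(key)
        if user is None:
            user = LocalUser(self.next_id, profile["email"], profile["screen_name"])
            self.next_id += 1
            self.by_provider_id[key] = user
            return user, "created"
        # Same issuer and same stable id: same person. Refresh mutable attributes only.
        if (user.email, user.display_name) == (profile["email"], profile["screen_name"]):
            return user, "unchanged"
        user.email = profile["email"]
        user.display_name = profile["screen_name"]
        return user, "updated"


@dataclass
class EmailKeyedStore:
    """The approach the question worries about: the email address is the key."""
    by_email: Dict[str, LocalUser] = field(default_factory=dict)
    next_id: int = 1

    def login_by_email(self, profile: dict) -> Tuple[LocalUser, str]:
        user = self.by_email.get(profile["email"])
        if user is None:
            user = LocalUser(self.next_id, profile["email"], profile["screen_name"])
            self.next_id += 1
            self.by_email[user.email] = user
            return user, "created"
        return user, "matched"


# Constructed sample profiles: Alice changes both mutable fields, and later a
# different provider account holds Alice's old email address.
ALICE_BEFORE = {"user_id": 123456, "email": "alice@example.com", "screen_name": "alice"}
ALICE_AFTER = {"user_id": 123456, "email": "alice.new@example.com", "screen_name": "alice_2"}
SOMEONE_ELSE = {"user_id": 987654, "email": "alice@example.com", "screen_name": "carol"}


def compare_strategies() -> dict:
    """Run the same three logins through both stores and report who became whom."""
    good, bad = AccountStore(), EmailKeyedStore()
    logins = (ALICE_BEFORE, ALICE_AFTER, SOMEONE_ELSE)
    stable = [good.login_stable_id("twitter", p) for p in logins]
    email = [bad.login_by_email(p) for p in logins]
    return {
        # Stable-id keying: Alice keeps account 1 across the change, Carol gets account 2.
        "stable_ids": [u.local_id for u, _ in stable],
        "stable_outcomes": [o for _, o in stable],
        # Email keying: Alice is split into accounts 1 and 2, and Carol is logged
        # into Alice's old account 1 because she now holds that email address.
        "email_ids": [u.local_id for u, _ in email],
        "email_outcomes": [o for _, o in email],
    }


if __name__ == "__main__":
    print(compare_strategies())
```

The email-keyed store shows both failure modes the question hints at: the same person becomes two accounts after changing their address, and whoever later holds the old address is matched to the original account. Keying on the provider's stable identifier (or on `sub` when OpenID Connect is available) avoids both, and refusing a profile with no such identifier is safer than guessing.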

© 2024 OneMinuteCode. All rights reserved.