@exonomyapp
Created August 18, 2024 18:34
Provider Specifics and Handling of Unique Aspects

Each OAuth provider has unique aspects that distinguish it from others, ranging from the required scopes to the way they handle user data, token exchange, and API quirks. Below are the key differences and important notes for each of the listed providers:

1. Google

  • Scopes: Common scopes include email, profile, and openid. Google supports a wide range of APIs, so you may need additional scopes like https://www.googleapis.com/auth/calendar for accessing specific services. Request the narrowest set you can: sensitive and restricted scopes put your app through Google's OAuth verification process.
  • ID Token: When the openid scope is requested, Google returns an ID token alongside the access token. It is an RS256-signed JWT carrying the user's identity claims (sub, email, email_verified, and others). Validate it before trusting it: check the signature against Google's published JWKS, iss (either https://accounts.google.com or accounts.google.com), aud (your client ID) and exp, and key the user record on sub rather than email, since an email address can change.
  • User Info Endpoint: Google's user info endpoint is https://www.googleapis.com/oauth2/v3/userinfo.
  • Token Expiry: Access tokens expire after about 1 hour. Refresh tokens are long-lived, but Google only issues one when the authorization request includes access_type=offline, and normally only on the user's first consent (use prompt=consent to obtain a new one). Store refresh tokens server-side and encrypted at rest.

2. Facebook

  • Scopes: Common scopes include email, public_profile, and user_friends. Facebook has granular scopes for accessing specific data (e.g., user_posts, user_photos).
  • Permissions Review: Beyond email and public_profile, permissions must pass Facebook's App Review before they can be used in a production app.
  • Graph API: Facebook's API is centered around the Graph API, which can access a wide range of user data depending on the granted permissions. Server-side Graph calls made with a user token should include appsecret_proof (an HMAC-SHA256 of the access token keyed with the app secret), and the app should turn on the setting that requires it, so a stolen user token cannot be replayed from elsewhere.
  • Data Retention: Facebook imposes strict rules on data retention and requires developers to delete user data upon request; apps using Facebook Login must register a data deletion callback or instructions URL.

3. GitHub

  • Scopes: Common scopes include user, repo, gist, and notifications. GitHub uses OAuth to provide access to user repositories and other resources.
  • User Data: GitHub's user data includes information relevant to developers, such as repositories and organizations. A user's email address may be private; requesting the user:email scope and calling the /user/emails endpoint returns the verified addresses.
  • Token Scope Granularity: GitHub's OAuth App scopes are coarse rather than per-resource: repo grants full read/write access to every repository the user can reach, public and private, and there is no read-only variant for private repositories. Request the minimum (public_repo, read:user) and be explicit about why your application needs each scope.
  • Two-Factor Authentication: GitHub completes 2FA inside its own authorization page, so it does not change the OAuth flow you implement; it only mattered for the now-removed password-based API authentication. OAuth tokens are, however, subject to the same organization-level restrictions as the user (SAML SSO authorization, OAuth App access policies), so a token that authorized fine may still be denied access to a particular organization's resources.

4. Apple

  • Scopes: Apple's scope values are name and email (space separated); they are the only way to receive those fields, and whenever a scope is requested Apple requires response_mode=form_post, so the callback arrives as a POST to your redirect URI rather than a GET.
  • ID Token: Apple returns an RS256-signed ID token on every sign-in, with or without an openid scope. Validate it against Apple's JWKS (https://appleid.apple.com/auth/keys) and check iss (https://appleid.apple.com), aud (your client ID) and exp before trusting it. Quirks: email_verified and is_private_email may arrive as the strings "true"/"false" rather than JSON booleans, and a nonce you include in the authorization request is echoed back in the token and must be compared.
  • User Data: Apple sends the user's name (and email) only on the very first authorization, in a separate user form field (a JSON object) posted alongside the code and id_token. Persist it during that first callback; later sign-ins omit it. The email is also present in the ID token's email claim, but the name is never returned again unless the user revokes the app in their Apple ID settings and re-authorizes.
  • Private Email Relay: Apple often provides a private relay email (@privaterelay.appleid.com) instead of the user's actual email address to protect privacy. Mail sent to a relay address is only forwarded from sender domains and addresses you have registered with Apple's relay service.
  • JWT Signing: There is no static client secret. For the token-endpoint call, the client_secret parameter is a JWT you mint yourself and sign with ES256 using the .p8 private key from the Apple Developer portal: header kid = your Key ID, claims iss = Team ID, sub = client ID (Services ID), aud = https://appleid.apple.com, iat, and exp no more than six months out. Keep that private key out of client-side code and regenerate the secret on a schedule rather than minting one six-month secret.
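How that client_secret JWT is built, as an added Go example written for this page (not code from the gist or from Apple): it mints the ES256 token with the header and claims Apple specifies and shows the one encoding detail that trips people up, the raw R||S signature format JWS uses instead of ASN.1 DER. The P-256 key is generated locally as a stand-in for the downloaded .p8 file, and the Key ID, Team ID and Services ID are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// appleAudience is the fixed aud Apple requires in the client_secret JWT;
// maxSecretLifetime is Apple's documented six-month ceiling on exp.
const (
	appleAudience     = "https://appleid.apple.com"
	maxSecretLifetime = 15777000 * time.Second
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AppleClientSecret mints the ES256-signed JWT that Sign in with Apple expects as
// client_secret on the token endpoint: kid is the Key ID of the .p8 key from the
// developer portal, iss the Team ID, sub the Services ID used as client_id.
func AppleClientSecret(priv *ecdsa.PrivateKey, keyID, teamID, clientID string, now time.Time, lifetime time.Duration) (string, error) {
	if lifetime <= 0 || lifetime > maxSecretLifetime {
		return "", errors.New("client secret lifetime must be positive and at most six months")
	}
	if priv.Curve != elliptic.P256() {
		return "", errors.New("ES256 requires a P-256 key")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": teamID, "iat": now.Unix(), "exp": now.Add(lifetime).Unix(),
		"aud": appleAudience, "sub": clientID,
	})
	input := b64url(hdr) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw R||S pair, each left-padded to 32 bytes,
	// not the ASN.1 DER encoding most ECDSA APIs produce by default.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64url(sig), nil
}

// VerifyES256 is the check Apple performs on its side, included so the example
// can prove the R||S encoding round-trips. It returns the decoded claims.
func VerifyES256(token string, pub *ecdsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("signature is not a 64-byte R||S pair")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	// Stand-in for the .p8 key downloaded from the developer portal (generated locally here).
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	secret, err := AppleClientSecret(priv, "ABC123DEFG", "TEAM123456", "com.example.web", time.Now(), 24*time.Hour)
	fmt.Println(secret, err)
	claims, err := VerifyES256(secret, &priv.PublicKey)
	fmt.Println(claims["iss"], claims["sub"], claims["aud"], err)
}
```

In a real service the private key would be loaded from the .p8 file (PKCS#8, PEM) with x509.ParsePKCS8PrivateKey, and the generated secret would be cached until shortly before its exp rather than minted per request.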

5. Microsoft

  • Scopes: Common scopes include User.Read (for basic profile information) and Mail.Read (for email access). Scopes are namespaced per resource (Microsoft Graph, Azure Resource Manager, and so on), and a single access token is valid for only one resource audience, so you request tokens per API rather than one token for everything.
  • Multi-Tenant Support: Microsoft accounts can be either personal (MSA) or organizational (Microsoft Entra ID, formerly Azure AD). A multi-tenant app uses the common or organizations authority instead of a specific tenant ID; when it does, the ID token's iss is tenant-specific (https://login.microsoftonline.com/{tid}/v2.0), so validate it against the token's tid claim rather than one fixed string, and decide explicitly which tenants you are willing to accept.
  • Microsoft Graph API: This unified API endpoint is used to access resources in Microsoft 365, including user profiles, emails, calendars, and files.
  • Token Types: Microsoft provides different token types: access tokens, refresh tokens (issued when the offline_access scope is granted), and ID tokens (if the openid scope is used). Access tokens issued for Graph are opaque to your app by contract; only the ID token is addressed to you, so validate that and never parse the access token for identity.
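Google, Apple and Microsoft all hand back an ID token that is only as trustworthy as the validation applied to it. The following Go program is an added example written for this page (not code from the gist or from any provider SDK): it signs a token with a locally generated RSA key so it can run offline, then verifies it the way a relying party must, with the algorithm pinned, the key chosen by kid, and iss, aud, exp and nonce checked only after the signature holds. The kid, client ID and nonce are placeholders; the issuer set holds Google's two documented iss strings, and for Microsoft's common authority you would build it from the tid claim instead.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims holds the OpenID Connect claims a relying party must check before use.
type IDTokenClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodeSegment base64url-decodes one JWS segment and unmarshals it into v.
func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignRS256 mints a compact JWS the way the provider does. It exists only so the
// example runs offline with a local key; in production you only ever verify.
func SignRS256(key *rsa.PrivateKey, kid string, c IDTokenClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// VerifyIDToken runs the relying-party checks in the order that matters: pin the
// algorithm (rejects alg=none and HS256 key confusion), pick the key named by kid
// from the provider's JWKS (a map here), verify the signature, then check claims.
func VerifyIDToken(token string, keys map[string]*rsa.PublicKey, allowedIssuers map[string]bool,
	clientID, expectedNonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejecting alg %q: only RS256 is accepted", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown signing key %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c IDTokenClaims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case !allowedIssuers[c.Iss]:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("token was issued to another client %q", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case expectedNonce != "" && c.Nonce != expectedNonce:
		return nil, errors.New("nonce mismatch (possible replay)")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the provider's signing key
	now := time.Now()
	google := map[string]bool{"https://accounts.google.com": true, "accounts.google.com": true}
	tok, _ := SignRS256(key, "k1", IDTokenClaims{Iss: "accounts.google.com", Sub: "42", Aud: "my-client-id", Exp: now.Add(time.Hour).Unix(), Nonce: "n1"})
	c, err := VerifyIDToken(tok, map[string]*rsa.PublicKey{"k1": &key.PublicKey}, google, "my-client-id", "n1", now)
	fmt.Println(c.Sub, err) // key users on sub, never on email: addresses change
}
```

The order is deliberate: claims are decoded only after the signature has been checked, so nothing an attacker controls is interpreted before it has been authenticated. With a real provider the keys map is populated from the JWKS URL in the provider's discovery document and refreshed when an unknown kid appears.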

6. Amazon

  • Scopes: Login with Amazon supports a short list of scopes: profile (name, email, user_id), profile:user_id, and postal_code. Amazon's scopes are limited compared to other providers.
  • User Info: Amazon's profile endpoint (https://api.amazon.com/user/profile) is straightforward, returning basic profile information such as name, email, user_id, and postal code.
  • Developer Console: Requires registering a Security Profile in the Amazon Developer Console (developer.amazon.com), which is separate from the AWS console and its IAM credentials.
  • Device-Specific Access: Login with Amazon is also the account-linking mechanism for Alexa skills, which is where most device-related use of these tokens comes from.

7. Twitter

  • OAuth 1.0a and 2.0: Twitter (X) still supports OAuth 1.0a for the v1.1 API, where every request carries an HMAC-SHA1 signature computed over the method, URL and parameters with the consumer secret and token secret, so there is no bearer-style "attach the token" integration. Since late 2021 the v2 API also supports OAuth 2.0 Authorization Code with PKCE (the code_challenge/code_verifier pair is mandatory), which is the flow to use for new integrations that only need v2 endpoints.
  • Scopes (Permissions): Under OAuth 1.0a, permissions (read, read and write, read and write plus direct messages) are set on the app in the developer portal, not requested per authorization. Under OAuth 2.0, you request granular scopes such as tweet.read, users.read, tweet.write and offline.access (required to receive a refresh token).
  • User Data: Twitter’s user data focuses on profile details, including handle, followers, and tweets.
  • Rate Limiting: Twitter's API is subject to strict rate limiting, especially for write actions.
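How OAuth 1.0a request signing actually works, as an added Go example written for this page (not code from the gist or from Twitter): it builds the signature base string, the signing key and the HMAC-SHA1 signature for the sample request in Twitter's developer documentation, then renders the Authorization header. The consumer key, token and secrets are the documentation's published sample values, not live credentials, and oauth_nonce and oauth_timestamp are fixed here only so the output is reproducible; real requests need a fresh nonce and current timestamp.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// percentEncode is the RFC 3986 encoding OAuth 1.0a mandates: only unreserved
// characters pass through, everything else becomes %XX (space is %20, not "+").
func percentEncode(s string) string {
	var b strings.Builder
	for _, c := range []byte(s) {
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9', c == '-', c == '.', c == '_', c == '~':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// SignatureBaseString builds METHOD&URL&PARAMS: the base URL without its query,
// plus every query, form and oauth_* parameter (oauth_signature excluded), each
// percent-encoded, sorted by key then value, joined, and encoded once more.
func SignatureBaseString(method, baseURL string, params map[string]string) string {
	type kv struct{ k, v string }
	pairs := make([]kv, 0, len(params))
	for k, v := range params {
		pairs = append(pairs, kv{percentEncode(k), percentEncode(v)})
	}
	sort.Slice(pairs, func(i, j int) bool {
		if pairs[i].k != pairs[j].k {
			return pairs[i].k < pairs[j].k
		}
		return pairs[i].v < pairs[j].v
	})
	parts := make([]string, len(pairs))
	for i, p := range pairs {
		parts[i] = p.k + "=" + p.v
	}
	return strings.ToUpper(method) + "&" + percentEncode(baseURL) + "&" + percentEncode(strings.Join(parts, "&"))
}

// SigningKey is consumerSecret&tokenSecret, each percent-encoded. The token
// secret is empty for the initial request_token call but the "&" stays.
func SigningKey(consumerSecret, tokenSecret string) string {
	return percentEncode(consumerSecret) + "&" + percentEncode(tokenSecret)
}

// HMACSHA1Signature yields the oauth_signature value (base64, not yet encoded
// for the header). Anyone holding the consumer secret can forge these.
func HMACSHA1Signature(baseString, signingKey string) string {
	mac := hmac.New(sha1.New, []byte(signingKey))
	mac.Write([]byte(baseString))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// AuthorizationHeader renders the OAuth header; each value is percent-encoded
// again, which is why a base64 signature appears as ...%2F...%3D on the wire.
func AuthorizationHeader(oauthParams map[string]string) string {
	keys := make([]string, 0, len(oauthParams))
	for k := range oauthParams {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, len(keys))
	for i, k := range keys {
		parts[i] = fmt.Sprintf(`%s="%s"`, percentEncode(k), percentEncode(oauthParams[k]))
	}
	return "OAuth " + strings.Join(parts, ", ")
}

func main() {
	// Request parameters and credentials from the worked example in Twitter's
	// developer documentation (published sample values, not live credentials).
	oauth := map[string]string{
		"oauth_consumer_key":     "xvz1evFS4wEEPTGEFPHBog",
		"oauth_nonce":            "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
		"oauth_signature_method": "HMAC-SHA1",
		"oauth_timestamp":        "1318622958",
		"oauth_token":            "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
		"oauth_version":          "1.0",
	}
	all := map[string]string{"include_entities": "true", "status": "Hello Ladies + Gentlemen, a signed OAuth request!"}
	for k, v := range oauth {
		all[k] = v
	}
	base := SignatureBaseString("POST", "https://api.twitter.com/1.1/statuses/update.json", all)
	key := SigningKey("kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw", "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE")
	oauth["oauth_signature"] = HMACSHA1Signature(base, key)
	fmt.Println(base)
	fmt.Println("Authorization:", AuthorizationHeader(oauth))
}
```

Two details cause most signature failures in practice: using a URL-encoder that emits "+" for spaces or leaves "~" encoded, and forgetting that the body and query parameters are part of the signed string even though only the oauth_* values travel in the header.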

8. LinkedIn

  • Scopes: LinkedIn has been moving apps off the legacy r_liteprofile and r_emailaddress scopes to its OpenID Connect offering, which uses the standard openid, profile and email scopes, returns an ID token, and exposes the /v2/userinfo endpoint. w_member_social remains the scope for posting on a member's behalf. LinkedIn's scopes are geared towards professional profiles and social posting.
  • User Data: The profile data available to an ordinary app is basic (name, picture, email). Richer fields (positions, company, and especially connections) require partner-program permissions such as r_fullprofile and are not available to self-serve apps.
  • API Restrictions: LinkedIn restricts API access based on app type; for example, full profile data is only available to certain partners.
  • Data Protection: LinkedIn has strict data protection policies, especially around user connections and professional data.

9. Spotify

  • Scopes: Common scopes include user-read-private, user-read-email, and playlist-modify-public. Spotify has a broad range of scopes for accessing user playlists, listening history, and more.
  • Music Data: Provides access to Spotify-specific data, such as playlists, saved tracks, and listening habits.
  • Rate Limits: Spotify’s API has rate limits, particularly when modifying playlists or accessing user library data.
  • Session Management: Spotify access tokens expire after 1 hour, so keep the refresh token issued with the Authorization Code flow and refresh before expiry; for clients that cannot keep a client secret (mobile, desktop, single-page apps) use the PKCE variant of that flow rather than embedding the secret.

10. PayPal

  • Scopes: Common scopes include openid, profile, email, and https://uri.paypal.com/services/paypalattributes. PayPal’s scopes are used to access user payment data and account information.
  • Payments API: Integrates tightly with PayPal’s Payments API for transactions, making it distinct from other OAuth providers that focus on social or profile data.
  • Currency Handling: PayPal's API is heavily focused on financial data, requiring precise handling of currency and transaction details.
  • Token Management: Two different tokens are in play. Log in with PayPal issues user-scoped tokens (plus an ID token when openid is requested) that only read the user's identity attributes, while payments are made with an app-level access token obtained through the client_credentials grant against PayPal's REST API. Keep the two apart and never reuse a user's login token for merchant API calls.

Summary:

  • Authentication Flow: Most providers use the OAuth 2.0 Authorization Code flow; Twitter still supports OAuth 1.0a (per-request HMAC signing) for its v1.1 API alongside OAuth 2.0 with PKCE for v2, so a 1.0a integration needs a different implementation.
  • Token Handling: Google, Apple, Microsoft, PayPal and LinkedIn (via OpenID Connect) issue ID tokens (JWTs), which must be validated (signature, iss, aud, exp, nonce) before use; Facebook and the others return only access tokens, and identity comes from a user-info endpoint.
  • Data Access: The types of data you can access vary widely: from basic profile data (Google, Facebook) to financial data (PayPal) and even music preferences (Spotify).
  • Privacy and User Data: Apple, in particular, has a unique approach to privacy, offering limited access to user data, while others, like LinkedIn, restrict access based on the type of application.
  • API Quirks: Each provider’s API has its quirks, such as Facebook’s permissions review process, LinkedIn’s API restrictions, or Twitter’s rate limits.

Understanding these differences is crucial for properly integrating and managing authentication with each provider in your application.
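The OAuth 2.0 Authorization Code flow with PKCE that Twitter's v2 API, Microsoft, Google and Spotify all support, as an added Go example written for this page (not code from the gist or from any provider): it generates the verifier/challenge pair, builds the authorization URL with a state parameter, and checks the callback before assembling the token-endpoint request. The endpoint, client ID and redirect URI are placeholders, and the HTTPS POST to the token endpoint is left to the caller so the example runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// NewCodeVerifier returns a high-entropy verifier: 32 random bytes as unpadded
// base64url, i.e. 43 characters, inside RFC 7636's 43..128 range.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 derives the value sent in the authorization request.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Pending is what the client keeps in its server-side session between the
// redirect and the callback. The verifier never leaves the client.
type Pending struct{ State, Verifier string }

// AuthorizationURL builds the redirect to the provider's authorize endpoint.
// state ties the callback to this browser session (CSRF defence); the S256
// challenge ties the later code exchange to whoever holds the verifier.
func AuthorizationURL(authorizeEndpoint, clientID, redirectURI, scope string, p Pending) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", scope)
	q.Set("state", p.State)
	q.Set("code_challenge", CodeChallengeS256(p.Verifier))
	q.Set("code_challenge_method", "S256")
	return authorizeEndpoint + "?" + q.Encode()
}

// HandleCallback checks the returned state in constant time and returns the
// token-endpoint form, including the verifier the provider will hash and
// compare with the challenge it stored alongside the code.
func HandleCallback(callbackURL string, p Pending, clientID, redirectURI string) (url.Values, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return nil, fmt.Errorf("provider returned error %q", e)
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(p.State)) != 1 {
		return nil, errors.New("state mismatch: callback is not bound to this session")
	}
	code := q.Get("code")
	if code == "" {
		return nil, errors.New("no authorization code in callback")
	}
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI)
	form.Set("client_id", clientID)
	form.Set("code_verifier", p.Verifier)
	return form, nil
}

func main() {
	verifier, _ := NewCodeVerifier()
	state, _ := NewCodeVerifier() // any unguessable value serves as state
	p := Pending{State: state, Verifier: verifier}
	// Endpoint, client ID and redirect URI are placeholders, not a real registration.
	fmt.Println(AuthorizationURL("https://idp.example/oauth2/authorize", "my-client-id",
		"https://app.example/callback", "tweet.read users.read offline.access", p))
	form, err := HandleCallback("https://app.example/callback?code=abc123&state="+state, p, "my-client-id", "https://app.example/callback")
	fmt.Println(form.Encode(), err)
	_, err = HandleCallback("https://app.example/callback?code=abc123&state=forged", p, "my-client-id", "https://app.example/callback")
	fmt.Println("forged state:", err)
}
```

The code_verifier is what makes an intercepted authorization code useless on its own: the provider will only redeem the code for the party that can present the verifier whose SHA-256 matches the challenge it saw at authorization time. Confidential clients still add client_secret to the form; public clients send the form as-is.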
