Social Authentication with Spring boot 3.2.x — Part 1: Understanding of social login.

Huypc
Published in Goalist Blog
Mar 19, 2024 · 4 min read

Introduction

Hello everyone. Social authentication has become familiar to users all over the world, and it is now an important part of the UX of letting users interact with our application. All a user needs to do is click the "Login with Google" button, and our application handles everything behind the scenes. The idea is that users reuse the identity they already registered on a social platform to create an account in a different system without going through a separate registration. Social media platforms such as Facebook, TikTok, Google, X, LinkedIn, Instagram and the much newer Threads grow in popularity day by day, and all of them are tied to an email address. For example, when you want to use Instagram you can log in with your Facebook account; Instagram then creates a user in its own database from the information in your Facebook profile. Of course, you may worry about privacy: depending on the access scope you grant, more of your information may be shared than you expect. We should be careful and read the other platform's terms and the requested permissions slowly, to make sure that we do not allow it to get information we do not want to share.

So, I would like to share how I implement and integrate some of them into my application. I will split this into several parts because it is quite long.

Understanding of social login

Firstly, we should understand how a social login flow works under the hood.

Figure 1: The authentication flow.

As Figure 1 shows, it is more involved than a normal username and password login.

  1. In the user's browser, click the "Login with <provider>" button.
  2. The provider's login dialog opens.
  3. Choose an account, then click the login button.
  4. The frontend (the user's browser) sends the login request to the provider.
  5. The provider verifies the request against the client id (I will talk about the client id later): the id must belong to a registered application, and the request must come from an origin or redirect URI registered for it.
  6. The provider returns a response with credentials (access token, ID token, etc.) to the frontend.
  7. The frontend sends those credentials to the backend.
  8. The backend verifies them with the provider one more time. An ID token is a signed JWT that can be checked against the provider's published signing keys; an access token can be sent to the provider's token-info or user-info endpoint. In both cases the backend must also check that the token was issued for its own client id, otherwise a token obtained through any other application using the same provider would be accepted as a login. Only data coming from the verified token or from the provider counts; profile fields the frontend sends alongside the token must not be trusted.
  9. If verification succeeds, the provider (or the verified token itself) yields the user info.
  10. The backend handles the main logic with the user info, then saves it to the database.
  11. The backend returns to the frontend an access token signed by the backend itself. From here on the frontend uses the application's own token, not the provider's.
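Steps 8 and 9 in working code, as an added example that is not part of the original post: a verifier built on Spring Security's JWT support (the spring-boot-starter-oauth2-resource-server dependency brings it in). The issuer and JWKS URL are Google's published OIDC endpoints; the client id, the class name and the VerifiedIdentity record are placeholders chosen for this example.

```java
import java.util.List;

import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/**
 * Verifies the provider's ID token that the frontend handed to the backend (step 7)
 * before the backend believes anything in it (steps 8 and 9).
 * Added example; not code from the original series.
 */
public class IdTokenVerifier {

    /** The subset of claims the rest of the backend is allowed to act on. */
    public record VerifiedIdentity(String subject, String email, boolean emailVerified) {}

    private final JwtDecoder decoder;

    public IdTokenVerifier(String issuer, String jwkSetUri, String clientId) {
        NimbusJwtDecoder nimbus = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();

        // The decoder checks the signature against the provider's JWKS. On top of that:
        //  - createDefaultWithIssuer: "iss" must match, "exp"/"nbf" must be in range;
        //  - the "aud" claim must contain OUR client id. Without this check a perfectly
        //    valid token minted for some other application using the same provider
        //    would be accepted here as a login for that token's subject.
        OAuth2TokenValidator<Jwt> issuerAndExpiry = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(clientId));
        nimbus.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndExpiry, audience));
        this.decoder = nimbus;
    }

    /**
     * Returns the identity the provider vouched for, or throws JwtException when the
     * token is forged, expired, from another issuer, or issued for a different client id.
     * Only claims inside the verified token are used; nothing else the frontend sent
     * (display name, email typed into a form, ...) is taken into account.
     */
    public VerifiedIdentity verify(String idToken) throws JwtException {
        Jwt jwt = decoder.decode(idToken);
        Boolean emailVerified = jwt.getClaimAsBoolean("email_verified");
        return new VerifiedIdentity(
                jwt.getSubject(),
                jwt.getClaimAsString("email"),
                Boolean.TRUE.equals(emailVerified));
    }

    public static void main(String[] args) {
        // Google's published OIDC issuer and JWKS endpoint; the client id is a placeholder.
        IdTokenVerifier verifier = new IdTokenVerifier(
                "https://accounts.google.com",
                "https://www.googleapis.com/oauth2/v3/certs",
                "YOUR_CLIENT_ID.apps.googleusercontent.com");
        try {
            VerifiedIdentity who = verifier.verify(args[0]);
            System.out.println("sub=" + who.subject() + " email=" + who.email());
        } catch (JwtException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The subject claim ("sub") is the provider's stable identifier for the user; the email can change or be reassigned, so the backend should key its user records on the (provider, subject) pair and treat the email as profile data.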

The most difficult step is step 10. It requires the most logic on the server side (the backend).

In detail, you will have to handle the cases below:

  • What if the user has not registered in your application yet?
  • What if the user has the same email but comes from a different provider?
  • What if the user has already registered with this provider?
  • What if the user has already registered through the normal login feature (username and password) with the same email?

Of course, some cases depend on your business rules, so your implementation will differ from others.
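One way to handle the four cases of step 10, as an added example and not code from the original series. The in-memory store, the type names, the constructed sample identities in main, and above all the linking policy (link automatically only on a verified email into an account that has no password; otherwise stop and ask the user to confirm) are assumptions of this example; as the post says, the real policy depends on your business.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;

/**
 * Step 10 of the flow: given an identity the backend has already verified with the
 * provider (step 9), decide whether to create an account, log into an existing one,
 * link a new provider to it, or stop and ask the user to confirm.
 * Added example with an in-memory store; the policy is an assumption.
 */
public class SocialAccountLinker {

    /** What the provider vouched for. Only the (provider, subject) pair is a stable key. */
    public record ProviderIdentity(String provider, String subject, String email, boolean emailVerified) {}

    public record Account(String id, String email, boolean hasPassword) {}

    public enum Outcome { CREATED, LOGGED_IN, LINKED, LINK_REQUIRED }

    public record Result(Outcome outcome, Account account) {}

    private final Map<String, Account> accountsById = new HashMap<>();
    private final Map<String, String> accountIdByEmail = new HashMap<>();    // lower-cased email -> id
    private final Map<String, String> accountIdByIdentity = new HashMap<>(); // "provider:subject" -> id

    /** Seeds an account created through the normal username/password registration. */
    public Account registerWithPassword(String email) {
        Account a = new Account(UUID.randomUUID().toString(), email, true);
        accountsById.put(a.id(), a);
        accountIdByEmail.put(email.toLowerCase(), a.id());
        return a;
    }

    public Result socialLogin(ProviderIdentity id) {
        // Some providers omit the email unless the matching scope was granted; without
        // it we cannot reconcile with existing accounts, so refuse early.
        Objects.requireNonNull(id.email(), "provider did not return an email");
        String identityKey = id.provider() + ":" + id.subject();
        String emailKey = id.email().toLowerCase();

        // Case 3: this provider identity is already linked -> ordinary login. We match on
        // (provider, subject), never on email alone, because emails can change hands.
        String linked = accountIdByIdentity.get(identityKey);
        if (linked != null) {
            return new Result(Outcome.LOGGED_IN, accountsById.get(linked));
        }

        // Case 1: nobody has this email yet -> create a password-less account and link it.
        String existingId = accountIdByEmail.get(emailKey);
        if (existingId == null) {
            Account a = new Account(UUID.randomUUID().toString(), id.email(), false);
            accountsById.put(a.id(), a);
            accountIdByEmail.put(emailKey, a.id());
            accountIdByIdentity.put(identityKey, a.id());
            return new Result(Outcome.CREATED, a);
        }

        Account existing = accountsById.get(existingId);

        // Cases 2 and 4: the email belongs to an account that has never seen this provider.
        // Never link on an email the provider has not verified: whoever controls an
        // unverified address at the provider could take over the local account.
        // Also pause when the account has a password (the "normal login" case) so the
        // owner confirms the link after signing in with that password.
        if (!id.emailVerified() || existing.hasPassword()) {
            return new Result(Outcome.LINK_REQUIRED, existing);
        }

        // Verified email, account created by another social provider -> link and log in.
        accountIdByIdentity.put(identityKey, existingId);
        return new Result(Outcome.LINKED, existing);
    }

    public static void main(String[] args) {
        // Constructed sample identities; subjects are opaque ids a provider would issue.
        SocialAccountLinker linker = new SocialAccountLinker();
        ProviderIdentity aliceGoogle = new ProviderIdentity("google", "g-1001", "alice@example.com", true);
        System.out.println(linker.socialLogin(aliceGoogle).outcome());
        System.out.println(linker.socialLogin(aliceGoogle).outcome());
        ProviderIdentity aliceFacebook = new ProviderIdentity("facebook", "fb-2002", "alice@example.com", true);
        System.out.println(linker.socialLogin(aliceFacebook).outcome());
        linker.registerWithPassword("bob@example.com");
        ProviderIdentity bobGoogle = new ProviderIdentity("google", "g-3003", "bob@example.com", true);
        System.out.println(linker.socialLogin(bobGoogle).outcome());
    }
}
```

The four calls in main exercise the four cases in order: a first login from a new provider identity, a repeat login, a second provider presenting the same verified email, and a social login against an email that was registered with a password. The LINK_REQUIRED outcome is where a real application would send the user through its normal login (or an email confirmation) before storing the link.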

Furthermore, most social logins share the same concept. Each provider offers its own SDKs, developer console, and so on. In general, they all require a client id and a client secret, and the authentication flow I described above does not change much between them.

Some key points about social login

1. Ease of use

Social login removes the need for users to remember another username and password for a website. If they are already signed in to their social media account, they can often sign in to the third-party website with a single click.

2. Increased Registration Rates

By making the registration process simpler and quicker, social login can increase registration rates on websites.

3. Access to User Data

When users sign in with social login, the website can often access certain information from their social media profile, such as their name, email address, and interests. This can help the website provide a more personalized experience.

4. Security

Social login can be more secure than traditional login, because it leverages the security measures the social platform already has in place. However, it also means that if the social account is compromised, so is access to every website that uses that account for login. The same holds for mistakes in the backend's verification step: accepting a token issued for a different client id, or trusting profile data sent by the frontend instead of the provider, gives an attacker the same access as a compromised account would.

5. Privacy Concerns

Some users might be reluctant to use social login due to privacy concerns, as it can give the third-party website access to their social media profile and activity.

6. Dependency

With social login, the website becomes dependent on the social media platform. If the platform experiences downtime or changes its API, the login process on the website is affected.

In summary

Most social media platforms provide APIs and SDKs that make it relatively straightforward to implement social login. However, it is important to handle the process securely, to respect user privacy, and to comply with the platform's terms of use.

Last words

I will upload new parts about implementation step by step.

Thank you for reading, and happy coding :)
