
Demers94's avatar

[Socialite] How to handle providers that don't return the email

I'm using Socialite and SocialiteProviders to give our users a bunch of OAuth options.

Currently, when we login a user using a social provider, we attempt to find an existing user in our database matching that provider and ID combination. If there isn't, then we create the new account on the fly using the email address.

The issue is with the providers that don't return the email address, like Twitter and Steam. If we can't find an existing user with those credentials, then we have no way of creating a new account without an email address (and we don't want to make the email address optional/nullable).

What's the best way to handle this?

I was thinking of just showing the providers that support the email (like Facebook and Github) on the main login/registration page, and adding the other options on the user profile (so that they can link them to their existing account).

There must be a better solution. How do you guys handle this in your applications with Socialite?

Thanks for the help!

0 likes
4 replies
jekinney's avatar

I generally store the social data in a separate table. So if the response user object doesn't have an email it returns a redirect for the user to supply an email. This flow works for my use cases as I require a password anyways. So a simple has email check to show that input.

Flow: click Facebook link. If id isn't found create new social in db without user link. Set cache or session with data. Show finish registration page with required fields. In case of Facebook use avatar and set password. If Twitter then above two plus email.

Reasons for the above:

If you allow multiple social links then the email can be duplicated but only one in user table. Also modify the user name, some social accounts have the user's real name. Not always good for the user. Like I stated many users have one main email. If stuck in users table, while issues obviously. Lastly is avatars. Might be inappropriate for some use cases so user can elect not to use the socials particular avatar. Sure there's more but that's off the top of my head.

1 like
Demers94's avatar

Thanks @jekinney, that's a good idea.

Once you redirect them back to the page where they can supply their email to complete their profile, how do you link that data (when the form is submitted) with the OAuth data (provider name & identifier) that was returned by the OAuth provider before?

Let's say that I make a table social_logins with the following fields :

  • user_id (integer)
  • provider (string)
  • identifier (string)

If there's no email returned by the provider, I can create an entry with the user_id set to 0 or something, but later once they do provide that email, how do you link the new account with the social_logins entry?

Do you use a token that you pass to the "profile completion" view?

clay's avatar

For sites with social integration, I usually don't ask the user for any information. I use a one-click registration and login. However, I do ask them to confirm the registration information before adding the user to my db (in case someone else was logged into a social site and they didn't realize it). So, if the user doesn't exist and their email wasn't returned with the socialite object, I also show, along with the returned information, a single-input form for their email address. They can confirm the returned info and add their email address at that point. It may not be ideal, but it's still pretty simple.

jekinney's avatar

@Demers94

Sorry for late response, I usually check from mobile and no notifications ;(.

When I set the social data in the DB I return that data in the session. Once I have the rest of the data or confirmation I then create the user in the users table. At that time I connect the two (set user_id in the socials table). I allow it to be nullable. This, for me, allows a scheduled command to remove any rows that have a null value created during the week.

So the registration page checks if the session has social data, if it does (similar to the default error messages in auth scaffolding registration and login views) it sets the value in the input or just doesn't display it.

So after successful setting of a user's social data, redirect to the registration page, if I have the email, only shows username, password and avatar. If twitter, the email input will display because the email is empty.

Now, caveat is you can't "confirm" the email if social network doesn't return it, so if required you may need to do whatever logic you normally would (send activation email, etc.) to verify the email. That depends on your business requirements.

This flow also allows a user to link other social accounts if you want as the relationship should be a hasMany().
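The flow discussed in this thread (pending social row, session link, profile completion, email verification), sketched as an added example that is not code from any of the posters. The `SocialLogin` model with a nullable `user_id` and a `user` relation, the `register.complete` route name and the `pending_social` session key are assumptions; the pending link stays in the server-side session, so no token has to be passed to the completion view.

```php
<?php
// Added example: hypothetical controller, not code posted in the thread.
namespace App\Http\Controllers;

use App\Models\SocialLogin;   // assumed model: provider, identifier, nullable user_id
use App\Models\User;
use Illuminate\Auth\Events\Registered;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Laravel\Socialite\Facades\Socialite;

class SocialAuthController extends Controller
{
    public function callback(string $provider)
    {
        $remote = Socialite::driver($provider)->user();
        // The row exists with user_id NULL until registration is completed.
        $social = SocialLogin::firstOrCreate(
            ['provider' => $provider, 'identifier' => (string) $remote->getId()]
        );
        if ($social->user_id) {
            Auth::login($social->user);
            return redirect()->intended('/');
        }
        // Only the row id and the provider-supplied email (may be null) go in the session.
        session(['pending_social' => ['id' => $social->id, 'email' => $remote->getEmail()]]);
        return redirect()->route('register.complete'); // assumed route name
    }

    public function complete(Request $request)
    {
        $pending = $request->session()->get('pending_social');
        abort_if($pending === null, 403); // no OAuth round trip happened in this session
        // An email returned by the provider overrides anything typed into the form.
        $request->merge(['email' => $pending['email'] ?: $request->input('email')]);
        $data = $request->validate([
            'email'    => ['required', 'email', 'unique:users,email'],
            'password' => ['required', 'confirmed', 'min:8'],
        ]);
        $user = User::create(['email' => $data['email'], 'password' => Hash::make($data['password'])]);
        // Link only a row that is still unclaimed, then drop the pending state.
        SocialLogin::whereKey($pending['id'])->whereNull('user_id')->update(['user_id' => $user->id]);
        $request->session()->forget('pending_social');
        // A typed-in email is unverified: Registered triggers Laravel's verification
        // mail when User implements MustVerifyEmail.
        event(new Registered($user));
        Auth::login($user);
        return redirect('/');
    }
}
```

The `unique:users,email` rule rejects an email that already belongs to an account instead of attaching the new social login to it, so a typed-in address cannot be used to claim someone else's account.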
