Return Drip's unique user ID as the UID, instead of the client id. #5
Conversation
| end | ||
| end | ||
|
|
||
| context 'uid' do |
| } | ||
|
|
||
| uid { access_token.client.id } | ||
| uid { raw_info['accounts'][0]['id'] } |
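Review bot: `raw_info['accounts'][0]['id']` raises NoMethodError on nil whenever the `accounts` array is empty, and the discussion notes that a user may have access to no accounts at all; either guard the lookup (for example `Array(raw_info['accounts']).first&.fetch('id')`) or fail with an explicit error rather than a nil dereference, and record in the spec that the uid is the account id, since the thread leaves open whether the account id or the user's email is the correct identifier.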
I think this should actually be a unique identifier corresponding to the user. For Drip, the user's email address is this unique identifier.
uid { user_info["users"][0]["email"] }
For example, it's possible that a user does not actually have access to any accounts.
Gotcha... but isn't it the account that we're authorizing? For example, I log in to Drip using one email address, but I have two Drip accounts. If the user email is used as the identifier, how would we know which Drip account it's linking to?
This is what it looks like when I go to the authorize url:

If I authorize using my email address, and select the first Drip account, my user_info looks like this:
(byebug) user_info["users"]
[{"email"=>"ryan@•••••••.com", "name"=>"Ryan Heneise", "time_zone"=>"America/Chicago"}]
... and the account info looks like this:
(byebug) raw_info['accounts']
[{"id"=>"xxxx222", "href"=>"https://api.getdrip.com/v2/accounts/xxxx222", "name"=>"mysmallidea.com", "url"=>"mysmallidea.com" ...}]
Now if I want to connect the second Drip account (under the same user login), my user info looks the same:
(byebug) user_info["users"]
[{"email"=>"ryan@•••••••.com", "name"=>"Ryan Heneise", "time_zone"=>"America/Chicago"}]
... but the account info has the unique ID that I can use to identify the account:
(byebug) raw_info['accounts']
[{"id"=>"xxx337", "href"=>"https://api.getdrip.com/v2/accounts/xxxx337", "name"=>"memberman.com", "url"=>"www.memberman.com", "default_from_name"=>"Ryan Crispin Heneise", "default_from_email"=>"hello@•••••••.com" ...}]
If we use the user's email address, rather than the account ID, it would be impossible for my app to tell these two Drip accounts apart. In this case wouldn't it make more sense to use the account ID rather than the user email as the UID?
Yeah, I see what you mean. I need to give this some thought. The complication is that most tokens issued these days are indeed always tied to one (and only one) active account, but there are some edge cases.
In the meantime, I would recommend making a call to the /accounts endpoint right after obtaining the token to figure out which account the token is authorized to access. This is what most integrators do, which is probably why this issue has not been raised to date.
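The account-resolution step recommended above, written out as an added example that is not part of the omniauth-drip gem or this PR: after the token is issued, fetch the token's accounts, and refuse to produce a uid when the token is tied to zero or several accounts instead of silently indexing `[0]`. The `/v2/accounts` path is taken from the hrefs quoted in the thread; the `/v2/user` path, the `DripAccountResolver` class, and the `FakeToken` stand-in for `OAuth2::AccessToken` are assumptions made for this example, and the JSON payloads are constructed from the shapes shown in the byebug output.

```ruby
require 'json'

# Resolve which Drip account a freshly issued token is authorized for and
# derive the OmniAuth uid from it. The token only needs a `get(path)` method
# that returns an object responding to `parsed`, which is what
# OAuth2::AccessToken#get returns in an omniauth-oauth2 strategy.
class DripAccountResolver
  class NoAccountError < StandardError; end
  class AmbiguousAccountError < StandardError; end

  ACCOUNTS_PATH = '/v2/accounts'.freeze # path seen in the account hrefs in the thread
  USER_PATH     = '/v2/user'.freeze     # assumed path for the "users" payload

  def initialize(access_token)
    @access_token = access_token
  end

  # Accounts the token can access; Array() turns a missing key into [].
  def accounts
    @accounts ||= Array(fetch(ACCOUNTS_PATH)['accounts'])
  end

  # The user's email from the "users" payload, or nil when absent.
  def user_email
    @user_email ||= Array(fetch(USER_PATH)['users']).first&.fetch('email', nil)
  end

  # The single account the token is tied to. Zero accounts (possible per the
  # thread) and several accounts are both errors rather than a guessed uid.
  def account
    case accounts.size
    when 0 then raise NoAccountError, 'token is not authorized for any account'
    when 1 then accounts.first
    else
      ids = accounts.map { |a| a['id'] }.join(', ')
      raise AmbiguousAccountError, "token spans #{accounts.size} accounts: #{ids}"
    end
  end

  # uid is the account id, so two accounts under one login stay distinct.
  def uid
    account.fetch('id')
  end

  # Extra attributes an OmniAuth `info` block might expose.
  def info
    { 'email' => user_email, 'account_name' => account['name'] }
  end

  private

  def fetch(path)
    @access_token.get(path).parsed
  end
end

# Constructed stand-in for OAuth2::AccessToken: serves canned JSON per path.
class FakeToken
  Response = Struct.new(:parsed)

  def initialize(responses)
    @responses = responses
  end

  def get(path)
    Response.new(JSON.parse(@responses.fetch(path)))
  end
end

USER_JSON = '{"users":[{"email":"ryan@example.com","name":"Ryan Heneise"}]}'.freeze

SINGLE_ACCOUNT = FakeToken.new(
  '/v2/accounts' => '{"accounts":[{"id":"xxxx222","name":"mysmallidea.com"}]}',
  '/v2/user'     => USER_JSON
)
NO_ACCOUNT = FakeToken.new(
  '/v2/accounts' => '{"accounts":[]}',
  '/v2/user'     => USER_JSON
)
MULTI_ACCOUNT = FakeToken.new(
  '/v2/accounts' => '{"accounts":[{"id":"xxxx222","name":"mysmallidea.com"},' \
                    '{"id":"xxxx337","name":"memberman.com"}]}',
  '/v2/user'     => USER_JSON
)

if __FILE__ == $PROGRAM_NAME
  puts DripAccountResolver.new(SINGLE_ACCOUNT).uid
  [NO_ACCOUNT, MULTI_ACCOUNT].each do |token|
    begin
      DripAccountResolver.new(token).uid
    rescue DripAccountResolver::NoAccountError, DripAccountResolver::AmbiguousAccountError => e
      puts "refused: #{e.message}"
    end
  end
end
```

In a real strategy the `uid` block would call `DripAccountResolver.new(access_token).uid` and let the two error classes surface as an OmniAuth failure, so a token with no account or with several accounts never links to the wrong record.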
|
|
||
| def callback_url | ||
| options[:redirect_uri] || (full_host + script_name + callback_path) | ||
| end |
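Review bot: the `callback_url` override carries no comment saying why it exists, yet the discussion states the gem is broken on omniauth-oauth2 v1.4+ without it; add a one-line comment above `def callback_url` recording that, so a later cleanup does not drop it. Also note that `options[:redirect_uri]` is used verbatim when set, so the same fixed value must be passed on both the authorize request and the token exchange for the redirect_uri check to match.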
I don't know about the other change, but without this change this gem is essentially broken on omniauth-oauth2 v1.4+
Solves Issue #4 and correctly returns the drip user's id as the
uid.