Return Drip's unique user ID as the UID, instead of the client id. #5
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should actually be a unique identifier corresponding to the user. For Drip, the user's email address is this unique identifier.
For example, it's possible that a user does not actually have access to any accounts.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gotcha... but isn't it the account that we're authorizing? For example, I login to Drip using one email address, but I have two Drip accounts. If the user email is used as the identifier, how would we know which Drip account it's linking to?
This is what it looks like when I go to the authorize url:
If I authorize using my email address, and select the first Drip account, my user_info looks like this:
... and the account info looks like this:
Now if I want to connect the second Drip account (under the same user login), my user info looks the same:
... but the account info has the unique ID that I can use to identify the account:
If we use the user's email address, rather than the account ID, it would be impossible for my app to tell these two Drip accounts apart. In this case wouldn't it make more sense to use the account ID rather than the user email as the UID?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I see what you mean. I need to give this some thought. The complication is that most tokens issued these days are indeed always tied to one (and only one) active account, but there are some edge cases.
In the meantime, I would recommend making a call to the
/accountsendpoint right after obtaining the token to figure out which account the token is authorized to access. This is what most integrators do, which is probably why this issue has not be raised to date.