
What are best practices for social login?

Lucia Guh-Siesel CEO & Founder, Bandalou

February 24th, 2015

We are implementing login through social sites like Facebook, LinkedIn, Twitter, g+, etc., but wondering about best practices. How are folks dealing with the same user that has different email addresses tied to different social sites?

Ideally, you would let users log in as any of their social identities, yet associate all of their social identities with the same internal user record. Have folks accomplished this easily? Are there good examples of how most sites are dealing with this?


Dennis Kayser Co-founder & CEO - Intelligent PPM

February 24th, 2015

Hi Lucia,

It's fairly easy to do. However, it sounds like you've tied your user identities up on email instead of a unique user identifier, which is not good practice. What happens if the user wishes to change their existing email? I assume that's possible, otherwise you have a serious technical flaw.

The core idea is that models for a local site identity and the third-party site identities are kept isolated, but are later linked. So every user that logs into the site has a local identity which maps to any number of third-party site identities.

The third-party identities contain information relevant only to authenticating with a third-party. For OAuth, this typically means a user identifier (like an id, email, or username) and a service identifier (indicating what site or service was authenticated with). In other parts of the application, outside of the database, that service identifier is paired with a method for retrieving the relevant user identifier from that service, and that is how authentication is performed.

Let me know if you need more details.

Karl Schulmeisters Founder ExStreamVR

February 24th, 2015

If a user has different social media identities, that is their choice. If they opt to present you with a single OAuth identity and not the others (as Igor described the OAuth process), that's their choice.

If they choose to use a single OAuth identity across all social media, great. If not, it's up to them to figure out which, if any, to use with you.

Assuming they want to integrate all of them is a huge presumption on your part and a potential privacy violation.

Andrew Ballard Integrating business, technology and creative workflows in a master data management world.

February 24th, 2015

Hi there Lucia - I've had to consider this exact issue on my site.

The process I use on is to allow a new user to sign up with the OAuth provider of their choice. Five seconds later, the user is logged in, and their basic contact points are stored. 

After that painless experience, the technique is to then offer to *connect* that registered user to their other social accounts. For the user, it's entirely optional. Technically, it's relatively straightforward, since you have the user's first contact points - so you're simply updating their record to add more data.

That means that when they log back in again on a different social media account, chances are we have that record, too. (As Dennis suggested, their Unique ID from that OAuth provider is a better match than their email address).

The edge case is if they happen to log back in on a different social media account.
-- I do try to match email addresses across the different social media accounts, on the basis that the social media provider has already asked them to confirm that email account. (This works for Facebook, Google and LinkedIn; Twitter doesn't collect emails, for instance.)
-- This is a fallback, though, and I have seen both some mismatches AND some issues where users have two Facebook/Twitter/etc. accounts (one for work, another for personal). This can be solved by the first process: asking the authorised user to connect to the other accounts, which re-connects the social media accounts.

There are extreme edge cases, I'm sure, so I'd be keen to keep reading more solutions to this topic.

Note that I don't offer a generic email signup alternative. The convenience of the social one-click login is just too good to have to verify email addresses and do password reminders.

Feel free to poke around 
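An added example (not code from any poster or site in this thread) of the model Dennis describes and the matching order Andrew describes: one local user record linked to any number of (service, service_user_id) identities, lookup by the provider's unique id first, a verified-email fallback that refuses ambiguous matches and providers that share no email, and an explicit "connect" step that rejects an identity already owned by a different local user. The class names and the in-memory store are assumptions standing in for a real database.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class ThirdPartyIdentity:
    service: str            # provider that authenticated the user (facebook, google, ...)
    service_user_id: str    # provider's stable unique id: the primary match key
    email: Optional[str]    # provider-supplied email; None when the provider shares none
    email_verified: bool    # only a provider-confirmed email is eligible for matching

@dataclass
class LocalUser:
    user_id: int
    identities: list = field(default_factory=list)  # linked ThirdPartyIdentity records

class IdentityStore:
    def __init__(self):
        self.users = {}        # local user_id -> LocalUser
        self.by_identity = {}  # (service, service_user_id) -> local user_id

    def find_by_identity(self, ident):
        return self.users.get(self.by_identity.get((ident.service, ident.service_user_id)))

    def find_by_verified_email(self, ident):
        # Fallback: a verified email matches only when exactly one local user owns it.
        if not (ident.email and ident.email_verified):
            return None
        email = ident.email.lower()
        owners = {u.user_id for u in self.users.values() for i in u.identities
                  if i.email and i.email_verified and i.email.lower() == email}
        return self.users[owners.pop()] if len(owners) == 1 else None

    def link(self, user, ident):
        # Explicit "connect": attach a provider identity to the signed-in local user.
        key = (ident.service, ident.service_user_id)
        if self.by_identity.get(key, user.user_id) != user.user_id:
            raise ValueError("identity already linked to a different local user")
        self.by_identity[key] = user.user_id
        if ident not in user.identities:
            user.identities.append(ident)

    def sign_in(self, ident):
        user = self.find_by_identity(ident)          # 1. provider's unique id
        if user:
            return user, "existing"
        user = self.find_by_verified_email(ident)    # 2. verified-email fallback
        if user:
            self.link(user, ident)
            return user, "matched_by_email"
        user = LocalUser(len(self.users) + 1)        # 3. brand-new local user
        self.users[user.user_id] = user
        self.link(user, ident)
        return user, "created"
```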

Igor Chernyy

February 24th, 2015

Hi Lucia,

The way this usually works is that you provide the user the ability to log in using their Google credentials (for example). The way this works is, in essence, that you redirect them to Google, where they will be able to provide their credentials; after that Google will say something like "Such and such website would like access to your basic information", and they will have an option for yes / no. Now assuming they said yes, Google will redirect them back to your website and give you a key that you can then use to access some of the basic information that is associated with that user (to the level that you requested or the user gave you permissions). That key is usually valid for a long period of time or until the user revokes it.

You can then use the basic information you pulled about the user from Google in your local database (and/or use that information to create an account for the user), and you also store that key so you can keep that information updated. Next, let's say you want to connect a Facebook account: the system is exactly the same, you redirect the user to Facebook. The user logs in, gives you permissions, and Facebook sends them back with the key.

Most big social networks support this type of system today. I can go into technical details of how this API works. Most places call it "Login API" but it varies from site to site.

As for examples, you can take a look at how this (FoundersDating) website does it, since you can associate your LinkedIn/Facebook/Twitter account with your FD account.
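An added example (not code from Igor or from any site named in this thread) of the redirect exchange he describes, with an in-process stand-in for the provider: your site sends the browser to the provider with an unguessable state value, the provider echoes that state back together with a one-time code (or an access_denied error if the user said no), and a back-channel exchange redeems the code once for the key. The endpoint URLs, client id and FakeProvider are assumptions; the parameter names are the standard OAuth 2.0 authorization-code ones.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://provider.example/oauth/authorize"  # assumed provider endpoint
REDIRECT_URI = "https://app.example/auth/callback"          # assumed callback on your site

class LoginFlow:
    """Your site's side: build the redirect to the provider, then validate the return trip."""
    def __init__(self, client_id):
        self.client_id = client_id
        self.pending = {}  # state -> browser session id (normally server-side session storage)

    def start(self, session_id, scope="basic_profile"):
        # Unguessable state bound to this browser session; the callback must echo it back.
        state = secrets.token_urlsafe(32)
        self.pending[state] = session_id
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
        return AUTHORIZE_URL + "?" + urlencode(params)

    def callback(self, session_id, callback_url):
        """Return the one-time code, or None when the callback must be rejected."""
        q = parse_qs(urlparse(callback_url).query)
        state = q.get("state", [None])[0]
        # Reject unknown, replayed, or cross-session states (login CSRF / session swap).
        if state is None or self.pending.pop(state, None) != session_id:
            return None
        if "error" in q:  # the user chose "no" on the consent screen
            return None
        return q.get("code", [None])[0]

class FakeProvider:
    """Stand-in for Google/Facebook: consent screen, one-time code, code-for-key exchange."""
    def __init__(self):
        self.codes = {}  # outstanding code -> provider user id

    def consent(self, authorize_url, provider_user_id="g-123", approve=True):
        q = parse_qs(urlparse(authorize_url).query)
        params = {"state": q["state"][0]}  # a provider always echoes state unchanged
        if approve:
            code = secrets.token_urlsafe(16)
            self.codes[code] = provider_user_id
            params["code"] = code
        else:
            params["error"] = "access_denied"
        return q["redirect_uri"][0] + "?" + urlencode(params)

    def exchange(self, code):
        # Back-channel step: a code is redeemed exactly once for the long-lived key.
        uid = self.codes.pop(code, None)
        return None if uid is None else {"access_token": secrets.token_urlsafe(24), "user_id": uid}
```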

Jonathon Lunardi

February 24th, 2015

You can look at what we have done at  We are moving toward every user must have an internal account, and then they can link/add any of their other social logins to associate their social graphs and whatever else the API enables. Facebook is limiting their API in April, and FB is by far our most popular login; Google is 2nd. Also look at how does it on their app. They have a great UX for it and I believe they do it the best. SocialRadar is all former Blackboard employees, so they know what they are doing. Jonathon Lunardi CEO - Be Fearless!

Philip Jones Web Designer/Developer at Gogo

February 27th, 2015

We are implementing through the developer track in Facebook and Twitter. They have modules that can be implemented in your site. So when you click