I am sure you have noticed that most software services today that require you to have an account also let you “Login with Google” or “Login with Facebook.”
That is very convenient for your potential users and customers as Facebook and Google are so ubiquitous.
The process above is a form of Single Sign-On: the user logs in to Google once and then uses that login to authenticate to any number of other services that accept Google as an “identity provider.”
An “identity provider” is the role Google and Facebook play when they let you use their login to authenticate your own users.
I was reluctant to use an external identity provider before, because I had assumed it would mean you do not “own” your user base: Google does, and could cut off your access on a whim. That is not the case. If you request, and are granted, access to the user’s email address, you can still get in touch with them even if Google or Facebook refuse to do business with you, for whatever reason. (Store the address only when the provider reports it as verified, and identify the account by the provider’s stable subject identifier rather than by the email, which the user can change.)
So it makes sense to add such a feature to your service because it will make it much easier to adopt.
For larger companies that run multiple applications and services, it is possible, and often makes sense, to operate their own Identity Provider to get the same Single Sign-On capability across all of them.
A big challenge I found with using Identity Providers is “session management,” that is, keeping track of who the logged-in user is. Your application’s session and the provider’s session are separate things. For example, if the user logs out of Google and logs back in with a different account, your application has to notice that the identity returned on the next login (compare the provider’s stable subject identifier, not just the email address) differs from the one bound to the current session, discard that session, and start a fresh one for the new account. Otherwise you risk exposing one person’s private data to another.
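To make the session point concrete, here is an added example of the login callback logic a consumer (relying party) needs; it is my own illustration, not code from the original post or from any of the libraries mentioned in this article. The issuer URL and client id are made-up values, the in-memory session store stands in for whatever your framework provides, and the ID token’s signature is assumed to have been verified by an OpenID Connect library before its claims reach this code. It is written in Python rather than PHP because the logic is protocol-level, not language-specific: the callback checks the state it stored earlier, validates the token claims, binds the session to the provider’s `sub`, rotates the session id on every login, and throws the old session away entirely when a different subject comes back.

```python
"""Binding an application session to the identity provider's subject (example code)."""
import secrets
import time
from dataclasses import dataclass, field

# Constructed values for this example; a real deployment reads them from configuration.
EXPECTED_ISSUER = "https://idp.example.test"   # assumed issuer URL of the identity provider
CLIENT_ID = "demo-relying-party"                # assumed client_id registered at that provider


@dataclass
class Session:
    sid: str
    data: dict = field(default_factory=dict)


class SessionStore:
    """Minimal in-memory server-side session store, standing in for a framework's own."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        session = Session(secrets.token_urlsafe(32))
        self._sessions[session.sid] = session
        return session

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def begin_login(session):
    """Store a fresh state and nonce in the session before redirecting to the provider."""
    session.data["oidc_state"] = secrets.token_urlsafe(32)
    session.data["oidc_nonce"] = secrets.token_urlsafe(32)
    return {"state": session.data["oidc_state"], "nonce": session.data["oidc_nonce"]}


def validate_id_token_claims(claims, expected_nonce, now):
    """Claim checks every relying party must make on an ID token.

    Signature verification is assumed to have happened already (a library's job);
    this only checks the payload, which is where thin clients often fall short.
    """
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token was not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if expected_nonce is None or claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or foreign token)")
    if not claims.get("sub"):
        raise ValueError("missing subject identifier")


def complete_login(store, session, callback_params, claims, now=None):
    """Handle the provider's callback and return the session the user continues with.

    - the `state` in the callback must equal the one stored by begin_login (CSRF check)
    - the claims are validated against issuer, audience, expiry and nonce
    - the session is keyed on the provider's stable `sub`, never on the email address
    - a new session id is issued on every login (no session fixation), and if the subject
      differs from the one already logged in, nothing from the old session is carried over
    """
    now = time.time() if now is None else now
    expected_state = session.data.pop("oidc_state", None)
    expected_nonce = session.data.pop("oidc_nonce", None)
    if not expected_state or callback_params.get("state") != expected_state:
        raise ValueError("state mismatch")
    validate_id_token_claims(claims, expected_nonce, now)

    previous_sub = session.data.get("sub")
    fresh = store.create()
    if previous_sub is None or previous_sub == claims["sub"]:
        # Same person (or nobody) was logged in: keep their data, but rotate the id.
        fresh.data.update(session.data)
    # A different subject came back: start clean so no private data crosses accounts.
    fresh.data["sub"] = claims["sub"]
    # Keep the email only if the provider vouches for it.
    fresh.data["email"] = claims.get("email") if claims.get("email_verified") else None
    store.destroy(session.sid)
    return fresh
```

The check that matters most for the scenario above is the comparison of `previous_sub` with the incoming `sub`: an application that only looks at the email address, or that simply overwrites a field in the existing session, keeps the first user’s session data (and anything cached under it) alive for the second user.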
The Technical Side
Implementing Identity Providers and consumers is relatively easy now because the underlying protocols (OAuth 2.0 and OpenID Connect) are standardized, so you can find ready-made libraries that make the connection a breeze.
The libraries I have worked with that I can recommend are:
For PHP (Composer):
– The PHP League / OAuth2-Server
– The PHP League / OAuth2-Client
WordPress Client Plugin:
– OpenID Connect Generic Client (this required some modification, as it did not implement all of the requirements out of the box.)