I am writing an app. Like Google suggests, the user should be able to link multiple sign-in methods to their account. In order to do that, the ideas of “identities” and “accounts” are separated in the RESTful backend.
When signing up/in with a third party SDK, the access token (or ID token in the case of Google) gets sent to the backend, which then verifies and forgets about it. The app also forgets about this information, as it receives a separate bearer token from the server.
In the account settings, I now want to display a list of all linked accounts. The app receives an array containing the user IDs from the third party accounts. It should then populate the list with profile pictures and names.
The problem: Third party identity provider APIs only seem to hand out information like usernames and profile pictures if they are given the user’s access token. I looked everywhere for APIs without access tokens. I thought at least the username would be public information and could be retrieved with a simple HTTP GET request and the user ID.
Google seems to have had a Google Plus API that was useful, but that is being shut down. The Google People API gives access to names, but required OAuth2 authentication. Facebook has the Graph API, which also wants the user’s access token. Twitter has https://api.twitter.com/1.1/users/show.json, which requires authentication headers.
How does one go about this?
I could store the access token from the third party sign up on the client. Not only does this seem very sloppy, but it also comes with a problem: If the user buys a new phone, the access tokens are lost and the linked accounts list can’t be displayed correctly.
Another possibility would be to store the access/ID token on the server. The server could then either send all access tokens back to the client when it needs them, or populate usernames and profile pictures itself. But this seems like a huge security issue. Surely, access tokens are not meant to be kept around for a long time?
The backend could store the information like the username, the email address and the profile picture the moment the user signs up with a third party account. It would then not have to keep the access token. However, if the user changes their profile information in the third party account, these changes go unnoticed. In addition to that, storing a third party profile picture on the server seems absurd.
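As an added example (not code from the question or from any provider SDK), this is how a backend could take the last option above: keep a profile snapshot from the claims of a Google ID token and discard the token itself, so the linked-accounts list never needs a stored access token. Signature verification is assumed to be done by the provider library beforehand; the function names, the client ID and the sample claims are all constructed for illustration.

```python
import base64
import json
import time
from typing import Optional

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_unsigned_sample_token(claims: dict) -> str:
    # Constructed test input only: a compact JWS with an empty signature.
    header = base64.urlsafe_b64encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()).rstrip(b"=")
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return f"{header.decode()}.{payload.decode()}."

def decode_id_token_claims(id_token: str) -> dict:
    # Returns the claims segment. The signature is NOT checked here: in production
    # verify it first with the provider library (for Google,
    # google.oauth2.id_token.verify_oauth2_token checks it against Google's keys).
    _header_b64, payload_b64, _signature_b64 = id_token.split(".")
    return json.loads(b64url_decode(payload_b64))

def snapshot_identity(claims: dict, expected_aud: str, now: Optional[float] = None) -> dict:
    # Validate the standard claims, then keep only the profile fields the
    # account-settings screen needs. The token is dropped after this call.
    now = time.time() if now is None else now
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("token was not issued for this app")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return {
        "provider": "google",
        "provider_user_id": claims["sub"],          # stable ID used for linking
        "display_name": claims.get("name"),
        # Only trust the address if the provider says it is verified.
        "email": claims.get("email") if claims.get("email_verified") else None,
        "picture_url": claims.get("picture"),       # a URL, not the image itself
        "snapshot_at": int(now),                    # lets you show "last refreshed"
    }

def linked_accounts_view(identities: list) -> list:
    # What the client receives: the snapshot only, never any token.
    keys = ("provider", "display_name", "picture_url", "snapshot_at")
    return [{k: ident[k] for k in keys} for ident in identities]
```

The snapshot goes stale if the user edits their profile at the provider, as the question notes; `snapshot_at` makes that visible and can be refreshed whenever the user signs in with that provider again.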