Last modified 10:12, 23 Mar 2015


This method instructs the Gigya service to authenticate the user using an external provider, such as Facebook or Yahoo.

The Gigya service opens a popup window with the login screen of the requested provider. In some cases, such as Facebook and Yahoo, users are also asked to give the site permission to access their personal data. When the login process completes, the popup window closes automatically, the method callback function is called and the global onLogin event is fired. 


Supporting Providers

The following providers currently support this operation: Facebook, Twitter, Google+, LinkedIn, Yahoo!, Microsoft Messenger, AOL, Foursquare, Instagram, Vkontakte, renren, Kaixin, Tencent QQ, Sina Weibo, mixi, Yahoo! Japan, Odnoklassniki, Spiceworks, WordPress, Blogger, Typepad, PayPal, LiveJournal, VeriSign, OpenID, VZnet, Skyrock, Netlog, Signon, Orange France, Livedoor, Amazon, Xing and WeChat.


Securing the Login Process

The Gigya service supports a mechanism to verify the authenticity of the login process. To prevent fraud, Gigya "signs" the login process with a cryptographic signature. Your site receives this signature in the login method's callback function as part of the response object (please refer to the Response object Data Members table below).

We highly recommend verifying the authenticity of the signature to prove that it has indeed originated from Gigya rather than somewhere else.

To learn more about this subject, please refer to the Security page of the Developer's Guide.
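
Added example, not part of the original page or Gigya's own code: a Node.js server-side check of the UID, UIDSignature and signatureTimestamp fields returned to the login callback, including the effect of skipping encodeURIComponent() on the UID. The base string (signatureTimestamp + "_" + UID), HMAC-SHA1 keyed with the base64-decoded partner secret, and the 180-second freshness window are assumptions about the scheme covered in the "Validate the UID Signature" guide this page points to and should be confirmed there; the function names and sample values are constructed.

```javascript
// Added example: server-side (Node.js) check of the values the login callback returns.
const crypto = require('crypto');

const MAX_SKEW_SECONDS = 180; // assumed freshness window, not stated on this page

// Assumed scheme: base64(HMAC-SHA1(base64-decoded secret, signatureTimestamp + "_" + UID))
function computeUidSignature(uid, signatureTimestamp, secretKeyB64) {
  const key = Buffer.from(secretKeyB64, 'base64');
  return crypto.createHmac('sha1', key)
    .update(`${signatureTimestamp}_${uid}`, 'utf8')
    .digest('base64');
}

// Values as a server would parse them from a query string sent by the client.
function fromQuery(queryString) {
  const q = new URLSearchParams(queryString);
  return { UID: q.get('UID'), UIDSignature: q.get('UIDSignature'),
           signatureTimestamp: q.get('signatureTimestamp') };
}

function verifyLogin({ UID, UIDSignature, signatureTimestamp }, secretKeyB64, nowSeconds) {
  if (typeof UID !== 'string' || typeof UIDSignature !== 'string' ||
      !/^\d+$/.test(String(signatureTimestamp))) {
    return { ok: false, reason: 'malformed' };
  }
  // Reject stale or future-dated responses to limit replay of a captured login.
  const now = nowSeconds === undefined ? Math.floor(Date.now() / 1000) : nowSeconds;
  if (Math.abs(now - Number(signatureTimestamp)) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: 'stale' };
  }
  const expected = Buffer.from(computeUidSignature(UID, signatureTimestamp, secretKeyB64), 'base64');
  const received = Buffer.from(UIDSignature, 'base64');
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  if (expected.length !== received.length || !crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: 'bad-signature' };
  }
  return { ok: true, reason: null };
}

// Constructed sample values (not real credentials).
const SAMPLE_SECRET = Buffer.from('constructed-demo-secret').toString('base64');
const SAMPLE = { UID: '_guid_constructed+/=', signatureTimestamp: '1427105520' };
SAMPLE.UIDSignature = computeUidSignature(SAMPLE.UID, SAMPLE.signatureTimestamp, SAMPLE_SECRET);
```

A UID sent without encodeURIComponent() arrives with its "+" turned into a space, so the recomputed signature no longer matches and the login is rejected as 'bad-signature'.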





Method Parameters

The following table lists the params object members:

Required Name Type Description
Required provider string The provider that is used for authenticating the user. The following values are currently supported for use with this parameter: facebook, twitter, googleplus, linkedin, yahoo, messenger, aol, foursquare, instagram, vkontakte, renren, kaixin, qq, sina, mixi, yahoojapan, odnoklassniki, spiceworks, wordpress, blogger, typepad, paypal, livejournal, verisign, openid, vznet, skyrock, netlog, signon, orangefrance, livedoor, amazon, xing, wechat

SAML providers are also supported - use the format "saml-<name>".

Optional actionAttributes JSON object In Gamification, your users receive points for actions they perform on your site. In this case, logging in grants the user points. Action Attributes may be used to annotate actions with additional information, such as the section of the web site that generated the action. If you set actionAttributes, the log in action receives an attribute, for example "tv-show":"glee". 
actionAttributes contains a JSON object comprised of a series of attribute keys (categories) with associated values. You can also use a generic "tags" key. No more than three values can be given; they can share a single key or each have their own key. For more information see Variants and Action Attributes. Action attributes are later used to filter GM Plugins by a certain attribute.
Example:  {"<attribute key1>": ["<attribute value1>", "<attribute value2>"],  "<attribute key2>": "<attribute value3>" }
  authCodeOnly false This parameter is intended only for developers who wish to implement the "Web Server Flow" of the OAuth 2.0 standard. If you set this parameter to 'true', you will not receive the user data in the response. Instead you will receive an authCode.
The authCode contains a code that is intended to be used for invoking the OAuth 2.0 getToken end-point along with the grant_type parameter set to authorization_code.
  authFlow string Using this parameter you may specify that the login flow will use page redirects instead of using a popup. This gives a solution for environments where popups are unavailable (e.g. mobile web view controls). This parameter accepts two values:
  • "popup" (default)
  • "redirect" - the login flow uses page redirects. When the login process completes successfully, the user is redirected to the URL specified by the redirectURL parameter (see above). If the redirectURL parameter is not specified, the user will be redirected to the original page from which the login process started.
    Notes: This option will only work if CNAME is configured.
    The context object will not be passed when authFlow=redirect.
  callback function A reference to a callback function. Gigya calls the specified function along with the results of the API method when the API method completes.
The callback function should be defined with the following signature: functionName(response).
The "Response object Data Members" table below provides specification of the data that is passed to the callback function.
  cid string A string of maximum 100 characters length. The CID sets categories for transactions that can be used later for filtering reports generated by Gigya in the "Context ID" combo box. The CID allows you to associate the report information with your own internal data. For example, to identify a specific widget or page on your site/application. You should not define more than 100 different context IDs.
Note: This parameter overrides the value of the identical parameter in Global Conf (the global configuration object). If the parameter is not set for the method, the value from Global Conf is used.
  context object A developer-created object that is passed back unchanged to the application as one of the fields in the response object.
  extraFields string This parameter accepts a comma-separated list of additional data fields to retrieve. The current valid values are: languages, address, phones, education, honors, publications, patents, certifications, professionalHeadline, bio, industry, specialties, work, skills, religion, politicalView, interestedIn, relationshipStatus, hometown, favorites, likes, followersCount, followingCount, username, locale, verified, irank, timezone, and samlData.

Note: Before your application can retrieve Facebook data, the user must grant your application with access. Please make sure you have checked the check boxes that enable retrieving the relevant fields from Facebook in the Permissions page on Gigya's website. You may find more information in the Facebook Permissions section of our guide.

  facebookExtraPermissions string A comma-delimited list of Facebook extended permissions to request from the user. This parameter gives the possibility to request extended permissions in addition to the permissions that Gigya is already requesting. Refer to Facebook's extended permissions page for the complete list of permissions.
For example, if you wish to RSVP to events on the user's behalf and to send text messages to the user, define: facebookExtraPermissions : "rsvp_event,sms"
Note: This parameter overrides the value of the identical parameter in Global Conf (the global configuration object). If the parameter is not set for the method, the value from Global Conf is used.
  forceAuthentication Boolean
The default value of this parameter is 'false'. If it is set to 'true', the user is forced to provide their social network credentials during login - even if the user is already connected to the social network. This parameter is currently supported by Facebook, Twitter, Renren, and LinkedIn. Note that the behavior of the various social networks may be slightly different: Facebook expects the current user to enter their password, and will not accept a different user name. Other networks prompt the user to re-authorize the application or allow a different user to log in.
  googleExtraPermissions string This parameter gives the possibility to request extended permissions in addition to the permissions that Gigya is already requesting. The supported values are: "wallet" - for Google wallet permissions.
Note: This parameter overrides the value of the identical parameter in Global Conf (the global configuration object). If the parameter is not set for the method, the value from Global Conf is used.
  googlePlayAppID string The objective of this parameter is to support Over The Air app installs for Android devices during Google+ login. Set this parameter with the package name of your Android app (for example: ""). As a result, after signing in with Google+, users have the option to send your Android app to their device instantly, without leaving your website. As a preliminary step you'll need to Utilize Google+ Native Android Sign-on on your Android app. The package name passed to this parameter is the same one you enter when enabling the Google+ API.
  includeAllIdentities Boolean The default value of this parameter is 'false'. If set to 'true', you will receive all the user's identities, including those with expired sessions. Each <identity> entry will have an attribute <isExpiredSession> that will be 'true' when the session has expired for that provider (or is otherwise inactive) and 'false' if it is active.
  loginMode string The type of login being performed:
  • standard - (default) the user is logging into an existing account.
  • link - the user is linking a social network to an existing account. The account being used to login will become the primary account.
  • reAuth - the user is proving ownership of an existing account by logging into it. The loginID will be ignored and the password verified. Note that this option overrides the forceAuthentication setting, making it 'true'.
  pendingRegistration Boolean The default value of this parameter is 'true'. By default, when a new user logs in (registers), the new Gigya account is not considered final until socialize.notifyRegistration is called. While the account is not final, the identities associated with it can be connected to another account without causing an error.
If this parameter is set to 'false', the new Gigya account is final immediately when a new user logs in (registers).
Note: the value of this parameter overrides the value of the newUsersPendingRegistration parameter in the global configuration object.
  redirectMethod string This parameter is only applicable when redirectURL is specified, and it determines how the user info data is passed to the redirectURL. This parameter accepts two values:
  • 'get' (default) -  the user info values should be passed as query string parameters.
  • 'post' - the user info should be passed as POST fields.
  redirectURL string A URL to which to redirect the user when the login process has successfully completed.
The following additional parameters are appended to the URL string: UID, UIDSig, timestamp, loginProvider, loginProviderUID, nickname, photoURL, thumbnailURL, firstName, lastName, gender, birthDay, birthMonth, birthYear, email, country, state, city, zip, profileURL, proxiedEmail, provider.
These parameters are equivalent to the User object fields. Please find the parameters' description in the User object reference page.
When redirectURL is explicitly defined by the partner the user object fields should always be sent with the redirect regardless of the authFlow mode.
Note: we strongly advise providing a secure HTTPS URL.
  regSource string  A string representing the source of the registration. This would typically be the URL where it took place.
  regToken string This parameter is required for completing the link accounts flow. Once the initial login has failed, call the login method with loginMode=link and the regToken returned from the initial call to complete the linking. For more information go to the social account linking guide.
  sessionExpiration integer This parameter defines the time in seconds that Gigya should keep the login session valid for the user. To end the session when the browser closes, please assign the value '0'. If this parameter is not specified, the session is valid forever.
Note: This parameter overrides the value of the identical parameter in Global Conf (the global configuration object). If the parameter is not set for the method, the value from Global Conf is used.
  includeiRank Boolean Deprecated. This parameter's default value is 'false'. If set to 'true' you will receive the user's iRank (influencer rank) in the response User object.


Response Object Data Members

Field Type Description
errorCode integer The result code of the operation. Code '0' indicates success, any other number indicates failure. For a complete list of error codes, see the Error Codes table.
errorMessage string A short textual description of an error associated with the errorCode for logging purposes.
operation string The name of the API method that generated this response.
context object The context object passed by the application as parameter to the API method, or null if no context object has been passed.
user User object User object that includes updated information for the current user.
UIDSignature  string The signature that should be used for login verification as described under Validate the UID Signature in the Social Login Process.
signatureTimestamp  string The GMT time of the response in UNIX time format (i.e. the number of seconds since Jan. 1st 1970). The timestamp should be used for login verification as described under  Validate the UID Signature in the Social Login Process.
UID  string The User ID that should be used for login verification as described under  Validate the UID Signature in the Social Login Process.
Note: The UID string must be encoded using the encodeURIComponent() function before sending it from your client to your server.
isNewUser Boolean Indicates whether the user logging in is new. The parameter is returned only when it is set to "true", or when the user is missing the 'connectionIdentity' field in the DB.
When 'RaaS' is enabled, if 'newUser == TRUE' and no required fields are missing, a 'SocialLeadToAccountNewUser' event is called and a new user is created.
If account is pending verification, a 'SocializeLeadToAccountsPendingVerification' event is fired instead.
signature  string Deprecated. Please use the UIDSignature parameter instead.
timestamp  string Deprecated. Please use the signatureTimestamp parameter instead.
This parameter holds the GMT time of the response in "yyyy-mm-dd HH:mm:ss" format where HH is in 24 hour time format.


Triggered Global Event

By using this method the onLogin global event may be triggered (the onLogin global event is fired when a user successfully logs in to Gigya). To register an event handler use the socialize.addEventHandlers API method. Refer to the onLogin event data. Refer to the Events page in the Developer's Guide to learn more about how to handle events generated by the Gigya service. 


Code Sample

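<script type="text/javascript" src="">
{
  connectWithoutLoginBehavior: 'alwaysLogin'     // change the connect without login behavior
}
</script>
<script type="text/javascript">
var params = {
    provider: 'facebook',   // required: the provider used to authenticate the user
    callback: onLogin       // called with the response object when login completes
};

gigya.socialize.login(params);

function onLogin(response) {
    if (response.errorCode === 0) {
        // verify the signature ...
    }
}
</script>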

In the code sample the connectWithoutLoginBehavior parameter is used, please refer to the global configuration object for a detailed explanation.

  • This sample is not meant to be fully functional code. For brevity's sake, only the code required for demonstrating the API call itself is presented.
  • To run the code on your own domain, add your Gigya API key to the socialize.js URL. A Gigya API key can be obtained on the Site Dashboard page on Gigya's website. Please make sure that the domain from which you are loading the page is the same domain name that you used for generating the API key.
