
accounts.socialLogin JS


Description

This method logs in or registers a user to your site via their social network or webmail account.

When calling the method, a popup window opens with the login screen of the requested provider. In some cases, such as Facebook, users are also asked to give the site permission to access their personal data. When the login process completes, the popup window closes automatically, you receive the method response and the global onLogin event is fired.

The login operation is currently supported by the following providers:  Amazon, Blogger, Facebook, FourSquare, GooglePlus, Instagram, Kakao, LINE, LinkedIn, Livedoor, Messenger, mixi, Naver, Netlog, Odnoklassniki, Orange France, PayPalOAuth, Tencent QQ, Renren, Sina Weibo, Spiceworks, Twitter, VKontakte, WeChat, WordPress, Xing, Yahoo, Yahoo Japan.

Note: If you plan on integrating Gigya's Accounts API, we highly recommend reading the Registration-as-a-Service Guide. Registration-as-a-Service (RaaS) is a premium platform that requires separate activation. If RaaS is not part of your site package, please contact Gigya by filling in a support form through the Console. You can access the support page by clicking Support on the upper menu after logging into the Gigya Console.

 

Social Registration

If the user is new to your site, the method attempts to register the user. Gigya examines the site Policies and Schema and determines whether the registration can be finalized immediately or is left pending.
In the first case, Gigya finalizes the registration and returns "errorCode":0 in the response. In the second case, the response carries a relevant error code and message together with a regToken string (registration token); the error code and message tell you why the registration is pending. After completing the missing step, call accounts.finalizeRegistration and pass the regToken.

The possible reasons for a pending registration:

  • Account pending registration error: fields defined as "required" in the Schema are missing from the social data. Recommended action - redirect the user to a second-step registration screen. The response includes the social data already received, so you can pre-populate the screen with it. Let the user fill in the missing required data, then call accounts.setAccountInfo and accounts.finalizeRegistration with the regToken.
  • Login identifier exists error: email is defined as a loginIdentifier in the policy, and the email address received from the provider already exists in the system but is associated with another user. Recommended action - offer the user the option to link the accounts.
  • Missing required loginID error: requireLoginID is "true" in the policy and there is no login identifier or no password associated with the account. Recommended action - ask the user to provide a login identifier and call accounts.register.
  • Account pending verification error: the user is trying to log in, the account is not verified, and the policy has allowUnverifiedLogin set to false and verifyEmail set to true. Recommended action - call accounts.resendVerificationCode.
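The pending cases above and the loginMode=link and regToken parameters in the Parameters table form one procedure: inspect the response, collect what is missing, then make the follow-up calls with the regToken. The following is an added example, not code from this page or from Gigya, that turns a socialLogin response into that next step and drives the follow-up calls. The numeric error codes are assumptions (the page names the errors but not their numbers) and must be confirmed in the Response Codes and Errors table; gigya.accounts is passed in as sdk so the logic can be exercised with a fake; the names planNextStep, executePlan and requiredFields are ours.

```javascript
// Added example (not code from this page or from Gigya): turning a socialLogin
// response into the next step of the registration flow and driving the follow-up
// calls. The numeric error codes are assumptions; the page names these errors but
// not their numbers, so confirm them in the Response Codes and Errors table.
const ERR_PENDING_REGISTRATION = 206001;    // "Account Pending Registration" (assumed)
const ERR_PENDING_VERIFICATION = 206002;    // "Account Pending Verification" (assumed)
const ERR_LOGIN_IDENTIFIER_EXISTS = 403043; // "Login Identifier Exists" (assumed)

// Decide what the page should do next. `requiredFields` lists the Schema fields
// your site marks as required, e.g. ['email', 'firstName'] (our own name).
function planNextStep(response, requiredFields) {
  if (response.errorCode === 0) {
    return { action: 'loggedIn', uid: response.UID };
  }
  if (!response.regToken) {
    // Without a regToken there is no pending registration to continue.
    return { action: 'fail', errorCode: response.errorCode, errorMessage: response.errorMessage };
  }
  const profile = response.profile || {};
  switch (response.errorCode) {
    case ERR_PENDING_REGISTRATION:
      // Second-step screen: prefill what the provider supplied, ask only for the rest.
      return {
        action: 'secondStep',
        regToken: response.regToken,
        prefill: profile,
        missing: requiredFields.filter((f) => profile[f] === undefined || profile[f] === null || profile[f] === ''),
      };
    case ERR_LOGIN_IDENTIFIER_EXISTS:
      // Offer to link; the user must first authenticate to the existing account.
      return { action: 'offerLink', regToken: response.regToken };
    case ERR_PENDING_VERIFICATION:
      return { action: 'resendVerification', regToken: response.regToken };
    default:
      return { action: 'fail', errorCode: response.errorCode, errorMessage: response.errorMessage };
  }
}

// Carry out a plan once the UI has collected `input`: `fields` for the second
// step, `provider` of the existing account for linking. `sdk` is gigya.accounts
// in the browser, passed in so a fake can stand in for it offline. `done` gets
// { ok: true, uid } or { ok: false, step, errorCode }.
function executePlan(sdk, plan, input, done) {
  const fail = (step, r) => done({ ok: false, step, errorCode: r.errorCode });
  switch (plan.action) {
    case 'loggedIn':
      return done({ ok: true, uid: plan.uid });
    case 'secondStep':
      // Order matters: setAccountInfo with the regToken, then finalizeRegistration with it.
      return sdk.setAccountInfo({
        regToken: plan.regToken,
        profile: input.fields,
        callback: (r1) => {
          if (r1.errorCode !== 0) return fail('setAccountInfo', r1);
          sdk.finalizeRegistration({
            regToken: plan.regToken,
            callback: (r2) => (r2.errorCode === 0 ? done({ ok: true, uid: r2.UID }) : fail('finalizeRegistration', r2)),
          });
        },
      });
    case 'offerLink':
      // Re-run the login in link mode against the existing account, carrying the regToken.
      return sdk.socialLogin({
        provider: input.provider,
        loginMode: 'link',
        regToken: plan.regToken,
        callback: (r) => (r.errorCode === 0 ? done({ ok: true, uid: r.UID }) : fail('link', r)),
      });
    default:
      // 'resendVerification' (accounts.resendVerificationCode) and 'fail' need UI not shown here.
      return done({ ok: false, step: plan.action, errorCode: plan.errorCode });
  }
}
```

In the browser, call planNextStep from the socialLogin callback, render the second-step or linking screen from the returned plan, and pass gigya.accounts as sdk to executePlan once the user has responded. Keep the regToken only in page state; it is not a session credential and should not be persisted.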

Securing the Login Process

The Gigya service supports a mechanism to verify the authenticity of the login process. To prevent fraud, Gigya "signs" the login with a cryptographic signature over the user's UID and a timestamp.
Your site receives this signature in the login method's callback function as part of the response object (the UID, UIDSignature and signatureTimestamp members in the Response Object Data Members table below) and, when redirectURL is used, as parameters appended to the redirect.
We highly recommend verifying this signature to prove that the login data indeed originated from Gigya rather than somewhere else. The verification uses your partner Secret Key, so it must be performed on your server: anything checked in the browser can be bypassed by the user, and the Secret Key must never be shipped to the client. Also reject responses whose signatureTimestamp is not recent, so that a captured response cannot be replayed later.
To learn more about this subject, please refer to the Security page of the Developer's Guide.

Syntax

gigya.accounts.socialLogin(params)

where params is an object holding the parameters listed below.

Parameters

The following parameters are available:

provider (string, required)
    The provider that is used for authenticating the user. The following values are currently supported for use with this parameter:
    amazon, blogger, facebook, foursquare, googleplus, instagram, kakao, line, linkedin, livedoor, messenger, mixi, naver, netlog, odnoklassniki, orangefrance, paypaloauth, qq, renren, sina, spiceworks, twitter, vkontakte, wechat, wordpress, xing, yahoo, yahoojapan.
    SAML providers are also supported; the provider name is "saml-" followed by the name of the configured SAML provider.

actionAttributes (JSON object)
    In Gamification your users receive points for actions they perform on your site; in this case performing a social login grants the user points. Action Attributes may be used to annotate actions with additional information, such as the section of the web site that generated the action. If you set actionAttributes here, each time a user performs a social login the action also receives an attribute, for example "tv-show":"glee", which can mean that the action was performed on the "Glee" page of the site.
    actionAttributes contains a JSON object comprised of a series of attribute keys (categories) with associated values. You can also use a generic "tags" key.
    No more than three values can be given; they can share a single key or each have their own key.
    For more information see Variants and Action Attributes. Action attributes are later used to filter GM Plugins by a certain attribute.
    Example: {"<attribute key1>": ["<attribute value1>", "<attribute value2>"], "<attribute key2>": "<attribute value3>"}

authCodeOnly (Boolean)
    This parameter is intended only for developers who wish to implement the "Web Server Flow" of the OAuth 2.0 standard. If you set this parameter to 'true', you will not receive the user data in the response. Instead you will receive an authCode.
    The authCode is intended to be exchanged at the OAuth 2.0 getToken end-point, with the grant_type parameter set to authorization_code.
    Default value is false.

authFlow (string)
    Using this parameter you may specify that the login flow uses page redirects instead of a popup. This gives a solution for environments where popups are unavailable (e.g., mobile web view controls). This parameter accepts two values:
      • "popup" (default)
      • "redirect" - the login flow uses page redirects. When the login process completes successfully, the user is redirected to the URL specified by the redirectURL parameter (below). If the redirectURL parameter is not specified, the user is redirected to the original page from which the login process started.
    Notes on "redirect":
      • This option only works if a CNAME is configured.
      • The context object is not passed when authFlow=redirect.
      • Important: ensure that the default screen-sets in your Site's Policies are defined and configured correctly. When a user is redirected back to your site, the previous screen-set data is lost and, if any errors are triggered, the screens to display are determined from the default screen-set defined in your Site Policies.

callback (function)
    A reference to a callback function. Gigya calls the specified function with the results of the API method when the API method completes.
    The callback function should be defined with the following signature: functionName(Response).
    The "Response Object Data Members" table below specifies the data that is passed to the callback function.

cid (string)
    A string of at most 100 characters. The CID sets categories for transactions that can be used later for filtering reports generated by Gigya in the "Context ID" combo box. The CID allows you to associate the report information with your own internal data, for example to identify a specific widget or page on your site/application. You should not define more than 100 different context IDs.
    Note: This parameter overrides the value of the identical parameter in Global Conf (the global configuration object). If the parameter is not set for the method, the value from Global Conf is used.

conflictHandling (string)
    How the server handles a "login identifier exists" conflict on a new account:
      • fail - (default) returns a "login identifier exists" error.
      • saveProfileAndFail - profile data is saved, a regToken is returned for account linking, and an "OK with error login identifier exists" error is returned.

context (object)
    A developer-created object that is passed back unchanged to the application as one of the fields in the response object.

extraFields (string)
    A comma-separated list of additional data fields to retrieve. The current valid values are: languages, address, phones, education, honors, publications, patents, certifications, professionalHeadline, bio, industry, specialties, work, skills, religion, politicalView, interestedIn, relationshipStatus, hometown, favorites, likes, followersCount, followingCount, name, username, educationLevel, locale, verified, irank, timezone, and samlData.
    Note: Before your application can retrieve Facebook data, the user must grant your application access. Make sure you have checked the check boxes that enable retrieving the relevant fields from Facebook in the Permissions page on Gigya's website. You may find more information in the Facebook Permissions section of our guide.

facebookExtraPermissions (string)
    A comma-delimited list of Facebook extended permissions to request from the user, in addition to the permissions that Gigya is already requesting.
    Please refer to Facebook's extended permissions page for the complete list of permissions.
    For example, if you wish to RSVP to events on the user's behalf and to send text messages to the user, define:
    facebookExtraPermissions: "rsvp_event,sms"
    Note: This parameter overrides the value of the identical parameter in Global Conf (the global configuration object). If the parameter is not set for the method, the value from Global Conf is used.

forceAuthentication (Boolean)
    The default value of this parameter is 'false'. If it is set to 'true', the user is forced to provide their social network credentials during login, even if the user is already connected to the social network. This parameter is currently supported by Facebook, Twitter, and Renren. Note that the behavior of the various social networks may differ slightly: Facebook expects the current user to enter their password and will not accept a different user name; other networks prompt the user to re-authorize the application or allow a different user to log in.

googleExtraPermissions (string)
    Requests extended permissions in addition to the permissions that Gigya is already requesting. The supported value is "wallet", for Google wallet permissions.
    Note: This parameter overrides the value of the identical parameter in Global Conf (the global configuration object). If the parameter is not set for the method, the value from Global Conf is used.

googlePlayAppID (string)
    Supports Over The Air app installs for Android devices during Google+ login. Set this parameter to the package name of your Android app (for example: "com.yourdomain.app"). As a result, after signing in with Google+, users have the option to send your Android app to their device instantly, without leaving your website. As a preliminary step you need to Utilize Google+ Native Android Sign-on in your Android app. The package name passed to this parameter is the same one you enter when enabling the Google+ API.

includeAllIdentities (Boolean)
    The default value of this parameter is 'false'. If set to 'true', you receive all the user's identities, including those with expired sessions. Each entry has an attribute that is 'true' when the session has expired for that provider (or is otherwise inactive) and 'false' if it is active.

loginMode (string)
    The type of login being performed:
      • standard - (default) the user is logging into an existing account.
      • link - the user is linking a social network to an existing account. The account being used to log in becomes the primary account.
      • reAuth - the user is proving ownership of an existing account by logging into it. The loginID is ignored and the password verified. Note that this option overrides the forceAuthentication setting, making it 'true'.

redirectMethod (string)
    Only applicable when redirectURL is specified; determines how the user info data is passed to the redirectURL. This parameter accepts two values:
      • 'get' (default) - the user info values are passed as query string parameters.
      • 'post' - the user info values are passed as POST fields.

redirectURL (string)
    A URL to which to redirect the user when the login process has successfully completed.
    The following additional parameters are appended to the URL string: UID, UIDSignature, signatureTimestamp, loginProvider, loginProviderUID, nickname, photoURL, thumbnailURL, firstName, lastName, gender, birthDay, birthMonth, birthYear, email, country, state, city, zip, profileURL, provider.
    These parameters are equivalent to the User object fields; see the User object reference page for their descriptions.
    When redirectURL is explicitly defined by the partner, the user object fields are always sent with the redirect regardless of the authFlow mode.
    Note: We strongly advise providing an HTTPS URL. With redirectMethod 'get' the appended fields, including UID, UIDSignature and the user's email, travel in the query string and would otherwise be exposed in transit. Verify UIDSignature on your server before treating the redirect as a login (see Securing the Login Process above); only UID and signatureTimestamp are covered by the signature, so do not rely on the other appended fields until you have loaded the account by its verified UID.

regToken (string)
    Required for completing the link accounts flow. Once the initial login has failed with a "login identifier exists" error, call the login method with loginMode=link and the regToken returned from the initial call to complete the linking. For more information go to the social account linking guide.

sessionExpiration (integer)
    The time in seconds until the login session ends for the user. Set the parameter to 0 to end the session when the browser closes.
    Note: This parameter overrides the value of the identical parameter in Global Conf (the global configuration object). If the parameter is not set for the method, the value from Global Conf is used. If the parameter is not set in Global Conf, the login session remains valid forever.

 

Response Object Data Members

errorCode (integer)
    The result code of the operation. Code '0' indicates success; any other number indicates failure. For a complete list of error codes, see the Response Codes and Errors table.

errorMessage (string)
    A short textual description of an error associated with the errorCode, for logging purposes.

callId (string)
    Unique identifier of the transaction, for debugging purposes.

context (object)
    The context object passed by the application as a parameter to the API method, or null if no context object was passed.

regToken (string)
    A ticket that is used to complete the registration process. The regToken is returned when there is a pending registration error, which occurs when the user did not complete the registration process or there are missing fields in the user profile data that were defined as required in the Schema.

isNewUser (Boolean)
    Indicates whether the user logging in is new. The parameter is returned only when it is true.

UID (string)
    The unique user ID. This user ID should be used for login verification. See User.UID for more information.

UIDSignature (string)
    The signature that should be used for login verification. See User.UID for more information. In server to server REST calls this property is deprecated.

signatureTimestamp (string)
    The GMT time of the response in UNIX time format, i.e., the number of seconds since Jan. 1st 1970. The timestamp should be used for login verification. See User.UID for more information. In server to server REST calls this property is deprecated.

created (string)
    The UTC time the account was created in ISO 8601 format, e.g., "1997-07-16T19:20:30Z".

createdTimestamp (integer)
    The UTC time the account was created in Unix time format including milliseconds (i.e., the number of seconds since Jan. 1st 1970 * 1000).

data (JSON object)
    Custom data. Any data that you want to store regarding the user that isn't part of the Profile object.

emails (JSON object)
    The email addresses belonging to the user. This includes the following fields:
      • verified - an array of strings representing the user's verified email addresses.
      • unverified - an array of strings representing the user's unverified email addresses.
    Note: emails must be specified explicitly in the include parameter in order to be included in the response.

groups (JSON object)
    When using CIAM for B2B, this is where the user's Organization Management data is stored. For a detailed description of this field, see the Groups object documentation.

identities (array)
    An array of Identity Objects; each object represents one of the user's social identities and contains the data imported from a social network that the user has connected to.
    Note: You must explicitly specify identities within the include parameter for them to be included in the response: identities-active, identities-all, or identities-global to return only active identities, all identities of a site, or all identities of a site group, respectively.
    Be advised that if a user registers to your site using a Social Identity, then goes through the Forgot Password flow, a Site Login is added to their account; however, a Site Identity is not. A Site Identity can only be created when accounts.setAccountInfo is called on the user's account.

iRank (integer)
    Influencer rank of the user. This property is deprecated and always returns 0.

isActive (Boolean)
    Indicates whether the account is active. The account is active once the user creates it, even without finalizing it. The account can be deactivated, but it is still registered if the registration process has been finalized. If isActive is false the user cannot log in; however, any currently active sessions remain valid.

isLockedOut (Boolean)
    Indicates whether the account is currently locked out. This parameter is not included in the response by default, and is not returned at all from accounts.search. If you wish to include it in a response, specify it as a value of the include parameter.

isRegistered (Boolean)
    Indicates whether the user is registered. The user is registered once the registration has been finalized.

isVerified (Boolean)
    Indicates whether the account email is verified.

lastLogin (string)
    The time of the last login of the user in ISO 8601 format, e.g., "1997-07-16T19:20:30Z".

lastLoginLocation (JSON object)
    The user's last login location. This includes the following fields:
      • country - a string representing the two-character country code.
      • state - a string representing the state, where available.
      • city - a string representing the city name.
      • coordinates - an object containing:
        • lat - a double representing the latitude of the center of the city.
        • lon - a double representing the longitude of the center of the city.

lastLoginTimestamp (integer)
    The UTC time of the last login of the user in Unix time format including milliseconds (i.e., the number of seconds since Jan. 1st 1970 * 1000).

lastUpdated (string)
    The UTC time when user profile, preferences, or subscriptions data was last updated (either full or partial update) in ISO 8601 format, e.g., "2017-07-16T19:20:30Z".

lastUpdatedTimestamp (integer)
    The UTC time when the last update of the object occurred (either full or partial update) in Unix time including milliseconds, based on when the 'lastUpdated', 'Report AccountsFirstLogin' or 'AccountsReturnedLogin' events are fired.

loginIDs (JSON object)
    The user's login identifiers. This includes the following fields:
      • username - a string representing the username.
      • emails - an array of strings representing email addresses.
      • unverifiedEmails - an array of strings representing email addresses that were not validated.
    Note: loginIDs must be specified explicitly in the include parameter in order to be included in the response.

loginProvider (string)
    The name of the provider that the user used in order to log in.

oldestDataUpdated (string)
    The UTC time when the oldest data of the object was refreshed in ISO 8601 format, e.g., "1997-07-16T19:20:30Z".

oldestDataUpdatedTimestamp (integer)
    The UTC time when the oldest data of the object was refreshed in Unix time format including milliseconds (i.e., the number of seconds since Jan. 1st 1970 * 1000).

password (JSON object)
    The user's Site account password details. Includes the following:
      • hash - the hashed password.
      • hashSettings - an object containing:
        • algorithm - the hash algorithm used to hash the password.
        • rounds - the number of iterations of the hash.
        • salt - the BASE64 encoded value of the salt.
        • format - the template for merging clear-text passwords. This is only returned if the pwHashFormat parameter was set during account import, and only until the user's first login to Gigya (when the user's password is rehashed per the site's settings). See the RaaS Import Guide for additional information.

phoneNumber (string)
    The Phone Number ID, if the account uses Phone Number Login. Note that this field cannot be mapped using the UI Builder or the Web SDK.

preferences (Preferences object)
    The user's preferences information as described in the Preferences Object. To have this data returned in the response it must be specifically requested using the include parameter.

profile (Profile object)
    The user's profile information as described in the Profile object. The profile is returned in the response by default, but if the include parameter is used to specify other fields that should be provided in the response, the profile must also be specified explicitly in the include parameter.

rbaPolicy (JSON object)
    The current RBA Policy defined for the specified user. Properties include:
      • riskPolicy - determines the rule set from the defined rulesSets configured in accounts.rba.setPolicy or one of the default policies.
      • riskPolicyLocked - determines whether the user can change their own riskPolicy. If true, only an admin can change the user's riskPolicy.

registered (string)
    The UTC time when the isRegistered parameter was set to true in ISO 8601 format, e.g., "1997-07-16T19:20:30Z".

registeredTimestamp (string)
    The GMT time when the isRegistered parameter was set to true in UNIX time format, including milliseconds.

regSource (string)
    A string representing the source of the registration. Can be used to set varying destination pages in accounts.setPolicies.

socialProviders (string)
    A comma-separated list of the names of the providers to which the user is connected/logged in.

subscriptions (Subscriptions Object)
    The user's subscription information.

userInfo (User object)
    The Gigya User object. This property is deprecated and should not be relied upon.

verified (string)
    The UTC time when the isVerified parameter was set to true in ISO 8601 format, e.g., "1997-07-16T19:20:30Z".

verifiedTimestamp (string)
    The GMT time when the isVerified parameter was set to true in Unix time format including milliseconds (i.e., the number of seconds since Jan. 1st 1970 * 1000).

Triggered Global Event

By using this method the onLogin global event may be triggered (the onLogin global event is fired when a user successfully logs in to Gigya). To register an event handler use the accounts.addEventHandlers API method.

Refer to onLogin event data for more information.

Refer to Events to learn more about how to handle events generated by the Gigya service. 

Code Sample

function loginResponse(response)
{
    if (response.errorCode !== 0) {
        // pending registration, account linking, etc.: see "Social Registration" above
        return;
    }
    // Do not trust the login yet: send response.UID, response.UIDSignature and
    // response.signatureTimestamp to your server and verify the signature there
    // (see "Securing the Login Process" above).
}

var params = {
    provider: 'facebook',
    callback: loginResponse,
    redirectURL: 'https://www.MySite.com'
};

gigya.accounts.socialLogin(params);

Notes:

  • This sample is not meant to be fully functional code. For brevity's sake, only the code required for demonstrating the API call itself is presented.
  • To run the code on your own domain, add your Gigya API key to the gigya.js URL. A Gigya API key can be obtained on the Site Dashboard page on Gigya's website. Please make sure that the domain from which you are loading the page is the same domain name that you used for generating the API key.