
The social login process requires the user to successfully log in to one of the providers supported by Gigya. This process necessarily happens on the client side, which means there is a risk that a malicious user will try to tamper with the data sent from the client to the server. The most important piece of data is the UID, which is used to authenticate the user and log them into your system. Gigya uses HMAC-SHA1 signatures (a keyed MAC computed with your partner secret) to prevent tampering with the UID, so it is crucial to validate the signature on the server before logging the user in based on a UID coming from the browser.

It is important to note that the UIDSignature and signatureTimestamp properties are only returned to client-side calls and only after a successful login. The two aforementioned properties are never returned when a user is still pending registration, as access to these fields could allow an unauthorized user to interact with your server.

Refer to the Social Login documentation for a complete overview of the social login flow and the signature verification within it.
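The server-side check described above, as an added example in Python rather than Gigya's own code. It assumes the signed base string is `signatureTimestamp + "_" + UID`, that the partner secret is base64-encoded and must be decoded before use as the HMAC key, and a 180-second freshness window for the timestamp; the secret and sample values are constructed.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample secret (base64-encoded). A real partner secret comes from
# the Gigya console and must never be shipped to the browser.
SAMPLE_SECRET_B64 = base64.b64encode(b"constructed-sample-secret-do-not-use").decode()

# Assumed freshness window: reject signatures whose timestamp is too old or too
# far in the future, which limits replay of a captured UID/signature pair.
MAX_TIMESTAMP_SKEW_SECONDS = 180


def compute_uid_signature(uid: str, timestamp: str, secret_b64: str) -> str:
    """Return the expected base64 HMAC-SHA1 over "<timestamp>_<uid>" (assumed format)."""
    key = base64.b64decode(secret_b64)
    base_string = f"{timestamp}_{uid}".encode("utf-8")
    digest = hmac.new(key, base_string, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_uid_signature(uid, timestamp, signature, secret_b64, now=None):
    """Validate a client-supplied UID before trusting it to log the user in.

    Returns True only if the timestamp is fresh and the HMAC matches; the
    comparison is constant-time so a tampered signature leaks no timing signal.
    """
    now = int(time.time()) if now is None else now
    if not isinstance(uid, str) or not isinstance(signature, str):
        return False
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False
    if abs(now - ts) > MAX_TIMESTAMP_SKEW_SECONDS:
        return False
    expected = compute_uid_signature(uid, str(ts), secret_b64)
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))


if __name__ == "__main__":
    # Constructed login response as the browser would forward it to the server.
    uid, ts = "_guid_constructed_example", "1700000000"
    sig = compute_uid_signature(uid, ts, SAMPLE_SECRET_B64)
    print(verify_uid_signature(uid, ts, sig, SAMPLE_SECRET_B64, now=1700000010))  # True
    print(verify_uid_signature(uid + "x", ts, sig, SAMPLE_SECRET_B64, now=1700000010))  # False
```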
