Jason

Reputation: 1698

How do I secure an account that is created via OAuth Spotify

I would like users to register an account on my site via OAuth Spotify. I have the following scheme:

  1. User authenticates via Spotify
  2. Spotify ID and Mail are returned
  3. An account will be created on the website (saved to the database)
  4. The user can log in with his Spotify to access that account

The problem I foresee here is that someone can spoof the authentication by copying the ID of another user and their mail, am I right? If so, what would be a better way to let a user create an account using Spotify Authentication? Let the user set a password? That seems user unfriendly to me.

So, how can I achieve this?

Upvotes: 1

Views: 236

Answers (1)

Rach Sharp

Reputation: 2444

You can use the access token acquired through OAuth to find the associated username. You can use this as the basis for your accounts instead of a username or password on your own site. The process would be something like:

  1. The User authenticates via Spotify
  2. The Spotify OAuth callback returns an authorization code
  3. You use the authorization code to get an access and refresh token for the user
  4. You use the access token to access the associated User ID and use this as the unique ID for the accounts on your site.
  5. Save an account with the Spotify user ID to your site's database
  6. The user can log in again with Spotify to access their account (it will streamline the process by skipping the Spotify OAuth view, if they have previously approved your site, and are logged into Spotify in their browser)

Since your application will only retrieve the User ID from someone's valid access token, and the only way your application will receive that is if they log in through the Spotify OAuth flow, each account on your site will be linked to a valid, unique, Spotify user.

While looking into this, there are security considerations about using OAuth alone to authenticate users. I would look at this post on Security Stack Exchange and decide based on what level of security is needed for your site.

Upvotes: 1
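The six steps above, as an added worked example (this is not code from the question, the answer, or Spotify's own SDKs). Only the three Spotify endpoint URLs are real; `FakeSpotify`, the in-memory `db`, the `http` callable, the `demo()` scenario and all account data are constructed here so the flow runs offline. The `state` check on the callback is a standard OAuth login-CSRF protection added on top of the answer's steps. The point the example makes is the one the answer relies on: identity is whatever `/v1/me` returns for an access token your server obtained by redeeming a code, so an attacker who merely knows a victim's Spotify ID and e-mail has nothing to present.

```python
import base64
import secrets
from urllib.parse import urlencode

# Real Spotify endpoints; everything else in this example is constructed for the demo.
AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
TOKEN_URL = "https://accounts.spotify.com/api/token"
ME_URL = "https://api.spotify.com/v1/me"


def build_authorize_url(client_id, redirect_uri, session):
    """Step 1: redirect the browser to Spotify. The random `state` kept in the
    server-side session ties the later callback to this browser (CSRF check)."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": "user-read-email",
              "state": session["oauth_state"]}
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(query, session, db, http, client_id, client_secret, redirect_uri):
    """Steps 2-5: callback code -> token -> /v1/me -> account keyed by Spotify user id.
    `http(method, url, headers, form)` -> (status, json) is injected so the flow can be
    run offline against FakeSpotify below; in production it wraps a real HTTP client."""
    expected = session.pop("oauth_state", None)
    if ("error" in query or not expected or
            not secrets.compare_digest(query.get("state", "").encode(), expected.encode())):
        raise PermissionError("callback rejected: bad or missing state")
    # Step 3: redeem the one-time code server-to-server with our client credentials.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    status, tok = http("POST", TOKEN_URL, {"Authorization": "Basic " + basic},
                       {"grant_type": "authorization_code", "code": query.get("code", ""),
                        "redirect_uri": redirect_uri})
    if status != 200 or "access_token" not in tok:
        raise PermissionError("code exchange failed")
    # Step 4: ask Spotify who the token belongs to. Nothing the browser sent
    # (an id or e-mail in the query string, say) is used for identity.
    status, me = http("GET", ME_URL, {"Authorization": "Bearer " + tok["access_token"]}, None)
    if status != 200 or not me.get("id"):
        raise PermissionError("profile lookup failed")
    # Step 5: upsert the local account, keyed on the Spotify user id only.
    key = "spotify:" + me["id"]
    account = db.setdefault(key, {"spotify_id": me["id"], "email": me.get("email")})
    account["refresh_token"] = tok.get("refresh_token")  # kept server-side, never sent to the browser
    session["account_key"] = key  # step 6: the browser session is now bound to that account
    return account


class FakeSpotify:
    """Constructed stand-in for Spotify's token and profile endpoints (offline demo only)."""

    def __init__(self):
        self.codes = {}   # single-use authorization code -> profile
        self.tokens = {}  # access token -> profile

    def issue_code(self, profile):
        """What Spotify does after the user approves: mint a code bound to that user."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = profile
        return code

    def __call__(self, method, url, headers, form):
        if method == "POST" and url == TOKEN_URL:
            profile = self.codes.pop(form.get("code"), None)  # codes are single-use
            if profile is None:
                return 400, {"error": "invalid_grant"}
            access = secrets.token_urlsafe(16)
            self.tokens[access] = profile
            return 200, {"access_token": access, "refresh_token": secrets.token_urlsafe(16)}
        if method == "GET" and url == ME_URL:
            auth = headers.get("Authorization", "")
            profile = self.tokens.get(auth[7:]) if auth.startswith("Bearer ") else None
            return (200, dict(profile)) if profile else (401, {"error": "invalid_token"})
        return 404, {}


def demo():
    """Alice logs in twice (same account both times), then an attacker who knows her
    Spotify id and e-mail tries a forged callback without a code Spotify issued for her."""
    spotify, db = FakeSpotify(), {}
    cfg = {"client_id": "demo-client", "client_secret": "demo-secret",
           "redirect_uri": "https://example.test/callback"}
    alice = {"id": "alice_spotify", "email": "alice@example.test"}  # constructed profile

    def login(query_extra):
        session = {}
        build_authorize_url(cfg["client_id"], cfg["redirect_uri"], session)
        query = {"state": session["oauth_state"], **query_extra}
        return handle_callback(query, session, db, spotify, **cfg)

    first = login({"code": spotify.issue_code(alice)})
    second = login({"code": spotify.issue_code(alice)})
    try:
        login({"code": "guessed", "id": "alice_spotify", "email": "alice@example.test"})
        spoof_rejected = False
    except PermissionError:
        spoof_rejected = True
    return {"same_account": first is second, "accounts": len(db), "spoof_rejected": spoof_rejected}
```

`demo()` returns `same_account=True`, `accounts=1` and `spoof_rejected=True`: the two genuine logins map to one record, and the forged callback fails at the code exchange because Spotify never issued that code, regardless of the `id` and `email` the attacker put in the query string. Two caveats a practitioner would want: the refresh token is a long-lived credential and belongs in encrypted server-side storage, and the `state` comparison must happen before any call to Spotify, as it does here, so an unsolicited callback cannot be used to attach a stranger's Spotify identity to a logged-in victim's session.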
