Best practices (best for Android): authenticate a user with Facebook or Google login


After some reading and asking I have come up to this:

1. Yes, if you want your users to sign up with their Facebook or Google account, you call the API, get the e-mail address (it is even easier with Google's AccountManager on Android), send it to your server that will save the e-mail address, associate a userID and generate its own access code. The access code will be sent back to your client app to store it for later use. Whenever the user wants to do some operations, the server API will be called with the user's e-mail address and access code and you can be sure it really is the user. It is much harder to call the API from outside and guess correctly both the e-mail address and access code, so it is somewhat safe.

2. Since the Facebook login is only used to authenticate the user, which means to only verify that the user exists and has an account, we don't actually need the FB accessToken. We would need the FB accessToken only for API calls to the Facebook server, so for example when we want to retrieve a list of the user's friends and so on. In this case, you can get the active session that is provided by the Facebook SDK and get the accessToken from there.

3. This case is again pretty simple. If you only use Facebook login to authenticate the user, you don't care if the user deletes his account in the future. After the first login, you save his e-mail address, possibly a picture, and no longer care about his Facebook profile. If you use the Facebook login for getting a friend list and so on, you do not keep this type of data in your local storage anyway, so as soon as the user deletes his account, he loses his friend list as well. Or, you can keep his friend list and try to update it every time he uses your app; once he deletes his account, the friend list stops being updated and it is, again, up to your user not to use the Facebook account. The last idea would rather suit game app use cases... just an idea, not anything officially accepted as the best.


  • 1 & 2

You can do it in multiple ways and it is up to you on implementation: you can take the e-mail received from each login, hash it and save it as a user in your database. Then, for any user that logs in, you can hash the e-mail returned and check if that hash already exists.

You can also have the user log in with a service and then have them finish user creation with username, e-mail, password etc. Then, when they try to log in with a different service, you can have it go through the sign-up again with an "I already have an account" button, as well as linking to an account if they try to create the same account twice.

Save the tokens associated in a third party login token table linked to a user.

I recommend hashing all user private data; it gives users more trust in your app.

  • 3

I never like to rely on third-party accounts and believe the "finish creating your account" process would create better account management, allowing users to sign in with either a third-party account or a username and password.
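Added example (not code from either answer above): a small Python model of the server side both answers describe. The e-mail is stored as a hash (second answer), the server issues its own opaque access code and keeps only a hash of it (first answer), and later API calls are checked with a constant-time comparison. It assumes the server has already validated the Google or Facebook token with the provider before trusting the e-mail it carries; the `AuthServer` class and its method names are invented for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def hash_value(value: str) -> str:
    """SHA-256 hex digest, used for the e-mail lookup key and the stored access code."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def normalize_email(email: str) -> str:
    """Trim and lower-case so the same account always hashes to the same key."""
    return email.strip().lower()


@dataclass
class AuthServer:
    # Hypothetical in-memory tables standing in for the database described in the thread.
    users: Dict[str, int] = field(default_factory=dict)         # hash(e-mail) -> user_id
    access_codes: Dict[int, str] = field(default_factory=dict)  # user_id -> hash(access code)
    _next_id: int = 1

    def login_with_provider(self, verified_email: str) -> Tuple[int, str]:
        """Find or create the user for an e-mail the provider has vouched for,
        then issue a fresh access code. The plain code goes back to the client
        once; the server stores only its hash, so a database leak does not
        expose usable codes."""
        key = hash_value(normalize_email(verified_email))
        user_id = self.users.get(key)
        if user_id is None:
            user_id = self._next_id
            self._next_id += 1
            self.users[key] = user_id
        code = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self.access_codes[user_id] = hash_value(code)  # replaces any earlier code
        return user_id, code

    def authenticate(self, email: str, code: str) -> Optional[int]:
        """Check the (e-mail, access code) pair sent with a later API call.
        Returns the user_id on success, None otherwise."""
        user_id = self.users.get(hash_value(normalize_email(email)))
        if user_id is None:
            return None
        stored = self.access_codes.get(user_id, "")
        # Constant-time compare so response timing does not leak matching prefixes.
        return user_id if hmac.compare_digest(stored, hash_value(code)) else None
```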