
OAuth - What information can I store?


I am running an ecommerce website and would like to make the website more accessible, hence I am thinking of using OAuth so users can log in using some of their social media profiles. I also send out a lot of marketing campaigns to my customers via email and other methods, so at the moment, when a user signs up, I have some information such as their email and some details about their occupation (relevant to the products, don't worry, I am not being nosy!).

If a user signs in using OAuth, then they won't be providing me with some of this basic information such as their email, as they don't have to use a signup form.

So, when implementing OAuth, I want to know what data I can store in my database about the user. At the moment I can send a newsletter to all of the users on my website, for example, but with OAuth is something like this possible? What kind of information can I access for each user if they are signed in using OAuth?

Sorry if these questions have been answered elsewhere, I have been trying to search around but haven't found anything about what the company can gain, I've only found the advantages and disadvantages from a basic coding point of view and from a user point of view.

Thanks!


Solution

  • Using OpenID Connect, which is a standardized extension profile of OAuth 2.0, you can authenticate users through 3rd party providers. There are also a number of providers out there that have created their own proprietary extensions of OAuth 2.0 that give them login semantics, but they are not standardized and your client code would have to deal with each of these proprietary extensions. It can be expected that all providers using proprietary OAuth 2.0 extensions for login will migrate to OpenID Connect in the future.

    OpenID Connect (and also the proprietary OAuth 2.0 extension protocols) do not just authenticate users, but they also provide user identity information in the form of claims (or: attributes). So they do provide the basic information that you are looking for (e.g. e-mail), provided the user consents to giving it to your client. You can use that information and store it in your database for offline access.

    The benefit of OpenID Connect is that it has standardized a number of basic claims, so that your code can be provider-agnostic when dealing with user info. See http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims. The proprietary OAuth 2.0 login protocols do not provide standardized claims, so you need custom handling (mapping/translation) per provider.