Social Login works, but uses only one Access token for all users?

Hey 🙂
I have a social login in my app; when users land on index they are automatically asked to log in on the social login provider’s website.

This is my workflow logic: (If a user is not logged in, he is asked to log in; if he is logged in, go to page X)

If I don’t use the “create an account for someone else…”, Bubble won’t create a user when the user is logged in, and instead it just replaces the existing user with another one… not sure if that’s supposed to happen.

The boolean “has_logged_in” is mainly used for other reasons.

Anyway, my suspicion is that there is only one Access token for all users, if that makes any sense. Bubble keeps showing me this message every few days after the user has logged in. Seems like the token has expired?

My questions are:
1) Do I really have only one access token for all users? There is no way I could check this.
2) If I do, can it cause security issues? Should I be worried?
3) Does this popup also show on live apps?

Thanks for reading, and I will appreciate your help!

I have the same question. Did you figure this out?

You need to understand that this is just for you to be able to initialize other API calls.
This doesn’t appear in live mode, and even in dev mode it only appears with debug mode active.
When you create an OAuth2 API connection, Bubble needs you to authenticate one time to be able to configure other API calls.
So you configure the auth part, create a social login, activate it, and afterwards you go back to the API connector and configure other calls.

The end user will log in and be able to use the API calls you have configured using his own credentials.

Really not sure this is what you want to do. If they signup with the same creds again, then it will just log them in, not create a new account.

Interesting, thanks for that info.

Not sure if this is related, but I’ve seen that when I create a user account and sign up via social login (Google), the API calls based on that login work initially but start to fail after maybe an hour after the initial authorization. What am I missing here?

FYI, I am logging in as a user in run mode, not debug mode. Seems to happen for both development and production environments.

Are you managing the tokens yourself? They need to be refreshed.

Yup, Google access tokens can expire in an hour.

As long as you ask for offline access, you will get a refresh token that never expires. So you have long term access as long as they don’t revoke it.

This is the issue with using the OAuth plugins without understanding the underlying workings of how tokens work.
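To make the per-user token and refresh behaviour discussed above concrete, here is an added example that is not part of the thread and is not Bubble's own implementation: a minimal per-user token store that swaps an expired access token for a new one using that user's refresh token. `PerUserTokenStore`, `fake_refresh`, and the sample users and token strings are hypothetical, and the refresh call is a constructed stand-in for the provider's token endpoint.

```python
import time
from dataclasses import dataclass

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str  # only issued when offline access was requested
    expires_at: float   # absolute time, epoch seconds

class PerUserTokenStore:
    """One TokenSet per user id; a user's calls never use another user's token."""

    def __init__(self, refresh_fn, clock=time.time, skew=60):
        self._tokens = {}
        self._refresh_fn = refresh_fn  # hypothetical callable wrapping the provider's token endpoint
        self._clock = clock
        self._skew = skew              # refresh slightly early to avoid racing the expiry

    def save(self, user_id, access_token, refresh_token, expires_in):
        self._tokens[user_id] = TokenSet(access_token, refresh_token,
                                         self._clock() + expires_in)

    def access_token_for(self, user_id):
        ts = self._tokens[user_id]  # KeyError: this user never authorized
        if self._clock() >= ts.expires_at - self._skew:
            resp = self._refresh_fn(ts.refresh_token)
            ts.access_token = resp["access_token"]
            ts.expires_at = self._clock() + resp["expires_in"]
            # Some providers rotate the refresh token; keep the old one otherwise.
            ts.refresh_token = resp.get("refresh_token", ts.refresh_token)
        return ts.access_token

def fake_refresh(refresh_token):
    # Constructed stand-in for a grant_type=refresh_token request; no network.
    return {"access_token": "new-access-for-" + refresh_token, "expires_in": 3600}

def demo():
    now = [1_000_000.0]                       # constructed fake clock
    store = PerUserTokenStore(fake_refresh, clock=lambda: now[0])
    store.save("alice", "at-alice", "rt-alice", 3600)
    store.save("bob", "at-bob", "rt-bob", 3600)
    before = (store.access_token_for("alice"), store.access_token_for("bob"))
    now[0] += 3600                            # an hour later both have expired
    after = (store.access_token_for("alice"), store.access_token_for("bob"))
    return before, after

if __name__ == "__main__":
    print(demo())
```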

@NigelG @keith - I’m using the API connector user-agent flow with offline access enabled. Here’s my setup: