Is it possible to document a bit more the service provider?

[maelp]

For instance, if I am to build my own login/pass user signup, but I'd also like to enable the users to use Facebook or Google login, how would I do it?

what is exactly the purpose of the accessToken, is that the equivalent of a sessionToken?

how come when you logout, you don't allow the serviceProvider to also logout of its service and disable the current session? how would you do that?

for instance I'm using flask+flask-login, and I'd like to post to /logout on my server when the user logout to destroy the cookie session, is there a better way to handle the login? should I use the accessToken? (but I'm not sure whether flask-login does expose the access token)

[molily]

For instance, if I am to build my own login/pass user signup, but I'd also like to enable the users to use Facebook or Google login, how would I do it?

If you’ve got a LoginView with a user/pass field, the submit button would call triggerLogin for the corresponding ServiceProvider, passing the login data. Then the ServiceProvider sends them to the server to verify (using an Ajax request, for example). Like other providers, it then fires a serviceProviderSession on success or a loginFail on failure.

what is exactly the purpose of the accessToken, is that the equivalent of a sessionToken?

An accessToken is returned by most of the OAuth-based client-side login services. It’s not mandatory for the ServiceProvider to work. If your custom login service doesn’t have or need to transmit this piece of data to the client application, you don’t have to include it in the serviceProviderSession event payload. This event payload will be eventually used as data for the user model.

how come when you logout, you don't allow the serviceProvider to also logout of its service and disable the current session? how would you do that?

This may be done in several ways:

• The SessionController knows about the current ServiceProvider (via serviceProviderName), so it can call a logout method on it when the app-wide logout happens (https://github.com/chaplinjs/facebook-example/blob/master/coffee/controllers/session_controller.coffee#L118).
• More easier and more decoupled: The ServiceProvider listens for the app-wide logout event and then logs you out on the server by fetching /logout.

I agree, we should add this behaviour to the ServiceProvider template. The problem is that most of the third-party login services allow to logout, but this is a “global” logout not only on the specific site, but also at the login service. On moviepilot.com for example, we separated the login status at Twitter/Facebook/Google from the site login status intentionally.