Usergrid and external Identity Providers (OpenID Connect)


Roberto Carlos Navas

Apr 29, 2014, 8:38:40 PM
to app-...@googlegroups.com
We have an App software design question:

We have implemented our own OpenID Connect identity provider, so all our Apps can use it to authenticate the user (login and signup) and our users have a single identity (user/pass) for all our Apps and web sites. The way it works is that the Client App just calls an API endpoint to take care of the user authentication and authorization, and the App gets a callback with an id_token and an access_token (OpenID Connect is based on OAuth 2.0, so you get a token).

At the same time, most of our Apps need integration with Social Networks so users can share, comment, post, etc. to their social network of choice (mostly Facebook, Twitter and G+).

So here is my question:
If I'm implementing a new App using Usergrid (Apigee AppServices) as the backend, I usually need to create a 'user' in Usergrid, so I can associate other user-specific data with it. This user needs to have a password set, otherwise I won't be able to log in (using the Usergrid SDKs)... so when using an external Identity Provider (like in our case), what is the best practice in terms of creating that 'user' entity in Usergrid?
What should be the password in that case? The id_token from the OpenID Connect provider?
Should we just skip the /users implementation in Usergrid and just use collections to store data? With this option, how do I secure these collections then?
What about the social networks integration, what identity information do you store in Usergrid? Where?

Thanks.