Preamble:
I don’t know a damn thing about OpenID and less about web applications, but I do know a thing about security, authentication and the like. And, I am a facebook user and like most other internet consumers in this day and age, I am not thrilled that I have to remember a whole bunch of different user names and passwords for each and every online location that I visit.
Facebook’s OpenID integration
Once, and for one last time, you login to facebook with your existing credentials. Let’s say that is your username <joe@joeblow.com> and then you go over to Settings and create your OpenID as a Linked Account. In the interests of full disclosure, I am still working with Gary Krall of Verisign who posted a comment on my previous post describing problems with this linking process. I am sure that we will get that squared away and I can get the linking to work.
Once this linkage is created, a cookie is deposited on your machine indicating that authentication is by OpenID. You wake up in the morning, power up your PC and launch your browser and login to your OpenID provider, and in a second tab, you wander over to http://www.facebook.com.
The way it is supposed work is this, something looks at the OpenID cookie deposited earlier and uses that to perform your validation.
Are you nuts?
As I said earlier, I don’t know a lot about building Web Applications. But, methinks the sensible way to do this is a little different from the way facebook is doing things.
Look, for example, at news.ycombinator.com. On the login screen, below the boxes for username and password is a button for other authentication mechanisms. If you click that, you can enter your OpenID URL and voila, you are on your way. No permanent cookies involved.
Now, if you didn’t have your morning Joe, and you went directly to news.ycombinator.com and tried to enter your OpenID name, you are promptly forwarded to your OpenID providers page to ask for authentication. Over, end of story. No permanent cookies involved.
Ok, just to verify, I did this …
I went to a friends PC, never used it before, pointed his browser (firefox) to news.ycombinator.com, clicked the button under login/password, entered my OpenID name and sure enough it vectored over to Verisign Labs. I logged in and voila, I’m on Hacker News.
Am I missing something? It sounds to me like facebook is paying lip service to OpenID. Either that or they just don’t get it?
Hype Cycles 
Issues with the OpenID (Verisign) to Facebook integration have been resolved. See https://hypecycles.wordpress.com/2009/09/10/openid/#comment-150
Now, if facebook would just get its act in shape.
LikeLike
Facebook seems to have a fixation with Single Sign-On (log in once to a service and you are logged in to all sites on the network). Just take a look at what they did with facebook-connect. As a developer, i’m disgusted with the thing and what makes this even more sad is that I keep reading praises about it. Sure it’s cool for related sites (gmail, google docs, etc), but when 2 different sites only share facebook-connect in common, I don’t exactly see the point of forcing a login to Site A when the user only wants to log on to Site B. I think Facebook got caught in its own eagerness to roll out their own solution with Facebook-Connect. They don’t know how to change things now and revert to a more OpenID like mode of operation.
LikeLike
Michael,
Great point, and another thing that made me use verisign PIP and MyOpenID as my OpenID provider.
When you try to use single sign on with Facebook and Google, the things that are shared are your authentication (i.e. single sign on) AND CONTACTS.
Now, I don’t know that I can speak for the entire world but … I do not want to be facebook friends with every one of the 1900 or so people who are in my Google Contacts.
Here, we quote the great philosopher George Costanza (http://www.seinfeldscripts.com/ThePoolGuy.html)
“This is not good. World’s are colliding! George is getting upset!”
LikeLike
I agree the cookie idea is smart.. but the facebook developers are dumb.. I think Zuckerburg should look deeper into this..
lol the idea exists since Windows Live ID.. that should have worked as a “Internet Passport” but Microsoft security rep is suspicious.
Of course creating a openID button on facebook welcome screen would be the best! but at the same time..
it will also conflict with Facebook Connect.. since now Facebook itself.. would Advertise Facebook Connect’s Rival (OpenID) on it’s own site.. which is not in Facebook interests..
LikeLike
Hey Hype man 😛 I found a solution!! and I used it and works perfectly ^_^ on all sites.. it uses the basic idea of OpenID but it doesn’t make the sites join it’s system.. since it has a smarter tactic!!
😛 There check this out. you’ll go crazy!
http://pip.verisignlabs.com By the way.. Verisign is a really trusted source and server for your identity ^_^ and It’s slightly simple!
LikeLike
Dinoraptor,
Thank you for your most insightful comment. It did bring a smile to my face.
If you read this article and the previous one you may note that I’m talking about Verisign PIP as the OpenID vendor of choice.
But, thanks for visiting.
-amrith
LikeLike