Admittedly, this post is not really news. Those of you who read tech blogs regularly have probably already forgotten about it, albeit the news are not even one month old. Anyway, I was hesitant to write about Facebook’s support for OpenID as a Relying Party for one single reason: I didn’t get it back then and I’m not even sure I fully understand it now.
Facebook users can associate one or more OpenIDs to their Facebook account. Just head over to the account settings and have a look at Linked Accounts.
Adding a Google Account
Most people will probably use their Google account as an OpenID. That’s fine and works smoothly. Facebook makes use of the OpenID User Interface Extension specification which is still a draft, though. Users don’t have to experience the redirect game of OpenID, instead everything works in a single popup.
Clicking Allow and the Google OpenID is associated with Facebook. Simple, really. However I don’t like that users can’t decide if they want their contacts imported or not. All or nothing, that’s not really user friendly. Also what happened to the contacts from my Google account? Where are they on Facebook? I don’t see them there. Or is there some matching between existing Facebook users and my address book happening behind the scenes?
Adding Another OpenID
While Google is an obvious choice for many users, I also tried to add my own OpenID, notsorelevant.com. Currently, it’s delegated to MyOpenID which is supported by Facebook. Actually, that association worked as well. But much to my surprise Facebook is not storing notsorelevant.com as my OpenID but the MyOpenID one. That’s different from all Relying Parties I know. What if I change my mind and delegate to another supported provider? That doesn’t make sense.
Automatic Login
Well, two OpenIDs are linked to my Facebook account now and according to the Facebook announcement I’m supposed to be logged in to Facebook automatically if I’m logged in to my OpenID Provider already.
This login method is possible due to a feature of the OpenID specification called checkid_immediate, which has to be supported by the OpenID Provider. Basically, this means that the Relying Party requests the OpenID Provider not to interact with the user but to send a reply that authentication was successful directly to the Relying Party. Hopefully, I got that right and didn’t risk my neck with careless talk here. Apparently, checkid_immediate is not supported by all providers, though. Anyone know if there is a way to find out?
OK, this was some technical explanation but did it work? Well, at first it didn’t. I was logged in to both Google and MyOpenID, logged out of Facebook, closed the browser tab, opened another one, typed in the Facebook URL but nothing happened. This was exactly the reason I didn’t write about this topic before.
By now it works, though. Well, it actually depends on the provider. If I remove Google from the linked accounts it’s not possible to log in automatically. Remember, MyOpenID is the only linked account left. Oddly, MyOpenID get requests from Facebook, though, and also seems to authenticate me but nothing happens. Below is a screenshot of the MyOpenID log.
I’m clueless what is wrong here. Is it MyOpenID or is it Facebook? If I associate my Google OpenID again, automatic login works.
According to Facebook it should be possible to register a new Facebook account with a Gmail address only (= with a Google OpenID) but I don’t see any hints on the Facebook start page, though. Anyone tried that already?
Tags: Facebook, Google, Login, OpenID, Relying Party
-
Thanks for posting this; you’ve got it pretty much down. We are still working out a few bugs and working to improve the experience.
I’d be happy to look at this case; do you mind filing a bug at bugs.developers.facebook.com ? Also, I’m keeping track of known issues here: http://wiki.developers.facebook.com/index.php/OpenID_Known_Issues
-
OK, will do so tomorrow. It’s quite late at this side of the ocean now.
-
-
Indeed a ‘patchy’ experience. The documentation and support by Facebook is indeed lax. The delegation as per your observation is totally broken due to a lack of interpretation of the OpenID specification. Although there is a positive comment from Luke Shepard at FB, there has been no action.
At this point imho, FB is rendered as a useless relying party considering it does not provide an OpenID logon to public users, but furthermore, it does not even support its current users with their delegated OpenIDs.-
Facebook’s implementation also seems to cause problems if the browser auto-fills the email and password boxes. Then auto-login isn’t working as well. At least for me.
-
Comments are now closed.
View Comments