I'm confused about facebook and whether or not facebook is an openid provider like google.
According to this link: http://developers.facebook.com/blog/post/246/, facebook is an openid relying party. What does that mean, and is that different from an openid provider like google.
Basically, I am currently using lightopenid to allow users to use their openid's to log into my site, but can't seem to find a url for facebook's openid authentication to do this.
I have seen a question similar to this which confuses me because in that question, the questioner was told that facebook is not an openid provider, yet facebook documentation says something that facebook is a openid relying party...???
Facebook is an OAuth provider. You need to use OAuth if you want to allow Facebook users to authenticate against your service.
Being an OpenID Relying Party means that Facebook accepts OpenID logins from their users, e.g. you can log in to Facebook with your Google account. Your service is also a Relying Party if it allows users to authenticate using their OpenIDs.
For more information on the terminology used by OpenID, see the OpenID Wikipedia article.
Related
The Wikipedia article says
Other shared authentication schemes not to be confused with SSO
include OAuth, OpenID, OpenID Connect and Facebook Connect, which
require the user to enter their login credentials each time they
access a different site or application.
but I've seen OpenID and SAML compared as if they are trying to achieve the same thing (the above article says SAML is an SSO mechanism).
Can someone explain why OpenId is not an SSO mechanism?
Forget about that article, that's the most confusing story around SSO I've ever read, containing statements that are plain wrong.
OpenID is an SSO mechanism, just like SAML, OpenID Connect and Facebook Connect. LDAP and OAuth are not SSO mechanisms, but one could build an SSO mechanism on top of OAuth, which is what OpenID Connect and Facebook Connect are.
Is there a way of passing username/ password to Google Apps IDP and get a response as to whether a username/ password pair is correct?
I know I can use OAuth for authorization and access user data but note that I want to check if his credentials itself are valid. OAuth for sure will not work for me. I need a way to directly query Google Apps' IDP particularly not to use it and access something else.
I wish to use this to customize the Google's standard login page itself. OAuth doesn't allow me to do that.
Short answer: no.
Google actively tries to prevent the scenario that you describe because it would mean that Google users hand over their Google credentials to your application, aka. phishing.
That precludes branding of the Google login pages as well since it would make it harder for users to verify that they actually type in their credentials on a login page provided by Google.
As said in the other answer, Google Signin with OpenID Connect (built on top of OAuth 2.0) is the standardized way to offer users login to your application with their Google account.
Google (Apps) accounts can be used as an OpenID identity provider. By implementing your app as as a relying party, you could authenticate your users based on their Google accounts. Much like stackoverlow Google login: http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html
With SAML SSO, Google acts as a relying party. While its possible to use provisioning API and clientLogin, this is not supported and is possibly against Google Apps ToS.
Can someone confirm whether Facebook Login API (https://developers.facebook.com/docs/facebook-login/v2.2) is based on OpenID Connect (http://openid.net/connect/) specification?
No it isn't at the moment. Uses OAuth2 (also used by OIDC)
This page
https://developers.google.com/identity/
states that the "Google Sign-In" secure authentication system "gives you ... federated sign-in with ... Facebook".
Google Sign-In is based on OpenID Connect.
I am not sure if the actually answers your question in the affirmative because the rest of the page only talks about signing in with Google.
I'm reading conflicting reports of Facebook OpenID support. A Facebook blog post from 2009 states that they do, but apparently there is OAuth and Facebook Connect. Or do they only support other OpenID logins on Facebook itself? I have only used JanRain's RPXNow up to now, so integrating directly with OpenID is new to me.
As of December 2010, does Facebook support OpenID logins on external sites with a Facebook account?
Facebook is an Relying Party, so you can sign in to facebook using an OpenID.
Is is not a provider, however, so you can't sign in to other websites using your facebook account - at least not using OpenID.
Facebook is not an OpenID provider. There is no OpenID from Facebook you can use on other pages to login. But there are some third party servers that work as proxies. You connect them to Facebook and they provide an OpenID. In the end you have an OpenID if you are logged into Facebook.
Facebook is not even an OpenID customer. There is no page where you could enter your OpenID to login on Facebook.
Yes, you can set up OpenID providers, Google or some other services as so called "Linked accounts". They promise: "If you are logged into one of the accounts below you will automatically be logged into Facebook." But it does not work and it technically can not work as long as Facebook does not ask for the OpenID.
Referencing Is Facebook an OpenID provider? here. This is kind of an additional question based on it.
I have also read the article at : What is the "openid" url of facebook? - but I am still pretty confused on the whole ordeal. The goal is for people who use facebook to easily login to our website, not to neccessarily integrate with facebook and add things to it (yet). I have read the documentation on facebook connect and am still having trouble grasping exactly what we need to do to accomplish this.
I notice that it says that facebook accepts openid logins - so in theory someone with a facebook account could login to a site that took other openid logins, correct? Or do I have to code a separate 'facebookconnect' system just to accept logins from facebook accounts?
There is a difference between an OpenID provider (who gives you a URL you can log into other sites with) and an OpenID consumer (who lets you log into their site using an OpenID URL).
Someone who "accepts openid logins" sounds like a consumer, but your description "someone with a facebook account could login to a site that took other openid logins" is describing a provider.
There's nothing stopping a site being both a consumer and a provider, but as far as I know, Facebook isn't one.
You have to code a separate "Facebook Connect" system just to accept logins from Facebook accounts, they do not use the OpenID standard.
RPX is a commercial service that offers a way to cut down on some of the confusion.