facebook with openid - facebook

Referencing Is Facebook an OpenID provider? here. This is kind of an additional question based on it.
I have also read the article at: What is the "openid" url of facebook? - but I am still pretty confused on the whole ordeal. The goal is for people who use facebook to easily login to our website, not to necessarily integrate with facebook and add things to it (yet). I have read the documentation on facebook connect and am still having trouble grasping exactly what we need to do to accomplish this.
I notice that it says that facebook accepts openid logins - so in theory someone with a facebook account could login to a site that took other openid logins, correct? Or do I have to code a separate 'facebookconnect' system just to accept logins from facebook accounts?

There is a difference between an OpenID provider (who gives you a URL you can log into other sites with) and an OpenID consumer (who lets you log into their site using an OpenID URL).
Someone who "accepts openid logins" sounds like a consumer, but your description "someone with a facebook account could login to a site that took other openid logins" is describing a provider.
There's nothing stopping a site being both a consumer and a provider, but as far as I know, Facebook isn't one.

You have to code a separate "Facebook Connect" system just to accept logins from Facebook accounts; they do not use the OpenID standard.
RPX is a commercial service that offers a way to cut down on some of the confusion.

Related

Facebook Messenger: get access token of linked account

First off, I'm not looking for the access token of a facebook account.
I (or my facebook messenger bot) need the access token of a linked 3rd party account.
The account was successfully linked as described here: https://developers.facebook.com/docs/messenger-platform/identity/account-linking
Slightly off topic: The first issue I noticed that does not meet the OIDC/OAuth2 specs is, that the redirect URI given to the /authorize endpoint expects a param "authorization_code" instead of "code" with the actual authorization code. Ok, good thing we do not use off-the-shelf software for the IdP, so I could mend that. Yet.
Now, I'm accustomed from the Amazon Alexa account linking to let Amazon do the token management, refreshing etc. and to deliver a 3rd party access token with every request.
But not with Facebook, it seems. As far as I managed to understand (not by the docs, but by try&error), for the Facebook Messenger the account linking is finished once they get the authorization code (and call an associated webhook).
But since I need an actual access token for every request to my bot, that's not gonna help much.
It now looks as if I have to extend my bot to be a complete, but not standardised, OAuth2/OIDC client (including token handling, refreshing etc.) with some problems:
how to check the validity of the redirect URI?
should be the same as in the initial request
how to validate the authorization_code?
keep in mind, normally this bot has no connections/access to the database of the IdP
how to link this to a specific facebook user id?
My question now is, how to cope with that behaviour when I aim to use standardised software for the OAuth/OIDC IdP? Any ideas?
Thanks in advance
Thomas
EDIT:
To clarify what is meant by "account linking": I'm not interested in the user's facebook account, I want to access information of a 3rd party account (provided with my actual service) of that user.
For example a call like "How many pictures are in my tumblr account" will need the customer to link the tumblr account to this facebook messenger bot.
For comparison: this worked extremely smoothly with Amazon's Alexa and Google Actions. I simply had to input the client credentials and OAuth endpoints and that's that. If the user successfully linked the 3rd party account, I get an access token with every query to my backend, as expected.
EDIT2: as pointed out by CBroe, this is not supported by Facebook. Only actually "linking" the User IDs is possible.
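The ID-only linking described in this question, sketched from the side of the service that owns the 3rd-party account (an added example, not code from the original post or from Facebook). It assumes the linking webhook delivers `sender.id` plus `account_linking.status` and `account_linking.authorization_code`; the host allowlist, the in-memory stores and all function names are hypothetical.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: hosts the platform's redirect_uri is expected to point at.
ALLOWED_REDIRECT_HOSTS = {"www.facebook.com", "facebook.com"}
CODE_TTL = 300   # seconds a freshly issued code stays redeemable
_pending = {}    # authorization_code -> (service_user_id, expires_at)
links = {}       # Messenger sender id -> service_user_id


def build_redirect(redirect_uri, service_user_id, now=None):
    """After the user logs in to our service, issue a one-time code and
    send the browser back with it in the `authorization_code` parameter."""
    now = time.time() if now is None else now
    parts = urlsplit(redirect_uri)
    # Reject non-HTTPS targets and look-alikes such as
    # https://www.facebook.com@evil.example/ (hostname is evil.example).
    if parts.scheme != "https" or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        raise ValueError("untrusted redirect_uri")
    code = secrets.token_urlsafe(32)  # opaque, unguessable, carries no data
    _pending[code] = (service_user_id, now + CODE_TTL)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("authorization_code", code))
    return urlunsplit(parts._replace(query=urlencode(query))), code


def handle_account_linking(event, now=None):
    """Webhook side: bind the sender id to the user the code was issued for.
    Returns the linked service user id, or None if nothing was linked."""
    now = time.time() if now is None else now
    sender_id = event["sender"]["id"]
    info = event.get("account_linking", {})
    if info.get("status") != "linked":
        links.pop(sender_id, None)    # unlink: drop any existing mapping
        return None
    # pop() makes the code single-use, so a replayed event links nothing.
    entry = _pending.pop(info.get("authorization_code", ""), None)
    if entry is None or entry[1] < now:
        return None                   # unknown, already used, or expired
    links[sender_id] = entry[0]
    return entry[0]
```

Once the mapping exists, the bot backend looks up the service user by sender id on each message and obtains or refreshes access tokens for that user itself, since the platform only links IDs.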

AnyOpenId site for OpenId authentication stopped working

Does anyone know if http://anyopenid has stopped existing or has been compromised, as I get 404 errors and cannot use the Facebook OpenId Url i.e. http://facebook.anyopenid.com/. Is there an alternative or will I need to use the OAuth to authenticate users on my application via their Facebook, Twitter accounts?
I was emailing with one of the developers, and he told me that it has been sun-setted due to poor uptake and high maintenance costs. Too bad; it was a great service. :-( We have moved to using OAuth on our site as a result.

Is facebook an openid provider?

I'm confused about facebook and whether or not facebook is an openid provider like google.
According to this link: http://developers.facebook.com/blog/post/246/, facebook is an openid relying party. What does that mean, and is that different from an openid provider like google?
Basically, I am currently using lightopenid to allow users to use their openid's to log into my site, but can't seem to find a url for facebook's openid authentication to do this.
I have seen a question similar to this which confuses me because in that question, the questioner was told that facebook is not an openid provider, yet facebook documentation says something that facebook is an openid relying party...???
Facebook is an OAuth provider. You need to use OAuth if you want to allow Facebook users to authenticate against your service.
Being an OpenID Relying Party means that Facebook accepts OpenID logins from their users, e.g. you can log in to Facebook with your Google account. Your service is also a Relying Party if it allows users to authenticate using their OpenIDs.
For more information on the terminology used by OpenID, see the OpenID Wikipedia article.

Current state of Facebook OpenID support

I'm reading conflicting reports of Facebook OpenID support. A Facebook blog post from 2009 states that they do, but apparently there is OAuth and Facebook Connect. Or do they only support other OpenID logins on Facebook itself? I have only used JanRain's RPXNow up to now, so integrating directly with OpenID is new to me.
As of December 2010, does Facebook support OpenID logins on external sites with a Facebook account?
Facebook is a Relying Party, so you can sign in to facebook using an OpenID.
It is not a provider, however, so you can't sign in to other websites using your facebook account - at least not using OpenID.
Facebook is not an OpenID provider. There is no OpenID from Facebook you can use on other pages to login. But there are some third party servers that work as proxies. You connect them to Facebook and they provide an OpenID. In the end you have an OpenID if you are logged into Facebook.
Facebook is not even an OpenID customer. There is no page where you could enter your OpenID to login on Facebook.
Yes, you can set up OpenID providers, Google or some other services as so called "Linked accounts". They promise: "If you are logged into one of the accounts below you will automatically be logged into Facebook." But it does not work and it technically can not work as long as Facebook does not ask for the OpenID.

LinkedIn / Twitter / Facebook as OAuth and OpenId use

Firstly I understand OpenId is for authentication and OAuth is for authorisation and unlike other questions on the site I am not asking which should be used for which but whether anyone can advise a solution for my issue.
I want to allow users to login to my site via their LinkedIn/Twitter/Facebook account. Once logged in, say via LinkedIn, they could also then authorise their Twitter and Facebook account as an optional login method. This would allow the user to authenticate via any of the three but end up with their user account on my site as the end result.
I also want to use the authorisation they have provided to get basic user details (profile pic/name etc) and post status updates.
I don't want to ask a user to login with their account via openId then have to authorise the same account again via oauth to allow my site to publish to their service feed and have to do this for each of the 3 services.
Any ideas or issues to this issue?
If you are using ASP.NET MVC, DotNetOpenAuth is an excellent solution for supporting OpenID/OAuth sites. StackOverflow is using it, and they are quite picky for the code they use in the site.
The integration of OpenID with DotNetOpenAuth is quite straightforward. I have not tried OAuth, but I don't expect it to be of any less quality.
Unfortunately, Facebook does not support OpenID/OAuth, so you need to use a different solution for it. The one I use is Clarity Consulting's Facebook Developer Toolkit. It works, although I do have certain complaints about the quality of the code; unfortunately I haven't found anything better yet. (Note: If anyone knows a better alternative, by all means let me know)
The basic integration of Facebook Connect with the Facebook Developer Toolkit is also relatively straightforward. However, their object model is somewhat messed up, due to their attempt to stay as close to the Facebook APIs, so the HTTP API patterns are bleeding through a lot. Still, it does the work.
Update: Now that Facebook announced that they'll be supporting OAuth 2.0, DotNetOpenAuth might turn out to be the best solution.
Have you looked into RPX?
https://rpxnow.com/
I don't want to ask a user to login with their account via openId then have to authorise the same account again via oauth to allow my site to publish to their service feed and have to do this for each of the 3 services.
I'm afraid you'll have to connect the user's account to each of the 3 services individually. What platform are you using to build your app? If it's Ruby, then a gem like OmniAuth looks promising.