Is it possible for a website to allow users to log in via multiple different methods, like Facebook Connect, OpenID, etc.?

Not referring to simultaneous logins of the same user, but wondering if it's possible to have multiple "SSO" options.

Is there a side-effect of a user with credentials at, say, OpenID and Facebook logging in as both, with separate session information, and "gaming" or cheating "the system" somehow?

Is that the primary reason for offering only one? Are there other reasons?

UPDATE: In an effort to clarify a bit, I should say that we'd like to use Facebook Connect, but not all of our expected users have a Facebook account. The same as with OpenID, etc. We do have the need to tie user actions to a particular local 'account', which would obviously be synced with whichever auth-provider they used to log in (or tie in later, as with SO), but would like to offer the most convenience possible.

Perhaps we should just do in-house?

+1  A: 

I suggest tracking all of the various forms of authentication to one account. Granted, this can only be done if the user does so. But look at it this way. There is nothing stopping a person from setting up multiple accounts on a custom authentication system and performing the same "games" as choosing to use various OpenID-like accounts to do the same thing! Using these forms of authentication along with a custom in-house tracking system is a good way to go and doesn't really present any new complexities regarding security that you wouldn't have with just an in-house login system. It simply adds more convenience factors for your users (at the expense of more coding for you...but isn't that always the case? (:P) ).

Andrew Siemer
So essentially there is no non-existent downside to offering multiple login methods that wouldn't exist with a regular in-house authentication system? (in this case, we would of course tie the authentication system to a 'local' user, but was wondering about pitfalls if multiple auth systems are used)
anonymous coward
You can use as many auth systems as you like. As long as each possibility can be tied to one account...or all possibilities can be tied to one account (as you wish) and as seen on SO. There are no "new" issues. People can create as many accounts as they have emails to verify the account with! Nothing new here.
Andrew Siemer
+1  A: 

My plan for doing this is to have each SSO provider be able to map from the SSO account to a local user id. You'll be able to assign multiple SSO accounts to a single local account. All of this is hidden neatly behind an interface, probably using the Chain-of-Command pattern.

You should look at using RPX. They handle all of this for you and allow Facebook, OpenID, Windows Live ID, and more. The result is transparent to you -- you just get an opaque token to represent the ID.

Talljoe
This looks like a great solution. Are there any other notable sites using RPX other than pickfu.com?
GavinR
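The design both answers describe (one local account, any number of external identities mapped onto it, with provider handling hidden behind a chain of handlers) as an added, self-contained example. This is not code from the question, the answers, or any of the named products; the `AccountStore`, `ProviderHandler` classes and the `login` function are hypothetical names, and the assertions are constructed dicts standing in for real Facebook/OpenID responses. The one check worth noticing is in `link`: an identity that already belongs to a different local account is never re-bound, which is what stops a logged-in user from "adopting" someone else's provider login.

```python
"""Added example: one local account, many SSO identities (hypothetical design)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import itertools

Identity = Tuple[str, str]  # (provider name, subject id scoped to that provider)


@dataclass
class LocalAccount:
    id: int
    display_name: str
    identities: List[Identity] = field(default_factory=list)


class IdentityAlreadyLinked(Exception):
    """The external identity is already bound to a different local account."""


class AccountStore:
    """In-memory mapping of external identities onto local accounts."""

    def __init__(self) -> None:
        self._accounts: Dict[int, LocalAccount] = {}
        self._owner: Dict[Identity, int] = {}  # (provider, subject) -> account id
        self._ids = itertools.count(1)

    def resolve(self, identity: Identity) -> Optional[LocalAccount]:
        acct_id = self._owner.get(identity)
        return None if acct_id is None else self._accounts[acct_id]

    def create(self, display_name: str, identity: Identity) -> LocalAccount:
        acct = LocalAccount(next(self._ids), display_name)
        self._accounts[acct.id] = acct
        self.link(acct.id, identity)
        return acct

    def link(self, account_id: int, identity: Identity) -> None:
        """Attach an identity; refuse to take one that another account owns."""
        owner = self._owner.get(identity)
        if owner is not None and owner != account_id:
            raise IdentityAlreadyLinked(f"{identity} belongs to account {owner}")
        if owner is None:  # linking the same identity twice is a harmless no-op
            self._owner[identity] = account_id
            self._accounts[account_id].identities.append(identity)


class ProviderHandler:
    """One link in the chain: handle assertions for a single provider or pass them on."""
    provider = ""

    def __init__(self, next_handler: Optional["ProviderHandler"] = None) -> None:
        self._next = next_handler

    def authenticate(self, assertion: Dict[str, str]) -> Identity:
        if assertion.get("provider") == self.provider:
            return (self.provider, self._verify(assertion))
        if self._next is None:
            raise ValueError(f"no handler for provider {assertion.get('provider')!r}")
        return self._next.authenticate(assertion)

    def _verify(self, assertion: Dict[str, str]) -> str:
        raise NotImplementedError


class FacebookHandler(ProviderHandler):
    provider = "facebook"

    def _verify(self, assertion: Dict[str, str]) -> str:
        # Hypothetical: a real deployment validates the signed request or access
        # token with Facebook before trusting the uid. Here we only require it.
        if not assertion.get("uid"):
            raise ValueError("facebook assertion lacks uid")
        return assertion["uid"]


class OpenIDHandler(ProviderHandler):
    provider = "openid"

    def _verify(self, assertion: Dict[str, str]) -> str:
        # Hypothetical: a real check verifies the provider's signature on the
        # response; here we only apply a simplified normalisation so that
        # "https://alice.example/" and "https://alice.example" map to one subject.
        claimed = assertion.get("claimed_id", "")
        if not claimed.startswith(("http://", "https://")):
            raise ValueError("openid claimed_id must be a URL")
        return claimed.rstrip("/")


def login(store: AccountStore, chain: ProviderHandler, assertion: Dict[str, str],
          current: Optional[LocalAccount] = None) -> LocalAccount:
    """Sign in with any provider; if `current` is set, link the identity to it instead."""
    identity = chain.authenticate(assertion)
    if current is not None:
        store.link(current.id, identity)  # raises if another account owns it
        return current
    acct = store.resolve(identity)
    if acct is None:
        acct = store.create(assertion.get("name", identity[1]), identity)
    return acct


def demo() -> Tuple[int, int, bool]:
    """Walk through create, link, re-login and a refused takeover attempt."""
    store = AccountStore()
    chain = FacebookHandler(OpenIDHandler())
    alice = login(store, chain, {"provider": "facebook", "uid": "1001", "name": "alice"})
    login(store, chain, {"provider": "openid", "claimed_id": "https://alice.example/"}, current=alice)
    again = login(store, chain, {"provider": "openid", "claimed_id": "https://alice.example"})
    bob = login(store, chain, {"provider": "facebook", "uid": "2002", "name": "bob"})
    try:
        login(store, chain, {"provider": "openid", "claimed_id": "https://alice.example/"}, current=bob)
        stolen = True
    except IdentityAlreadyLinked:
        stolen = False
    return again.id, bob.id, stolen


if __name__ == "__main__":
    print(demo())
```

The order of `resolve` versus `link` in `login` is deliberate: when a user is already signed in, the new identity is attached to that session's account rather than looked up, so the only path by which an identity changes owner is an explicit unlink followed by a fresh link. Swapping the store for a database table with a unique key on `(provider, subject)` gives the same guarantee under concurrency.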