I'm curious how these systems work technologically. As I understand it you do the following as a user:

  1. Go to your favorite 3rd party site.
  2. Click the "Facebook Connect" button.
  3. Log into Facebook (if not already).
  4. Authorize Application
  5. You are routed back to the 3rd party site logged in.

But, how does the 3rd party site talk to FB about who you are? I can understand how it could get the information it needs when you initially authorize the application, but how would it know afterwards? Here's a scenario:

  1. You go to Facebook and log in.
  2. You then go to your favorite 3rd party site (which you already authorized).
  3. It already knows you are logged in!
A: 

Check out OpenID. Also this presentation is very interesting: Facebook Connect vs FriendConnect

the_void
A: 

It's using a 3-legged authentication system called OAuth.

After you start the process, the 3rd party site connects to Facebook, and if you were already logged into Facebook (live session with cookies) then it will just use that, and ask permission to authorize the 3rd party app.

Once it is authorized, it will get an auth_token, which it can use to access information from your account, unless you revoke its access.

xil3
+1  A: 

A background ping using an IFrame is performed, and if the currently signed in account has already authorized the application, then the access token and user id are returned to the application. With this the application can decide what to do (usually, set a cookie and refresh the page so that the server can re-render the page knowing who you are based on the cookie that was just set). If you're curious, you can look at the Facebook implementation of the client side JS method called FB.getLoginStatus() here: http://github.com/facebook/connect-js/blob/master/src/core/auth.js#L117

daaku
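
Added example, not part of the answers above and not Facebook's code: the last answer has the page set a cookie so the server can re-render knowing who you are, which only holds up if the server can tell that cookie was not edited in the browser. The sketch below assumes the provider signs the returned session with a secret it shares with the application's server; the cookie layout, `signSession`, `verifySession` and all values are hypothetical.

```javascript
// Assumed cookie layout: base64url(JSON session) + "." + base64url(HMAC-SHA256).
// This is an illustration, not Facebook's actual cookie format.
const crypto = require('node:crypto');

const APP_SECRET = 'constructed-app-secret'; // placeholder, never sent to the browser

// Provider side (assumed): serialize the session and sign it with the shared secret.
function signSession(session, secret) {
  const payload = Buffer.from(JSON.stringify(session)).toString('base64url');
  const sig = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
  return `${payload}.${sig}`;
}

// Application server: return the session only if signature and expiry check out.
function verifySession(cookie, secret, nowSeconds) {
  if (typeof cookie !== 'string') return null;
  const parts = cookie.split('.');
  if (parts.length !== 2) return null;
  const [payload, sig] = parts;
  const expected = crypto.createHmac('sha256', secret).update(payload).digest();
  const given = Buffer.from(sig, 'base64url');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let session;
  try {
    session = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!session || typeof session.uid !== 'string') return null;
  if (typeof session.expires !== 'number' || session.expires <= nowSeconds) return null;
  return session;
}

// Constructed sample: a session for user "1000001" that expires at t=2000.
const demoCookie = signSession({ uid: '1000001', expires: 2000 }, APP_SECRET);
const demoSession = verifySession(demoCookie, APP_SECRET, 1000);
console.log(demoSession ? `render page for uid ${demoSession.uid}` : 'render logged-out page');
```

A cookie that carries only a bare user id gives the server nothing to check, so anyone could claim any account by editing it.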