
Django-SocialAuth - Login via twitter, facebook, google, etc. from single app - naish
http://uswaretech.com/blog/2009/08/django-socialauth-login-via-twitter-facebook-openid-yahoo-google/
======
Steve0
While this is certainly handy, I foresee lots of problems for users typing
their gmail password to authenticate for other sites. Phishing has been around
for a long time, and by using these authentication mechanisms it will only get
easier.

For users it's not clear which site is legit.

This is legit:
hxxps://www.google.com/accounts/ServiceLogin?service=lso&domain=Socialauth.uswaretech.net&anonSign=1&continue=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud%3Fst%3DBDKB7DbZLrOEjmE3c2kS

This is not:
hxxps://www.google.com.evilsite.com/accounts/ServiceLogin?service=lso&domain=Socialauth.uswaretech.net&anonSign=1&continue=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud%3Fst%3DBDKB7DbZLrOEjmE3c2kS

For the average user, logging in means: click on the bookmark, see if a
login form pops up, log in. Now it's go to random site, get asked for your
gmail password, and type it or else 'no cookie for you'.

That being said, I have no solution for the problem.
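The two URLs above differ only in whether `google.com` is the registrable domain or merely a prefix of the host. As an added illustration (not from the thread), here is a checker that applies the suffix rule a browser's domain highlighting relies on, and also inspects the `continue` redirect parameter; the sample URLs are constructed from the comment, with the defanged `hxxps` written out as `https`.

```python
from urllib.parse import urlparse, parse_qs

# Constructed samples modelled on the two URLs in the comment above.
LEGIT = ("https://www.google.com/accounts/ServiceLogin?service=lso"
         "&domain=Socialauth.uswaretech.net&anonSign=1"
         "&continue=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud%3Fst%3DBDKB7DbZLrOEjmE3c2kS")
LOOKALIKE = LEGIT.replace("https://www.google.com/", "https://www.google.com.evilsite.com/", 1)
# Constructed third case: genuine host, but the redirect leaves the domain.
OFF_DOMAIN_CONTINUE = LEGIT.replace("continue=https%3A%2F%2Fwww.google.com",
                                    "continue=https%3A%2F%2Fwww.evilsite.com", 1)


def naive_looks_legit(url):
    """The check an eye (or a lazy string test) makes: does it start with the
    real prefix? This accepts the lookalike host, which is the whole problem."""
    return url.startswith("https://www.google.com")


def host_belongs_to(host, registrable):
    """True only if host == registrable or host ends with '.' + registrable.
    Matching on the dot boundary rejects 'www.google.com.evilsite.com'."""
    host = host.lower().rstrip(".")
    return host == registrable or host.endswith("." + registrable)


def check_login_url(url, expected_domain="google.com"):
    """Return a list of problems with a provider login URL; empty means OK.
    Requires https, a host under expected_domain, and a 'continue' redirect
    that also stays under expected_domain."""
    parsed = urlparse(url)
    problems = []
    if parsed.scheme != "https":
        problems.append("not https")
    host = parsed.hostname or ""
    if not host_belongs_to(host, expected_domain):
        problems.append("host %r is not under %s" % (host, expected_domain))
    cont = parse_qs(parsed.query).get("continue", [None])[0]
    if cont:
        cont_host = urlparse(cont).hostname or ""
        if not host_belongs_to(cont_host, expected_domain):
            problems.append("continue redirects off-domain to %r" % cont_host)
    return problems


if __name__ == "__main__":
    for name, url in [("LEGIT", LEGIT), ("LOOKALIKE", LOOKALIKE),
                      ("OFF_DOMAIN_CONTINUE", OFF_DOMAIN_CONTINUE)]:
        print(name, "naive:", naive_looks_legit(url), "problems:", check_login_url(url))
```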

~~~
farmerbuzz
Chrome/IE8 actually do a reasonable job of addressing this by greying out
everything but the domain in the address bar. It's something I'd like to see in
FF -- if anyone knows of an add-on to do this let me know.

~~~
scotth
Locationbar²!

<https://addons.mozilla.org/en-US/firefox/addon/4014>

------
jessep
That's pretty sweet! The demo worked well for me on everything but Facebook,
where it reloaded the page within the Facebook popup, a littttle odd. This is
a great start, though, for developing services that integrate with the APIs
of these services. Psyched to try integrating it into an app.

~~~
shabda
Can you try it and let me know what address it shows in the popup bar? If you
log a bug on github, we will definitely try to fix it.

~~~
nuggien
You're setting the base path wrong for xd_receiver.htm would be my guess. FB
connect is redirecting to
[http://socialauth.uswaretech.net/accounts/login/?next=/../xd...](http://socialauth.uswaretech.net/accounts/login/?next=/../xd_receiver.htm)

------
yish
One challenge I have with all these login options is that it becomes hard to
remember which provider you logged in with. We have an issue already with
Facebook connect and standard Django auth of duplicate accounts for a single
user being created. Often times merging these can be rough. Has anyone come up
with an elegant solution to this problem?

------
endlessvoid94
How integrated is this to Django? Would it be easy to adapt to other frameworks
(I'm thinking of Pylons)? I'm working on a little website and would love to
add this functionality without switching to Django.

~~~
shabda
Pretty closely integrated, as I wanted a seamless experience as close to
normal django auth in part. But talking to providers is generic. Let me know
if you would need my help porting this to Pylons.

------
messel
Wow I was looking for precisely this demo. Rockin'

~~~
ricree
Depending on what you want it for, I've had good experiences with
django-authopenid ( bitbucket.org/benoitc/django-authopenid ).

It doesn't have the facebook or twitter, but it does work well with most
openid providers (google, yahoo, etc). Plus, it lets users go ahead and just
create a normal login if they don't want to use openid.

There's an example at openid-example.e-engura.org if you're interested.

------
coconutrandom
Can you still log in with django.contrib.auth?

~~~
shabda
Yes, these are just exposed as authentication_backends, any existing ones will
work alongside.

------
kentf
Let's start working on one for Rails

~~~
paulitex
I'm already working on a similar authentication system for a rails app and
this just really motivated me to release it as a plugin...

That said, I'm sure lots of other Rails developers have already built their
own solution. I'm also sure some are more mature than mine (i.e. in
production). Isn't uservoice.com backed by Rails? Their social authentication
is so pretty Google uses it as a demo.

