
How do you design user authentication for an app that runs on the open web and social networks? - jotto
I want to launch an app that is accessible within social networks, for example, Facebook. Assume it is in an iframe. What's the best way to handle the user's table in the database so as to take maximum advantage of the user's Facebook/x social network? What's the best way to handle authentication?

Ideally the user could authenticate with Facebook and utilize features that exist due to Facebook's network, but what about users who don't want to be on the Facebook network, but do want to be on the app's network? Meaning they log in to the app and make friends, see people nearby geographically, etc...
======
jsjenkins168
This may not offer much advice for your particular application, but may at
least show you how NOT to handle authentication. It's the best resource on the
subject I've seen thus far [PDF]:

<http://pdos.csail.mit.edu/papers/webauth:sec10.pdf>

~~~
grimoire
That is a pretty good paper. I haven't gone through it in full detail, but the
sections I read were excellent. Thanks!

------
rglullis
_Behold the power of OO!!_

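      -- PostgreSQL syntax (INHERITS). "User" is quoted because USER is a
      -- reserved word there.
      CREATE TABLE "User" (
             id serial PRIMARY KEY,
             full_name varchar(100) NOT NULL DEFAULT 'Anonymous Coward'
             -- ... (further columns elided in the original post)
      );

      -- Users who sign in through Facebook.
      CREATE TABLE FacebookUser (
             fb_id int UNIQUE NOT NULL
      ) INHERITS ("User");

      -- Users who only have an account on the app itself.
      CREATE TABLE AppUser (
             uid int UNIQUE NOT NULL
      ) INHERITS ("User");

      -- Friendship links between any two users.
      CREATE TABLE Friend (
             uid integer REFERENCES "User" (id),
             friends_with integer REFERENCES "User" (id)
      );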

If you are able to pull the user data, you pull the list of friends and add to
your table. The part where you use session information to check which user is
accessing your web app is left as an exercise to the reader.

------
szferi
You may give a possibility to users who have OpenID, Live ID, InfoCard etc.
to sign in using these IDs as well.
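
An added sketch, not code from anyone in the thread, of one way to serve both the single users table discussed above and the extra ID providers suggested in the last comment: one account row per person, plus an identities table keyed on (provider, subject) instead of table inheritance. Table and function names are hypothetical, in-memory SQLite stands in for the real database, and the provider's response is assumed to have been validated before `login_external` is called.

```python
import hashlib, hmac, os, sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, full_name TEXT NOT NULL);
CREATE TABLE identities (
    user_id  INTEGER NOT NULL REFERENCES users(id),
    provider TEXT NOT NULL,    -- 'local', 'facebook', 'openid', ...
    subject  TEXT NOT NULL,    -- provider's stable user id, or local login name
    salt BLOB, pw_hash BLOB,   -- only set for provider = 'local'
    UNIQUE (provider, subject) -- one external id maps to exactly one account
);"""

def open_db():
    db = sqlite3.connect(":memory:")  # stand-in for the real database
    db.executescript(SCHEMA)
    return db

def _kdf(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def link_identity(db, user_id, provider, subject, password=None):
    """Attach a login method to an account; user_id=None creates the account."""
    if user_id is None:
        cur = db.execute("INSERT INTO users (full_name) VALUES (?)", (subject,))
        user_id = cur.lastrowid
    salt = os.urandom(16) if password is not None else None
    pw_hash = _kdf(password, salt) if password is not None else None
    db.execute("INSERT INTO identities VALUES (?, ?, ?, ?, ?)",
               (user_id, provider, subject, salt, pw_hash))
    return user_id

def login_external(db, provider, verified_subject):
    """Look up the account; the caller has already validated the provider's response."""
    if provider == "local":  # local identities must go through the password check
        return None
    row = db.execute("SELECT user_id FROM identities WHERE provider = ? AND subject = ?",
                     (provider, verified_subject)).fetchone()
    return row[0] if row else None

def login_local(db, name, password):
    row = db.execute("SELECT user_id, salt, pw_hash FROM identities "
                     "WHERE provider = 'local' AND subject = ?", (name,)).fetchone()
    uid, salt, stored = row if row else (None, None, None)
    # Run the KDF even for unknown names so both failure paths cost the same.
    ok = hmac.compare_digest(_kdf(password, salt or b"\0" * 16), stored or b"")
    return uid if ok else None
```

Accounts are matched only on the provider's own user id, never on a display name or e-mail address the provider reports, so one person can hold several login methods without two providers being able to claim the same account.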

