2 votes

Is it possible for a website to allow users to log in via multiple different methods, like Facebook Connect, OpenID, etc?

Not referring to simultaneous logins of the same user, but wondering if it's possible to have multiple "SSO" options.

Is there a side-effect of a user with credentials at, say, OpenID and Facebook logging in as both, with separate session information, and "gaming" or cheating "the system" somehow?

Is that the primary reason for offering only one? Are there other reasons?

UPDATE: In an effort to clarify a bit, I should say that we'd like to use Facebook Connect, but not all of our expected users have a Facebook account. The same goes for OpenID, etc. We do have the need to tie user actions to a particular local 'account', which would obviously be synced with whichever auth provider they used to log in (or tie in later, as with SO), but we would like to offer the most convenience possible.

Perhaps we should just do in-house?


2 Answers

1 vote

I suggest tracking all of the various forms of authentication to one account. Granted, this can only be done if the user does so. But look at it this way: there is nothing stopping a person from setting up multiple accounts on a custom authentication system and playing the same "games" as they could by choosing to use various OpenID-like accounts to do the same thing! Using these forms of authentication along with a custom in-house tracking system is a good way to go and doesn't really present any new complexities regarding security that you wouldn't have with just an in-house login system. It simply adds more convenience factors for your users (at the expense of more coding for you... but isn't that always the case? (:P) ).

1 vote

My plan for doing this is to have each SSO provider be able to map from the SSO account to a local user ID. You'll be able to assign multiple SSO accounts to a single local account. All of this is hidden neatly behind an interface, probably using the Chain-of-Command pattern.

You should look at using RPX. They handle all of this for you and allow Facebook, OpenID, Windows Live ID, and more. The result is transparent to you -- you just get an opaque token to represent the ID.
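The mapping the answer above describes (several provider identities resolving to one local account), as an added illustration that is not part of either answer or of any real library. The `IdentityRegistry` class, its in-memory tables and the provider/subject keys are all hypothetical; the one rule it enforces is the security-relevant one: a provider identity can belong to only one local account, and linking a second provider requires an already authenticated local session.

```python
from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    id: int
    display_name: str
    identities: set = field(default_factory=set)  # {(provider, subject)}


class IdentityRegistry:
    """Hypothetical in-memory mapping of (provider, subject) -> local account."""

    def __init__(self):
        self._accounts = {}      # local account id -> LocalAccount
        self._by_identity = {}   # (provider, subject) -> local account id
        self._next_id = 1

    def login(self, provider, subject, display_name):
        """Resolve a provider identity the provider has already verified
        (e.g. a Facebook user id or an OpenID claimed identifier) to a
        local account, creating a fresh local account on first sight."""
        key = (provider, subject)
        if key in self._by_identity:
            return self._accounts[self._by_identity[key]]
        acct = LocalAccount(self._next_id, display_name, {key})
        self._accounts[acct.id] = acct
        self._by_identity[key] = acct.id
        self._next_id += 1
        return acct

    def link(self, session_account_id, provider, subject):
        """Attach a further provider identity to the account the user is
        currently logged in as. Never link by an unverified attribute such
        as an e-mail address; only an authenticated session may link."""
        if session_account_id not in self._accounts:
            raise PermissionError("linking requires an authenticated local session")
        key = (provider, subject)
        owner = self._by_identity.get(key)
        if owner is not None and owner != session_account_id:
            # One provider identity must not resolve to two local accounts.
            raise ValueError("identity already linked to another account")
        self._by_identity[key] = session_account_id
        self._accounts[session_account_id].identities.add(key)
        return self._accounts[session_account_id]
```

A user who signs in with Facebook once and OpenID once without linking ends up with two separate local accounts, which is the same outcome as registering twice on an in-house system; linking while logged in collapses them into one.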