Software Engineering for Smart Data Analytics & Smart Data Analytics for Software Engineering

S6T1 Investigation on Facebook/Google authentication

Vadim Costache/Chih-Song Kuo

Summary: The basic idea of both Facebook and Google account authentication is to outsource account management to a third-party server. That server handles user account creation, forgotten-password retrieval, and user information storage. Once the user is authenticated by the third party, an identifier that is not identical to the user's Facebook/Google account is returned to our website. That identifier can then be used to identify the user's own data in our own database.

We found that Facebook/Google account authentication saves a reasonable amount of effort in building safe, secure user management, which usually requires much knowledge and time to implement. However, this doesn't mean a developer can implement the code needed for third-party authentication in a short time, because there is a reasonable amount of documentation to read and there are mechanisms to understand.

In our view, implementing Facebook/Google account authentication would take about the same time as a “simple (insecure)” self-built account management system. If we need higher robustness, we think it is worth using third-party account authentication.

There is also the alternative of directly using OpenID on the website.

Facebook Account Authentication

- Facebook Registration
- How Facebook registration works
- Facebook uses OAuth




- You can sign in even if you don't have a FB account.
- There is also an XFBML tag for use with the JavaScript SDK.
- You may also request data from users that isn't present on Facebook. To do this, you can use a JSON string in the fields attribute instead of the CSV.
- If the user arrives at your site logged out of Facebook, the button will say Login. When the user clicks it, she will be prompted to enter her Facebook username and password. If she has not registered for your site, she will be redirected to the URL you specify in the registration-url parameter. If she has already registered for your site, the button will fire an onlogin() JavaScript event. When this event is fired, you should log the user in to your site.

- uses OAuth 2.0
- JavaScript on the Client Side
- PHP on the Server Side
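The flow described in the summary and in the login-button item above, sketched server-side as an added example (not code from this page or from Facebook's SDK). It assumes the identifier reaches the server as a Facebook-style `signed_request` (base64url signature and payload, HMAC-SHA256 with the app secret); `APP_SECRET`, `users`, `handleLogin` and `makeSample` are hypothetical names, and the sample input is constructed.

```javascript
// Added example: verify a signed_request, then use the returned ID as the local key.
const crypto = require('crypto');

const APP_SECRET = 'constructed-app-secret'; // placeholder, not a real secret

// base64url -> Buffer (the encoding uses - and _ and omits padding)
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Returns the parsed payload, or null if the format or signature is invalid.
function parseSignedRequest(signedRequest, secret) {
  const parts = String(signedRequest).split('.');
  if (parts.length !== 2) return null;
  const [encodedSig, encodedPayload] = parts;
  const expected = crypto.createHmac('sha256', secret).update(encodedPayload).digest();
  const given = b64urlDecode(encodedSig);
  // Constant-time compare; check length first because timingSafeEqual throws on mismatch.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let payload;
  try { payload = JSON.parse(b64urlDecode(encodedPayload).toString('utf8')); } catch { return null; }
  if (!payload || payload.algorithm !== 'HMAC-SHA256' || !payload.user_id) return null;
  return payload;
}

// Local user table keyed by the provider's identifier (in-memory stand-in for a database).
const users = new Map([['fb:1000001', { displayName: 'Alice', notes: [] }]]);

// Decide what to do with an incoming login: reject, send to registration, or log in.
function handleLogin(signedRequest) {
  const payload = parseSignedRequest(signedRequest, APP_SECRET);
  if (!payload) return { action: 'reject' };
  const key = 'fb:' + payload.user_id;
  return users.has(key)
    ? { action: 'login', user: users.get(key) }
    : { action: 'register', key };
}

// Constructed sample input: what the provider would send for a given user id.
function makeSample(userId, secret) {
  const toUrl = (b64) => b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const body = toUrl(Buffer.from(JSON.stringify({ algorithm: 'HMAC-SHA256', user_id: userId }))
    .toString('base64'));
  const sig = toUrl(crypto.createHmac('sha256', secret).update(body).digest('base64'));
  return sig + '.' + body;
}
```

The signature check is what lets the site trust the identifier: a payload whose signature does not match the app secret is rejected before any database lookup.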

related stuff

Node Facebook SDK

S6T02 Diagram for a site that uses Facebook and its own Registration


- JSON
- easy to implement
- manages social interaction (if you block a user on Facebook, he won't be able to access your data on the website): Facebook Login


- uses popups (for websites, not for mobile apps)
- you can only log in if you have a FB account

Google Account Authentication

Main Ref: Google Account Authentication

Based on the OpenID 2.0 protocol (OpenID Official Page). OAuth may also be used as a complement to OpenID if needed.

Taken from

Pros: Quite flexible. Supports log-in through the same browser window or a pop-up one.

Cons: Takes time to understand the whole procedure and how OpenID works.

**S6T2** - Google+ Sign In

A Simple lightweight Google+ API for Client Side:

Info on OpenId

OpenID for Node.js


- Add OpenID
- OpenID - Getting Started
- OpenID Libraries

Features: the user logs in to an OpenID provider. That OpenID is then used to authenticate with any website.


- universal


- complicated


OAuth provides some extension to OpenID


MISC Stuff (things we found on the way)

some OAuth Javascript code

Javascript OAuth

some random JS login code

JavaScript Login Code

an article on how to secure oauth in javascript

OAuth Javascript

articles on how to integrate openid as the login system

Integrate OpenID alt - integrate openid

— our comm —

teaching/labs/xp/2012b/facebookgooglelogin.txt · Last modified: 2018/05/09 01:59 (external edit)

SEWiki, © 2019