I am implementing Facebook single sign on for my applications. In this first part of my Facebook authentication tutorial, I discuss the basics of the Facebook authentication process (see also: part 2, part 3).
Getting started: some terminologyIf you are like me and haven't implemented Facebook integration before, the terminology and various API's can be confusing. And the Facebook developer documentation is a combination of too-much-information and not-enough-explanation.
First, the Facebook documentation talks about different kinds of applications, which are:
- Facebook canvas applications: Applications-within-Facebook, or what users think of as "Facebook apps".
- FBML / FBJS apps (built using FB-specific markup)
- Facebook desktop applications (rare; basically anything that cannot run within a browser, like a desktop client for Facebook)
- Facebook web applications (websites with Facebook-integration such as single sign-on and custom Facebook elements within them such as CNN and Digg)
- Facebook Connect - no such thing exists anymore (e.g. http://mashable.com/2010/04/21/facebook-kills-facebook-connect/). The new API is called the Graph API, and talking about Facebook Connect is inaccurate..
- Graph API: The new version of Facebook's API. The Graph API is much more than just authentication: it is the mechanism which powers Facebook applications and allows you to read and write date to Facebook.
- Old REST API: The early version of Facebook's Graph API; Facebook does not recommend you use it because they are in the process of deprecating it.
- FQL (Facebook Query Language): A SQL-like language for querying the Graph API. Supposedly makes using the API easier for apps.
- Other stuff from Facebook:
- Open Graph Protocol: A convention of meta and other tags which allows you to add metadata to Like button clicks, integrating them with Facebook (e.g. a like on a profile).
- Social plugins: Ready-made Facebook widgets you can embed using an iframe.
How does Facebook authentication work?Conceptually, it works like this (picture of user represents page shown to user): There most important authentication methods are:
- web application authentication (using server side SDK's): When you do web application authentication, you need redirect the user to Facebook in your app. When the user allows access for your app, Facebook redirects them back and sends the access token and user ID as part of the GET request to your authentication-complete redirection page. Then you can access the user's information using the returned token.
- http://developers.facebook.com/docs/guides/performance (good illustration on the difference between FBML and IFrame applications)
Alex: Thanks for creating this. I am also confused about the ever-changing technologies FB is using. I wish they made it simpler. Your post helped me understand a bunch of different nuances. :)
Grant: Thank you. It's often only in seeing all of the pieces side by side that we understand. I hadn't found something so clear and comprehensive as your post.
don11: thanks. if the user logged out and or the cookies cleared. the access token will became invalid. what is the best way to handle that