Sign In to Facebook Transparently Just by Being Signed Into Google / GMail

By Daniel Miessler on August 17th, 2009: Tagged as Information Security | OpenID | Social Networking | Technology

facebook_square_icon   google_icon
openidlogo

So you have a Facebook account, right? And you use Google Mail, right? Good, then this is for you. It’s just recently become possible for you to sign into Facebook automagically, i.e. without entering your Facebook username and password, just because you’re already signed into GMail. It’s full of win.

identity

The wholesomeness that allows this to happen is called OpenID, which is a powerful technology that you probably want to start paying attention to. It allows you to use one online identity on many different websites, and it keeps you from having to give your password to the sites you use. Basically, it offers:

  1. Convenience: faster registration on new sites: get setup in seconds
  2. Simplicity: a single username and password to remember
  3. Security: you don’t give websites your password

If you’re interested in more details, I just finished a piece on web auth technologies here, but the point is that OpenID is blowing up. Everyone’s getting into it: Google, Yahoo, Facebook, Verisign…everyone. The big players who aren’t there now will be soon.

Facebook + Google = OpenID

handshake

So, two of the companies that are embracing OpenID the most are Facebook and Google, but in different roles. Within the OpenID system you can be an Identity Provider (someone that websites trust to provide authenticated users), or a Relying Party (a website that has services and wants to accept users from an Identity Provider).

Well, Google is now the behemoth of Identity Providers, and Facebook is now the Grand Pubah of OpenID Relying Parties. It’s a phenomenal combination for users. In other words, Facebook is saying to the world:

We accept Google users as valid users, so if you show up to Facebook and you’re already signed into Google, you’re considered legitimate to us, and we don’t need to authenticate you further.

Setup

settings

So here’s how to get going–in like two minutes. First, sign into Facebook normally–using your Facebook username and password–and go to your Settings. On the default, left-most tab you’ll have a section called “Linked Accounts”. Click “Change” there to add an account.

add_account

Select “Google” from the pull down menu and you’ll be asked to allow Facebook and Google to interact. Once you’ve authorized the connection your two accounts are linked! Now sign out of Facebook (but stay logged in to your Google account) and then go to the Facebook homepage. You’ll see some trickery taking place in the URL bar, and then you’ll be logged into Facebook without having to enter anything!

linked

The way this works is just like when you enter an OpenID identity manually on a site: you’re getting transparently redirected to the OpenID provider (Google, in this case) where Facebook confirms that you’re already logged in and subsequently lets you into the site.

The only difference is, instead of you providing an OpenID through a login form, Facebook already knows where to redirect you based on the previous “Linked Accounts” step.

Notice that you can also add a number of other account links as well, including various OpenID providers, and Yahoo! My favorite, however, is Verisign PIP, because it allows me to use two-factor authentication to access my OpenID provider.

Anyway, enjoy your new transparent login to Facebook through Google, and keep your eye out for more OpenID developments around the web. ::

  • Digg
  • Reddit
  • HackerNews
  • StumbleUpon
  • DZone
  • Google Bookmarks
  • Twitter
  • Facebook
  • del.icio.us
  • FriendFeed
  • Posterous
  • RSS
  • email
  

View Comments

  • Is it possible to log into Facebook "automagically" via the other OpenID providers it lists (like Yahoo!, AOL, Verisign, Myopenid)?
  • Yes, I tried to setup my PIP account within Facebook. You can see the error I got at http://hypecycles.wordpress.com/2009/09/10/openid/

    Clearly facebook is reaching Verisign PIP because Facebook is showing up in my "Trusted Sites".

    As you can see, this reply comes to you authenticated by Verisign PIP so that part of the system seems to work.

    The error I get is also shown in the screen shot on that page.
  • Ok, it's just broken right now. I deleted mine and tried to reset it
    and got the same error as you.

    Also, I suggest setting up delegation so you can just use your own
    domain name as your OpenID instead of your full PIP address.

    Search my site for PIP and delegation and you'll get the code. Or just
    look at the source on this page.
  • Hello,

    I just wanted to point out that working with the nice folks from Verisignlabs, I was able to get things working again; you should be able to perform the re-association again.

    http://hypecycles.wordpress.com/2009/09/10/open...

    I have also used the delegation code that you provided.

    I would love your comments and thoughts on http://hypecycles.wordpress.com/2009/09/12/face...

    Thanks!
  • Thanks, I followed your advice; you should see the delegation at work here.

    I'm thrilled that I can use my OpenID. But, so far, it has worked on exactly two sites; verisignlabs.com and your site :(

    -amrith
  • Greetings,

    I was trying to link my facebook account to my verisign PIP account. It doesn't seem to work. It looks like you got it to work with both Verisign PIP and Google.

    Did you have to do something special?
  • Did you set up your PIP and Google accounts within Facebook?
  • anonymous
    The problem with this, is that I don't want the spamtastical site, known as Facebook; to ever, ever have anything other than incorrect information about me because their attitude toward privacy is appalling.

    In fact, I have used a disposable account and the only emails that account has ever received are spam presumably from facebook, since they are the only one's to have this address: <@disposable-email.com">random-string>@disposable-email.com

    While it is conceivable that spammers also spam random strings - I have my doubts about this. I believe the main business model of Facebook is actually selling private information about individuals to 'marketting' firms like the known Russian spammer whom recently invested 12 million into Facebook.
blog comments powered by Disqus

 

twitter_icon

Sample Original Content


Information Security

Tutorials and Primers

Culture & Society

Technology & Science

Politics

Philosophy & Religion

Miscellaneous

Tools & Projects


Blog Archives