I’m curious how these systems work technologically. As I understand it, you do the following as a user:
- Go to your favorite 3rd party site.
- Click the “Facebook Connect” button.
- Log into Facebook (if not already).
- Authorize the application.
- You are routed back to the 3rd party site logged in.
But, how does the 3rd party site talk to FB about who you are? I can understand how it could get the information it needs when you initially authorize the application, but how would it know afterwards? Here’s a scenario:
- You go to Facebook and log in.
- You then go to your favorite 3rd party site (which you already authorized).
- It already knows you are logged in!
A background ping using an IFrame is performed, and if the currently signed in account has already authorized the application, then the access token and user id are returned to the application. With this the application can decide what to do (usually, set a cookie and refresh the page so that the server can re-render the page knowing who you are based on the cookie that was just set). If you’re curious, you can look at the Facebook implementation of the client side JS method called FB.getLoginStatus() here: http://github.com/facebook/connect-js/blob/master/src/core/auth.js#L117
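The flow described in the answer, as an added example that is not part of the original answer or of Facebook's SDK: the client handler sets a cookie and refreshes once, and the server treats the user id in that cookie as a claim to be checked against the token. Assumptions: the `response` shape follows the current Facebook JS SDK's `FB.getLoginStatus()` callback, and the cookie name `fb_login` and the functions `handleLoginStatus`, `userFromCookie` and `lookupTokenOwner` are hypothetical.

```javascript
const COOKIE = 'fb_login'; // hypothetical cookie name

// Client side: act on the result of the background login-status ping.
// Assumption: `response` has the shape the current Facebook JS SDK passes to
// the FB.getLoginStatus() callback (status, authResponse.accessToken/userID).
function handleLoginStatus(response, doc, reload) {
  if (response.status === 'connected' && response.authResponse) {
    const { accessToken, userID } = response.authResponse;
    const pair = COOKIE + '=' + encodeURIComponent(userID + '|' + accessToken);
    // Skip the refresh when the cookie is already current, or the page loops.
    if (doc.cookie.split('; ').includes(pair)) return 'already-known';
    doc.cookie = pair + '; path=/; Secure; SameSite=Lax';
    reload(); // the server re-renders the page with the cookie present
    return 'reloaded';
  }
  // Not signed in to Facebook, or the app is not authorized: drop stale state.
  doc.cookie = COOKIE + '=; path=/; Max-Age=0';
  return 'anonymous';
}

// Server side: the cookie was written by script in the browser, so the user id
// in it is only a claim. `lookupTokenOwner` is a hypothetical stand-in for a
// server-to-server check of which user id the token belongs to (null if
// invalid); it is synchronous here so the example runs offline.
function userFromCookie(cookieHeader, lookupTokenOwner) {
  const m = /(?:^|;\s*)fb_login=([^;]*)/.exec(cookieHeader || '');
  if (!m) return null;
  let value;
  try {
    value = decodeURIComponent(m[1]);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  const sep = value.indexOf('|');
  if (sep < 1 || sep === value.length - 1) return null;
  const claimedId = value.slice(0, sep);
  const token = value.slice(sep + 1);
  return lookupTokenOwner(token) === claimedId ? claimedId : null;
}
```

In a page this would be wired up as `FB.getLoginStatus(r => handleLoginStatus(r, document, () => location.reload()))`.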