
11/16/2010

What?? Facebook is using OpenID?

Just noticed this today.
When I open facebook.com for the first time (with no other tabs open on any Facebook page),
it shows me as not logged in and asks for my email and password (I think it's the login page).

Suddenly, it changes to my Facebook home page (home.php) without me doing anything?!?!?

So, I monitored it using Wireshark and got the following sequence when opening Facebook...

Request: GET / HTTP/1.1
Host: www.facebook.com    

HTTP/1.1 200 OK

Request: GET /openid/receiver.php?provider_id=[FB_ID]&protocol=http&context=background_login&request_id=0&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2010-11-16T08%3A29%3A[SOME RANDOM]&openid.return_to=https%3A%2F%2Fwww.facebook.com%2Fopenid%2Freceiver.php%3Fprovider_id%3D[FB_ID]%26protocol%3Dhttp%26context%3Dbackground_login%26request_id%3D0&openid.assoc_handle=[SOME RANDOM]&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle&openid.sig=[SOME RANDOM]%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3D[SOME_RANDOM]&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3D[SOME_RANDOM]&openid.ns.ext1=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.ext1.mode=popup&handle=[RANDOM AGAIN] HTTP/1.1
Host: www.facebook.com
Referer: http://www.facebook.com

HTTP/1.1 200 OK    (comes with cookies and OpenID data, which is in plain text T_T)

Request: POST /login.php HTTP/1.1
Host: www.facebook.com
Referer: http://www.facebook.com/

HTTP/1.1 302 Found

Request: GET / HTTP/1.1
Host: www.facebook.com
Referer: http://www.facebook.com/

HTTP/1.1 200 OK

Now it's logged in.

Verdict:
It's good that Facebook has finally joined the mainstream single sign-on community by using OpenID.
But maybe it could be less obvious, without the page flickering like this. I think it could be done in the background between Facebook and Google.
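
The `receiver.php` request captured above is an OpenID 2.0 positive assertion (`openid.mode=id_res`). As an added example that is not part of the original post and not Facebook's code, the sketch below runs the relying-party checks from section 11 of the OpenID Authentication 2.0 spec that need no shared secret: signed-field coverage, `return_to` matching and nonce freshness/replay. Signature and discovery verification are left out, and the hosts `rp.example` and `op.example`, the helper names and all sample values are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit

NS = "http://specs.openid.net/auth/2.0"
MUST_SIGN = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
ALL_SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"

def check_assertion(request_url, now, seen_nonces, max_skew=timedelta(minutes=5)):
    """Return the problems found in an OpenID 2.0 id_res request URL."""
    req = urlsplit(request_url)
    pairs = parse_qsl(req.query, keep_blank_values=True)
    q, problems = dict(pairs), []
    if q.get("openid.ns") != NS or q.get("openid.mode") != "id_res":
        problems.append("not an OpenID 2.0 positive assertion")
    # openid.sig must cover these fields (claimed_id/identity when present).
    need = MUST_SIGN | {f for f in ("claimed_id", "identity") if "openid." + f in q}
    missing = need - set(q.get("openid.signed", "").split(","))
    if missing:
        problems.append("unsigned fields: " + ",".join(sorted(missing)))
    # return_to must match the URL the response actually arrived on.
    rt = urlsplit(q.get("openid.return_to", ""))
    if (rt.scheme, rt.netloc, rt.path) != (req.scheme, req.netloc, req.path):
        problems.append("return_to does not match request URL")
    elif any(p not in pairs for p in parse_qsl(rt.query, keep_blank_values=True)):
        problems.append("return_to query parameters missing from request")
    # response_nonce is a UTC timestamp plus a unique suffix.
    nonce = q.get("openid.response_nonce", "")
    try:
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - ts) > max_skew:
            problems.append("nonce timestamp outside allowed skew")
    except ValueError:
        problems.append("malformed nonce")
    key = (q.get("openid.op_endpoint"), nonce)
    if key in seen_nonces:
        problems.append("nonce replayed")
    seen_nonces.add(key)
    return problems

def sample(scheme="https", nonce="2010-11-16T08:29:00Zabc123", signed=ALL_SIGNED):
    """Build a constructed id_res request; hosts and values are made up."""
    return_to = "https://rp.example/openid/receiver.php?provider_id=1&context=background_login"
    ident = "https://op.example/id?id=constructed"
    params = [("provider_id", "1"), ("context", "background_login"),
              ("openid.ns", NS), ("openid.mode", "id_res"),
              ("openid.op_endpoint", "https://op.example/ud"),
              ("openid.response_nonce", nonce), ("openid.return_to", return_to),
              ("openid.assoc_handle", "h1"), ("openid.signed", signed),
              ("openid.sig", "Y29uc3RydWN0ZWQ="), ("openid.identity", ident),
              ("openid.claimed_id", ident)]
    return scheme + "://rp.example/openid/receiver.php?" + urlencode(params)
```

Calling `check_assertion(sample(scheme="http"), ...)` shows the strict reading of the spec: an assertion whose `return_to` is `https` but which arrives on an `http` URL fails the match.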
