I was excited to see Facebook (FB) supporting login via OpenID (FB is a relying party), and I decided to give it a whirl. Here I list the results of my investigation, which describe the odd use of OpenID, as well as my wire level analysis which I hope you find informative. This post doesn't go into details of how OpenID works, if you're interested in that leave a comment and I'll put up such a post.
FB uses OpenID in a way I've never seen before. In the "common" OpenID login model, you get a login page that shows you some sort of login via OpenID buttons. When you go to the FB login page there is no login via OpenID. This confused me, but I went to my FB account settings and linked my google account to my FB account. (Attempts to link my MyOpenID account failed with a strange error message).
After some trial and error I realized that if I was logged into my Google account and went to the FB page than I'd automatically get logged into FB.
Debugging SSL via Charles
I needed to look at the network layer to see what is going on. Some of you may want to investigate this with tshark, but much of the traffic runs over SSL, since we don't have the server certs that's a dead end. Instead you should fire up Charles, an http(s) debugging proxy. Charles can sit in the middle of your SSL connections, and relay SSL traffic by presenting ‘untrusted certs’. Visually it looks like this:
How Facebook OpenID login works at a high level:
- Your browser tries to connect to Yahoo and Google OpenID Endpoints, which post results back to FB
- If the login via OpenID succeeds, and you have a linked account you get logged into FB.
- If the request fails or there is no linked account you see nothing.
The Facebook OpenID approach:
If you’re logged into your Google account, and then go to the FB page, you’ll be automatically logged into FB, otherwise nothing happens. This is by design as mentioned here.
This is an interesting implementation of login via OpenID. It has the following advantages:
- It’s immune to phishing
- It requires no UI when you’re logged into your OpenID provider
At the same time there are some big disadvantages:
- There is a privacy leak as all OpenID providers supported by FB now know you’re trying to access FB and at what frequency and from what client
- FB needs to connect to every OpenID provider that exists on login.
- FB doesn’t allow you to specify which account you want to use to login if you have multiple.
- You can’t link your FB account to OpenID by logging into OpenID
- It’s hard to discover login is failing because you aren’t signed into an OpenID account.
I look forward to seeing how FB moves this forward.
How Facebook OpenID login works at a protocol level:
This is probably too geeky for most but I find it interesting so I’ll share it. Comment if you’d like to see more of this sort of analysis.
The first column is the return code 200 is success, 302 is a redirect. Second column is the DNS name, and third column is truncated request.
// Connect to FB
200 GET www.facebook.com
200 GET pixel.facebook.com /ajax/openid/metrics.php?metric=requestSent&immediate=true&context=background_login&openid_url=http%3A%2F%2Fyahoo.com%2F&asyncSignal=779
200 GET pixel.facebook.com /ajax/openid/metrics.php?metric=requestSent&immediate=true&context=background_login&openid_url=http%3A%2F%2Fgmail.com&asyncSignal=9380
// 2.1) HTTPS connection to Google OpenID
302 GET www.google.com /accounts/o8/ud?openid.claimed_id=…
// 2.2) HTTPS connection to Yahoo OpenID
302 GET open.login.yahooapis.com /openid/op/auth?openid.claimed_id=…
// 2.3) Yahoo OpenID telling FB it failed.
302 GET www.facebook.com /openid/receiver.php?provider_id=1923581983856&openid.mode=setup_needed&…
// 2.4) Google OpenID telling FB it succeeded.
302 GET www.facebook.com /openid/receiver.php?provider_id=1010459756371&…openid.sig=…
// FB telling itself the Yahoo login failed (this gives FB the chance to add new paramters server side, which it does)
200 GET www.facebook.com /openid/receiver.php?provider_id=1923581983856&…
// FB recording stats that the yahoo login failed.
200 GET pixel.facebook.com /ajax/openid/metrics.php?metric=requestCanceled&immediate=true&context=background_login&openid_url=http%3A%2F%2Fyahoo.com…
// FB telling itself the Google Login Succeeded (this gives FB the chance to add new paramters server side, which it does)
200 GET www.facebook.com /openid/receiver.php?provider_id=1010459756371 …
// 3. If the login via OpenID succeeds, and you have a linked account you get logged into FB. (FB Logging in)
302 POST www.facebook.com /login.php
200 GET www.facebook.com /
The actual request if you’re feeling really geeky:
// More Details 2.1) HTTPS connection to Google OpenID
// More Details 2.4) Google OpenID telling FB it succeeded.