Social login buttons like the ubiquitous "Login with Facebook/Google/Twitter/..." button are convenient for users: they don't have to go through a lengthy registration process and create yet another username/password. And without a proper password manager (which probably 99% of users don't use), they tend to reuse the same password, which is bad in terms of security!
However, behind the scenes, some SDKs (I'm looking at you, Facebook!) inject an iframe into your website to display the "Continue as {MyName}" or "Login with Facebook" button. Loading this iframe allows Facebook to know that this specific user is currently on your website. Facebook therefore learns about the user's browsing behaviour without their explicit consent. If more and more websites adopt the Facebook SDK, then Facebook could potentially have a user's full browsing history! And as in "With great power comes great responsibility", it's part of our job as developers to protect users' privacy even when they don't ask for it.
The iframe is actually injected by a second script that https://connect.facebook.net/en_US/sdk.js loads.
So what should we do to provide this "Login with Facebook" button to our users? The good news is that this is actually easy: Facebook implements the OAuth2/OpenID standard, so you can use any OAuth2/OpenID library to add the Facebook login button. You can also add other login providers like Google, GitHub, Apple, ... at the same time, as those are also OAuth2/OpenID-compliant.
Here are some resources for implementing OAuth2/OpenID in your app for different languages/frameworks:
JS: hello.js, jso, oidc-client-js. oidc-client-js is the basis of OAuth2/OpenID libraries for frameworks like React, VueJS, Angular and Aurelia, as listed on https://github.com/IdentityModel/oidc-client-js/wiki
Python: Requests-OAuthlib, Authlib, Python Social Auth
NodeJS: PassportJS, openid-client.
If you happen to use Flask (Python), I have written an article on dev.to on how to implement OAuth2/OpenID into a Flask application: https://dev.to/simplelogin/create-a-flask-application-with-sso-login-f9m
If you really need the Facebook SDK, please ask for user consent before loading the SDK, or only load the SDK when the user clicks on the "Login with Facebook" button.
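One way to implement that last suggestion, as an added example that is not part of the original post: the SDK script is appended to the page only when the user clicks the button (or after a consent check you plug in), so a plain page view sends nothing to connect.facebook.net. The SDK URL is the one named above; the element id, the `FB.init` values and the `documentRef`/`hasConsent` parameters are assumptions of this example.

```javascript
// Added example (not from the original post): inject the Facebook JS SDK only
// after the user clicks "Login with Facebook" or has otherwise consented, so
// nothing is fetched from connect.facebook.net on a plain page view.
// Assumptions: FB_SDK_URL is the URL the post names; documentRef and hasConsent
// are passed in so the logic also runs outside a browser.

const FB_SDK_URL = 'https://connect.facebook.net/en_US/sdk.js';

// Returns a loader that appends the SDK <script> at most once, and only while
// hasConsent() is true. Returns the injected element, or null when blocked.
function createDeferredSdkLoader(documentRef, hasConsent, url = FB_SDK_URL) {
  let injected = null;
  return function loadSdk() {
    if (!hasConsent()) return null;   // no consent: no request leaves the page
    if (injected) return injected;    // repeated clicks never inject twice
    const script = documentRef.createElement('script');
    script.src = url;
    script.async = true;
    script.crossOrigin = 'anonymous';
    documentRef.head.appendChild(script);
    injected = script;
    return script;
  };
}

// Wires the button so the SDK is requested on the first click; onReady runs
// once the script has loaded (e.g. to call FB.init and FB.login).
function wireLoginButton(button, loadSdk, onReady) {
  button.addEventListener('click', () => {
    const script = loadSdk();
    if (!script) return;                                   // consent missing: click is a no-op
    if (typeof FB !== 'undefined') { onReady(); return; }  // SDK already loaded earlier
    script.onload = onReady;                               // first load: continue once FB exists
  });
}

// Browser wiring; skipped when the file runs under Node.
if (typeof document !== 'undefined') {
  // Treat the click itself as consent; swap in a cookie-banner check if you have one.
  const loadSdk = createDeferredSdkLoader(document, () => true);
  const button = document.getElementById('fb-login');     // assumed element id
  wireLoginButton(button, loadSdk, () => {
    FB.init({ appId: 'YOUR_APP_ID', version: 'vX.Y' });   // placeholder values
    FB.login();
  });
}
```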
Update 1: it turns out that Google also uses this practice; more info can be found at https://news.ycombinator.com/item?id=21429482
Could add Django REST framework and django-allauth to the list of Python libraries that enable you to easily implement secure, database-backed session authentication in HttpOnly, Secure cookies.