On Mon, 7 Jan 2008, Eric Lease Morgan wrote:

On Jan 7, 2008, at 6:16 AM, David Pattern wrote:

What I want to do is put together a small application that will give
user info from their library account, e.g.

  You have 5 books on loan, and 2
  of them need returning tomorrow.
  Click here to go to your library
  account if you'd like to renew

Obviously I'd need to figure out a secure and safe way of
associating a
Facebook user ID with a specific library account.

Yes, I've been thinking about the same thing. I think such a thing is
a challenge but not insurmountable.

I'm no expert on facebook (I think I've logged into my account all of
twice), but I was the archtiect and wrote most of the framework for the
first incarnation of the portal for The George Washington University, so
I've done some similar linkages before.

If you have the ability to add an extra field to your user table, or add a
secondary table, I would suggest adding a special 'facebook-only' password
in your system.  (it could be user supplied, or system generated).

The idea of this extra password is that it would _only_ allow read-only
access through certain methods, and not the user's typical access.  You
can provide them a link to log into their account and get other
information, but then they'd have to supply their normal password.

With the extra password, it's something that could be changed without
having to completely remove the user's account and recreating it -- so if
something should get shared accidentally, you can remove access.  You
would also require the user to do something to add this field (it could
generate a value, then give them the code they need to insert into
Facebook), so they would have to explicitly opt-in.

You also have the advantage that it'd require a little bit of extra effort
if someone were to take a brute-force approach to get account information.
(not that they would, but you never know).

I'd be interested to know if anyone sees any flaws with my logic and/or
has an alternate solution.

Joe Hourcle

Reply via email to