How do you design user authentication for an app that runs on the open web and social networks?
13 points by jotto on Feb 5, 2008 | 5 comments
I want to launch an app that is accessible within social networks, for example, Facebook. Assume it is in an iframe. What's the best way to handle the user's table in the database so as to take maximum advantage of the user's Facebook/x social network? What's the best way to handle authentication?

Ideally the user could authenticate with Facebook and utilize features that exist due to Facebook's network, but what about users who don't want to be on the Facebook network, but do want to be on the app's network? Meaning they log in to the app and make friends, see people nearby geographically, etc...




This may not offer much advice for your particular application, but may at least show you how NOT to handle authentication. It's the best resource on the subject I've seen thus far [PDF]:

http://pdos.csail.mit.edu/papers/webauth:sec10.pdf


That is a pretty good paper. I haven't gone through it in full detail, but the sections I read were excellent. Thanks!


Thanks for this link!


Behold the power of OO!!

  -- "user" is a reserved word in PostgreSQL, so the table name must be quoted.
  CREATE TABLE "User" (
         id serial PRIMARY KEY,
         full_name varchar(100) NOT NULL DEFAULT 'Anonymous Coward'
         -- ... (other profile columns)
  );
  
  CREATE TABLE FacebookUser (
         fb_id int UNIQUE NOT NULL
  ) INHERITS ("User");
  
  CREATE TABLE AppUser (
         uid int UNIQUE NOT NULL
  ) INHERITS ("User");
  
  -- Caveat: in PostgreSQL, a parent's PRIMARY KEY/UNIQUE constraints and any
  -- foreign key that targets "User" apply only to rows stored in "User" itself,
  -- not to rows stored in FacebookUser or AppUser. These references therefore
  -- reject the id of a user who was inserted through a child table.
  CREATE TABLE Friend (
         uid integer REFERENCES "User" (id),
         friends_with integer REFERENCES "User" (id)
  );


If you are able to pull the user data, you pull the list of friends and add them to your table. The part where you use session information to check which user is accessing your web app is left as an exercise to the reader.
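The session check that the comment above leaves as an exercise, as an added example that is not part of the thread: a signed session cookie carrying the user id and an expiry, authenticated with HMAC-SHA256 under a server-side secret, so the app never trusts a client-supplied user id. `SECRET_KEY` is a constructed placeholder for a key loaded from configuration; the function and field names are this example's own.

```python
# Added example (not from the thread): minimal signed session token.
# Token format: base64url(payload) "." base64url(HMAC-SHA256(payload)),
# where payload is JSON {"uid": <user id>, "exp": <unix expiry>}.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a 32-byte secret loaded from configuration; constructed here.
SECRET_KEY = bytes.fromhex("0f" * 32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user_id: int, ttl_seconds: int = 3600,
                  now: Optional[float] = None, key: bytes = SECRET_KEY) -> str:
    """Return a token binding user_id to an expiry time under key."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now) + ttl_seconds},
                         separators=(",", ":")).encode("ascii")
    body = _b64e(payload)
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64e(sig)


def verify_session(token: str, now: Optional[float] = None,
                   key: bytes = SECRET_KEY) -> Optional[int]:
    """Return the user id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison: do not leak how many signature bytes matched.
        if not hmac.compare_digest(expected, _b64d(sig_text)):
            return None
        payload = json.loads(_b64d(body))
        if payload["exp"] <= now:
            return None
        return int(payload["uid"])
    except (ValueError, KeyError, TypeError):
        return None


if __name__ == "__main__":
    tok = issue_session(42, ttl_seconds=60)
    print(tok, "->", verify_session(tok))
```

Because the user id lives inside the MAC'd payload, the server looks up the account from the verified token rather than from any id the client sends alongside it; the expiry bounds how long a stolen cookie is useful.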


You may also give users who have OpenID, Live ID, InfoCard etc. the possibility to sign in using these IDs as well.
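The user table design discussed in the schema comment above, generalized to the extra identity providers this comment mentions, as an added example that is not part of the thread: one account table plus a separate identity table keyed by (provider, subject), so a Facebook id, an OpenID URL or a local username and password all resolve to the same account id, and friend rows always reference that id. Table, column and function names are this example's own; the data is constructed for it. SQLite is used so it runs offline, with foreign keys enabled.

```python
# Added example (not from the thread): one account, many identities.
import hashlib
import hmac
import os
import sqlite3
from typing import Iterable, Optional

SCHEMA = """
CREATE TABLE account (
    id        INTEGER PRIMARY KEY,
    full_name TEXT NOT NULL DEFAULT 'Anonymous Coward'
);
-- One row per credential; (provider, subject) is the login key.
CREATE TABLE identity (
    account_id INTEGER NOT NULL REFERENCES account(id),
    provider   TEXT NOT NULL,   -- 'facebook', 'openid', 'local', ...
    subject    TEXT NOT NULL,   -- Facebook user id, OpenID URL, local username
    secret     BLOB,            -- salt || PBKDF2 hash for 'local', NULL otherwise
    PRIMARY KEY (provider, subject)
);
CREATE TABLE friend (
    account_id   INTEGER NOT NULL REFERENCES account(id),
    friends_with INTEGER NOT NULL REFERENCES account(id),
    PRIMARY KEY (account_id, friends_with),
    CHECK (account_id <> friends_with)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    return conn


def _hash_password(password: str, salt: bytes) -> bytes:
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def account_for_identity(conn, provider: str, subject: str) -> Optional[int]:
    row = conn.execute("SELECT account_id FROM identity WHERE provider=? AND subject=?",
                       (provider, subject)).fetchone()
    return row[0] if row else None


def login_federated(conn, provider: str, subject: str, full_name: str) -> int:
    """Find or create the account behind an identity the provider has already verified."""
    existing = account_for_identity(conn, provider, subject)
    if existing is not None:
        return existing
    cur = conn.execute("INSERT INTO account(full_name) VALUES (?)", (full_name,))
    conn.execute("INSERT INTO identity(account_id, provider, subject) VALUES (?,?,?)",
                 (cur.lastrowid, provider, subject))
    return cur.lastrowid


def register_local(conn, username: str, password: str, full_name: str) -> int:
    """Create an account that logs in with the app's own username/password."""
    cur = conn.execute("INSERT INTO account(full_name) VALUES (?)", (full_name,))
    conn.execute("INSERT INTO identity VALUES (?,?,?,?)",
                 (cur.lastrowid, "local", username, _hash_password(password, os.urandom(16))))
    return cur.lastrowid


def login_local(conn, username: str, password: str) -> Optional[int]:
    row = conn.execute("SELECT account_id, secret FROM identity WHERE provider='local' AND subject=?",
                       (username,)).fetchone()
    if row is None:
        return None
    salt = row[1][:16]
    return row[0] if hmac.compare_digest(row[1], _hash_password(password, salt)) else None


def import_facebook_friends(conn, account_id: int, fb_friend_ids: Iterable[int]) -> int:
    """Add a friend edge for each Facebook friend who already has an account; return how many were new."""
    added = 0
    for fb_id in fb_friend_ids:
        other = account_for_identity(conn, "facebook", str(fb_id))
        if other is None or other == account_id:
            continue  # unknown to the app, or the user's own id
        added += conn.execute("INSERT OR IGNORE INTO friend VALUES (?,?)",
                              (account_id, other)).rowcount
    return added
```

A second provider such as OpenID is one more `provider` value, and linking an extra credential to an existing account is one more `identity` row; the friend graph never has to know how a user authenticated.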



