Carefully review apps that provide Facebook Login


Facebook Login lets a website's or app's users sign in without creating a new set of credentials; they reuse their existing Facebook account instead.

It came as a surprise to me that a shopping site implementing OAuth with Facebook as the identity provider could receive far more personal details than a regular e-commerce transaction requires.

The shopping site required me to grant it access to my "basic info" before I could continue. I was shocked to find that, to Facebook, "basic info" means all of the following:

  • Name
  • Profile picture
  • Gender
  • Networks
  • User ID
  • List of friends
  • Any other info you made public

Apart from my name and possibly my email address, the shopping site had no business knowing any of these details.

In addition, the login dialog stated that the app can post on my behalf on my Facebook timeline, and the visibility of those posts was set to Friends by default. The onus is on the user to change it to "Only Me" to stop their Facebook friends from being spammed by a site that has already asked for all of these details.
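The two problems above, an over-broad bundled permission and a publish permission slipped into the same request, can both be caught by reading the `scope` parameter of the OAuth dialog URL before the user ever sees it. The following is an added example, not code from the original post or from Facebook's SDK: it audits a Facebook Login dialog URL against a least-privilege allow-list for an e-commerce sign-in. The permission names (`basic_info`, `public_profile`, `email`, `publish_actions`, `publish_stream`) are the ones Facebook's Login dialog accepted around the time of the post; the allow-list itself and the sample URLs are constructed for the example.

```javascript
// Added example (not from the original post): audit the permissions an app
// requests in a Facebook Login / OAuth dialog URL against a least-privilege
// policy for an e-commerce sign-in. The allow-list below is an assumption
// about what a shop actually needs; adjust it to your own data requirements.

// Minimum a shop needs to recognise a returning customer (assumed policy).
const ALLOWED_FOR_SHOP = new Set(["public_profile", "email"]);

// What the bundled "basic info" permission expanded to, per the post's list.
const BASIC_INFO_GRANTS = [
  "name", "profile picture", "gender", "networks", "user id",
  "list of friends", "any other info made public",
];

// Permissions that let the app write to the user's timeline on their behalf.
const PUBLISH_SCOPES = new Set(["publish_actions", "publish_stream"]);

// Pull the scope list out of a dialog URL. Facebook accepted both comma- and
// space-separated lists, so split on either and drop empty entries.
function parseScopes(dialogUrl) {
  const url = new URL(dialogUrl);
  const raw = url.searchParams.get("scope") || "";
  return raw.split(/[\s,]+/).map((s) => s.trim()).filter(Boolean);
}

// Compare the requested scopes against the allow-list. Returns what was
// requested, what exceeds the policy, any publish permissions, and what the
// bundled "basic_info" scope would actually hand over.
function auditScopes(dialogUrl, allowed = ALLOWED_FOR_SHOP) {
  const requested = parseScopes(dialogUrl);
  const excessive = requested.filter((s) => !allowed.has(s));
  const publish = requested.filter((s) => PUBLISH_SCOPES.has(s));
  const expandsTo = requested.includes("basic_info") ? BASIC_INFO_GRANTS : [];
  return { requested, excessive, publish, expandsTo, ok: excessive.length === 0 };
}

// Human-readable summary of an audit result, for a review checklist or log.
function summarize(result) {
  const lines = [`requested: ${result.requested.join(", ") || "(none)"}`];
  if (result.excessive.length) lines.push(`beyond policy: ${result.excessive.join(", ")}`);
  if (result.publish.length) lines.push(`can post on your behalf: ${result.publish.join(", ")}`);
  if (result.expandsTo.length) lines.push(`"basic_info" grants: ${result.expandsTo.join(", ")}`);
  lines.push(result.ok ? "verdict: least-privilege" : "verdict: over-privileged");
  return lines.join("\n");
}

// Constructed sample: the kind of request the post describes (client_id and
// redirect_uri are placeholders, not real values).
const OVERREACHING =
  "https://www.facebook.com/dialog/oauth?client_id=APP_ID_PLACEHOLDER" +
  "&redirect_uri=https%3A%2F%2Fshop.example%2Fcallback" +
  "&scope=basic_info,email,publish_actions";

// Constructed sample: a least-privilege request for the same shop.
const MINIMAL =
  "https://www.facebook.com/dialog/oauth?client_id=APP_ID_PLACEHOLDER" +
  "&redirect_uri=https%3A%2F%2Fshop.example%2Fcallback" +
  "&scope=public_profile,email";

console.log(summarize(auditScopes(OVERREACHING)));
console.log("---");
console.log(summarize(auditScopes(MINIMAL)));
```

Run it with Node (which provides the `URL` global) and the first report flags `basic_info` and `publish_actions` as beyond policy and spells out what `basic_info` expands to; the second passes. The same check can be applied server-side to the URL your own login button generates, so a scope added during development never reaches production unnoticed.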

With this kind of cloaking & ambiguous wording, it is hard to trust websites these days.

Update (April 30, 2014): Facebook announced that when its 1.3 billion users log in to other websites or mobile apps through their Facebook identities, they will be able to limit what they reveal to the site or app to just their email address and public profile information, such as name and gender.

Related: HOW TO implement Authentication & Authorization using OAuth 2.0 Providers with ASP.NET WebForms
