While this is certainly handy, I foresee lots of problems for users typing their Gmail password to authenticate for other sites. Phishing has been around for a long time, and by using these authentication mechanisms it will only get easier.
For users it's not clear which site is legit.
This is legit:
hxxps://www.google.com/accounts/ServiceLogin?service=lso&___domain=Socialauth.uswaretech.net&anonSign=1&continue=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud%3Fst%3DBDKB7DbZLrOEjmE3c2kS
This is not:
hxxps://www.google.com.evilsite.com/accounts/ServiceLogin?service=lso&___domain=Socialauth.uswaretech.net&anonSign=1&continue=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud%3Fst%3DBDKB7DbZLrOEjmE3c2kS
For the average user, logging in means: click on the bookmark, see if a login form pops up, log in.
Now it's: go to a random site, get asked for your Gmail password, and type it or else 'no cookie for you'.
That being said, I have no solution for the problem.
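As an added example (not part of the thread, and not code from the library being discussed): the address-bar check the comment above wants users to make, done in code and run over the two URLs quoted above. It assumes that google.com is the only ___domain at which a Google password belongs, and it computes the registrable ___domain naively from the last two labels; both assumptions are marked in the comments.

```javascript
// Added example, not code from the thread or from the library under discussion:
// the address-bar check the comment above asks users to make, in code.
// Uses the WHATWG URL API (global in Node.js and browsers); no other dependencies.

// The two URLs quoted in the thread, with the "hxxps" defanging undone so they parse.
const LEGIT_URL =
  "https://www.google.com/accounts/ServiceLogin?service=lso&___domain=Socialauth.uswaretech.net&anonSign=1&continue=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud%3Fst%3DBDKB7DbZLrOEjmE3c2kS";
const PHISH_URL =
  "https://www.google.com.evilsite.com/accounts/ServiceLogin?service=lso&___domain=Socialauth.uswaretech.net&anonSign=1&continue=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud%3Fst%3DBDKB7DbZLrOEjmE3c2kS";

// Assumption for this example: the only ___domain at which a Google password
// may be typed. A real implementation keeps a list per identity provider.
const PROVIDER_DOMAIN = "google.com";

// True if `hostname` is `___domain` itself or a label *under* it. Note the
// leading dot: "www.google.com.evilsite.com" does not end in ".google.com".
function isUnderDomain(hostname, ___domain) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return h === ___domain || h.endsWith("." + ___domain);
}

// The part Chrome/IE8 leave black in the address bar: the registrable ___domain.
// Assumption: last two labels. Correct for .com/.net/.org, wrong for
// multi-label public suffixes such as co.uk (use the Public Suffix List there).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Decide whether a login page URL really belongs to the provider, and where the
// provider will send the browser afterwards (the `continue` parameter).
function classifyLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https, password would travel in clear" };
  }
  const ___domain = registrableDomain(url.hostname);
  if (!isUnderDomain(url.hostname, PROVIDER_DOMAIN)) {
    return { ok: false, reason: "password would be sent to " + ___domain, ___domain };
  }
  // A genuine provider host can still be abused through an open redirect, so
  // also require the post-login target to stay on the provider.
  const cont = url.searchParams.get("continue");
  if (cont !== null) {
    let target;
    try {
      target = new URL(cont);
    } catch (e) {
      return { ok: false, reason: "continue parameter is not a URL", ___domain };
    }
    if (!isUnderDomain(target.hostname, PROVIDER_DOMAIN)) {
      return {
        ok: false,
        reason: "continue leaves the provider for " + registrableDomain(target.hostname),
        ___domain,
      };
    }
  }
  return { ok: true, reason: "host is under " + PROVIDER_DOMAIN, ___domain };
}

// Stand-alone demo: prints the verdict for both URLs from the thread.
for (const u of [LEGIT_URL, PHISH_URL]) {
  const verdict = classifyLoginUrl(u);
  console.log((verdict.ok ? "LEGIT  " : "PHISH  ") + verdict.___domain + ": " + verdict.reason);
}
```

The point the code makes is the one the comment makes: the hostname is read from the right, so everything before the registrable ___domain is decoration the attacker controls. The extra check on `continue` is there because the legit URL above carries one, and an open redirect on a real provider host would defeat the address-bar check even for a careful user.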
Plus it is certainly better than what we had a few years back, wherein you gave your password to third parties to authenticate to a trusted site (like Gmail contacts import, Twitter apps). Now at least you are authenticating on the trusted site, where you can verify the address bar.
On one hand you don't want to remember multiple passwords (on multiple sites), and on the other hand you don't want to let people authenticate from your own trusted site.
Most of the time, since you are already logged in on Facebook, Google, Yahoo or Twitter, you will not be prompted for a password, only for approval of the authentication.
Chrome/IE8 actually do a reasonable job of addressing this by greying out everything but the ___domain in the address bar. It's something I'd like to see in FF -- if anyone knows of an add-on to do this, let me know.
Well, try the demo. The Google login works with a mechanism on Google's servers asking you explicitly to grant access to the referring site. If the user doesn't check the address on the target ... well ... :/
I've spotted another weakness, though, in the Facebook login. The usernames are generated as facebook_$firstname, which will lead to duplicates on big sites quite fast.
I'd like to see a mechanism asking the users to choose a username.
I think this is a problem. Lots of users just type www.example.org into Google and click the first link. They hardly know what the address bar does.
One way to look at it is: stupid user, you did it to yourself.
Another is: lots of people will be fooled, maybe we should rethink.
That's pretty sweet! The demo worked well for me on everything but Facebook, where it reloaded the page within the Facebook popup, a little odd. This is a great start, though, for developing services that integrate with the APIs of these services. Psyched to try integrating it into an app.
One challenge I have with all these login options is that it becomes hard to remember which provider you logged in with. We already have an issue with Facebook Connect and standard Django auth of duplicate accounts being created for a single user. Oftentimes merging these can be rough. Has anyone come up with an elegant solution to this problem?
How integrated is this with Django? Would it be easy to adapt to another framework (I'm thinking of Pylons)? I'm working on a little website and would love to add this functionality without switching to Django.
Pretty closely integrated, as I wanted a seamless experience, in part as close to normal Django auth as possible. But talking to providers is generic. Let me know if you need my help porting this to Pylons.
Depending on what you want it for, I've had good experiences with django-authopenid ( bitbucket.org/benoitc/django-authopenid ).
It doesn't have Facebook or Twitter, but it does work well with most OpenID providers (Google, Yahoo, etc.). Plus, it lets users go ahead and just create a normal login if they don't want to use OpenID.
There's an example at openid-example.e-engura.org if you're interested.
I'm already working on a similar authentication system for a Rails app, and this just really motivated me to release it as a plugin...
That said, I'm sure lots of other Rails developers have already built their own solution. I'm also sure some are more mature than mine (i.e. in production). Isn't uservoice.com backed by Rails? Their social authentication is so pretty Google uses it as a demo.