Important terms:
The reasons locatabl.com uses an IdP are:
- IdPs generally "maintain" their registers to prevent fake accounts (users with multiple accounts).
- It makes the RP-site simpler and easier to maintain.
- They relieve the RP from handling sensitive data (passwords etc.).
- They handle stuff like forgotten passwords.
- Furthermore, you as the end-user will have fewer passwords to remember :-)
Facebook is probably the best IdP at the time of writing, but there could be better ones. Facebook, after all, wants you to do a lot of other stuff (write messages, post pictures, ...); it is above all a social medium. So if a better (simpler, less intrusive, still widely accepted) IdP comes along, then that site might be used instead.
Here is a comparison of identity providers that are considered.
What data is exchanged between the IdP and the RP?
At the minimum the IdP must send an identifier-code that is unique for the user but typically is different for different RPs.
You can see in the login window exactly what data (access rights (read/write access)) are being shared. You can typically also go into the IdP-site and change/withdraw these rights later.
Facebook's minimum is to send what they call the public_profile. However, locatabl.com does not use all the data in the public_profile (only the identifier-code, name and image are used). The name and image can then be changed in the settings (under the settings button) on (app).locatabl.com.
locatabl.com does not send any data to the IdP.
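The exchange described above, as an added example that is not locatabl.com's or Facebook's own code: a hypothetical IdP derives a per-RP identifier, and the RP keeps only the identifier, name and image. The HMAC construction, the secret, the field names and the sample user are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed secret held only by the (hypothetical) IdP.
IDP_SECRET = b"constructed-demo-secret"

# The only profile fields the RP keeps, per the text above.
RP_FIELDS = ("id", "name", "picture")


def pairwise_id(user_id: str, rp_id: str) -> str:
    """IdP side: derive an identifier that is stable per (user, RP) pair
    but cannot be linked across RPs without the IdP's secret."""
    msg = f"{len(rp_id)}:{rp_id}|{user_id}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def idp_profile(user: dict, rp_id: str) -> dict:
    """IdP side: build the profile sent to one RP after the user consents."""
    profile = {k: v for k, v in user.items() if k != "internal_id"}
    profile["id"] = pairwise_id(user["internal_id"], rp_id)
    return profile


def rp_store(profile: dict) -> dict:
    """RP side: keep only the allow-listed fields and discard the rest."""
    missing = [f for f in ("id", "name") if not profile.get(f)]
    if missing:
        raise ValueError(f"IdP response lacks required fields: {missing}")
    return {f: profile.get(f) for f in RP_FIELDS}


# Constructed sample user as held by the hypothetical IdP.
SAMPLE_USER = {
    "internal_id": "1000001",
    "name": "Alex Example",
    "first_name": "Alex",
    "last_name": "Example",
    "picture": "https://idp.example/img/1000001.jpg",
}

if __name__ == "__main__":
    stored = rp_store(idp_profile(SAMPLE_USER, "locatabl.com"))
    other = rp_store(idp_profile(SAMPLE_USER, "other-rp.example"))
    print(stored)
    print("same user, different RP, ids equal?", stored["id"] == other["id"])
```

Because the stored record is built from an allow-list, any extra field the IdP adds to the profile later is dropped by default rather than silently persisted.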
What if you change your mind about sharing things?
On (app).locatabl.com: under the settings button->Deadline->"Delete account" you can delete your account (and all stored data about you). Since the site software is open source, people with software knowledge can verify how the site works and that the data is actually deleted.
On facebook.com under settings->apps you can also go in and delete the RP's access to your data.