How to integrate Facebook login with ZF1 Auth?

3

I have an application running in ZF1 with an authentication system that uses a database query. I would like to know how I can integrate the two ways of logging in, that is, if the user opts for Facebook, they get the same access and the same information as a user who opted to log in directly to the site (username / password).

Note that I'm not just looking for ready-made code; my question is more conceptual anyway.

asked by anonymous 04.02.2014 / 15:21

2 answers

2

The solution I use and recommend is to link the Facebook profile to your site's profile by email address.

You need to integrate the authorization process with Facebook's OAuth, requesting an API scope that includes the 'email' value.

This will allow you to make a call to the Facebook API at the address below to request the user's email.

https://graph.facebook.com/me

Then, in your application, you check whether you already have a user with the returned email. If one does not exist, you create a new one with the user data obtained from Facebook.

If it already exists, you simply start a logged-in session for the user of your site who has the email returned by Facebook.

I've used this scheme on my sites for about 2 years and users loved it because I never ask for a username and password. Users hate having to register a new password and go through the usual email verification process. With OAuth both things are avoided.

Even so, I still allow the usual username, password and email address login for those who do not have a Facebook account or do not want to sign in with Facebook.

Incidentally, I not only allow login through Facebook, but also through Google, Yahoo, Microsoft, StackOverflow and GitHub. Most of these sites use the OAuth scheme. Some only provide the email via OpenID.

So I've developed a generic PHP OAuth class that has built-in support for dozens of APIs, and can support many more with manual configuration.

It is not a class specific to the Zend Framework, but it can be used with any framework, including Zend. Here's an example of how to log into Facebook via OAuth using this class.

04.02.2014 / 22:58
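As an added example (not code from the answer or from its author's OAuth class), this is how the link-by-email step described above could look as a ZF1 authentication adapter. The class name My_Auth_Adapter_Facebook, the users table and its columns are assumptions, and the Facebook profile is assumed to have already been fetched server-side with the access token your application obtained.

```php
<?php
// Added example (not the answer author's code): a Zend_Auth adapter for ZF1 that
// links a Facebook identity to a local account by email, as the answer describes.
// $profile must be the decoded JSON from https://graph.facebook.com/me, fetched
// server-side with the access token obtained through OAuth with the 'email' scope.
class My_Auth_Adapter_Facebook implements Zend_Auth_Adapter_Interface
{
    private $_profile;
    private $_users;   // table with columns id, email, name, password_hash (assumed)

    public function __construct(array $profile, Zend_Db_Table_Abstract $users)
    {
        $this->_profile = $profile;
        $this->_users   = $users;
    }

    public function authenticate()
    {
        // The email must come from the Graph API response, never from a form field
        // the browser could tamper with; linking by email trusts the provider.
        if (empty($this->_profile['email'])) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND,
                null, array('Facebook did not return an email address'));
        }
        $email = strtolower(trim($this->_profile['email']));

        // Existing site account with the same address? Then this is a link, not a signup.
        $select = $this->_users->select()->where('LOWER(email) = ?', $email);
        $row    = $this->_users->fetchRow($select);

        if ($row === null) {
            // First visit via Facebook: create the local account from the profile.
            // No password is set; the classic form remains available for others.
            $id  = $this->_users->insert(array(
                'email'         => $email,
                'name'          => isset($this->_profile['name']) ? $this->_profile['name'] : '',
                'password_hash' => null,
            ));
            $row = $this->_users->find($id)->current();
        }

        // Return the same identity shape the password adapter would store, so
        // Zend_Auth::getInstance()->getIdentity() looks identical for both paths.
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $row->toArray());
    }
}
```

In the OAuth callback action you would run `Zend_Auth::getInstance()->authenticate(new My_Auth_Adapter_Facebook($profile, new Application_Model_DbTable_Users()))`, while the password form keeps using its own adapter against the same users table.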
0

If you have two authentication systems, their purpose is the same: to allow your user access to the system.

Login-form authentication is the most common, and a simple form (with the necessary security validations) already does the job. However, Facebook login is very handy for the user, and depending on the permissions your application requests, you can have the same information as you would have with a standard login form.

When a user allows your application (or website) to access their data through Facebook, they are allowing the application to have their oauth_token and oauth_token_secret. So these are the values you'll have to store every time you authorize a user.

When a user, for example, revokes an application's access to their profile, they are invalidating the oauth_token and oauth_token_secret, so your application will have to ask for permission again to access their data. Meanwhile, the user's access will be denied, forcing them to provide their data again, or to register the traditional way.

04.02.2014 / 16:42