OpenID and Facebook Connect Package

Morfik's OpenID and Facebook Connect Package provides the required functionality to maintain user authentication through OpenID providers’ services and Facebook Connect. With OpenID and Facebook Connect, visitors to your site use an existing portable identity to sign in to your site. Because these users authenticate against an existing identity provider, there is no need to store passwords or invest valuable time and resources into expensive account and password recovery. This frees you to focus on the core functions of your web application and achieve greater customer satisfaction by eliminating frustrations associated with forgotten passwords.


A Quick Walkthrough

To use Morfik's Morfik's OpenID and Facebook Connect Package simply add the package to the project by utilizing the ‘Used Packages‘ command on the Project ribbon (Figure 1), or simply drag the package file onto the application main client area. Once added, two widgets will appear on the Home ribbon when the Form Designer is active (Figure 2). These widgets can be placed on application forms and provide immediate functionality without the need for coding and with little need for configuration of their properties.

Figure 1: Used Packages Command

Figure 2: Widget Gallery

Morfik 3 Beta NOTE: - the OpenID/Facebook Connect package requires the Indy library for it to compile. While in Morfik 2 the Indy library is a part of the framework, in Morfik 3 this library has been taken out and turned in to an independent package. Therefore to use the current version of this package (V 1.1) in Morfik 3, one has to follow the steps below:

  1. Install the Indy package in the target project. You can download the Indy package from here.
  2. In the mfk_OpenIDManager module replace the module reference SystemInternetIndy to mfk_SistemInternetIndy.

The quickest way to utilize this package is to place the OpenID Login widget (Figure 3) and/or ‘Google, Yahoo!, Facebook’ widget (Figure 4) on the the main form of your application. These provide access to most of the key user interface elements related to user OpenID and Facebook Connect authentication—in two simple widgets.

Figure 3: OpenID Login Widget

Figure 4: Google, Yahoo!, Facebook Connect widget

The OpenID Login widget provides functionality for user login through OpenID. The user can select any predefined OpenID provider or choose ‘Other’ and type their username directly into the input area. If a user utilizes a predefined provider it is not necessary to remember the exact OpenID address, only the username.

The ‘Google, Yahoo!, Facebook’ widget provides functionality for user login through OpenID to Google and Yahoo!, while to login using Facebook Connect you will need to set the Facebook API key for your website in the FacebookKey property of the ‘Google, Yahoo!, Facebook’ widget. If you do not have the Facebook API key, you can obtain one here:

This is all that is needed to add OpenID and Facebook Connect authentication to your application. Users can now log in to the site.

To show the OpenID or a Facebook identity of a logged-in user, the OpenID UserName widget can be used. At runtime it will display the OpenID or a Facebook identity of a logged-in user. It states ‘Anonymous’ if the user is not logged in.

All widgets will invoke events upon successful login, logout, on failure of the authentication process and when the process of authentication is cancelled.

OpenID and Facebook Connect authentication—a technical overview

By definition, all web applications are multi-user systems with a central repository of resources and a common point of access. It is therefore necessary to provide a mechanism through which the identity of a website visitor can be determined. Once identified, it is highly desirable to be able to control and limit a visitor’s access to application resources. This requires a system for authenticating a user.

Using OpenID, there is no need to provide an independent authentication system for every application. Nor does the user need to register with every site to gain access to the site's content. A user can register once with an OpenID provider they trust and then authenticate on any OpenID-supported site. It is not necessary for the user to type their password into the site they wish to log in to; their password is typed only in their trusted provider's site. The authentication process is fully maintained by their provider, which may request a standard user password or user certificate or some other authentication method—as long as an OpenID user can log on securely they are not likely to care exactly which method of authentication was used.

Although OpenID is the way of the future, this approach currently has a few quirks which arise from the use of external authentication. Most OpenID providers open the authentication page in a new window. While this method is more secure, as it prevents other sites from having access to a user's username and password, in many cases a new popup window is less than desirable from the user‘s perspective. Additionally, providers manage their own cookies, which means that other domains cannot access those cookies. Cookies are cleared when the browser is closed. Consequently, logging out may not result in the current session being closed until all browser windows are closed. (Session cookies persist until the last browser window is closed.) A side effect of this is that if a user has logged out from Morfik's OpenID and Facebook Connect Package, some providers may be able to ‘remember’ which user was successfully logged in and may not subsequently request a user's password. Facebook Connect utilizes its own methods of authentication and does not support consequent log in with stored cookies.

Coding with Morfik's OpenID Package

OpenIDManager Object OpenIDManager is the central object of OpenID authentication in the current package. In most cases there is no need to use it directly, however it is used implicitly every time you use OpenID authentication.

To provide OpenID authentication without visual components a user can call the OpenIDManager's method Login which has two parameters: username (if the actual parameter is empty, username is set to the property UserID) and timeout (if the actual parameter is empty, default timeout occurs after 1 minute). Next the Login call package tries to determine the real username and the provider's endpoint. If the endpoint can't be determined, login fails. After the endpoint is found, the Morfik's OpenID and Facebook Connect Package opens the provider's site in a new window. The users can then carry out authentication (by password or other means). After successful authentication a cookie is set and notification of successful login is broadcast.

At any point during authentication, the user can cancel the login process by calling the CancelLogin method. In this case the login process is terminated and notification of login failure is broadcast.

After successful login a user can logout by calling the Logout method. In this case any special cookie which may have been created previously is deleted and notification of logout is broadcast.

A user can manually register handlers to detect login, logout and failure events by calling the RegisterEventHandler method, passing as the first parameter Login, Logout, or Failed'’, and the pointer to the event handler routine as the second parameter.

The login event handlers receive two parameters: Sender of type Tobject, and Username of type String. The logout handler receives one parameter of the type TobjectSender—and the Failed handler receives Sender and Reason of Failure (of type String). Here is an example of manual registering the login handler:

FX Code

TestForm = Class(Form)Procedure HandleLogin(Sender: TObject; S: String); Message;
    Procedure Button1Click(Event: TDOMEvent); Message;
Uses mfk_OpenIdManager;
Procedure TestForm.OpenIDLogin(Sender: TObject; S: String);
    //This is shown after successful login
    ShowMessage(Format('User {0} is now logged in', S));
Procedure mfk_TestForm.Button1Click(Event: TDOMEvent);
    OpenIdManager.RegisterEventHandler('Login', GetMethodPointer(Self, @HandleLogin));

The OpenIDManager has a special property, UserName which holds the name of the current user.

Note: Your OpenIdManager.UserName may be totally different to the UserName you have passed to the OpenIdManager.Login() method. For example, if a user has a website and an OpenID, if they add some tags to the site address becomes an OpenID alias to The user can type either or as their username, but in both cases OpenIdManager.UserName would be

In most cases the user doesn't need to operate with the OpenIdManager object explicitly. The only thing that cannot be done visually is the handling of the timer during login.

FacebookManager Object

FacebookManager is the central object of Facebook Connect authentication in the current package. In most cases there is no need to use it directly; however, it is used implicitly every time you use Facebook authentication.

To provide Facebook authentication without visual components, a user can call the FacebookManager's method FacebookLogin. After FacebookLogin has been called, a popup window appears where the user who undergoes the process of authentication using Facebook Connect needs to enter his/her Facebook Login and Password into respective fields. Successful authentication with Facebook Connect will result in logging out from Open ID if the user was logged in.

After successful login the user can logout by calling the FacebookLogout method. In this case notification of logout will be sent. The user can manually register handlers to detect login and logout events by calling the RegisterEventHandler method, passing 'Login' or 'Logout' as the first parameter, and the pointer to the event handler routine as the second one.

Facebook's login and logout handlers have the same parameters as OpenID's login and logout handlers, with the exception of the Sender parameter, which is always nullified.

You can use FacebookManager the following way:

FX Code

FacebookManager.Key := 'Your key'

The manual login/logout handler registration is the same as with OpenIDManager.


Once the OpenID package is installed, it adds three widgets that come as part of this package. All you need to do is to place them on your application forms – there is no need for coding.

OpenIDUserName Widget

This widget is comprised of a TextLabel which displays the currently logged-in user (or ‘Anonymous’ if a user has not logged in). Alternatively you can achieve the same result by registering the login/logout event handlers and set a standard TextLabel caption to the login handler's second parameter.

OpenIDLogin Widget

In the Morfik's OpenID and Facebook Connect Package, a user can choose one of ten predefined OpenID providers or type an OpenID manually. If the user chooses a predefined provider, he or she must remember only the username—it is not necessary to remember if the username follows the site name or vice versa, or other details. To choose a provider, the user can change ‘username’ to an actual username. After typing their username, the user can press the ‘Enter’ key or use the dropdown button to start the login process. The OpenIDLogin widget receives notifications of login, logout, login failure and login cancellation.

Google, Yahoo!, Facebook Widget

This widget is comprised of Google, Yahoo! and Facebook Connect buttons that allow a user to login using their Google, Yahoo and Facebook Connect identity. The ‘Google, Yahoo!, Facebook’ widget receives notifications of login and logout.

See Also

Back to top