
Using Facebook authentication with Yii (PHP)

Note: There are many ways to implement this, but this seemed to make the most sense to me at the time.

A login can either come from someone clicking a login link and being sent to a login page, or we can force the login and not allow guests.  The login/logout button is easy enough: just modify the distributed site controller’s login and logout “action” methods.  To force the login, the best way is to implement a behavior.  Please see Larry Ullman’s blog for more information on that.

Then we get to the IdentityFactory.  Yii has a nice configuration system in place for its components, so I wrote some Identity components extending the standard Yii UserIdentity that was included with the Yii distribution. I have the login entry point call the identity factory, which checks a param in the config and returns an instance of the appropriate object.

These objects are where all authentication-type specifics happen.  Let's take a look at a simple flow diagram:

[Figure: Facebook auth flow]

So the IdentityFactory chooses which identity we’re using based on the config.  It will send the request over to the FacebookIdentity, which gets all the info needed for the UserIdentity class to query the database, update information there, and then set the user session.
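
An added sketch of the factory step described above (not the post's own code, and written without Yii so it runs stand-alone): the class bodies, the `authType` key, the `$fetchUserId` callable standing in for the SDK, and the user table are all assumptions. It treats the config value as a key into an allowlist rather than as a class name, and fails closed when no Facebook user id comes back or the id maps to no local user.

```php
<?php
// Added example; all names and values below are constructed for illustration.
abstract class UserIdentity
{
    public $id = null;                       // local user id once authenticated
    abstract public function authenticate(); // true only on success
}

class FacebookIdentity extends UserIdentity
{
    private $fetchUserId;                    // stand-in for the SDK's "current user" call
    private $users;                          // stand-in for the user table: fbId => localId
    public function __construct($fetchUserId, array $users)
    {
        $this->fetchUserId = $fetchUserId;
        $this->users = $users;
    }

    public function authenticate()
    {
        $fbId = (string) call_user_func($this->fetchUserId);
        // Fail closed: no id means no valid token (for example, an expired one).
        if ($fbId === '' || $fbId === '0' || !isset($this->users[$fbId])) {
            return false;
        }
        $this->id = $this->users[$fbId];
        return true;
    }
}

class IdentityFactory
{
    // Allowlist: the config value selects an entry, it is never used as a class name.
    private static $types = array('facebook' => 'FacebookIdentity');
    public static function create(array $params, $fetchUserId, array $users)
    {
        $type = isset($params['authType']) ? $params['authType'] : '';
        if (!isset(self::$types[$type])) {
            throw new InvalidArgumentException('Unknown authType in config');
        }
        $class = self::$types[$type];
        return new $class($fetchUserId, $users);
    }
}

// Constructed input: config param, a fake SDK call, and a two-row user table.
$users = array('1000001' => 7, '1000002' => 9);
$ok = IdentityFactory::create(array('authType' => 'facebook'), function () { return '1000001'; }, $users);
$expired = IdentityFactory::create(array('authType' => 'facebook'), function () { return 0; }, $users);
var_dump($ok->authenticate(), $ok->id, $expired->authenticate());
```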

The more interesting part is the connection between FacebookIdentity and the Facebook SDK.  For this I made use of a Yii extension.  I used yii-facebook-opengraph, which, while not the most mature of Facebook Connect extensions, is the most actively developed and the closest to functional.  (Last year Facebook made a huge change to their SDK which is not at all backwards compatible, so they broke most extensions that exist, and most developers did not update their extensions.)  This extension only needed one method added to help deal with the Facebook problem with access tokens.


    // had to add this function to deal with PHP's poor handling of expired access tokens
    public function setAccessToken($access_token)
    {
        return $this->_getFacebook()->setAccessToken($access_token);
    }
