In a facebook app, with SDK3. My question is, while using facebook 's process to log on to my app, do app be secure and need a way like user name password. The general website is a password verification and app isn't. No, no, no, no, no.
If you know oauth authentication, then you know that this is a very secure authentication mechanism, and it isn't necessary to add a authentication method on this. After all, the user uses oauth authentication to don't enter the password.
The difference between oauth and openid is that the former is primarily a secure resource access interface for user fully controllable ( user authorization ), which is a special login authentication protocol that can only be used to log on authentication.
We use oauth protocol to log in, just using the
checkUser interface in its many interfaces. And the interface that app needs to use is much more. So third party logins can also be seen as an app, except that you use oauth 's user authentication interface, not knowing that you understand it.