User signup workflow for Oauth authorisation

PS: I understand the concept of OpenID authentication and Oauth authorization (i think). And i am using facebook as an example of Oauth

It has been a trend for Websites to asked you to "signup" by "login with facebook" but during the signup workflow (after receiving permission and member info from your facebook account) they still ask you to pick a user开发者_如何学运维name and password. Which creates a local user and "links" that user to said facebook account.

But now i noticed during the signup process for websites like buzzfeed and even stackoverflow, they seem to be doing full authentication with facebook. You grant the website permission to you facebook account, and you are now logged in (as sort of a facebook user)

update (corrected authorization to authentication): Does this mean facebook connect now does "authentication"? and does this mean users are no longer stored locally?

In the case of stackoverflow, I think they create user account internally, however they create username on behalf of the user - like user1243534, if the user does not specify his own. This internal account is used to store all stackoverflow related information for the user, that does not exist in facebook (or other provider) - reputation, questions, answers, everything.

If in your case, your web application does not need to story ANY data related to the user, except session with some session temporary variables (that he is logged in with facebook, his facebook name, etc.), then you can omit local user storage and accounts. In that case your application will lose any data related to the user, when his current session expire.

However, if you want to store whatever data in regard to your users, e.g. how many times he logged in, what language he prefers, persistent settings, or anything that is not stored in the provider, you should create your local user account.

Your first question: Yes, facebook is authenticating each time the user wants to log in, if no other authentication process is provided.

Your second question: Depends if you'd like to store user data for more time than the session duration (user data that is not taken from provider).