I wasn't planning on signing up at all—to my knowledge, nothing about this single-page-app requires a session at all.
The risk here is that I don't want the app creator to know my name. It's that simple—I don't know them, I don't trust them, I trust them less now that they ask for completely unnecessary information. Let's say traffic to this site is linked with lower credit scores: it's naturally absurd that the two are causally related, but it's a reality that I have zero control over how my traffic data relates to how companies use it. All I can do is reduce my traffic data from getting into their hands where I can help it.
>nothing about this single-page-app requires a session at all.
The app saves you the gifs you like/disliked that requires a session. Now you could say the app doesn't have to save that information, but then I'd say it's a toy app so it doesn't have to do anything. The creator wanted it to save your history, therefore it requires a session.
Let's say it requires a regular email login instead of facebook (in order to support password reset). If you're using an anonymous email that you've been careful never to accidentally associate with your name, then yeah you could keep the app creator from knowing your name.
If like most people you just use your regular email address, it's trivial to get your name with a quick google search.
>Let's say traffic to this site is linked with lower credit scores
If you're really worried about that, then you should probably have an entire fake virtual identity to handle things like this.
I hope you realize the irony of "protecting your identity" when you link your Github on HN (that has your real name) and which, in turn, links to your resume, portfolio, personal website, and (presumably) private email address.
My email address isn't private, and I am OK with these comments being linked to my real identity. But—and this is important—I elected to do that.
It's far more of a dick to force your users to reveal their identity.
EDIT: to be clear, OP is not a dick, but there should be a non-session or non-sso signin option (as there is now) if I want to preserve anonymity for what is essentially a (polished) toy.
As a non-facebook user, I would enjoy just being able to try the service. Email I have so that would be enough for me and I guess a lot of other people as well.
Why would anyone want to trust their precious personal information including real name, photograph, and friend list to some random guy from the internet? Would you publish it on reddit? On NH? On shady anonymous forums?
All of that information is already public. Anyone can get it from facebook (not just your friends), why would you care if already public information gets reposted?
Also the app didn't request access to your friends list.
If the app requires an email login, they could search for the email and for the vast majority of people it would return enough information to locate their facebook profile.
That's beside the point though. You're worried that a random person on the internet has access to publicly available information that the entire internet already has access to.
The only extra information you're giving out to the owner of the site by logging in with facebook is that you are a user of this site. The worse thing the owner can do is publish that fact.
That is the only foreseeable risk. I can't imagine enough people are concerned with that risk to make it worth most developer's time to address.
The risk here is that I don't want the app creator to know my name. It's that simple—I don't know them, I don't trust them, I trust them less now that they ask for completely unnecessary information. Let's say traffic to this site is linked with lower credit scores: it's naturally absurd that the two are causally related, but it's a reality that I have zero control over how my traffic data relates to how companies use it. All I can do is reduce my traffic data from getting into their hands where I can help it.