My vote would be: both!
Since a facebook canvas is simply an iframe to your own site, you could let users play it both ways. For players who found your game through FB and who enter it by clicking their FB app menu, they will play in the canvas. For players who found your game outside of facebook, they can login directly.
But I guess my real vote is for "canvas" because I think that people who enter through facebook feel better about privacy and safety when the app is displayed inside FB, rather than going to "some third party site". Users feel safer within FB, I think.
A usability difference would be that when your site is viewed through the canvas, you would redirect non-logged-in users to the FB login page. When your site is viewed directly, you would redirect to your own login page which could include a FB login button.
In both cases you can get the login url from the PHP-SDK using $fb->getLoginUrl(). For the canvas just directly redirect to it: output a <script>window.location.top = loginurl;</script>. you need to do this with JS to redirect the top frame, not the iframe.
Otherwise you can output a FB login button which is actually just a link to the getLoginUrl. You can also use the JavaScript SDK to make a button that opens a login popup. Then you can detect the JS event that signals that the user has logged in.
The options to getLoginUrl are relevant: give it the "cancel_url" and "next", which are the URIs where the FB login will redirect to next. For canvas, you want it to go to your canvas uri (apps.facebook.com/blah/).
Poll