Facebook login to existing user database, and access tokens

Question

Trying to add facebook login to an existing login system on a project I am working on. Built with angular, using the FB JS SDK. This is primarily to allow frictionless login, and not currently that fussed about using the access tokens to make further calls with the FB API.

So as a new user, they hit the FB login, accept permissions etc, and it fires me back an access token etc. The new user is created in my DB, along with the accesstoken, FB userid, etc.

How do I now authenticate the user with the userid and accesstoken now stored in my DB? As far as I can see, the access token changes on virtually every page load / request, so next time the user hits the FB login, or I check the FB login status the only constant thing I have is the userid.

Have done various reading on SO and FB docs eg:

https://developers.facebook.com/docs/facebook-login/web https://developers.facebook.com/docs/facebook-login/multiple-providers https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken

How should a Facebook user access token be consumed on the server-side?

... although that has only served to confuse things further.

I imagine I would take that stored accesstoken then check its validity, however due to the various instances of access tokens expiring and being invalidated, this also seems like an incomplete solution.

So my question: How do I securely authenticate my FB users with their counterpart user in my own DB?

Answer 1

The Facebook login request returns user id + short lived access token (client side).

Use the server side Facebook SDK to check the validity of the access token (will return user_id and app_id fields if valid).

You can trust the user_id field returned from the Facebook API to check against your existing user database.