Login with Facebook and User Registration in a Mobile App

I have an Android application that allows users to use it with their Facebook accounts. For this purpose, I have integrated Facebook login. However, I am confused about user registration via Facebook.

When the user logs in, Facebook provides a userId, email and access token. I can use them to create an account for the user at my back-end. Let's demonstrate the scenario:

User comes first,

    1- The user logs in with Facebook.
    2- The email is checked by the server, which returns no such user.
    3- An account is created from the information provided by Facebook.
    4- The user keeps using the app with this account.

User comes again,

    1- The user logs in with Facebook.
    2- The email is checked by the server, which returns that the user already exists.

Right here, these are the questions:

1- How can the server trust that the request really comes from Facebook, so that the server can respond to the app "he can log in"? To be sure, should I verify the access token by connecting to Facebook on the server side too?

2- If not, how can a user be registered using Facebook login in a very safe way?

A similar question has been asked here, but there is no answer as a solution.

anL asked Jan 20 '18 15:01


1 Answer

I have researched and finally decided to apply the following steps:

1- The app logs in with Facebook and gets the access token, e-mail, name and userId.

2- The app connects to the API (the server side) and sends the information gathered from Facebook.

3- The server gets the access token and verifies it by using the following:

https://graph.facebook.com/me?access_token={ACCESS-TOKEN}

It returns the following:

{"name":"{USER-NAME}","id":"{USER-ID}"}

4- The server checks whether both user ids are the same. If they are, it has verified that the token is from Facebook and the information can be used for login/register.

5- The server checks whether the email/user id (fb id) exists in the system. If it doesn't, a user is created (the register process is triggered). If it does, login is set as success and the server returns the user information with a newly generated access token and refresh token.

6- All other operations are performed using those access and refresh tokens, following the OAuth approach, without connecting to Facebook again.

Every time the app is opened, AccessToken.getCurrentAccessToken() brings the access token from Facebook. If it is null, the user will see the login screen. If it is not, the steps above are applied.

Good Questions and Answers Related to This Topic:

REST API for website which uses Facebook for authentication

Architecture Design - REST API to support Facebook Login done by Mobile app

About already existing users, merging operations, and data structure suggestions from Facebook itself:

Essential Guides of Facebook

Using Facebook Login with Existing Login Systems

anL answered Oct 15 '22 12:10
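The server-side part of the flow above (steps 3 to 6) as an added example; this is not the answerer's code but a hypothetical Python service that calls Graph's `/me` with the app-supplied token, compares the ids, registers or logs in, and issues its own tokens. It requests `fields=id,name,email` so the e-mail is taken from Facebook's reply rather than from the client, and `constructed_graph_stub` is a constructed offline stand-in for the real Graph call.

```python
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

GRAPH_ME = "https://graph.facebook.com/me"


def fetch_me_from_facebook(access_token):
    """Real Graph API call: decoded JSON of /me for this token (HTTP 400 if invalid)."""
    query = urllib.parse.urlencode({"fields": "id,name,email", "access_token": access_token})
    with urllib.request.urlopen(GRAPH_ME + "?" + query, timeout=5) as resp:
        return json.load(resp)


def constructed_graph_stub(access_token):
    """Constructed stand-in for the Graph call so the example runs offline."""
    if access_token == "good-token":
        return {"id": "12345", "name": "Test User", "email": "test@example.com"}
    raise urllib.error.URLError("invalid token")


class FacebookLoginService:
    """Hypothetical back-end implementing steps 3-6 of the answer with in-memory storage."""

    def __init__(self, graph_fetch=fetch_me_from_facebook):
        self.graph_fetch = graph_fetch
        self.users = {}     # facebook user id -> user record
        self.sessions = {}  # our own access token -> facebook user id

    def login_or_register(self, claimed_fb_id, fb_access_token):
        # Step 3: ask Facebook who the token belongs to instead of trusting the app's claim.
        # /me proves the token is valid and whose it is, not that it was issued to this app;
        # Facebook's /debug_token endpoint reports the app_id if that check is wanted too.
        try:
            profile = self.graph_fetch(fb_access_token)
        except (urllib.error.URLError, ValueError):
            return None
        # Step 4: the id Facebook reports must equal the id the app sent.
        if not isinstance(profile, dict) or profile.get("id") != claimed_fb_id:
            return None
        # Step 5: first sight registers, otherwise log in. Name and e-mail come from
        # Facebook's response, never from the client request body.
        user = self.users.get(claimed_fb_id)
        created = user is None
        if created:
            user = {"fb_id": claimed_fb_id, "name": profile.get("name"), "email": profile.get("email")}
            self.users[claimed_fb_id] = user
        # Step 6: issue our own access/refresh tokens; later API calls present these.
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[access] = claimed_fb_id
        return {"user": user, "created": created, "access_token": access, "refresh_token": refresh}
```

Comparing ids only shows that the token belongs to the claimed user; whether it was issued to your own app is a separate check that Facebook's debug_token endpoint answers.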