I have a mobile app that requires user login, with user accounts stored on my server. What is the best way to associate a user's account with their Facebook account?
For example, you can log in using the Facebook mobile SDK, then send the Facebook user ID to the server. However, I'm concerned that this means someone can send someone else's FB user ID (since those are public).
Instead, I send the access token, and retrieve the user ID on my server. This seems a bit inefficient, though, as I'm essentially doing two lookups - once on client for access token, then once on server.
Does it make better sense to do a double lookup, or just send the user ID directly? Or is there a better way?
The only secure way is to send the token to the server and have the server retrieve the user ID. This is how services such as StackMob and Parse work.
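As an added illustration of the answer above (this is example code, not part of the question or answer, and not StackMob's or Parse's implementation), here is the server-side half of that flow in Python. The client sends only the Facebook user access token; the server resolves it to a user ID through the Graph API `debug_token` endpoint, using the app access token (`app_id|app_secret`) that only the server holds, and refuses the token unless it is valid and was issued to this app. The function names, the `accounts` dict standing in for the user table, and the injectable `fetch` callable are assumptions made for the example; the `debug_token` response fields (`is_valid`, `app_id`, `user_id`) are the ones Facebook documents. The insecure variant that trusts a client-supplied ID is kept alongside for contrast.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

GRAPH_API = "https://graph.facebook.com"


def appsecret_proof(access_token: str, app_secret: str) -> str:
    """HMAC-SHA256 of an access token keyed with the app secret (Facebook's
    `appsecret_proof` parameter). A token stolen from a client cannot be
    replayed against the Graph API by someone who lacks the app secret."""
    return hmac.new(app_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()


def _http_get(url: str) -> bytes:
    """Default transport; replaced by a constructed fake when running offline."""
    with urlopen(url, timeout=10) as resp:
        return resp.read()


def verify_facebook_token(user_token: str, app_id: str, app_secret: str, fetch=_http_get) -> str:
    """Resolve a client-supplied user access token to a Facebook user ID.

    Raises ValueError if the token is invalid/expired, was issued to a
    different app, or carries no user. Only the server knows app_secret, so
    only the server can perform this lookup."""
    app_token = f"{app_id}|{app_secret}"  # app access token, server-side only
    query = urlencode({
        "input_token": user_token,
        "access_token": app_token,
        "appsecret_proof": appsecret_proof(app_token, app_secret),
    })
    raw = fetch(f"{GRAPH_API}/debug_token?{query}")
    data = json.loads(raw).get("data")
    if not isinstance(data, dict):
        raise ValueError("malformed debug_token response")
    if not data.get("is_valid"):
        raise ValueError("token is invalid or expired")
    # A valid token from *another* app an attacker controls must not be
    # accepted: it would let them log in as that token's user on our service.
    if str(data.get("app_id")) != str(app_id):
        raise ValueError("token was issued for a different app")
    user_id = data.get("user_id")
    if not user_id:
        raise ValueError("token carries no user_id")
    return str(user_id)


def link_facebook_account(accounts: dict, local_user: str, user_token: str,
                          app_id: str, app_secret: str, fetch=_http_get) -> str:
    """Secure linking: store only the ID the Graph API returns for the token."""
    fb_id = verify_facebook_token(user_token, app_id, app_secret, fetch)
    accounts[local_user] = fb_id
    return fb_id


def link_facebook_account_insecure(accounts: dict, local_user: str, claimed_fb_id: str) -> str:
    """The pattern the question worries about: the client asserts the ID.
    Facebook IDs are public, so anyone can claim anyone's here."""
    accounts[local_user] = claimed_fb_id
    return claimed_fb_id


def fake_graph(responses: dict):
    """Constructed stand-in for the Graph API so the example runs offline.
    `responses` maps an input token to the `data` object debug_token would return."""
    def fetch(url: str) -> bytes:
        token = parse_qs(urlparse(url).query)["input_token"][0]
        return json.dumps({"data": responses[token]}).encode()
    return fetch


if __name__ == "__main__":
    # Constructed sample tokens and Graph responses (not real Facebook data).
    graph = fake_graph({
        "tok-ok": {"app_id": "123", "is_valid": True, "user_id": "10001"},
        "tok-other-app": {"app_id": "999", "is_valid": True, "user_id": "10001"},
    })
    accounts = {}
    print(link_facebook_account(accounts, "alice", "tok-ok", "123", "s3cret", fetch=graph))
    try:
        link_facebook_account(accounts, "mallory", "tok-other-app", "123", "s3cret", fetch=graph)
    except ValueError as e:
        print("rejected:", e)
```

The "double lookup" the question mentions is the cost of this: the client already exchanged the token once, and the server exchanges it again. That second exchange is the whole point, because it is the only one the server witnessed. If the client-side lookup is only needed to show the user their own name, it can be dropped and the server's answer returned instead.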