
Stormpath Authentication with Facebook token to get Facebook ID?


We are not storing any user credentials in Stormpath; we only need Stormpath to authenticate the user for us.

Here's my scenario: I created a Facebook Directory in Stormpath, and a user signed up through Facebook and created an Account in the Directory. The next time the same user logs in via Facebook, we retrieve the account and see that it's an existing (not a new) account.

My question is: Is only getting to know the user account (new or existing one) a valid process to authenticate the user? Is there any way that Stormpath can return the Facebook ID of the user when Stormpath authenticates the user the second time?

Major concerns for me are:

What are valid or secure ways of authenticating a user each time they log in via Facebook?


Solution

  • If I am understanding your question correctly, during the login process using Facebook, you want to get the user's Facebook ID. Stormpath only returns the Facebook Access Token, but you can use this to get the Facebook ID easily.

    When you log in to Stormpath with Facebook, a POST request is made to the Stormpath API. The request that is made will look like the following:

    {
        "providerData": {
          "providerId": "facebook",
          "accessToken": "USER_ACCESS_TOKEN_FROM_FACEBOOK"
        }
    }
    

    If you are working with an SDK, after logging in, the POST request to the accounts endpoint will happen automatically. If you are using the REST API only, you will have to send a POST request to the accounts endpoint manually.

    Once the request is complete and if all worked, you will be supplied with a Stormpath Account object. When you get this back, you will be able to get the providerData from the object which will include the Facebook Access Token. Reference for this can be found in the documentation.

    Once you have an access token from the Provider Data, you can use the Facebook API to get access to any of the scopes your application allows.

    Disclaimer: I am an employee of Stormpath.
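One way to turn the access token from `providerData` into a Facebook ID on the server, as an added example that is not part of the original answer or Stormpath's own code: it calls Facebook's Graph API `debug_token` endpoint and accepts the `user_id` only when the token is valid, unexpired and issued to your app. The function names, the sample app ID and the sample response are constructed for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

GRAPH_DEBUG_URL = "https://graph.facebook.com/debug_token"

def fetch_debug_token(user_token, app_id, app_secret):
    """Ask Facebook to describe user_token. Server-side only: uses the app secret."""
    query = urllib.parse.urlencode({
        "input_token": user_token,                  # accessToken from providerData
        "access_token": f"{app_id}|{app_secret}",   # app access token form
    })
    with urllib.request.urlopen(f"{GRAPH_DEBUG_URL}?{query}", timeout=10) as resp:
        return json.load(resp)

def facebook_id_from_debug(response, expected_app_id, now=None):
    """Return the Facebook user ID only if the token is valid for our app."""
    data = response.get("data") or {}
    now = int(time.time()) if now is None else now
    if not data.get("is_valid"):
        raise ValueError("token rejected by Facebook")
    # A token minted for another app must not log a user in to ours.
    if str(data.get("app_id")) != str(expected_app_id):
        raise ValueError("token was issued to a different app")
    expires_at = data.get("expires_at", 0)
    if expires_at and expires_at <= now:            # 0 means no expiry
        raise ValueError("token expired")
    user_id = data.get("user_id")
    if not user_id:
        raise ValueError("no user_id in response")
    return str(user_id)

# Constructed sample of a debug_token response (not real account data).
SAMPLE = {"data": {"app_id": "1234567890", "type": "USER", "is_valid": True,
                   "expires_at": 1700003600, "user_id": "10000000000001"}}

if __name__ == "__main__":
    print(facebook_id_from_debug(SAMPLE, "1234567890", now=1700000000))
```

In production, pass the result of `fetch_debug_token(...)` to `facebook_id_from_debug(...)` and compare the returned ID with the one stored for the account.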