I have a client (HTML+JavaScript) and a server (ASP MVC) and I need to provide a user some private information. To achieve that I need to verify that
I want to use FB authentication. It looks pretty straightforward but has a flaw which I am sure people can tell me how to solve, or what I am missing.
How can my server know the email and name of the authenticated user? My understanding is that the client should not send the email and name to the server (it can be hacked and cannot be trusted); instead the client should send the received access token, which the server should use to get the user's email and name on the server side. Please explain, give me an example, or point me to a link on how I can achieve that on the server, as all my searches for that failed. One more time, my backend is ASP MVC.
On the server, make a call to the Graph API:
https://graph.facebook.com/me?fields=name,email
Use the Access Token and you will get the correct data:
https://graph.facebook.com/me?fields=name,email&access_token=xxx
Btw, you should also read this: https://developers.facebook.com/docs/graph-api/securing-requests
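A server-side version of that call for an ASP.NET MVC backend, as an added example that is not part of the original answer. It assumes the app secret is read from a hypothetical `Facebook:AppSecret` setting in web.config, uses Newtonsoft.Json for parsing, and adds the `appsecret_proof` parameter described in the securing-requests page linked above.

```csharp
using System;
using System.Configuration;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using System.Web.Mvc;
using Newtonsoft.Json.Linq;

public class FacebookAuthController : Controller
{
    // Hypothetical config key; the app secret stays on the server and is never sent to the client.
    private static readonly string AppSecret = ConfigurationManager.AppSettings["Facebook:AppSecret"];
    private static readonly HttpClient Http = new HttpClient();

    // appsecret_proof = hex(HMAC-SHA256(access_token)) keyed with the app secret.
    // With "Require App Secret" enabled, Graph rejects calls that carry a token but not this proof.
    public static string ComputeAppSecretProof(string accessToken, string appSecret)
    {
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(appSecret)))
        {
            byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(accessToken));
            return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
        }
    }

    // The client POSTs only the access token it got from the Facebook SDK.
    // Name and email are fetched from Graph here, so the client cannot spoof them.
    [HttpPost]
    public async Task<ActionResult> Login(string accessToken)
    {
        if (string.IsNullOrEmpty(accessToken))
            return new HttpStatusCodeResult(400, "Missing access token");

        string url = "https://graph.facebook.com/me?fields=name,email"
                   + "&access_token=" + Uri.EscapeDataString(accessToken)
                   + "&appsecret_proof=" + ComputeAppSecretProof(accessToken, AppSecret);

        HttpResponseMessage response = await Http.GetAsync(url);
        if (!response.IsSuccessStatusCode)
            return new HttpStatusCodeResult(401, "Facebook rejected the token"); // invalid or expired

        JObject me = JObject.Parse(await response.Content.ReadAsStringAsync());
        string name = (string)me["name"];
        string email = (string)me["email"]; // null if the user did not grant the email permission

        // Create your own session (e.g. FormsAuthentication) keyed on the Graph-verified email;
        // the Facebook token itself does not need to be stored.
        return Json(new { name, email });
    }
}
```

Treat a null email as "not verified" rather than falling back to anything the client sent.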