For my facebook app i need to store user-records on the server side. Because the data should be anonymized i don’t want to store the user-id. I found out that the third-party-id should be what i’m looking for (user can request his data but it’s not possible to get the user based on the data).
But now my Questions regarding the third-party-id:
- The id seem to be dependend on the used access token. But when i use the user-access token (which expires) will the third-party-id change when the user gets a new token?
- Is it common to received it via an app-access-token?
- I tried it in the graph-api-explorer where I was able to find users based on the third-party-id. Why is this possible and how can I prevent it?
Thanks in advance
No the third party ID is not dependent to your access token. The user access token is a temporary key that allow access to permanent data, such as the name, or the third party ID.
By the way you can test it yourself by generating a third pary ID on your account for your App, record both the ID and the token used to get it, uninstall your own app via the page http://www.facebook.com/appcenter/my , and finally reinstall your App. You will see a new token ginving access to the same old ID.
I don’t understand what you mean by receiving it via an app-access-token. App access tocken do not give access to users’ data.
Finally, you don not have to do anything to prevent it. Facebook got you covered. While using the third party ID instead of the user ID is a good idea for extra security, the third party ID has been introduced for cases where your Facebook unique identifier is not totally invisible.
You were able to find a user based on his third party ID because you own the Facebook App that generated this ID. A user has as much third party ID that he has installed App, and they are all different and only only works with the App that generated it. So your server side user record is safe because the IDs it contains would not be of any use to something else than your app.