The JS API’s FB.login method returns a response with a dictionary of user info, including the user id. That exists client-side in the JS api.
If this is going to be sent back to the server running the facebok canvas app, the server has to trust the user id hasn’t been tampered with. As there is no signed checksum that comes back with the response, I can’t see how this can be guaranteed.
I can see how you could take the user ID from the POST signed request and store that in a session, but that doesn’t seem quite right. I’m sure there’s a method for doing this securely that’s less baroque than that.
Ideas?
You should use the Server-Side authentication for the server.
When the user loads your app and has yet to authenticate you send him to the auth dialog, when he returns you get a code which you then exchange against the facebook servers to get an access token back, you can then query the graph api for “/me” and get the user data, since you get it from the facebook servers you know it’s ok.
In addition, when facebook POSTS to your canvas url you get a signed request which was signed using your app secret, after you decode it you can then check it against your secret key to verify it’s authenticity.
In addition the signed request has the user id so you know that’s secured as well.
I recommend using both the server side authentication and the client side one, you get different tokens (server is 60 days long, and the client is a few hours) and you can use them both.