Reputation: 11
I want to implement in my app normal registration/login without FB and also provide an FB login/registration. Now my question is how it should be done. Like, without FB I'm using email and password. With FB I'm using what? FB ID, email, token?
And now the second question. When I register with FB I cannot get the password of a user and store it in my database, right? So does this mean that when a user registers using FB he will not be able to log in using the normal email and password from his Facebook account, because I cannot set the password he is using for Facebook login?
What is a good practice to handle both logins?
Upvotes: 0
Views: 95
Reputation: 74004
With FB Login, the best way imho is to store the (App Scoped) ID of the user and present a form for the user where he can put in his personal data (email, name, ...). You can prefill the name, but you should ALWAYS present the data to the user before storing it.
That means there are 2 ways:
When he comes back and logs in with his FB account, you can check whether he is in the database already, using only the FB ID.
Never store the access token unless you REALLY need it. It's only valid for 2 hours (or 60 days if you extend it) anyway.
For security reasons, you should re-check/confirm the ID of the user on the server. You get an access token in the login process, transfer that one to the server and call the Graph API to get the user ID (/me would be the API endpoint for that).
Upvotes: 1
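Here is an added, self-contained sketch of the flow the answer describes (not code from the question or the answer): password accounts hashed with PBKDF2, Facebook accounts keyed only by the app-scoped ID, a server-side `/me` check of the token before anything is trusted, a profile-confirmation step before the prefilled data is stored, and no access token ever written to the database. The Graph API is replaced by a constructed stand-in (`fake_graph_get`, `FAKE_TOKENS`) so it runs offline; the table layout and function names are this example's own assumptions.

```python
import hashlib
import hmac
import os
import sqlite3


def open_store():
    """In-memory user table; a real app would use its own database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE users (
               id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT,
               salt BLOB, password_hash BLOB, fb_id TEXT UNIQUE)"""
    )
    return db


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register_with_password(db, email, name, password):
    salt = os.urandom(16)
    cur = db.execute(
        "INSERT INTO users (email, name, salt, password_hash) VALUES (?, ?, ?, ?)",
        (email, name, salt, hash_password(password, salt)),
    )
    return cur.lastrowid


def login_with_password(db, email, password):
    row = db.execute(
        "SELECT id, salt, password_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    # Unknown email, or an FB-registered account that simply has no password.
    if row is None or row[2] is None:
        return None
    uid, salt, stored = row
    return uid if hmac.compare_digest(stored, hash_password(password, salt)) else None


def verify_facebook_token(access_token, graph_get):
    """Server-side confirmation: ask the Graph API who this token belongs to.
    graph_get(path, params) stands in for an HTTPS GET to graph.facebook.com."""
    profile = graph_get("/me", {"access_token": access_token, "fields": "id,name,email"})
    if not profile or "id" not in profile:
        return None
    return profile


def login_with_facebook(db, access_token, graph_get, confirmed=None):
    """Look the user up by app-scoped ID only; the token itself is never stored."""
    profile = verify_facebook_token(access_token, graph_get)
    if profile is None:
        return {"status": "rejected"}
    fb_id = profile["id"]
    row = db.execute("SELECT id FROM users WHERE fb_id = ?", (fb_id,)).fetchone()
    if row:
        return {"status": "logged_in", "user_id": row[0]}
    if confirmed is None:
        # First visit: show the prefilled form, store nothing yet.
        return {
            "status": "confirm_profile",
            "prefill": {"name": profile.get("name", ""), "email": profile.get("email", "")},
        }
    cur = db.execute(
        "INSERT INTO users (email, name, fb_id) VALUES (?, ?, ?)",
        (confirmed["email"], confirmed["name"], fb_id),
    )
    return {"status": "registered", "user_id": cur.lastrowid}


# Constructed stand-in for the Graph API so the example runs offline.
FAKE_TOKENS = {
    "tok-alice": {"id": "10001", "name": "Alice Example", "email": "alice@example.com"},
}


def fake_graph_get(path, params):
    if path == "/me":
        return FAKE_TOKENS.get(params.get("access_token"))
    return None
```

The `confirm_profile` branch is where the answer's "always present the data before storing it" lands: the server returns the prefilled fields and only writes a row once the user has submitted them. An account created this way has `password_hash` NULL, so `login_with_password` refuses it, which is the behaviour the second question asks about.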