I'm developing an App which uses Facebook to authenticate. So far, what I have is the following:
1. Client->FB: authentication data (fb user & password),
2. FB->Client: FB id, FB token,...
3. Client->AppServer: FB data (id, token,..)
4. AppServer->Client: OK/Not OK, whatever necessary data.
Where:
- Client: The App installed in the user's device (in this case, iOS),
- FB: FB server (the client talks to it through FB's SDK),
- AppServer: My App's server.
The point of all this is to validate if the user is real. The problem is that in #3 the Client could be sending a random FB id or FB token to the AppServer, so the question is: is there any way to check in the AppServer whether this FB data is indeed real?
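
One way the AppServer can check the data received in step 3, as an added example that is not part of the original post: pass the client's token to Facebook's Graph API `debug_token` endpoint in a server-to-server call and accept the login only if Facebook says the token is valid, was issued to this app, and belongs to the FB id the client claimed. The function names, app id, user ids and sample responses are constructed placeholders.

```python
import json
import time
import urllib.parse
import urllib.request

GRAPH_DEBUG_URL = "https://graph.facebook.com/debug_token"

def fetch_debug_token(input_token, app_access_token):
    """Server-to-server call: ask Facebook to describe the token the client sent.
    app_access_token is the app's own token and never leaves the server."""
    query = urllib.parse.urlencode(
        {"input_token": input_token, "access_token": app_access_token})
    with urllib.request.urlopen(f"{GRAPH_DEBUG_URL}?{query}", timeout=10) as resp:
        return json.load(resp)

def check_debug_token(payload, expected_app_id, claimed_user_id, now=None):
    """Return (ok, reason). Only Facebook's answer is trusted, not the client's claims."""
    now = time.time() if now is None else now
    data = payload.get("data") or {}          # an error response has no "data"
    if not data.get("is_valid"):
        return False, "token rejected by Facebook"
    # The token must have been issued to this app, not to another app
    # the same user happened to log into.
    if str(data.get("app_id")) != str(expected_app_id):
        return False, "token issued for a different app"
    # The FB id sent by the client must be the one Facebook ties to the token.
    if str(data.get("user_id")) != str(claimed_user_id):
        return False, "user id does not match token"
    expires_at = data.get("expires_at", 0)
    if expires_at and expires_at <= now:      # 0 is treated here as "no expiry"
        return False, "token expired"
    return True, "ok"

def verify_login(claimed_user_id, user_token, app_id, app_access_token):
    """What the AppServer runs on step 3 before answering OK/Not OK."""
    payload = fetch_debug_token(user_token, app_access_token)
    return check_debug_token(payload, app_id, claimed_user_id)

# Constructed sample responses (shape of the "data" object, values invented).
SAMPLE_VALID = {"data": {"app_id": "1234567890", "user_id": "1000001",
                         "is_valid": True, "expires_at": 2000000000}}
SAMPLE_OTHER_APP = {"data": {"app_id": "9999999999", "user_id": "1000001",
                             "is_valid": True, "expires_at": 2000000000}}
SAMPLE_INVALID = {"data": {"is_valid": False}}
```

A network or HTTP error from `fetch_debug_token` raises an exception, so the caller should treat any exception as "Not OK" rather than falling through to success.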