I would very much like to use the Facebook Developer Toolkit to authenticate users at my service, allowing anyone to sign up using their Facebook accounts.
My app should work both in and out-of-browser and I already have a fully working prototype that works properly and I'm able to query the user profile and retrieve the friends list. The problem comes when I want to communicate back to my own server.
On the Silverlight client, after authentication, I can access a unique identifier for the Facebook account. This would probably be the best mechanism for a unique ID in my own service. My own service allows users to store various data in a database using WCF RIA Services.
Now the problem is this: Anyone can manipulate the data that is transported between the Silverlight client and the service. This means anyone could potentially manipulate the unique UserId and gain access to other people's data. How should I go about fixing this, or is this really a non-issue and there is a way for the Facebook Developer Toolkit to parse the Facebook cookies that were written during authentication, in a similar manner as I'm doing on the client in Silverlight?
Suggestions? Pointers? Any help is appreciated =)
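
The concern in the post, sketched as an added example (not part of the original post and not Facebook Developer Toolkit code): the server derives the user id from data Facebook signed with the app secret instead of trusting a UserId sent by the client. It assumes the client can forward Facebook's `signed_request` value to the service; the class name, method names and sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web.Script.Serialization; // System.Web.Extensions.dll

public static class FacebookIdentity
{
    static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s + new string('=', (4 - s.Length % 4) % 4));
    }
    static string ToBase64Url(byte[] b)
    {
        return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
    // The signature covers the still-encoded payload string, keyed with the app secret.
    static byte[] Sign(string encodedPayload, string appSecret)
    {
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(appSecret)))
            return hmac.ComputeHash(Encoding.ASCII.GetBytes(encodedPayload));
    }
    // Returns the user id vouched for by the signature, or null if verification fails.
    public static string VerifiedUserId(string signedRequest, string appSecret)
    {
        string[] parts = (signedRequest ?? "").Split('.');
        if (parts.Length != 2) return null;
        try
        {
            byte[] given = FromBase64Url(parts[0]), expected = Sign(parts[1], appSecret);
            int diff = given.Length ^ expected.Length; // compare without early exit
            for (int i = 0; i < given.Length && i < expected.Length; i++) diff |= given[i] ^ expected[i];
            if (diff != 0) return null;
            var data = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(
                Encoding.UTF8.GetString(FromBase64Url(parts[1])));
            object alg, uid;
            if (!data.TryGetValue("algorithm", out alg) || (alg as string) != "HMAC-SHA256") return null;
            return data.TryGetValue("user_id", out uid) ? Convert.ToString(uid) : null;
        }
        catch (FormatException) { return null; } // malformed base64url
    }
    public static void Main()
    {
        const string secret = "constructed-app-secret"; // constructed sample, not a real secret
        string payload = ToBase64Url(Encoding.UTF8.GetBytes(
            "{\"algorithm\":\"HMAC-SHA256\",\"user_id\":\"1001\"}")); // constructed payload
        string tampered = ToBase64Url(Encoding.UTF8.GetBytes(
            "{\"algorithm\":\"HMAC-SHA256\",\"user_id\":\"1002\"}")); // id changed in transit
        string sig = ToBase64Url(Sign(payload, secret));
        Console.WriteLine(VerifiedUserId(sig + "." + payload, secret) ?? "rejected");
        Console.WriteLine(VerifiedUserId(sig + "." + tampered, secret) ?? "rejected");
    }
}
```

In the domain service, every query would be keyed on the id this check returns, and any UserId field sent by the client would be ignored. The sketch does not check token age, so a production check would also reject payloads whose issue time is too old.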