I have an existing Spring application in which I also wish to allow users to register / sign in through Facebook.

The Facebook sign-in is working fine, and is currently executed from the client using the Actionscript-Facebook API (which is essentially a wrapper for the Facebook JS API).

However, I'm unsure as to what is an appropriate approach for me to take in using the client-side authenticated session to authenticate against my own app server / session (i.e., the Spring session).

In my own application, the user registers/authenticates with an email address & password.

My first thought for a Facebook-authenticated solution is to use the Facebook email and secret values returned from the login call. These would be stored in my database when the user performs registration via Facebook (or specifically, a hash of the secret), and used to authenticate during login in the same manner as a regular login.

However, I'm unsure of what the secret value actually is, and whether it's appropriate to use in this scenario. (The Facebook API seems unclear about what the return values of the login call actually mean.)

  • Is this value bound to the user, or the session?
  • Does this value change, should the user change their password on Facebook?
  • Is this an appropriate value to store a hash of?

Finally, is there a more appropriate way of achieving this task?