如何安全地将Facebook ID从客户端传递到服务器(How to pass Facebook Id from client to server securely)

 我有一个Facebook的画布应用程序。 我使用JS SDK在浏览器端对用户进行身份验证，并通过FB.api（例如姓名，朋友等）请求各种信息。 
 
 我还想通过发出ajax调用来将一些额外的用户信息（不在Facebook上）保存到服务器上的数据库中： 
 
{ userFavouriteColour: "Red" }
 
 为了将其保存在服务器上并与正确的用户相关联，我需要知道Facebook的uid，这就提出了一个问题。 我如何将客户端的uid传递给服务器。 
 
 选项1：将uid添加到ajax请求中 ： 
 
{ uid: "1234567890",
  userFavouriteColour: "Red" }
 
 这显然不好。 任何人使用其他人的Facebook ID向我的网络服务发出ajax请求并改变他们最喜欢的颜色是微不足道的。 
 
 选项2：在服务器上，从cookie中提取uid ：这甚至可能吗？ 我读过Facebook设置了一个包含uid和访问令牌的cookie，但是我有权访问我的域上的这个cookie吗？ 更重要的是，我可以安全地从cookie中提取uid，或者可以像选项1那样公开欺骗。 
 
 选项3：服务器上的用户服务器端身份验证 ：我可以使用服务器端身份验证来验证服务器上的用户身份。 但是，如果我已经在浏览器上使用客户端身份验证，这将工作吗？ 我最终会得到两个不同的访问令牌吗？ 我想从浏览器发出FB.api请求，所以我需要客户端上的访问令牌（不只是在服务器上）。 
 
 这一定是非常普遍的情况，所以我认为我错过了一些基本的东西。 我已经阅读了大量的Facebook文档（各种认证流程，访问令牌，signed_request等）和许多帖子，但我仍不明白客户端身份验证和服务器端身份验证如何良好地结合在一起。 
 
 总之，我想知道用户在服务器上的身份，但仍然从客户端浏览器向Facebook API发出请求？ 
 
 （我正在使用ASP.NET和服务器上的Facebook C＃SDK） 
 
 编辑 ：增加赏金。 我希望得到一个更明确的官方建议如何处理这种情况，甚至是一个例子。 如上所述，我已经阅读了很多关于认证流程的官方FB文档，但我仍然无法找到关于客户端和服务器端认证如何协同工作的任何明确信息。 

I have a Facebook canvas app. I am using the JS SDK to authenticate the user on the browser-side and request various information via FB.api (e.g. name, friends, etc.).
 
I also want to persist some additional user information (not held on Facebook) to the database on my server by making an ajax call:
 
{ userFavouriteColour: "Red" }
 
To save this on the server and associate with the correct user, I need to know the Facebook uid and this presents a problem. How do I pass the uid from the client to the server.
 
Option 1: Add uid to the ajax request:
 
{ uid: "1234567890",
  userFavouriteColour: "Red" }
 
This is obviously no good. It would be trivial for anyone to make an ajax request to my web service using someone else's Facebook Id and change their favourite colour.
 
Option 2: On the server, extract the uid from a cookie: Is this even possible? I have read that Facebook sets a cookie containing the uid and access token but do I have access to this cookie on my domain? More importantly, can I securely extract the uid form the cookie or is this open to spoofing just like option 1.
 
Option 3: User server-side authentication on the server: I could use the server-side authentication to validate the user identity on my server. But will this work if I am already using client-side authentication on the browser? Will I end up with two different access tokens? I would like to make FB.api requests from the browser so I need the access token on the client (not just on the server).
 
This must be a very common scenario so I think I'm missing something fundamental. I have read a lot of the Facebook documentation (various authentication flows, access tokens, signed_request, etc.) and many posts on SO, but I still don't understand how client-side authentication and server-side authentication play nicely together.
 
In short, I want to know the user's identity on the server but still make requests to the Facebook api from the client browser?
 
(I am using ASP.NET and the Facebook C# SDK on the server)
 
EDIT: Added bounty. I was hoping to get a more deifnitive, official recommendation on how to handle this situation, or even an example. As said, I have already read a lot of the official FB docs on authentication flows but I still can't find anything definitive on how client-side and server-side authentication work together.

原文：https://stackoverflow.com/questions/10738068