2

We are building a web application and right now we are in the stage of deciding how to keep track of our users. Our default option is to maintain our own user registration system, which is a lot of headache (user name uniqueness, registration process, etc.).

As an alternative we can use people's Facebook identity, meaning they will log in to our system using their Facebook email and password. Then our back-end will fetch the user's Facebook id (Graph id) and store it in the DB. Any data that the user changes/uploads to the application will be linked to this id.

The question is: can we trust the id as a permanent identifier and build a complex back-end around it? How can we be sure that Facebook won't change someone's id?

Do other identity management systems like Azure Access Control rely on this id?

Yaron Levi

1 Answer

4

Facebook's platform policy discourages using user ids for anything except internal use. So, if you were planning to have a profile page whose URL was something like /users/, it would probably violate Facebook's privacy expectations. You're better off making a Users table with a surrogate primary key and including their Facebook id as a non-primary column.

Additionally, you might run into an instance where a user loses access to their old Facebook account and wants to associate their account on your site with a new Facebook identity. If you use their Facebook id as a foreign key in several tables, you have unnecessarily tangled their old Facebook id with your application's data.

tuxedo25
  • I didn't quite get what you said about "making a Users table with a surrogate primary key". You suggest, for example, that in our User table the primary key will be some generated GUID that will be handed out to the user, so he can be identified in case something goes wrong with his Facebook account? But what happens if he forgets the GUID? (We can't send him an email because he didn't enter one, and if he did, it's actually a regular user management system, but instead of a username you get a generated GUID.) – Yaron Levi Jul 23 '11 at 23:51
  • That's a good point. If you wanted to support my hypothetical situation where a user loses access to their facebook account, you wouldn't be able to rely exclusively on facebook authentication. I was just trying to give an example where one user's facebook id may change for reasons outside of facebook itself. – tuxedo25 Jul 24 '11 at 00:56
  • Note: when the user authenticates via Facebook, you can request permission to email them. And of course, you could still allow them to set up a regular username and password in addition to facebook integration. StackOverflow uses a model like that. – tuxedo25 Jul 24 '11 at 01:03
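A sketch of the surrogate-key layout tuxedo25 describes, as an added example (not code from the question or the answer) using SQLite through Python's standard library; the table and column names are my own choice and the Facebook ids are constructed placeholders. It shows that other tables reference the internal `users.id`, so re-pointing an account at a new Facebook identity keeps all of its data.

```python
import sqlite3

# Assumed schema (not from the page): the surrogate key users.id is the only
# value other tables reference; facebook_id is a separate, unique, nullable column.
SCHEMA = """
CREATE TABLE users (
    id          INTEGER PRIMARY KEY,   -- surrogate key, never shown to users or Facebook
    facebook_id TEXT UNIQUE,           -- the Graph id; may be replaced later
    email       TEXT                   -- optional, obtained via the email permission
);
CREATE TABLE uploads (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    name    TEXT NOT NULL
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def login_with_facebook(conn, facebook_id, email=None):
    """Return the internal user id for a Facebook login, creating the row on first sight."""
    row = conn.execute("SELECT id FROM users WHERE facebook_id = ?", (facebook_id,)).fetchone()
    if row:
        return row[0]
    cur = conn.execute("INSERT INTO users (facebook_id, email) VALUES (?, ?)", (facebook_id, email))
    return cur.lastrowid

def add_upload(conn, user_id, name):
    conn.execute("INSERT INTO uploads (user_id, name) VALUES (?, ?)", (user_id, name))

def relink_facebook(conn, user_id, new_facebook_id):
    """Attach a new Facebook identity to an existing account (after verifying the
    user by some other means, e.g. the stored email). No other table changes."""
    conn.execute("UPDATE users SET facebook_id = ? WHERE id = ?", (new_facebook_id, user_id))

def uploads_for_facebook_id(conn, facebook_id):
    """Resolve a Facebook id to the internal id, then list that account's uploads."""
    rows = conn.execute(
        "SELECT up.name FROM uploads up JOIN users u ON u.id = up.user_id "
        "WHERE u.facebook_id = ? ORDER BY up.id", (facebook_id,)).fetchall()
    return [r[0] for r in rows]

def demo():
    """Constructed walk-through: a user uploads, then moves to a new Facebook account."""
    conn = open_db()
    uid = login_with_facebook(conn, "fb-old-PLACEHOLDER", "user@example.invalid")
    add_upload(conn, uid, "photo1")
    relink_facebook(conn, uid, "fb-new-PLACEHOLDER")
    return uid, uploads_for_facebook_id(conn, "fb-new-PLACEHOLDER")
```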