authentication - How to pass Facebook Id from client to server securely

Question

I have a Facebook canvas app. I am using the JS SDK to authenticate the user on the browser-side and request various information via FB.api (e.g. name, friends, etc.).

I also want to persist some additional user information (not held on Facebook) to the database on my server by making an ajax call:

{ userFavouriteColour: "Red" }

To save this on the server and associate with the correct user, I need to know the Facebook uid and this presents a problem. How do I pass the uid from the client to the server.

Option 1: Add uid to the ajax request:

{ uid: "1234567890",
  userFavouriteColour: "Red" }

This is obviously no good. It would be trivial for anyone to make an ajax request to my web service using someone else's Facebook Id and change their favourite colour.

Option 2: On the server, extract the uid from a cookie: Is this even possible? I have read that Facebook sets a cookie containing the uid and access token but do I have access to this cookie on my domain? More importantly, can I securely extract the uid form the cookie or is this open to spoofing just like option 1.

Option 3: User server-side authentication on the server: I could use the server-side authentication to validate the user identity on my server. But will this work if I am already using client-side authentication on the browser? Will I end up with two different access tokens? I would like to make FB.api requests from the browser so I need the access token on the client (not just on the server).

This must be a very common scenario so I think I'm missing something fundamental. I have read a lot of the Facebook documentation (various authentication flows, access tokens, signed_request, etc.) and many posts on SO, but I still don't understand how client-side authentication and server-side authentication play nicely together.

In short, I want to know the user's identity on the server but still make requests to the Facebook api from the client browser?

(I am using ASP.NET and the Facebook C# SDK on the server)

EDIT: Added bounty. I was hoping to get a more deifnitive, official recommendation on how to handle this situation, or even an example. As said, I have already read a lot of the official FB docs on authentication flows but I still can't find anything definitive on how client-side and server-side authentication work together.

Answer 1

Option 1: The easiest way I can think of is to include the accessToken in JS and pass it with the ajax call.

Option 2: Using the same as option 1, but instead of sending just the accessToken, send the signedRequest.

On the server side you can decode it using (TryParseSignedRequest method) which will give you the UserID :-)

Note: signedRequest is encrypted with the application Secret. you are the only one who should know it, so you are safe on that end.

Disclaimer:

I have no coding experience in C#, but a little search in google gave me this:

Facebook C# SDK for ASP.NET

Making AJAX Requests with the Facebook C# SDK