Can I verify if the email is verified on Facebook?

Update

This was reported to Facebook via https://www.facebook.com/whitehat/report/ on December 16, 2013, and Facebook replied on December 17 that the error had long been fixed.

I tested this with my Facebook account (for which I have not yet verified the email address), and when using the Graph API tool it is not possible to get the email address of this account using the Graph API or using an FQL query.

Conclusion: The email address that you get through Facebook using the Graph or FQL APIs is a verified email. If the account has not yet verified it by email, it is not yet available.

Original post

I am creating a web application with SSO that offers the user to log in using Google or Facebook. I would like users who have both types of accounts to appear as the same user on my system, regardless of the identity with which they log in. To achieve this, I am thinking of using an email address as an identifier to find out if I should create a new account or if the user already exists.

In order not to introduce any security issues, I should know that the email address is verified and actually belongs to the user. For Google, the userinfo API can tell me if the email is checked or not, so there is no problem here. But I cannot find anything like it in the Facebook Graph API.

Is it possible to find out if the email address on Facebook is verified?

I know there is a verified field, but that only says if the account is being verified, not the email address.

At first it looked like you could use the Graph API for accounts that have an email address verified. If the address was not verified, I just received a message stating that I first had to confirm the email address before you could log in to any third-party site.

However, this is not the case for all accounts. In some cases, you can access all parts of Facebook, even if you don't have a verified email address. One example of this is when you register with an @myopera.com email address.

When you sign up for Facebook with an @myopera.com email address, you receive a message that your account has been temporarily suspended as soon as you submit the registration form. To continue, you need to provide your phone number in order to confirm your account and "keep Facebook safe and free from spam" (sorry for the Swedish in the screenshot, this was before I was able to get to Facebook and change the language to English):

Security check during sign up

When you provide your phone number, you are logged in and Facebook no longer forces you to confirm your email address.

The only place where you can see that your email address is not yet verified is on the settings page:

Facebook settings view with unconfirmed email address

Settings for mobile devices that are usually unavailable before you have confirmed your email address are available and the phone number entered during registration is listed:

Facebook mobile settings view with unconfirmed email address

In addition to this, you can also log in to third-party sites with an unverified email address:

Logging in to graph API explorer with an unconfirmed email address

When I connect to the Graph API with this user, I can get an unverified email address, and the verified field returns true as expected, since I verified the account by adding the phone number. Therefore, obviously, I can't trust that the email address I get from Facebook really belongs to a user who has a Facebook account.

Is there any other way to find out if the email address is verified or not, or should I check it myself if I want to use it to identify the user?

+63
security facebook facebook-graph-api single-sign-on facebook-authentication
Jan 11 '13 at
3 answers

Although this is not the best way to do this, you can try a workaround by simply submitting a search and analyzing the results:

 http://www.facebook.com/search/results.php?q=<email address here> 

In addition, you can also set any privacy settings that users have set for themselves, as far as they are available for search, but instead of another ...

+3
May 21 '13 at 14:53

I have never used it, but you can check with the FQL query for user.email_hashes: http://developers.facebook.com/docs/reference/fql/user

0
May 17 '13 at 5:56

I searched for the official Facebook statement on this issue and finally found this: https://developers.facebook.com/docs/facebook-login/multiple-providers#postfb1, which clearly states that the developer should not rely on the email address being verified.

0
May 09 '19 at 9:10
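
The account-linking decision the question asks about, as an added example (not code from the original post or from Facebook): identities are merged by email only when the provider explicitly asserts the address is verified. The `UserStore` class, the normalized profile keys (`id`, `email`) and the sample addresses are hypothetical; `email_verified` is the standard OpenID Connect claim, and Facebook is assumed to supply no equivalent flag, as the question describes.

```python
from dataclasses import dataclass, field

# Assumption: only providers listed here assert email ownership in the profile.
# OpenID Connect userinfo carries `email_verified`; Facebook has no such flag.
VERIFIED_FLAG = {"google": "email_verified"}


@dataclass
class UserStore:
    by_identity: dict = field(default_factory=dict)  # (provider, subject) -> user id
    by_email: dict = field(default_factory=dict)     # provider-verified email -> user id
    next_id: int = 1

    def _new_user(self):
        uid = self.next_id
        self.next_id += 1
        return uid

    def login(self, provider, profile):
        """Return (user_id, action) for a completed provider login."""
        key = (provider, profile["id"])
        if key in self.by_identity:                  # returning identity
            return self.by_identity[key], "existing"
        email = (profile.get("email") or "").strip().lower()
        flag = VERIFIED_FLAG.get(provider)
        # Require a real boolean True; a missing flag or the string "true" fails.
        trusted = bool(email) and flag is not None and profile.get(flag) is True
        if trusted:
            uid = self.by_email.get(email)
            action = "linked" if uid else "created"
            uid = uid or self._new_user()
            self.by_email[email] = uid
        else:
            # Never merge on an unproven address: keep the account separate
            # until the application has confirmed the email itself.
            uid, action = self._new_user(), "created_needs_email_confirmation"
        self.by_identity[key] = uid
        return uid, action
```

An unverified address is never written to `by_email`, so it can neither join an existing account nor be joined by a later verified login.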