[EGreg]

That's it? That sucks.

I don't have to change the token. I just have to change the data given by facebook (including the uid) before the website's dumb javascript uses it in a post back to the server. Since it's not signed by Facebook, how can the website's server trust the uid? Never trust your user input.

[sawyer]

The user logs in on Facebook's server, there is no opportunity to change a uid. Facebook might return the logged in user's id, however that's not useful, the only way to interact with their API will be with the access token (which only grants you access to the logged in user's scope).

[EGreg]

I am not talking about interacting with their API.

Facebook returns a uid. When the user takes an action, this uid is sent to the server. The server trusts the uid, and saves this action as taken by the user identified by this uid.

And let's say it's not the uid. Let's say it's the user's name.

It trusts the user input basically. But it should probably be getting it directly from facebook, or in a signed structure, right?