Update

This was reported to Facebook via https://www.facebook.com/whitehat/report/ on Dec 16th 2013 and Facebook responded on Dec 17th that the bug has long since been fixed.

I have retested this with my Facebook account (that I still haven't verified the email address on) and when using the Grap API Explorer tool it is not possible to get the email address of this account using the Graph API or using a FQL query.

Conclusion: The email address you get from Facebook using the Graph API or a FQL query is a verified email. If an account hasn't verified it's email yet it's not possible to get it.

Original Post

I am making a web app with SSO that is offering the user to sign in with either Google or Facebook. I would like users who have both types of accounts to show up as the same user in my system regardless of which identity they log in with. To achieve this I'm thinking of using the email address as the identifier to know if I should create a new account or if the user already exists.

To not introduce any security problems I must know that the email address is verified and actually belongs to the user. For Google the userinfo API can tell me if an email is verified or not, so there's no problem here. But I can not find anything like this in the Facebook Graph API.

Is it possible to know if an email address is confirmed on Facebook?

I know that there is a verified field, but that only tells if the account is verified and not the email address.

At first it looked like you are only able to use the Graph API for accounts where the email address has been confirmed. If the address wasn't confirmed I just got an error telling me that I had to confirm the email address first before being able to sign in to any third party site.

However this does not seem to be true for all accounts. In some cases it's possible to get accesses to all parts of Facebook even if you don't have a confirmed email address. One example of this is when you sign up with a @myopera.com mail address.

When you sign up to Facebook with a @myopera.com email address you get a message that your account has been temporarily locked as soon as you submit the sign up form. To continue you need to provide your phone number to verify your account and to "keep Facebook safe and free from spam" (sorry for the Swedish in the screenshot, this was before I could get into Facebook and change language to English):

When you provide your phone number you are logged in and Facebook doesn't nag you any further about that you have to verify your email address.

The only place where you can see that your email address is not yet verified is on the settings page:

The Mobile Settings that is usually not accessible before you have verified your email address is available and lists the phone number entered during sign up:

In addition to this it is also possible to log in to third party sites with an unconfirmed email address:

When I connect to the graph api with this user I can get the unconfirmed email address and the verified field returns true as expected since I have verified the account by adding a phone number. So obviously I can't trust that the email address I get from Facebook really belongs to the user that has the Facebook account.

Is there any other way of knowing if the email address is verified or not or do I have to verify it myself if I want to use it for identifying the user?

Based on that documentation it looks promising. However after some testing it looks like it can't be used after all. As mentioned in the following stackoverflow question it looks like you have to register the emails you want to get hashes for yourself before user.email_hashes returns anything: stackoverflow.com/questions/7620314/…

Are we looking at the same page? It clearly says you can rely on email address being verified. "After a successful login using Facebook, you will have the person's email address, Facebook ID, and access token. Your app should search for an existing account that has been created with that same email address. If one exists, you should merge the two accounts and add the Facebook info to the existing account - as recommended above."

Please check Adding manual login info to a Facebook Login created account > Ensure the Facebook Login email address is verified, then revalidate Your comment.

@RokKralj The answer is further down the page: "If you use an email address as the unique credential which identifies each account, your app should verify that the email address associated with the person's Facebook account (and obtained during Facebook Login) is valid. You can do this by creating code in your app to send a verification email to the address obtained after Facebook Login (you will probably need to have this step as part of your regular login system anyway)."