I am trying to register a user to my Web application using the Facebook login feature using Javascript and then pass the user information into my server side of the application, now I have to save the information so I could log in later as this user but it should be done without a password , what should I save in my application's db instead of the password in order to authenticate the user is really who he claims to be and not someone else who is trying to bypass my security? First thought was to save the Facebook user ID to authenticate a user, but it doesn't sound secure at all, is it a good idea or a bad one? Is there another of performing what I need?
I would recommend following Facebook's OAuth examples at developers.facebook.com.
It's been a while since I've done any OAuth work, but from what I remember, Facebook executes a callback to your server that you specify. When Facebook calls this callback, they provide you with an access token. You can then use this access token to get information about the user (i.e. email, first name, last name).
It's up to you to determine what to do when this callback is called. Perhaps you fetch the user's email, first and last name and automatically create the user an account on your back end if it doesn't exist. If you found a matching account (perhaps via their email) then just log them in (don't need to store any password for the user). I don't believe there is anything to really worry about with this approach because Facebook is providing a unique access token that resembles the user, and then your server is fetching an email based on this access token. The only way someone could crack this is if they got a hold of the access token for the user, which isn't easy (assuming your using SSL).
To determine if someone created an account using Facebook or another approach, I'd create a column under your "user" table which indicates this information.