.net-core, oauth-2.0, email-verification

Should you confirm email addresses obtained from external login providers?


I am working on a .NET application and I have set up an external login with Facebook. Currently, when the user uses the external login functionality, signs in to Facebook and my app receives his email address, I create a new user account and consider the email address verified (otherwise he could not log in).

Is this a good practice though? Is it possible that some attacker would change the email address midway or something? What is the best practice for letting users sign in using external login providers?

Any help would be much appreciated, thanks.

Edit: In this tutorial the guy sends a confirmation email to the email address he receives from the external login providers. However, this seems impractical to me. It kind of defeats the purpose of simplifying the log-in/sign-in process; moreover, I don't think I was ever asked to confirm my email when I used external login providers to log in myself.


Solution

  • Is it possible that some attacker would change the email address midway or something?

    No, because you are using facebook which implements openid + oauth2.

    In oauth2, the mail and its password are safe because you do not manage them. Those are managed by your oauth2 provider (facebook in your case).

    Also, according to the oauth2 flow (which is the same in google, facebook, linkedin, etc.) the provider doesn't send you the email. It sends you the authorization code. The flow is:

    The only way to attack your site would be to send you fake authorization codes to https://web.com?code=**** but (thanks to oauth2) in the next step (exchanging the auth code for a new access_token), facebook will return you an error because the attacker cannot create real authorization codes.

    Confirmation email

    As you said, if your web allows the user to log in with some social network, adding a new step with email confirmation is impractical. What is more, facebook allows the use of a phone number instead of mail.

    But there are some scenarios (not in the authentication) in which mail could be your ally:
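The code exchange the answer relies on, as an added offline sketch that is not the asker's .NET code or Facebook's API: a constructed provider and relying party, showing why a forged, replayed or foreign authorization code is refused at the token endpoint, and why the app takes the email only from that server-to-server reply. All client ids, secrets, URLs and addresses below are constructed.

```python
import secrets

# Constructed stand-in for the provider (Facebook in the question). Codes it
# issues are single-use and bound to one client_id and redirect_uri.
class Provider:
    def __init__(self, clients):
        self.clients = clients      # client_id -> client_secret
        self._codes = {}            # code -> (client_id, redirect_uri, email)

    def authorize(self, client_id, redirect_uri, email):
        """User signed in at the provider; it hands back a one-time code."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, email)
        return code

    def token(self, code, client_id, client_secret, redirect_uri):
        """Token endpoint: unknown, reused or mismatched codes are refused."""
        entry = self._codes.pop(code, None)     # pop => a code redeems once
        if entry is None or entry[:2] != (client_id, redirect_uri):
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(client_secret, self.clients.get(client_id, "")):
            return {"error": "invalid_client"}
        # Real providers return the email via a separate userinfo/Graph call.
        return {"access_token": secrets.token_urlsafe(32), "email": entry[2]}

# The web app from the question: the email is taken from the provider's
# server-to-server reply, never from anything the browser sent.
class RelyingParty:
    def __init__(self, provider, client_id, client_secret, redirect_uri):
        self.provider, self.client_id = provider, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self._pending_states = set()    # stands in for per-session storage
        self.users = {}                 # email -> account record

    def begin_login(self):
        state = secrets.token_urlsafe(16)   # anti-CSRF value tied to the session
        self._pending_states.add(state)
        return state

    def callback(self, code, state):
        """Handle the redirect back; returns the signed-in email or None."""
        if state not in self._pending_states:
            return None                 # login was not started by this session
        self._pending_states.discard(state)
        resp = self.provider.token(code, self.client_id, self.client_secret, self.redirect_uri)
        if "error" in resp:
            return None                 # forged, reused or foreign code
        self.users.setdefault(resp["email"], {"email_confirmed": True})
        return resp["email"]
```

The account is created with `email_confirmed` set, which is exactly the asker's current behaviour; what makes it defensible is that the address came back from the provider in exchange for a code only the provider could have minted.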