Tags: facebook, authentication, facebook-graph-api, single-sign-on, facebook-authentication

Facebook SSO emails verified or unverified


Okay so I know that similar questions have been asked in the past and there have been some discussions. I have looked at all of them and I still cannot find a definitive answer, mainly because most of those posts are old and the Facebook documentation shared in those answers is deprecated and those Facebook documentation pages don't exist anymore.

I have 2 questions -

Question 1: While integrating with Facebook for SSO, can we blindly trust that the email returned by Facebook is verified? Or do we have to confirm it from our end by sending the user an email with a link in it? I know that today if you were to create an account with Facebook using your email, Facebook makes you verify it by sending a 6 digit code. But should I be concerned about accounts created decades ago when they may or may not have verified it? Also, I believe Facebook also allows you to add additional email addresses to your account. Do you know if they can log in using those email addresses and do they send any of those in the SSO callback?

Question 2: I know Facebook allows signup/login through phone number as well. My app uses emailId as the unique ID so if I don't get back an email I will not allow users to log in. So that flow isn't too complex. But do you know what happens if a user has created an account with their phone number and then adds an email to it? What does Facebook send in the callback? The email or the phone or both?

Any input is welcome. Also, what do most people do? Is it generally good practice to confirm the user by sending them an email with a verification link? Or do most apps trust Facebook and let the user in without much hassle?


Solution

  • While integrating with Facebook for SSO, can we blindly trust that the email returned by Facebook is verified?

    Yes. Facebook has never given out a user's email that hasn't been verified; it has been this way since the very beginning of their API. Even if the docs might not state it explicitly any more, there is no good reason why they should change anything about that.

    Also, I believe Facebook also allows you to add additional email addresses to your account. Do you know if they can log in using those email addresses and do they send any of those in the SSO callback?

    For a while, the login dialog allowed users to pick which of their registered email addresses they wanted to share with an app, when they first granted the email permission. Not sure if that feature still exists though. But these would also only have been verified email addresses they let the user choose from.

    If a user signing up to your service using one email address, and then switching to a different one (they could remove the app, and then grant it permissions again), would be a concern, then base the decision of whether you already have a record for their account on the app-scoped user id, and not their email.

    But do you know what happens if a user has created an account with their phone number and then adds an email to it? What does Facebook send in the callback? The email or the phone or both?

    Facebook doesn't give out users' mobile numbers via API (might be different for the WhatsApp API, but that's not what you're dealing with here).

    If they have a verified email and you asked for the email field of the user object while requesting their data, then you will get that returned.

    If they do not have a verified email - then you simply don't get an email property in what gets returned. But no phone number either.
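The answer's two practical points are: key the local account on the app-scoped `id`, not on the email, and treat a missing `email` field as "no verified email" (a phone-only account yields neither an email nor a phone number). The following is an added example, not code from the original question or answer, showing a login handler that applies both rules to the parsed JSON of a Graph API `GET /me?fields=id,name,email` call. The `AccountStore`, the `LoginRejected` exception, the sample responses and the policy of refusing to silently merge an unknown Facebook id into an existing email are this example's own assumptions; the user ids and addresses are constructed.

```python
"""Added example (not from the original post): handling the Graph API
/me response for Facebook login, keyed on the app-scoped user id.

Assumptions (not stated on the page): the app has already exchanged the
login for an access token and called GET /me?fields=id,name,email; the
parsed JSON of that call is what login_with_facebook() receives. The
in-memory AccountStore and the conflict policy below are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    fb_user_id: str  # app-scoped Facebook user id: stable per app, the real identity key
    email: str       # email Facebook returned; may change on a later login


@dataclass
class AccountStore:
    by_fb_id: Dict[str, Account] = field(default_factory=dict)

    def find_by_email(self, email: str) -> Optional[Account]:
        # Case-insensitive match; emails are compared casefolded throughout.
        for acct in self.by_fb_id.values():
            if acct.email.casefold() == email.casefold():
                return acct
        return None


class LoginRejected(Exception):
    """Raised when the /me response cannot be mapped to a local account."""


def login_with_facebook(me: dict, store: AccountStore) -> Account:
    """Return the local account for a /me response, creating it if needed.

    - No "email" key: Facebook only returns the field for users with a
      verified email and never returns a phone number, so there is nothing
      to key on. The app in the question requires an email, so reject.
    - Identity is the app-scoped "id", not the email: a user who removes
      the app and re-grants it with a different address keeps one record.
    """
    fb_id = me.get("id")
    email = me.get("email")
    if not fb_id:
        raise LoginRejected("response has no user id")
    if not email:
        raise LoginRejected("no verified email on this Facebook account")

    existing = store.by_fb_id.get(fb_id)
    if existing is not None:
        if existing.email.casefold() != email.casefold():
            # Same person, newly shared address: update, do not create a duplicate.
            existing.email = email
        return existing

    # Example policy (an assumption, not from the answer): an unknown Facebook
    # id whose email already belongs to another record is not silently merged.
    if store.find_by_email(email) is not None:
        raise LoginRejected("email already linked to a different Facebook id")

    acct = Account(fb_user_id=fb_id, email=email)
    store.by_fb_id[fb_id] = acct
    return acct


def login_rejected(me: dict, store: AccountStore) -> bool:
    """True if the response would be refused (used for checking outcomes)."""
    try:
        login_with_facebook(me, store)
    except LoginRejected:
        return True
    return False


# Constructed sample responses shaped like GET /me?fields=id,name,email.
# Ids and addresses are made up for this example.
SAMPLE_WITH_EMAIL = {"id": "10224455667788990", "name": "A. User", "email": "a.user@example.com"}
SAMPLE_NEW_EMAIL = {"id": "10224455667788990", "name": "A. User", "email": "a.other@example.com"}
SAMPLE_NO_EMAIL = {"id": "10224455667788991", "name": "B. User"}  # phone-only account: no email, no phone


if __name__ == "__main__":
    store = AccountStore()
    first = login_with_facebook(SAMPLE_WITH_EMAIL, store)
    again = login_with_facebook(SAMPLE_NEW_EMAIL, store)
    print("same record after email change:", first is again, "->", again.email)
    print("phone-only account rejected:", login_rejected(SAMPLE_NO_EMAIL, store))
```

Run as a script, it shows the same `Account` surviving an email change and the phone-only response being refused. Whether to send a confirmation email on top of this is a product decision the answer leaves open; the code only guarantees that identity is anchored on the id Facebook assigns your app, so an email change cannot create a second account for the same person.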