At the end of the process I know that the user is logged in and I know their Facebook ID. I can then register them in my database via this ID, and let them use it to log in afterwards.
However, this seems terribly insecure. In order to let my server-side script know the user's ID, I have to send it via AJAX. However, I have no way of knowing whether it's the owner of the ID who's trying to log in. Anyone can send the POST request with an ID (especially if one gets hold of another user's ID).
My current idea is to let the user log in via JS SDK as usual, send the ID and Access Token via AJAX to the server and then use cURL in the PHP script to ensure the user is actually logged in.
Is this the way to go, or am I overlooking better alternatives?
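The server-side check described in the question (browser posts ID and access token, PHP confirms them with cURL), written out as an added example that is not part of the original post. It assumes the Graph API `debug_token` endpoint with an app access token of the form `APP_ID|APP_SECRET`; the constants `FB_APP_ID` and `FB_APP_SECRET`, the POST field names `fb_id` and `access_token`, and the helper names are all placeholders chosen for this example. The important part is that the posted ID is never trusted on its own: the token is inspected, it must be valid, issued to this app (a token the same user granted to some other app must not log them in here), unexpired, and its `user_id` must match the ID the client claims.

```php
<?php
// Added example, not code from the question. Server-side verification of a
// Facebook user ID + access token pair posted by the browser via AJAX.
declare(strict_types=1);

const FB_APP_ID     = 'YOUR_APP_ID';      // assumption: placeholder
const FB_APP_SECRET = 'YOUR_APP_SECRET';  // assumption: placeholder, server-side only

/**
 * Fetch a Graph API URL with cURL and decode the JSON body.
 * Returns null on any transport, HTTP or decoding error so callers fail closed.
 */
function graph_get(string $url): ?array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never disable: the verdict rides on this TLS connection
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return null;
    }
    $decoded = json_decode($body, true);
    return is_array($decoded) ? $decoded : null;
}

/**
 * Policy: does $debug (the decoded "data" object from /debug_token) prove that
 * the token's bearer controls Facebook user $claimed_id for *this* app?
 * Kept free of I/O so it can be exercised with a constructed response.
 */
function token_authorizes_user(array $debug, string $claimed_id, string $app_id, int $now): bool
{
    // 1. Facebook must consider the token valid.
    if (($debug['is_valid'] ?? false) !== true) {
        return false;
    }
    // 2. Token must have been issued to our app, not to another app the same user authorised.
    if (!isset($debug['app_id']) || !hash_equals($app_id, (string) $debug['app_id'])) {
        return false;
    }
    // 3. Not expired (expires_at of 0 denotes a non-expiring token).
    $expires = (int) ($debug['expires_at'] ?? 0);
    if ($expires !== 0 && $expires <= $now) {
        return false;
    }
    // 4. The user the token belongs to must be the user the client claims to be.
    return isset($debug['user_id']) && hash_equals((string) $debug['user_id'], $claimed_id);
}

/** Full flow: inspect the posted token via the Graph API, then apply the policy. */
function verify_facebook_login(string $claimed_id, string $token): bool
{
    $app_token = FB_APP_ID . '|' . FB_APP_SECRET;
    $url = 'https://graph.facebook.com/debug_token?' . http_build_query([
        'input_token'  => $token,
        'access_token' => $app_token,
    ]);
    $resp = graph_get($url);
    if ($resp === null || !isset($resp['data']) || !is_array($resp['data'])) {
        return false;   // fail closed on any error
    }
    return token_authorizes_user($resp['data'], $claimed_id, FB_APP_ID, time());
}

if (PHP_SAPI === 'cli') {
    // Constructed sample of a /debug_token "data" object (not a real response),
    // used only to exercise the policy offline.
    $sample = ['is_valid' => true, 'app_id' => 'YOUR_APP_ID', 'user_id' => '1000123', 'expires_at' => 0];
    var_dump(token_authorizes_user($sample, '1000123', 'YOUR_APP_ID', time())); // claimed ID is the token owner
    var_dump(token_authorizes_user($sample, '1000999', 'YOUR_APP_ID', time())); // claimed ID differs from owner
} else {
    // Handler for the AJAX POST from the JS SDK login.
    $id    = (string) ($_POST['fb_id'] ?? '');
    $token = (string) ($_POST['access_token'] ?? '');
    if ($id === '' || $token === '' || !verify_facebook_login($id, $token)) {
        http_response_code(401);
        exit('login rejected');
    }
    // ... look up or create the local account for $id and start the session
}
```

Two practical notes on the design: the app secret stays on the server and the app token is only ever sent to Facebook over TLS, so the client never learns it; and because the ID is taken from the inspected token rather than from the POST body, the posted `fb_id` could be dropped entirely and replaced by `$resp['data']['user_id']`, which removes the spoofable input altogether.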