Currently I am using Facebook's PHP SDK to log in to my website. When users sign up, I store their email address fetched from Facebook. When they return to the website and log in through Facebook, the Facebook email is matched with the one present in the database and, if it matches, the user is logged in.
But that's not a good practice, because if the user changes their email in the future, he/she can't log in, and if a user changes their email address to someone else's, it will let him/her log in.
I have found that we can store the user access token, but it is not permanent. If anyone knows how we can achieve this with better security, it would be a great help.
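An added illustration, not part of the original post: the email-matching lookup described above next to a lookup keyed on the `id` field that the Graph API returns with the profile (the app-scoped user ID, which does not change when the email does). The `UserStore` class, its method names and the profile arrays are hypothetical and constructed; no Facebook SDK call is made, and each profile stands in for one already fetched with a valid token.

```php
<?php
// Added example with constructed data; UserStore and its methods are hypothetical.
final class UserStore
{
    private array $rows = [];   // local user id => ['fb_id' => ..., 'email' => ...]
    private int $nextId = 1;

    public function signUp(array $profile): int
    {
        $id = $this->nextId++;
        $this->rows[$id] = ['fb_id' => (string) $profile['id'], 'email' => $profile['email']];
        return $id;
    }

    // Approach from the question: the email is the account key.
    public function loginByEmail(array $profile): ?int
    {
        foreach ($this->rows as $id => $row) {
            if (strcasecmp($row['email'], $profile['email']) === 0) {
                return $id;
            }
        }
        return null;
    }

    // Alternative: the provider's user id is the account key; email is contact data only.
    public function loginByFacebookId(array $profile): ?int
    {
        foreach ($this->rows as $id => $row) {
            if ($row['fb_id'] === (string) $profile['id']) {
                return $id;
            }
        }
        return null;
    }
}

$store = new UserStore();
$alice = $store->signUp(['id' => '1001', 'email' => 'alice@example.test']);
$bob   = $store->signUp(['id' => '1002', 'email' => 'bob@example.test']);

// Case 1 (constructed): Alice changes her Facebook email after signing up.
$aliceLater = ['id' => '1001', 'email' => 'alice.new@example.test'];
echo 'email key finds Alice: ', var_export($store->loginByEmail($aliceLater) === $alice, true), PHP_EOL;
echo 'id key finds Alice:    ', var_export($store->loginByFacebookId($aliceLater) === $alice, true), PHP_EOL;

// Case 2 (constructed): Bob's Facebook profile now carries the address stored for Alice.
$bobLater = ['id' => '1002', 'email' => 'alice@example.test'];
echo 'email key maps Bob to Alice: ', var_export($store->loginByEmail($bobLater) === $alice, true), PHP_EOL;
echo 'id key maps Bob to Bob:      ', var_export($store->loginByFacebookId($bobLater) === $bob, true), PHP_EOL;
```

In a database-backed version the `fb_id` column would carry a unique index, and the stored email would be refreshed from the profile on each login rather than compared.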