Yes, you are doing it right, because every Facebook user has a unique username and password.

```php
$facebook_id = (int) $fb_user_profile['id'];
```

So there is no possibility of two users having the same Facebook ID, and you do not need to worry about it.
Refer to the Facebook Security Checklist for more information.
This list below should be considered the absolute minimum that all apps using Facebook Login should implement. Other features will be unique to your app and you will need to always think about how to make your app as secure as possible. Apps that are not secure will lose the trust of their audience and people will stop using them.
- Never include your App Secret in client-side or decompilable code.
- Sign all server-to-server Graph API calls with your App Secret.
- Use unique short-term tokens on clients.
- Don't trust that access tokens in use by your app were actually generated by your app.
- Use our official SDKs where possible.
- Reduce your app's attack surface area by locking down your Facebook app settings.
In my experience, using the PHP SDK is safer than the JS SDK that you are already using.
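
Two of the checklist items above, signing server-to-server Graph API calls and not trusting that a token was generated by your app, can be sketched server-side in PHP. This is an added example, not part of the original answer or of Facebook's SDK: `APP_ID`, `APP_SECRET`, the function names and the sample responses are constructed placeholders, and the field names assume the Graph API `debug_token` response format.

```php
<?php
declare(strict_types=1);

// Placeholders, not real credentials. The App Secret stays on the server.
const APP_ID = '1234567890';
const APP_SECRET = 'replace-with-app-secret';

// appsecret_proof parameter: HMAC-SHA256 of the access token, keyed with the App Secret.
function appsecretProof(string $accessToken, string $appSecret): string
{
    return hash_hmac('sha256', $accessToken, $appSecret);
}

// Check a decoded debug_token response before trusting the user id a client sent.
// Returns the Facebook user id as a string, or null if the token is rejected.
function verifiedUserId(array $debug, string $claimedUserId, int $now): ?string
{
    $d = $debug['data'] ?? null;
    if (!is_array($d) || ($d['is_valid'] ?? false) !== true) {
        return null;                       // malformed, revoked or expired token
    }
    if (!hash_equals(APP_ID, (string) ($d['app_id'] ?? ''))) {
        return null;                       // token was issued to a different app
    }
    // Assumption: expires_at of 0 is treated as "does not expire".
    $exp = (int) ($d['expires_at'] ?? 0);
    if ($exp !== 0 && $exp <= $now) {
        return null;
    }
    $uid = (string) ($d['user_id'] ?? ''); // kept as a string, never cast to int
    if ($uid === '' || !hash_equals($uid, $claimedUserId)) {
        return null;                       // client claimed a different user's id
    }
    return $uid;
}

// Constructed sample responses (not captured from the real API).
$own   = json_decode('{"data":{"app_id":"1234567890","is_valid":true,"user_id":"100001234567890","expires_at":4102444800}}', true);
$other = json_decode('{"data":{"app_id":"9999999999","is_valid":true,"user_id":"100001234567890","expires_at":4102444800}}', true);

$now = time();
var_dump(verifiedUserId($own, '100001234567890', $now));   // token issued to this app
var_dump(verifiedUserId($other, '100001234567890', $now)); // token issued to another app
echo appsecretProof('constructed-token', APP_SECRET), PHP_EOL;
```

In a real login flow the `debug_token` response comes from a server-side Graph API call, and the session is created only for the user id that `verifiedUserId()` returns.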