Feedback Request on how to integrate server and client-side FB authentication with extended sessions

JDeville

Mar 4, 2011, 12:16:50 PM
to min...@googlegroups.com
Requirements:
  • Some calls are made from the browser
  • Some are made on the server
  • offline_access permission is required for backend server work
  • Request permissions from user as they are required
Challenges:
Handling logins client side and server side is a pain, because:
  • On the server side, you don't know if the user is really logged in, until you try and invoke a service call and it fails.
  • offline_access can mean that the user is not logged in on the browser, but still has a valid access_token on the server.
  • offline_access tokens do eventually expire, so the user could be logged in on the client, but not the server as well.
So what we have then is a lovely cluster-f of authentication scenarios.  It gets even worse when you consider that users can alter their permissions while not using your app, so if you are storing the permissions that were requested, you wind up with double the complexity when you add authorization to the mix.

Goal:
Authentication / Authorization module that:
  • Is declarative, and trivial to use/configure. (i.e., you don't want to have to think everything through for each controller action)
  • Isn't chatty - I don't want to have to ping facebook from the server and client on every page.  The only solution for this is to handle things lazily.  Respond to exceptions, rather than be proactive about making sure everything is in place ahead of time.
Attached:
I've attached what appears to be the flow I need to implement.  I'm hoping that someone will see a way to dramatically simplify things, but lacking that, this will basically be my coding spec, so it'd be nice to have holes punched in the idea as well.
SecurityFlowComplete.jpg
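The lazy, declarative server-side half of the flow described above, as an added example that is not part of the original post or its attachment. The Graph API client, the token store, the user ids and the permission names assigned to each token are all constructed for the example; nothing here talks to Facebook. An action declares the permissions it needs, the server never pre-checks them, and only when the (simulated) API call raises does the module decide whether to drop the stored token and send the browser to login, or to ask the user for just the permissions that have been revoked since the token was stored.

```python
"""Lazy, declarative handling of server-side OAuth tokens (added example)."""
from dataclasses import dataclass
from functools import wraps
from typing import Optional
import time


class OAuthError(Exception):
    """Raised by the simulated API when a token is invalid or lacks a permission."""

    def __init__(self, reason, missing=()):
        super().__init__(reason)
        self.reason = reason            # "invalid_token" or "missing_permission"
        self.missing = frozenset(missing)


@dataclass
class StoredToken:
    access_token: str
    expires_at: Optional[float] = None  # None: no known expiry (offline_access token)


class TokenStore:
    """Per-user server-side token storage; in-memory here, a DB table in practice."""

    def __init__(self):
        self._by_user = {}

    def get(self, user_id):
        return self._by_user.get(user_id)

    def put(self, user_id, token):
        self._by_user[user_id] = token

    def invalidate(self, user_id):
        self._by_user.pop(user_id, None)


class FakeGraphAPI:
    """Constructed stand-in for the Graph API: the authority on what a token can do."""

    def __init__(self, granted):
        self.granted = granted  # access_token -> set of permissions the user currently grants

    def call(self, token, needs):
        perms = self.granted.get(token.access_token)
        expired = token.expires_at is not None and token.expires_at < time.time()
        if perms is None or expired:
            raise OAuthError("invalid_token")
        missing = set(needs) - perms
        if missing:
            raise OAuthError("missing_permission", missing)
        return {"ok": True, "used": sorted(needs)}


@dataclass
class Context:
    store: TokenStore
    api: FakeGraphAPI


def requires(*perms):
    """Declarative marker: the action needs these permissions. Nothing is checked up
    front; the wrapper only reacts to the exception the API raises."""
    needs = frozenset(perms)

    def deco(fn):
        @wraps(fn)
        def wrapper(ctx, user_id, *args, **kwargs):
            token = ctx.store.get(user_id)
            if token is None:
                return {"action": "login", "scope": sorted(needs)}
            try:
                return fn(ctx, user_id, token, needs, *args, **kwargs)
            except OAuthError as err:
                if err.reason == "invalid_token":
                    # Expired offline token: forget it so the browser re-authenticates.
                    ctx.store.invalidate(user_id)
                    return {"action": "login", "scope": sorted(needs)}
                # Permission revoked while the user was away: request only what is missing.
                return {"action": "request_permissions", "scope": sorted(err.missing)}
        return wrapper
    return deco


@requires("offline_access", "publish_stream")
def post_update(ctx, user_id, token, needs, message):
    """A controller action; it just makes the call and lets the decorator react."""
    return {**ctx.api.call(token, needs), "message": message}


def run_scenarios():
    """Exercise the four states the post lists. User ids and tokens are constructed."""
    api = FakeGraphAPI({"tok-alice": {"offline_access", "publish_stream"},
                        "tok-bob": {"offline_access"}})
    ctx = Context(TokenStore(), api)
    results = {}
    # 1. No server-side token yet: send the browser to login with the declared scope.
    results["no_token"] = post_update(ctx, "alice", "hi")
    # 2. offline_access token stored earlier: works even though the browser session is gone.
    ctx.store.put("alice", StoredToken("tok-alice"))
    results["offline_ok"] = post_update(ctx, "alice", "hi")
    # 3. User revoked publish_stream while not using the app: ask for only that one.
    ctx.store.put("bob", StoredToken("tok-bob"))
    results["revoked"] = post_update(ctx, "bob", "hi")
    # 4. Stored offline token has expired: drop it and fall back to login.
    ctx.store.put("carol", StoredToken("tok-carol", expires_at=time.time() - 1))
    results["expired"] = post_update(ctx, "carol", "hi")
    results["expired_dropped"] = ctx.store.get("carol") is None
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The "action" dictionaries are what the server would hand back to the browser-side code, which is where the actual FB login or permission dialog gets triggered; the server itself never pings Facebook except for the call it was going to make anyway. Storing which permissions were requested is deliberately avoided: the API's refusal is the only source of truth about what the user currently grants, which removes the double bookkeeping the post complains about. (Separately from the post, note that Facebook later retired offline_access in favour of long-lived tokens with a fixed expiry, which makes the "invalid_token" branch the common case rather than the rare one.)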