Desktop and Web application share Facebook Authentication

I am building an application that has a web front end and a desktop client application. The web front end allows users to login using Facebook. It exposes a web service to the Desktop application for uploading data. The web service needs to insure that the desktop application uploading data for a user is really from that user. I have already implem开发者_如何学Pythonented Facebook login on both the client and web interface using the Graph API. How would I go about using Facebook to validate that the user using the desktop application is who they say they are? Also, how can I make it so the user can login once and not need to login again on the desktop application?

After much struggle I figured out that it's possible to receive a session key that does not expire. You can do this by requesting offline access to a user's profile. I stored this in the database on the web side and retrieved and stored it on the desktop side. The only problem is the session key technically can be viewed and used by someone other than the user to make requests. Any other suggestion would be appreciated.