I am implementing JavaScript based Google or Facebook OAuth for a client login system, where I hope to use the Access Token and Email Id combination returned from Google/Facebook after successful authentication of the user to create session on the Server. I have a .NET based server application. I am hoping to send this Access Token and Email Id combination using some AJAX methods like $.ajax and creating a session for this email id on the server end.
Now I have a limitation, my server is behind a firewall and it cannot contact Google/Facebook to validate the access token.
One of my colleague pointed me out that as there is no communication between my Server and Google/Facebook, any malicious user can send me user A's email id with any random access token, and I have no way to check the validity of this token whether it actually belongs to User A.
My server is using SSL communication. So, how can I make this scenario secure.