我正在为一个网站构建一个Android应用程序,该网站使用FB connect通过FB id将他们的用户数据与FB用户数据链接起来。 当我允许用户通过Facebook的Android SDK登录时,我会获得一个访问令牌,我可以代表用户请求数据。 我想将访问令牌发送到服务器,然后让服务器请求用户的id创建本地会话并向我发回特定于该网站的用户数据。 Facebook是否允许以这种方式使用访问令牌(从设备进行身份验证,然后使用相同的令牌从服务器请求数据)? 另一种方法是使用设备上的SDK获取FB用户ID,然后将其传递给服务器,但我觉得允许仅使用FB用户ID创建会话并不十分安全。 这样做很容易冒充。
此用例的典型情况是什么(通过Facebook SDK登录以在您自己的Web应用程序上创建会话,其中用户数据已经链接)?
I am building an Android app for a website that uses FB connect to link their user data with FB user data by FB id. When I allow the user to log in via Facebook's Android SDK, I get an access token for which I can request data on the user's behalf. I would like to send the access token to the server and have the server then request the user's id to create a local session and send me back the user data specific to this website. Does Facebook allow the access token to be used in this way (authenticate from device and then request data from the server with the same token)? The alternative is to use the SDK on the device to get the FB user id and then pass that to the server, but I feel it's not very secure to allow a session to be created with just a FB user id. This would be an easy thing to impersonate.
What is the typical scenario for this use case (log in via Facebook SDK to create a session on your own web app where the user data is already linked)?
最满意答案
是的,这是FB允许的。 见下文:
https://developers.facebook.com/docs/facebook-login/access-tokens/#architecture
如上所述,访问令牌是便携式的。 这意味着一旦获得令牌,您通常可以从任何机器 - 服务器,客户端或其他方式使用它。
Yes, this is allowed by FB. See below:
https://developers.facebook.com/docs/facebook-login/access-tokens/#architecture
As noted above, access tokens are portable. This means that once you obtain a token, you can generally use it from any machine - server, client or otherwise.
更多推荐
发布评论