iOS客户端,Facebook API和服务器之间的安全通信
我想通过Facebook登录实现一个iOS应用程序。我希望我的应用程序的用户能够与他们的社交图表进行交互(即发布到他们的流)。为此,我将使用Facebook iOS SDK。
当用户已经通过Facebook进行身份验证时,他们也应该能够在我的应用程序的服务器端使用一些服务。如何验证用户对服务器上的服务?
I would like to implement an iOS app with Facebook login. I would like the users of my app to be able to interact with their social graph (i.e. post to their stream). For that purpose I would use the Facebook iOS SDK.
When the users are already authenticated with Facebook, they also should be able to use some services on the server side of my application. How can I verify a user against the services on my server?
在我的iOS应用程序中,我可以使用iOS Facebook SDK查询访问令牌(对于我的Facebook应用程序)。我应该将该访问令牌与Facebook用户ID一起发送到我的服务器吗?服务器可以验证访问令牌是否有效?还是应该只有我的iOS应用程序与Facebook API通信?可以将服务器发布到我的Facebook墙上,还是应该通过iOS应用程序完成?
In my iOS app I can query the access token (for my Facebook application) using the iOS Facebook SDK. Should I send that access token together with the facebook user ID to my server? Can the server verify whether the access token is valid? Or should only my iOS App communicate with the Facebook API? Can the server post to my Facebook wall, or should this be done exclusively throught the iOS app?
更新:
Facebook现在提供一个安全文件/清单:
https://developers.facebook.com/docs/facebook-login/security/
Facebook now provides a security documentation / checklist: https://developers.facebook.com/docs/facebook-login/security/
您至少有两个选项:
-
将访问令牌发送到您的服务器并使用该令牌处理对Facebook
的所有请求(如果令牌无效,您会收到错误,只需
将其传递给客户端)。
Send the access token to your Server and handle all requests to Facebook using that token (if the token is invalid you get an error and just pass it on to the client). => Safe but (a little) complicated.
分开
- $ b $之间的沟通b
- 您的客户端(iOS应用程序)和Facebook API,并且
- 您的客户端和您的服务器。
- your client (iOS App) and the Facebook API and
- your Client and your Server.
您的应用程序将通过Facebook iOS SDK处理对Facebook API的所有请求,然后将所产生的数据(如所有类型的Facebook ID)传达到您的服务器。这种方法是完全不安全的,没有某种加密;您可以向您的服务器发送一些加密哈希函数,并使用存储在服务器和iOS App上的密钥进行验证。 =>这种方法(一点点)更容易实现,但安全性较低,因为密钥可以通过逆向工程被盗。此外,您必须在将应用程序提交到应用商店时检查我正在使用加密复选标记。
Your app would handle all requests to the Facebook API through the Facebook iOS SDK and then communicate the resulting data, like all kind of Facebook ids, to your Server. This approach is totally insecure without some sort of encryption; you could send some cryptographic hash function to your server and validate it with a key stored on your server and the iOS App. => This method is (a little) easier to implement however less secure since the key can be stolen through reverse engineering. Moreover you would have to check the "I'm using encryption" check mark when submitting your app to the app store.
这实际上取决于你愿意承担多少风险,你做什么样的请求,你有什么样的服务等等。
It actually depends on how much risk you are willing to take, what kind of requests you make, what kind of services you have and so on.
服务器可以验证访问令牌是否有效?
Can the server verify whether the access token is valid?
是的,看看这里: iPhone访问令牌服务器端验证iPhone应用程序