从用户访问令牌获取应用程序标识（或验证令牌的源应用程序）

我发现这个问题，这有一个答案，但Facebook改变了令牌格式，现在它是这样的：

I found this question, which has an answer, but facebook changed the token format since then, now it is something like:

AAACEdEose0cBACgUMGMCRi9qVbqO3u7mdATQzg[more funny letters]ig8b3uss9WrhGZBYjr20rnJu263BAZDZD

简而言之，你不能推论任何东西。
我还发现了访问令牌调试器，它显示了我正在寻找的信息，如果您将一个令牌粘贴到这是很好的，但不帮助我以编程方式。

In short, you cannot infer anything from it. I also found the access token debugger, which shows the information I am looking for if you paste a token in, which is nice, but does not help me do it programmatically.

要点是，如果有人为用户获取令牌，他可以使用它来访问图形，这是我在我的应用程序中做的 - 我想确保人们正在转发由我的应用程序发给他们的令牌，而不是另一个。

Point is, if someone gets a token for a user, he can use it to access the graph, which is what I do in my application - I want to be sure that people are forwarding the token that was issued to them by my application, and not another.

我的应用程序流程是：

1. 从Facebook获取访问令牌（没有什么特别的，在这里，服务器端流（也是iPhone和Android，并使用，但如果我记得正确，它们有相似的流））$ $ $ $ $设备]


2. 使用该访问令牌，设备将使用令牌
   [device]< - >访问我的应用服务器[Jonathan的应用n]
   
   在我的服务器上，我将访问令牌附加到用户，并使用它来在我的应用程序中授予该用户的权限。 （使用Facebook连接来验证用户）
   

1. Get access token from facebook (nothing special, in the way it is described in here , Server-side Flow. (also iPhone and android and used, but they have similar flows if I recall correctly))
   [device] <-> [facebook]
2. With that access token, the device will access my application server with the token
   [device] <-> [Jonathan's application]
   At my server I attach the access token to the user and use that to give permissions to that user in my application. (using the facebook connect to authenticate users)
   

我的应用程序是安全的，完成的访问也被认证，无论Facebook，但是！在这个流程中，我确定的一个弱链接是，我无法验证我获得的访问令牌是否已经为我的应用程序签名 - 我不喜欢它，因为我缓存了用于离线使用的令牌，我想要100％肯定它们是我的应用程序，具有我的权限。

My application is secured, and the access done is also authenticated regardless of facebook, BUT! in this flow, the a weak link I identified is that I cannot authenticate for sure that the access token I got was signed for my application - I do not like it because I cache the tokens for offline use, I want to be 100% sure they are for my application, with my permissions.

那么（最好的）认证我得到的令牌与我的应用程序有关（关于用户，我使用令牌访问/我，看看这个令牌是哪个用户）

So what will be the (best) way to authenticate that the token I got is related to my application (for relation to user, I use the token to access /me and see which user this token is for)

我不需要解密令牌（我猜它的某种AES），我只是在寻找一个端点，告诉我匹配我的应用程序id的令牌。

I do not need to decrypt the token (i guess its some sort of AES), I am just looking for an endpoint that will tell me the token matched my application id.

（编辑：使用C＃SDK，如果它是重要的..但是图表/休息调用给出的信息也一样好:)）

( Using the C# SDK, if it matters.. But a graph/rest call to give that info is just as good as well :) )