从用户访问令牌中获取应用程序 ID(或验证令牌的源应用程序)

我发现了这个问题，有一个答案，但facebook从那时起改变了令牌格式，现在是这样的:

I found this question, which has an answer, but facebook changed the token format since then, now it is something like:

AAACEdEose0cBACgUMGMCRi9qVbqO3u7mdATQzg[more funny letters]ig8b3uss9WrhGZBYjr20rnJu263BAZDZD

简而言之，您无法从中推断出任何内容.我还找到了 访问令牌调试器，如果您粘贴令牌，它会显示我正在寻找的信息，这很好，但不能帮助我以编程方式进行.

In short, you cannot infer anything from it. I also found the access token debugger, which shows the information I am looking for if you paste a token in, which is nice, but does not help me do it programmatically.

重点是，如果有人为用户获取令牌，他可以使用它来访问图形，这就是我在我的应用程序中所做的 - 我想确保人们正在转发由我的应用程序，而不是另一个.

Point is, if someone gets a token for a user, he can use it to access the graph, which is what I do in my application - I want to be sure that people are forwarding the token that was issued to them by my application, and not another.

我的申请流程是:

1. 从 facebook 获取访问令牌(没什么特别的，按照 此处 中描述的方式，服务器端流程.(还有 iPhone 和 android 并使用过，但如果我没记错的话，它们也有类似的流程))
   [设备] [脸书]
2. 使用该访问令牌，设备将使用令牌访问我的应用服务器
   [设备] [乔纳森的应用程序]
   在我的服务器上，我将访问令牌附加到用户并使用它在我的应用程序中向该用户授予权限.(使用 facebook 连接验证用户)
   

1. Get access token from facebook (nothing special, in the way it is described in here , Server-side Flow. (also iPhone and android and used, but they have similar flows if I recall correctly))
   [device] <-> [facebook]
2. With that access token, the device will access my application server with the token
   [device] <-> [Jonathan's application]
   At my server I attach the access token to the user and use that to give permissions to that user in my application. (using the facebook connect to authenticate users)
   

我的应用程序是安全的，并且无论 Facebook 是什么，完成的访问也经过身份验证，但是！在这个流程中，我发现的一个薄弱环节是我无法确定我获得的访问令牌是为我的应用程序签名的 - 我不喜欢它，因为我缓存了令牌以供离线使用，我想 100% 确定它们用于我的应用程序，经过我的许可.

My application is secured, and the access done is also authenticated regardless of facebook, BUT! in this flow, the a weak link I identified is that I cannot authenticate for sure that the access token I got was signed for my application - I do not like it because I cache the tokens for offline use, I want to be 100% sure they are for my application, with my permissions.

那么，验证我获得的令牌与我的应用程序相关的(最佳)方法是什么(对于与用户的关系，我使用令牌访问/me 并查看此令牌适用于哪个用户)

So what will be the (best) way to authenticate that the token I got is related to my application (for relation to user, I use the token to access /me and see which user this token is for)

我不需要解密令牌(我猜它是某种 AES)，我只是在寻找一个端点，它会告诉我令牌与我的应用程序 ID 匹配.

I do not need to decrypt the token (i guess its some sort of AES), I am just looking for an endpoint that will tell me the token matched my application id.

(使用 C# SDK，如果重要的话......但是提供该信息的图形/休息调用也一样好:))

( Using the C# SDK, if it matters.. But a graph/rest call to give that info is just as good as well :) )