您的位置: 首页  >  技术问答  >  Facebook访问令牌服务器端验证iPhone应用程序

Facebook访问令牌服务器端验证iPhone应用程序

分类: 技术问答 2022-03-29 21:18:10

Facebook访问令牌服务器端验证iPhone应用程序

问题描述:

我正在开发基于与服务器通信的iPhone应用程序,我想使用Facebook身份验证机制。

I'm developing iPhone application, that is based on communication with server, and I want to use Facebook authentication mechanisms.

基本上,我认为它应该像这个:

Basically, I think it should work like this:


  1. 在我的iPhone应用程序中,用户使用他的电子邮件和密码登录Facebook。

  2. 用户可以访问他的相关Facebook应用程序的数据。

  3. 成功登录后,我的iPhone应用程序会收到访问令牌。

  4. 进一步沟通在我的服务器上,我的iPhone应用程序应该使用收到的Facebook访问令牌(例如:在查询中)。

  5. 当我的服务器从iPhone应用程序接收到一些查询令牌时,应该询问Facebook的这个令牌是有效的(对于谁),如果是的话,服务器应该假定用户通过Facebook进行身份验证。

  1. In my iPhone app, user logs in to Facebook, using his email and password.
  2. User allows access to his data for related Facebook application.
  3. My iPhone app receives access token, after successful log in.
  4. In further communication with my server, my iPhone application should use the received Facebook access token (for example: in queries).
  5. When my server receives some query from iPhone app, with access token, it should ask Facebook that this token is valid (and for who), and if yes, server should assume that user is authenticated with Facebook.

我的问题是:如果给定访问令牌有效,服务器应如何询问Facebook?我想我应该以某种方式检查令牌对我的Facebook应用程序是否有效。

My question is: how the server should ask Facebook if given access token is valid? I think I should somehow check if the token is valid for my Facebook app.

我已经尝试过许多Facebook查询来绘制API,我发现,但没有按照我的预期工作。你可以提供一些例子吗?

I've tried many Facebook queries to graph API, that I've found, but nothing worked as I expected. Can you provide me some example?


更新:这个答案似乎不安全,因为它不会将令牌
首先验证为属于您的应用程序,请参阅评论,原始答案为
如下:

Update: this answer seems insecure since it doesn't validate the token first as belonging to your app, see the comments, original answer as follows:

我假设你已经有访问令牌了。在这种情况下,验证访问令牌的最简单方法是发出以下请求。

I assume that you already have the access token in hand. In such a case the simplest way to validate an access token is to issue the following request

https://graph.facebook.com/me?fields=id&access_token=@accesstoken

这里用@accesstoken替换访问令牌有。我将分解URL,并解释每一个。

Here replace @accesstoken with the access token you have. I will breakdown the url and will explain each.

我们正在发出一个图形api请求,这将返回访问令牌的所有者的Facebook用户ID作为JSON串。关键字我表示当前登录的用户或访问令牌的所有者。对于此请求,访问令牌是必需的参数。

We are issuing a graph api request here which will return the Facebook User Id of the owner of the access token as a JSON string. The keyword 'me' represents the currently logged in user or the owner of the access token. For this request access token is a mandatory parameter.

如果提供的访问令牌无效或过期,Facebook将只返回某种错误消息。

If the provided access token is not valid or expired Facebook will just return an error message of some sort.

对于有效的访问令牌,结果将以某种方式看起来像这样

For a valid access token the result will somehow look like this

{
   "id": "ID_VALUE"
}

相关推荐