最佳实践(最佳为Android):与Facebook或谷歌登录用户进行身份验证 [英] Best practices (best for Android): authenticate a user with Facebook or Google login
问题描述
我正在开发与Facebook和谷歌的选择登录一个应用程序,以及经典的电子邮件+密码登录。我追赶我想知道关于签订与第三方的API几件事情:
I am developing an app with both Facebook and Google option for login, as well as a classic e-mail+password login. I am catching myself wondering about several things regarding signing in with third-party APIs:
1。 因为一个用户可以登录他的Facebook帐户,后来决定退出,并签署与他的谷歌帐户,用户应通过自己的E-mail地址被识别。所以,每当他签署在不同的帐户,电子邮件地址查找在数据库中,如果它被发现,它十分重视这项新的登入到pviously创建的帐户的$ P $。刚刚批准了这一点,请。
1. since one user could sign in with his Facebook account and later on decide to log out and sign in with his Google account, the user should be recognized by his e-mail address. So whenever he signs in with a different account, the e-mail address is searched in the database and if it is found, it attaches this new signin to the previously created account. Just approve this point,please.
2。 如果在用户登录使用Facebook登录,就可以得到一个accessToken,用户id,用户电子邮件等什么是如此,它仍然是最安全的方式来验证用户的最佳做法是什么?我应该直接送他的Facebook accessToken和E-mail地址的服务器?如果服务器对证的Facebook,如果accessToken真的存在的Facebook? 什么是产生在服务器端的应用程序和私营部门的访问令牌的最好,最安全的方法是什么?我听说过一些关于MD5哈希......那时候我只使用这种新生成的访问令牌的API调用,而不是使用任何Facebook的凭据?或者我应该使用Facebook的凭据,从而将它们保存在服务器/客户端? 我将使用Java应用程序引擎为我的应用程序的服务器端。
2. If the user signs in with Facebook login, you can get an accessToken, userId, user e-mail etc. What is the best practice to authenticate the user so that it is still the most secure way? Should I send his facebook accessToken and e-mail adress directly to the server? Should the server check against Facebook, if the accessToken really exists on Facebook? What is the best and most secure way to generate an application-private access token on the server side? I have heard something about MD5 hash...Should I then use only this newly generated access token in API calls and not use any of the facebook credentials? Or should I use the Facebook credentials and thus save them on the server/client side? I am going to use Java App-engine for the server side of my app.
3。 如果什么用户删除自己的帐号在Facebook?该应用程序将如何知道吗?如果它知道它无论如何,应该将其与帐户吗?
3. What if the user deletes his account on Facebook? How will the app know about this? If it knows it anyhow, what should it do with the account?
- 我应该定期检查对Facebook的访问令牌,如果它仍然是有效的吗?为什么以及如何和多久?
我不知道,如果我要求在正确的地方。如果我错了,请,重定向我的方式,我应该去,也许对这些最佳实践一定的联系?到目前为止,我haven't发现任何会回答我所有的问题。这是编码和安全相关的,我猜。 感谢您所有的技巧和窍门。
I am not sure if I am asking at the right place. If I am wrong, please, redirect me the way I should go, maybe some links on these best practices? So far, I haven´t found anything that would answer ALL my questions. It is both coding and security related, I guess. Thanks for all of your tips and tricks.
推荐答案
一些阅读,并要求我想出了这个之后:
After some reading and asking I have come up to this:
1。 是的,如果你希望你的用户注册使用他们的Facebook或谷歌帐户,您调用API,获得电子邮件地址(它甚至与Google's的AccountManager在Android上更容易),将其发送到服务器,将节省电子邮件地址,关联一个用户ID和生成it's自己的访问code。访问code将被发送回客户端应用程序来保存以备后用。每当用户想要做一些操作,服务器API将会被调用,使用user's的e-mail地址和访问code和你可以肯定它确实是用户。这是更难从外部调用的API,并正确地猜测这两个电子邮件地址,并获得code所以它是偏于安全。
1. Yes, if you want your users to sign up with their Facebook or Google account, you call the API, get the e-mail address (it is even easier with Google´s AccountManager on Android), send it to your server that will save the e-mail address, associate a userID and generate it´s own access code. The access code will be sent back to your client app to store it for later use. Whenever the user wants to do some operations, the server API will be called with the user´s e-mail address and access code and you can be sure it really is the user. It is much harder to call the API from outside and guess correctly both the e-mail address and access code so it is somewhat safe.
2。 由于Facebook登录仅用于对用户进行认证,这意味着只验证用户是否存在,并有一个账户,我们实际上鸵鸟政策需要FB accessToken。我们需要的FB accessToken仅用于Facebook的服务器API调用,因此,例如,当我们要检索的user's朋友等的列表。在这种情况下,你可以得到由Facebook的SDK中提供的活动会话,并从那里得到accessToken。
2. Since the Facebook login is only used to authenticate the user, which means to only verify that the user exists and has an account, we don´t actually need the FB accessToken. We would need the FB accessToken only for API calls for Facebook server, so for example when we want to retrieve a list of user´s friends and so on. In this case, you can get the active session that is provided by Facebook SDK and get the accessToken from there.
3。 这种情况下,再次pretty的简单。 如果您只使用Facebook登录验证用户,你鸵鸟政策护理如果用户删除他的帐户在未来。第一次登录后,你救了他的电子邮件地址,可能是图片,不再关心他的Facebook个人资料。 如果您使用Facebook登录获取等好友列表,你不保持这种类型的数据在本地存储,无论如何,所以只要用户删除自己的帐户,他失去了他的好友列表为好。或者,你可以保持自己的好友列表,并尝试更新它每次他使用你的应用程序,一旦他删除了他的帐户,好友列表停止更新,这是再次到你的用户不使用Facebook帐户。最后的想法是相当适合游戏应用程序使用的情况下....只是一个想法,没有什么正式接受为是最好的。
3. This case is again pretty simple. If you only use Facebook login to authenticate the user, you don´t care if the user deletes his account in the future. After the first login, you save his email address, possibly a picture and no longer care about his facebook profile. If you use the Facebook login for getting a friends list and so on, you do not keep this type of data in your local storage anyway, so as soon as the user deletes his account, he loses his friendlist as well. Or, you can keep his friendlist and try to update it everytime he uses your app and once he deletes his account, the friendlist stops being updated and it is, again, up to your user not to use the Facebook account. The last idea would rather suit game apps use cases....just an idea, not anything officially accepted as the best.
这篇关于最佳实践(最佳为Android):与Facebook或谷歌登录用户进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
