How does one get the app access token for debug_token inspection on Facebook?


Question

It is suggested that whether your app uses code or token as your response_type you should perform an automated check on the access_token to confirm that the token belongs to the person the app expects it to belong to and that it was your app that generated the token.

You should do this at

GET graph.facebook.com/debug_token?
 input_token={token-to-inspect}
 &access_token={app-token-or-admin-token}

where app-token is app_id|app_secret and token-to-inspect is the user's access_token. Also, I think from reading the documentation you can retrieve an app-token by doing a client-credentials call with the app_id and app_secret.

This is fine with an authorization flow implemented server-side, but what if you're using the implicit method and chose response_type as token (and for whatever reason aren't using FB's javascript SDK)? How do you safely get that app-token without leaking your app_secret? How does FB's SDK do it?

Accepted answer

You can generate an app_token in your Facebook developer panel here and then simply save it into a config file server side. From the developer's page:

App tokens do not expire and should be kept secret as they are related to your app secret.

On my page, I use the following flow:

  1. The user authenticates with the Facebook JS SDK, and then sends his token + uid to the server.
  2. The server validates that the given token is related to the given person via a call to the "debug_token" method, that you spoke of.
  3. If the token + uid combination is valid, it authenticates the user server side.

I hope this helps.
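The following is an added example (not code from the question, the answer, or Facebook's SDK) that puts the two halves of this thread together: the debug_token check the question describes, and steps 2 and 3 of the answer's server-side flow. The app token is assembled as app_id|app_secret on the server only, which is what keeps the secret out of the browser; the app id, secret, tokens and the JSON responses are constructed placeholders, and the response shape (a "data" object with is_valid, app_id and user_id) is assumed to match what /debug_token returns. The HTTP call is injected so the example runs offline against the constructed table.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; real values live in server-side config only.
APP_ID = "123456789012345"
APP_SECRET = "app-secret-placeholder"
GRAPH_DEBUG_TOKEN = "https://graph.facebook.com/debug_token"


def app_access_token(app_id, app_secret):
    """App token in the app_id|app_secret form the question describes.
    It embeds the app secret, so it is built and used server side only."""
    return f"{app_id}|{app_secret}"


def debug_token_url(token_to_inspect, app_token):
    """URL for the GET the question shows; urlencode escapes the '|' as %7C."""
    query = urlencode({"input_token": token_to_inspect, "access_token": app_token})
    return f"{GRAPH_DEBUG_TOKEN}?{query}"


def validate_debug_token(response_json, expected_app_id, expected_user_id):
    """Check the three things the question wants confirmed: the token is valid,
    it was issued for this app, and it belongs to the user the client claims.
    Returns (ok, reason). Ids are compared as strings so "123" == 123."""
    data = response_json.get("data") or {}
    if "error" in data or not data.get("is_valid"):
        return False, "token is not valid"
    if str(data.get("app_id")) != str(expected_app_id):
        return False, "token was issued for a different app"
    if str(data.get("user_id")) != str(expected_user_id):
        return False, "token does not belong to the claimed user"
    return True, "ok"


def handle_login(claimed_uid, user_token, fetch_json, app_id=APP_ID, app_secret=APP_SECRET):
    """Steps 2 and 3 of the answer's flow: the browser sent token + uid, the
    server asks /debug_token whether they belong together, and only then
    opens a session. Returns the session dict, or None to refuse."""
    url = debug_token_url(user_token, app_access_token(app_id, app_secret))
    ok, _reason = validate_debug_token(fetch_json(url), app_id, claimed_uid)
    if not ok:
        return None
    return {"uid": claimed_uid, "authenticated": True}


def http_fetch_json(url):
    """Production fetcher: a plain HTTPS GET of the debug_token URL."""
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


# Constructed sample responses in the assumed /debug_token shape.
SAMPLE_VALID = {"data": {"app_id": APP_ID, "type": "USER", "application": "Example App",
                         "expires_at": 1700000000, "is_valid": True, "issued_at": 1690000000,
                         "scopes": ["public_profile", "email"], "user_id": "10000000000001"}}
SAMPLE_WRONG_APP = {"data": {**SAMPLE_VALID["data"], "app_id": "999999999999999"}}
SAMPLE_INVALID = {"data": {"error": {"code": 190, "message": "Invalid OAuth access token."},
                           "is_valid": False, "scopes": []}}

# Constructed stand-in for the Graph API, keyed by the token being inspected.
FAKE_GRAPH = {"EAAB-valid": SAMPLE_VALID, "EAAB-other-app": SAMPLE_WRONG_APP}


def fake_fetch_json(url):
    """Offline fetcher: looks input_token up in the constructed table."""
    token = parse_qs(urlparse(url).query)["input_token"][0]
    return FAKE_GRAPH.get(token, SAMPLE_INVALID)


if __name__ == "__main__":
    # Matching token + uid is accepted; a mismatched uid, a token from another
    # app, or an invalid token is refused before any session is created.
    print(handle_login("10000000000001", "EAAB-valid", fake_fetch_json))
    print(handle_login("10000000000002", "EAAB-valid", fake_fetch_json))
    print(handle_login("10000000000001", "EAAB-other-app", fake_fetch_json))
    print(handle_login("10000000000001", "garbage", fake_fetch_json))
```

In a real deployment `handle_login` is called with `http_fetch_json`, and the uid check matters as much as `is_valid`: a valid token for some other user of the same app must not log the claimed uid in.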
