How does one get the app access token for debug_token inspection on Facebook?
Question
It is suggested that whether your app uses code or token as your response_type you should perform an automated check on the access_token to confirm that the token belongs to the person the app expects it to belong to and that it was your app that generated the token.
You do this at:
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
where app-token is app_id|app_secret and token-to-inspect is the user's access_token. Also, I think from reading the documentation you can retrieve an app-token by doing a client-credentials call with the app_id and app_secret.
This is fine with an authorization flow implemented server-side, but what if you're using the implicit method and chose response_type as token (and for whatever reason aren't using FB's JavaScript SDK)? How do you safely get that app-token without leaking your app_secret? How does FB's SDK do it?
Answer
You can generate an app_token in your Facebook developer panel here and then simply save it into a config file server side. From the developer's page:
App tokens do not expire and should be kept secret as they are related to your app secret.
On my page, I use the following flow:
- The user authenticates with the Facebook JS SDK, and then sends his token + uid to the server.
- The server validates that the given token is related to the given person via a call to the "debug_token" method that you spoke of.
- If the token + uid combination is valid, it authenticates the user server side.
I hope this helps.
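The server-side check from the answer above, as an added example that is not the answerer's code: the app token (app_id|app_secret) stays in server config, and the debug_token reply is accepted only if it is valid, was issued for this app, and names the uid the client claimed. The app ID, app token and the sample reply bodies are constructed placeholders, not real Facebook values.

```python
import json
from urllib.parse import urlencode

# Placeholder values: replace with your own app ID and the app token read from server-side config.
APP_ID = "123456789012345"
APP_TOKEN = APP_ID + "|" + "APP_SECRET_PLACEHOLDER"  # app_id|app_secret form from the question


def debug_token_url(token_to_inspect: str) -> str:
    """Build the Graph API debug_token URL; the app token is only ever used server side."""
    query = urlencode({"input_token": token_to_inspect, "access_token": APP_TOKEN})
    return "https://graph.facebook.com/debug_token?" + query


def token_belongs_to(body: str, expected_uid: str) -> bool:
    """Return True only if the inspected token is valid, was minted for this app,
    and belongs to the uid the client claimed. IDs are compared as strings
    because the Graph API returns them as strings."""
    data = json.loads(body).get("data") or {}
    if data.get("is_valid") is not True:
        return False  # expired, revoked, or malformed token
    if str(data.get("app_id")) != APP_ID:
        return False  # a real token, but one issued to a different app
    if str(data.get("user_id")) != str(expected_uid):
        return False  # a real token for this app, but not for the claimed user
    return True


# Constructed sample replies in the shape of a debug_token response (not captured from Facebook).
GOOD = json.dumps({"data": {"app_id": APP_ID, "type": "USER", "application": "Demo App",
                            "expires_at": 1700000000, "is_valid": True,
                            "scopes": ["public_profile"], "user_id": "10000000000001"}})
OTHER_APP = json.dumps({"data": {"app_id": "999999999999999", "type": "USER", "is_valid": True,
                                 "scopes": ["public_profile"], "user_id": "10000000000001"}})
INVALID = json.dumps({"data": {"error": {"message": "Invalid OAuth access token."},
                               "is_valid": False, "scopes": []}})

if __name__ == "__main__":
    print(debug_token_url("USER_TOKEN_PLACEHOLDER"))
    print(token_belongs_to(GOOD, "10000000000001"))       # True
    print(token_belongs_to(GOOD, "10000000000002"))       # False: uid mismatch
    print(token_belongs_to(OTHER_APP, "10000000000001"))  # False: another app's token
    print(token_belongs_to(INVALID, "10000000000001"))    # False: Facebook reports it invalid
```

Only after token_belongs_to returns True should the server create its own session for that uid; the client-supplied uid on its own proves nothing.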