Updating Signed Request using Javascript OAuth 2.0 SDK


Question

With the release of the new Javascript SDK and OAuth 2.0, I was wondering if it's possible to update the SignedRequest (and authtoken) without redirecting the user, so I used the following approach. Basically, this is a keep-alive approach for my app to get around the 2 hour expiration window of tokens.

My app consists of:

  1. A Flash front end + Javascript
  2. A web service (asmx) using the Facebook C# SDK

To update the signed request, I do the following:

  1. Every 20 seconds I call FB.getLoginStatus using setTimeout()
  2. This returns a new signedRequest
  3. I update my ajaxSetup to include this parameter on every call to my server.

var signedRequest;

// Store the latest signed request and make jQuery send it with every ajax call.
// $.ajaxSetup copies the value at the time it is called, so it has to be re-run
// whenever a new signed request arrives; assigning the variable alone changes nothing.
function updateSignedRequest(_signedRequest) {
    signedRequest = _signedRequest;
    $.ajaxSetup({ data: { "signed_request": signedRequest} });
}

// Poll every 20 seconds; the recursive setTimeout keeps the loop going.
(function ensureAuth() {
    setTimeout(function () { checkAuth(); ensureAuth(); }, 20000);
})();

function checkAuth() {
    // second argument true forces a round trip to Facebook instead of a cached answer
    FB.getLoginStatus(handleResCallback, true);
}

function handleResCallback(res) {
    if (!res.authResponse) {
        handleNotConnected();
    } else {
        updateSignedRequest(res.authResponse.signedRequest);
    }
}

A couple of questions:

I believe the Facebook C# SDK looks at the signed_request parameter on each new request, not the cookie. Will this always be the case?

Also, any other holes you can see in this approach?

Answer

This may not be the best approach for the user. If they have logged out or fail auth for any reason, you will need to handle it by presenting a pop up, or redirecting them to log in. This means they will be interrupted from what they are doing at a random time - rather than waiting for them to do something which requires the authentication, and then presenting the login etc. You could also subscribe to auth events instead of checking every 20 seconds. You will be able to set your handleNotConnected() as the callback when they deauth the app or sign out. Or, you could read the expiry time of the token, and only renew after the expiry time has passed.
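The two alternatives the answer describes, as an added example that is not the answer's own code: subscribing to the SDK's auth events, and renewing once near the token's expiry instead of polling every 20 seconds. FB.Event.subscribe('auth.statusChange', cb), FB.getLoginStatus(cb, force) and the authResponse fields expiresIn and signedRequest are the real SDK surface; makeFakeFB is a constructed stand-in so the logic runs without the SDK, the CONNECTED and LOGGED_OUT responses are constructed, and the 60-second renewal margin is an assumption.

```javascript
// Added example, not code from the original post or the answer.
// makeFakeFB, CONNECTED and LOGGED_OUT are constructed stand-ins for the SDK;
// the 60-second renewal margin is an assumed value.

// Delay before renewing, from authResponse.expiresIn (seconds): renew
// marginSeconds early, and immediately if the token is already that close to expiry.
function renewalDelayMs(authResponse, marginSeconds) {
  if (!authResponse || typeof authResponse.expiresIn !== 'number') return 0;
  return Math.max(0, (authResponse.expiresIn - marginSeconds) * 1000);
}

function createSessionState() {
  return { signedRequest: null, connected: false, notConnectedCount: 0 };
}

// Shared handler for getLoginStatus callbacks and auth.statusChange events.
// Only 'connected' carries a usable authResponse; 'not_authorized' and 'unknown'
// clear the stored signed request so the server stops receiving a stale one.
function handleStatusResponse(state, response) {
  if (response && response.status === 'connected' && response.authResponse) {
    state.signedRequest = response.authResponse.signedRequest;
    state.connected = true;
  } else {
    state.signedRequest = null;
    state.connected = false;
    state.notConnectedCount += 1; // the page would prompt for login at the next action that needs it
  }
  return state;
}

// Wire the handler to the SDK. schedule(fn, ms) is setTimeout-compatible and
// injected so the demo can record the delay instead of waiting for it.
function installAuthHandling(FB, state, schedule) {
  FB.Event.subscribe('auth.statusChange', function (response) {
    handleStatusResponse(state, response);
  });
  FB.getLoginStatus(function (response) {
    handleStatusResponse(state, response);
    if (state.connected) {
      // one forced round trip shortly before expiry, instead of one every 20 seconds
      schedule(function () {
        FB.getLoginStatus(function (r) { handleStatusResponse(state, r); }, true);
      }, renewalDelayMs(response.authResponse, 60));
    }
  });
}

// Constructed fake SDK: same call shapes as FB.Event.subscribe / FB.getLoginStatus,
// plus fire() to simulate the SDK emitting an event (e.g. the user logging out).
function makeFakeFB(initialResponse) {
  const listeners = {};
  return {
    Event: { subscribe: function (name, cb) { (listeners[name] = listeners[name] || []).push(cb); } },
    getLoginStatus: function (cb) { cb(initialResponse); },
    fire: function (name, response) { (listeners[name] || []).forEach(function (cb) { cb(response); }); },
  };
}

const CONNECTED = {
  status: 'connected',
  authResponse: { accessToken: 'constructed-token', expiresIn: 5400, signedRequest: 'constructed.signed-request', userID: '12345' },
};
const LOGGED_OUT = { status: 'unknown', authResponse: null };

function demo() {
  const state = createSessionState();
  const scheduledDelays = [];
  const FB = makeFakeFB(CONNECTED);
  installAuthHandling(FB, state, function (fn, ms) { scheduledDelays.push(ms); });
  const afterLogin = state.signedRequest;
  FB.fire('auth.statusChange', LOGGED_OUT); // user signs out or deauthorizes the app
  return {
    afterLogin: afterLogin,
    afterLogout: state.signedRequest,
    scheduledDelays: scheduledDelays,
    notConnectedCount: state.notConnectedCount,
  };
}

console.log(demo());
```

With the event subscription in place, a logout or deauthorization reaches handleStatusResponse as soon as the SDK sees it, and the one scheduled renewal replaces the 20-second polling loop; with the constructed 5400-second token and a 60-second margin, the renewal is scheduled 5340000 ms out.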
