Facebook oauth2 API refresh tokens


Problem description

I am building an application that does not have a client interface.

At the setup step: the user logs into the server through a browser once using OAuth, and the server makes sure that the client is identified.

From this point on, no browsers are involved. It all happens in the background. It then keeps acting on behalf of the user for as long as the user can be validated. That means that once in a while, my server needs to call the OAuth provider to validate that the user still exists. Until now, I have only used Google OAuth: once in a while, I would call the refresh token API and get a new token indefinitely from the server side (you need to ask for "offline access" when you get the user token).

Now I would like to use Facebook as well, but reading their APIs, I see no mention of a possibility for a server to refresh its tokens: https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing/ It looks like it all has to be done from the client device. As I have no client device, does this mean that I cannot write this sort of app with Facebook?

Recommended answer

I think your scenario can be covered through Facebook's mechanism. But you need to support a re-login if some error occurs while using the long-lived access token. This can happen due to security measures taken by Facebook (e.g. a data breach or a cryptographic breach), when the user revokes tokens or changes their password, or when tokens are not used for a longer time.

Steps to follow (according to their docs):

  1. Obtain a user access token. These are short-lived:

     Short-lived tokens usually have a lifetime of about an hour or two.

  2. Exchange the short-lived token for a long-lived token. These have a life span of around 60 days, even when they are not used:

     A long-lived token generally lasts about 60 days.

  3. Basically, once you obtain a long-lived token, you can use it from the server application. During this process, you require a client that uses a browser only to obtain the short-lived access token. But as previously mentioned, these tokens can expire:

     These tokens are refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.

     So you will need to obtain new ones by going through the above two steps.
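The server-side half of the three steps in the answer above, as an added example that is not part of the original question or answer and not Facebook's own code: the `fb_exchange_token` call that turns the browser-obtained short-lived token into a long-lived one, a `/debug_token` validity check for the background loop, and the error classification that decides when the user must be sent back through browser login. The Graph API version string, the app id and secret, and every response in `fake_graph` are assumptions constructed for offline use; they mirror the documented shapes of the real endpoints but are not real responses. The `appsecret_proof` parameter (HMAC-SHA256 of the token keyed with the app secret) is a real Graph feature worth enabling for exactly this kind of server-only app, since a leaked long-lived token is then useless without the secret.

```python
"""Server-side handling of Facebook long-lived user tokens (added example, not from the post).

Assumptions (not stated in the post): the Graph version, APP_ID/APP_SECRET, and the
constructed responses served by fake_graph(), which stand in for graph.facebook.com.
"""
import hashlib
import hmac
import json
import time
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

GRAPH = "https://graph.facebook.com/v19.0"  # assumed version; use the one your app targets


class ReLoginRequired(Exception):
    """The stored token is dead for good: send the user through browser login again."""


def appsecret_proof(app_secret: str, access_token: str) -> str:
    # HMAC-SHA256(key=app_secret, msg=token). With "Require App Secret" enabled, Graph rejects
    # calls lacking this, so a token stolen from your database cannot be replayed elsewhere.
    return hmac.new(app_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()


def http_get(url: str):
    """Real transport: (status, parsed JSON), including Graph's JSON error bodies on 4xx."""
    try:
        with urlopen(Request(url), timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def _raise_for_oauth_error(body: dict) -> None:
    err = body.get("error")
    if not err:
        return
    # code 190 = OAuthException about the token itself (expired, revoked, password changed).
    # These are the cases the answer says need a fresh browser login; nothing server-side fixes them.
    if err.get("type") == "OAuthException" and err.get("code") == 190:
        raise ReLoginRequired(f"{err.get('message')} (subcode {err.get('error_subcode')})")
    raise RuntimeError(f"Graph error {err.get('code')}: {err.get('message')}")


def exchange_for_long_lived(app_id, app_secret, short_token, http=http_get, now=time.time) -> dict:
    """Step 2: trade the short-lived token for a ~60-day one. Carries the app secret, so server only."""
    url = f"{GRAPH}/oauth/access_token?" + urlencode({
        "grant_type": "fb_exchange_token", "client_id": app_id,
        "client_secret": app_secret, "fb_exchange_token": short_token})
    _, body = http(url)
    _raise_for_oauth_error(body)
    # Store an absolute expiry so the background job can act before the token dies, not after.
    return {"access_token": body["access_token"], "expires_at": int(now() + body.get("expires_in", 0))}


def ensure_valid(app_id, app_secret, stored, http=http_get, now=time.time) -> dict:
    """Background check: local expiry first, then /debug_token, which also sees revocation."""
    if stored["expires_at"] <= now():
        raise ReLoginRequired("long-lived token past its recorded expiry")
    url = f"{GRAPH}/debug_token?" + urlencode({
        "input_token": stored["access_token"], "access_token": f"{app_id}|{app_secret}"})
    _, body = http(url)
    _raise_for_oauth_error(body)
    data = body["data"]
    if not data.get("is_valid"):
        raise ReLoginRequired(f"token invalid: {data.get('error', {}).get('message')}")
    return data


def call_graph(app_secret, stored, path, http=http_get) -> dict:
    """Step 3: act on the user's behalf from the server, with appsecret_proof on every call."""
    token = stored["access_token"]
    url = f"{GRAPH}/{path}?" + urlencode(
        {"access_token": token, "appsecret_proof": appsecret_proof(app_secret, token)})
    _, body = http(url)
    _raise_for_oauth_error(body)
    return body


# ---- constructed offline stand-in for graph.facebook.com (assumed values, not real data) ----
APP_ID, APP_SECRET, FIXED_NOW = "123456789", "app-secret-example", 1_700_000_000


def fake_graph(url: str):
    p = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    expired = {"error": {"message": "Error validating access token: Session has expired.",
                         "type": "OAuthException", "code": 190, "error_subcode": 463}}
    if p.path.endswith("/oauth/access_token") and q.get("fb_exchange_token") == "SHORT":
        return 200, {"access_token": "LONG", "token_type": "bearer", "expires_in": 5183944}
    if p.path.endswith("/debug_token"):
        return 200, {"data": {"app_id": APP_ID, "is_valid": q.get("input_token") == "LONG",
                              "scopes": ["public_profile"]}}
    if p.path.endswith("/me"):
        if q.get("access_token") != "LONG":
            return 400, expired
        if q.get("appsecret_proof") != appsecret_proof(APP_SECRET, "LONG"):
            return 400, {"error": {"message": "Invalid appsecret_proof", "code": 100}}
        return 200, {"id": "10101", "name": "Example User"}
    return 404, {"error": {"message": "unknown path", "code": 803}}


def demo() -> dict:
    """Runs the whole flow against fake_graph and reports which cases trigger a re-login."""
    clock = lambda: FIXED_NOW
    stored = exchange_for_long_lived(APP_ID, APP_SECRET, "SHORT", http=fake_graph, now=clock)
    ensure_valid(APP_ID, APP_SECRET, stored, http=fake_graph, now=clock)
    profile = call_graph(APP_SECRET, stored, "me", http=fake_graph)

    def relogin(fn):
        try:
            fn()
            return False
        except ReLoginRequired:
            return True

    return {
        "stored": stored, "profile": profile,
        "relogin_on_expired_call": relogin(lambda: call_graph(
            APP_SECRET, {"access_token": "OLD", "expires_at": FIXED_NOW + 1}, "me", http=fake_graph)),
        "relogin_on_local_expiry": relogin(lambda: ensure_valid(
            APP_ID, APP_SECRET, {"access_token": "LONG", "expires_at": FIXED_NOW - 1}, http=fake_graph, now=clock)),
        "relogin_on_debug_invalid": relogin(lambda: ensure_valid(
            APP_ID, APP_SECRET, {"access_token": "OLD", "expires_at": FIXED_NOW + 1}, http=fake_graph, now=clock)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Swap `fake_graph` for the default `http_get` to talk to the real API. Keep the app secret and the stored long-lived token server-side (encrypted at rest), schedule `ensure_valid` well before `expires_at`, and treat any `ReLoginRequired` as a signal to notify the user rather than as a retryable fault: the answer's point is that after a revocation, password change or 60 idle days, only a new browser login produces a usable token.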
