Facebook access token: server-side vs client-side flows


Question

Facebook docs:

Facebook Platform supports two different OAuth 2.0 flows for user login: server-side (known as the authentication code flow in the specification) and client-side (known as the implicit flow). The server-side flow is used whenever you need to call the Graph API from your web server. The client-side flow is used when you need to make calls to the Graph API from a client, such as JavaScript running in a Web browser or from a native mobile or desktop app.

What is the difference between access tokens taken by these flows? It seems like their lengths differ.

Can we use a server-side flow token on a client? And otherwise, can we use a client-side flow token on a server?

Recommended answer

Currently, Facebook says this about access_tokens. On Server-side OAuth

if the access_token is generated from a server-side OAuth call, the resulting access_token will have the longer expiration time by default. If the call is made while there is still a valid long-lived user access_token for that user, the returned user access_token from this second call may be the same or may have changed, but in either case the expiration time will be set to a long expiration time.

Whereas the client-side OAuth flow will give you an existing, non-expired, short-lived user access_token. To make this access_token long-lived, Facebook is providing a new endpoint that exchanges the short-lived access_token with an access_token with longer life. The endpoint is

https://graph.facebook.com/oauth/access_token?             
    client_id=APP_ID&
    client_secret=APP_SECRET&
    grant_type=fb_exchange_token&
    fb_exchange_token=EXISTING_ACCESS_TOKEN 

Also note:

Currently the long-lived user access_token will be valid for 60 days while the short-lived user access_tokens are currently valid from 1 to 2 hours.

Taken from https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/
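The exchange request in the answer carries `client_secret`, so it belongs on the web server, with the browser handing over only its short-lived token. The sketch below is an added example, not code from the original answer or from Facebook: the function names are hypothetical, and the response shape (JSON or form-encoded, with `expires_in` or `expires` holding the lifetime in seconds) is an assumption.

```python
import json
import time
from urllib.parse import parse_qs, parse_qsl, urlencode
from urllib.request import urlopen

EXCHANGE_URL = "https://graph.facebook.com/oauth/access_token"  # endpoint from the answer
SENSITIVE = {"client_secret", "fb_exchange_token", "access_token"}


def build_exchange_url(app_id, app_secret, short_lived_token):
    """Build the fb_exchange_token request; it embeds the app secret, so server only."""
    return EXCHANGE_URL + "?" + urlencode({
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "fb_exchange_token",
        "fb_exchange_token": short_lived_token,
    })


def redact(url):
    """Mask secret-bearing query values before the URL reaches a log line."""
    base, _, query = url.partition("?")
    pairs = [(k, "REDACTED" if k in SENSITIVE else v)
             for k, v in parse_qsl(query, keep_blank_values=True)]
    return base + "?" + urlencode(pairs)


def parse_exchange_response(body, now=None):
    """Return (token, expires_at_epoch). Body shape is assumed: JSON or form-encoded."""
    now = time.time() if now is None else now
    try:
        data = json.loads(body)
    except ValueError:
        data = {k: v[0] for k, v in parse_qs(body).items()}
    if not isinstance(data, dict) or "access_token" not in data:
        raise ValueError("token exchange failed: no access_token in response")
    lifetime = data.get("expires_in", data.get("expires"))  # assumed field names
    expires_at = now + int(lifetime) if lifetime is not None else None
    return data["access_token"], expires_at


def exchange_on_server(app_id, app_secret, short_lived_token, fetch=None):
    """Swap the client's short-lived token for a long-lived one without exposing the secret."""
    fetch = fetch or (lambda url: urlopen(url, timeout=10).read().decode())
    body = fetch(build_exchange_url(app_id, app_secret, short_lived_token))
    return parse_exchange_response(body)
```

Because the secret and both tokens travel in the query string, pass any URL through `redact` before logging it, and store the returned expiry so the server can tell when the 60-day token needs renewing.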
