客户端应该如何将 facebook 访问令牌传递给服务器? [英] How should a client pass a facebook access token to the server?

问题描述

在每次调用我的 REST API 时，我都要求客户端传递用户的 facebook 访问令牌，以对用户进行身份验证.传递此令牌的最佳做法是什么?

On every call to my REST API, I require clients to pass user's facebook access token, which authenticates the user. What's best practice for passing this token?

1. 可能作为 HTTP 问号后面的参数

1. maybe as a parameter behind the HTTP question mark

GET /api/users/123/profile?access_token=pq8pgHWX95bLZCML

或者以某种方式在请求的头部，类似于 HTTP 基本认证

or somehow in the header of the request, similarly to HTTP basic authentication

推荐答案

如果您查看所有流行的 OAuth 提供商(Google、Facebook、Pocket、Git 等)提供的 API 端点，您会发现它们都有 HTTPS端点.

If you look at the API endpoints provided by all popular OAuth providers (Google, Facebook, Pocket, Git etc), you'd see that they all have HTTPS endpoints.

您可以将访问令牌传递给提供者的方式是 -

The ways in which you can pass an access token to the provider are -

i) 作为查询参数 -

https://yourwebsite.com/api/endpoint?access_token=YOUR_ACCESS_TOKEN

ii) 在请求头 -

 GET /api/users/123/profile HTTP/1.1
 Host: yourwebsite.com
 Date: Tue, 14 May 2013 12:00:00 GMT
 Authorization: <YOUR_ACCESS_TOKEN>

这两种是大多数 API 普遍支持的方法.你可以考虑做同样的事情.

These two are approaches that are generally supported by most APIs. You can think of doing the same.

iii) Pocket API 根本不使用 GET.他们将 POST 用于所有请求，甚至用于检索数据.检查此链接以查看他们的文档.请注意，它们使用 POST 来检索数据并传递 JSON 参数.

iii) Pocket API does not use GET at all. They use POST for all their requests, even for retrieving data. Check this link to see their documentation. Notice that they use POST for retrieving data and pass JSON parameters.

这篇关于客户端应该如何将 facebook 访问令牌传递给服务器?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！