迁移到 OAuth 2.0 后获取 access_token 的问题 [英] Problem getting access_token after migrating to OAuth 2.0

问题描述

我已尝试将我的应用程序迁移到 OAuth 2.0 例程.我无法从 JavaScript API 设置的 cookie 中获取 access_token.我解码了 cookie 中的信息，但我得到的是一个代码，而不是 access_token 和用户信息.这似乎是一个相当奇怪的变化.是否有任何解决方法，因为当您在获取代码时未指定 redirect_uri 时，似乎无法将代码交换为 access_token.

I have tried migrating my app to the OAuth 2.0 routine. I am having trouble getting the access_token from the cookie set by the JavaScript API. I decode the information in the cookie, but instead of an access_token and the user information I get a code. This seems like a rather weird change. Is there any workaround for this, because it seems that you can't get your code exchanged to an access_token when you haven't specified a redirect_uri when you acquired the code.

我曾考虑过从 JavaScript API 的响应中获取 access_token 并将其存储在 cookie 中，但这有点违背了扩展安全性的全部目的，我想问一下是否有适当的方法来做到这一点.

I have considered just taking the access_token from the response in the JavaScript API and storing it in a cookie, but that kinda defeats the whole purpose of the extended security and I wanted to ask if there was a proper way to do it.

可能是我做错了什么，如果是这样，请告诉我:)

Could be that I am doing something wrong though, and if that is the case please tell me :)

编辑我知道 cookie 保存了一个签名的请求，但根据文档，签名的请求应该保存我需要的信息，比如 access_token 和 uid，但在我的例子中它只保存代码.这基本上是我不明白的部分.

EDIT I am aware that the cookie holds a signed request, but according to the docs that signed request should hold the information I require like access_token and uid, but in my instance it only holds the code. That is basically the part I don't understand.

推荐答案

事实证明(即使没有记录)我们需要自己交换代码以获取 access_token.我认为这完全是浪费，因为那是旧饼干的好处.获取 access_token 既快速又容易.

Turns out that (even though it is not documented) we need to exchange the code for an access_token ourselves. I think this is a total waste since that was the nice thing about the old cookie. It was fast and easy to get the access_token.

无论如何.要从新 cookie 中获取 access_token，您需要执行以下操作:

Anyway. To get the access_token from the new cookie you need to do the following:

public string ReturnAccessToken()
{
    HttpCookie cookie = htc.Request.Cookies[string.Format("fbsr_{0}", facebookAppID)];
    string jsoncode = System.Text.ASCIIEncoding.ASCII.GetString(FromBase64ForUrlString(cookie.Value.Split(new char[] { '.' })[1]));

    JsonData data = JsonMapper.ToObject(jsoncode);

    getAccessToken(data["code"].ToJson()
}

private string getAccessToken(string code)
{
    //Notice the empty redirect_uri! And the replace on the code we get from the cookie.
    string url = string.Format("https://graph.facebook.com/oauth/access_token?client_id={0}&redirect_uri={1}&client_secret={2}&code={3}", "YOUR_APP_ID", "", "YOUR_APP_SECRET", code.Replace(""", ""));

    System.Net.HttpWebRequest request = System.Net.WebRequest.Create(url) as System.Net.HttpWebRequest;
    System.Net.HttpWebResponse response = null;

    using (response = request.GetResponse() as System.Net.HttpWebResponse)
    {
        System.IO.StreamReader reader = new System.IO.StreamReader(response.GetResponseStream());

        string retVal = reader.ReadToEnd();
        return retVal;
    }
}

public byte[] FromBase64ForUrlString(string base64ForUrlInput)
{
    int padChars = (base64ForUrlInput.Length % 4) == 0 ? 0 : (4 - (base64ForUrlInput.Length % 4));
    StringBuilder result = new StringBuilder(base64ForUrlInput, base64ForUrlInput.Length + padChars);
    result.Append(String.Empty.PadRight(padChars, '='));
    result.Replace('-', '+');
    result.Replace('_', '/');
    return Convert.FromBase64String(result.ToString());
}

这似乎有点多余，但我想您可以将 access_token 存储在会话变量中.如果您这样做并且 iFrame 是您在 Facebook 上的应用程序，您需要知道如果用户将其浏览器隐私设置设置为中等，它将无法在 IE 6、7 和 8 中运行.有一个解决方法，但由于它不是这个问题的一部分，我不会写它.如果人们真的想要它，请写评论，我会展示它:)

This may seem a bit redundant, but I suppose you can store the access_token in a session variable. If you do this and iFrame the your app on Facebook you need to know that it will not work in IE 6, 7 and 8 if the user have set his browser privacy settings to medium. There is a workaround for this, but as it is not a part of this question I will not write it. If people really want it, write a comment and I will show it :)

-----------------------------------编辑-------------------------------------------

-----------------------------------EDIT------------------------------------------

在使用任何旧版 IE 浏览器时，您不能在带有 Iframe 的页面中使用 cookie 或会话变量，例如您在 Facebook 上的页面.这是一个在编码中无法真正解决的问题.充分我的意思是解决方案不好.您需要在响应中设置 p3p-header.您当然可以在为您服务的所有页面编码时执行此操作，但最简单的解决方案(如果您使用 .NET 服务器来托管您的页面)是为 IIS 设置 p3p 策略.可以在 http://support.microsoft.com/kb/324013 中查看相关指南.你在 p3p 政策中写什么并不重要(如果你检查 Facebooks own 你可以看到他们使用我们没有 p3p 政策)，重要的部分是有一些东西.我在使用时遇到了麻烦虽然是随机文本，但如果您使用示例中的文本，应该没有问题:)

When using any of the old IE browsers you can't use cookies or session variables in pages that are Iframed in, like your pages on Facebook. This is a problem that can't really be solved sufficiently in coding. By sufficiently I mean that the solution is not nice. You need to set the p3p-header in your response. You can of course do this in coding for all the pages that you service, but the easiest solution (if you are using a .NET server to host your pages) is to set up a p3p policy for the IIS. A guide for this can be seen in http://support.microsoft.com/kb/324013. It shouldn't matter what you write in the p3p policy (if you check Facebooks own you can see that they use "We don't have a p3p policy), the important part is that there stands something. I have had troubles just using random text though, but if you use the text in the example there shouldn't be a problem :)

这让我花了很长时间才发现，所以我希望有人可以使用它:D

This took me forever to find out, so I hope someone can use it :D

这篇关于迁移到 OAuth 2.0 后获取 access_token 的问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！