为 iOS 应用程序中的 Facebook 身份验证设计,该应用程序还访问安全的 Web 服务 [英] Design for Facebook authentication in an iOS app that also accesses a secured web service
问题描述
目标:允许用户通过 Facebook 向需要访问我正在运行的受保护网络服务的 iOS 应用程序进行身份验证.
Goal: Allow a user to authentication with Facebook into an iOS application which requires access to a protected web service that I'm running.
假设:对于那些选择不使用 Facebook 登录的用户,有一个本地身份验证(和注册)系统.
Assumptions: There is a native authentication (and registration) system in place for those users that opt not to use Facebook for sign in.
详情:
- 假设我们希望为用户提供使用 Facebook 登录的选项,而无需为我们的系统创建单独的帐户/凭据.
- 因为我们支持我们自己的本机身份验证机制(用户名和密码),所以我们拥有自己的用户 ID 并颁发身份验证令牌,用于在初始凭据验证后进行后续交互.
我很惊讶 Facebook 在他们的开发者文档中没有这方面的最佳实践.所有现有文档都假设您正在将 FB auth 构建到网站中,或者假设您正在将 FB auth 构建到网站中,或者是没有需要身份验证的服务的独立移动应用程序.
I'm surprised that Facebook doesn't have best practices for this in their developer documentation. All the existing documentation is either assuming you are building FB auth into a website, or a standalone mobile app with no service that requires authentication.
这是我对如何设计的初步想法,但希望验证它是否正确.
Here's my initial thoughts on how this would be designed but want validation on whether it's correct.
- 客户端弹出 Facebook iOS 登录
- 用户界面用户使用 Facebook 凭据登录并获取访问令牌
- iOS 应用将访问令牌传递给我们的服务器
我们的服务器使用访问令牌与 FB 图形 API 对话,以 (a) 验证令牌并 (b) 获取该访问令牌的 FB 用户 ID.
- Client pops the Facebook iOS Login
- UI User signs in with Facebook credentials and gets access token
- iOS App passes access token to our server
Our server talks to FB graph API using access token to (a) validate the token and (b) get the FB user ID for that access token.
例如我们的服务器会调用 https://graph.facebook.com/me/?access_token=XYZ 将返回 JSON 对象中的配置文件信息
e.g. Our server would call https://graph.facebook.com/me/?access_token=XYZ which would return profile info in a JSON object
假设它是有效的,我们的服务器从 JSON 对象中提取用户 ID 并检查用户是否已经有一个帐户.如果是这样,我们向客户端发出我们自己的身份验证票以用于该会话.如果用户没有帐户,我们会使用 Facebook 用户 ID 创建一个新帐户,分配我们自己的唯一用户 ID 并签发我们的身份验证票.
Assuming it's valid, our server extracts the User ID from the JSON object and checks whether the user already has an account. If so, we issue our own auth ticket to client to use for that session. If user doesn't have an account, we create a new one with the Facebook User ID, assign our own unique UserID and issue our auth ticket.
这对我来说似乎是正确的方法,但不确定我是否错过了一些非常基本的东西并走上了错误(复杂)的道路.
This seems like the right approach to me but not sure if I'm missing something insanely basic and going down the wrong (complicated) path.
推荐答案
我自己刚刚处理了这个问题,下面是我咬我的部分:
I just dealt with this myself, and here's the part that bit me:
在您的第 5 步中... 用户可以在与您的 Facebook ID 完全不同的情况下注册一个帐户,对吗?然后他们又用 Facebook 登录……而你刚刚为他们创建了第二个帐户,却丢失了他们的第一个帐户.
In your step 5... It's possible for a user to register for an account with you entirely separate from their Facebook ID, right? Then some other time they log in with Facebook.... And you just created them a second account and lost their first one.
需要有一种方法可以登录到您的网络服务,然后登录到 facebook,并捕获 facebook ID 和本地帐户之间的关联.
There needs to be a way to be logged in to your web service, then log in to facebook, and capture the association between the facebook ID and the local account.
除此之外,你的计划听起来很可靠.
Apart from that, your plan sounds solid.
更新:Facebook 添加了一个文档,概述了这种情况 这里
Update: Facebook has added a doc outlining such a scenario HERE
这篇关于为 iOS 应用程序中的 Facebook 身份验证设计,该应用程序还访问安全的 Web 服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
