如何从客户端传递的Facebook的ID以服务器安全地 [英] How to pass Facebook Id from client to server securely
问题描述
我有一个Facebook应用程序的画布。我现在用的是JS SDK来验证在浏览器端的用户,并通过FB.api(如姓名,朋友等)要求的各种信息。
I have a Facebook canvas app. I am using the JS SDK to authenticate the user on the browser-side and request various information via FB.api (e.g. name, friends, etc.).
我也想通过一个Ajax调用坚持一些额外的用户信息(不举行在Facebook上),以我的服务器上的数据库:
I also want to persist some additional user information (not held on Facebook) to the database on my server by making an ajax call:
{ userFavouriteColour: "Red" }
要保存该服务器和准用正确的用户,我需要知道Facebook的uid和该presents一个问题。我如何通过从客户端的UID到服务器。
To save this on the server and associate with the correct user, I need to know the Facebook uid and this presents a problem. How do I pass the uid from the client to the server.
选项1:添加UID Ajax请求
{ uid: "1234567890",
userFavouriteColour: "Red" }
这显然是没有好处的。这将是微不足道的人用别人的Facebook的帐号做一个Ajax请求我的web服务,改变自己喜欢的颜色。
This is obviously no good. It would be trivial for anyone to make an ajax request to my web service using someone else's Facebook Id and change their favourite colour.
选项2:在服务器上,从cookie中提取UID :
这甚至可能?我已阅读,Facebook的设置包含uid和访问令牌的cookie但我有我的域名访问这个cookie?更重要的是,我的安全的提取UID形式的cookie,或者这是开放给欺骗就像选项1。
Option 2: On the server, extract the uid from a cookie: Is this even possible? I have read that Facebook sets a cookie containing the uid and access token but do I have access to this cookie on my domain? More importantly, can I securely extract the uid form the cookie or is this open to spoofing just like option 1.
选项3:用户服务器端的服务器上进行验证:
我可以使用服务器端身份验证来验证我的服务器上的用户身份。但这项工作,如果我已经在使用浏览器客户端验证?我将结束与两个不同的访问令牌?我想从浏览器让FB.api请求,所以我需要在客户端访问令牌(不仅仅是在服务器上)。
Option 3: User server-side authentication on the server: I could use the server-side authentication to validate the user identity on my server. But will this work if I am already using client-side authentication on the browser? Will I end up with two different access tokens? I would like to make FB.api requests from the browser so I need the access token on the client (not just on the server).
这必须是一个很常见的场景,所以我觉得我失去了一些东西根本。我已经读了很多Facebook的文档(各种认证流程,访问令牌,signed_request等)和这么多的帖子,但我还是不明白怎么客户端验证和服务器端验证发挥很好地在一起。
This must be a very common scenario so I think I'm missing something fundamental. I have read a lot of the Facebook documentation (various authentication flows, access tokens, signed_request, etc.) and many posts on SO, but I still don't understand how client-side authentication and server-side authentication play nicely together.
总之,我想知道用户在服务器上的身份,但仍然能够请求从客户端浏览器Facebook的API?
(我使用ASP.NET和服务器上Facebook的C#SDK)
(I am using ASP.NET and the Facebook C# SDK on the server)
修改:新增赏金。我希望得到有关如何处理这种情况,甚至一个例子更deifnitive,官方推荐。至于说,我已经阅读了大量的官方FB文档的身份验证流程,但我仍然无法找到任何东西最终如何客户端和服务器端的认证一起工作。
EDIT: Added bounty. I was hoping to get a more deifnitive, official recommendation on how to handle this situation, or even an example. As said, I have already read a lot of the official FB docs on authentication flows but I still can't find anything definitive on how client-side and server-side authentication work together.
推荐答案
选项1:
我能想到的最简单方法是包括在的accessToken JS和与Ajax调用传递。
Option 1: The easiest way I can think of is to include the accessToken in JS and pass it with the ajax call.
选项2:
使用相同的选项1,但不是刚刚发送的accessToken,发送signedRequest。
Option 2: Using the same as option 1, but instead of sending just the accessToken, send the signedRequest.
在服务器端,您可以c。使用( TryParseSignedRequest 法)它去$ C $,这将给你的用户名: - )
On the server side you can decode it using (TryParseSignedRequest method) which will give you the UserID :-)
请注意: signedRequest 加密与应用程序的秘密。 你是唯一一个谁应该知道吧,让你在这个目的的安全。
Note: signedRequest is encrypted with the application Secret. you are the only one who should know it, so you are safe on that end.
声明:
我在C#中没有编码的经验,但在谷歌搜索一点给了我这样的:
I have no coding experience in C#, but a little search in google gave me this:
这篇关于如何从客户端传递的Facebook的ID以服务器安全地的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
