我可以使用一个iPhone应用程序的Facebook auth服务器侧流,仍然有客户端交互? [英] Can I use Facebook auth server side flow on an iPhone app and still have client side interactions?
问题描述
我有一个使用Facebook的身份验证的用户登录一个网站。它使用身份验证的OAuth 2.0服务器端的流量,这一切工作正常。
我现在正在开发针对同一网站的iPhone应用程序,并希望允许用户登录使用通过FB authentication.The的Facebook的iOS SDK提供机制使用客户端流程做了认证,其中iPhone应用程序的网站在我的iPhone应用程序获取访问令牌。
<击>
现在来验证我的服务器的用户,也使访问令牌提供给我的服务器,我想(通过HTTPS)发送此访问令牌到我的服务器的身份验证和对我的数据库用户,并设置自己的会话cookie的相关。这是preferred或建议的方法?我需要我的服务器上的访问令牌,因为我问离线访问权限,并有我的web应用程序使用FB用户帐户直接从我的服务器进行交互。
对于我来说更容易的选择是只用于身份验证服务器端的流量在我的iPhone应用程序也一样,做什么新的需求和服务器端code是用于网站或iPhone应用程序相同。那可能吗?
我无法使用客户端身份验证和访问令牌传递给我的服务器进行认证对我的系统,也被储存备用。用于客户端身份验证接收的接入令牌是从服务器端认证完全不同的标记和两个不能互换使用。我将不得不使用服务器端验证。
<击>
一种解决方案(<一个href=\"http://stackoverflow.com/questions/6338189/facebook-sending-an-ios-access-token-server-side-and-signing-with-app-secret/6740359#6740359\">provided这里 - 到问题的第一个评论)是使用一个UIWebView并模拟服务器端的流量。下面的评论中提到这种方法的问题,我一直没能解决。
这已通过检查到的网页视图是在登录后重定向到URL解决。
另外一个问题是,我的iPhone应用程序做了一些客户端交互太(像FBShare,写朋友的墙壁等)。如果我使用模拟服务器端验证,我将不得不做这些相互作用的另一个客户端身份验证或采取痛苦的办法和途径,即使这些行动,通过我的服务器。后者绝对不是preferable。我怎么去呢?我能避免这种双重登录,因为这将是非常糟糕的用户体验?
我无法使用客户端身份验证和访问令牌传递给我的服务器进行认证对我的系统,并需要存储继续使用。对于客户端身份验证收到的访问令牌是从服务器端认证完全不同的令牌,两者不能互换使用。我将不得不使用服务器端验证。
我只是觉得恰恰相反。由客户端侧流和服务器侧流认证生成的访问令牌是完全一样的。他们是互换,其实一旦你的令牌,它可以在任何地方使用,只要用户仍然登录和令牌还没有到期。这工作。
卷曲https://graph.facebook.com/{the用户ID} /朋友?ACCESS_TOKEN = {令牌}I have a website that uses Facebook authentication for logging in users. It uses the oAuth 2.0 server side flow for authentication and it all works fine.
I am now developing an iPhone application for the same website and want to allow users to sign in to the website via the iPhone application using FB authentication.The Facebook iOS SDK provides mechanisms to do the authentication using the client side flow, where in my iPhone app gets the access token.
Now to authenticate the user with my server, and also make the access token available to my server, I thought of sending this access token to my server (over https) and authenticate the user against my DB and set my own session related cookie. Is this the preferred or advised method? I need the access token on my server as I ask for offline access permission and have my webapp interact with FB user account from my server directly.An easier option for me would be to just use the server side flow for authentication on my iPhone app too, as nothing new needs to be done and the server side code is the same for website or iPhone app. Is that possible?
I cannot use client side authentication and pass the access token to my server for authentication against my system and also to be stored for further use. The access token received for client side authentication is totally different from the server side authentication token and the two cannot be used interchangeably. I will have to use server side authentication.
One solution ( provided here - in the first comment to the question) is to use an UIWebView and simulate the server side flow. The following comment mentions the problems with this approach, that I have not been able to solve.This has been solved by examining the URL to which the webview is redirected to after the login.
Another problem is that, my iPhone app does some client side interactions too (like FBShare, writing to a friend's wall, etc). If I use the simulated server side authentication, I will have to do another client side authentication for these interactions or take the painful approach and route even these actions through my server. The latter is definitely not preferable. How do I go about this? Can I avoid this double login as it will be very bad user experience?
解决方案"I cannot use client side authentication and pass the access token to my server for authentication against my system and also to be stored for further use. The access token received for client side authentication is totally different from the server side authentication token and the two cannot be used interchangeably. I will have to use server side authentication."
I just found it opposite. The access tokens generated by the client-side flow and server-side flow authentication are exactly same. They are "interchangeable", in fact once you get the token, it can be used anywhere as long as the user is still logged in and the token is not expired yet. This works.
curl "https://graph.facebook.com/{the user id}/friends?access_token={the token}
这篇关于我可以使用一个iPhone应用程序的Facebook auth服务器侧流,仍然有客户端交互?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
