如何续订Facebook访问令牌? [英] How do you renew an expired Facebook access token?
问题描述
我正在从此参考资料工作,并尝试实施OAuth协议,以允许用户登录我的网站通过Facebook。但是,Facebook的文档是非常可怕的,在几个关键部分不清楚。
I am working from this reference, and trying to implement the OAuth protocol to allow users to log into my site via Facebook. However, Facebook's documentation is pretty terrible and it unclear in a few key parts.
它表示授权需要三个步骤:
It says that authorization takes three steps:
-
用户身份验证(将用户重定向到
https://facebook.com/dialog/oauth?client_id=...&redirect_uri= .. 。,并且希望使用代码调用redirect_uri页面。作品很棒!
User authentication (redirect the user to
https://facebook.com/dialog/oauth?client_id=...&redirect_uri=..., and expect theredirect_uripage to be called back with acode). Works great!
应用授权(由Facebook等处理)。工作非常好!
App authorization (handled by Facebook, etc). Works great!
应用验证(在回调页面上,抓住代码 code>的https://graph.facebook.com/oauth/access_token CLIENT_ID = ...&安培; REDIRECT_URI = ...&安培; client_secret = ...&安培;代码= ... 。响应的正文将包括一个 access_token ,我们需要做的东西)
App authentication (On the callback page, grab the code you get and call https://graph.facebook.com/oauth/access_token?client_id=...&redirect_uri=...&client_secret=...&code=.... The body of the response will include an access_token we need to do stuff)
我明白,使用 access_token ,我可以调用API等。但是,到期后会怎么样?我可以得到一个新的,但到目前为止,它将会有许多HTTP请求,我不再需要使用代码。我必须在 access_token 旁边存储代码?或者,我必须告诉用户再次登录,所以我得到一个新的代码来获取一个新的 access_token 或者,我在这里没有关键的部分吗?
I understand that with the access_token, I can call the APIs and such. But, what happens when it expires? I could get a new one, but by this point it will be many HTTP requests later, and I no longer have the code I used to get it in the first place. Do I have to store the code along side the access_token? Or, do I have to tell the user to log in again so I get a new code to get a new access_token?
我不需要一个 offline_access 令牌,因为我只会轮询数据以响应用户操作。
Or, am I missing a key part here? I don't need an offline_access token, as I will only be polling data in response to user actions .
推荐答案
当 access_token 过期时,用户将被Facebook视为注销。您的应用程序将首次执行相同的过程,但用户可能不会。
When the access_token expires, the user will be seen as "logged out" by Facebook. Your app will go through the same process as the first time, but the user may not.
如果用户没有撤销对您的应用的访问权限,而用户是当时登录Facebook,应用程序授权过程将自行处理,用户不需要执行任何操作,您将收到一个新的 access_token 。
If the user hasn't revoked access to your app, and the user is logged into Facebook at the time, the App Authorization process will take care of itself, with no actions required by the user, and you will receive a new access_token.
如果用户没有撤销对您的应用的访问权限,但未登录到Facebook,则他们将在App授权步骤中被提供Facebook登录。他们不会被要求再次提出您的应用程序权限,因为Facebook知道您的应用程序ID是该用户的授权。
If the user hasn't revoked access to your app, but isn't logged into Facebook, they will be presented with a Facebook login at the App Authorization step. They won't be asked to give your app permission again, as Facebook knows that your app id is authorized by that user.
最后,如果用户已撤销访问权限,那么他们将被提供给应用程序授权的原始请求,您将遵循原始流程。
Finally, if the user has revoked access, then they will be presented with the original request for App Authorization, and you'll follow the original flow.
本质上,您应该考虑 access_token 作为易失性的,不用担心存储,但是使用 access_token 作为用户登录过程的一部分,这是幕后所有时间,只有当用户注销Facebook或撤销对您的应用程序的访问时才涉及用户。
Essentially, you should consider the access_token as volatile, and not bother storing it, but using the access_token you receive as part of the user login process, which is happening behind the scenes all the time, and only involving the user when they log out of Facebook or revoke access to your application.
这与Twitter的OAuth不同,使用它。
This is different than Twitter's OAuth with which you can store and re-use it.
这篇关于如何续订Facebook访问令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
