在迁移到OAuth 2.0之后获取access_token的问题 [英] Problem getting access_token after migrating to OAuth 2.0

问题描述

我尝试将我的应用迁移到OAuth 2.0例程。我无法从JavaScript API设置的cookie中获取access_token。我解码了cookie中的信息，而不是access_token和用户信息我得到一个代码。这似乎是一个相当奇怪的变化。
是否有任何解决方法，因为当您在获取代码时尚未指定redirect_uri，因为您似乎无法将代码交换到access_token。

I have tried migrating my app to the OAuth 2.0 routine. I am having trouble getting the access_token from the cookie set by the JavaScript API. I decode the information in the cookie, but instead of an access_token and the user information I get a code. This seems like a rather weird change. Is there any workaround for this, because it seems that you can't get your code exchanged to an access_token when you haven't specified a redirect_uri when you acquired the code.

我已经考虑过从JavaScript API中的响应中获取access_token并将其存储在一个cookie中，但是这种方式会破坏扩展安全性的整个目的，我想问是否有正确的方法

I have considered just taking the access_token from the response in the JavaScript API and storing it in a cookie, but that kinda defeats the whole purpose of the extended security and I wanted to ask if there was a proper way to do it.

可能是我在做错事，如果是这样的话请告诉我：）

Could be that I am doing something wrong though, and if that is the case please tell me :)

编辑
我知道该cookie持有已签名的请求，但根据签名请求的文档应该保存我需要的信息，如access_token和uid，但在我的实例中只保存代码。这基本上是我不明白的部分。

EDIT I am aware that the cookie holds a signed request, but according to the docs that signed request should hold the information I require like access_token and uid, but in my instance it only holds the code. That is basically the part I don't understand.

推荐答案

结果（即使没有记录），我们需要交换一个access_token的代码。我认为这是一个完整的浪费，因为这是旧的cookie的好东西。获取access_token是快速和容易的。

Turns out that (even though it is not documented) we need to exchange the code for an access_token ourselves. I think this is a total waste since that was the nice thing about the old cookie. It was fast and easy to get the access_token.

无论如何要从新的cookie获取access_token，您需要执行以下操作：

Anyway. To get the access_token from the new cookie you need to do the following:

public string ReturnAccessToken()
{
    HttpCookie cookie = htc.Request.Cookies[string.Format("fbsr_{0}", facebookAppID)];
    string jsoncode = System.Text.ASCIIEncoding.ASCII.GetString(FromBase64ForUrlString(cookie.Value.Split(new char[] { '.' })[1]));

    JsonData data = JsonMapper.ToObject(jsoncode);

    getAccessToken(data["code"].ToJson()
}

private string getAccessToken(string code)
{
    //Notice the empty redirect_uri! And the replace on the code we get from the cookie.
    string url = string.Format("https://graph.facebook.com/oauth/access_token?client_id={0}&redirect_uri={1}&client_secret={2}&code={3}", "YOUR_APP_ID", "", "YOUR_APP_SECRET", code.Replace("\"", ""));

    System.Net.HttpWebRequest request = System.Net.WebRequest.Create(url) as System.Net.HttpWebRequest;
    System.Net.HttpWebResponse response = null;

    using (response = request.GetResponse() as System.Net.HttpWebResponse)
    {
        System.IO.StreamReader reader = new System.IO.StreamReader(response.GetResponseStream());

        string retVal = reader.ReadToEnd();
        return retVal;
    }
}

public byte[] FromBase64ForUrlString(string base64ForUrlInput)
{
    int padChars = (base64ForUrlInput.Length % 4) == 0 ? 0 : (4 - (base64ForUrlInput.Length % 4));
    StringBuilder result = new StringBuilder(base64ForUrlInput, base64ForUrlInput.Length + padChars);
    result.Append(String.Empty.PadRight(padChars, '='));
    result.Replace('-', '+');
    result.Replace('_', '/');
    return Convert.FromBase64String(result.ToString());
}

这可能看起来有点多余，但我想你可以将access_token存储在会话变量。如果您这样做，并且将您的应用程序映射到Facebook，则需要知道如果用户将浏览器隐私设置设置为中等，IE 6，7和8将无法正常工作。这有一个解决方法，但由于这不是这个问题的一部分，我不会写。如果人们真的想要它，写一个评论，我会显示：）

This may seem a bit redundant, but I suppose you can store the access_token in a session variable. If you do this and iFrame the your app on Facebook you need to know that it will not work in IE 6, 7 and 8 if the user have set his browser privacy settings to medium. There is a workaround for this, but as it is not a part of this question I will not write it. If people really want it, write a comment and I will show it :)

------------------- ----------------的修改 -------------------------- ----------------

-----------------------------------EDIT------------------------------------------

使用任何旧的IE浏览器时，无法使用Cookie或会话iframed 页面中的变量，如您在Facebook上的页面。这是一个在编码中不能真正解决的问题。足够我的意思是解决方案不好。您需要在响应中设置p3p-header。您可以在编码所有服务的页面时执行此操作，但最简单的解决方案（如果使用.NET服务器托管网页）是为IIS设置p3p策略。有关这方面的指南可以在 http://support.microsoft.com/kb/324013 中看到。您在p3p策略中写的内容并不重要（如果您查看Facebook拥有者，您可以看到他们使用我们没有p3p策略），重要的是有一些东西，我已经遇到麻烦，只是使用随机文本，但如果您使用示例中的文本不应该有问题：）

When using any of the old IE browsers you can't use cookies or session variables in pages that are Iframed in, like your pages on Facebook. This is a problem that can't really be solved sufficiently in coding. By sufficiently I mean that the solution is not nice. You need to set the p3p-header in your response. You can of course do this in coding for all the pages that you service, but the easiest solution (if you are using a .NET server to host your pages) is to set up a p3p policy for the IIS. A guide for this can be seen in http://support.microsoft.com/kb/324013. It shouldn't matter what you write in the p3p policy (if you check Facebooks own you can see that they use "We don't have a p3p policy), the important part is that there stands something. I have had troubles just using random text though, but if you use the text in the example there shouldn't be a problem :)

这让我永远找到，所以我希望有人可以使用它：D

This took me forever to find out, so I hope someone can use it :D

这篇关于在迁移到OAuth 2.0之后获取access_token的问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！