Facebook访问令牌和AJAX调用 [英] Facebook access token and AJAX calls

问题描述

但是，我希望客户端在我的服务器上执行AJAX调用，然后基于Facebook userId在我的数据库中进行一些查询。我不能只接受一个userId变量，因为任何人只能欺骗它，所以我想我需要访问用户的accessToken。

然而，这是一个AJAX调用在服务器上的PHP文件中，我没有能力使用与示例中提供的相同的服务器端身份验证方法。

所以我认为客户端需要通过AJAX调用传递FB访问令牌，然后验证该访问令牌服务器端，然后使用它来获取用户的身份信息和其他信息。

但是，如果我使用服务器端身份验证，客户端从来没有从Facebook实际检索其访问令牌，只有服务器拥有它，这意味着客户端无法通过访问令牌。

我的问题是：一旦我做原始的服务器端验证，我应该根据cookie存储访问令牌服务器端，然后以这种方式获取access_token？

或者，是否有更好的做法为Facebook应用程序这样在我不需要担心通过cookie欺骗泄露访问令牌？

解决方案

首先，你不应该存储cookie中的访问令牌或通过ajax调用发送它。访问令牌是一个明智的数据，必须始终是不可见的。

我不知道这是否是最好的方法，但我总是使用signedRequest。这是一个安全的数据发送到您的服务器，因为它是加密与您的应用程序的秘密，谁没有人知道...

如果你传递signedRequest（从FB JS SDK）到您的服务器，您可以检索有效的访问令牌。在PHP中，假设您通过POST传递signedRequest，看起来像这样：

  $ signed_request = $ _POST ['signedRequest' ]。 
 $ data = parseSignedRequest（$ signed_request）; 
 $ token_url ='https://graph.facebook.com/oauth/access_token？'。 
'client_id ='。 YOUR_APP_ID。 
'& redirect_uri ='。 //当使用JS signedRequest时，请留空
'& client_secret ='。 YOUR_APP_SECRET。 
'& code ='。 $数据[ 代码]; 
 
 $ response = file_get_contents（$ token_url）; 
 $ params = null; 
 parse_str（$ response，$ params）; 
 $ access_token = $ params ['access_token']; //这里是您的访问令牌
  

您将需要这些功能：

 函数parseSignedRequest（$ signed_request）{
 list（$ encoded_sig，$ payload）= explode（'。'，$ signed_request，2）; 
 //解码数据
 $ sig = base64UrlDecode（$ encoded_sig）; 
 $ data = json_decode（base64UrlDecode（$ payload），true）; 
 
 if（strtoupper（$ data ['algorithm']）！=='HMAC-SHA256'）{
 return'未知算法。预期HMAC-SHA256'; 
} 
 
 //检查sig 
 $ expected_sig = hash_hmac（'sha256'，$ payload，YOUR_APP_SECRET，$ raw = true）; 
 if（$ sig！== $ expected_sig）{
 return'Bad Signed JSON signature！'; 
} 
 return $ data; 
} 
 
函数base64UrlDecode（$ input）{
 return base64_decode（strtr（$ input，'-_'，'+ /'））; 
} 
  

当然，如果将访问令牌存储在数据库中，那么如果用户已经授权您的应用并登录到Facevook，您可以从...获取signedRequest $ _COOKIE

I have an app that I originally coded as server-side authentication in PHP.

However, I want the client to do AJAX calls into my server, and then based on the Facebook userId do some queries in my database. I can't just accept a userId variable, because anyone can just spoof it, so I think I need to access the user's accessToken.

However, this being an AJAX call into a PHP file on the server, I don't have the ability to use the same server-side authentication methods as presented in the examples.

So I think the client needs to pass an FB access token through the AJAX call, and then I validate that access token server-side, and then use it to get the user's id and additional information.

However, if I use server-side authentication, the client never actually retrieves its access token from Facebook, only the server has it, which means the client can't pass the access token.

My question is: once I do the original server-side validation, should I store the access token server-side based on the cookie and then get the access_token that way?

Or, is there a better practice for Facebook apps so that I don't need to worry about leaking an access token via cookie spoofing?

解决方案

First of all, you should not store the access token in a cookie or send it through a ajax call. The access token is a sensible data that must be always invisible.

I don't know if it is the best way to do this, but I always use the signedRequest. This is a secure data to send to your server, because it is encrypted with your app secret, which nobody knows...

If you pass the signedRequest (from FB JS SDK) to your server, you can retrieve a valid access token. In PHP, it looks like this, assuming you are passing the signedRequest by POST:

$signed_request = $_POST['signedRequest'];
$data = parseSignedRequest($signed_request);
$token_url= 'https://graph.facebook.com/oauth/access_token?' .
            'client_id=' . YOUR_APP_ID .
            '&redirect_uri='  . // when using the JS signedRequest, leave this blank
            '&client_secret=' . YOUR_APP_SECRET .
            '&code=' . $data["code"];

$response = file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$access_token = $params['access_token']; // here is your access token

You will need these functions:

function parseSignedRequest($signed_request) {
    list($encoded_sig, $payload) = explode('.', $signed_request, 2);
    // decode the data
    $sig = base64UrlDecode($encoded_sig);
    $data = json_decode(base64UrlDecode($payload), true);

    if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        return 'Unknown algorithm. Expected HMAC-SHA256';
    }

    // check sig
    $expected_sig = hash_hmac('sha256', $payload, YOUR_APP_SECRET, $raw = true);
    if ($sig !== $expected_sig) {
        return 'Bad Signed JSON signature!';
    }
    return $data;
}

function base64UrlDecode($input) {
    return base64_decode(strtr($input, '-_', '+/'));
}

Of course, if you store the access token in your DB, you'll not need to pass through this, but be careful with the token expiration.

If the user already authorized your app and is logged in Facevook, you can retrieve the signedRequest from the cookie $_COOKIE[('fbsr_' . YOUR_APP_ID)], but I don't trust very much on this data...

这篇关于Facebook访问令牌和AJAX调用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！