一个应用程序中处理用户身份验证（通过Facebook）和安全通信 [英] Handling User Auth (via Facebook) and secure communication within an app

问题描述

也许下面就莫名其妙地声和奇怪的，我有一些错误的假设，所以我希望你能在这个纵容。

maybe the following will sound somehow wierd and I have some false assumptions so I hope you can condone over this.

只是一些简要的介绍了我们想要实现的：

Just some brief introduction what we want to achieve:

目前，我们正在开发一个需要后端存储用户特定数据的应用程序（如图片，评论等）。当我们想摆脱掉所有的用户认证，我们希望使用Facebook的功能，我们也将让Facebook的做所有的东西认证，只是创建一个基于ID /电子邮件，他们验证后，我们会在收到用户。

Right now we are developing an app that needs a backend storing user specific data (eg images, comments, etc). As we want to get rid off all the user authentication and we want to use facebook functions, too, we will let Facebook do all the authentication stuff and just create a user based on the id/email we will receive after they have authenticated.

让我们只是简要介绍流程：

Let's just brief describe the flow:

1. 用户打开应用程序，并在没有登录（在Facbook SDK将处理会话，并坚持对自己的cookie）。


2. 用户通过Facebook进行身份验证。


3. 应用ID发送给服务器。服务器将返回如果有现有的ID并为此应用程序将表现出一定的登记（特定领域形式）或将登录用户立即

现在来我在哪里不知道如何处理这棘手的部分。

And now comes the tricky part where I am NOT sure how to handle this.

作为后端的API是公开的（HTTPS），我们需要以某种方式来保证，如果用户登录的他能够通过应用获取他的数据之前。

As the API of the backend is public (HTTPS) we need somehow to assure IF the user is logged in before he is able to get his data via the app.

这是不够的，只是说：哦，应用程序已经验证了他的用户，所以没有人会其他调用后端。后端如何可以验证API-consument真的是他的Facebook登录身份验证？我们希望避免随便谁都可以拨打我们的REST服务用他自己的设备上坚持Facebook的ID。

It is not enough to just say "Oh, the app has validated he is the user, so noone else will call the backend". How can the backend verify that the api-consument is REALLY authenticated with his Facebook login? We want to avoid that just anybody can call our REST service with the Facebook ID he has persisted on his device.

请记住：我们不希望时，他与Facebook身份验证的密码分配给用户。

Keep in mind: We do not want to assign a password to a user when he is authenticated with Facebook.

也许我有一些在这个用例奇怪的思维，所以光线我！
感谢所有的答案，并提前共享的知识。展望未来！

Maybe I have some kind of wierd thinking in this use case, so enlight me! Thanks for all answers and shared knowledge in advance. Looking forward!!

推荐答案

如果你让服务器使用的访问令牌，你可以做这样的事情抓取用户信息：

If you make the server fetch the user info using the access token you can do something like this:

1. 请客户端OAuth认证并获得访问令牌


2. 发送访问令牌后端，并获得用户信息，包括使用此令牌Facebook的API Facebook的ID


3. 服务器将存储散列ID（的cookie = ID +：+哈希（ID +密码））的一个HTTP cookie


4. 请您注册/登录的事情


5. 在每一个请求到服务器的后端将通过与秘密重新计算哈希，并将其与值从cookie验证比较从Cookie ID

1. do client side OAuth authentication and receive an access token
2. send the access token to your backend and get the user info including the Facebook ID with the Facebook API using this token
3. The server will store the hashed ID (cookie = id + ":" + hash(id + secret)) in an HTTP cookie
4. Do your registration/login thing
5. On each request to the backend of the server will validate the id from the cookie by recomputing the hash with the secret and comparing it with the value from the cookie

这篇关于一个应用程序中处理用户身份验证（通过Facebook）和安全通信的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！