删除offline_access权限的明智解决方案 [英] Sensible solutions to the removal of the offline_access permission

问题描述

在离开FB平台一段时间后，我又回到构建FB应用程序，我看到旧的offline_access权限已被删除，并替换为长(ish)到期令牌[1].

Am coming back to building a FB app after some time away from the FB Platform and I see that the old offline_access permission has been removed and replaced with long(ish)-expiry tokens[1].

因此，现在看来，任何需要根据外部应用程序中的日程安排或某些活动将数据推送到Facebook的外部应用程序都将需要应对已过期的长期访问令牌.这使用户更加沮丧，因为现在，从FB中注销的用户也将杀死任何长期有效的令牌[2]，而以前，即使用户注销，offline_access仍然存在.

So, it now seems like any external app that needs to push data to Facebook based on, say, a schedule or some activity in the external app will need to cope with that long-access token having expired. This is made more frustrating because now a user logging out of FB will also kill any long-expiry token[2], whereas before, offline_access lived on even when the user was logged out.

我仍处于深思熟虑的解决方案阶段，但是有两个想法浮现在脑海:

I'm still in the pondering-a-solution stage, but two ideas spring to mind:

1)每当我的应用程序联系具有FB集成的用户时，都要求他们单击一个链接，该链接将触发对FB的重新认证，以获取新的长期访问令牌.通常，我会在长期访问令牌的使用期限内与我的用户联系过几次，因此，应该在需要的时间范围内有效地持续更新长期访问令牌(即使这样做确实会增加一些烦人的麻烦)到我的应用中)

1) Whenever my app contacts a user who has FB integration, they are requested to click a link that will trigger re-auth with FB to get a new long-access token. My users are generally contacted several times within the lifespan of a long-access token, so this should effectively keep renewing the long-access token for as long as they need (even if it does add some annoying friction to my app)

2)因为我不能保证1)将一直有效(例如，由于用户未单击应用程序的电子邮件通知中的重新验证链接或他们退出了Facebook)，我还必须处理通过将FB交互置于等待队列中并向用户发送电子邮件以明确要求他们再次授予长期访问令牌，从而使FB交互失败.不酷，但我看不到其他选择.如果他们在X尝试要求他们重新授予许可后没有响应请求，那么我只需要对任务进行合并并通过电子邮件发送给他们，以说明这是由于FB限制而不是我的应用程序引起的.再次，不酷.

2) Because I can't guarantee that 1) will always work (due to users not clicking the re-auth link in my app's email notification or them logging out of Facebook, for example) I'll also have to handle failed FB interactions by placing them in a holding queue and emailing the user to explicitly ask them to grant a long-access token again. Not cool, but I see no other option. If they don't respond to the request after X attempts to ask them to re-grant permission, I'll just have to bin the task and email them to explain that it's due to an FB limitation, not my app. Again, not cool.

是否有人需要提出更好的解决方案来保持与具有身份验证/显式权限的用户帐户进行交互的能力?我很想听听你的所作所为.

Has anyone had to come up with any better solutions to maintain the ability to interact with a user's account with authentication/explicit permissions? I'd be keen to hear what you did.

(当然，这一切有待我重新阅读FB ToS，这完全有可能违反规则，这将更加令人沮丧)

(This is all pending me re-reading the FB ToS, of course - it's entirely possible that this is against the rules, which would be even more frustrating)

编辑/更新:我需要发送的数据是将图像发送到相册，该相册将从各种来源到达我的服务器，然后将其推送到适当的用户相册中(当然，需要事先获得他们的许可).我无法保证在图像到达我的服务器时会进行任何基于Web的最终用户交互，以便最终用户为我授予新的短寿命令牌.基本上，offline_access对于该海事组织确实是理想的.

EDIT/UPDATE: the data I need to push is images to a photo album which will arrive at my server from various sources and will then be pushed into an appropriate user's album (with their pre-granted permission, of course). I won't be able to guarantee having any web-based end-user interaction at the point in time the images hit my server in order to get the end user to grant me a new short-lifespan token. Basically, offline_access really would have been ideal for this IMO.

更新2:注意:对于我的用例而言，真正重要的一点是，当需要授予或扩展令牌时，用户不一定会使用我的应用程序或Facebook.

UPDATE 2: NB: it's really key to my use case that the user won't necessarily be using my app or Facebook when the token needs to be granted or extended.

[1] https://developers.facebook.com/roadmap/offline-访问删除/ [2] http://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/

[1] https://developers.facebook.com/roadmap/offline-access-removal/ [2] http://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/

推荐答案

您有正确的两个选择，但我会指出第三个选择和一个鲜为人知的事实，该事实可能与您无关需要将数据推送到Facebook"的特定场景

You've got the right two options, but I will point out a third option and a little-known-fact that may or may not be relevant for your specific scenario of "needs to push data to Facebook"

首先，假设您已为应用程序实现了移动网络或画布，则可用的另一个选项是应用程序对用户的请求或通知.在书签列表中，用户会在您的应用名称旁边看到一个小的通知计数器指示器.如果他们响应了请求，或者书签/通知计数器使他们点击了您的应用程序，则可以触发服务器端令牌续订/扩展过程.此过程对用户是透明的-假设他们仍然安装了您的应用程序，则看不到任何东西.

First, another option available assuming you either have mobile web or canvas implemented for your app is app to user requests or notifications. The user will get a little notification counter indicator next to your app name in the list of bookmarks. If they respond to the request or the bookmark/notification counter gets them to hit your app, you can trigger your server-side token renewal/extension process. This process is transparent to the user -- assuming they still have your app installed they see nothing.

第二，今天很多人使用offline_access只是将其发布到用户流中.如果仅此而已，并且不需要执行一堆FQL查询或在图形API上执行其他操作，那么如果您具有publish_stream权限，则实际上不需要脱机访问或当前用户令牌.借助publish_stream，您可以使用应用访问令牌在用户离线时进行发布.

Secondly, what a lot of people use offline_access for today is simply posting to the user's stream. If that is all you need and you don't need to do a bunch of FQL queries or hit other actions on the graph API, then you don't actually need offline_access or a current user token if you get the publish_stream permission. With publish_stream you can post while the user is offline by using your app access token.

这篇关于删除offline_access权限的明智解决方案的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！