为什么我的测试应用程序处于无尽的重定向循环中? [英] Why is my test application in an endless redirect loop?

问题描述

我正在使用PHP SDK版本3.1.1，以便对Graph API进行简单的调用.我在 http://local.fb-sandbox 本地运行. facebook应用程序设置的网站URL设置为 http://local.fb-sandbox/.

I am using the PHP SDK Version 3.1.1 in order to make a simple call to the Graph API. I am running it locally at http://local.fb-sandbox. The facebook application settings have the site URL set to http://local.fb-sandbox/.

当我转到 http://local时，我被重定向到Facebook登录页面，然后重定向到请求我的权限的页面. fb-sandbox ，但是应用程序随后进入URL之间的重定向循环，例如:

I am redirected to the facebook login page and then to the page requesting my permission when I go to http://local.fb-sandbox but the application then goes into a redirect loop between a URL like:

http://local.fb-sandbox/?state=e9c091bb61afe08139af4e3b153a1e9e&code=AQBDJ4yMWVOIrukx6nRkxhNbnPH9nX6OvuqOWhVJEAgLkq6Lz27iq_-B6AIAGQ_cOpBIZktCPLLs_G5Hpt8QO5PRhDUN8l-Yu3JuT0YTzwVQiAqBlgutgia60lRT-ZzE3IHguStHq4gtuPQYJh423TBer-mB8BsqERvNsoF1L4NNe90WAWU8--MFAU3Oc4eeXyI#_=_

和

https://www.facebook.com/dialog/oauth?client_id=375741229103324&redirect_uri=http%3A%2F%2Flocal.fb-sandbox%2F%3Fstate%3Dccd13778febb68d3eb1f4763a99b2ace%26code%3DAQBFegtkch4m34-2F9KMKgScrPhWzI0qeKJlvnM6uAD81BYm2xakv0S7DEbUrNwlECrgth5-YHdT8IR_vCBzW29QMh3ecOiiEk7P03wQG2V2gaxAUsMqOOZvTl_Oq3SefiLn9BvBAPQSGXQdRSZBVdsUqDT1aZ430Lcx8Ic6axaHSyHwlkkNK5EjRhYdkjYYz0YmENk64kRf4tvmX4WrH6f4&state=19a3862962dd0422628eb7c28a832380&scope=email%2Cread_stream%2Cpublish_stream%2Cuser_photos%2Cuser_videos&fbconnect=1#_=_

我在脚本顶部调用了session_start()，并尝试使用它或不使用它. PHP cookie设置得很好.

I have a call to session_start() at the top of my script and have tried both with and without it. The PHP cookie is being set fine.

我在这里看到了很多有关此重定向循环的类似问题，但是没有一个建议的答案可以解决这个问题，而且它们都已经很老了.这应该在本地主机上工作吗?我在Facebook的应用程序设置中缺少应用程序设置吗?

I've seen a lot of similar questions on here regarding this redirection loop but none of the suggested answers resolved it and they are all quite old. Should this work on localhost? AM I missing an application setting in the app settings on Facebook?

更新

因此，如果您使用此处的代码，则似乎是: http://developers.facebook.com /docs/authentication/即可. github上的php-sdk示例完全忽略了这一点，并且不包括您需要检查是否设置了代码"并生成自己的CSRF令牌的事实.然后，您需要先进行调用以获取访问令牌，然后才能调用Graph API.

So it seems that if you use the code from here: http://developers.facebook.com/docs/authentication/ then it works. The php-sdk example on github completely ignores this and does not include the fact that you need to check whether 'code' is set and generate your own CSRF token. You then need to make a call to grab an access token before being able to make a call to the Graph API.

此外，SDK的getLoginURL()方法返回的https://URL似乎无效.如果我使用自己的URL，那么它将起作用.

Also, the SDK's getLoginURL() method returns an https:// URL which doesn't seem to work. If I craft my own URL then it works.

工作代码:

WORKING CODE:

if(empty($code)) {
    $_SESSION['state'] = md5(uniqid(rand(), TRUE));
$login_url_params = array(
      'scope' => 'email,read_stream,publish_stream,user_photos,user_videos',
      'fbconnect' =>  1,
      'redirect_uri' => 'http://local.fb-sandbox/',
'state'=>$_SESSION['state']
   ); //using this array via the sdk does not work

    $dialog_url = "http://www.facebook.com/dialog/oauth?client_id=" 
       . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
       . $_SESSION['state']; //this url works

    //var_dump($dialog_url);echo "<br />";
    $login_url = $facebook->getLoginUrl();
    //var_dump($login_url);
    header("Location:{$dialog_url}");//works
    //header("Location:{$login_url}");//does not work
    exit;
}



if($_REQUEST['state'] == $_SESSION['state']) {
 $token_url = "https://graph.facebook.com/oauth/access_token?"
       . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
       . "&client_secret=" . $app_secret . "&code=" . $code;
$aContext = array(
    'http' => array(
        'proxy' => 'tcp://xxxx0:80',
        'request_fulluri' => true,
    ),
);
$cxContext = stream_context_create($aContext);
      $response = file_get_contents($token_url, FALSE, $cxContext);

      $params = null;
      parse_str($response, $params);

      $graph_url = "https://graph.facebook.com/me?access_token=" . $params['access_token'];

      $user = json_decode(file_get_contents($graph_url, FALSE, $cxContext));
      //var_dump($user);exit;
}

//var_dump($user);exit;
  return $app->render('test.html',array('myvar', $user));
  exit();

请注意，我要通过代理，因此必须为file_get_contents()调用设置上下文.

Note that I am going through a proxy so have to set a context for the file_get_contents() calls.

如果任何人都可以将我的代码转换为使用正确的SDK方法并使其正常运行(请记住，我需要它在代理之后运行)，那么您将获得赏金.

If anyone can convert my code to use the proper SDK methods and get it working (bearing in mind that I need it to work behind a proxy) then you'll get the bounty.

推荐答案

许多服务器端Facebook SDK均未按照Facebook在过去3个月或4个月内共享的文档和推荐做法来处理身份验证.您找到了一个很好的例子，说明PHP SDK如何使用(或不使用)code参数.还有其他示例，例如SDK可以直接读取Facebook cookie，这是Facebook工程师告诉开发人员的，他们不应该这样做，因为cookie只是实现细节"，而不是Facebook以外的开发人员应该建立依赖的东西.

Many of the various server-side Facebook SDKs do not handle authentication in accordance with the documentation and recommended practices Facebook has shared over the last 3 or 4 months. You found one good example of this in how the PHP SDK uses (or doesn't use) the code parameter. There are other examples such SDKs directly reading the Facebook cookies, something Facebook engineers tell developers they should not do since the cookies are just "an implementation detail" and not something developers outside of Facebook should be building dependencies on.

我不确定您的工作代码示例中的代码在哪里，但是我找不到对包含诸如fbconnect=1

I am not sure where you got that code in your working code example, but I couldn't find any support for including parameters such as fbconnect=1

因此，鉴于SDK未按照Facebook的建议和文档实施身份验证，并且Facebook在其文档中提供了完整的PHP实现，我建议您仅使用Facebook提供的版本，在此处复制并粘贴以供您参考此页面 http://developers.facebook.com/docs/authentication/:

So given that the SDK is not implementing authentication as per Facebook recommendations and documentation, and that Facebook has provided a complete PHP implementation in their documentation, I recommend you just use the version Facebook provides, copy and pasted here for your reference from this page http://developers.facebook.com/docs/authentication/ :

     <?php 

       $app_id = "YOUR_APP_ID";
       $app_secret = "YOUR_APP_SECRET";
       $my_url = "YOUR_URL";

       session_start();
       $code = $_REQUEST["code"];

       if(empty($code)) {
         $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
         $dialog_url = "http://www.facebook.com/dialog/oauth?client_id=" 
           . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
           . $_SESSION['state'];

         echo("<script> top.location.href='" . $dialog_url . "'</script>");
       }

       if($_REQUEST['state'] == $_SESSION['state']) {
         $token_url = "https://graph.facebook.com/oauth/access_token?"
           . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
           . "&client_secret=" . $app_secret . "&code=" . $code;

         $response = @file_get_contents($token_url);
         $params = null;
         parse_str($response, $params);

         $graph_url = "https://graph.facebook.com/me?access_token=" 
           . $params['access_token'];

         $user = json_decode(file_get_contents($graph_url));
         echo("Hello " . $user->name);
       }
       else {
         echo("The state does not match. You may be a victim of CSRF.");
       }

     ?>

这篇关于为什么我的测试应用程序处于无尽的重定向循环中?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！