保护应用程序秘密以供extendAccessToken使用 [英] Protecting app secret for extendAccessToken usage

问题描述

我正在为Android开发，目前使用facebook-android-sdk进行身份验证. 据我所知，该代码中没有使用应用程序密码，这太棒了.

I'm developing for Android and currently use facebook-android-sdk for authentication. From what I can see there is no use of the app secret in that code which is great.

现在，Facebook将要删除offline_access权限，我需要扩展访问令牌.不幸的是，sdk的extendAccessToken方法并不是一个独立的方法，需要安装官方的Facebook应用程序，这对我来说是不可接受的.

Now that Facebook are going to remove the offline_access permission I need to extend the access token. Unfortunately the sdk's extendAccessToken method isn't stand alone and requires the official Facebook application to be installed which is unacceptable for me.

因此，我决定直接实现extendAccessToken(类似于iphone sdk的实现). 问题是扩展访问令牌的HTTP请求需要client_secret字段，这意味着我需要在代码本身中放入应用程序密码.对于可以轻松进行逆向工程的Android/Java应用程序，这根本不安全.

So I decided to implement extendAccessToken directly (similar to the iphone sdk implementation). The problem is the HTTP request for extending an access token requires the client_secret field which means I need to put the app secret in the code itself. This doesn't feel safe at all for an Android/Java application that can be reverse engineered easily.

还有其他选择吗?

推荐答案

为什么不在自己的服务器上托管用于执行此操作的代码，并让客户端通过对服务器的调用来扩展令牌?

Why not host the code for doing this on your own server, and have the client extend the token via a call to your server?

这篇关于保护应用程序秘密以供extendAccessToken使用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！