What's the purpose of renewable access tokens?


Question

With the recent deprecation of offline_access, Facebook is allowing apps to "extend" short-lived tokens to long-lived ones. The tokens can also be "renewed" as long as they haven't expired yet. [1]

This would make sense to me from a security/privacy perspective if the "extend" required explicit user opt-in (like the old offline_access permission). But it seems that apps can both extend and renew transparently, without user action. E.g. iOS apps do this with a simple HTTP request. [2][3][4]

Given that, what's the purpose of this feature? It doesn't seem more secure/private than expiring tokens, and it doesn't seem more convenient for apps than lifetime tokens (e.g. Twitter and LinkedIn).

[1] https://developers.facebook.com/roadmap/offline-access-removal/

[2] https://developers.facebook.com/docs/mobile/ios/build/#extend_token

[3] https://developers.facebook.com/docs/reference/iossdk/authentication/

[4] https://github.com/facebook/facebook-ios-sdk/blob/v1.2/src/Facebook.m#L352-L359

Answer

Not having heard any better answer, my best guess is that they do want apps to have long-term access (without having to ask the user repeatedly), while reducing the damage a compromised token could do (because it expires).

I'm not sure if that's the case, because I'm not sure whether compromised tokens have actually been an issue in practice (since the app developer can still easily revoke a compromised token).

Another possibility a friend mentioned is that this helps Facebook collect more data/analytics on app usage. But I'm not sure if that's the case either, given that it seems tokens can be renewed without user input or intervention.

So at this point, my best guess is for slightly improved security while still allowing apps to have long-term access.
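As an added illustration that is not part of the original question or answer, the following hypothetical Python model captures the lifecycle the question describes: a short-lived token can be swapped for a long-lived one only while it is still valid, a long-lived token can be renewed only before it expires, and the app can revoke any token. The lifetimes are assumed values, not Facebook's; the point is that an unrenewed token dies on its own, which is the "reduced damage" the answer speculates about.

```python
import secrets
from dataclasses import dataclass

# Assumed lifetimes in seconds; the post does not state Facebook's real values.
SHORT_LIVED = 2 * 60 * 60
LONG_LIVED = 60 * 24 * 60 * 60


@dataclass
class Token:
    value: str
    user: str
    expires_at: int
    long_lived: bool


class TokenServer:
    # Hypothetical issuer modelling the extend/renew rules the question quotes.
    def __init__(self):
        self._tokens = {}
    def _valid(self, value, now):
        tok = self._tokens.get(value)
        if tok is None or now >= tok.expires_at:
            raise ValueError("unknown, revoked or expired token")
        return tok
    def _mint(self, user, now, lifetime, long_lived):
        tok = Token(secrets.token_urlsafe(16), user, now + lifetime, long_lived)
        self._tokens[tok.value] = tok
        return tok
    def issue(self, user, now):
        # Login with the user present hands out only a short-lived token.
        return self._mint(user, now, SHORT_LIVED, False)
    def extend(self, value, now):
        # A still-valid short-lived token is swapped for a long-lived one; the old one dies.
        old = self._valid(value, now)
        del self._tokens[value]
        return self._mint(old.user, now, LONG_LIVED, True)
    def renew(self, value, now):
        # Renewal works only while the long-lived token has not expired yet.
        old = self._valid(value, now)
        if not old.long_lived:
            raise ValueError("only long-lived tokens can be renewed")
        del self._tokens[value]
        return self._mint(old.user, now, LONG_LIVED, True)
    def revoke(self, value):
        # The app developer can cut off a leaked token at any time.
        self._tokens.pop(value, None)
    def is_valid(self, value, now):
        return value in self._tokens and now < self._tokens[value].expires_at
```

Walking a token through issue, extend, renew and revoke with a fixed clock shows the exposure window: a leaked token that nobody renews stops working at its own expiry, while one the app keeps renewing lives until it is revoked.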

