How to implement a safe Facebook login/register/connect web service for a mobile application?


Question


I have a web REST API for a mobile application which supports classic signup/signin with user/password and token authentication.


Since the signup is without email confirmation, how could I implement a safe signup/signin/connect with Facebook service?


My first approach: I get facebook_id, facebook_email, facebook_name from the mobile application:

  • search for the user by Facebook; if one exists, perfect, return that user; else create a new user with these params


Issue: I assume that a facebook_id can easily be found out by any other application, so nothing is stopping me from assuming I'm someone else and logging in with his facebook_id.


Possible solution: also get the access_token from the mobile application and check on the server side that the access_token is the correct one in relation to the facebook_email received.

Another issue could be:

  • Person A is creating a classic account with the personB@fake.com email
  • Person B, a week later, connects its Facebook account (with the same personB@fake.com email). The first idea would be to link the classic account with this Facebook account. But then Person B would take over Person A's account.


Optional: also, what would be the best practice for token expiration on mobile applications? I've read something about 2 hours, but still the Facebook application is still logged in after half a year, I think.


For assuring the security, let's assume I can get anything important (access_token, email, ...) from the client side in my web service: what is the best practice that could ensure the best security in this case, even client-side rules: should there be 2 distinct services for Login and SignUp? Anyway, a quick guideline/step-by-step flow would be perfect.
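Added example, not code from the original post or from Facebook: a server-side sign-in handler in Python that takes the "possible solution" above literally. The backend verifies the access_token itself and ignores any facebook_id or email the client claims, and it refuses to silently link an unconfirmed classic account on an email match, which is exactly the Person A / Person B takeover described above. The two Graph API calls it relies on (`GET /debug_token` with an app token, and `GET /me?fields=id,email`) are modelled by an injected callable answered from constructed sample data so the block runs offline; the app id, token strings, emails and the in-memory user store are placeholders, not real values.

```python
"""Server side of "sign in with Facebook" for a mobile backend (added example).

Assumptions: the Graph API debug_token response has the shape
{"data": {"app_id", "user_id", "is_valid", ...}} and /me?fields=id,email
returns {"id", "email"}; the HTTP call is injected as graph(path, params)
so the example runs offline against constructed responses.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

APP_ID = "123456789012"  # placeholder: the backend's own Facebook app id


@dataclass
class User:
    id: int
    email: str
    facebook_id: Optional[str] = None
    password_hash: Optional[str] = None  # set for classic (user/password) accounts


@dataclass
class UserStore:
    """In-memory stand-in for the backend's user table (constructed for the example)."""
    users: Dict[int, User] = field(default_factory=dict)
    next_id: int = 1

    def by_facebook_id(self, fb_id: str) -> Optional[User]:
        return next((u for u in self.users.values() if u.facebook_id == fb_id), None)

    def by_email(self, email: str) -> Optional[User]:
        return next((u for u in self.users.values() if u.email.lower() == email.lower()), None)

    def add(self, email: str, facebook_id: Optional[str] = None,
            password_hash: Optional[str] = None) -> User:
        user = User(self.next_id, email, facebook_id, password_hash)
        self.users[user.id] = user
        self.next_id += 1
        return user


GraphCall = Callable[[str, Dict[str, str]], dict]


def verified_facebook_identity(access_token: str, app_token: str,
                               graph: GraphCall) -> Tuple[str, Optional[str]]:
    """Return (facebook_id, email) as Facebook itself reports them for this token.

    Nothing the client sent besides the token is trusted: the user id comes
    from /debug_token (signed off by the app token) and the email from /me.
    """
    data = graph("/debug_token", {"input_token": access_token,
                                  "access_token": app_token}).get("data", {})
    if not data.get("is_valid"):
        raise PermissionError("access_token is invalid or expired")
    if str(data.get("app_id")) != APP_ID:
        raise PermissionError("access_token was issued for a different app")
    fb_id = data.get("user_id")
    if not fb_id:
        raise PermissionError("access_token carries no user id")
    profile = graph("/me", {"fields": "id,email", "access_token": access_token})
    if str(profile.get("id")) != str(fb_id):
        raise PermissionError("profile id does not match the token owner")
    return str(fb_id), profile.get("email")


def facebook_signin(store: UserStore, access_token: str, app_token: str,
                    graph: GraphCall) -> Tuple[str, User]:
    """One endpoint for login and signup; the outcome string tells the client which happened."""
    fb_id, email = verified_facebook_identity(access_token, app_token, graph)
    user = store.by_facebook_id(fb_id)
    if user is not None:
        return "login", user
    if email:
        existing = store.by_email(email)
        if existing is not None:
            # Classic signups were never email-confirmed, so a matching email proves
            # nothing. Do not link silently: make the client prove the password first.
            return "link_requires_password", existing
    # Facebook may not release an email; fall back to a clearly synthetic one.
    return "signup", store.add(email or f"fb-{fb_id}@placeholder.invalid", facebook_id=fb_id)


# Constructed sample data standing in for Facebook: token -> (app_id, user_id, email, is_valid)
SAMPLE_TOKENS = {
    "tok-person-b": ("123456789012", "1001", "personB@fake.com", True),
    "tok-other-app": ("999", "1001", "personB@fake.com", True),
    "tok-expired": ("123456789012", "1002", "c@example.com", False),
}


def fake_graph(path: str, params: Dict[str, str]) -> dict:
    """Offline stand-in for a Graph API GET, shaped like the real responses."""
    if path == "/debug_token":
        rec = SAMPLE_TOKENS.get(params["input_token"])
        if rec is None:
            return {"data": {"is_valid": False}}
        app_id, user_id, _, valid = rec
        return {"data": {"app_id": app_id, "user_id": user_id, "is_valid": valid}}
    if path == "/me":
        _, user_id, email, _ = SAMPLE_TOKENS[params["access_token"]]
        return {"id": user_id, "email": email}
    raise ValueError(f"unexpected Graph path {path}")


if __name__ == "__main__":
    store = UserStore()
    store.add("personB@fake.com", password_hash="<hash of Person A's password>")
    print(facebook_signin(store, "tok-person-b", "<app token>", fake_graph)[0])  # link_requires_password
```

With this layout the client never decides who it is: a forged facebook_id is irrelevant because the id is read back from Facebook for the presented token, and a valid token minted for some other app is rejected by the app_id check. When the only thing two accounts share is an unconfirmed email, the handler returns `link_requires_password` instead of merging, so Person B cannot take over Person A's account just by registering the same address on Facebook.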

Answer


Have you checked the Facebook Developer Login documentation? They cover login flow and generating user & app tokens (by calling the FB SDK for JavaScript (FB.GetAuthResponse), in which case the AuthResponse includes a userID parameter that you can map your app's id to). Token expiration is also handled by the FB SDK. Android login flow looks fairly straightforward, and iOS login flow looks even simpler.
