Facebook的授权与其他第三方用户连接 [英] Authorizing facebook connect users with other third parties
问题描述
我的工作有用户通过Facebook连接登录的大部分网站,所以他们没有为我们的网站用户名和密码。我们提供给自己的用户进行身份验证使用基本身份验证API,但这并不让Facebook的用户连接使用我们的API与客户进行身份验证。
I'm working on a site that has a large proportion of users signing in via Facebook Connect, so they don't have a username and password for our site. We offer our own user-authenticated API using basic auth, but this doesn't allow facebook connect users to authenticate with clients using our API.
有没有不破Facebook的服务条款使用Facebook的身份验证凭据来授权其他第三方任何方式?例如,如果其他网站Facebook的实现连接,并将会话数据反馈给我们?是否有Facebook的野生任何实例连接正在通过使用OAuth作为一种解决方案,而不像Foursquare的网站以外的API供应商成功地使用?
Is there any way that doesn't break Facebook's TOS to authorize other third parties using Facebook authentication credentials? For instance, if the other site implements facebook connect and passes session data back to us? Are there any examples in the wild of facebook connect being used successfully by an API provider other than sites like Foursquare that use oAuth as a solution?
推荐答案
我已经开发了这样的功能,我的应用程序。用户可以通过Facebook或Twitter上我们的网站前台登录,他们也可以验证自己对我们的iPhone / Android应用程序的API相同的方式。
I have developed such a feature for my application. User can sign in with Facebook or Twitter on our web front, and they can also authenticate themselves the same way on our API from iPhone/Android app.
我不知道我的方法是最好的,这就是为什么我asked什么可能是最好的方法的问题。不过,我要说明我在做什么,到目前为止,这是工作得非常好。
I am not sure my method is the best one, that's why I asked the question about what could be the best approach. Still, I'm going to explain what I'm doing and so far this is working very well.
首先,你需要实现你的API在登录方法。这种方法的交流凭据针对API令牌随后将用于所有未来的呼叫。
First, you need to implement a login method in your API. This method exchanges your credentials against an API token which will then used for all the future calls.
下面是登录与基本身份验证参数API调用:
Here is the login API call with your basic authentication parameters:
http://login:password@api.myapp.com/login
(这仅仅是一个重新presentation解释你发送的凭据,而不是实际的方式来做到这一点)
(this is just a representation to explain you are sending the credentials, not the actual way to do it)
在返回后,此API调用发送给您的 api_token
In return, this API call sends you the api_token
{ "api_token": "xxxx-xxxx-xxxx-xxxx" }
服务器端,有一个表关联 api_token 和 USER_ID (以及到期日如果需要的话,等。)
Server side, you have a table associating api_token and user_id (as well as expiration date if needed, etc.)
您会再使用 api_token 每次你需要经过身份验证的通话时间:
You'll then use api_token each time you need to make an authenticated call:
http://api.myapp.com/request?api_token=xxxx-xxxx-xxxx-xxxx
现在,您已经修改了认证的实施,你会做Facebook的的access_token 通过Facebook连接SDK送回一模一样。你交换使用下面的API调用标记:
Now that you have modified your authentication implementation, you will do exactly the same with the Facebook access_token sent back by the Facebook Connect SDK. You exchange tokens using the following API call:
http://api.myapp.com/login/facebook?access_token=<facebook_access_token>
服务器端,您验证的access_token 的有效性用一个简单的
wget -qO- https://graph.facebook.com/me?access_token=<facebook_access_token>
它发送回你一个JSON的所有用户信息,包括用户的Facebook ID。假设已经连他账户的Facebook用户,你可以查找在 USER_ID 并发送回一个 api_token 。
问题是,如果用户拒绝从Facebook应用程序,这会不会对 api_token 和用户产生任何影响仍然可以访问API。可能有也有一些安全问题(HTTPS肯定会更好地保护用户的Facebook访问令牌)。
Problem is that if user rejects your application from Facebook, this won't have any effect on the api_token and user will still have access to the API. There could be also some security issues (https would certainly be better to protect user's facebook access token).
我不能保证这种方法的美感,但它的工作原理,并可以与许多其他厂商使用。由于Facebook的访问令牌是住在同一个生态系统,我是pretty确保这不会违反Facebook的服务条款。我已阅读什么也没有找人。
I can't vouch for the beauty of this method, but it works and can be used with many other vendors. As the Facebook access token is staying in the same ecosystem, I'm pretty sure this doesn't violate Facebook's TOS. I have read nothing there looking against it.
这篇关于Facebook的授权与其他第三方用户连接的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
