Authorizing Facebook Connect users with other third parties


Question


I'm working on a site that has a large proportion of users signing in via Facebook Connect, so they don't have a username and password for our site. We offer our own user-authenticated API using basic auth, but this doesn't allow facebook connect users to authenticate with clients using our API.


Is there any way that doesn't break Facebook's TOS to authorize other third parties using Facebook authentication credentials? For instance, if the other site implements facebook connect and passes session data back to us? Are there any examples in the wild of facebook connect being used successfully by an API provider other than sites like Foursquare that use oAuth as a solution?

Answer


I have developed such a feature for my application. Users can sign in with Facebook or Twitter on our web front end, and they can also authenticate themselves the same way on our API from the iPhone/Android app.


I am not sure my method is the best one, that's why I asked the question about what could be the best approach. Still, I'm going to explain what I'm doing and so far this is working very well.


First, you need to implement a login method in your API. This method exchanges your credentials for an API token, which will then be used for all future calls.


Here is the login API call with your basic authentication parameters:

http://login:password@api.myapp.com/login


(this is just a representation to explain you are sending the credentials, not the actual way to do it)


In return, this API call sends you the api_token

{ "api_token": "xxxx-xxxx-xxxx-xxxx" }


Server side, you have a table associating api_token and user_id (as well as expiration date if needed, etc.)


You'll then use api_token each time you need to make an authenticated call:

http://api.myapp.com/request?api_token=xxxx-xxxx-xxxx-xxxx


Now that you have modified your authentication implementation, you will do exactly the same with the Facebook access_token sent back by the Facebook Connect SDK. You exchange tokens using the following API call:

http://api.myapp.com/login/facebook?access_token=<facebook_access_token>


Server side, you verify validity of the access_token with a simple

wget -qO- https://graph.facebook.com/me?access_token=<facebook_access_token>


Which sends you back a JSON with all user information, including user's Facebook ID. Assuming the user has already connected his account to Facebook, you can lookup the user_id and send back an api_token.


The problem is that if the user rejects your application on Facebook, this won't have any effect on the api_token, and the user will still have access to the API. There could also be some security issues (https would certainly be better to protect the user's Facebook access token).


I can't vouch for the beauty of this method, but it works and can be used with many other vendors. As the Facebook access token is staying in the same ecosystem, I'm pretty sure this doesn't violate Facebook's TOS. I have read nothing there arguing against it.
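The token exchange the answer describes, written out as an added example that is not the answerer's code: a service with the two login entry points (site credentials, and a Facebook access_token verified through a `/me` lookup), the api_token-to-user_id table, an expiry date on every token, and a revocation hook for the gap the answer points out (a user disconnecting the app on Facebook has no effect on already issued tokens). The `graph.facebook.com/me` call is replaced by an injected fetcher (`fake_graph_me`, with a constructed sample response) so the code runs offline, and Python dicts stand in for the database tables; the hashed-at-rest token storage and PBKDF2 password check are this example's choices, not something the answer specifies.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for what graph.facebook.com/me returns for a valid token.
# The real service would perform the HTTPS request; this example injects a fetcher.
SAMPLE_GRAPH_RESPONSES = {
    "fb-token-alice": {"id": "10000000000001", "name": "Alice Example"},
}


def fake_graph_me(access_token: str) -> Optional[dict]:
    """Replacement for `wget -qO- https://graph.facebook.com/me?access_token=...`.
    Returns the parsed profile, or None when Facebook would reject the token."""
    return SAMPLE_GRAPH_RESPONSES.get(access_token)


@dataclass
class TokenRecord:
    user_id: int
    expires_at: float


class TokenService:
    """Exchanges either site credentials or a Facebook access_token for an api_token."""

    def __init__(self, graph_me: Callable[[str], Optional[dict]],
                 ttl_seconds: int = 3600, now: Callable[[], float] = time.time):
        self._graph_me = graph_me
        self._ttl = ttl_seconds
        self._now = now                                     # injectable clock for tests
        self._password_users: Dict[str, Tuple[bytes, bytes, int]] = {}  # login -> (salt, hash, user_id)
        self._facebook_users: Dict[str, int] = {}           # facebook id -> user_id
        self._tokens: Dict[str, TokenRecord] = {}           # sha256(api_token) -> record

    # --- account setup (constructed for the example) ---
    def add_password_user(self, user_id: int, login: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self._password_users[login] = (salt, digest, user_id)

    def link_facebook(self, user_id: int, facebook_id: str) -> None:
        self._facebook_users[facebook_id] = user_id

    # --- the two login endpoints from the answer ---
    def login(self, login: str, password: str) -> Optional[str]:
        """Basic-auth style login: credentials in, api_token out (None on failure)."""
        entry = self._password_users.get(login)
        if entry is None:
            return None
        salt, expected, user_id = entry
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        if not hmac.compare_digest(digest, expected):     # constant-time comparison
            return None
        return self._issue(user_id)

    def login_facebook(self, access_token: str) -> Optional[str]:
        """/login/facebook: verify the token with /me, map the Facebook id to our user."""
        profile = self._graph_me(access_token)
        if not profile or "id" not in profile:
            return None                                     # Facebook rejected the token
        user_id = self._facebook_users.get(str(profile["id"]))
        if user_id is None:
            return None                                     # never linked: do not auto-create
        return self._issue(user_id)

    # --- using the api_token on every later call ---
    def authenticate(self, api_token: str) -> Optional[int]:
        key = self._key(api_token)
        record = self._tokens.get(key)
        if record is None:
            return None
        if record.expires_at <= self._now():                # expired: purge and reject
            del self._tokens[key]
            return None
        return record.user_id

    def revoke_user(self, user_id: int) -> int:
        """Drop every live token for a user, e.g. once you learn they disconnected the
        app on Facebook. Returns the number of tokens removed."""
        doomed = [k for k, r in self._tokens.items() if r.user_id == user_id]
        for k in doomed:
            del self._tokens[k]
        return len(doomed)

    def _issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)                   # 256 bits of randomness
        self._tokens[self._key(token)] = TokenRecord(user_id, self._now() + self._ttl)
        return token                                        # only its hash is stored server side

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()
```

Two design points follow from the answer's own caveats. Every token carries an expiry, so a user who revokes the app on Facebook loses API access within one ttl even if nothing else happens, and `revoke_user` closes the window immediately when the site does find out. Separately, the `/me` check confirms that the access token is valid and which Facebook user it belongs to, but any valid token for that user, whichever application it was issued to, returns the same id; a production service should also confirm that the token was issued to its own application before accepting it as a login.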
