Facebook OAuth 2.0 "code" and "token"


Question

Why do you need both a "code" and a "token" in the Facebook OAuth2 authentication flow as described here: https://developers.facebook.com/docs/authentication/ ?

If you look at the OAuth dialog reference (https://developers.facebook.com/docs/reference/dialogs/oauth/), it seems like you only ever use the token to fetch information about the user, and if you specify the response_type parameter as token or code,token, then you get the token the first time.

Why do you need to get a "code" and then use the code to get a "token", as opposed to getting the token directly?

I guess I'm misunderstanding something basic about how OAuth works, but it seems you avoid the request to https://graph.facebook.com/oauth/access_token entirely if you get the token the first time with the dialog.

Answer

Let us take a simple example to differentiate the authentication code from the access token.

You as a user want to try a new Facebook app called Highjack. So you click on the application and the Highjack app asks you to log into your Facebook account. When you are done, Facebook generates an authentication code for you.

This code is then passed to the Highjack server, which uses its own FB client id, FB secret and your authentication code to get an access token.

In the above example the authentication code is confirming that you as a user are a valid FB user. But the second step says "you as an FB user are giving access to the Highjack app for certain resources".

If the Highjack app wanted implicit grant (i.e. a direct access token), then the access token would be visible to you also, since it is being exchanged with the browser. This means you can now call all Facebook APIs on behalf of Highjack using the access token. (You can only use the access token to get your personal information, but Facebook has no way of knowing who is calling their APIs.)

Since we have 2 parties (you and Highjack) authenticating with Facebook, we have this 2-fold mechanism.
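The two flows described in the answer, as an added worked example that is not part of the original question or answer and is not Facebook's code. It models a toy provider with a dialog endpoint and a token endpoint: with response_type=code, what passes through the browser is a short-lived, single-use code bound to the app's client id and redirect_uri, and only the party holding the app secret (the Highjack backend) can turn it into a token; with response_type=token, the token itself comes back in the URL fragment and is usable by whoever sees it. The app id, secret, redirect URI and user name are constructed values, and the server class is a stand-in for the provider, not an implementation of Facebook's endpoints.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed app registry standing in for the provider's; the id, secret and
# callback URL are made up for this example.
CLIENTS = {
    "highjack-app-id": {
        "secret": "highjack-app-secret",
        "redirect_uri": "https://highjack.example/callback",
    }
}


@dataclass
class AuthServer:
    """Toy stand-in for the provider: a dialog endpoint and a token endpoint."""
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri, user, expiry)
    tokens: dict = field(default_factory=dict)  # token -> (client_id, user)

    def authorize(self, client_id, redirect_uri, response_type, user):
        """The OAuth dialog: 'user' has logged in and approved 'client_id'."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if response_type == "token":
            # Implicit grant: the token itself travels back through the browser
            # in the URL fragment, visible to the user and to anything seeing the URL.
            return f"{redirect_uri}#access_token={self._issue_token(client_id, user)}"
        if response_type == "code":
            # Code grant: only a short-lived, single-use code goes through the browser.
            code = secrets.token_urlsafe(24)
            self.codes[code] = (client_id, redirect_uri, user, time.time() + 600)
            return f"{redirect_uri}?code={code}"
        raise ValueError("unsupported response_type")

    def access_token(self, client_id, client_secret, redirect_uri, code):
        """The server-to-server exchange: only the app's backend knows the secret."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client_secret, client["secret"]):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)  # pop: a code is good for exactly one exchange
        if entry is None:
            raise PermissionError("unknown, expired or already used code")
        code_client, code_redirect, user, expiry = entry
        if code_client != client_id or code_redirect != redirect_uri or time.time() > expiry:
            raise PermissionError("code was not issued to this client/redirect_uri")
        return self._issue_token(client_id, user)

    def _issue_token(self, client_id, user):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, user)
        return token

    def me(self, token):
        """An API call: returns the (app, user) the token was issued for, or None."""
        return self.tokens.get(token)


APP, SECRET = "highjack-app-id", "highjack-app-secret"
CALLBACK = "https://highjack.example/callback"


def code_flow():
    """Two-step flow. Returns (identity, secret_was_needed, code_was_single_use)."""
    fb = AuthServer()
    redirect = fb.authorize(APP, CALLBACK, "code", "alice")
    code = parse_qs(urlparse(redirect).query)["code"][0]  # all the browser ever sees
    try:  # someone who only saw the redirect has the code but not the app secret
        fb.access_token(APP, "not-the-secret", CALLBACK, code)
        secret_needed = False
    except PermissionError:
        secret_needed = True
    token = fb.access_token(APP, SECRET, CALLBACK, code)  # the Highjack backend
    try:  # the same code cannot be exchanged a second time
        fb.access_token(APP, SECRET, CALLBACK, code)
        single_use = False
    except PermissionError:
        single_use = True
    return fb.me(token), secret_needed, single_use


def implicit_flow():
    """One-step flow: the token is in the fragment, so whoever holds the URL
    can call the API with it directly, no secret required."""
    fb = AuthServer()
    redirect = fb.authorize(APP, CALLBACK, "token", "alice")
    token = parse_qs(urlparse(redirect).fragment)["access_token"][0]
    return fb.me(token)


if __name__ == "__main__":
    print("code flow:", code_flow())
    print("implicit flow:", implicit_flow())
```

The point the answer makes shows up in `code_flow()`: the browser-visible code is useless without the app secret and is consumed on first use, so the token is only ever held by the Highjack backend, whereas `implicit_flow()` hands the token straight to the browser.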
