如何更新过期的 Facebook 访问令牌? [英] How do you renew an expired Facebook access token?

问题描述

我正在使用此参考，并尝试实施 OAuth 协议以允许用户登录我的网站通过脸书.但是，Facebook 的文档非常糟糕，并且在几个关键部分不清楚.

I am working from this reference, and trying to implement the OAuth protocol to allow users to log into my site via Facebook. However, Facebook's documentation is pretty terrible and it unclear in a few key parts.

它说授权需要三个步骤:

It says that authorization takes three steps:

1. 用户身份验证(将用户重定向到 https://facebook.com/dialog/oauth?client_id=...&redirect_uri=...，并期待 redirect_uri 页面用 code 回调).效果很好！

1. User authentication (redirect the user to https://facebook.com/dialog/oauth?client_id=...&redirect_uri=..., and expect the redirect_uri page to be called back with a code). Works great!

应用授权(由 Facebook 等处理).效果很好！

App authorization (handled by Facebook, etc). Works great!

应用认证(在回调页面，获取你得到的code并调用https://graph.facebook.com/oauth/access_token?client_id=...&redirect_uri=...&client_secret=...&code=....响应的正文将包含一个access_token 我们需要做的事情)p>

App authentication (On the callback page, grab the code you get and call https://graph.facebook.com/oauth/access_token?client_id=...&redirect_uri=...&client_secret=...&code=.... The body of the response will include an access_token we need to do stuff)

我知道使用 access_token，我可以调用 API 等.但是，当它到期时会发生什么?我可以得到一个新的，但此时将有很多 HTTP 请求，而且我不再拥有最初用来获取它的 code.我是否必须将 code 与 access_token 一起存储?或者，我是否必须告诉用户重新登录，以便获得新的 code 以获取新的 access_token?

I understand that with the access_token, I can call the APIs and such. But, what happens when it expires? I could get a new one, but by this point it will be many HTTP requests later, and I no longer have the code I used to get it in the first place. Do I have to store the code along side the access_token? Or, do I have to tell the user to log in again so I get a new code to get a new access_token?

或者，我在这里遗漏了一个关键部分?我不需要 offline_access 令牌，因为我只会轮询数据以响应用户操作.

Or, am I missing a key part here? I don't need an offline_access token, as I will only be polling data in response to user actions .

推荐答案

当 access_token 过期时，用户将被 Facebook 视为已注销".您的应用将经历与第一次相同的过程，但用户可能不会.

When the access_token expires, the user will be seen as "logged out" by Facebook. Your app will go through the same process as the first time, but the user may not.

如果用户尚未撤销对您应用的访问权限，并且用户当时已登录 Facebook，则应用授权流程将自行处理，无需用户执行任何操作，您将收到一个新的access_token.

If the user hasn't revoked access to your app, and the user is logged into Facebook at the time, the App Authorization process will take care of itself, with no actions required by the user, and you will receive a new access_token.

如果用户尚未撤销对您应用的访问权限，但未登录 Facebook，他们将在应用授权步骤中看到 Facebook 登录信息.他们不会再被要求授予您的应用权限，因为 Facebook 知道您的应用 ID 已获得该用户的授权.

If the user hasn't revoked access to your app, but isn't logged into Facebook, they will be presented with a Facebook login at the App Authorization step. They won't be asked to give your app permission again, as Facebook knows that your app id is authorized by that user.

最后，如果用户撤消了访问权限，那么他们将看到原始应用授权请求，您将按照原始流程进行操作.

Finally, if the user has revoked access, then they will be presented with the original request for App Authorization, and you'll follow the original flow.

本质上，您应该将 access_token 视为易失性的，而不是费心存储它，而是使用您在用户登录过程中收到的 access_token，这是正在发生的一直在幕后，只有当用户退出 Facebook 或撤销对您的应用程序的访问权限时才会涉及到用户.

Essentially, you should consider the access_token as volatile, and not bother storing it, but using the access_token you receive as part of the user login process, which is happening behind the scenes all the time, and only involving the user when they log out of Facebook or revoke access to your application.

这与 Twitter 的 OAuth 不同，您可以使用它来存储和重复使用它.

This is different than Twitter's OAuth with which you can store and re-use it.

这篇关于如何更新过期的 Facebook 访问令牌?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！