我可以肯定地验证只有Facebook网站上签名请求Facebook的用户? [英] Can I safely authenticate a Facebook user with just Facebook Signed Request?
问题描述
我想使我的用户将他们的用户帐户与Facebook或Twitter联系起来,让他们与我他们的Facebook / Twitter帐户服务器上登录使用传统的用户名/密码代替。基本上同样的想法在计算器。
I want to enable my users to associate their user account with a Facebook or Twitter and allow them to login on my server with their Facebook/Twitter account instead of using the classic username/password. Basically the same idea as the login in StackOverflow.
我目前对于Facebook的方法:
客户端应用程序将执行的OAuth,然后使用自己的Facebook ID登录我的服务器上。在此基础上Facebook的ID,服务器将查找相关的用户帐户,并且不要求用户名/ pasword进行登录。但是仅仅依靠Facebook的ID登录不是很安全,因为这是一样的只使用一个用户名进行登录,而不是用户名和放大器;密码。
My current approach for Facebook: The client application will perform OAuth and then use their Facebook id to login on my server. Based on this Facebook id, the server will lookup the associated user account and perform login without asking for username/pasword. However just relying on the Facebook id to login is not very safe, as that is the same as using only a username to login instead of username & password.
因此,要确保Facebook的ID是真实的,客户端应用程序也将提供FBSR(脸谱签名的请求,请参阅:的https://developers.facebook.com/docs/facebook-login/using-login-with-games/#checklogin)与登录请求。结果
服务器将检查两件事情与此FBSR:
So to make sure the Facebook id is authentic, the client application will also provide a FBSR (Facebook Signed Request, see: https://developers.facebook.com/docs/facebook-login/using-login-with-games/#checklogin) with the login request.
The server will check two things with this FBSR:
-
在请求Facebook的ID必须是同一个藏在FBSR
The Facebook id in the request must be the same as the one hidden in the FBSR
服务器将重新计算通过Facebook的秘密密钥签名的一部分。这必须与FBSR签名相匹配。
Server will recalculate the signature part via the Facebook secret key. This must match with the signature in the FBSR .
通常情况下,服务器应具有的oauth_token Facebook服务器进行检查,以确保用户身份的100%。不过,我需要为了避免我们的服务器上的依赖于Facebook服务器跳过此。
Normally the server should perform a check with the Facebook server with the oauth_token to be 100% sure of the users identity. However I need skip this in order to avoid dependency to Facebook server on our server.
我有2个问题:
1),这是上面的做法不够好?它可以改善(无服务器到服务器的通信)?
1) Is this above approach good enough? Can it be improved (without server-to-server communication)?
2)我想要做同样的Twitter帐户,但他们签名的请求是不同的那么Facebook。看来Twitter的用户ID嵌入在组oauth_token,所以我的方法可能有小调整工作,但我不知道该用户ID是否始终是组oauth_token的一部分,并不能得到这个搜索互联网后确认。
2) I want to do the same with a Twitter account, but the their signed request is different then Facebook. It seems the Twitter user id is embedded in the oauth_token, so my approach may work with a little tweak, but I am not sure whether the user id is always part of the oauth_token and cannot get this confirmed after searching the internet.
推荐答案
我认为你的做法是不够好,并没有看到任何方式,以避免与签名的请求服务器到服务器的通信。要记住的是,与Facebook图形API版本2中,为了保护用户的隐私,Facebook将送出不是真正的用户ID,但一个应用程序生成的。它也将有可能启用匿名登录。
I think that your approach is good enough and don't see any way to avoid server-to-server communication with a signed request. Bear in mind that, with Facebook Graph Api Version 2, in order to protect the privacy of the user, Facebook will send out not the real user id, but one generated for apps. It will also be possible to enable anonymous login.
我不知道你正试图与Twitter做什么,以及为什么你比较的API(它们是完全不同的)。该微博登录,也知道作为登录与Twitter,用于任何网站或移动应用程序,应为你工作了。
I am not sure of what you're trying to do with Twitter, and why you compare the APIs (they're quite different). The Twitter login, also know as Sign in with Twitter, used for any website or mobile app, should work for you too.
这篇关于我可以肯定地验证只有Facebook网站上签名请求Facebook的用户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
