Facebook登录到现有的用户数据库，访问令牌 [英] Facebook login to existing user database, and access tokens

问题描述

尝试Facebook登录添加到现有的登录系统的一个项目我工作。建有角，使用FB JS SDK。这主要是让摩擦登录，而不是目前的大惊小怪使用访问令牌，使与FB API的电话。

Trying to add facebook login to an existing login system on a project I am working on. Built with angular, using the FB JS SDK. This is primarily to allow frictionless login, and not currently that fussed about using the access tokens to make further calls with the FB API.

因此​​，作为一个新的用户，他们打FB的登录，接受权限等，它激发了我回一个访问令牌等新用户在我的数据库中创建，以的accessToken ，FB 用户ID 等

So as a new user, they hit the FB login, accept permissions etc, and it fires me back an access token etc. The new user is created in my DB, along with the accesstoken, FB userid, etc.

我现在该如何进行身份验证与用户ID用户和的accessToken 现在存储在我的数据库？据我所看到的，访问令牌几乎每一个页面加载/请求，那么下一次用户点击FB登录改变，或者我检查FB登录状态我唯一不变的就是用户ID 。

How do I now authenticate the user with the userid and accesstoken now stored in my DB? As far as I can see, the access token changes on virtually every page load / request, so next time the user hits the FB login, or I check the FB login status the only constant thing I have is the userid.

曾做过不同的阅读对SO和FB文档如：

Have done various reading on SO and FB docs eg:

https://developers.facebook.com/docs/facebook-login/web
https://developers.facebook.com/docs/facebook-login/multiple-providers
的https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken

<一个href=\"http://stackoverflow.com/questions/27294165/how-should-a-facebook-user-access-token-be-consumed-on-the-server-side\">How应该Facebook的用户访问令牌可以在服务器端的消耗？

......虽然这只是将进一步混淆的东西。

... although that has only served to confuse things further.

我想我会采取保存的accessToken 然后检查其有效性，但由于访问令牌到期和正无效的各种情况下，这也似乎是一种不完整的解决方案

I imagine I would take that stored accesstoken then check its validity, however due to the various instances of access tokens expiring and being invalidated, this also seems like an incomplete solution.

所以我的问题：如何安全地在自己的数据库对口的用户进行身份验证我的FB用户

So my question: How do I securely authenticate my FB users with their counterpart user in my own DB?

推荐答案

Facebook登录请求返回用户ID +短暂的访问令牌（客户端）。

The Facebook login request returns user id + short lived access token (client side).

使用服务器端的Facebook SDK来检查访问令牌的有效性（将返回user_ID的和APP_ID领域如果有效）。

Use the server side Facebook SDK to check the validity of the access token (will return user_id and app_id fields if valid).

您可以信任USER_ID字段从Facebook的API返回要检查现有的用户数据库。

You can trust the user_id field returned from the Facebook API to check against your existing user database.

这篇关于Facebook登录到现有的用户数据库，访问令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！