FB login authentication mechanics


Problem description

I read online and understand how to use FB Connect and how to create an app that uses the FB login. What I want to know is whether it is possible to manipulate the data during the authentication.

So here's what I am confused about. We have:

1. FB server
2. My application
3. My server

So when I open my application, it asks for the FB login and password, and we send that information to the FB server. The FB server then gives my application a token, my application sends the token to my server, and my server verifies it with the FB server? Is this how it works?

If that's the way it works, why is there no hacking of FB login? Can't people make fake tokens?

Recommended answer

Facebook uses OAuth 2.0, which is the current standard for open authorization. This is a short description from Wikipedia:

  OAuth provides client applications "secure delegated access" to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with the Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner, or end user. The client then uses the access token to access the protected resources hosted by the resource server.[1] OAuth is commonly used as a way for web users to log in to third-party web sites using their Google, Facebook or Twitter accounts, without worrying about their access credentials being compromised.

You can read the RFC specification for more details: http://tools.ietf.org/html/rfc6749
You can also read information about the different integrations: http://oauth.net/2/

You cannot create a fake token. The user receives a token after typing his username and password, which means stealing his token is equivalent to stealing his credentials, as the token is randomly generated.

I will explain the flow briefly:
I'm a user, using Facebook in general and your application. I log in to Facebook and reach your application in Facebook or via an external link and click on it. Then Facebook will ask me if I want to share my personal information with your application (this is because I am logged in; if I were not, it would ask me for my username and password). If I agree, Facebook will send an access token to your application, and with it you will access my personal information. This access will be highly restricted, so you won't be able to do anything harmful, and it will also expire after some time, depending on the implementation, but it should be around one hour.
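The verification step the question asks about ("my application will send the token to my server, then my server will verify with FB server") and the answer's point that tokens are randomly generated and expire, as an added example that is not part of the original question or answer: a self-contained Python simulation of the three parties. The class names (AuthorizationServer, AppBackend), TOKEN_LIFETIME, and the ids "user-42", "my-app" and "other-app" are invented for the example. In the real flow the backend would call Facebook's Graph API `debug_token` endpoint with an app access token and check the returned `app_id`, `user_id` and expiry; the `introspect` method stands in for that call.

```python
"""Simulated OAuth 2.0 token issuance and server-side token verification.

Constructed example for this Q&A, not Facebook's code. Three parties from the
question: an AuthorizationServer (the FB server), a client that hands a token
to its backend, and AppBackend (my server), which verifies the token with the
authorization server instead of trusting what the client sent.
"""
import secrets
import time
from dataclasses import dataclass

TOKEN_LIFETIME = 3600  # seconds; the answer puts the lifetime at about one hour


@dataclass(frozen=True)
class TokenRecord:
    user_id: str        # the resource owner who consented
    app_id: str         # the client the token was issued to (its audience)
    scopes: frozenset   # what the client may read, e.g. public_profile
    expires_at: float   # absolute Unix time


class AuthorizationServer:
    """Stands in for the FB server. An access token is an opaque random string
    that is only valid because it sits in this table, so a client cannot mint
    one, and guessing one means guessing 256 random bits."""

    def __init__(self):
        self._tokens = {}  # token string -> TokenRecord

    def issue_token(self, user_id, app_id, scopes, now=None):
        """Called only after the user has authenticated and consented."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
        self._tokens[token] = TokenRecord(
            user_id, app_id, frozenset(scopes), now + TOKEN_LIFETIME)
        return token

    def introspect(self, token, now=None):
        """Answers 'is this token live, and for whom?' the way an RFC 7662
        introspection endpoint (or Facebook's /debug_token) does."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or now >= rec.expires_at:
            return {"active": False}
        return {"active": True, "user_id": rec.user_id, "app_id": rec.app_id,
                "scope": sorted(rec.scopes), "exp": rec.expires_at}


class AppBackend:
    """Stands in for 'my server'. It never derives identity from a token
    string it receives from the client; it asks the authorization server and
    then checks that the token was issued to this app."""

    def __init__(self, app_id, auth_server):
        self.app_id = app_id
        self.auth = auth_server

    def login_with_token(self, token, now=None):
        """Returns the user id to log in as, or None to reject."""
        info = self.auth.introspect(token, now)
        if not info["active"]:
            return None  # forged, unknown, revoked or expired
        if info["app_id"] != self.app_id:
            # A real token issued to some other app would pass introspection
            # alone; without this audience check that other app could replay
            # its users' tokens here and log in as them.
            return None
        return info["user_id"]


def demo(now=1_700_000_000.0):
    """Runs the four cases a practitioner asks about and returns the
    backend's decision for each."""
    fb = AuthorizationServer()
    backend = AppBackend(app_id="my-app", auth_server=fb)

    # 1. The user consents; the FB server issues my app a token.
    token = fb.issue_token("user-42", "my-app", ["public_profile", "email"], now=now)
    genuine = backend.login_with_token(token, now=now)

    # 2. A "fake token": a random string that was never issued.
    forged = backend.login_with_token(secrets.token_urlsafe(32), now=now)

    # 3. The genuine token, presented after its lifetime has passed.
    expired = backend.login_with_token(token, now=now + TOKEN_LIFETIME + 1)

    # 4. A genuine token issued to a different app for the same user.
    other = fb.issue_token("user-42", "other-app", ["public_profile"], now=now)
    cross_app = backend.login_with_token(other, now=now)

    return {"genuine": genuine, "forged": forged,
            "expired": expired, "cross_app": cross_app}


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:10s} -> {'login as ' + user if user else 'rejected'}")
```

Running `demo()` shows why a "fake token" does not work: the token carries no structure an attacker could forge, it is only a lookup key in the authorization server's table, so a string that was never issued, or one whose lifetime has passed, is simply not active. The fourth case is the check the answer does not mention: a token that is perfectly valid but was issued to another app must also be rejected by comparing the issuer-reported app id with your own, otherwise any app the same user has authorized could log in to your service as that user.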

