在iOS应用程序中设计Facebook身份验证，还可以访问受保护的Web服务 [英] Design for Facebook authentication in an iOS app that also accesses a secured web service

问题描述

目标：
允许用户使用Facebook进行身份验证，进入需要访问受保护的Web服务的iOS应用程序。

假设：
为那些选择不使用Facebook进行登录的用户提供了本地认证（和注册）系统。

详细信息：

• 假设我们要为用户提供选项使用Facebook登录，无需为我们的系统创建单独的帐户/凭据。


• 由于我们支持我们自己的本机身份验证机制（用户名和密码），因此我们拥有自己的用户ID并发出身份验证令牌在初始凭证验证后用于后续交互。

我很惊讶，Facebook没有这方面的最佳做法在他们的开发文档。所有现有的文档都是假设您正在将网站建立在一个网站，或者一个独立的移动应用程序，没有需要身份验证的服务。

这是我最初的想法将被设计，但需要验证是否正确。

1. 客户端弹出Facebook iOS登录


2. UI用户使用Facebook凭据登录并获取访问令牌


3. iOS应用程序将访问令牌传递到我们的服务器



4. 我们的服务器使用访问令牌与FB图API对话，以（a）验证令牌和（b）获取该访问令牌的FB用户ID。

   
   
   

   例如我们的服务器将致电 https://graph.facebook.com/me/?access_token=XYZ将在JSON对象中返回个人资料信息




5. 假设它有效，我们的服务器从JSON对象中提取用户ID，并检查用户是否已经一个帐户。如果是这样，我们发给我们自己的认证机票给客户端用于该会话。如果用户没有帐号，我们使用Facebook用户ID创建一个新的帐户，分配我们自己的唯一的UserID并发出我们的验证凭证。



6. 客户端然后通过验证

这似乎是对我的正确方法，但不知道我是否错过了一些疯狂的东西基本和错误（复杂的）路径。

解决方案

我只是自己处理，这里是我的一部分：

在您的步骤5 ...用户可以注册一个完全独立于Facebook ID的帐户，对吧？然后还有一些时间他们用Facebook登录....你刚刚创建了他们的第二个帐户，失去了他们的第一个帐户。

需要一种方式登录到您的Web服务，然后登录到Facebook，并捕获Facebook ID和本地帐户之间的关联。 / p>

除此之外，您的计划听起来很棒。

Goal: Allow a user to authentication with Facebook into an iOS application which requires access to a protected web service that I'm running.

Assumptions: There is a native authentication (and registration) system in place for those users that opt not to use Facebook for sign in.

Details:

• Assume we want to offer the option for a user to sign in with Facebook without creating a separate account/credential for our system.
• Because we support our own native auth mechanism (username and password) we have our own user IDs and issue an authentication token that is used for subsequent interactions after the initial credential validation.

I'm surprised that Facebook doesn't have best practices for this in their developer documentation. All the existing documentation is either assuming you are building FB auth into a website, or a standalone mobile app with no service that requires authentication.

Here's my initial thoughts on how this would be designed but want validation on whether it's correct.

1. Client pops the Facebook iOS Login
2. UI User signs in with Facebook credentials and gets access token
3. iOS App passes access token to our server

4. Our server talks to FB graph API using access token to (a) validate the token and (b) get the FB user ID for that access token.

   e.g. Our server would call https://graph.facebook.com/me/?access_token=XYZ which would return profile info in a JSON object

5. Assuming it's valid, our server extracts the User ID from the JSON object and checks whether the user already has an account. If so, we issue our own auth ticket to client to use for that session. If user doesn't have an account, we create a new one with the Facebook User ID, assign our own unique UserID and issue our auth ticket.

6. Client then passes auth ticket back on subsequent interactions that need authentication.

This seems like the right approach to me but not sure if I'm missing something insanely basic and going down the wrong (complicated) path.

解决方案

I just dealt with this myself, and here's the part that bit me:

In your step 5... It's possible for a user to register for an account with you entirely separate from their Facebook ID, right? Then some other time they log in with Facebook.... And you just created them a second account and lost their first one.

There needs to be a way to be logged in to your web service, then log in to facebook, and capture the association between the facebook ID and the local account.

Apart from that, your plan sounds solid.

这篇关于在iOS应用程序中设计Facebook身份验证，还可以访问受保护的Web服务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！