REST API用于使用Facebook进行身份验证的网站 [英] REST API for website which uses Facebook for authentication

查看:141
本文介绍了REST API用于使用Facebook进行身份验证的网站的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我们有一个网站,只有的方式登录和验证您的网站是与Facebook(这不是我的选择)。您首次使用Facebook登录时,会自动为您创建一个帐户。



我们现在要为我们的网站创建一个iPhone应用程序,并为其他用户创建一个公共API使用我们的服务。



这个问题是关于如何使用我们的网站从app / API进行身份验证,分为两部分:


  1. 从API到仅使用Facebook OAuth作为身份验证方法的网站处理REST身份验证的正确方法是什么?



    我已经阅读并研究了REST API的标准认证方法。我们无法使用基本身份验证通过HTTPS 等方法,因为没有凭据用户本身像这个似乎只是为了使用API​​验证应用程序。



    目前,我认为最好的方法是在API上点击/授权终点,然后重定向到Facebook OAuth,然后重定向返回网站,并提供API的用户可以用来验证后续请求的令牌。


  2. 对于我们创建的官方应用程序,不一定需要以相同的方式使用公共API。那么那么最好的方法是跟我们的网站进行交流,并验证用户?


我明白(我想)使用API​​(公共)密钥和秘密(私人)密钥来验证正在使用我们的API的第三方应用程序。然而,当涉及到正在使用该应用程序的用户进行身份验证时,当我们对用户进行身份验证的唯一方式是Facebook时,我对此感到非常困惑。



/ p>

解决方案

更新:见下文



我一直在想这个问题。对我来说还不是很清楚,但这里是我正在想的路线。我正在创建一个REST API,我的用户只有使用Facebook连接验证。



在客户端:


  1. 使用Facebook API登录并获取OAUTH2代码。

  2. 将此代码交换为访问令牌。

  3. 在每次调用我的自定义API时,我将包括Facebook用户标识和访问令牌。

API(对于需要用户认证的每种方法):


  1. 使用上面的访问令牌向/ me Facebook图形发出请求。 / li>
  2. 验证返回的Facebook用户ID是否与上面传递给我的API的用户ID相匹配。

  3. 如果访问令牌已过期,则需要额外的通信。

我还没有测试这个。如何发音?



---更新:2014年7月27日回答问题---



我只能在登录时使用上述交换机一次。一旦我确定哪个用户正在登录,我创建了我自己的访问令牌,并从那一点开始使用该令牌。所以新的流程看起来像这样...



在客户端:


  1. 使用Facebook API登录并获取OAUTH2代码。

  2. 将此代码交换为访问令牌。

  3. 请求访问令牌>我的 API,包括Facebook令牌作为参数

在API上


  1. 接收访问令牌请求。

  2. 使用Facebook访问令牌向/ me Facebook图形请求

  3. 验证Facebook用户是否存在并与我的数据库中的用户匹配

  4. 创建我自己的访问令牌,保存并将其返回给客户端,以便从此向前使用


We have a website where the only way to login and authenticate yourself with the site is with Facebook (this was not my choice). The first time you login with Facebook, an account gets automatically created for you.

We now want to create an iPhone application for our site and also a public API for others to use our service.

This question is about how to authenticate with our website from the app/API and is broken into 2 parts:

  1. What is the correct way to handle REST authentication from an API to a website which only uses Facebook OAuth as an authentication method?

    I have read and researched a lot about standard methods of authentication for REST API. We can't use such methods as Basic Auth over HTTPS, as there are no credentials for a user as such. Something like this seems to be only for authenticating applications using the API.

    Currently, the best way I can think is you hit an /authorize end-point on our API, it redirects to Facebook OAuth, then redirects back to the site and provides a 'token' which the user of the API can use to authenticate subsequent requests.

  2. For an official application that we create, we wouldn't necessarily need to use the public API in the same way. What would be the best way then to talk to our website and authenticate users?

I understand (I think) how to authenticate 3rd-party applications that are using our API, using API (public) keys and secret (private) keys. However, when it comes to authenticating the user who is using the app, I am getting rather confused about how to go about it when the only way we have to authenticate a user is Facebook.

I feel like I'm missing something very obvious, or don't fully understand how public REST APIs should work, so any advice and help would be greatly appreciated.

解决方案

UPDATE: see below

I've been thinking hard about this question too. It's not entirely clear to me yet but here's the route I am thinking of going. I am creating a REST API an my users only auth with Facebook connect.

On the CLIENT:

  1. Use the Facebook API to login and get an OAUTH2 code.
  2. Exchange this code for an access token.
  3. In every call to my custom API I'll include the Facebook user id and the access token.

On the API (for every method that requires user authentication):

  1. Make a request to the /me Facebook graph using the access token from above.
  2. Verify that the Facebook user id returned matches the user id passed to my API from above.
  3. If the access token has expired additional communication is required.

I have yet to test this. How does it sound?

--- Update: July 27th, 2014 to answer question ---

I only use the above exchange once upon login. Once I determine which user is logging in, I create my own access token, and that token is used from that point going forward. So the new flow looks like this...

On the CLIENT:

  1. Use the Facebook API to login and get an OAUTH2 code.
  2. Exchange this code for an access token.
  3. Request an access token from my API, including the Facebook token as a parameter

On the API

  1. Receive access token request.
  2. Make a request to the /me Facebook graph using the facebook access token
  3. Verify that the Facebook user exists and match to a user in my database
  4. Create my own access token, save it and return it to the client to be used from this point forward

这篇关于REST API用于使用Facebook进行身份验证的网站的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆