通过Android应用程序通过Facebook令牌对WebAPI进行身份验证访问 [英] Authenticated access to WebAPI via Facebook token from Android App

问题描述

我试图让我的Android应用程序登录到我的WebAPI服务。我想分享我的想法，以验证他们。

I'm trying to make my Android Application to log into my WebAPI services. I want to share my ideas in order to verify them.

如果通过WebSite执行对WebAPI的访问，步骤如下：

If the access to WebAPI is performed via WebSite the steps are:

1-调用WebAPI方法登录

1- Call WebAPI method for logging in

2- WebAPI将客户端重定向到Facebook

2- WebAPI redirect client to facebook

3- Facebook登录并返回令牌

3- Facebook login and returns a Token

4-如果我在下次呼叫中使用该令牌，我将被认证为正确的用户。

4- If I use that token in the next calls I'll be authenticated as the right user.

这样做。

如果通过Android APP执行对WebAPI的访问，我该如何获取访问令牌？
其实我在做这样的事情：

If the access to WebAPI is performed via Android APP, how can I get the access token? Actually I'm doing something like:

1-通过登录按钮联系Facebook

1- Contact Facebook via Login Button

2 - 将登录的ID记录到接收令牌的Facebook

2- Getting logged id to Facebook receiving a Token

3-尝试执行WebAPI调用，将认证：承载CODE添加到我的呼叫中

3- Trying to perform WebAPI calls adding the Authentication: Bearer CODE to my calls

在那一刻我正在徘徊..

At that point I'm wandering..

我的应用程序现在是我特别的用户？如果我执行类似

How can my application now that I'm THAT particular user? If I perform something like

GET /API/METHOD1
Authentication: Bearer CODE

如果Android应用从未告诉过他，那么它如何知道CODE是我？应用程序是否自动与Facebook联系以便收到一个答案，如是的，我发布该令牌，它与...有关

How can it knows that the CODE is me if the Android Application never told him? Does the application automatically contact Facebook in order to receive an answer like "yeah! I release that token, it is related to..."

或者我误会了一切？

另一种方法我可以弄清楚，我必须使用混合方法，如：

The other way I can figure it out is that I must use an "hybrid approach" like:

1-呼叫WebAPI（通过浏览器）
2-获取重定向链接到Facebook
3-获取令牌

1- Call WebAPI (as via browser) 2- Get Redirect link to Facebook 3- Get the token

但是在那点，我怎么可以在Facebook应用程序/ Facebook网站之间切换到我的Android应用程序？

But.. At that point, how can I swith between Facebook App / Facebook Site to my Android application again?

对不起，我想找出这个验证旁边的逻辑

Sorry for the mess, I'm trying to find out the logic beside this auth process.

推荐答案

好吧，我想我已经有了！

Ok, I think I've got it!

当WebAPI收到Facebook令牌不知道任何关于用户和授权。但是，由于令牌，可以访问Facebook作为呼叫者。

when WebAPI receives the Facebook Token doesn't know anything about user and authorizations. BUT, due to the token, can access to Facebook "as the caller".

通过这种方式，应用程序可以执行如下操作：

By this way the application could perform something like:

1. Android - > Facebook登录 - >获取FBToken

1. Android -> Facebook Login -> Get FBToken

Android - > Web API - >发送FBToken

Android -> Web API -> Send FBToken

Web API - > Facebook - > / me发送FBToken

Web API -> Facebook -> /me Sending FBToken

Facebook - > Web API - >身份

Facebook -> Web API -> Identity

Web API - > Andoid - >这是您身份的令牌

Web API -> Andoid -> This is the token for you Identity

Android - > Web API - >给我Auth方法，授权：承载WebAPIToken

Android -> Web API -> Give me Auth Method, Authorization: Bearer WebAPIToken

我在线发现了一个有用的类：（基于 WebApi ASP.NET Identity Facebook登录）

I found out a useful class online: (based on WebApi ASP.NET Identity Facebook login)

private async Task<FacebookUserViewModel> VerifyFacebookAccessToken(string accessToken)
{
    FacebookUserViewModel fbUser = null;
     var path = "https://graph.facebook.com/me?access_token=" + accessToken;
     var client = new HttpClient();
     var uri = new Uri(path);     
     var response = await client.GetAsync(uri);
     if (response.IsSuccessStatusCode)
     {
         var content = await response.Content.ReadAsStringAsync();
         fbUser = Newtonsoft.Json.JsonConvert.DeserializeObject<FacebookUserViewModel>     (content);
     }

     return fbUser;
 }


 public class FacebookUserViewModel
 {
     [JsonProperty("id")]
     public string ID { get; set; }
     [JsonProperty("first_name")]
     public string FirstName { get; set; }
     [JsonProperty("last_name")]
     public string LastName { get; set; }
     [JsonProperty("username")]
     public string Username { get; set; }
     [JsonProperty("email")]
     public string Email { get; set; }
 }

所以，你可以有一个WebAPI，如：

So, you could have a WebAPI like:

    [HttpGet]
    [AllowAnonymous]
    public async Task<string> GetTokenFromFacebook(string accessToken)
    {
        var user = await VerifyFacebookAccessToken(accessToken);
        //Search on your DB for the user ID or email
        //Get token for user
        return token;
    }

完整而完美的解释如下：
http ：//thewayofcode.wordpress.com/2014/03/01/asp-net-webapi-identity-system-how-to-login-with-facebook-access-token/

A complete and perfect explanation is here: http://thewayofcode.wordpress.com/2014/03/01/asp-net-webapi-identity-system-how-to-login-with-facebook-access-token/

创建标记示例

        var tokenExpirationTimeSpan = TimeSpan.FromDays(14);            
        var identity = new ClaimsIdentity(Startup.OAuthBearerOptions.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, UserName, null, "Facebook"));
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.ToString(), null, "LOCAL_AUTHORITY"));
        AuthenticationTicket ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
        var currentUtc = new Microsoft.Owin.Infrastructure.SystemClock().UtcNow;
        ticket.Properties.IssuedUtc = currentUtc;
        ticket.Properties.ExpiresUtc = currentUtc.Add(tokenExpirationTimeSpan);
        var accesstoken = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);

我希望它有帮助！

这篇关于通过Android应用程序通过Facebook令牌对WebAPI进行身份验证访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！