Facebook registration flow from Android


Question

I'm developing a webapp + Android app that has its own registration flow - simple authentication using email and password.
I easily integrated the Facebook login from the website, following the second scheme in this page.

Now, I need to 1-click authenticate the Android application with Facebook. The main point is that, after the Android app is authenticated, I need to send from my server some specific cookies that are needed for permissions checks when the user wants to do some operations.

The problem is that I cannot authenticate through the Facebook token: from what I see, the token would work even if it was taken from another application, so I can't send private data trusting only the fb token (even if it was sent by SSL), since it could be another app pretending it's the user. Is there any registration flow similar to the one above for authenticating Android apps?
Or is there any advice to overcome this issue?

Recommended answer

Ok, Facebook has fixed this by deprecating the offline_token and providing a longer access token from the client. This token can be validated server side against my app id and app secret with this new endpoint:

https://graph.facebook.com/oauth/access_token?
    client_id=APP_ID&
    client_secret=APP_SECRET&
    grant_type=fb_exchange_token&
    fb_exchange_token=EXISTING_ACCESS_TOKEN

so I can be sure about the user identity.
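
The server-side check described in the answer, as an added example that is not part of the original answer: the server exchanges the token the Android app sent, using its own app id and secret, and fails closed on any error. The function names, the injectable `fetch` transport, the constructed `fake_fetch` replies and the two reply shapes handled (JSON, and the older form-encoded body) are assumptions of this sketch.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

EXCHANGE_URL = "https://graph.facebook.com/oauth/access_token"  # endpoint from the answer

def http_get(url):
    """Default transport: return (status, body), keeping the body of error replies."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def exchange_client_token(client_token, app_id, app_secret, fetch=http_get):
    """Return the exchanged token, or None when the client token is not accepted.

    Runs on the server only: app_secret must never ship inside the Android app.
    """
    if not client_token:
        return None  # nothing to validate, skip the network call
    query = urllib.parse.urlencode({
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "fb_exchange_token",
        "fb_exchange_token": client_token,
    })
    status, body = fetch(f"{EXCHANGE_URL}?{query}")
    if status != 200:
        return None  # fail closed: no session cookies for this request
    try:
        data = json.loads(body)  # assumed JSON reply shape
    except ValueError:
        # assumed older form-encoded reply: access_token=...&expires=...
        data = {k: v[0] for k, v in urllib.parse.parse_qs(body).items()}
    token = data.get("access_token") if isinstance(data, dict) else None
    return token or None

def fake_fetch(url):
    """Constructed stand-in for the endpoint's replies so the example runs offline."""
    sent = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if sent["fb_exchange_token"] == ["TOKEN_FROM_MY_APP"]:
        return 200, '{"access_token": "LONG_LIVED_TOKEN", "token_type": "bearer"}'
    return 400, '{"error": {"type": "OAuthException"}}'

if __name__ == "__main__":
    for tok in ("TOKEN_FROM_MY_APP", "TOKEN_FROM_OTHER_APP"):
        print(tok, "->", exchange_client_token(tok, "APP_ID", "APP_SECRET", fetch=fake_fetch))
```

The request URL carries APP_SECRET, so keep it out of access logs and error reports, and issue the permission cookies only after this function returns a token.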
