What's the purpose of renewable access tokens?


Question

With the recent deprecation of offline_access, Facebook is allowing apps to "extend" short-lived tokens to long-lived ones. The tokens can also be "renewed" as long as they haven't expired yet. [1]

This would make sense to me from a security/privacy perspective if the "extend" required explicit user opt-in (like the old offline_access permission). But it seems that apps can both extend and renew transparently, without user action. E.g. iOS apps do this with a simple HTTP request. [2][3][4]

Given that, what's the purpose of this feature? It doesn't seem more secure/private than expiring tokens, and it doesn't seem more convenient for apps than lifetime tokens (e.g. Twitter and LinkedIn).

[1] https://developers.facebook.com/roadmap/offline-access-removal/

[2] https://developers.facebook.com/docs/mobile/ios/build/#extend_token

[3] https://developers.facebook.com/docs/reference/iossdk/authentication/

[4] https://github.com/facebook/facebook-ios-sdk/blob/v1.2/src/Facebook.m#L352-L359

Solution

Not having heard any better answer, my best guess is that they do want apps to have long-term access (without having to ask the user repeatedly), while reducing the damage a compromised token could do (because it expires).

I'm not sure if that's the case, because I'm not sure whether compromised tokens have actually been an issue in practice (since the app developer can still easily revoke a compromised token).

Another possibility a friend mentioned is that this helps Facebook collect more data/analytics on app usage. But I'm not sure if that's the case either, given that it seems tokens can be renewed without user input or intervention.

So at this point, my best guess is for slightly improved security while still allowing apps to have long-term access.
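An added example, not code from the question, the answer or Facebook's SDK: a hypothetical token issuer in Python that encodes the rules the question describes (a short-lived token at login, a one-time exchange for a long-lived token, renewal only while the token has not yet expired) together with the developer-side revocation the answer relies on. The lifetimes, class and method names are assumptions; `remaining_validity` is the bound on how long a leaked copy stays usable if nobody keeps renewing it.

```python
import secrets

# Lifetimes are assumed for illustration; the post does not state Facebook's actual values.
SHORT_LIVED_SECONDS = 2 * 3600        # token handed out at login
LONG_LIVED_SECONDS = 60 * 24 * 3600   # token obtained through "extend"

class TokenServer:
    """Hypothetical issuer modelling the extend/renew/expire rules the question describes."""
    def __init__(self):
        self._tokens = {}   # token value -> {"expires_at", "lifetime", "revoked"}

    def _mint(self, now, lifetime):
        value = secrets.token_urlsafe(32)
        self._tokens[value] = {"expires_at": now + lifetime, "lifetime": lifetime, "revoked": False}
        return value

    def _live(self, value, now):
        # A token is usable only if it exists, was not revoked and has not expired.
        tok = self._tokens.get(value)
        return None if tok is None or tok["revoked"] or now >= tok["expires_at"] else tok

    def issue(self, now):
        return self._mint(now, SHORT_LIVED_SECONDS)   # login hands out a short-lived token

    def remaining_validity(self, value, now):
        # Seconds a leaked copy stays usable if nobody renews it; 0.0 means the server rejects it.
        tok = self._live(value, now)
        return 0.0 if tok is None else float(tok["expires_at"] - now)

    def extend(self, value, now):
        # Swap a still-valid short-lived token for a long-lived one; the old one is retired.
        tok = self._live(value, now)
        if tok is None or tok["lifetime"] != SHORT_LIVED_SECONDS:
            return None
        tok["revoked"] = True
        return self._mint(now, LONG_LIVED_SECONDS)

    def renew(self, value, now):
        # Push expiry forward by the token's own lifetime, only if it has not already expired.
        tok = self._live(value, now)
        if tok is not None:
            tok["expires_at"] = now + tok["lifetime"]
        return tok is not None

    def revoke(self, value):
        # Developer-side kill switch for a token known to be compromised.
        if value in self._tokens:
            self._tokens[value]["revoked"] = True
```

An app that stops renewing (uninstalled, or its leaked token noticed and revoked) leaves a stolen copy usable for at most one remaining lifetime, which is the trade-off the answer describes.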
