Facebook认证工作流程 - 过于复杂? [英] Facebook Authentication Workflow - Overly Complicated?
问题描述
我正在尝试为Facebook建立一个画布iframe应用程序。应用程序需要做几件事:
I'm trying to build a canvas iframe application for Facebook. The app needs to do a couple of things:
- 在Facebook中显示一个排行榜,将您与您的朋友进行比较
- 发布消息到你的墙上
Facebook建议将所有新的应用程序构建为iframe应用程序,因此使用此API。
我已经下载了PHP SDK并将该示例安装为我的应用程序。
Facebook recommend building all new apps as iframe apps, hence using this API. I've downloaded the PHP SDK and installed the example as my app.
我很困惑,为什么example.php向用户显示一个登录按钮 - 目前的用户是不是已经登录到Facebook的想法?
I'm confused as to why the example.php presents a login button to a user - isn't the idea that the current user is already logged into Facebook?
我目前的解决方案将用户重定向到 http: //graph.facebook.com/oauth/authorize 进行授权,然后抓取OAuth令牌(稍后发布消息),并返回到Facebook画布中的应用页面。
My current solution redirects the user to http://graph.facebook.com/oauth/authorize for authorisation, then grabs the OAuth token (for posting messages later) and heads back to an application page within the Facebook canvas.
这是真正的获取当前Facebook用户与我的应用程序相关联的唯一方法,以及以后发送邮件的权限?
Is this really the only way to get the current Facebook user associated with my app, and to get permissions for posting messages later?
推荐答案
如果要在服务器端获取当前登录的用户,最好的方法是尝试进行API调用:
If you want to get the current logged in user on the server side, the best way I've found to do this is to try to make an API call:
try {
$response = $facebook->api('/me');
}
catch (FacebookApiException $e) {
//User not logged in
}
如果呼叫成功,您现在可以访问登录的用户ID,访问令牌,名称和其他一些基本内容(例如$ facebook-> getUser()或$ facebook- >的getSession())。否则,如果您遇到FacebookApiException,您知道用户未登录,并且需要重定向用户以获取访问令牌。最简单的方法是重定向到$ facebook-> getLoginUrl()( http://github.com/facebook/php-sdk/blob/master/src/facebook.php 第322行),您可以传递所需的权限:
If the call is successful you now have access to the logged in user id, access token, name, and some other basic stuff (ex. $facebook->getUser() or $facebook->getSession()). Otherwise if you catch a FacebookApiException, you know the user is not logged in and will need to redirect the user to get an access token. The simplest way is just redirect to the url returned by $facebook->getLoginUrl() (http://github.com/facebook/php-sdk/blob/master/src/facebook.php line 322) which you can pass in required permissions:
$facebook->getLoginUrl(
array('req_params' => 'email,publish_stream',
'next' => 'http://www.redirct-upon-login.com',
'cancel' => 'http://www.redirect-if-user-clicks-cancel'));
您可以在Javascript中基本上做同样的事情(我喜欢,因为有一个弹出对话框/窗口的重定向):
You can basically do the same thing in Javascript (which I prefer since there's a popup dialog/window instead of a redirect):
FB.login(function(response) {
if (response.session) {
if (response.perms.indexOf('publish_stream') != -1) {
//User has logged in and given us publish_stream permissions
);
else {
//User has logged in but not given us publish_stream
}
}
else {
//User is not logged in
}, {perms:'offline_access,publish_stream'});
要在example.php上回答您的其他问题,它只能显示登录按钮如果没有用户登录,否则显示一个注销按钮。
To answer your other question on the example.php, it looks like the login button should only be shown if no user is logged in. Otherwise, it shows a logout button.
关于重定向,这基本上是为了服务于OAuth的目的安全地允许第三方代表用户采取行动(例如,您的应用程序在用户墙上发布)。 Facebook需要用户批准您的第三方应用程序采取行动,因此需要用户证明他/她的身份才能给予这个好处(否则你只能模仿用户)。 Facebook需要是一个要求这个好的人,而不是您的应用程序(因此重定向到Facebook的网站),因为如果您的应用程序只能为用户说话,那么它不会非常安全。这是一个痛苦,虽然我会同意,Facebook的文档没有帮助这一点。
With regards to redirects, that's basically how OAuth need to work if it is to serve the purpose of securely allowing a third party to take actions on a user's behalf (your app posting on the user's wall for example). Facebook needs the user to approve your 3rd party app to take actions so it needs the user to prove his/her identity to give this okay (otherwise you could just impersonate the user). Facebook needs to be the one asking for this okay too, not your app (hence the redirect to Facebook's site) because it would not be very secure at all if your app could just speak for the user. It is a pain though I will agree and Facebook's documentation does not help this in the slightest.
这篇关于Facebook认证工作流程 - 过于复杂?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
