使用Facebook的SSO在Android上后，我如何可以验证我的应用程序web服务？ [英] How can I authenticate to my applications webservice after using Facebook SSO on Android?

问题描述

我创建一个Android应用程序，使用Facebook的SSO登录，我不知道如何用我自己的Web服务进行身份验证后，我登录到FB。当用户第一次打开我的应用程序，他们登录Facebook的，授权我的应用程序的一些特权，并持续到我的应用程序。该零件也很大，但现在用我的应用程序，他们需要创建我的服务器上的帐户，并跟我的web服务。

I am creating an Android app that uses Facebook SSO to login and I'm not sure how to authenticate with my own webservices after I login to FB. When a user first opens my app they login to Facebook, authorize my application some privileges, and continue into my app. This part works great, but now to use my app they need to create an account on my server and talk to my webservices.

现在我有，增加了他们的Facebook号码等最基本的信息到数据库中，并在同一时间做了的Diffie-Hellman密钥交换，以便将来调用Web服务可以通过加密的呼叫到我的服务器上的身份验证Web服务一个共享密钥。但问题是，第一个初始调用创建此帐户并创建该共享密钥，我该如何鉴别呢？我怎么知道这个人是真的谁只是验证与Facebook和一个不只是一个人谁发现的URL，我的web服务并创建帐户和保存键？

Right now I have a call to an authenticate webservice on my server that adds their Facebook ID and other basic info into a database and at the same time does a Diffie–Hellman key exchange so any future calls to webservices can be encrypted by a shared key. But the problem is that very first initial call to create this account and create this shared key, how do I authenticate that? How do I know this person is really the one who just authenticated with Facebook and not just someone who found the URL for my webservice and is creating accounts and saving the keys?

推荐答案

Facebook的SSO返回一个访问令牌。如果你愿意，你可以传递沿着你的服务器和服务器可以调用Facebook的API来检查，这是对用户的有效访问令牌（例如，通过调用<一href="https://graph.facebook.com/me?access_token=ACCESS_TOKEN">https://graph.facebook.com/me?access_token=ACCESS_TOKEN) - 如果是，你是好，已经验证该用户是谁他们说他们是（或者是有足够的访问黑客有一个有效的身份验证令牌你的应用程序对于Facebook，此时他们的身份已经失密在Facebook上的端）。

Facebook SSO returns an access token. If you'd like, you can pass that along to your server and your server can make a call to the Facebook APIs to check that it's a valid access token for that user (eg by calling https://graph.facebook.com/me?access_token=ACCESS_TOKEN) -- if it is, you're good and have verified that the user is who they say they are (or is a hacker with enough access to have a valid auth token for your app for Facebook, at which point their identity has been compromised on Facebook's end).

这篇关于使用Facebook的SSO在Android上后，我如何可以验证我的应用程序web服务？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！