问题描述
我正在创建一个使用Facebook SSO登录的Android应用程序,我不知道如何在登录FB之后验证我自己的Web服务。当用户首次打开我的应用程序,他们登录到Facebook,授权我的应用程序一些特权,并继续到我的应用程序。这部分功能非常好,但现在使用我的应用程序,他们需要在我的服务器上创建一个帐户,并与我的webservices通话。
I am creating an Android app that uses Facebook SSO to login and I'm not sure how to authenticate with my own webservices after I login to FB. When a user first opens my app they login to Facebook, authorize my application some privileges, and continue into my app. This part works great, but now to use my app they need to create an account on my server and talk to my webservices.
现在我打电话给我的服务器上的一个身份验证的webservice,将他们的Facebook ID和其他基本信息添加到一个数据库中,同时做一个Diffie-Hellman密钥交换,所以将来对webservices的调用可以通过共享密钥进行加密。但是问题是,第一次初次调用创建这个帐号并创建这个共享密钥,我该如何验证呢?我怎么知道这个人真的是刚刚通过Facebook认证的人,而不只是那些找到我的网络服务的URL,并且正在创建帐户并保存密钥的人。
Right now I have a call to an authenticate webservice on my server that adds their Facebook ID and other basic info into a database and at the same time does a Diffie–Hellman key exchange so any future calls to webservices can be encrypted by a shared key. But the problem is that very first initial call to create this account and create this shared key, how do I authenticate that? How do I know this person is really the one who just authenticated with Facebook and not just someone who found the URL for my webservice and is creating accounts and saving the keys?
推荐答案
Facebook SSO返回访问令牌。如果您愿意,您可以将其传递到您的服务器,您的服务器可以调用Facebook API来检查该用户是否为该用户提供有效的访问令牌(例如,通过调用) - 如果是,你很好,已经验证用户是谁他们说他们是(或是一个黑客,具有足够的访问权限,为Facebook的应用程序拥有一个有效的身份验证令牌,此时他们的身份已经在Facebook的端点受到威胁)。
Facebook SSO returns an access token. If you'd like, you can pass that along to your server and your server can make a call to the Facebook APIs to check that it's a valid access token for that user (eg by calling https://graph.facebook.com/me?access_token=ACCESS_TOKEN) -- if it is, you're good and have verified that the user is who they say they are (or is a hacker with enough access to have a valid auth token for your app for Facebook, at which point their identity has been compromised on Facebook's end).
这篇关于在Android上使用Facebook SSO后,如何验证我的应用程序webservice?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!