oAuth 2.0, access_token, Facebook, Twitter

I spent a lot of time looking for any clarifications about using oAuth with FB and Twitter. I have to do an application which will be using access_token. This token will also be used on different devices to access the user account via API. When I'm looking for "how to use access_token" I only find "how to get token". If I missed something reading the documentation please let me know, especially where there is an example - how to use this token on other devices to access the API to send e.g. a post. I have found Twitter4j and Facebook4j; these libs helped me... I've got this access_token and now what next, how to connect to the API... I know that it's not possible to get access to the Twitter API - ok, but what about FB and "client side"?

Please help.

OAuth can be complicated, so let me try to explain it simply.

  1. User visits your website.
  2. Your website checks if it has seen this visitor before (usually with a cookie).
  3. If not, send them to FB/Twitter/whatever's OAuth URL. In that redirect, we tell FB/Twitter/whatever that we're going to need x, y, z permissions (access a user's timeline, see a user's friends, etc.). We also tell FB/Twitter/whatever that when the user says ok, send them back to www.myurl... Finally, we take everything in this request and "encrypt" it, to prove it's really our site asking. The key to this is only saved on our backend, so the frontend (JavaScript/HTML) never sees it.
  4. FB/Twitter/whatever sees the request. They also see the "encrypted" form of the request. FB/Twitter/whatever knows this key too (they gave it to us; it's usually called the "secret" when you're configuring your OAuth). They can verify it's really your backend asking for permission.
  5. If the user agrees, we get a token. We store that token (on our backend: PHP, Java, Ruby, etc.) and remember it belongs to that user.

The main thing to stress here is that in order to do the OAuth handshake, you need a secret key that you never output to the browser. That means you'll need to implement part of this on your backend. You've tagged this with java, so maybe that means you're using Java as your backend, maybe with Google App Engine or something. You'll need to find the OAuth library for that, and work it out from there.

You can't create the OAuth handshake only with frontend code.
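The five steps of the answer above, carried through in code, as an added example that is not part of the original answer and not the code of Twitter4j or Facebook4j: a backend client runs the OAuth 2.0 authorization-code flow (redirect with a random `state` and a PKCE challenge, server-to-server exchange of the one-time code for a token, a server-side token store), then uses the token the way the question asks, as a Bearer credential in the `Authorization` header of an API request. In OAuth 2.0 the client secret is not used to encrypt the redirect; the browser-visible request carries only the client id, scopes, `state` and PKCE challenge, and the secret goes in the back-channel token request, which is why it never has to leave the backend. The endpoints under `provider.example`, the redirect URI under `www.myurl.example`, the `FakeProvider` that stands in for the authorization server and the `user-42` id it returns are all assumptions so the example runs offline; the real Facebook and Twitter endpoints and parameter names must be taken from their own documentation.

```python
import base64, hashlib, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints (assumed, not Facebook's or Twitter's real URLs).
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
TOKEN_URL = "https://provider.example/oauth/token"
API_URL = "https://api.provider.example/me"


def pkce_challenge(verifier):
    """S256 code challenge: base64url(sha256(verifier)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()


class OAuthClient:
    """Backend half of the flow: holds the client secret and the per-user tokens."""

    def __init__(self, client_id, client_secret, redirect_uri, transport):
        self.client_id, self.client_secret = client_id, client_secret  # secret never reaches the browser
        self.redirect_uri = redirect_uri
        self.transport = transport  # transport(method, url, headers, form) -> (status, body)
        self._pending = {}  # state -> PKCE verifier for logins still in flight
        self.tokens = {}  # user id -> access token (the backend store of step 5)

    def authorization_url(self, scopes):
        """Step 3: the redirect to the provider, naming the permissions we need."""
        state, verifier = secrets.token_urlsafe(32), secrets.token_urlsafe(48)
        self._pending[state] = verifier
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "scope": " ".join(scopes), "state": state,
            "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"})

    def handle_callback(self, callback_url):
        """Step 5: the user is back; swap the one-time code for a token, server to server."""
        query = parse_qs(urlparse(callback_url).query)
        state, code = query.get("state", [None])[0], query.get("code", [None])[0]
        verifier = self._pending.pop(state, None) if state else None
        if verifier is None or code is None:  # unknown state = CSRF / login forgery, reject it
            raise ValueError("callback carries no code or a state we never issued")
        status, body = self.transport("POST", TOKEN_URL, {}, {
            "grant_type": "authorization_code", "code": code, "redirect_uri": self.redirect_uri,
            "client_id": self.client_id, "client_secret": self.client_secret, "code_verifier": verifier})
        if status != 200:
            raise RuntimeError("token endpoint refused the code: %s %s" % (status, body))
        return json.loads(body)["access_token"]

    def api_get(self, access_token, url=API_URL):
        """Using the token: send it as a Bearer credential in the Authorization header."""
        status, body = self.transport("GET", url, {"Authorization": "Bearer " + access_token}, None)
        if status != 200:
            raise RuntimeError("API call failed: %s %s" % (status, body))
        return json.loads(body)


class FakeProvider:
    """Constructed stand-in for the provider so the flow runs offline; not a real server."""

    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self._codes = {}  # issued code -> (redirect_uri, code_challenge)
        self._tokens = {}  # access token -> user id ("user-42" is an assumed id)

    def user_approves(self, authorization_url):
        """Browser leg: the user consents; the provider redirects back with code and state."""
        q = parse_qs(urlparse(authorization_url).query)
        if q["client_id"][0] != self.client_id or q["response_type"][0] != "code":
            raise ValueError("bad authorization request")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["redirect_uri"][0], q["code_challenge"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def transport(self, method, url, headers, form):
        if method == "POST" and url == TOKEN_URL:
            issued = self._codes.pop(form.get("code"), None)  # codes are single use
            if (issued is None or form.get("client_secret") != self.client_secret
                    or form.get("redirect_uri") != issued[0]
                    or pkce_challenge(form.get("code_verifier", "")) != issued[1]):
                return 400, json.dumps({"error": "invalid_grant"})
            token = secrets.token_urlsafe(24)
            self._tokens[token] = "user-42"
            return 200, json.dumps({"access_token": token, "token_type": "Bearer"})
        if method == "GET" and url == API_URL:
            auth = headers.get("Authorization", "")
            user = self._tokens.get(auth[7:]) if auth.startswith("Bearer ") else None
            if user is None:
                return 401, json.dumps({"error": "invalid_token"})
            return 200, json.dumps({"id": user, "name": "Example User"})
        return 404, "{}"


def run_flow():
    """The whole exchange, then a forged callback that must be rejected."""
    provider = FakeProvider("my-app-id", "my-app-secret")
    client = OAuthClient("my-app-id", "my-app-secret", "https://www.myurl.example/callback", provider.transport)
    callback = provider.user_approves(client.authorization_url(["read_profile", "publish_posts"]))
    client.tokens["user-42"] = client.handle_callback(callback)
    profile = client.api_get(client.tokens["user-42"])  # any device holding the token can make this call
    try:
        client.handle_callback("https://www.myurl.example/callback?code=attacker&state=notours")
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"profile": profile, "forged_rejected": forged_rejected}
```

The `api_get` call is the part the question could not find: once the backend holds the token, any client that is handed it (another device, a mobile app) uses it the same way, `Authorization: Bearer <token>` on each request, with no secret involved. The secret is only needed in `handle_callback`, and the `state` check there is what stops an attacker from completing the login with a code of their own.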

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, please credit this site's URL or the original address. For any questions contact: yoyou2525@163.com.

Guangdong ICP registration no. 18138465  © 2020-2024 STACKOOM.COM