
How to get long-lived identity provider tokens for JS code in browser

I am implementing JS browser-side code login with FB, Amazon, Twitter, Google with Cognito.

Have gotten to the stage where I can get client tokens for all 4, but the problem is that these tokens are short-lived and expire in 1-2 hours.

Research shows the Google token lasts only 1 hour; to extend its life requires server-side code.

FB token lasts 2 hrs, auto-refreshes, but only while the user is logged in. The token will have expired next time the user comes back (say after 2 days). Once again, this requires server-side code to get a longer-lived token.

Amazon token is valid for 1 hour and Twitter tokens do not expire.

All help appreciated (links to documentation, experience etc.).

JS on browser (not node.js)

Using Cognito, but AFAIK it doesn't have any bearing on the life of tokens.

Corrections are also welcome.

It's not a good idea to try to prolong the short-lived access tokens in the browser (although it would be possible, at least for FB), because then you'd have to expose your app's secret in your JS application, where everybody could theoretically steal it from.

You could lose the access to your social apps that way. So, it makes much more sense to do this on the server side.

See

Note that because this request uses your app secret, it must never be made in client-side code or in an app binary that could be decompiled. It is important that your app secret is never shared with anyone. Therefore, this API call should only be made using server-side code.
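An added example, not part of the original answer: a minimal server-side (Node.js 18+) sketch of the Facebook exchange the answer refers to, with the app secret read from the server's environment. The endpoint and parameter names are those of Facebook's Graph API token exchange; `FB_APP_ID`, `FB_APP_SECRET`, `exchangeForLongLived` and the injectable `fetchImpl` are names assumed for illustration.

```javascript
// Added example: server-side (Node.js 18+) token exchange. The app secret is read
// from the server's environment and never appears in code shipped to the browser.
// Assumed names: FB_APP_ID, FB_APP_SECRET, exchangeForLongLived, fetchImpl.
const GRAPH_TOKEN_URL = "https://graph.facebook.com/oauth/access_token";

function buildExchangeUrl(shortLivedToken, appId, appSecret) {
  // Reject anything that is not a plausible single token before it reaches the URL.
  if (typeof shortLivedToken !== "string" ||
      shortLivedToken.length === 0 || shortLivedToken.length > 4096 ||
      /\s/.test(shortLivedToken)) {
    throw new Error("invalid short-lived token");
  }
  const url = new URL(GRAPH_TOKEN_URL);
  // URLSearchParams percent-encodes every value, so the token cannot add parameters.
  url.search = new URLSearchParams({
    grant_type: "fb_exchange_token",
    client_id: appId,
    client_secret: appSecret,
    fb_exchange_token: shortLivedToken,
  }).toString();
  return url;
}

async function exchangeForLongLived(shortLivedToken, env = process.env, fetchImpl = fetch) {
  const { FB_APP_ID, FB_APP_SECRET } = env;
  if (!FB_APP_ID || !FB_APP_SECRET) {
    throw new Error("app credentials are not configured on the server");
  }
  const res = await fetchImpl(buildExchangeUrl(shortLivedToken, FB_APP_ID, FB_APP_SECRET));
  const body = await res.json();
  if (!res.ok || typeof body.access_token !== "string") {
    // Generic error only: upstream details and the request URL (which holds the
    // secret) must not be logged verbatim or returned to the browser.
    throw new Error("token exchange failed");
  }
  // Return only the fields the browser needs.
  return { access_token: body.access_token, expires_in: body.expires_in };
}
```

The browser code sends only its short-lived token to this backend over HTTPS and receives the long-lived token in return; the secret stays on the server throughout.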
