
How do I deal with server-side authentication now that offline_access is being deprecated?

With the impending demise of access tokens with no expiration I am hoping someone can help with my rather unique problem.

I've read all of the documentation surrounding https://developers.facebook.com/roadmap/offline-access-removal/

And I think my application falls into an entirely different category. We have an application that posts messages to Facebook rarely (it could be years between them), but the postings are quite important. These postings are initiated within a JVM running Tomcat, but are not necessarily initiated by anything a user does.

When the user installs their version of the application they go through the normal server-side authentication process using a browser:

https://graph.facebook.com/oauth/authorize?client_id=APP_ID&scope=publish_stream,manage_pages,offline_access&response_type=token&redirect_uri=MY_REDIRECT_URL

Historically my application then stores the access token generated (which never expired) in a database. Now, with the offline_access deprecation, this access token is a short-lived token which apparently can be exchanged for a 60-day token by going to:

https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=OLD_SHORT_TOKEN

So I could go to the above URL and store the long-term access token returned. So far, so good. Here's the problem...

As stated earlier, my application might not try to post to Facebook for months or years (i.e. after my 60-day token has expired). According to the documentation I can use the fb_exchange_token option to exchange a short-lived token for a 60-day token, but I can't exchange a 60-day token that is about to expire for a new 60-day token. And the only way I have found to get a new short-lived token is by having the user log in and generate it. That's my problem. As I understand it I can't get the new short-lived token without having a user log in again.

I was trying to think of an analogy that would be simpler to understand and this is the best I've come up with.

Assume I have a bash script that runs in cron every 90 days to post a message to a company's Facebook page announcing that the quarterly reports are available. In the new, deprecated offline_access world how could I make this cron job work? The only customer-specific data I store is a 60-day access token and the bash script has no user interface.

If I did the hackiest solution and required the person who installed our application to include their FB username and password as part of the installation, how would that even work? Is there a way to provide the username and password to the Graph API and then simulate logging in and OAuth click streams with something like HttpClient?

Ideally, if I had something like the fb_exchange_token option that could exchange a 60-day token for a new 60-day token, I could write something that samples Facebook once a day to see how close my 60-day token is to expiration and, when it gets within a day or two, perform a new fb_exchange_token and save the new 60-day token.

Sorry if this is a wordy posting. I tried to get all of the info out there so someone could help without having to ask follow-up questions.

As I understand it I can't get the new short-lived token without having a user log in again.

Well, that's the whole point of removing offline_access …

Assume I have a bash script that runs in cron every 90 days to post a message to a company's Facebook page announcing that the quarterly reports are available. In the new, deprecated offline_access world how could I make this cron job work?

With a page access token instead of a user access token – page access tokens don't expire (as long as the user you've got them from does not change his password or leave the platform completely).

If I did the hackiest solution and required the person who installed our application to include their FB username and password as part of the installation, how would that even work?

That would be a clear violation of FB Platform Policies. You should not even consider doing that.

Ideally, if I had something like the fb_exchange_token option that could exchange a 60-day token for a new 60-day token […]

Again, if Facebook would want that to be possible, they would not have needed to remove offline_access in the first place.
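The install-time flow the question describes (short-lived token exchanged for a 60-day token) combined with the answer's recommendation (store page access tokens for the cron job), as an added example that is not code from either poster. It assumes two Graph API endpoints not shown on the page, GET /me/accounts (lists the pages a user manages, each with a page access token) and the token response being either form-encoded or JSON; the HTTP call is injected so the flow runs offline against a constructed stand-in.

```python
import json
from urllib.parse import urlencode, parse_qs

GRAPH = "https://graph.facebook.com"

def exchange_url(app_id, app_secret, short_token):
    # The fb_exchange_token call from the question. The app secret travels in
    # this request, so build and send it server-side only and keep it out of logs.
    query = urlencode({"client_id": app_id, "client_secret": app_secret,
                       "grant_type": "fb_exchange_token",
                       "fb_exchange_token": short_token})
    return f"{GRAPH}/oauth/access_token?{query}"

def parse_token_response(body):
    # Older Graph API versions answered "access_token=...&expires=..." (form
    # encoded); newer ones answer JSON. Accept both; return (token, seconds).
    body = body.strip()
    if body.startswith("{"):
        data = json.loads(body)
        return data["access_token"], int(data.get("expires_in", 0))
    fields = parse_qs(body)
    return fields["access_token"][0], int(fields.get("expires", ["0"])[0])

def fetch_page_tokens(user_token, http_get):
    # /me/accounts (assumed endpoint, not on the page) lists the pages the user
    # manages, each with its own page access token. Store that, not the user
    # token: it has no timed expiry, but Facebook does invalidate it when the
    # user changes password or removes the app, so keep a re-authorization path.
    body = http_get(f"{GRAPH}/me/accounts?access_token={user_token}")
    return {p["id"]: p["access_token"] for p in json.loads(body)["data"]}

def long_lived_page_tokens(app_id, app_secret, short_token, http_get):
    # Install-time flow: short-lived token -> 60-day user token -> page tokens.
    long_token, _ = parse_token_response(
        http_get(exchange_url(app_id, app_secret, short_token)))
    return fetch_page_tokens(long_token, http_get)

def fake_graph_get(url):
    # Constructed stand-in for the Graph API so the flow runs offline.
    if "/oauth/access_token" in url:
        return "access_token=LONG_USER_TOKEN&expires=5183944"
    if "/me/accounts" in url:
        return json.dumps({"data": [{"id": "1001", "name": "Acme Reports",
                                     "access_token": "PAGE_TOKEN_1001"}]})
    raise ValueError("unexpected URL: " + url)

if __name__ == "__main__":
    print(long_lived_page_tokens("APP_ID", "APP_SECRET", "SHORT", fake_graph_get))
```

For a real deployment, pass a function that performs an HTTPS GET (for example with urllib.request) in place of fake_graph_get and persist the returned page tokens per page id.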
