堆栈内存溢出
  简体   繁体   English

Facebook应用程序:服务器端访问令牌验证

[英]Facebook app: server-side access token verification

 原文  2012-10-11 17:58:40       php/ facebook/ authentication

问题描述

Simple facebook application communicate with a database server (with wrapper). 简单的Facebook应用程序与数据库服务器(使用包装器)进行通信。 For security reasons there is needed to check if an user asking server for some action is really an owner of his id (sent in request). 出于安全原因,需要检查询问服务器某些操作的用户是否真的是他的id的所有者(在请求中发送)。

For this purpose request to server contains access_token and id of user from a web application based on javascript SDK. 为此,对服务器的请求包含来自基于javascript SDK的Web应用程序的access_token和user的id。 I want to check if id of owner of access token and id of user is the same. 我想检查访问令牌的所有者的ID和用户的ID是否相同。 First step is to getting id of owner of access token from Facebook. 第一步是从Facebook获取访问令牌的所有者的ID。 Using code: 使用代码: 

class SessionValidator {
    private $userId;            //id of user
    private $accessToken;       //facebook user's access token
    private $fb;
    public function __construct($userId, $accessToken){
        $this->userId = $userId;
        $this->accessToken = $accessToken;
        $app_id = @appId; 
        $app_secret = @secret;

        $fb = new Facebook(array('appId' => $app_id, 'secret' => $app_secret));
        $fb->setAccessToken($accessToken);

        $this->fb = $fb;
    }
    public function authUserSession(){
        $url = 'https://graph.facebook.com/';
        $data['fields'] = $this->userId;
        $data['access_token'] = $this->accessToken;

        $response = $this->post_request($url, $data);

        return $response;
    }
    private function post_request($url, $data){
        return $this->fb->api('/me', 'POST', $data);
    }
}

Facebook has been giving response: Facebook一直在回应:

Uncaught OAuthException: (#10) Application does not have permission for this action 未捕获的OAuthException:(#10)应用程序没有此操作的权限

The same response is if I have removed line: $fb->setAccessToken($accessToken); 如果我删除了行,则回复相同: $fb->setAccessToken($accessToken); . I'm sure that appId and appSecure are correct. 我确定appId和appSecure是正确的。 Client-side app and server-side app are placing on different hosts, but both domains are added as domain of app, on facebook developers site. 客户端应用程序和服务器端应用程序放置在不同的主机上,但这两个域都作为应用程序域添加到Facebook开发人员站点上。 Any idea why I received this error? 知道为什么我收到这个错误吗?

1 个解决方案

解决方案1
 8  2012-10-11 18:21:43

The problem is with your call you're making there! 问题出在你打电话的时候!

You should do a GET request and not POST request. 您应该执行GET请求而不是POST请求。

Also your fields key should be id as its value and not user's ID. 您的fields键也应该是id作为其值而不是用户的ID。

Here's a fixed version: 这是一个固定版本: 

class SessionValidator {
private $userId;            //id of user
private $accessToken;       //facebook user's access token
private $fb;
public function __construct($userId, $accessToken){
    $this->userId = $userId;
    $this->accessToken = $accessToken;
    $app_id = @appId; 
    $app_secret = @secret;

    $fb = new Facebook(array('appId' => $app_id, 'secret' => $app_secret));
    $fb->setAccessToken($accessToken);

    $this->fb = $fb;
}
public function authUserSession(){
    $url = 'https://graph.facebook.com/';
    $data['fields'] = 'id';
    $data['access_token'] = $this->accessToken;

    $response = $this->get_request($url, $data);

    return $response;
}
private function get_request($url, $data){
    return $this->fb->api('/me', 'GET', $data);
}
}

If you do a GET request with fields value as your User's ID ie $this->userId then it'll return an error saying: 如果您使用fields值作为User's ID进行GET请求,即$this->userId那么它将返回错误说:

(#100) Unknown fields: [User ID you Pass] (#100)未知字段:[您传递的用户ID]

EDIT: Here's another version which you could use to verify the user ID. 编辑:这是您可以用来验证用户ID的另一个版本。 If the user id matches with the user id returned by facebook, then the method will return true or false. 如果用户标识与facebook返回的用户标识匹配,则该方法将返回true或false。 If you're doing something else with the returned response, then this might not be the right version for you and you can use the above version. 如果您正在使用返回的响应执行其他操作,那么这可能不是适合您的版本,您可以使用上述版本。 

class SessionValidator {
    private $userId;            //id of user
    private $accessToken;       //facebook user's access token
    private $fb;
    public function __construct($userId, $accessToken){
        $this->userId = $userId;
        $this->accessToken = $accessToken;
        $app_id = @appId; 
        $app_secret = @secret;

        $fb = new Facebook(array('appId' => $app_id, 'secret' => $app_secret));
        $fb->setAccessToken($accessToken);

        $this->fb = $fb;
    }

    public function authUserSession(){
        $url = 'https://graph.facebook.com/';
        $data['fields'] = 'id';
        $data['access_token'] = $this->accessToken;

        $response = $this->get_request($url, $data);

        if($this->userId == $response['id']) {
            return true;
        }
        return false;
    }

    private function get_request($url, $data){
        return $this->fb->api('/me', 'GET', $data);
    }
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Facebook访问令牌 - 服务器端身份验证 - Facebook Access Tokens - Server-Side Authentication 如何通过服务器端身份验证获取用户访问令牌 - How to get user access token though server-side authentication 服务器端验证不起作用 - Server-side verification doesn't work 在服务器端使用Facebook访问令牌 - Using facebook access token on the Server side 没有PHP的Facebook服务器端登录 - Facebook server-side login without PHP 使用PHP验证Android Market许可响应的服务器端 - Server-side verification of Android Market Licensing responses with PHP OAuth2-我的访问令牌是服务器端的机密,是的,那么如何将其与AJAX一起使用? - OAuth2 - my access token is a server-side secret, yes, so how do I use it with AJAX? 如何从此Android应用获取此Google登录ID令牌以验证服务器端? - How can I get this Google Login ID Token from this Android app to verify server-side? PHP Google+平台服务器端用户验证和获取访问令牌 - PHP Google+ Plaform server side user verification and get access token Facebook服务器端oauth令牌 - Facebook server side oauth token
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM