The behaviour I want is simple:
There are a few problems with this behaviour, as far as I can see.
You cannot login programmatically, according to the terms of service; sign on must be done via the Facebook website or SDK, both of which are interactive. Therefore, I cannot create my own form, pass the username and password to my web server, login there and respond with the successful cookie set.
Security
If the user logs in via the application, they are authenticated for the application only. Passing the Facebook ID to my web server could be done, but considering how easy it is to find out a user's FB ID, it would be very easy to spoof the server. I've considered auto-generating a password in the application, but this only reduces the window for spoofing and doesn't close the hole entirely.
(Security isn't actually a big deal for my project, but I don't want to leave such an obvious hole.)
My technology is iOS 3.0+ for the mobile application and Google App Engine for the server, running a modified version of Django.
The solution I've worked out, which I believe works around the limitations, is as follows:
So, my question: am I doing the right thing? Are any of my assumptions wrong?
您可以尝试使用OAuth框架
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.