
Security of Offline Access Tokens

I created an app and an offline access token so I could display a news feed on my website without requiring a Facebook login. I created two test versions in PHP and JavaScript that work fine. But I took down the JavaScript version because I was concerned about the lack of security in explicitly stating the access token in a client-side script. Is server-side the only way to go for security reasons?

I think you are correct to take out your access token from JavaScript. As long as that access token is valid - even if it hasn't been obtained with offline_access permissions - it can be used to perform actions on behalf of that user/app/page. All you need to make calls is the user/app/page ID which is easily obtainable and a valid access token...

I recommend you leave your access token management to your server-side scripts. Perhaps making ajax calls to refresh the posts at regular intervals...
