问题
maybe the following will sound somehow wierd and I have some false assumptions so I hope you can condone over this.
Just some brief introduction what we want to achieve:
Right now we are developing an app that needs a backend storing user specific data (eg images, comments, etc). As we want to get rid off all the user authentication and we want to use facebook functions, too, we will let Facebook do all the authentication stuff and just create a user based on the id/email we will receive after they have authenticated.
Let's just brief describe the flow:
- User opens app and is not logged in (the Facbook SDK will handle session and persisting the cookie on its own).
- User authenticates via Facebook.
- App sends id to server. Server will return if there IS an id existing and therefor the app will show some kind of registration (domain specific form) or will login the user immediately
And now comes the tricky part where I am NOT sure how to handle this.
As the API of the backend is public (HTTPS) we need somehow to assure IF the user is logged in before he is able to get his data via the app.
It is not enough to just say "Oh, the app has validated he is the user, so noone else will call the backend". How can the backend verify that the api-consument is REALLY authenticated with his Facebook login? We want to avoid that just anybody can call our REST service with the Facebook ID he has persisted on his device.
Keep in mind: We do not want to assign a password to a user when he is authenticated with Facebook.
Maybe I have some kind of wierd thinking in this use case, so enlight me! Thanks for all answers and shared knowledge in advance. Looking forward!!
回答1:
If you make the server fetch the user info using the access token you can do something like this:
- do client side OAuth authentication and receive an access token
- send the access token to your backend and get the user info including the Facebook ID with the Facebook API using this token
- The server will store the hashed ID (
cookie = id + ":" + hash(id + secret)) in an HTTP cookie - Do your registration/login thing
- On each request to the backend of the server will validate the id from the cookie by recomputing the hash with the secret and comparing it with the value from the cookie
回答2:
I don't know if you could authenticate your app with facebook module but take a look at backend as a service providers like this one: apiOmat the also offer "private beta modules" which means you can ask for features.
来源:https://stackoverflow.com/questions/17725389/handling-user-auth-via-facebook-and-secure-communication-within-an-app