When I use Facebook s JS SDK to authenticate my app (using FB.init method) all I need is my App ID. It does not require my app secret and/or app key. However when I used PHP SDK, it required my app secret (atleast the example I used to learn used the app ID and app secret both).
是否安全并建议使用JS SDK进行身份验证?JS SDK的身份验证流程到底是如何实现的?
Thanks, Vineet
我也在研究身份验证的安全性——我认为自从你问这个问题以来,情况已经发生了变化,所以当你问的时候,这个信息可能不正确。
JS SDK的新版本使用了OAuth 2.0。这是有据可查的-查看OAuth 2.0站点了解详细信息。
关于SDK是否需要应用程序机密的问题,我对此有点困惑。在应用服务器端,库表明JS SDK使用应用机密对cookie进行签名(请参阅facebook python sdk)-然而,我完全不清楚JS sdk是如何知道应用程序的秘密的。我猜测,当它在身份验证过程中直接与FB对话时,它可以从FB动态获取它,但我不确定。
(编辑:我认为JS SDK直接从FB获得用应用程序秘密签名的cookie——JS SDK永远不知道应用程序秘密)。
没有完全回答你的问题,但也许可以进一步了解这是如何运作的。
另一个需要注意的问题是,不要将从客户端获得的FB用户对象用于服务器端的任何内容。这是因为有人可以很容易地制作一个脚本,而不是调用fb.api/me,将一个带有另一个用户ID的“假”JSON用户对象发送到你的应用程序。如果您正在对用户进行任何类型的服务器端处理,那么我认为您还需要进行某种服务器端身份验证。
这是不安全的,这就是为什么您在高级注册文档:
When you request facebook data, we verify the form fields before packaging them up in the
signed_request. This lets you assume that all the data is genuine and saves you from having to verify things. The one problem that could arise, is a smart attacker could change the form fields and submit them to you, thereby giving you unverified data.
阅读该文档了解更多信息,我还写了一篇教程(关于插件的介绍),并展示了如何处理来自客户端的字段属性。
How to get a selected text inside a iframe. I my page i m having a iframe which is editable true. So how can i get the selected text in that iframe.
I would like to click a link in my page using javascript. I would like to Fire event handlers on the link without navigating. How can this be done? This has to work both in firefox and Internet ...
Heres the problem, In Masterpage, the google analytics code were pasted before the end of body tag. In ASPX page, I need to generate a script (google addItem tracker) using codebehind ClientScript ...
Is there a reliable way to access the client machine s clipboard using Javascript? I continue to run into permissions issues when attempting to do this. How does Google Docs do this? Do they use ...
I have a large javascript which I didn t write but I need to use it and I m slowely going trough it trying to figure out what does it do and how, I m using alert to print out what it does but now I ...
Is it possible for someone to give me a few pointers on how to display a multidimensional array in the form of a bar graph? The array is multidimensional, with three elements in each part - and the ...
Is it possible to reload a form after file-input change? I have a form where the user can chose an image for upload. I also have a php script which displays that image resized. I only wonder if it ...
I ve made a little forum and I want parse the date on newest posts like twitter, you know "posted 40 minutes ago ","posted 1 hour ago"... What s the best way ? Thanx.
