Facebook的身份验证使用的是Android我的服务器我的、的是、身份验证、服务器
我要建一个应用程序具有以下块:
I'm building an application with the following blocks:
Android的 - 客户端, Java小 - Sever的侧面, Facebook应用 - 为了authenicate用户和他们的数据进行工作所使用
Android - Client Side, Java Servlets - Sever Side, Facebook app - used in order to authenicate users and work with their data.
我的问题是这样的: 我想通过Facebook来验证我的用户(如使用Facebook的Android的SDK给Facebook Android客户端发送的请求),但是我想请求发送到我的服务器(这是由servlet来实现它),并验证某种方式在发送请求的用户进行身份验证,以Facebook和我的应用程序。
My Problem is the following: I would like to authenticate my users via facebook (such as a request sent from the android client using facebook-android-sdk to facebook) but then I would like to send requests to my server (which is implemented by servlets) and to validate somehow that the user sending the request is authenticated to facebook and my application.
因此,这些步骤如下:
So these are the steps:
用户X被authenicated到Facebook和使用Facebook的Android的SDK我的Facebook应用程序。 X被发送请求到服务器
user X is authenicated to facebook and my facebook app using facebook-android-sdk. X is sending a request to my server
至于服务器,我只想知道这是一个正确的用户这与我一起工作,我不需要服务器执行任何图形API的请求。
As for the server, I would only like to know it's a proper user which is working with me, I don't need the server to perform any Graph API requests.
我怎么能知道,X是有效的在我的服务器?被在客户端在这种情况下执行的认证
How can I know that X is valid in my server? The authentication was performed on client side in that case.
推荐答案
所以,你必须:Facebook的 - Android应用程序 - 你的Web服务器。和Web服务器需要知道你是Facebook的用户,你是presenting。问题是,你不能信任Android客户端为它提供给您的任何数据。
So you have: Facebook - Android Application - Your web server. And your web server needs to know that you are the Facebook user you are presenting. The problem is that you can not trust the Android client for any data it gives to you.
我解决了这样的问题:
从Android应用程序验证用户对Facebook的, 获取FB身份验证令牌的Android应用程序, 转发身份验证令牌和放大器; Facebook的UID从机器人到网络服务器, 在Web服务器,使Facebook的API调用与提交的令牌。如果从Web服务器Facebook的API调用返回有效的验证,用户ID等于提交的Android应用程序之一,您的服务器可以信任的ID(功放,可以肯定的是,Android的认证实)
If the Facebook API call from web server returns valid authentication, and the user id is equal to the one submitted by Android application, your server can trust the id (& you can be sure that the Android authentication real)
