使用 HTTP 引荐来源网址遇到 Facebook OAuth 问题
我今天收到一封电子邮件,内容是:
在我们检查过的每一个案例中, 该信息通过 用户的 HTTP Referer 标头 浏览器。使用时可能会发生这种情况 我们的遗留身份验证系统和 包括 , 或 页面中来自第三方的内容 接收身份验证数据 Facebook。我们的遗留机制通过了 URL中的认证信息 查询字符串,如果处理的话 错误,可以传递到第三个 各方通过浏览器。我们目前的 OAuth 2.0认证系统, 一年多前发布,通过了这个 URL 片段中的信息,其中 不会被传递给第 3 方 浏览器。
我有点困惑,因为我集成的方式是使用 PHP API,使用与 example.php 文件类似的响应:
https://github.com/facebook/php-sdk
这是我提出请求的方式:
$facebook = new Facebook(array(
'appId' => FACEBOOKAPPID,
'secret' => FACEBOOKSECRET,
'cookie' => false,
));
$fb_session = $facebook->getSession();
$fb_me = null;
// Session based API call.
if ($fb_session) {
try {
$fb_uid = $facebook->getUser();
$fb_me = $facebook->api('/me');
$fb_me['photo'] = 'http://graph.facebook.com/'.$fb_uid.'/picture?type=large';
$_SESSION['register_api'] = 1;
$_SESSION['register_api_details'] = $fb_me;
$_SESSION['register_api_user_id'] = $fb_uid;
header_redirect(SITEURL.'/register');
} catch (FacebookApiException $e) {
error_log($e);
}
}
else{
# LOGIN URL FOR FACE BOOK & request extra stuff
$fb_login_url = $facebook->getLoginUrl(array('req_perms'=>'email,user_about_me,user_birthday,user_website'));
header_redirect($fb_login_url);
}
一切正常,但我不明白我做错了什么。据我所知,我正在使用 OAuth。
I got an email today saying:
In every case that we have examined,
this information is passed via the
HTTP Referer Header by the user's
browser. This can happen when using
our legacy authentication system and
including , or
content from 3rd parties in the page
that receives authentication data from
Facebook. Our legacy mechanism passes
authentication information in the URL
query string which, if handled
incorrectly, can be passed to 3rd
parties by the browser. Our current
OAuth 2.0 authentication system,
released over a year ago, passes this
information in the URL fragment, which
is not passed to 3rd parties by the
browser.
I'm a bit confused as the way I have integrated is using the PHP API using a similar response as per the example.php file:
https://github.com/facebook/php-sdk
Here is how I'm making the request:
$facebook = new Facebook(array(
'appId' => FACEBOOKAPPID,
'secret' => FACEBOOKSECRET,
'cookie' => false,
));
$fb_session = $facebook->getSession();
$fb_me = null;
// Session based API call.
if ($fb_session) {
try {
$fb_uid = $facebook->getUser();
$fb_me = $facebook->api('/me');
$fb_me['photo'] = 'http://graph.facebook.com/'.$fb_uid.'/picture?type=large';
$_SESSION['register_api'] = 1;
$_SESSION['register_api_details'] = $fb_me;
$_SESSION['register_api_user_id'] = $fb_uid;
header_redirect(SITEURL.'/register');
} catch (FacebookApiException $e) {
error_log($e);
}
}
else{
# LOGIN URL FOR FACE BOOK & request extra stuff
$fb_login_url = $facebook->getLoginUrl(array('req_perms'=>'email,user_about_me,user_birthday,user_website'));
header_redirect($fb_login_url);
}
Everything is working fine, but I don't understand what I am doing wrong. As far as I was aware, I am using OAuth.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
事实证明,他们正要发布新版本的 API 来解决这个问题。
It turns out that they were just about to release a new version of the API which solved this problem.