当前位置: 文江博客话题详情

扩展身份验证令牌而不刷新页面

发布于 2024-12-04 21:10:25 字数 157 浏览 5 评论 0原文

用户希望在不刷新浏览器的情况下使用我的 Facebook 应用程序几个小时。
但令牌将在 2 小时后过期。现在我要求用户刷新页面,但这很烦人。
我不想询问离线访问权限,因为这会吓到一些用户。

最好的解决方案是以某种方式“重新登录”并获取新令牌而不刷新页面。 是否可以?

原文

Users want to use my facebook app for many hours without refreshing the browser.
But token expires in 2 hours. Now I ask users to refresh the page but that's annoying.
I don't want to ask offline access permissions because it will scare some users.

The best solution will be somehow "relogin" and get new token without refreshing the page.
Is it possible?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(9

回眸一遍 2024-12-11 21:10:25

我会订阅到期触发器(我认为这是 authResponseChange),然后自动执行另一个登录检查。这不会是一个完美的解决方案,因为它可能会自动触发弹出窗口(例如,如果他们已经注销),而许多浏览器可能会阻止该弹出窗口。相反,您可以在令牌过期时检查他们是否需要完成弹出窗口,并在页面上的某处显示一条通知,说明“Facebook 需要您的注意才能继续”,然后仅从他们的响应中启动弹出窗口,这将停止弹出窗口被阻止。

FB.Event.subscribe('auth.authResponseChange', function(response) {
  // do something with response
  FB.login(){
    // refresh their session - or use JS to display a notification they can 
    // click to prevent pop up issues
  }
});

I would subscribe to the expiry trigger (I think this is authResponseChange), then automate another login check. It won't be a perfect solution as it could trigger a pop up (if they have logged out for example) automatically, which a lot of browsers may block. You could instead, when the token expires, check if they will need to complete a pop up, and display a notification on your page somewhere saying 'Facebook needs your attention to continue', then only launch the pop up from their response, which would stop the pop up being blocked.

FB.Event.subscribe('auth.authResponseChange', function(response) {
  // do something with response
  FB.login(){
    // refresh their session - or use JS to display a notification they can 
    // click to prevent pop up issues
  }
});
回复 原文
花辞树 2024-12-11 21:10:25

解决此问题的算法

  1. 请求用户许可
  2. 保存令牌
  3. 定期检查访问令牌是否即将过期
  4. 如果过期,则嵌入一些虚拟 iframe,该 iframe 会重定向到 Facebook 主页。 - 扩展身份验证令牌而不刷新页面
  5. 这应该刷新令牌。您可能需要生成另一个令牌或继续使用相同的令牌。无论需要什么,都可以在不刷新页面的情况下完成。

An algorithm to workout on this

  1. Ask for permission from the user
  2. Save the token
  3. Periodically check for an access token is near to expire or not
  4. If its in verse of expiry, embed some dummy iframe, which redirects to the facebook homepage. - Extend auth token without refreshing the page
  5. This should refresh the token. You might need to generate another token or continue with the same. Whatever be required, can be done without refreshing the page.
回复 原文
横笛休吹塞上声 2024-12-11 21:10:25

你有没有想过使用ajax?两个小时后,您将检查用户是否仍处于活动状态。如果是这样,您将 axax 请求发送到 URL,他的会话详细信息将在其中更新。示例:

$(document).ready(function(){
    setInterval('update_session()', 5500000);
})
update_session(){
    $.post({
        URL: ..., // script to update session on server
        data:{ /* username, password */ },
    })
}

服务器端仅从帖子中获取用户名和密码,然后运行重新登录。

Have you thought of using ajax? After two hours you will check, if user is still active. If so, you send axax request to URL, where his session details will be updated. example:

$(document).ready(function(){
    setInterval('update_session()', 5500000);
})
update_session(){
    $.post({
        URL: ..., // script to update session on server
        data:{ /* username, password */ },
    })
}

and the server-side just takes username and password from post or and runs relogin.

回复 原文
萌能量女王 2024-12-11 21:10:25

尝试使用offline_access权限获取令牌。

Try acquiring tokens with the offline_access permission.

回复 原文
紧拥背影 2024-12-11 21:10:25

我猜想,猜想这是不可能的,FB 架构不允许这样做。为什么offline_access是一个这样的问题!!!!!!...无论如何offline_access是我认为最好的最优解决方案....

I presume, guess this is not possible,FB architecture would not allow it. And why is offline_access such a problem!!!!!!...anyway offline_access is the best optimal solution I guess....

回复 原文
丢了幸福的猪 2024-12-11 21:10:25

不幸的是,我相信这在设计上是不可能的(如果你的意思是在没有用户干预的情况下发生)。如果用户仍然登录到 Facebook,您可以将顶级页面重定向到 Facebook,它会立即用新代码将您弹回(听起来您已经在这样做了),但这只能是因为 Facebook它可以检查的cookie。如果您尝试从服务器执行任何操作,它将被拒绝,因为该 cookie 不会伴随请求。尝试从 javascript 调用 Facebook 也是如此——因为您的代码在不同的域中运行,所以 cookie 不会伴随调用,Facebook 将拒绝它。 Facebook 甚至可以知道用户是谁以及他们是否仍然登录的唯一方法就是查看该 cookie。唯一可能发生的情况是浏览器本身重定向到 facebook.com 域。

还值得一提的是,Facebook 阻止了唯一合乎逻辑的解决方法,即在 iframe 中加载 oauth url。如果你尝试一下,你会发现他们检测到页面正在 iframe 中加载,并输出一个带有链接的页面,该链接执行顶级重定向以突破框架。因此,这种方法不仅行不通,而且很明显,Facebook 在其架构中特意让它变得不可能。

编辑:如果您想要做的不是完全避免刷新,而是在需要新令牌时自动发生刷新,您可以执行以下操作:

$status=0;
$data=@file_get_contents("https://graph.facebook.com/me?access_token=$token");
foreach ($http_response_header as $rh) if (substr($rh, 0, 4)=='HTTP') list(,$status,)=explode(' ', $rh, 3);
if ($status==200)
  {
  //token is good, proceed
  }
else
  {
  //token is expired, get new one
  $fburl="http://www.facebook.com/dialog/oauth?client_id=APP_ID&redirect_uri=".urlencode('http://apps.facebook.com/yourapp/thispage.php');
  echo "<html>\n<body>\n<script>top.location='$fburl';</script>\n</body>\n</html>\n";
  exit;
  }

假设您在此代码之前有一些内容将处理signed_request参数,如果它存在并为 $token 分配一个值(您自己的显式代码或适当的 SDK 条目)。然后可以在任何需要检查 $token 是否仍然有效的地方使用显示的代码,然后再继续。

Unfortunately I believe this is impossible by design (if you mean for it to happen without user intervention). If the user is still logged in to Facebook you can redirect the top-level page to Facebook and it will bounce you right back with a new code (as it sounds like you are doing already), but that is only possible because of the Facebook cookie that it can check. If you try to do anything from your server, it will be rejected because that cookie will not accompany the request. Same goes for trying to make a call to facebook from javascript -- since your code is running in a different domain, the cookie will not accompany the call and Facebook will reject it. The only way that Facebook can even know who the user is, and that they are still logged in, is to see that cookie. And the only way that can happen is if the browser itself is redirected to the facebook.com domain.

It's worth mentioning also that Facebook has blocked the only logical workaround, i.e. loading the oauth url in an iframe. If you try it you will see that they detect the page is being loaded in an iframe and output a page with a link on it which does a top-level redirect to break out of the frame. So not only does this approach not work, it's clear that Facebook has specifically made it impossible as part of their architecture.

Edit: If what you mean to do is not avoid the refresh altogether but just have it happen automatically when a new token is needed, you can do something like this:

$status=0;
$data=@file_get_contents("https://graph.facebook.com/me?access_token=$token");
foreach ($http_response_header as $rh) if (substr($rh, 0, 4)=='HTTP') list(,$status,)=explode(' ', $rh, 3);
if ($status==200)
  {
  //token is good, proceed
  }
else
  {
  //token is expired, get new one
  $fburl="http://www.facebook.com/dialog/oauth?client_id=APP_ID&redirect_uri=".urlencode('http://apps.facebook.com/yourapp/thispage.php');
  echo "<html>\n<body>\n<script>top.location='$fburl';</script>\n</body>\n</html>\n";
  exit;
  }

This is assuming you have something before this code that will process a signed_request parameter if it is present and assign a value to $token (either explicit code of your own or the appropriate SDK entries). The shown code can then be used anywhere you need to check if $token is still valid before proceeding.

回复 原文
梦旅人picnic 2024-12-11 21:10:25

如果您获取 access_token 时未指定任何过期时间,则它们不会过期。
至少直到用户更改他的 Facebook 凭据或取消注册您的应用程序为止。

If you get the access_token without specifying any expiry to them they will not expire ..
atleast not till the time user either changes his Fb credentials or de registers your application ..

回复 原文
咋地 2024-12-11 21:10:25

我假设您正在使用 iframe signed_request 参数来获取访问令牌。实现您所需的一种方法是使用 oAuth 2.0 方法来获取访问令牌。首先,这个时间更长;您的服务器和 Facebook 必须交换凭证,这可能会很慢,但这意味着您将获得一个可以定期交换访问令牌的代码,这意味着您的服务器可以定期维护会话(可能来自客户端的 ajax 调用)。然后,您可以将此新的 access_token 传递给客户端,并在您的请求(礼物)的对话调用中使用它。

希望有帮助。

斯巴比

I presume you are using the iframe signed_request parameter to get your access token. One method of achieving what you require is to use the oAuth 2.0 method of aquiring an access token. This is more prolonged in the first instance; your server and Facebook's have to exchange credentials which can be slow, but it means that you will be given a code that can be exchanged for an access token regularly, meaning your server can maintain the session periodically (probably from an ajax call from the client). You would then pass this new access_token to the client, and use it in your dialog call for your requests (gifts).

Hope that helps.

Spabby

回复 原文
-小熊_ 2024-12-11 21:10:25

看看 https://developers.facebook.com/docs/offline- access-deprecation/#extend_token

基本上,您可以扩展令牌

https://graph.facebook.com/oauth/access_token?             
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN

,这将为您提供具有新到期时间的新令牌(应该是 60d,但我注意到类似的错误,如此处所述 https://developers.facebook.com/bugs/347831145255847/?browse=search_4f5b6e51b18170786854060

Have a look at https://developers.facebook.com/docs/offline-access-deprecation/#extend_token

basically you extend the token with

https://graph.facebook.com/oauth/access_token?             
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN

that will give you new token with new expiry time (it should be 60d but I'm noticing similar bug like described here https://developers.facebook.com/bugs/347831145255847/?browse=search_4f5b6e51b18170786854060 )

回复 原文
~没有更多了~

关于作者

半世晨晓

暂无简介

文章
评论
25 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

IDC-hncloud

文章 0 评论 0

薆情海

文章 0 评论 0

mb_VjXiXQg5

文章 0 评论 0

爱,才寂寞

文章 0 评论 0

BE WATER

文章 0 评论 0

微信用户

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文