Discussion of a login verification design for off-site applications (with reference to Facebook)

Design principles of the open platform's auth.createToken and auth.getSession

1. When the user is not logged in, the application first calls auth.createToken; the backend generates a token and binds it to the application id.

2. The application then sends the user to log in carrying this token; after a successful login the flow returns to the backend, which binds the user to the token and generates a session_key.

3. The user calls auth.getSession with the token, and the backend returns the corresponding session.

Overview of the request flow


1. Generate the auth token

Required request parameters:
       api_key
       sig: an MD5 signature formed from the secret key and the parameters of the current request

Returns a token whose content is composed of api_key + time() + the request's auto-increment sequence number, so that every generated token is unique.

Tokens created by applications (this table must be maintained in memory)

Application API_key               | Request time    | Sequence no. | token
---------------------------------+-----------------+--------------+----------------------------
3e4a22bb2f5ed75114b0fc9995ea85f1 | 2010-4-23 16:57 | 1            | 7634a22d75114b0fc9995ea85a3
4e4a22bb2f5ed75114b0fc9995ea85f1 | 2010-4-23 16:57 | 2            |

2. Normal user login

Redirect to, or pop up, the Shanda unified login page, carrying the token obtained in step 1. The user enters an account and password, which are submitted to the server for verification; a session key is generated and saved in a table made up of token, session_key, user and related fields, ready for the next lookup.

Application user login state table

Application api_key | Current request TOKEN       | Logged-in user ID | Login time      | Session_key
--------------------+-----------------------------+-------------------+-----------------+------------------------------
123                 | 7634a22d75114b0fc9995ea85a3 | 124               | 2010-4-23 16:57 | 5f34e11bfb97c762e439e6a5-8055

3. Retrieve the current user's login information

The third party calls the interface with the token it obtained to get the user's login information.
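As an added illustration of the three steps above (example code, not code from this page, from Shanda or from Facebook), here is a minimal Python backend that implements createToken, the login binding and getSession against the two in-memory tables the design describes. The application registry, its secret, the token lifetime and the session expiry are constructed assumptions; the sig computation follows the scheme Facebook documented for its REST API (parameters sorted by name, concatenated as name=value, secret appended, MD5), where the page only says "an MD5 signature formed from the secret key and the request parameters".

```python
import hashlib
import hmac
import itertools
import secrets
import time

# Constructed registry of applications: api_key -> application secret.
# The api_key is the value from the page's example table; the secret is made up.
APPS = {"3e4a22bb2f5ed75114b0fc9995ea85f1": "constructed-app-secret"}


def compute_sig(params: dict, secret: str) -> str:
    """Facebook-style request signature: sort parameters by name, concatenate them
    as name=value with no separator, append the application secret, MD5 the result.
    The 'sig' parameter itself is never part of the signed string."""
    base = "".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "sig")
    return hashlib.md5((base + secret).encode("utf-8")).hexdigest()


def signed(params: dict, secret: str) -> dict:
    """Client-side helper: return a copy of params with a valid sig attached."""
    return {**params, "sig": compute_sig(params, secret)}


class AuthServer:
    """Backend for the flow: createToken -> login binding -> getSession."""

    TOKEN_TTL = 600  # seconds an unused token stays valid (assumed; the page gives no value)

    def __init__(self, apps: dict):
        self.apps = apps
        self.seq = itertools.count(1)  # the auto-increment request sequence number
        self.tokens = {}               # token -> record, kept in memory as the page requires

    def _check_sig(self, params: dict) -> str:
        """Verify the request signature and return the api_key it was made with."""
        api_key = params.get("api_key")
        secret = self.apps.get(api_key)
        if secret is None:
            raise PermissionError("unknown api_key")
        expected = compute_sig(params, secret)
        # constant-time compare so the check does not leak how many leading digits match
        if not hmac.compare_digest(expected, str(params.get("sig", ""))):
            raise PermissionError("bad sig")
        return api_key

    def create_token(self, params: dict) -> str:
        """Step 1, auth.createToken: issue a token bound to the calling application."""
        api_key = self._check_sig(params)
        now = int(time.time())
        seq = next(self.seq)
        # api_key + time() + sequence number gives uniqueness, as in the page's design;
        # the random suffix (an addition, not in the page) also makes the token unguessable.
        raw = f"{api_key}{now}{seq}{secrets.token_hex(16)}"
        token = hashlib.md5(raw.encode("utf-8")).hexdigest()
        self.tokens[token] = {"api_key": api_key, "created": now, "seq": seq,
                              "uid": None, "session_key": None, "login_time": None}
        return token

    def bind_login(self, token: str, uid: int) -> str:
        """Step 2: the login page, having verified the user, binds the user to the token."""
        rec = self.tokens.get(token)
        if rec is None or time.time() - rec["created"] > self.TOKEN_TTL:
            raise PermissionError("unknown or expired token")
        if rec["uid"] is not None:
            raise PermissionError("token already bound to a user")
        # session_key shaped like the page's example value "<hex>-<uid>"
        rec["session_key"] = f"{secrets.token_hex(12)}-{uid}"
        rec["uid"] = uid
        rec["login_time"] = int(time.time())
        return rec["session_key"]

    def get_session(self, params: dict) -> dict:
        """Step 3, auth.getSession: hand the session to the application that owns the token."""
        api_key = self._check_sig(params)
        token = params.get("auth_token")
        rec = self.tokens.get(token)
        if rec is None or rec["api_key"] != api_key:
            raise PermissionError("token not issued to this application")
        if rec["uid"] is None:
            raise PermissionError("user has not completed login")
        del self.tokens[token]  # single use: the token is consumed once the session is handed out
        return {"session_key": rec["session_key"], "uid": str(rec["uid"]),
                "expires": rec["login_time"] + 24 * 3600}


def demo() -> dict:
    """Run the whole flow against the constructed registry and return the getSession result."""
    api_key, secret = next(iter(APPS.items()))
    server = AuthServer(APPS)
    token = server.create_token(signed({"api_key": api_key, "v": "1.0"}, secret))
    server.bind_login(token, 8055)  # the user logs in on the platform's own page
    return server.get_session(signed({"api_key": api_key, "v": "1.0", "auth_token": token}, secret))


if __name__ == "__main__":
    print(demo())
```

Three checks in the example go beyond what the page spells out and are the ones a reviewer would ask for: getSession refuses a token issued to a different api_key, refuses a token whose user has not yet logged in, and deletes the token after the session has been returned so it cannot be replayed; unused tokens also expire after TOKEN_TTL so the in-memory table does not grow without bound. MD5 is kept only because the page's design uses it for the signature.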

The Facebook login verification interfaces are attached below for reference.

Auth.createToken

Generates an auth_token to be used as a parameter of Auth.getSession; after the user completes login, the application calls Auth.getSession to obtain a session_key. Intended for off-site applications.

Parameters

Required:

  api_key (string)
      The application key associated with the calling application. If you specify the API key in your client, you don't need to pass it with every call.

  sig (string)
      An MD5 hash of the current request and your secret key, as described in How Facebook Authenticates Your Application. Facebook computes the signature for you automatically.

  v (string)
      This must be set to 1.0 to use this version of the API. If you specify the version in your client, you don't need to pass it with every call.

Optional:

  format (string)
      The desired response format, which can be either XML or JSON. (Default value is XML.)

  callback (string)
      Name of a function to call. This is primarily to enable cross-domain JavaScript requests using the <script> tag, also known as JSONP, and works with both the XML and JSON formats. The function will be called with the response passed as the parameter.

Example Return JSON

"3e4a22bb2f5ed75114b0fc9995ea85f1"

Auth.getSession

Generates a session_key for a user.


Parameters

Required:

  api_key (string)
      The application key associated with the calling application. If you specify the API key in your client, you don't need to pass it with every call.

  sig (string)
      An MD5 hash of the current request and your secret key, as described in How Facebook Authenticates Your Application. Facebook computes the signature for you automatically.

  v (string)
      This must be set to 1.0 to use this version of the API. If you specify the version in your client, you don't need to pass it with every call.

  auth_token (string)
      The token returned by auth.createToken and passed into login.php.

Optional:

  format (string)
      The desired response format, which can be either XML or JSON. (Default value is XML.)

  callback (string)
      Name of a function to call. This is primarily to enable cross-domain JavaScript requests using the <script> tag, also known as JSONP, and works with both the XML and JSON formats. The function will be called with the response passed as the parameter.

  generate_session_secret (bool)
      Whether to generate a temporary session secret associated with this session. This is for use only with regular sessions where the user hasn't granted your site or application the offline_access extended permission, for applications and sites that want to use a client-side component without exposing the application secret. Note that the application secret is still required for all server-side calls, for security reasons.

  host_url (string)
      The full URL of the page being constructed. By providing the host URL, we can determine what base domain to use when setting cookies on the client's browser.

Example Return JSON

{"session_key":"5f34e11bfb97c762e439e6a5-8055","uid":"8055","expires":1173309298}
