设置
1. A LAMP web application that uses SOLELYFacebook for authent./author
(i.e. NO credentials set/asked by the web app)
2. A smartphone app that uses ONLY Facebook for authent./author.
3. A web service provided by -1- for -2- to communicate. https, of course.
4. A client-side Javascript that uses the same web service (-3-) for asynchronous CRUD
使用情况:
A. The user signs in to - 1 - and Facebook id is saved on
server-side as well as a custom id.
B. The user signs in to - 2 - and the same happens on client-side.
C. The user enters data into - 2- which is stored locally.
D. Now comes the tricky part: 2 must send the data to 1 via 3.
E. Now even trickier: 4 must do the same.
我的问题:
我的问题是找到一种策略来验证&授权在D& D中进行沟通E.如果用户要输入凭证,那将很容易。这些将存储在本地,他是触发器。他只是!但是,当仅使用Facebook进行身份验证/作者时,请确认。永远不会发生在客户端。因此,据我所知,服务器必须提供某种合法化。例如,这可以是密钥或令牌。
我的问题: 客户端应用-3-应该如何最初验证用户到服务器(Facebook ID?)?如何阻止某人将facebook id发送到服务器服务,从而获得对CRUD的访问权限?是某种应用程序密钥(如facebooks访问令牌)是否足够?
如果是这样,那么浏览器中的Javascript怎么样?存储应用程序密钥的位置?窃取该令牌是不是太容易了,用它来验证-1-然后访问某个Facebook用户的所有数据?