问题描述
我试图让我的Android应用程序登录到我的WebAPI服务。我想分享我的想法,以验证他们。
I'm trying to make my Android Application to log into my WebAPI services. I want to share my ideas in order to verify them.
如果通过WebSite执行对WebAPI的访问,步骤如下:
If the access to WebAPI is performed via WebSite the steps are:
1-调用WebAPI方法登录
1- Call WebAPI method for logging in
2- WebAPI将客户端重定向到Facebook
2- WebAPI redirect client to facebook
3- Facebook登录并返回令牌
3- Facebook login and returns a Token
4-如果我在下次呼叫中使用该令牌,我将被认证为正确的用户。
4- If I use that token in the next calls I'll be authenticated as the right user.
这样做。
如果通过Android APP执行对WebAPI的访问,我该如何获取访问令牌?
其实我在做这样的事情:
If the access to WebAPI is performed via Android APP, how can I get the access token?Actually I'm doing something like:
1-通过登录按钮联系Facebook
1- Contact Facebook via Login Button
2 - 将登录的ID记录到接收令牌的Facebook
2- Getting logged id to Facebook receiving a Token
3-尝试执行WebAPI调用,将认证:承载CODE添加到我的呼叫中
3- Trying to perform WebAPI calls adding the Authentication: Bearer CODE to my calls
在那一刻我正在徘徊..
At that point I'm wandering..
我的应用程序现在是我特别的用户?如果我执行类似
How can my application now that I'm THAT particular user? If I perform something like
GET /API/METHOD1
Authentication: Bearer CODE
如果Android应用从未告诉过他,那么它如何知道CODE是我?应用程序是否自动与Facebook联系以便收到一个答案,如是的,我发布该令牌,它与...有关
How can it knows that the CODE is me if the Android Application never told him? Does the application automatically contact Facebook in order to receive an answer like "yeah! I release that token, it is related to..."
或者我误会了一切?
另一种方法我可以弄清楚,我必须使用混合方法,如:
The other way I can figure it out is that I must use an "hybrid approach" like:
1-呼叫WebAPI(通过浏览器)
2-获取重定向链接到Facebook
3-获取令牌
1- Call WebAPI (as via browser)2- Get Redirect link to Facebook3- Get the token
但是在那点,我怎么可以在Facebook应用程序/ Facebook网站之间切换到我的Android应用程序?
But.. At that point, how can I swith between Facebook App / Facebook Site to my Android application again?
对不起,我想找出这个验证旁边的逻辑
Sorry for the mess, I'm trying to find out the logic beside this auth process.
推荐答案
好吧,我想我已经有了!
Ok, I think I've got it!
当WebAPI收到Facebook令牌不知道任何关于用户和授权。但是,由于令牌,可以访问Facebook作为呼叫者。
when WebAPI receives the Facebook Token doesn't know anything about user and authorizations. BUT, due to the token, can access to Facebook "as the caller".
通过这种方式,应用程序可以执行如下操作:
By this way the application could perform something like:
-
Android - > Facebook登录 - >获取FBToken
Android -> Facebook Login -> Get FBToken
Android - > Web API - >发送FBToken
Android -> Web API -> Send FBToken
Web API - > Facebook - > / me发送FBToken
Web API -> Facebook -> /me Sending FBToken
Facebook - > Web API - >身份
Facebook -> Web API -> Identity
Web API - > Andoid - >这是您身份的令牌
Web API -> Andoid -> This is the token for you Identity
Android - > Web API - >给我Auth方法,授权:承载WebAPIToken
Android -> Web API -> Give me Auth Method, Authorization: Bearer WebAPIToken
我在线发现了一个有用的类:(基于)
I found out a useful class online: (based on WebApi ASP.NET Identity Facebook login)
private async Task<FacebookUserViewModel> VerifyFacebookAccessToken(string accessToken)
{
FacebookUserViewModel fbUser = null;
var path = "https://graph.facebook.com/me?access_token=" + accessToken;
var client = new HttpClient();
var uri = new Uri(path);
var response = await client.GetAsync(uri);
if (response.IsSuccessStatusCode)
{
var content = await response.Content.ReadAsStringAsync();
fbUser = Newtonsoft.Json.JsonConvert.DeserializeObject<FacebookUserViewModel> (content);
}
return fbUser;
}
public class FacebookUserViewModel
{
[JsonProperty("id")]
public string ID { get; set; }
[JsonProperty("first_name")]
public string FirstName { get; set; }
[JsonProperty("last_name")]
public string LastName { get; set; }
[JsonProperty("username")]
public string Username { get; set; }
[JsonProperty("email")]
public string Email { get; set; }
}
所以,你可以有一个WebAPI,如:
So, you could have a WebAPI like:
[HttpGet]
[AllowAnonymous]
public async Task<string> GetTokenFromFacebook(string accessToken)
{
var user = await VerifyFacebookAccessToken(accessToken);
//Search on your DB for the user ID or email
//Get token for user
return token;
}
完整而完美的解释如下:
A complete and perfect explanation is here:http://thewayofcode.wordpress.com/2014/03/01/asp-net-webapi-identity-system-how-to-login-with-facebook-access-token/
创建标记示例
var tokenExpirationTimeSpan = TimeSpan.FromDays(14);
var identity = new ClaimsIdentity(Startup.OAuthBearerOptions.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, UserName, null, "Facebook"));
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.ToString(), null, "LOCAL_AUTHORITY"));
AuthenticationTicket ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
var currentUtc = new Microsoft.Owin.Infrastructure.SystemClock().UtcNow;
ticket.Properties.IssuedUtc = currentUtc;
ticket.Properties.ExpiresUtc = currentUtc.Add(tokenExpirationTimeSpan);
var accesstoken = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);
我希望它有帮助!
这篇关于通过Android应用程序通过Facebook令牌对WebAPI进行身份验证访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!