facebook-oauth

问题 Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers. Want to improve this question? Update the question so it's on-topic for Stack Overflow. Closed 4 years ago . Improve this question My question is similar to this, but I'm writing from a developer's perspective rather than the company's. I prefer to keep my personal and professional lives separate, and thus would like to be able to create Facebook apps not tied to my personal FB account. Per

问题 Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers. Want to improve this question? Update the question so it's on-topic for Stack Overflow. Closed 4 years ago . Improve this question My question is similar to this, but I'm writing from a developer's perspective rather than the company's. I prefer to keep my personal and professional lives separate, and thus would like to be able to create Facebook apps not tied to my personal FB account. Per

问题 I am fairly new to facebook integration. I got to add "Sign up/in with Facebook" option to register new users with my web site. I am following these steps: Server-Side Authentication 1) Which account do I use to test this? Will my personal account be suspended or banned if I use it to play with the api? 2) To test the api, do I have to create test users like this? test users 3) Also, to create test users, looks like I need to authenticate as App Can someone explain why I should authenticate

问题 I am currently using a client-side React component to have a user login to Facebook via OAuth in my application. On the server-side, I use the npm package passport-facebook-token to validate the authenticity of the accessToken after a successful client-side login. One practice I do not see often is in addition to asking Facebook if the accessToken is valid, shouldn't the server also check if the email provided by the client's payload matches the e-mail coming back from Facebook? Allow me to

问题 I am currently using a client-side React component to have a user login to Facebook via OAuth in my application. On the server-side, I use the npm package passport-facebook-token to validate the authenticity of the accessToken after a successful client-side login. One practice I do not see often is in addition to asking Facebook if the accessToken is valid, shouldn't the server also check if the email provided by the client's payload matches the e-mail coming back from Facebook? Allow me to

问题 I'm storing long-lived access tokens for users of my application that have associated their Facebook accounts to it. Since the demise of the offline_access tokens, these long-lived tokens have an expiry date of "about 60 days." However, they can refresh themselves when the user interacts with Facebook. According to the documentation: These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire

问题 I'm storing long-lived access tokens for users of my application that have associated their Facebook accounts to it. Since the demise of the offline_access tokens, these long-lived tokens have an expiry date of "about 60 days." However, they can refresh themselves when the user interacts with Facebook. According to the documentation: These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire

来源： https://stackoverflow.com/questions/41972081/what-are-the-security-risks-of-implicit-flow

问题 I'm just curious - do I need to keep the client_secret from Google/FaceBook/another OAuth 2.0 providers in a 'secret' place? As far as I can see, there're very little things that could be done with client-secret parameter, as soon as I specify very restrictive callback-urls. So is it safe, for instance, to commit 'secret' keys to github/bitbucket/etc as a public repository for some live web-project? As far as I know, client-secret has nothing in common with the developer account on google

问题 I'm just curious - do I need to keep the client_secret from Google/FaceBook/another OAuth 2.0 providers in a 'secret' place? As far as I can see, there're very little things that could be done with client-secret parameter, as soon as I specify very restrictive callback-urls. So is it safe, for instance, to commit 'secret' keys to github/bitbucket/etc as a public repository for some live web-project? As far as I know, client-secret has nothing in common with the developer account on google