Heaven rewards diligence; learning knows no end

facebook-oauth

What are the security risks of Implicit flow

Question: Implicit flow is considered to be insecure. I'm aware of two problems: Confused deputy. But to overcome it you just need to check whether the access_token was issued to your application. Not a big deal. XSS attack. So if our access_token is stolen via an XSS attack, it can be used to make requests (that are part of the scope we originally requested). It sucks, but it's hard to steal the access_token, because most likely we only have it on our login page and don't store it in app state, since it's short-lived (I guess that's why the Implicit workflow does not support refresh tokens). It doesn't look too bad. Are there any other security vulnerabilities I'm not aware of? Answer 1: The correct statement should be that the Implicit flow is insecure relative to the Code flow. If an attacker wants to steal a user's access token from an application using the Code flow, the attacker must break into the server network and discover the application secret, or eavesdrop on the network traffic from the server to Google (which is HTTPS) to gain control of the access token. In the Implicit flow, the access token resides in the browser. In this case the attacker has many other possibilities to steal the token without breaking into the network. XSS (as you already explained) Confused deputy problem (as you already explained) Session fixation problem (using user A's token in user B's session. https://www.facebook.com/FacebookforDevelopers/videos/10152795636318553/) redirect_url parameter manipulation (possibly

2021-12-01 09:09:52    Category: Technical sharing    oauth-2.0   google-oauth   facebook-oauth   oauth2

Fix Rails oauth facebook x-frame-options sameorigin error

I can't for the life of me get my Facebook canvas app to display. Chrome console displays this error and nothing shows up inside the iframe - it's blank: Refused to display 'http://mysite.dev/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'. I'm using Rails 4.0.0.rc1 and omniauth-facebook 1.4.1, following the Railscast on Facebook Authentication as a guide. I didn't use any of the Javascript code since it was optional and ideally the app should only be accessed within Facebook. routes.rb match 'auth/:provider/callback', to: 'sessions#create', via: [:get, :post] match 'auth/failure

2021-11-28 23:48:50    Category: Q&A    ruby-on-rails   facebook   authentication   facebook-oauth

Universal Analytics and signup with Facebook

I have a website (theneeds.com) that allows signup via Facebook. We're running several campaigns, e.g. on Facebook itself, and we'd like to properly track signups from the different campaigns. The problem is with Universal Analytics: when a user signs up with Facebook, she triggers a new session, thus losing the campaign reference. Two possible solutions are: remove the analytics tracking on the signup form (i.e. the page that causes the new session to start) add facebook.com to the referral exclusion list Unfortunately both have disadvantages, so I'm wondering if there is any best practice or

2021-11-28 00:04:59    Category: Q&A    oauth   google-analytics   facebook-oauth

Passport-Facebook not providing email even if it is in scope

In my application I register the facebook strategy as follows: But the returned profile does not contain the email field.... passport.use(new FacebookStrategy({ clientID: config.facebook.clientID, clientSecret: config.facebook.clientSecret, callbackURL: config.facebook.callbackURL, passReqToCallback: true }, function(req, accessToken, refreshToken, profile, done) { // No email in the following console.log console.log(JSON.stringify(profile)); })); The get is as follows: app.get('/oauth/facebook', passport.authenticate('facebook', { failureRedirect: '/login', scope:['email'] })); (So I am

2021-11-27 23:20:31    Category: Q&A    node.js   facebook   oauth   passport.js   facebook-oauth

Refresh token and Access token in facebook API

Question: When we do oauth2 on the google api, we get an access token and a refresh token. Suppose I'm writing a service and I want to periodically poll for changes; I can just use the refresh token to get fresh access tokens every time the current access token gets invalidated. This is called offline access. Is there any way to do the same in facebook? Is there an offline access version similar to that of the google api? Thanks. Answer 1: For offline access, you need to exchange the short-lived access token for a new access token before it expires. Facebook has a single type of access token (no refresh token). An access token that is about to expire should get you a new access token. Extend the token manually using the Graph API endpoint :: GET /oauth/access_token? grant_type=fb_exchange_token& client_id={app-id

2021-11-26 17:51:21    Category: Technical sharing    facebook-graph-api   google-api   oauth-2.0   facebook-oauth   google-oauth

Specify multiple redirect URIs for facebook OAuth2

Question: My web application is deployed to a production site, but I also need to do local development. In addition, I have several test servers on which I carry out different testing activities. I want to specify all of these URIs for Facebook OAuth2. There is no problem with Google OAuth2: I can specify as many redirect URIs as I need. Is this achievable with Facebook? How? I am using the "Website with Facebook Login" option to integrate with Facebook. Currently I get: { error: { message: "Invalid redirect_uri: Given URL is not allowed by the Application configuration.", type: "OAuthException", code: 191 } } Answer 1: I'm not sure when they added it, but I just found a "Valid OAuth redirect URIs" field in the "Advanced" settings of my Facebook app. I just put http://localhost there and it seems to allow redirects to any URI on my localhost. No more duplicate apps! Answer 2: You will have to create different apps for the different use cases, according to your requirements. This is a strange limitation you have to deal with. Although unrelated, Facebook with Heroku (which is a partner cloud service provider)

2021-11-26 17:31:57    Category: Technical sharing    facebook   oauth   oauth-2.0   facebook-oauth

(OAuthException) (#200) User must have accepted TOS on C# - Facebook

Well, I am trying to make an app to write comments to facebook in C#. Searching in google I know that I need an Application (I did it) and I need to select the permissions. I did it.. Now I wrote my code in C#: private string MyAppId = "XXX"; private string MyAppSecret = "XXX"; private void button1_Click(object sender, EventArgs e) { FacebookClient FB = new FacebookClient(MyAppId, MyAppSecret); Dictionary<string,string> data = new Dictionary<string,string>(); data.Add("message","test"); FB.Post("OBJECT_ID/comments", data); } But when I click the button I get this error: (OAuthException) (#200) User

2021-11-25 16:30:55    Category: Q&A    c#   facebook   facebook-graph-api   facebook-oauth

Sentry 2 Facebook Oauth On Laravel says Call to undefined method ::profile()

I am using Laravel 4.1, and using facebook/php-sdk with sentry; actually it's derived from this question's answer: Facebook Login with Sentry, A password is required for user [email], none given This code isn't working any more: $profile = $user->profiles()->save($profile); throws this error: How to resolve it? The route for that is available here Route code My models are as below: Profile model: <?php class Profile extends \Eloquent { public function user() { return $this->belongsTo('User'); } } User model contains: public function profiles() { return $this->hasMany('Profile'); }

2021-11-24 14:27:35    Category: Q&A    php   laravel-4   oauth-2.0   facebook-oauth   cartalyst-sentry

Facebook Authentication - Unsafe JavaScript attempt to access frame with URL

I am trying to implement the Facebook Login System into my website. While it tries to connect to facebook, I get an error in the console log: Unsafe JavaScript attempt to access frame with URL https://s-static.ak.fbcdn.net/connect/xd_proxy.php?xxxxxxxxxxxxxxxx I am using the JavaScript SDK. I added this in the body tag: <div id="fb-root"></div> <script> window.fbAsyncInit = function() { FB.init({ appId : 'xxxxxxxxxxxxxx', status : true, cookie : true, xfbml : true }); }; (function(d){ var js, id = 'facebook-jssdk'; if (d.getElementById(id)) {return;} js = d.createElement('script'); js.id = id; js.async =

2021-11-23 11:29:53    Category: Q&A    php   javascript   facebook   facebook-oauth

What are the security risks of Implicit flow

Implicit flow is considered to be insecure. I'm aware of two problems: Confused deputy. But to overcome it you just need to check whether the access_token was given to your application. Not a big deal. XSS attack. So if our access_token was stolen via an XSS attack, it can be used to make requests (that are part of the scope we originally requested). It sucks, but it's hard to steal the access_token, as most likely we had it only on our login page and didn't store it in app state, as it's short-lived (I guess that's why the Implicit workflow does not support refresh tokens). It doesn't look too bad. Are there any

2021-11-23 11:02:05    Category: Q&A    oauth-2.0   google-oauth   facebook-oauth   oauth2