Design principles of the open platform's auth.createToken and auth.getSession
When the user is not yet logged in, the application first calls auth.createToken; the backend generates a token and binds it to the calling application's id (api_key).
Rough request flow:
1. Generate the auth token
Required request parameters:
api_key
sig: an MD5 signature computed over the current request parameters together with the application's secret key
Returns a token string. It is derived from api_key + time() + a per-request auto-increment sequence number, which guarantees that every generated token is unique. Those inputs are predictable on their own, so the server should hash them together with a secret or random salt rather than hand out the plain concatenation; otherwise a third party could guess another application's tokens.
Application token table (maintained in memory)
Application api_key | Request time | Sequence no. | Token
3e4a22bb2f5ed75114b0fc9995ea85f1 | 2010-4-23 16:57 | 1 | 7634a22d75114b0fc9995ea85a3
4e4a22bb2f5ed75114b0fc9995ea85f1 | 2010-4-23 16:57 | 2 | 
2. The user logs in
Redirect to (or pop up) the Shanda unified login page, carrying the token obtained in step 1. The user enters account and password and submits them to the server for verification; on success the server generates a session key and stores it in a table made up of token, session_key, user, etc., so it can be looked up on the next request.
Application user login status table
Application api_key | Current request token | Logged-in user ID | Login time | Session_key
123 | 7634a22d75114b0fc9995ea85a3 | 124 | 2010-4-23 16:57 | 5f34e11bfb97c762e439e6a5-8055
3. Fetch the current user's login information
The third party then calls the interface with the token it obtained to fetch the user's login information (the session_key). Because the token was bound to an api_key in step 1, the server should only answer this lookup for that same application, and should accept each token once, so a token leaked from the login redirect cannot be replayed by someone else.
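Added example, not code from the original notes or from Shanda's platform: a minimal Python model of the three steps above, with the server's token and session tables plus the client-side sig computation. It assumes the classic Facebook REST sig recipe (sorted name=value pairs concatenated, app secret appended, MD5), a constructed api_key/secret registry and user store, and hypothetical names (AuthServer, signed, run_flow, TOKEN_TTL, SESSION_TTL). The token is hashed with a random nonce on top of api_key + time + sequence, and getSession refuses tokens from another application, tokens whose login has not completed, and tokens already exchanged.

```python
import hashlib
import hmac
import secrets
import time

# Constructed registry of applications (api_key -> secret key); not real credentials.
APPS = {"3e4a22bb2f5ed75114b0fc9995ea85f1": "demo-app-secret"}
# Constructed user store; a real platform keeps salted password hashes, not this.
USERS = {"alice": {"uid": 8055, "pw_hash": hashlib.sha256(b"correct-horse").hexdigest()}}

TOKEN_TTL = 600       # seconds a token may wait for the login to complete (assumption)
SESSION_TTL = 86400   # session lifetime in seconds (assumption)


def compute_sig(params, secret):
    """Request signature in the classic Facebook REST style: sort parameters by
    name, concatenate 'name=value' with no separator, append the app secret, MD5.
    The sig parameter itself is never part of the signed string."""
    body = "".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "sig")
    return hashlib.md5((body + secret).encode()).hexdigest()


def signed(params, secret):
    """Client side: return a copy of params with the sig attached."""
    return {**params, "sig": compute_sig(params, secret)}


class AuthServer:
    """Server side of the flow: createToken -> login page -> getSession."""

    def __init__(self):
        self.seq = 0
        self.tokens = {}    # token -> {api_key, created, uid, used}   (in-memory table)
        self.sessions = {}  # session_key -> {api_key, uid, expires}

    def _check_sig(self, params):
        secret = APPS.get(params.get("api_key"))
        if secret is None:
            raise PermissionError("unknown api_key")
        if not hmac.compare_digest(compute_sig(params, secret), params.get("sig", "")):
            raise PermissionError("bad sig")

    def create_token(self, params, now=None):
        """Step 1: issue a token bound to the calling application."""
        self._check_sig(params)
        now = int(time.time()) if now is None else now
        self.seq += 1
        # api_key + time + sequence make the token unique; the random nonce makes it
        # unguessable, and hashing keeps those components out of the token itself.
        raw = f"{params['api_key']}|{now}|{self.seq}|{secrets.token_hex(16)}"
        token = hashlib.sha256(raw.encode()).hexdigest()
        self.tokens[token] = {"api_key": params["api_key"], "created": now, "uid": None, "used": False}
        return token

    def login(self, token, username, password, now=None):
        """Step 2: the unified login page verifies the user and binds the token to the uid."""
        rec = self.tokens.get(token)
        if rec is None:
            raise PermissionError("unknown token")
        now = int(time.time()) if now is None else now
        if now - rec["created"] > TOKEN_TTL:
            raise PermissionError("token expired")
        user = USERS.get(username)
        pw_hash = hashlib.sha256(password.encode()).hexdigest()
        if user is None or not hmac.compare_digest(user["pw_hash"], pw_hash):
            raise PermissionError("bad credentials")
        rec["uid"] = user["uid"]
        return user["uid"]

    def get_session(self, params, now=None):
        """Step 3: exchange a logged-in token for a session_key, once, for the app that created it."""
        self._check_sig(params)
        rec = self.tokens.get(params.get("auth_token"))
        if rec is None or rec["api_key"] != params["api_key"]:
            raise PermissionError("token was not issued to this application")
        if rec["uid"] is None:
            raise PermissionError("user has not completed login")
        if rec["used"]:
            raise PermissionError("token already exchanged")
        rec["used"] = True
        now = int(time.time()) if now is None else now
        session_key = f"{secrets.token_hex(12)}-{rec['uid']}"   # mirrors the "hex-uid" shape above
        self.sessions[session_key] = {"api_key": rec["api_key"], "uid": rec["uid"], "expires": now + SESSION_TTL}
        return {"session_key": session_key, "uid": str(rec["uid"]), "expires": now + SESSION_TTL}


def run_flow():
    """Walk the three steps end to end; returns the getSession response."""
    server = AuthServer()
    api_key = "3e4a22bb2f5ed75114b0fc9995ea85f1"
    secret = APPS[api_key]
    token = server.create_token(signed({"api_key": api_key, "v": "1.0"}, secret))
    server.login(token, "alice", "correct-horse")
    return server.get_session(signed({"api_key": api_key, "v": "1.0", "auth_token": token}, secret))


if __name__ == "__main__":
    print(run_flow())
```

The token table only needs to live until the login completes, so in a real deployment the in-memory entries should be evicted after TOKEN_TTL; the session table is the one that has to persist and be checked against its expires value on every later call.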
Facebook's login verification interface is attached below for reference.
Auth.createToken
Generates an auth_token that is passed as a parameter to Auth.getSession; after the user completes login, call Auth.getSession to obtain a session_key. Intended for external (off-site) applications.
Parameters
Required | Name | Description
required | api_key | The application key associated with the calling application. If you specify the API key in your client, you don't need to pass it with every call.
required | sig | An MD5 hash of the current request and your secret key, as described in How Facebook Authenticates Your Application. Facebook computes the signature for you automatically.
required | v | This must be set to
optional | format | The desired response format, which can be either XML or JSON.
optional | callback | Name of a function to call. This is primarily to enable cross-domain JavaScript requests using the <script> tag, also known as JSONP, and works with both the XML and JSON formats. The function will be called with the response passed as the parameter.
Example Return JSON
"3e4a22bb2f5ed75114b0fc9995ea85f1"
Auth.getSession
Exchanges the auth_token for a session_key for the user who logged in.
Parameters
Required | Name | Description
required | api_key | The application key associated with the calling application. If you specify the API key in your client, you don't need to pass it with every call.
required | sig | An MD5 hash of the current request and your secret key, as described in How Facebook Authenticates Your Application. Facebook computes the signature for you automatically.
required | v | This must be set to
required | auth_token | The token returned by auth.createToken and passed into login.php
optional | format | The desired response format, which can be either XML or JSON.
optional | callback | Name of a function to call. This is primarily to enable cross-domain JavaScript requests using the <script> tag, also known as JSONP, and works with both the XML and JSON formats. The function will be called with the response passed as the parameter.
optional | generate_session_secret | Whether to generate a temporary session secret associated with this session. This is for use only with regular sessions where the user hasn't granted your site or application the
optional | host_url | The full URL of the page being constructed. By providing the host URL, we can determine what base domain to use when setting cookies on the client's browser.
Example Return JSON
{"session_key":"5f34e11bfb97c762e439e6a5-8055","uid":"8055","expires":1173309298}