开放平台 auth.createToken, auth.getSession 设计原理
1.用户未登录时,先调auth.createToken,后端程序生成 token ,并和应用id进行绑定
大致请求流程
1. 生成 auth token
请求需要参数
api_key
sig 根据 secret key 和当前请求参数形成的 md5 签名
返回 token 窜,内容由 api_key + time() + 请求自增序号 组成,来保证每次生成的唯一
应用创建的token表 (该表需要在内存中维护)
|
应用API_key |
请求时间 |
自增序号 |
token |
|
3e4a22bb2f5ed75114b0fc9995ea85f1 |
2010-4-23 16:57 |
1 |
7634a22d75114b0fc9995ea85a3 |
|
4e4a22bb2f5ed75114b0fc9995ea85f1 |
2010-4-23 16:57 |
2 |
|
2. 用户正常登录
转到或弹出盛大统一登录网页,带上第一步取得的 token ,用户输入帐号、密码后提交到服务端进行验证,生成 session key ,并保存到由 token, session_key ,user 等组成的表内,供下次查询用
应用用户登录状态表
|
应用api_key |
当前请求TOKEN |
登录用户ID |
登录时间 |
Session_key |
|
123 |
7634a22d75114b0fc9995ea85a3 |
124 |
2010-4-23 16:57 |
5f34e11bfb97c762e439e6a5-8055 |
3. 取得当前用户登录信息
第三方可以通过取到的 token 调接口来得到 用户的登录信息
以下附上facebook 登录验证接口
Auth.createToken
生成一个auth_token作为 Auth.getSession 下的一个参数,在用户完成登录以后调用Auth.getSession 得到一个session_key,适用站外应用
Parameters
|
Required |
Name |
Type |
Description |
|
|
required |
api_key |
The application key associated with the calling application. If you specify the API key in your client, you don't need to pass it with every call. |
||
|
sig |
An MD5 hash of the current request and your secret key, as described in the How Facebook Authenticates Your Application. Facebook computes the signature for you automatically. |
|||
|
v |
This must be set to |
|||
|
optional |
format |
The desired response format, which can be either |
||
|
callback |
Name of a function to call. This is primarily to enable cross-domain JavaScript requests using the <script> tag, also known as JSONP, and works with both the XML and JSON formats. The function will be called with the response passed as the parameter. |
Example Return JSON
"3e4a22bb2f5ed75114b0fc9995ea85f1"
Auth.getSession
生成一个用户的session_key
|
Required |
Name |
Type |
Description |
|
|
required |
api_key |
The application key associated with the calling application. If you specify the API key in your client, you don't need to pass it with every call. |
||
|
sig |
An MD5 hash of the current request and your secret key, as described in the How Facebook Authenticates Your Application. Facebook computes the signature for you automatically. |
|||
|
v |
This must be set to |
|||
|
auth_token |
The token returned by auth.createToken and passed into login.php |
|||
|
optional |
format |
The desired response format, which can be either |
||
|
callback |
Name of a function to call. This is primarily to enable cross-domain JavaScript requests using the <script> tag, also known as JSONP, and works with both the XML and JSON formats. The function will be called with the response passed as the parameter. |
|||
|
generate_session_secret |
Whether to generate a temporary session secret associated with this session. This is for use only with regular sessions where the user hasn't granted your site or application the |
|||
|
host_url |
The full URL of the page being constructed. By providing the host URL, we can determine what base domain to use when setting cookies on the client's browser. |
返回
{"session_key":"5f34e11bfb97c762e439e6a5-8055","uid":"8055","expires":1173309298}