开发者

What security threats does the access_token for Facebook Graph API pose?

I have made a custom ajax script to parse the JSON returned from the facebook graph API feed.

I have come to terms with the fact that the access token expires, so in order to get another one I can make a request to

https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id=APP_ID&client_secret=APP_SECU开发者_开发技巧RITY 

where APP_ID is the app id and APP_SECURITY is the app security values registered with my facebook app development account.

However I'm worried, because I'm making these requests via ajax, therefore anybody with basic chrome/firebug knowledge could access my app_id, app_security and access_token variables (from now on known as 'The Variables') held within my javascript file.

I am unsure as to what users can do this this kind of information?

Does the access token provide purely a read-only JSON output of my facebook page? Or can this information be used for more malicious purposes?

Now: before anybody replies saying that I should use php to get fetch the JSON and parse etc... I cannot, because the customer requirement is to use ajax, for the obvious asynchronous benefits.

If the variables pose no threat to my facebook account and can be only used for read only purposes, then I'll get on with my programming!

If however they must be kept secure... How can I securely pass the variables to javascript in order to keep the variable hidden?

PS. I already have pre-written php scripts to attain the variables. Just after a method to keep them secure when passing to the javascript (if necessary)

Thanks

Alex


As Commented, Never Display APP_ID and APP_SECRET publicly.

Read This. You will find out a way to automatically find your access token using php.

Using this php file, make an ajax call to it, and it will return your new access token.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜