Facebook oAuth needs secret key?
Facebook oAuth requires your secre开发者_Python百科t key? I thought you weren't supposed to share that. Am I using the wrong secret key?
Your secret key is a shared secret between you and Facebook. Thus you can send it over secure channels (such as SSL)
Are you talking about when your program requests an access token? If so, you need to supply the secret you're going to be using so it can be known by Facebook and associated with the access token they're issuing to you. Once you have your access token, you shouldn't have to send your secret to Facebook anymore...just use it to hash your API requests.
The api keys reside in php and you are not supposed to print them anywhere. Just use them to initialize the php facebook api. Here is tutorial i have written to write Facebook apps.
http://www.dreamincode.net/forums/topic/153919-facebook-php-api-and-xfbml-on-iframe/
The answer is, it depends. My understanding is that you are asking about the client_secret or app_secret.
If you are doing server side connection to Facebook, then you use the client_secret. This is the authorization grant type of the oauth protocol.
If you are doing client side connection to Facebook, you don't want to include the client_secret as your code can be decompiled and others can access it, and start interacting with facebook using your credentials. In this instance, you are using the implicit grant type of the oauth protocol. Facebook does not require the client secret in this instance, and in fact, their security page checklist says never to include the client secret: https://developers.facebook.com/docs/facebook-login/security#checklist
The best (opinion) run down on oauth from a conceptual perspective (rather than nitty gritty code) that I've found is here: https://stormpath.com/blog/what-the-heck-is-oauth (I have no association, just like this page).
Hope this helps, D
精彩评论