How to make Facebook Authentication from Silverlight secure?
I have the following scenario I want to complete:
- Website running some HTTP(S) services that returns data for a user.
- Same website is additionally hosting a Silverlight 4 app which calls these services.
- The Silverlight app is integrating with Facebook using the Facebook Developer Toolkit (http://facebooktoolkit.codeplex.com/).
I have not fully decided whether I want Facebook-integration to be a "opt-in" option such as Spotify, or if I want to "lock" down my service with Facebook-only authentication. That's another discussion.
How do I protect my API Key and Secret that I receive from Facebook in a Silverlight app? To me it's obvious that this is impossible as the code is running on the client, but is there a way I can make it harder or should I just live with the fact that third parties could potentially "act" as my own app?
Using the Facebook Developer Toolkit, there is a following C# method in Silverlight that is executed from the JavaScript when the user has fully authenticated with Facebook using the Facebook Connect APIs.
[ScriptableMember]
public void LoggedIn(string sessionKey, string secret, int expires, long userId)
{
    // Every argument here arrives from JavaScript running in the browser.
    this.SessionKey = sessionKey;
    this.UserId = userId;
}
Obviously the problem here is the fact that JavaScript is injecting the userId, which is nothing but a simple number. This means anyone could potentially inject a different userId in JavaScript and have my app think it's someone else. This means someone could hijack the data within the services running on my website.
The alternative that comes to mind is authenticating the users on my website, this way I'm never exposing any secrets and I can return an auth-cookie to the users after the initial authentication. Though this scenario doesn't work very well in an out-of-browser scenario where the user is running the Silverlight app locally and not from my website.
I had the exact same problem and this is my work around:
- Do the Authentication in ASP.NET or MVC
- Pass the AccessToken (string) through the parameters of your SL App.
- Create a new FB App object using the AccessToken in SL.
The access token doesn't reveal your information, but it does give you the UserID and access to API calls in Silverlight. Worst case scenario is someone tries to mess with the AccessToken, but FB can probably trace back what user the token was originally assigned to.
http://facebooksdk.codeplex.com/
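An added example of the server-side half of this workaround (not code from the question, the answer or either toolkit): the ASP.NET site signs the identity it established during Facebook login, hands the signed ticket to the Silverlight app as an initParam, and every HTTP service validates the ticket instead of trusting a bare userId. The key, ticket layout and lifetime are assumptions for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class UserTicket
{
    // Server-only key (assumed to come from protected configuration); it is never compiled into the XAP.
    private static readonly byte[] SigningKey = Encoding.UTF8.GetBytes("replace-with-random-server-secret");

    // Called by the ASP.NET page after the Facebook login has been verified on the server.
    // Ticket layout: userId|expiresUtcTicks|Base64(HMAC-SHA256(userId|expiresUtcTicks)).
    public static string Issue(long userId, TimeSpan lifetime)
    {
        long expiresUtc = DateTime.UtcNow.Add(lifetime).Ticks;
        string payload = userId + "|" + expiresUtc;
        return payload + "|" + Sign(payload);
    }

    // Called by each HTTP service before returning data. The Silverlight app sends the ticket
    // with every request; a client that edits the userId invalidates the signature.
    public static bool TryValidate(string ticket, out long userId)
    {
        userId = 0;
        if (string.IsNullOrEmpty(ticket)) return false;
        string[] parts = ticket.Split('|');
        if (parts.Length != 3) return false;
        long parsedId, expiresUtc;
        if (!long.TryParse(parts[0], out parsedId) || !long.TryParse(parts[1], out expiresUtc)) return false;
        string expected = Sign(parts[0] + "|" + parts[1]);
        if (!FixedTimeEquals(expected, parts[2])) return false;   // forged or tampered
        if (DateTime.UtcNow.Ticks > expiresUtc) return false;     // expired
        userId = parsedId;
        return true;
    }

    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(SigningKey))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Constant-time comparison so the signature check does not leak information through timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The out-of-browser case from the question still needs the initial login to happen against the website, since only the server holds the signing key.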
I would not add the API Secret in your Silverlight app. You need to find a way to do it through calls to the server.
I admit I don't know the Facebook Connect APIs that well, it's something that I will be looking into soon, since I need to do something similar for my Silverlight app.