After calling FB.login, I get the following fields in reply:

  • accessToken
  • expiresIn
  • signedRequest
  • userID

For VK, there is documentation on how to check authorization on the server:

Authorization on the remote side

Is it possible to do the same for FB?

    1 answer

    Facebook has its own decoding and verification logic

    https://developers.facebook.com/docs/games/gamesonfacebook/login#parsingsr

    algorithm:

    1. Split the signed request by a '.' character (e.g. 238fsdfsd.oijdoifjsidf899)
    2. Decode the first part - the encoded signature - from base64url
    3. Decode the second part - the payload - from base64url and then decode the resultant JSON object

    PHP code:

    function parse_signed_request($signed_request) {
        // The signed request has the form "<signature>.<payload>"
        list($encoded_sig, $payload) = explode('.', $signed_request, 2);

        $secret = "appsecret"; // Use your app secret here

        // decode the data
        $sig = base64_url_decode($encoded_sig);
        $data = json_decode(base64_url_decode($payload), true);

        // confirm the signature: HMAC-SHA256 over the still-encoded payload,
        // compared in constant time so the check does not leak timing information
        $expected_sig = hash_hmac('sha256', $payload, $secret, true);
        if (!hash_equals($expected_sig, $sig)) {
            error_log('Bad Signed JSON signature!');
            return null;
        }

        return $data;
    }

    function base64_url_decode($input) {
        // base64url uses '-' and '_' in place of '+' and '/'
        return base64_decode(strtr($input, '-_', '+/'));
    }
    • Although the link may contain the answer to the question, it is better to state the most important points here and give the link as a source. If the page the link leads to changes, a link-only answer may become invalid. - From the review queue - cheops
    • @cheops ok, got it! - Valery Tutaev
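
The same check for a non-PHP backend, as an added example in Python that is not part of the original answer: it verifies the signature before parsing the payload, then accepts the login only if the signed payload names the same user as the `userID` the client sent. The function names and sample values are constructed for illustration, and the `algorithm` and `user_id` payload fields are assumed from Facebook's signed request format rather than shown on this page.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    # base64url tokens usually arrive without '=' padding; restore it first.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_signed_request(payload: dict, secret: str) -> str:
    """Test helper (hypothetical): builds '<sig>.<payload>' as the algorithm above expects."""
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + body

def verify_login(signed_request: str, claimed_user_id: str, secret: str):
    """Return the payload if the signature is valid and it names claimed_user_id, else None."""
    try:
        encoded_sig, body = signed_request.split(".", 1)
        sig = b64url_decode(encoded_sig)
        # HMAC is computed over the still-encoded payload string.
        expected = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        # Parse the JSON only after the signature has been accepted.
        data = json.loads(b64url_decode(body))
    except (ValueError, TypeError):
        return None  # missing '.', bad base64, or invalid JSON
    if not isinstance(data, dict) or data.get("algorithm") != "HMAC-SHA256":
        return None
    # Trust the user id inside the signed payload, not the one the client posted.
    if str(data.get("user_id")) != str(claimed_user_id):
        return None
    return data

# Constructed sample values, not real credentials.
SECRET = "constructed-test-secret"
TOKEN = make_signed_request(
    {"algorithm": "HMAC-SHA256", "user_id": "1000001", "issued_at": 1700000000},
    SECRET,
)

if __name__ == "__main__":
    print(verify_login(TOKEN, "1000001", SECRET))
    print(verify_login(TOKEN, "1000002", SECRET))
```

The app secret must stay on the server; the client only forwards `signedRequest` and `userID` from the FB.login reply.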