Facebook Platform supports two different OAuth 2.0 flows for user login: server-side (known as the authentication code flow in the specification) and client-side (known as the implicit flow). The server-side flow is used whenever you need to call the Graph API from your web server. The client-side flow is used when you need to make calls to the Graph API from a client, such as JavaScript running in a Web browser or from a native mobile or desktop app.
What is the difference between the access tokens obtained from these two flows? They appear to have different lengths.
Can we use a server-side flow token on the client? Conversely, can we use a client-side flow token on the server?
Best answer
Currently, Facebook's behaviour regarding access_tokens is as follows. In the server-side OAuth flow, if the access_token is generated from a server-side OAuth call, the resulting access_token will have the longer expiration time by default. If the call is made while there is still a valid long-lived user access_token for that user, the returned user access_token from this second call may be the same or may have changed, but in either case the expiration time will be set to a long expiration time.
The client-side OAuth flow will give you an existing, unexpired, short-lived user access_token. To make this access_token long-lived, Facebook provides a new endpoint that exchanges the short-lived access_token for one with a longer lifetime. The endpoint is
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
Also note
Currently the long-lived user access_token will be valid for 60 days while the short-lived user access_tokens are currently valid from 1 to 2 hours.
Taken from https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/
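The exchange described above, done from the server side, as an added example that is not code from the original answer: it builds the fb_exchange_token request quoted in the answer (the step needs client_secret, which is why it must run on the server rather than in browser or app code) and parses the reply into a token plus an absolute expiry. The app id and secret values are constructed placeholders, the HTTP transport is injectable so the code runs offline, and the parser assumes the reply may come either as JSON or as a form-encoded string.

```python
# Added example: server-side exchange of a short-lived (client-flow) user
# access_token for a long-lived one via the fb_exchange_token endpoint.
import json
import time
from urllib.parse import parse_qs, urlencode
from urllib.request import urlopen

EXCHANGE_URL = "https://graph.facebook.com/oauth/access_token"


def build_exchange_url(app_id, app_secret, short_token):
    """Build the exchange request from the answer's template. Because the
    request carries client_secret, this must only ever run on the server."""
    params = {
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "fb_exchange_token",
        "fb_exchange_token": short_token,
    }
    return EXCHANGE_URL + "?" + urlencode(params)


def parse_exchange_response(body, now=None):
    """Return (long_lived_token, expires_at_epoch_seconds).
    Assumption: the reply is either JSON ({"access_token": ..., "expires_in": N})
    or form-encoded (access_token=...&expires=N); both shapes are handled."""
    now = time.time() if now is None else now
    text = body.decode() if isinstance(body, bytes) else body
    try:
        data = json.loads(text)
        token = data["access_token"]
        ttl = int(data.get("expires_in", 0))
    except ValueError:  # not JSON, fall back to the form-encoded shape
        fields = parse_qs(text)
        token = fields["access_token"][0]
        ttl = int(fields.get("expires", ["0"])[0])
    if not token:
        raise ValueError("no access_token in exchange response")
    return token, now + ttl


def exchange_token(app_id, app_secret, short_token, fetch=None, now=None):
    """Perform the exchange. `fetch` maps a URL to the response body bytes;
    it defaults to a real HTTPS request and can be replaced for testing."""
    fetch = fetch or (lambda url: urlopen(url).read())
    return parse_exchange_response(fetch(build_exchange_url(app_id, app_secret, short_token)), now=now)
```

Store the returned expiry next to the token so the server can re-run the exchange before the 60-day window ends instead of discovering the failure on a Graph API call.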
Regarding "Facebook access token: server-side vs client-side flows", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/9067947/