Decrypt OAuth 2.0 access token_问答_开发者_运维开发者技术经验分享

Is it possible to decrypt Facebook's new OAuth 2.0 access_token ?

I need to somehow get user_id and app_id from th开发者_JAVA百科e access_token.

PS:

I need to get the user_id and app_id ONLY from the access_token as Facebook Linter used to do.

As others have already pointed out, the access_token is a unique random string, so it cannot be decrypted as such. Also, we all know that the user_id and app_id are prerequesites to generate the token in the first place.

However, let's assume you stored your token(s) in a database and lost the associated user_id and app_id. In that case, it is a valid question on how to retrieve them having only the token at hand. If your token is still valid, this is possible. If it is expired, you're out of luck.

To retrieve the user_id, make a call to:

https://graph.facebook.com/me?fields=id&access_token=xxx

To retrieve the app_id, make a call to:

https://graph.facebook.com/app?fields=id&access_token=xxx

In both cases, the associated id's will be part of the JSON response, regardless of the access_token being an encrypted or unencrypted one.

Let's illustrate this with an example. Let's assume Mark Zuckerberg uses the Graph API Explorer to generate an access_token. Calling the /me endpoint gives you:

{
  "id": "68310606562"
}

and calling the /app endpoint gives you:

{
  "id": "145634995501895"
}

The ids you were looking for are part of the response.

Please note that this does not work with the access_token shown on https://developers.facebook.com/apps (not sure if this is a Facebook mistake or intentional). Please use the access_token that your app receives via OAuth.

If the access token is in the encrypted format, there's no programmatic way to determine the User ID and App ID.

I struggle to think of a legitimate way you could have come across an access token without already having those two pieces of information since presumably you know your own App ID and the User ID you stored the access token against.

Nevertheless, assuming there's a legitimate use-case for this: a call to /me?fields=id will return the user ID and/or you can use the debug tool at https://developers.facebook.com/tools/debug to debug the other properties of the access token

Generally you use the access_token to access other data from your application. So for example, your application would authenticate the user then use the access token to access other functions in FB's API, such as the graph:

https://graph.facebook.com/me?access_token=<access_token>

There is no public way of decrypting an access token to get the user id and app id. This is also very likely a massive breach of Facebook policy.

To get an access token in the first place you have to have access to the user and the app id anyway so you shouldn't need to do this. If you don't actually have access to the user or the app id then my guess would be you probably shouldn't even have their access token and have probably obtained it 'illegally'...

This is actually a very simple task, if you look closely at the access token itself. It consists of 3 segments, separated by a pipe character, |:

APP_ID|SOME_STUFF.NUMBER-USERID|SOME_MORE_STUFF

I'm not sure what SOME_STUFF, NUMBER, and SOME_MORE_STUFF are; presumably timestamps, signatures, or other encoded data that facebook uses to keep track of the access_token's validity and so on.

Unless you've obtained the acces_token in question by fowl means, I don't see a problem with being able to access the APP_ID and USER_ID from them (and neither does Facebook, apparently). So all I'll say on that is be responsible :)

The other thing to keep in mind is that this isn't a standard or anything, and is subject to change. So, watch out for that, too.

you don't have to decrypt accesstoken

As far as AppID is concerned,you should get it from facebook whn you make an app there,its your id to connect to facebook.

facebook sends the userId along with accesstoken.. just check your cookies in browser or in oauth case check entire string returned when request for acess token.

Are you sure you're talking about the Access Token here and not the signed request?

When you're Facebook Application is loaded you have a signed request object, which has the information I believe you are looking for (however if the user has not authorized your application their user ID will not be in the signed request, Facebook security)

The only way currently available is to use to Facebook Access Token Lint Tool. You can consider to automate the process.