ideas4ru, 2012-10-23 08:19:31

VK API: how to check that access_token matches uid with minimal permissions?

Hello everyone,
There is the following scenario: a client and a server written in Java.
The client goes through VKontakte authentication and receives a uid and access_token that it sends to the server.
Next, the server makes a test request to the API with the received access_token and uid and receives the username.
But how do you make sure that the access_token matches a fixed uid?
At the same time, I do not want to scare the user by asking permission to extract such data, where this match is possible and will be checked.
For example, a client, having passed authentication, can send its access_token and not its uid to the server. But since the access_token will be correct, the requests will be fine.


4 answer(s)
Pavel Gromadchuk, 2013-01-26
@Gromadchuk

I hope it's not too late to write an answer, but you can check the user id through the received access_token. To do this, you need to execute the users.get method, passing it the received access_token ( https://api.vk.com/method/users.get?access_token=TOKEN ).
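The check described in this answer, sketched as an added example that is not part of the original answer or of VK's own code: the server calls users.get with only the token and compares the id that comes back with the uid the client sent. The function names, the sample bodies and the assumed response shapes (an `id` or `uid` field inside `response`, an `error` object on failure) are assumptions made for illustration.

```python
import json
from urllib.parse import urlencode
from urllib.request import urlopen

API_URL = "https://api.vk.com/method/users.get"  # endpoint from the answer above

# Constructed sample bodies (assumed response shapes, not captured traffic).
SAMPLE_OK = '{"response":[{"id":12345,"first_name":"Test","last_name":"User"}]}'
SAMPLE_ERR = '{"error":{"error_code":5,"error_msg":"User authorization failed"}}'


def http_fetch(access_token):
    """Call users.get with only the token, so the API answers for the token's owner."""
    # Assumption: current API versions may also require a "v" (version) parameter.
    query = urlencode({"access_token": access_token})
    with urlopen(API_URL + "?" + query, timeout=5) as resp:
        return resp.read().decode("utf-8")


def token_owner_id(body):
    """Return the user id reported for the token, or None on any doubt."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or "error" in doc:
        return None  # rejected, expired or revoked token
    users = doc.get("response")
    if not isinstance(users, list) or len(users) != 1 or not isinstance(users[0], dict):
        return None
    # Assumption: the id is under "id" (newer API versions) or "uid" (older ones).
    owner = users[0].get("id", users[0].get("uid"))
    if isinstance(owner, bool) or not isinstance(owner, int):
        return None
    return owner


def token_matches_uid(access_token, claimed_uid, fetch=http_fetch):
    """True only if the API says the token belongs to the uid the client sent."""
    owner = token_owner_id(fetch(access_token))
    # Compare as strings: the uid arrives from the client as untrusted text.
    return owner is not None and str(owner) == str(claimed_uid).strip()


if __name__ == "__main__":
    print(token_matches_uid("TOKEN", "12345", fetch=lambda t: SAMPLE_OK))  # own uid
    print(token_matches_uid("TOKEN", "67890", fetch=lambda t: SAMPLE_OK))  # another uid
```

This tells the server which user the token belongs to; it does not tell it which application the token was issued to.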

Damir Abdullin, 2012-10-23
@damirazo

I didn’t quite understand the question, but the uid match is checked by auth_key, which should be equal to md5(viewer_id(uid)+'_'+app_id+'_'+app_secret_key),
where viewer_id is the ID of the user viewing the page, app_id is the ID of the application and auth_secret_key is the secret key of the application. The hash of this expression must be equal to the auth_key parameter, otherwise the specified user does not match the real one.

nixan, 2013-01-22
@nixan

If we are talking about Android, then kick the vkontakte developers to implement normal work with AccountManager)

Denis Morozov, 2014-03-12
@morozovdenis

Here's what I did:
vk.com/dev/users.search - this request needs an access_token, so by making a request here you can check the validity of the access_token.
URL:

https://api.vk.com/method/users.search?access_token=<access_token>&sig=<sig>

where sig
+ this is the concatenation of
SECRET is the secret field from the VKAccessToken structure iOS (Android)
