I’m thinking of distributing a Flash game that can embed Facebook JS on any web page that will host it (many free portals for Flash games). I can window.open the Facebook login dialog when the host page sets allowScriptAccess.
One of my ideas on how to get around the crossdomain login problem (how to access Token on my Flash game hosted in an unknown domain, without struggling with the JS cross domain and all these browser issues):
- Flash generates a unique token (tag)
- Flash opens a comet connection with a tag on our server
- Flash opens the OAUTH dialog by forwarding the redirect_uri tag to the allowed domain
- A user subscribes with Facebook credentials and is redirected to redirect_uri with active accessToken (CODE) and tag
- Facebook redirects to our server, skipping accessToken
- Our server grabs the CODE and tag from the GET parameters and retrieves the accessToken
- Our server redirects accessToken to the Flash comet recognized by the Tag
- Finally - Flash can use Facebook functions with valid access.
Since I am not a lawyer, and these Facebook policy documents are not clear to me ...
Question: Can Facebook allow this type of login to any domain? I feel that I will work on such security.
facebook cross-domain policy
mizi_sk
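A sketch of the server side of the flow described in the question, as an added example that is not part of the original post: the tag is treated as a single-use, expiring secret bound to one comet connection, and the CODE is only exchanged after the tag has been validated. The names `PendingLogins`, `handle_callback` and the injected `exchange_code` callable are hypothetical, and here the server issues the tag instead of Flash generating it.

```python
import secrets
import time

TAG_TTL_SECONDS = 300  # assumed lifetime of a pending login


class PendingLogins:
    """Tags issued to comet connections that are waiting for an OAuth callback."""

    def __init__(self, ttl=TAG_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # tag -> (connection_id, expiry time)

    def register(self, connection_id):
        """Issue an unguessable tag bound to exactly one comet connection."""
        tag = secrets.token_urlsafe(32)
        self._pending[tag] = (connection_id, self._clock() + self._ttl)
        return tag

    def consume(self, tag):
        """Return the connection id for a tag once; None if unknown or expired."""
        entry = self._pending.pop(tag, None)  # pop makes the tag single-use
        if entry is None:
            return None
        connection_id, expiry = entry
        if self._clock() > expiry:
            return None
        return connection_id


def handle_callback(params, pending, exchange_code):
    """Validate the redirect's GET parameters, then route the token.

    params        -- dict of GET parameters from the redirect (CODE and tag)
    exchange_code -- hypothetical callable that swaps the CODE for an accessToken
    Returns (connection_id, access_token), or None if the request is rejected.
    """
    code, tag = params.get("code"), params.get("tag")
    if not code or not tag:
        return None
    connection_id = pending.consume(tag)
    if connection_id is None:
        return None  # unknown, replayed or expired tag: never spend the CODE
    return connection_id, exchange_code(code)
```
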