Oauth 2.0: client id and client secret exposed, is it a security issue?


Problem description

When an Android OAuth 2.0 client application has its credentials (client ID and client secret) hard-coded, it is very easy to decompile the application and retrieve the credentials.
What are the consequences of exposing the client ID and secret?

Recommended answer

I know this won't be a good StackOverflow answer, but I don't feel able to explain it better than the Threat Model and Security Considerations (RFC 6819). So here is the paragraph about obtaining a Client Secret and its related consequences.

Note that an Android app is a Public Client (a Native Application, to be more specific) and so, as you say, unable to keep its credentials confidential, but still able to protect Tokens and the Authorization Code.

Also interesting for your case is an example about smartphones.

I know that RFCs aren't the most fun reading, but those are pretty clear.
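To make the answer's point concrete, here is an added example (my own, not code from the question, the answer or RFC 6819) modelling the authorization-server side of the authorization code grant: the code is bound to the client_id and redirect_uri it was issued for, is single-use and short-lived, so a client ID and secret lifted from a decompiled app are not by themselves enough to obtain a token; an attacker would still need a freshly issued code for that client and redirect URI. Class and method names, the 60-second lifetime and the sample client_id/redirect_uri are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class IssuedCode:
    """Record kept by the authorization server for one authorization code."""
    client_id: str
    redirect_uri: str
    issued_at: float
    used: bool = False


class TokenEndpoint:
    """Toy model of the checks RFC 6749 requires when a code is redeemed."""

    CODE_LIFETIME = 60  # seconds (assumed value); a short window limits replay

    def __init__(self):
        self.codes = {}          # code -> IssuedCode
        self.issued_tokens = []  # tokens handed out, for revocation on replay

    def issue_code(self, client_id, redirect_uri):
        # The code is bound to the client and redirect URI that requested it.
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(client_id, redirect_uri, time.time())
        return code

    def redeem(self, client_id, redirect_uri, code, now=None):
        """Return (access_token, None) on success or (None, error) otherwise."""
        now = time.time() if now is None else now
        rec = self.codes.get(code)
        if rec is None:
            return None, "invalid_grant"          # unknown or never-issued code
        if rec.used:
            # A replayed code: RFC 6749 says the server SHOULD also revoke
            # tokens previously issued from it; we just flag it here.
            return None, "invalid_grant_replay"
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return None, "invalid_grant"          # code issued to someone else
        if now - rec.issued_at > self.CODE_LIFETIME:
            return None, "invalid_grant"          # expired
        rec.used = True
        token = secrets.token_urlsafe(32)
        self.issued_tokens.append(token)
        return token, None
```

Note that a leaked secret still lets an attacker impersonate the app at the authorization server; what these checks do is make the authorization code, not the secret, the thing that must be protected.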
