How secure is OAuth 2.0 Implicit Grant?

Views: 295

Question


In Implicit Grant, the access token is sent back in the callback URL. Is this not a security risk, because this callback URL could be cached at a hop? In general it is advised not to send sensitive data in URL params, and this access token will be a token to access all secured user resources. So why is it being passed as a fragment in the URL?

Answer


Elaborating on @vlatko's response...


To mitigate the risk of sending the token in the fragment (or via any other OAuth2 grant):

  • ensure that the OAuth endpoint and the callback endpoint use TLS (https) (See countermeasures)
  • send a state parameter to prevent cross-site forgery (Also see: http://tools.ietf.org/html/rfc6749#section-4.2.1)


Issuing short-lived access tokens (as @vlatko said) will reduce the impact of a leaked token, but is not a preventative measure.
