OAuth 2.0-客户端秘密必须为“秘密"吗? [英] OAuth 2.0 - does the client-secret has to be "secret"?
问题描述
我只是很好奇-我需要将Google/FaceBook/其他OAuth 2.0提供商的 client_secret 保留在秘密"位置吗?据我所知,一旦我指定了非常严格的callback-url,使用client-secret参数就可以完成很少的事情.
I'm just curious - do I need to keep the client_secret from Google/FaceBook/another OAuth 2.0 providers in a 'secret' place? As far as I can see, there're very little things that could be done with client-secret parameter, as soon as I specify very restrictive callback-urls.
例如,将秘密"密钥作为某些实时Web项目的公共存储库提交给github/bitbucket/etc的安全性是吗?
So is it safe, for instance, to commit 'secret' keys to github/bitbucket/etc as a public repository for some live web-project?
据我所知,client-secret与google/facebook上的开发者帐户没有任何共同之处,因此无法将其用于劫持或欺骗.
As far as I know, client-secret has nothing in common with the developer account on google/facebook, so it's not possible to use it for hjacking or spoofing.
我错过了什么吗?谢谢!
Am I missing something? Thanks!
推荐答案
尝试将其尽可能保密.
对于Web应用程序,将其保密至关重要,整个流程的安全性取决于此.
For a web app it is crucial to keep it secret, the security of the whole flow relies on that.
对于本机应用程序,请尽力而为.它总是可以从您的二进制文件进行逆向工程,但是在某些情况下可能并不容易.如果可能的话,不要简单地提交给github之类的东西.您可以在构建过程中添加它.
For native apps do your best. It can always be reverse engineered from your binary, but in some cases that may not be trivial. If possible don't commit in plain to github or such. You can add it as part of the build process.
这篇关于OAuth 2.0-客户端秘密必须为“秘密"吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
