重置客户端密码OAuth2-客户端是否需要重新授予访问权限? [英] Reset Client Secret OAuth2 - Do clients need to re-grant access?

问题描述

作为一项安全性最佳实践，当工程师/实习生离开团队时，我想重置Google API控制台项目的客户端密码.

As a security best practice, when an engineer/intern leaves the team, I want to reset the client secret of my Google API console project.

该项目具有一群人授予的OAuth2访问权限，我需要确保这些权限(授予令牌和刷新令牌)不会停止工作.不幸的是，我找不到能明确说明这一点的文档.

The project has OAuth2 access granted by a bunch of people, and I need to ensure that those (grants as well as refresh tokens) will not stop working. Unfortunately, I've not been able to find documentation that explicitly states this.

推荐答案

是.客户端密码重置将立即(在Google OAuth 2.0中可能会有几分钟的延迟)使任何授权"代码无效"或刷新颁发给客户端的令牌.

Yes. Client Secret reset will immediately (in Google OAuth 2.0, there may be a few minutes delay) invalidate any authorization "code" or refresh token issued to the client.

重置客户机密是针对私人客户滥用已披露的客户机密的对策.因此，一旦重设机密，就需要重新授予许可.

Client secret reset is a countermeasure against abuse of revealed client secrets for private clients. So it makes sense to require re-grant once the secret is reset.

我也没有找到任何Google文档明确指出这一点.但是我的实践证明，重置会影响用户，您也可以对此进行测试.

I did not find any Google document states this explicitly either. But my practice proves that reset will impact users, also you can do a test on it.

在我们的工作中，我们程序员没有触碰产品的秘密，我们有测试客户.只有极少数产品运维人员可以解决这一问题.因此，我认为您需要尽最大努力来缩小团队中秘密的可见性.休息不是一个好方法.

And in our work, we programmers do not touch product's secret, we have test clients. Only a very few product ops guys can touch that. So I think you need to try your best to narrow down the visibility of the secret in your team. Rest is not a good way.

这篇关于重置客户端密码OAuth2-客户端是否需要重新授予访问权限?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！