Google OAuth - Where to Store Client ID


Problem description

I followed this link to allow my users to authenticate via google:
https://dev.to/jorgecf/integrating-google-authentication-with-your-angular-app-4j2a

However, I have to have my Google Client ID in my UI code:

return pload.then(async () => {
  await gapi.auth2
    .init({ client_id: 'abc123' })  // Put my client ID here. How should I store this?
    .then(auth => {
      this.gapiSetup = true;
      this.authInstance = auth;
    });
});

Is that a security issue? If so, where/how would I store that?

Solution

I received similar questions, so I think it is a valid question.

The OAuth2 flow needs the client_id in the browser, so it is not a security issue.

Why?: Because that's how it's defined in the OAUTH2 SPECIFICATION.

Why is client_id required?

Your angular code needs the client_id to generate the auth url and then perform a redirection to that url. No matter the oauth2 provider (google, facebook, etc), that url has the following syntax:

https://auth.acme.com/auth?response_type=code&redirect_uri=https://myweb.com/callback&client_id=******

Note the redirect_uri and client_id fields.

This auth url is responsible for showing the login form, receiving the credentials and performing the redirection to redirect_uri, sending the code value.

What would be an issue?

To have the secret in your frontend (angular) would be the security issue.

This secret must be used together with the client id and other fields to retrieve the access_token, in your case from google. This token will permit you to consume google apis (drive, map, etc) if you have the correct permissions.

This flow must be in your backend.

How to partially hide it?

Create the auth url in your backend and return it to your frontend with a 302 http code. The browser will perform an instantaneous redirection.

I said partially, because a curious buddy could stop the redirection (esc key) or use the browser console and view your auth url, which contains the client_id field.

Feel free to use this room https://chat.stackoverflow.com/rooms/215054/oauth2-budy to ask other questions related to oauth2.
