OAuth Secrets and Desktop Application


Question

I am looking into creating a desktop app in an interpreted language that accesses Google's APIs. From what I can tell, there is a security hole. The client secret would be exposed within the code, and even if I created the application in C++ or Java, the code could be decompiled/disassembled and the secret could in theory be found. Is there any way around that besides obfuscating the code? I'd like to be able to distribute the code for others to use.

Answer

OAuth 2.0 Threat Model and Security Considerations (RFC 6819) lists Obtaining Client Secrets as a threat.

And as the Google doc Using OAuth 2.0 for Installed Applications says:

These applications are distributed to individual machines, and it is assumed that these applications cannot keep secrets.

So there are no client "secrets", in fact. Trying to obfuscate a secret in an installed application is a futile effort, as the secret can always be recovered using the abundance of reverse-engineering and debugging tools.

Of course, you should do your best to protect secrets, but in the end a highly motivated hacker can always get them out of an installed application. So it's the value of the secret vs. the difficulty of extraction. The value of the client secret is impersonating the application. It doesn't give any access to user data.

My suggestions: just take the risk, go ahead and obfuscate it. Or you can consider using the proxy pattern (move the secret to a web server acting as an API proxy).
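The proxy pattern the answer recommends, as an added example that is not part of the original answer: a minimal token-exchange proxy in Python. The desktop app still runs the authorization-code flow itself and receives the one-time code on its loopback redirect, but instead of calling Google's token endpoint with an embedded client_secret it posts the code to this proxy, which holds the secret on the server and returns only the token material. The token endpoint URL is Google's documented one; the client_id/secret values, the /exchange route, the ALLOWED_REDIRECT_URIS allow-list and the function names (build_token_request, post_form, exchange_code, ProxyHandler) are assumptions made for illustration, not part of any Google API or library.

```python
"""Token-exchange proxy: the desktop client never sees client_secret.

Illustrative example; names marked 'assumed' are not Google's API.
"""
import json
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict

# Google's OAuth 2.0 token endpoint (documented); the credentials below are placeholders.
GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
CLIENT_ID = "123456789.apps.googleusercontent.com"          # placeholder, public anyway
CLIENT_SECRET = "server-side-only-secret"                   # placeholder; exists only on the proxy host
# Assumed: the loopback redirect the desktop app registered. Callers may not pick their own.
ALLOWED_REDIRECT_URIS = {"http://127.0.0.1:8765/callback"}


def build_token_request(code: str, redirect_uri: str) -> Dict[str, str]:
    """Assemble the form fields for an authorization-code exchange.

    The secret is attached here, on the server; the desktop client only supplied the code.
    """
    if redirect_uri not in ALLOWED_REDIRECT_URIS:
        raise ValueError("redirect_uri not registered for this proxy")
    if not code or len(code) > 512:
        raise ValueError("invalid authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


def post_form(url: str, fields: Dict[str, str]) -> Dict[str, object]:
    """Real transport: POST an urlencoded form and parse the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exchange_code(code: str, redirect_uri: str,
                  post: Callable[[str, Dict[str, str]], Dict[str, object]] = post_form
                  ) -> Dict[str, object]:
    """Exchange the code with Google and return only what the desktop app needs.

    `post` is injectable so the exchange can be exercised without network access.
    """
    token = post(GOOGLE_TOKEN_ENDPOINT, build_token_request(code, redirect_uri))
    # Forward token material only; the request (which carries the secret) is never echoed.
    wanted = ("access_token", "expires_in", "token_type", "refresh_token")
    return {k: token[k] for k in wanted if k in token}


class ProxyHandler(BaseHTTPRequestHandler):
    """Assumed route: POST /exchange with JSON {"code": ..., "redirect_uri": ...}."""

    def do_POST(self):
        if self.path != "/exchange":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            body = json.loads(self.rfile.read(length))
            result = exchange_code(body["code"], body["redirect_uri"])
            payload, status = json.dumps(result).encode(), 200
        except (ValueError, KeyError, TypeError) as exc:
            # Malformed JSON, missing fields, or an unregistered redirect_uri.
            payload, status = json.dumps({"error": str(exc)}).encode(), 400
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Serve on loopback for local testing; put TLS and caller authentication in front of it in practice.
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

Moving the secret does not remove the impersonation problem, it relocates it: the proxy is now the component that can act as the application, so it has to authenticate, rate-limit and log its callers, and the redirect_uri allow-list stops a caller from supplying an arbitrary value. The desktop app's only remaining credential is the public client_id, which is exactly what a decompiler should find.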

