在 Chrome 扩展和 Gmail 小工具中安全处理 OAuth 消费者密钥和秘密 [英] Secure handling of OAuth Consumer Key and Secret in Chrome Extensions and Gmail Gadgets
问题描述
我想获得一些有关在 Chrome 扩展程序和 Gmail 小工具中正确处理 Salesforce OAuth 消费者密钥和秘密的想法.Chrome 扩展程序本质上是用 zip 兼容格式包装的 Javascript.如果我需要构建一个代表用户调用 Salesforce API 的扩展,我必须将 Salesforce 生成的 App OAuth Consumer Key 和 Secret 嵌入到扩展的 JavaScript 中.这可能会导致 OAuth 使用者密钥和秘密泄露以及可能被滥用.
I would like to get some ideas on to properly handle Salesforce OAuth Consumer Key and Secret in Chrome Extensions and Gmail Gadgets. Chrome extensions are essentially Javascript wrapped up in a zip compatible format. If I need to build an extension that calls Salesforce APIs on behalf of the user, I have to embed the Salesforce generated App OAuth Consumer Key and Secret in Javascript for the extension. This creates the possibility of disclosure of the OAuth Consumer Key and Secret, and possible misuse.
我很好奇其他开发者如何处理 Chrome 扩展程序中的这些 OAuth 消费者密钥和秘密.
I am curious as to how other developers are handling these OAuth Consumer Key and Secrets in Chrome Extensions.
Google 为需要访问 Google API 的 Chrome 扩展程序提供匿名使用者密钥和机密.但是 Salesforce 不提供类似的 OAuth 设置.这是否在 Salesforce OAuth 2.0 实施的路线图上?
Google provides anonymous Consumer Keys and Secrets for Chrome Extensions that need to access Google APIs. However Salesforce doesn't provide similar OAuth setup. Is this on the roadmap for the Salesforce OAuth 2.0 implementation?
推荐答案
这里有几个选项.
1) 通过您自己的服务器运行代理,通过您自己的 API 保护机密并限制允许的方法.这也将允许您立即更新 API 密钥,而不是更新扩展程序的潜在天数.
1) Run a proxy through your own server that protects the secrets and limits the allowed methods through your own API. This will also allow you to update the API keys in moments instead of the potential days to update an extension.
2) 混淆扩展/小工具代码中的秘密.您可能很难找到它,但使用 Chrome 可以很容易地在开发工具网络选项卡中挑选出密钥.
2) Obfuscate the secrets in the extension/gadget code. You can make it difficult to find but with Chrome it will be easy to pick out the keys in the dev tools network tab.
3) 把它搞砸,把它们留在代码中,并确保使用这些秘密不会造成实际损害.
3) Say screw it, leave them in the code, and make sure no actual damage can be done using the secrets.
至于 Salesforce 的路线图,您可能需要询问他们,他们可能不会发表评论.
As for Salesforce's roadmap you will likely have to ask them and they probably won't comment.
这篇关于在 Chrome 扩展和 Gmail 小工具中安全处理 OAuth 消费者密钥和秘密的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
