OAuth 2.0: client id and client secret exposed, is it a security issue?

Views: 34

Question

When an Android OAuth 2.0 client application has its credentials (client ID and client secret) hard-coded, it is very easy to decompile the application and retrieve the credentials.
What are the consequences of exposing the client ID and secret?

Recommended answer

I know this won't be a good StackOverflow answer, but I don't feel able to explain it better than the Threat Model and Security Considerations (RFC 6819). So here is the paragraph about obtaining a client secret and its consequences.

Note that an Android app is a Public Client (a Native Application, to be more specific) so, as you say, it is unable to keep its credentials confidential, but it is still able to protect tokens and authorization codes.

Also interesting for your case is an example about smartphones.

I know that RFCs aren't the most fun reading, but those are pretty clear.
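The answer's point that a native app cannot keep a secret yet can still protect its authorization code is what RFC 7636 (PKCE, not named in the answer itself) provides. The following is an added Python model of both sides of that exchange, not code from the original post; the `AuthorizationServer` class, the client name `android-app` and the `demo()` helper are assumptions made for illustration.

```python
import base64
import hashlib
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier the app keeps in memory only (RFC 7636 section 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(verifier)) without padding (section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Assumed minimal server: binds the challenge to the issued code and only
    redeems the code (once) when the matching verifier is presented."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":  # refuse the weaker "plain" method
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._codes.pop(code, None)  # single use, even on failure
        if entry is None or entry[0] != client_id:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), entry[1]):
            return None  # code was intercepted; verifier never left the app
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo() -> dict:
    """Constructed scenario: a leaked client ID plus an intercepted code is useless
    without the verifier, while the legitimate app redeems its own code."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    intercepted_code = server.authorize("android-app", make_code_challenge(verifier))
    stolen = server.token("android-app", intercepted_code, make_code_verifier())
    own_code = server.authorize("android-app", make_code_challenge(verifier))
    legit = server.token("android-app", own_code, verifier)
    replay = server.token("android-app", own_code, verifier)
    return {"intercepted": stolen, "legitimate": legit, "replay": replay}
```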

