OAuth secrets in mobile apps


Question

When using the OAuth protocol, you need a secret string obtained from the service you want to delegate to. If you are doing this in a web app, you can simply store the secret in your database or on the file system, but what is the best way to handle it in a mobile app (or a desktop app, for that matter)?

Storing the string in the app is obviously not good, as someone could easily find it and abuse it.

Another approach would be to store it on your server, and have the app fetch it on every run, never storing it on the phone. This is almost as bad, because you have to include the URL in the app.

The only workable solution I can come up with is to first obtain the Access Token as normal (preferably using a web view inside the app), and then route all further communication through our server, which would append the secret to the request data and communicate with the provider. Then again, I'm a security noob, so I'd really like to hear some knowledgeable people's opinions on this. It doesn't seem to me that most apps are going to these lengths to guarantee security (for example, Facebook Connect seems to assume that you put the secret into a string right in your app).

Another thing: I don't believe the secret is involved in initially requesting the Access Token, so that could be done without involving our own server. Am I correct?

Recommended answer

Yes, this is an issue with the OAuth design that we are facing ourselves. We opted to proxy all calls through our own server. OAuth wasn't entirely fleshed out in respect of desktop apps. There is no perfect solution to the issue that I've found without changing OAuth.

If you think about it and ask the question why we have secrets, it is mostly for provisioning and disabling apps. If our secret is compromised, then the provider can only really revoke the entire app. Since we have to embed our secret in the desktop app, we are sorta screwed.

The solution is to have a different secret for each desktop app. OAuth doesn't make this concept easy. One way is to have the user go and create a secret on their own and enter the key on their own into your desktop app (some Facebook apps did something similar for a long time, having the user go and create a Facebook app to set up their custom quizzes and crap). It's not a great experience for the user.

I'm working on a proposal for a delegation system for OAuth. The concept is that, using our own secret key that we get from our provider, we could issue our own delegated secret to our own desktop clients (one for each desktop app, basically), and then during the auth process we send that key over to the top-level provider, which calls back to us and re-validates with us. That way we can revoke the secrets we issue to each desktop client. (Borrowing a lot of how this works from SSL.) This entire system would be perfect for value-add web services as well that pass on calls to a third-party web service.

The process could also be done without delegation verification callbacks if the top-level provider provides an API to generate and revoke new delegated secrets. Facebook is doing something similar by allowing Facebook apps to let users create sub-apps.

There are some talks about the issue online:

http://blog.atebits.com/2009/02/fixing-oauth/
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/629b03475a3d78a1/de1071bf4b820c14#de1071bf4b820c14

Twitter and Yammer's solution is an authentication PIN solution:
https://dev.twitter.com/oauth/pin-based
https://www.yammer.com/api_oauth_security_addendum.html
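The proxy arrangement that the question proposes and the answer says it adopted, combined with the per-client revocable secret the answer describes, as an added example in Python. This is not code from the original question or answer. Everything specific to the proxy is assumed for illustration: the names SigningProxy, enroll, revoke, sign, install_mac and provider_verify, the per-install HMAC-SHA256 scheme the client uses to authenticate to the proxy, and the credentials, URL, nonce and timestamp, which are constructed sample values. The OAuth 1.0a pieces (signature base string, HMAC-SHA1, the consumer_secret&token_secret signing key) follow the OAuth 1.0 specification; note that the signing key contains the consumer secret even while the token secret is still empty, which is the situation at the request-token step.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, urlsplit


def percent_encode(value) -> str:
    """RFC 5849 encoding: RFC 3986 unreserved characters pass, everything else becomes %XX."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params) -> str:
    """OAuth 1.0a signature base string: METHOD & base URL & normalized params.
    params is any iterable of (key, value) pairs, oauth_signature excluded."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    # Default ports are dropped from the base URL
    if (parts.scheme == "http" and host.endswith(":80")) or (parts.scheme == "https" and host.endswith(":443")):
        host = host.rsplit(":", 1)[0]
    base_url = f"{parts.scheme.lower()}://{host}{parts.path}"
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join((method.upper(), percent_encode(base_url), percent_encode(normalized)))


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """HMAC key is consumer_secret '&' token_secret. The consumer secret is required
    even before any token exists (request-token step), so a client that talks to
    the provider directly cannot do without it."""
    return f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    key = signing_key(consumer_secret, token_secret).encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def install_mac(install_secret: str, method: str, url: str, params: dict) -> str:
    """Hypothetical client-to-proxy authentication: HMAC-SHA256 over the canonical
    request, keyed with the secret our proxy issued to this particular install."""
    canonical = signature_base_string(method, url, params.items())
    return hmac.new(install_secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


class SigningProxy:
    """Our own server (assumed design). It is the only place the provider's consumer
    secret lives. Each client install gets its own secret that can be revoked on
    its own, so one leaked install does not force revoking the whole app."""

    def __init__(self, consumer_key: str, consumer_secret: str):
        self._consumer_key = consumer_key
        self._consumer_secret = consumer_secret
        self._installs = {}  # install_id -> (install_secret, oauth_token, token_secret)

    def enroll(self, oauth_token: str, token_secret: str):
        """After the user completed the OAuth dance: keep the token pair here and
        hand the install its own secret, once."""
        install_id, install_secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self._installs[install_id] = (install_secret, oauth_token, token_secret)
        return install_id, install_secret

    def revoke(self, install_id: str) -> None:
        self._installs.pop(install_id, None)

    def sign(self, install_id: str, mac: str, method: str, url: str, params: dict,
             nonce: str, timestamp: int) -> dict:
        """Check the install, then build the oauth_* parameters we forward to the
        provider. nonce and timestamp are arguments so the result is reproducible."""
        record = self._installs.get(install_id)
        if record is None:
            raise PermissionError("unknown or revoked install")
        install_secret, oauth_token, token_secret = record
        if not hmac.compare_digest(install_mac(install_secret, method, url, params), mac):
            raise PermissionError("install MAC does not verify")
        oauth_params = {
            "oauth_consumer_key": self._consumer_key,
            "oauth_token": oauth_token,
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(timestamp),
            "oauth_nonce": nonce,
            "oauth_version": "1.0",
        }
        base = signature_base_string(method, url, list(params.items()) + list(oauth_params.items()))
        oauth_params["oauth_signature"] = hmac_sha1_signature(base, self._consumer_secret, token_secret)
        return oauth_params


def provider_verify(method: str, url: str, params: dict, oauth_params: dict,
                    consumer_secret: str, token_secret: str) -> bool:
    """What the provider does on receipt: rebuild the base string and recompute."""
    presented = oauth_params.get("oauth_signature", "")
    unsigned = [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    base = signature_base_string(method, url, list(params.items()) + unsigned)
    return hmac.compare_digest(hmac_sha1_signature(base, consumer_secret, token_secret), presented)


if __name__ == "__main__":
    # Constructed sample values; the provider side is simulated in-process.
    proxy = SigningProxy("dpf43f3p2l4k3l03", "kd94hf93k423kf44")
    install_id, install_secret = proxy.enroll("nnch734d00sl2jdk", "pfkkdhi9sl3r4s00")
    url, params = "http://photos.example.net/photos", {"file": "vacation.jpg", "size": "original"}
    mac = install_mac(install_secret, "GET", url, params)
    oauth = proxy.sign(install_id, mac, "GET", url, params, "kllo9940pd9333jh", 1191242096)
    print(provider_verify("GET", url, params, oauth, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"))
    proxy.revoke(install_id)
```

The client only ever holds its install secret; the consumer secret and the token secret stay on the proxy, and revoking one install is a local operation that does not involve the provider. This does not remove the consumer secret from the system, it only moves it to a server, which is the trade-off the thread describes.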
