What secures access credentials inside a single page webapp (SPA)?


Question

Suppose a hacker using a single page webapp https://example.com?secure=maybe has authenticated and obtained an OpenID Connect token that is used to access micro services.

The hacker manages to fish these credentials out of the application. (Follow-up question on that here)

The hacker creates another application running on localhost that loads the credentials obtained. The hacker also points https://example.com to localhost in /etc/hosts such that now opening the address https://example.com runs the hacker's web application instead of the real one.

Can the hacker's application now use the OpenID Connect token to access the same microservices that the original application uses it for?

The obvious answer seems like no, because https://example.com still resolves to the localhost IP address, and that's the only address that the browser knows to talk to, but I just wanted to make sure that's the case by asking...

Recommended answer

You can and perhaps should use the Authorization Code Grant with SPA apps along with (since there is no client secret) Proof Key for Code Exchange by OAuth Public Clients.

