Why does Google's native OAuth2 flow require a client secret?


Question

According to Facebook's OAuth2 docs, the client-side flow doesn't require a client secret parameter. The client-side flow can be used in both native and mobile web apps.

However, Google's native OAuth2 flow requires a client secret: http://code.google.com/apis/accounts/docs/OAuth2.html#IA

In this case the client secret can be stolen by a hacker using reverse engineering tools.

Can somebody clarify why it was done this way?

Answer

According to a post from a Googler, the main reason is that they use the same libraries for server-side apps and native apps. It sounds like they don't consider client_secret to be sensitive in the context of a native app, but they plan to phase it out for the installed-app flow eventually.

From https://groups.google.com/group/oauth2-dev/browse_thread/thread/1e714924ebcc7e60/edfaaad5830ff2e8:

"We don't expect those secrets to stay secret. So far we're including them mostly so it's convenient to use with libraries today, and expect to stop requiring them at some point in the future."

While that might sound bad, keep in mind that OAuth was never intended to prevent malicious users from forging requests in the context of your mobile/desktop app.

If you're concerned about exposing client_secret, there is also the client-side flow described here: http://code.google.com/apis/accounts/docs/OAuth2.html#CS As far as I can tell, the client-side flow doesn't require client_secret and would work fine from a desktop or mobile app.

Chris
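The two flows Chris contrasts, worked through offline as an added example (this is not code from the question, the answer, or Google). It builds the authorization URL for the installed-app (authorization code) flow and for the client-side (implicit) flow, parses the redirect each one produces, and shows that only the code flow has a token-endpoint step, which is the step that puts client_secret on the wire. The endpoint URLs are the ones Google documented at the time of the thread; the client_id, client_secret, redirect URI and the redirect URLs fed to the parser are made up for the example.

```python
"""Added example: Google's installed-app vs. client-side OAuth2 flows, offline.

Assumptions (not from the original post): the endpoint URLs below are Google's
documented OAuth2 endpoints of that era; CLIENT_ID, CLIENT_SECRET and
REDIRECT_URI are placeholder values standing in for what a native app ships.
"""
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"

# Placeholder credentials, as they would be embedded in a desktop/mobile binary.
CLIENT_ID = "1234567890.apps.googleusercontent.com"
CLIENT_SECRET = "embedded-in-the-binary"
REDIRECT_URI = "http://localhost:8080/oauth2callback"
SCOPE = "https://www.googleapis.com/auth/userinfo.email"


def new_state() -> str:
    """Unguessable per-request value the app keeps to match the redirect (CSRF check)."""
    return secrets.token_urlsafe(16)


def build_auth_url(flow: str, state: str) -> str:
    """Authorization request URL for the given flow.

    'installed'   -> response_type=code  (an authorization code comes back)
    'client_side' -> response_type=token (the access token itself comes back)
    Neither request carries client_secret; it only appears in the code exchange.
    """
    response_type = {"installed": "code", "client_side": "token"}[flow]
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> dict:
    """Extract the authorization result from the URL the browser was redirected to.

    Code flow: parameters arrive in the query string (sent to the redirect host).
    Client-side flow: parameters arrive in the fragment, which the browser never
    sends to any server; only the user agent / app reads it.
    Raises ValueError on a state mismatch or an error response.
    """
    parts = urlparse(redirect_url)
    values = {k: v[0] for k, v in parse_qs(parts.query or parts.fragment).items()}
    if values.get("state") != expected_state:
        raise ValueError("state mismatch: redirect was not produced by our request")
    if "error" in values:
        raise ValueError(f"authorization failed: {values['error']}")
    if "code" in values:
        return {"flow": "installed", "code": values["code"]}
    if "access_token" in values:
        return {
            "flow": "client_side",
            "access_token": values["access_token"],
            "expires_in": int(values.get("expires_in", "0")),
        }
    raise ValueError("redirect carried neither a code nor an access token")


def token_request_body(result: dict) -> Optional[dict]:
    """Form body of the POST to TOKEN_ENDPOINT, or None when no exchange is needed.

    Only the installed-app flow has this step. An app that performs it must hold
    client_secret, so the secret necessarily lives inside the shipped binary.
    """
    if result["flow"] == "client_side":
        return None
    return {
        "grant_type": "authorization_code",
        "code": result["code"],
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
    }


if __name__ == "__main__":
    state = new_state()
    for flow, fake_redirect in {
        "installed": f"{REDIRECT_URI}?code=4/made-up-code&state={state}",
        "client_side": f"{REDIRECT_URI}#access_token=ya29.made-up&token_type=Bearer"
                       f"&expires_in=3600&state={state}",
    }.items():
        print(flow, "->", build_auth_url(flow, state))
        body = token_request_body(parse_redirect(fake_redirect, state))
        print("  token exchange:", "none needed" if body is None else sorted(body))
```

Two points the thread leaves implicit: the state check is what stops someone else's redirect from being injected into your app's session, and it costs nothing in either flow; and the client-side flow trades the secret away for a short-lived token with no refresh token (RFC 6749 section 4.2.2 forbids issuing one in the implicit grant), so a native app using it will re-prompt the user when the token expires. Today the recommended approach for native apps is the authorization code flow with PKCE (RFC 7636), which needs no client_secret at all, but that post-dates this thread.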
