OAuth2中的客户机密的目的是什么? [英] What's the purpose of the client secret in OAuth2?

问题描述

我有一个提供API的应用.这个应用程式是OAuth2提供者.

I have an app that offers an API. This app is an OAuth2 provider.

我想使用仅客户端应用程序访问此API(读和写).我正在使用 JSO 来简化此操作.

I want to access this API (read & write) with a client-side only app. I'm using JSO to make this easier.

效果很好.

问题是，我不必在任何地方输入我在我的应用程序中注册的应用程序的客户端密码.而且我知道为什么，然后任何人都可以使用它.

The thing is, I don't have to enter my client secret (of the application I registered in my app) anywhere. And I understand why, it would then be available to anyone.

因此，如果我可以在没有客户端机密的情况下访问我的api，您能告诉我它的用途是什么吗?

So, if I can access my api without the client secret, could you explain to me what is its purpose?

推荐答案

OAuth 1.0中使用了Client Secret来对请求进行签名，因此是必需的.某些OAuth2服务器(例如Google Web Server API)要求发送客户端机密以接收访问令牌(来自请求令牌或刷新令牌).

Client Secret was used in OAuth 1.0 to sign the request, so it was required. Some OAuth2 servers (such as Google Web Server API) required the client secret to be sent to receive the access token (either from request token or refresh token).

OAuth 2.0显着降低了客户端机密的作用，但仍将其传递给使用它的服务器.

OAuth 2.0 has reduced the role of the client secret significantly, but it is still passed along for the servers that use it.

这篇关于OAuth2中的客户机密的目的是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！