开源项目，但对API密钥保持机密 [英] Open source a project but keep API keys confidential

问题描述

我想使用GitHub API创建一个开放源代码项目，但是遇到一个在源代码中包含我的密钥的问题.我从各个地方读过，从来没有在源中包含任何秘密密钥，对此我表示同意.我还发现了一些关于通过Web服务器进行身份验证而不是使用户获得自己的API密钥的模糊引用.

I'd like to create an open source project using the GitHub API, but I came across a problem having my secret key in the source code. I've read from various places to never include any secret keys in the source and I agree with that. I've also found a couple vague references about authenticating through a web sever instead of making users acquire their own API keys.

据我了解，它将是这样的:

From my understanding it would go something like this:

当需要通过GitHub进行身份验证时，我会让用户向我的服务器发送请求.从那里，我将使用自己的API密钥向GitHub进行身份验证，并在成功身份验证之后，将签名返回给提出请求的用户.从那时起，他们可以直接与GitHub通信.那是对的吗?

When it comes time to authenticate with GitHub, I would have the user send a request to my server. From there, I would authenticate with GitHub using my own API keys and after a successful authentication, return the signature to the user who made the request. From that point on they could communicate directly with GitHub. Is that correct?

如果这是它的工作方式，那么我想了解更多有关该过程的信息.这是我第一次使用API​​，所以我对此很陌生.

If that is how it works, I would love to know a little more about the process. It's my first time working with APIs so I'm pretty new to this.

推荐答案

我从来没有收到这个问题的答案，所以我想我会顺其自然.

I never received an answer to this question so I thought I would pass along what I found in the mean time.

使用API​​开源项目的主要问题是公开您的客户机密(至少在GitHub的情况下，这就是我发布此问题的原因).您绝对不应在源代码中包含客户机密.如果有人拥有您的客户机密和客户ID，他们可以有效地模拟您的应用程序.

The main concern with open sourcing a project that utilizes an API is disclosing your client secret (at least in the case of GitHub, which is why I posted this question). You should never include your client secret in the source. If someone has your client secret and client id they can effectively impersonate your application.

因此，剩下两个选择.

So, that leaves two options.

1).运行您自己的简单服务器.

1). Run your own simple server.

2).要求每个派生您的项目的人都拥有自己的GitHub API密钥.

2). Require everyone who forks your project to get their own GitHub API keys.

我建议选择选项2.如果您开源应用程序，那么它就不再属于您，并且您对于其他人将如何使用它也没有发言权.那么，为什么要在使用客户端ID和机密时对别人的应用程序的行为负责?

I would suggest going with option 2. If you open source an application, it's no longer yours, and you don't have a say in what other people will do with it. So, why would you want to be accountable for what someone else's application does while using your client id and secret?

这里还有另一个问题.在通过GitHub进行身份验证并获得Auth令牌后，您需要以某种方式安全地存储该Auth令牌.最初我没有意识到，但基本上是一个密码.如果您以纯文本格式存储身份验证令牌，而其他人则将其恢复，则他们可以向API发出请求并检索所有用户数据. (这使用的是OAuth2和不记名令牌.)

There is also another problem here. Once you authenticate with GitHub and get an Auth Token, you need to somehow securely store that Auth Token. I didn't realize it initially, but it's basically a password. If you store the Auth Token in plain text and someone else recovers it, they can make a request to the API and retrieve all of the users data. (This is using OAuth2 and bearer tokens.)

实际上没有一种在客户端上存储身份验证令牌的好方法.当您尝试开源项目时，这也带来了另一个问题.谁使用您的开放源代码项目，本质上都将需要使用他们自己的服务器进行初始身份验证，然后再存储auth令牌.

There's really not a good way to store the auth token on the client. Which also presents another problem when you are trying to open source your project. Whoever uses your open source project will essentially need to use their own server for the initial authentication and then also to store the auth token.

请记住一些注意事项.

Just some things to keep in mind.

这篇关于开源项目，但对API密钥保持机密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！