在免费/开源软件中使用OAuth [英] Using OAuth in free/open source software

问题描述

我现在正在阅读有关OAuth的一些介绍材料，并有在免费软件中使用它的想法.

I'm now reading some introduction materials about OAuth, having the idea to use it in a free software.

我读到这个:

决不能是消费者的秘密 向任何人透露.不要包括它 在任何请求中，以任何代码显示 样本(包括开源)或 任何方式都可以显示出来.

The consumer secret must never be revealed to anyone. DO NOT include it in any requests, show it in any code samples (including open source) or in any way reveal it.

如果我使用OAuth为特定网站编写免费客户端，那么我必须在源代码中包含消费者秘密，否则从源代码制作将使该软件无法使用.但是，正如所说的那样，机密不应该与源一起发布.

If I am writing a free client for a specific website using OAuth, then I have to include the consumer secret in the source code, otherwise making from source would make the software unusable. However, as it is said, the secret should not be release along with the source.

我完全了解安全注意事项，但是，如何解决这个难题，并在免费软件中使用OAuth?

I completely understand the security considerations, but, how can I solve this dilemma, and use OAuth in free software?

我想到了使用外部网站作为身份验证的代理，但这非常复杂.你有更好的主意吗?

I thought of using an external website as a proxy for authentication, but this is very much complicated. Do you have better ideas?

像 Gwibber 这样的某些客户端也使用OAuth，但我尚未检查其代码.

Some clients like Gwibber also use OAuth, but I haven't checked its code.

推荐答案

如果您的服务提供商是一个Web应用程序，则您的服务器需要使用方注册页面，该页面在用户注册其使用方时提供使用方的秘密.这与Twitter应用程序所经历的过程相同.尝试在那里注册并查看他们的工作流程，您将完成所有步骤.

If your service provider is a webapp, your server needs consumer signup pages that provides the consumer secret as the user signs up their consumer. This is the same process Twitter applications go through. Try signing up there and look at their workflow, you'll have all the steps.

如果您的软件是对等的，则每个应用程序都必须既是服务提供商，又是消费者.下面的Jira和Confluence用例概述了该实例.

If your software is peer-to-peer, each application needs to be both a service provider and a consumer. The Jira and Confluence use cases below outline that instance.

在我的评论之一中，我提到 https://twitter.com/apps/new 为Twitter应用程序开发人员生成消费者机密的位置.如何制作这样的页面取决于系统架构.如果所有使用者都在与一台服务器通信，则该服务器将必须具有类似 https://twitter的页面. com/apps/new .如果有多个服务器(即客户端联盟)，则每个联盟都需要一个带有此页面的服务器.

In one of my comments, I mention https://twitter.com/apps/new as the location of where Twitter app developers generate a consumer secret. How you would make such a page depends on the system architecture. If all the consumers will be talking to one server, that one server will have to have a page like https://twitter.com/apps/new. If there are multiple servers (i.e. federations of clients), each federation will need one server with this page.

要考虑的另一个示例是Atlassian应用如何使用OAuth.他们是对等的.设置Jira和Confluence进行通话仍然在每个应用程序中都有一个设置页面 ，但是它与

Another example to consider is how Atlassian apps use OAuth. They are peer-to-peer. Setting up Jira and Confluence to talk to one another still has a setup page in each app, but it is nowhere near as complex as https://twitter.com/apps/new. Both apps are consumers and service providers at the same time. Visiting the setup in each app allows that app to be set up as a service provider with a one-way trust on the other app, as consumer. To make a two-way trust, the user must visit both app's service provider setup page and tell it the URL of the other app.

这篇关于在免费/开源软件中使用OAuth的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！