OAuth token security


Question

As far as I know, the OAuth standard is very lax on how OAuth really should behave, but...

I store OAuth access tokens for various OAuth services in a database. If these tokens were compromised, could they be used by a third party? I.e., are the given tokens bound to only my API and secret keys?

Answer

The tokens are tied to a given service and user. With those, one can pretend to be that user. They are not tied to any IP address or device UUID, for example (although one could do that as an additional precaution, but that is not part of OAuth).

If they were compromised, you'd deauthorize them, thus making them worthless.

could they be used with different API and secret keys?

No.

This way the user can de-authorize on a per-application basis, and every app can have a different set of permissions (e.g. read-only access).
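The answer above describes the OAuth 1.0a-style model in which an access token comes with a token secret and every request is signed with both the app's consumer secret and that token secret. The following is an added example, not code from the original post or from any real OAuth library: a toy provider that binds each token to one app and one user, enforces the granted scope, and shows that revocation makes the token worthless. The signing scheme is a simplified HMAC and is not the exact RFC 5849 signature base string; all app names, secrets and tokens are constructed for the example.

```python
"""Added example (not from the original post): a toy OAuth 1.0a-style provider
showing what an access token is bound to and what revocation does. The signing
is simplified (not the exact RFC 5849 base string); all names are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class AccessToken:
    user: str            # the resource owner who authorised the app
    consumer_key: str    # the one app the token was issued to
    token_secret: str    # shared only with that app, never sent on the wire
    scopes: frozenset    # what the user granted (e.g. read-only)
    revoked: bool = False


def sign(method, url, consumer_key, token, consumer_secret, token_secret):
    """HMAC over the request, keyed with BOTH the app's and the token's secret.
    Without the consumer secret a stolen token cannot produce a valid signature."""
    base = "&".join([method, url, consumer_key, token])
    key = f"{consumer_secret}&{token_secret}".encode()
    return hmac.new(key, base.encode(), hashlib.sha1).hexdigest()


def build_request(method, url, consumer_key, consumer_secret, token, token_secret):
    """What the client app sends. Note: no IP address or device id is part of it."""
    return {
        "method": method, "url": url,
        "oauth_consumer_key": consumer_key, "oauth_token": token,
        "oauth_signature": sign(method, url, consumer_key, token,
                                consumer_secret, token_secret),
    }


class Provider:
    """The OAuth service: registry of apps plus every token it has issued."""

    def __init__(self):
        self.consumers = {}   # consumer_key -> consumer_secret
        self.tokens = {}      # token string -> AccessToken

    def register_app(self, consumer_key):
        self.consumers[consumer_key] = secrets.token_urlsafe(24)
        return self.consumers[consumer_key]

    def issue_token(self, consumer_key, user, scopes):
        token, token_secret = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.tokens[token] = AccessToken(user, consumer_key, token_secret, frozenset(scopes))
        return token, token_secret

    def revoke(self, token):
        """User (or operator) de-authorises one app; other apps' tokens are untouched."""
        self.tokens[token].revoked = True

    def verify(self, req):
        """Return (status, detail) for a signed API request."""
        tok = self.tokens.get(req["oauth_token"])
        if tok is None or tok.revoked:
            return 401, "invalid_token"
        if tok.consumer_key != req["oauth_consumer_key"]:
            return 401, "token_not_issued_to_this_app"
        consumer_secret = self.consumers.get(req["oauth_consumer_key"])
        if consumer_secret is None:
            return 401, "unknown_consumer"
        expected = sign(req["method"], req["url"], req["oauth_consumer_key"],
                        req["oauth_token"], consumer_secret, tok.token_secret)
        if not hmac.compare_digest(expected.encode(), str(req["oauth_signature"]).encode()):
            return 401, "bad_signature"
        required = "read" if req["method"] == "GET" else "write"   # endpoint -> scope
        if required not in tok.scopes:
            return 403, "insufficient_scope"
        return 200, tok.user


def demo():
    """Replay the scenarios from the answer; returns the provider's verdict for each."""
    provider = Provider()
    secret_a = provider.register_app("photo-app")   # the app that stores tokens in its DB
    secret_b = provider.register_app("rogue-app")   # an attacker's own registered app
    token, token_secret = provider.issue_token("photo-app", "alice", ["read"])
    url = "https://api.example/photos"
    results = {}
    # normal use by the app the user authorised
    results["legit_read"] = provider.verify(
        build_request("GET", url, "photo-app", secret_a, token, token_secret))
    # same app, but the user only granted read access
    results["legit_write"] = provider.verify(
        build_request("POST", url, "photo-app", secret_a, token, token_secret))
    # DB breach: token and token secret leak, replayed through a different app
    results["other_app"] = provider.verify(
        build_request("GET", url, "rogue-app", secret_b, token, token_secret))
    # DB breach: attacker knows the consumer key but not the consumer secret
    results["wrong_consumer_secret"] = provider.verify(
        build_request("GET", url, "photo-app", "guess", token, token_secret))
    # once the breach is noticed, the token is revoked
    provider.revoke(token)
    results["after_revoke"] = provider.verify(
        build_request("GET", url, "photo-app", secret_a, token, token_secret))
    return results
```

Running `demo()` returns `(200, "alice")` only for the authorised app with a valid signature and a permitted scope; the stolen token replayed through another app, a signature made with a guessed consumer secret, a write with a read-only grant, and any use after revocation are all rejected. One caveat the answer does not cover: with OAuth 2.0 bearer tokens (RFC 6750) there is no per-request signature, so possession of the token alone is enough to use it until it expires or is revoked, which makes prompt revocation and short lifetimes the main defence for a leaked token database.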

