Google's OAuth 2.0 for installed apps and Client Secret not being a secret


Question

It appears that Google has been modernizing OAuth interactions for native apps, as announced initially here https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html and as evidenced by their current documentation pages https://developers.google.com/identity/protocols/OAuth2InstalledApp

I have been able to run the sample console app in the referenced GitHub repo successfully.

This flow exchanges the authorization code for an access token using the client secret, among other parameters. However, it is well known (and stated in the referenced article) that client secrets cannot be securely stored in installed apps. The same article states this fact in the following way:

"The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)"

So if this flow is the recommended flow for installed apps, should we just not worry about protecting the client_secret and embed it right in the app? If so, what about this flow makes it so?

Also, as the sample shows, a random http redirect URL is generated locally which is not registered anywhere in the Google Developer Console's Credentials page. This is unlike Azure AD, where you have to be specific about the redirect URI when registering a native app.

Answer

The behavior of Google's authorization server is gated on the type of client you register.

It's an oddity that the "client secret" is required for Desktop and TV clients but not for iOS and Android; however, for all 4 native app types the server treats the clients as non-confidential, and the "client secret" value is effectively an extension of the client ID. This is in contrast to web clients, where it is assumed that client secret confidentiality is maintained, and thus they can be treated differently for actions like incremental auth.

Regarding the registration of redirect URIs, this is also gated on client types. For some types, like Web, manual registration is required. For other types, like Desktop, the redirect URI is pre-registered (in the case of Desktop, http://127.0.0.1:*/*).
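The two points in the answer above (the "client secret" of a Desktop client is shipped with the app and is not confidential, and the loopback redirect http://127.0.0.1:*/* is pre-registered so the app can pick any free local port at runtime) can be seen together in the request-building side of the flow. The following is an added example written for this thread, not Google's sample code: it picks an ephemeral loopback port, builds the authorization URL, validates the state parameter on the redirect, and assembles the token-exchange body in which client_secret appears alongside the public client_id. Endpoint URLs are assumed to be Google's current ones; the PKCE code_verifier/code_challenge pair (RFC 7636) is not discussed in the thread and is included here because it, not the embedded secret, is what ties the code exchange to the app instance that started the request.

```python
"""Loopback-redirect authorization code flow for an installed (desktop) app.

Constructed example for the thread above; not Google's sample code.
Nothing here talks to the network: the functions build and parse the
messages so the pieces of the flow can be inspected and tested offline.
"""
import base64
import hashlib
import secrets
import socket
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoints (Google's current ones at time of writing).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def pick_loopback_port() -> int:
    """Bind 127.0.0.1:0 so the OS chooses a free port.

    This is why the Desktop client type pre-registers http://127.0.0.1:*/*
    rather than a fixed port: the app cannot know in advance which port
    will be free on the user's machine.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_request(client_id: str, scopes: list[str], port: int) -> dict:
    """Build the URL the app opens in the system browser.

    The redirect_uri is the local loopback listener; state is a fresh random
    value that the app must see echoed back on the redirect.
    """
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    redirect_uri = f"http://127.0.0.1:{port}/"
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return {
        "url": AUTH_ENDPOINT + "?" + urlencode(params),
        "state": state,
        "verifier": verifier,
        "redirect_uri": redirect_uri,
    }


def parse_redirect(request_target: str, expected_state: str) -> str:
    """Extract the authorization code from the request the browser makes to
    the loopback listener, e.g. '/?state=...&code=...'.

    A redirect whose state does not match is rejected: anything can send an
    HTTP request to 127.0.0.1, so the state check is what proves the
    redirect belongs to the request this app instance started.
    """
    qs = parse_qs(urlparse(request_target).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to our authorization request")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


def build_token_request(client_id: str, client_secret: str, code: str,
                        redirect_uri: str, verifier: str) -> dict:
    """Form body for the POST to TOKEN_ENDPOINT.

    client_secret is sent because the Desktop client type requires it, but,
    as the answer explains, the server treats it as public: it is embedded in
    every copy of the app and acts as an extension of client_id. The value
    that is unique to this run is code_verifier.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # embedded in the app; not confidential
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    # Placeholder identifiers; real values come from the Developer Console.
    req = build_auth_request("EXAMPLE_CLIENT_ID.apps.googleusercontent.com",
                             ["openid", "email"], pick_loopback_port())
    print("open in browser:", req["url"])
    print("listening for redirect at:", req["redirect_uri"])
```

The real listener is a small HTTP server bound to the same port (the sample console app does this); it hands the request target to parse_redirect and then POSTs the body from build_token_request to the token endpoint.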
