我是否应该在可公开下载的本机应用程序中使用client_secret? [英] Should I use client_secret in a native, public downloadable application?
问题描述
我已经阅读了很多有关不同流程的信息(授权码,隐式,混合以及某些扩展,例如PKCE).现在,我正在使用PKCE进行授权代码流程.
I've read a lot about the different flows (authorization code, implicit, hybrid and some extensions such as PKCE). Now I'm on the authorization code flow with PKCE.
PKCE确保发起者与交换访问令牌的授权码的用户是同一用户.很好,很好.
PKCE ensures the initiator is the same user as the users who exchanges the authorization code for an access token. That is nice and OK.
在不使用client_secret(对于SPA/Javscript应用程序建议使用)的情况下使用此流时,不能保证该客户端是已知/原始客户端.因此,用户给出的同意"没有任何价值.嗯?
When using this flow without a client_secret (which is recommended for SPA/Javscript applications) there is no warranty that the client is the known/original client. So, the 'consent' the user gave, is of no value. uhh?
我正在开发一个诱人的客户端(可下载的公共二进制文件).秘密在二进制文件中烘烤后不能视为机密,例如可以反编译.
I am working on a nativate client (a public downloadable binary). A secret cannot be considered confidential when baked in the binary, it can be decompiled for example.
现在我在杜比奥.更好的做法是,将二进制代码中的秘密烘烤出去,以使客户端有更多的保证层,即客户端是已知的客户端,或者停止请求同意",并仅依赖于用户凭据,向整个世界提供相同的client_id.
Now I'm in dubio. What is better, bake the secret in the binary so that there is some extra layer of assurance the client is the known client or stop asking for 'consent' and give the same client_id to the whole world, only relying on the user-credentials.
或者我的故事有问题吗?
Or is there something wrong with my story?
推荐答案
一个很好的问题,使我意识到自己的理解存在空白.重定向uri的作用是应对这种风险.在web/https的情况下,唯一可行的破解方法是编辑用户的hosts文件.我是本地案例,它不够完美,下面将讨论您的问题.通常,我们最好的选择是遵循建议/标准-但它们有很多问题! https://web-in-security.blogspot.com/2017/01/pkce-what-cannot-be-protected.html?m=1
Very good question and made me realise a gap in my understanding. It is the role of the redirect uri to deal with this risk. In the web / https case the only hack that could work would be to edit the hosts file of the user. I'm the native case it is less perfect and your question is covered below. Generally our best bet is to follow recommendations / standards - but they have plenty of problems! https://web-in-security.blogspot.com/2017/01/pkce-what-cannot-be-protected.html?m=1
这篇关于我是否应该在可公开下载的本机应用程序中使用client_secret?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
