Why does Google provide a client secret for a Native application?


Question


I'm writing a native application that works against a Google API. Upon registering my application, and despite its explicit designation as Native, the Google Developers Console provides me with a client secret.


As far as I understand the OAuth 2.0 protocol, native apps should never have a client secret, since they cannot guarantee its secrecy. Is Google mistaken in its implementation of OAuth 2.0? How should I proceed?

Recommended answer


You are correct, the client secret isn't terribly useful in a native application from a being kept secret perspective. I suspect it's there mainly for consistency with the web application flow.


It does however have at least 1 useful feature... the original developer can reset it at any time, effectively revoking all refresh tokens bound to that client ID.
