Why does Google provide a client secret for a Native application?
Question
I'm writing a native application that works against a Google API. Upon registering my application, and despite its explicit designation as Native, the Google Developers Console provides me with a client secret.
As far as I understand the OAuth 2.0 protocol, native apps should never have a client secret, since they cannot guarantee its secrecy. Is Google mistaken in its implementation of OAuth 2.0? How should I proceed?
Recommended answer
You are correct, the client secret isn't terribly useful in a native application from the perspective of being kept secret. I suspect it's there mainly for consistency with the web application flow.
It does however have at least one useful feature: the original developer can reset it at any time, effectively revoking all refresh tokens bound to that client ID.
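How a native client can proceed in practice, as an added example that is not part of the question or answer above: the token exchange still carries the client_secret Google issues for the installed-app flow, but the authorization code is bound to this app instance by a PKCE code_verifier (RFC 7636), a mitigation the page itself does not mention. The endpoint URLs are Google's documented ones; the loopback redirect URI, client ID and secret used when calling these functions are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Google OAuth 2.0 endpoints used by installed (native) applications.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def make_code_verifier(nbytes: int = 32) -> str:
    """Random PKCE code_verifier (RFC 7636): 43 unreserved characters for 32 bytes."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA-256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            state: str, verifier: str) -> str:
    """Authorization request: only the challenge, never the verifier, leaves the app here."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # loopback address for a desktop app (placeholder port)
        "scope": scope,
        "state": state,  # caller-generated nonce, compared again when the redirect arrives
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
        "access_type": "offline",  # ask for a refresh token
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def build_token_request(client_id: str, client_secret: str, code: str,
                        redirect_uri: str, verifier: str) -> dict:
    """Form body for POST TOKEN_ENDPOINT. The client_secret is included because Google's
    installed-app flow expects it, but it ships inside the binary and cannot be kept
    confidential; the code_verifier is what actually proves this app started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
```

Resetting the secret in the console, as the answer notes, still invalidates refresh tokens for the client ID; the verifier protects each individual authorization exchange.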