OAuth - embedding client secret in your application?

Views: 47

Problem description

I'm looking at the oauth implementation twitter proposes here:

https://dev.twitter.com/docs/auth/oauth

and oauth libraries like signpost:

http://code.google.com/p/oauth-signpost/

they both talk about using the client secret during the oauth flow, which means for my client application, I'd need to store the secret in the application itself. This is probably risky as someone could grab the secret out of my app. Are there any methods around storing the secret within my app? Am I misunderstanding the oauth flow?

Thanks

Recommended answer

There are no ways of storing client credentials in a native or JavaScript application without making them practically public. Also, putting those credentials on a proxy server and having the client talk to the server (so that the credentials are not exposed) doesn't really solve anything either. Now you have a problem of authenticating the client to the proxy.

The right solution is to have special support for native applications provided by the OAuth service. OAuth 2.0 uses pre-registered redirection URIs and other techniques to accomplish a reasonable client identity verification for such clients.
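As an added illustration (not part of the question or the answer above), the standard technique OAuth 2.0 provides for this is PKCE (RFC 7636): the native app proves at the token endpoint that it is the same client that began the authorization request, so no client secret needs to be embedded at all. The endpoint, client id and redirect URI values below are made up.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# PKCE (RFC 7636): the app keeps a random "code_verifier" in memory for one
# authorization attempt and sends only its SHA-256 hash ("code_challenge")
# up front. An attacker who intercepts the authorization code cannot redeem
# it without the verifier, and nothing secret is ever stored in the binary.

def make_code_verifier(num_bytes: int = 32) -> str:
    """Random verifier, 43..128 chars from [A-Za-z0-9-._~] (32 bytes -> 43 chars)."""
    raw = secrets.token_bytes(num_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                        challenge: str, state: str) -> str:
    """Authorization request the native app opens in the system browser.
    redirect_uri must match the URI pre-registered for this client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,  # random per request; the app checks it on return
    }
    return f"{auth_endpoint}?{urlencode(params)}"

def server_verify_pkce(stored_challenge: str, stored_method: str,
                       presented_verifier: str) -> bool:
    """Authorization-server side: recompute the challenge from the verifier
    presented with the token request and compare it to the one stored with
    the issued authorization code. Only S256 is accepted."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier)
    return secrets.compare_digest(expected, stored_challenge)

if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(build_authorize_url("https://as.example/authorize", "my-native-app",
                              "com.example.app:/oauth2redirect", challenge,
                              secrets.token_urlsafe(16)))
    print("token request accepted:", server_verify_pkce(challenge, "S256", verifier))
```

The known-answer pair from RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`) is a convenient way to confirm the S256 encoding matches what real authorization servers expect.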

