OAuth2 - 将访问令牌返回给用户是否安全? [英] OAuth2 - Is it safe to return the access-token to the user?

问题描述

我是 OAuth(1 和 2)的新手，我正在开发一个移动应用程序的服务器端，该应用程序有一个带有从 Google 帐户填写详细信息"按钮的表单.我不需要任何远程身份验证\授权.

I'm new to OAuth (1 & 2), and I'm developing the server side of a mobile app that has a form with a "Fill Details from Google account" button. I don't need any long-range authentication\authorization.

从 这里(清单 2)我了解到服务器应该有一个控制器:

From here (Listing 2) I understand that the server should have a controller that:

• 当在查询中没有 code 的情况下调用时，它将推荐用户获取一个(在 AuthorizationEndpoint 中，例如:https://accounts.google.com/o/oauth2/auth).
• 当在查询中使用 code 调用时，服务器 将向 TokenEndpoint (https://accounts.google.com/o/oauth2/token) 将代码转换为访问令牌(使用密钥在请求中传递).

• When called without a code in the query it will refer the user to get one (in an AuthorizationEndpoint such as: https://accounts.google.com/o/oauth2/auth).
• When called with a code in the query, the server will send an HTTP request to the TokenEndpoint (https://accounts.google.com/o/oauth2/token) to convert the code to an access-token (using a secret-key that is passed in the request).

在这个阶段，我的服务器应该能够使用访问令牌从 https://www.googleapis.com/plus/v1/people/me - 然后将详细信息返回给用户的应用，以填写其表单.

At this stage, my server is suppose to be able to use the access-token to fetch the user's details from https://www.googleapis.com/plus/v1/people/me - and then return the details to the user's app, to fill in its form.

我(服务器开发人员)是否可以懒惰地将访问令牌而不是其详细信息返回给用户?即，让用户应用向 https://www.googleapis.com/plus 发出请求/v1/people/me.

Am I (the server developer) allowed to be lazy and return the access-token to the user, instead of its details? i.e., let the user app make the request to https://www.googleapis.com/plus/v1/people/me.

这将允许在未来为客户端应用程序提供更多功能，而无需更改我服务器上的代码.

This will allow, in the future, to give more power to the client app without changing the code on my server.

谢谢

推荐答案

出于多种原因，您的服务器不应向客户端应用程序公开其访问令牌.

Your server should not expose its access token to client applications for several reasons.

1. OAuth 协议的全部意义在于在不暴露您自己的凭据(例如标识符、密码等)的情况下向第 3 方授予安全且有限的访问权限.你不应该忽视这一点.

1. The whole point of the OAuth protocol is to give safe and limited access rights to a 3rd party without exposing your own credentials (e.g. identifiers, passwords, etc). You shouldn't ignore this.

令牌颁发给特定的 OAuth 客户端，在您的情况下是服务器.共享令牌不会改变这一点.仍代表您的服务器而不是客户端应用访问用户详细信息，如果出现任何问题，您需要负责.

A token is issued to a specific OAuth client, in your case it's the server. Sharing the token does not change this. User details are still accessed on your server's behalf instead of the client app's, you're responsible in case of any problem.

访问令牌应该是短暂的，它通常会在几分钟内过期.除非客户端立即获取数据，否则没有用.刷新令牌用作永久授权，但除非您有意破坏服务器安全性，否则永远不应共享它们.

An access token is supposed to be short living, it usually expires in a few minutes. Unless the client fetches the data immediately, it's no use. Refresh tokens are used as permanent grants, but you should never ever share them unless you intentionally want to screw up your server security.

这篇关于OAuth2 - 将访问令牌返回给用户是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！