将 OAuth 的访问令牌保密有多重要? [英] How important is it to keep OAuth's access token secret?

问题描述

一旦我使用 OAuth 收到我的网站(比如 facebook)的访问令牌，保守这个秘密有多重要?如果有人抓住了，会发生什么恶意的事情吗?

Once I receive my access token for a site (say facebook) using OAuth, how important is it to keep this secret? Could anything malicious happen if someone got a hold of one?

我想知道将令牌保存在 cookie 或会话中是否是一个坏主意.

I was wondering if it would be a bad idea to save the token in a cookie or session.

推荐答案

更新:如果您让用户连接到 javascript sdk，则用户 ID 和访问令牌已经存储在您站点的 cookie 中.检查正在发送的 http cookie.如果不是，请检查 FB.Init 文档，作为 FB.Init 有一个 cookie 布尔参数，您可以设置它，以便它为您创建一个名为 fbs_{APPID} 的 cookie.这篇帖子讨论了那个 cookie.

Update: if you are having the user connect with the javascript sdk, the user id and access tokens are already be stored in cookies for your site. Check the http cookies being sent. If they are not, check the FB.Init documentation, as FB.Init has a cookies boolean parameter you can set so that it will create a cookie for you named fbs_{APPID}. This post talks about that cookie.

这篇关于将 OAuth 的访问令牌保密有多重要?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！