OAuth - 开源应用程序中的消费者秘密 [英] OAuth - Consumer secret in open-source applications
问题描述
我正在创建一个用于共同管理 Twitter 的 Wordpress 插件帐户.我想允许用户通过管理面板添加帐户类似于 twitterfeed.com 的方式.
I'm creating a Wordpress plugin for collectively managing a Twitter account. I want to allow the user to add accounts via the Admin panel similar to the way twitterfeed.com does.
然而,我能看到的唯一方法是让用户签名在他们的帐户中,以唯一的名称注册应用程序,然后将 Consumer Key 和 Consumer Secret 粘贴到我的应用程序中.
However, the only way I can see of doing it is to get the user to sign in to their account, register the application under a unique name and paste in the Consumer Key and Consumer Secret to my application.
简单的安全影响是什么使用我的插件分发单个消费者密钥和消费者秘密,这样我就可以获得请求令牌和访问令牌并最小化用户所需的努力?
What are the security repercussions of simply distributing a single Consumer Key and Consumer Secret with my plugin, so that I can get the Request Token and Access Token and minimise the effort required by the user?
推荐答案
据我所知,最大的问题(我不确定这是否一定是安全问题)是有人会不恰当地使用您的密钥/秘密(假设垃圾邮件应用程序)导致它被撤销.那时,您插件的每个实例都将无法通过身份验证,您必须生成一个新实例,将其合并到您的插件中并让所有用户进行更新.这可能并不理想...
As I understand it, the biggest issue (I'm not sure it's necessarily a security issue) is that someone will use your Key/Secret inappropriately (let's say a spamming application) causing it to get revoked. At that point, every instance of your plug-in will fail to authenticate and you'll have to generate a new one, incorporate it in your plug-in and get all the users to update. Which is probably not ideal...
Ars Technica 对此有很好的描述 这里
Ars Technica had a pretty good write-up about it here
这篇关于OAuth - 开源应用程序中的消费者秘密的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
