Chrome extension using client_secret in code


Problem description

I've been developing a Google Chrome extension with my own OAuth authorization. Of course I have to use client_id and client_secret to request a token. Is there any way to hide this data from the user? As this request is only part of the source code in JavaScript, I have no idea how to prevent this data from being read. Thanks for your answers.

Recommended answer

Well, using OAuth 2.0 for Installed Applications it is described as:

The Google OAuth 2.0 endpoint supports applications that are installed on a device such as a computer, a cell phone, or a tablet. Installed apps are distributed to individual machines, and it is assumed that these apps cannot keep secrets. These apps might access a Google API while the user is present at the app, or when the app is running in the background.

Note: The client ID and client secret obtained from the Developers Console are embedded in the source code of your application. In this context, the client secret is obviously not treated as a secret.

Based on these descriptions, "there is no established consumer key/secret between the service provider and the application. That is, there is no web application URL for the user to be redirected to after the approval process. In the installed applications OAuth dance, the consumer key/secret are 'anonymous'/'anonymous' and you provide an application name for the user to grant access to (instead of an application URL)".

Tutorial link for proper implementation of OAuth.

Hope this helps.
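
The note quoted above, that a client secret embedded in an extension's source is not treated as a secret, can be turned into a pre-release check on your own extension. The following is an added example, not part of the original answer; the file names, file contents and match patterns are constructed for illustration.

```javascript
// Added example: audit an extension's source files for embedded OAuth
// client secrets. File names and contents below are constructed sample input.
const SAMPLE_FILES = {
  "background.js": [
    "const CLIENT_ID = '1234-example.apps.googleusercontent.com';",
    "const params = {",
    "  client_secret: 'EXAMPLE-not-a-real-secret',",
    "  grant_type: 'authorization_code'",
    "};",
  ].join("\n"),
  "popup.js": [
    "// token exchange built as a form body",
    "const body = 'code=' + code + '&client_secret=EXAMPLE-second-value&redirect_uri=' + uri;",
  ].join("\n"),
  "options.js": "document.title = 'Options';",
};

// Two common ways a secret ends up in shipped JavaScript: a key/value pair
// in an object or assignment, and a field inside a URL-encoded form body.
const PATTERNS = [
  { kind: "literal", re: /client_?secret["']?\s*[:=]\s*["'`]([^"'`]+)["'`]/i },
  { kind: "form-field", re: /client_secret=([^&"'`\s]+)/i },
];

// Keep only enough of the value to locate it, never the whole secret.
function redact(value) {
  return value.length <= 4 ? "****" : value.slice(0, 4) + "*".repeat(value.length - 4);
}

// Return one finding per matching line: { file, line, kind, value }.
function findEmbeddedSecrets(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((src, i) => {
      for (const { kind, re } of PATTERNS) {
        const m = re.exec(src);
        if (m) {
          findings.push({ file, line: i + 1, kind, value: redact(m[1]) });
          break; // one finding per line is enough to flag it
        }
      }
    });
  }
  return findings;
}

for (const f of findEmbeddedSecrets(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line} [${f.kind}] client_secret = ${f.value}`);
}
```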
