OAuth2 中客户端密钥的目的是什么? [英] What's the purpose of the client secret in OAuth2?

问题描述

我有一个提供 API 的应用.此应用是 OAuth2 提供程序.

I have an app that offers an API. This app is an OAuth2 provider.

我想使用仅限客户端的应用程序访问此 API(读取和写入).我正在使用 JSO 来简化此操作.

I want to access this API (read & write) with a client-side only app. I'm using JSO to make this easier.

效果很好.

问题是，我不必在任何地方输入我的客户端机密(我在我的应用程序中注册的应用程序的).我明白为什么，然后任何人都可以使用它.

The thing is, I don't have to enter my client secret (of the application I registered in my app) anywhere. And I understand why, it would then be available to anyone.

那么，如果我可以在没有客户端密钥的情况下访问我的 api，你能向我解释一下它的目的是什么吗?

So, if I can access my api without the client secret, could you explain to me what is its purpose?

推荐答案

Client Secret 在 OAuth 1.0 中用于对请求进行签名，因此它是必需的.某些 OAuth2 服务器(例如 Google Web Server API)需要发送客户端密钥以接收访问令牌(来自请求令牌或刷新令牌).

Client Secret was used in OAuth 1.0 to sign the request, so it was required. Some OAuth2 servers (such as Google Web Server API) required the client secret to be sent to receive the access token (either from request token or refresh token).

OAuth 2.0 显着降低了客户端机密的作用，但它仍会传递给使用它的服务器.

OAuth 2.0 has reduced the role of the client secret significantly, but it is still passed along for the servers that use it.

这篇关于OAuth2 中客户端密钥的目的是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！