OAuth token security


Question

As far as I know, the OAuth standard is very lax on how OAuth really should behave, but...

I store OAuth access tokens for various OAuth services in a database. If these tokens were compromised, could they be used by a third party? I.e., are the given tokens bound to only my API and secret keys?

Answer

The tokens are tied to a given service and user. With those, one can pretend to be that user. They are not tied to any IP address or device UUID, for example (although one could do that as an additional precaution, it is not part of OAuth).

If they were compromised, you'd deauthorize them, thus making them worthless.

could they be used with different API and secret keys?

No. The access tokens are also tied to the application they were issued for.

This way the user can de-authorize on a per-application basis, and every app can have a different set of permissions (e.g. read-only access).
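The binding the answer describes, as an added example that is not part of the original post: a toy authorization-server model (names such as AuthorizationServer, issue, revoke_client and check are assumptions, not any real library's API) in which every access token is tied to a user, an application and a scope set, a token presented by a different application identifier is rejected, and revoking one app for one user leaves that user's tokens for other apps valid. The server stores only a hash of each token, so a leak of its own database does not hand out usable tokens.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    user: str            # resource owner the token acts for
    client_id: str       # application the token was issued to
    scopes: frozenset    # permissions granted to that application
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    """Toy model: tokens bound to (user, application, scopes); per-app revocation."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> TokenRecord; only hashes at rest

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, client_id, scopes, ttl=3600):
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = TokenRecord(
            user, client_id, frozenset(scopes), time.time() + ttl)
        return token  # returned once; the server keeps only its hash

    def revoke_client(self, user, client_id):
        """De-authorize one application for one user; other apps are untouched."""
        count = 0
        for rec in self._tokens.values():
            if rec.user == user and rec.client_id == client_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def check(self, token, client_id, required_scope):
        """Validate a token presented together with an application identifier."""
        rec = self._tokens.get(self._key(token))
        if rec is None:
            return "unknown_token"
        if rec.revoked:
            return "revoked"
        if time.time() >= rec.expires_at:
            return "expired"
        if rec.client_id != client_id:
            return "wrong_client"       # token is not usable under another app's key
        if required_scope not in rec.scopes:
            return "insufficient_scope"  # e.g. a read-only app attempting a write
        return "ok"
```

Note that the client-identifier check only helps where the request carries the application's key alongside the token; a bare bearer token grants whoever holds it the user's access, exactly as the answer states, which is why revocation is the remedy after a compromise.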

