Angular2 with Auth0, do I need to hide my ClientID and domain?


Question


I've been using Auth0 to build the front-end user authentication part of my site, but am unsure if I should be following the documentation exactly.


If I want to build a commercial product, should I be hiding the client ID and domain? Is this something that would lead to a security breach?


Currently anyone can view my Angular2 source code and look at the client ID and domain.

Answer


The client identifier and your domain (which I'm assuming you're referring to the assigned Auth0 domain similar to [account].auth0.com) are both considered information that does not need to be kept secret.


The domain represents the entity handling the authentication; the equivalent of accounts.google.com for your application.


The client identifier is defined within the OAuth 2.0 specification, which clearly indicates that it is not confidential information:


The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication.


In browser-based or other applications where the actual code is located in a client environment, it's unavoidable to have information stored there for authentication purposes. You just need to be sure that the information stored is okay to be disclosed, like it is with the two examples you gave.


On the other hand, these types of applications could not securely use a client secret as it is defined by OAuth 2.0, because, like you said, anyone could see it by inspecting the code.
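To make the answer concrete, here is an added JavaScript example (not from the original post, and not Auth0's own code) showing a front-end configuration that holds only the two public values, builds the standard OAuth 2.0 authorization request from them, and refuses to use a configuration that contains secret-like keys. The domain, client ID and redirect URI are constructed placeholders.

```javascript
// Added example: what a browser app may safely embed (public values only)
// and a guard that rejects secret material before it is used client-side.
// All values below are constructed placeholders, not real credentials.
const PUBLIC_CONFIG = {
  domain: 'example-account.auth0.com',       // placeholder [account].auth0.com
  clientID: 'PLACEHOLDER_CLIENT_ID',         // placeholder; public by design
  redirectUri: 'https://app.example/callback',
};

// Key names that must never appear in code delivered to a browser.
const SECRET_KEY_PATTERN = /secret|private[_-]?key|signing[_-]?key/i;

// Returns the offending keys; an empty array means the config is safe to ship.
function findSecretKeys(config) {
  return Object.keys(config).filter((k) => SECRET_KEY_PATTERN.test(k));
}

// Builds the OAuth 2.0 authorization request URL. Every parameter here is
// visible to the resource owner in the browser's address bar, which is why
// the client_id is, by specification, not a secret.
function buildAuthorizeUrl(config, state) {
  const bad = findSecretKeys(config);
  if (bad.length > 0) {
    throw new Error(`refusing to use config with secret keys: ${bad.join(', ')}`);
  }
  const params = new URLSearchParams({
    client_id: config.clientID,
    redirect_uri: config.redirectUri,
    response_type: 'code',   // the flow the app uses; none of these values is secret
    scope: 'openid profile',
    state,                   // per-request anti-CSRF value, checked on return
  });
  return `https://${config.domain}/authorize?${params.toString()}`;
}
```

Run `findSecretKeys` on the object you are about to bundle; anything it reports belongs on a server, not in the Angular2 source.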

