How secure is Oauth 2.0 Implicit Grant?


Question


In Implicit Grant, the access token is sent back in the callback URL. Is this not a security risk, because this callback URL could be cached at a hop? In general it is advised not to send sensitive data in URL params, and this access token will be a token to access all secured user resources. So why is it getting passed as a fragment in the URL?

Answer


Elaborating on @vlatko's response...


To mitigate the risk of sending the token in the fragment (or via any other OAuth2 grant):

  • ensure that the OAuth endpoint and the callback endpoint are TLS (https) (See countermeasures)
  • send a state parameter to prevent cross-site forgery (Also see: https://www.rfc-editor.org/rfc/rfc6749#section-4.2.1)


Issuing a short-lived access token (as @vlatko said) will reduce the impact of a leaked token, but it is not a preventative measure.
