Google's OAuth 2.0 for installed apps and Client Secret not being a secret


Question

It appears that Google has been modernizing OAuth interactions for native apps as announced initially here https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html

and as evidenced by their current documentation pages https://developers.google.com/identity/protocols/OAuth2InstalledApp

I have been able to run the sample console app in the referenced github repo successfully.

This flow exchanges the authorization code for an access token using the client secret, among other parameters. However, it is well known (and stated in the referenced article) that client secrets cannot be securely stored in installed apps. The same article states this fact in the following way:

The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)

So if this flow is the recommended flow for installed apps, should we just not worry about protecting the client_secret and embed it right in the app? If so, what about this flow makes it so?

Also, as the sample shows, a random http redirect URL is generated locally, which is not registered anywhere in the Google Developer Console's Credentials page. This is unlike Azure AD, where you have to be specific about the redirect URI when registering a native app.

Answer

The behavior of Google's authorization server is gated on the type of client you register.

It's an oddity that the "client secret" is required for Desktop and TV clients but not for iOS and Android; however, for all 4 native app types, the server treats the clients as non-confidential, and the "client secret" value is effectively an extension of the client ID. This is in contrast to web clients, where it is assumed that the client secret's confidentiality is maintained, and thus they can be treated differently for actions like incremental auth.

Regarding the registration of redirect URIs, this is also gated on client types. For some types like Web, manual registration is required. For other types like Desktop, the redirect URI is pre-registered (in the case of desktop, http://127.0.0.1:*/*).
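The following is an added example, not code from this thread, from Google's sample repository, or from any Google client library. It shows what the answer describes for a Desktop client: a loopback listener on a random `http://127.0.0.1:<port>/` redirect (matching the pre-registered `http://127.0.0.1:*/*` pattern, so nothing is registered in the console), an embedded client ID and "client secret" that Google treats as public, and the code-for-token exchange. Because the client is non-confidential, the example binds the authorization code to this process with a `state` check and with PKCE (`code_challenge`/`code_verifier`), which the thread itself does not discuss; the endpoint URLs are Google's public OAuth 2.0 endpoints, and `CLIENT_ID`/`CLIENT_SECRET` are constructed placeholders.

```python
"""Loopback-redirect authorization code flow for a Google "Desktop" client.

Added example; not the thread's, Google's sample, or a Google library.
CLIENT_ID and CLIENT_SECRET are placeholders. PKCE is an addition.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Shipped inside the binary. For a Desktop client Google treats the client as
# public, so the "secret" only extends the client ID and must not be relied on
# for confidentiality. Both values are placeholders, not real credentials.
CLIENT_ID = "000000000000-placeholder.apps.googleusercontent.com"
CLIENT_SECRET = "PLACEHOLDER-not-actually-secret"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_verifier() -> str:
    """43-character high-entropy verifier, held in memory for one run only."""
    return secrets.token_urlsafe(32)


def is_loopback_redirect(uri: str) -> bool:
    """True if uri fits the pre-registered Desktop pattern http://127.0.0.1:*/*."""
    p = urllib.parse.urlsplit(uri)
    return p.scheme == "http" and p.hostname == "127.0.0.1" and p.port is not None


def build_auth_url(redirect_uri: str, state: str, challenge: str,
                   scope: str = "openid email") -> str:
    if not is_loopback_redirect(redirect_uri):
        raise ValueError("redirect_uri is not a 127.0.0.1 loopback URI")
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(path: str, expected_state: str) -> str:
    """Pull the authorization code out of the loopback GET; reject bad state."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
    # state ties the callback to the request this process started; anything
    # else is a CSRF attempt or a stray request to the open loopback port.
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in qs:
        raise ValueError("authorization server returned: " + qs["error"][0])
    return qs["code"][0]


def token_request_body(code: str, redirect_uri: str, verifier: str) -> bytes:
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,  # required by Google, but not a credential
        "code_verifier": verifier,       # this is what binds the code to us
    }).encode("ascii")


def exchange_code(code: str, redirect_uri: str, verifier: str) -> dict:
    req = urllib.request.Request(
        TOKEN_ENDPOINT, data=token_request_body(code, redirect_uri, verifier),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_flow() -> dict:
    """Interactive: prints the auth URL, then waits for the loopback redirect."""
    captured = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            captured["path"] = self.path
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"You may close this window.")

        def log_message(self, *args):  # keep the console quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0 = random free port
    redirect_uri = "http://127.0.0.1:%d/" % server.server_port
    state, verifier = secrets.token_urlsafe(16), new_pkce_verifier()
    print("Open in a browser:\n" + build_auth_url(redirect_uri, state, pkce_challenge(verifier)))
    server.handle_request()  # blocks until the browser is redirected to us
    server.server_close()
    code = parse_redirect(captured["path"], state)
    return exchange_code(code, redirect_uri, verifier)


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

Running the module starts the flow end to end; the pure helpers (`pkce_challenge`, `is_loopback_redirect`, `build_auth_url`, `parse_redirect`, `token_request_body`) can be exercised offline. The point to take from the answer is visible in `token_request_body`: the embedded `client_secret` is sent because the Desktop client type requires it, but since anyone with the binary has the same value, the code is protected by the loopback-only redirect, the per-run `state`, and the per-run `code_verifier`, not by that "secret".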
