Options to securely authenticate mobile access using OAuth2


Question

We're currently in the process of implementing OAuth2 to secure our new API and not sure how to securely provide required functionality. We need to allow the following from a mobile device:

Immediately after downloading the app the user is able to take a picture and submit it without having to first log in.

While we want to allow anonymous user access, where a user does not need to log in or register to use certain functionality, we do not want to allow unauthenticated access to the API. This would normally be accomplished using the client credentials authorization flow to obtain an app access token, however this requires knowing the client secret. From what I've read, a mobile device is not considered a trusted client and should not contain the client secret, and hence should not be able to generate an app access token on its own.

We've come up with a few options to accomplish this requirement, but would like some input on them:

  1. Embed the client secret in the app. Doesn't seem ideal from a security standpoint, but maybe we're missing an obvious way to protect it? We're targeting at least iOS and Android.
  2. Generate the app access token offline and embed it in the app. Still not very secure, but at least the secret isn't exposed.
  3. Allow access to certain functionality using only the client ID instead of an access token. Probably the simplest, but it introduces inconsistency and requires multiple ways of authenticating the client.
  4. Build and use a companion web app to generate the app access token for the mobile app. Seems like a winner on the surface, but now you have to secure access to the companion app!

How would you securely authenticate access to an API using OAuth2 from a mobile device without requiring the user to first log in?

Answer

Agree with the comments on the Q. Either:

1.) Use Client Credentials grant type in OAuth 2 - with an embedded secret in your App. Understand that this isn't super secure and someone will reverse engineer it eventually. Ideally each client would get a unique secret - so you could revoke a client if they're abusing its use.

2.) Live with that API being open - thereby not requiring an OAuth 2 access token at all. Maybe that API would be known only to your app - but again, it would only be a matter of time before someone reverse engineers it.
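As an added illustration of the answer's first option (a unique, revocable secret per client rather than one secret baked into every copy of the app), here is a minimal in-memory authorization server implementing the client_credentials grant. This is example code, not code from the question or answer; the stores, the token TTL and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores (assumption: a real server would persist these in a database).
CLIENTS = {}   # client_id -> {"secret_hash": bytes, "revoked": bool}
TOKENS = {}    # access_token -> {"client_id": str, "expires_at": float}
TOKEN_TTL = 3600  # seconds an issued access token stays valid

def _hash_secret(secret):
    # Secrets are high-entropy random strings, so a plain SHA-256 is enough;
    # a slow KDF is only needed for human-chosen passwords.
    return hashlib.sha256(secret.encode()).digest()

def register_install():
    """Issue a unique client_id/client_secret pair for one app install.
    The secret is returned exactly once; only its hash is stored server-side."""
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    CLIENTS[client_id] = {"secret_hash": _hash_secret(client_secret), "revoked": False}
    return client_id, client_secret

def revoke_client(client_id):
    """Revoke one abusive install without affecting any other install."""
    CLIENTS[client_id]["revoked"] = True
    for tok in [t for t, m in TOKENS.items() if m["client_id"] == client_id]:
        del TOKENS[tok]

def token_endpoint(grant_type, client_id, client_secret, now=None):
    """RFC 6749 section 4.4 client_credentials grant; returns (http_status, body)."""
    now = time.time() if now is None else now
    if grant_type != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    client = CLIENTS.get(client_id)
    if client is None or client["revoked"] or not hmac.compare_digest(
            client["secret_hash"], _hash_secret(client_secret)):
        return 401, {"error": "invalid_client"}  # same error for unknown, revoked and wrong secret
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client_id": client_id, "expires_at": now + TOKEN_TTL}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

def authorize_request(bearer_token, now=None):
    """Resource-server check for the anonymous photo-upload API: client_id or None."""
    now = time.time() if now is None else now
    meta = TOKENS.get(bearer_token)
    if meta is None or meta["expires_at"] <= now or CLIENTS[meta["client_id"]]["revoked"]:
        return None
    return meta["client_id"]
```

The server still knows nothing about the user, so uploads are attributable only to an install; the gain over one shared secret is that a leaked or abused credential can be revoked individually.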
