Why does Google's native OAuth2 flow require a client secret?


Question

According to facebook oauth2 docs, client side flow doesn't require client secret param. Client side flow can be used on both native and mobile web apps.

However, Google's native OAuth2 flow requires a client secret: http://code.google.com/apis/accounts/docs/OAuth2.html#IA

In this case the client secret can be stolen by a hacker using reverse engineering tools.

Can somebody clarify why it was done this way?

Recommended answer

According to a post from a Googler, the main reason is that they use the same libraries for server-side apps and native apps. It sounds like they don't consider client_secret to be sensitive in the context of a native app, but they plan to phase it out for the installed app flow eventually.

From https://groups.google.com/group/oauth2-dev/browse_thread/thread/1e714924ebcc7e60/edfaaad5830ff2e8:

We don't expect those secrets to stay secret—so far we're including them mostly so it's convenient to use with libraries today, and expect to stop requiring them at some point in the future.

While that might sound bad, keep in mind that OAuth was never intended to prevent malicious users from forging requests in the context of your mobile/desktop app.

If you're concerned about exposing client_secret, there is also the client-side flow described here (http://code.google.com/apis/accounts/docs/OAuth2.html#CS). As far as I can tell, the client-side flow doesn't require client_secret and would work fine from a desktop or mobile app.

-Chris
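As an added illustration (not part of the question or answer, and not Google's own library code), the following Python contrasts the two request shapes the thread discusses: the installed-app flow, whose token exchange carries client_secret in the POST body, and the client-side flow, which returns the access token in the redirect URL fragment and needs no secret at all. The endpoint URLs are those from the linked docs of that era; the redirect URL used in the test is constructed.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoints from the OAuth2 docs linked in the thread (assumption: as documented then).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"


def installed_app_token_request(code, client_id, client_secret, redirect_uri):
    """Installed-app flow, step 2: the authorization code is exchanged at the token
    endpoint, and client_secret travels in the POST body. Anything shipped inside a
    native binary can be recovered, which is the concern raised in the question."""
    body = {
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # the value that cannot stay secret in a native app
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    return TOKEN_ENDPOINT, urlencode(body)


def client_side_auth_url(client_id, redirect_uri, scope, state=None):
    """Client-side flow: response_type=token, no client_secret anywhere in the exchange.
    `state` binds the response to this request so a forged redirect is rejected."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), state


def parse_client_side_redirect(redirect_url, expected_state):
    """The token arrives in the URL fragment (after '#'), not the query string, so a
    browser never sends it to the redirect_uri host. Reject mismatched state or errors."""
    fields = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).fragment).items()}
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in fields:
        raise ValueError("authorization failed: " + fields["error"])
    return {
        "access_token": fields["access_token"],
        "token_type": fields.get("token_type", "Bearer"),
        "expires_in": int(fields["expires_in"]),
    }
```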
