如何在Safari扩展中使用Github的OAuth [英] How to use OAuth with Github in a Safari extension
问题描述
我是浏览器扩展的新手。我正在尝试创建一个Safari扩展程序,允许我在我的Github帐户中执行基本任务(例如,创建一个回购站)。我主要是为了学习如何在练习我的JS时开发扩展。
问题是,为了连接到Github,我想使用OAuth,但是我不知道如何做到这一点。我搜索了一下,看看我是否可以找到一个我可以使用但没有任何结果的库。主要的问题是,当试图用Github注册我的应用程序时,我不知道为主应用程序和回调提供了什么URL,因为它不是我正在开发的Web应用程序;这是一个扩展。
有没有人有这方面的经验,并可以告诉我如何进行?我应该使用什么URL来注册Github?完全可以使用扩展来使用OAuth吗?有没有图书馆,软件开发工具包,有什么可以帮助完成这项工作?
如果这个问题可以扩大到任何浏览器,只需告诉我,我将改变标题以帮助其他人在相同的情况。
感谢所有帮助。
我在Safari扩展中使用了OAuth,欢迎您查看我的代码以获取示例下面的链接),但是这个 Github的JS库可能只是你所需要的。我没有使用它,但它看起来很不错,它支持个人访问令牌,我认为它是Github的一种OAuth令牌,不需要指定重定向URI。
我的Safari扩展程序(Github链接)使用OAuth 2.0与< a href =https://getpocket.com/ =nofollow> Pocket API。它不使用库。对于重定向URI,我使用与启动整个授权过程的页面相同的URL,但在其后附加了?status = done。该页面的脚本检查其URL,如果URL以该字符串结尾,那么它知道该页面是由授权窗口加载的,因此它可以继续获取访问令牌。
在任何类型的客户端应用程序(如浏览器扩展)中使用OAuth时,应注意的一件事是您的OAuth应用程序令牌将暴露给您的应用程序的用户。即使您在应用程序中对其进行加密或通过https从服务器检索它,用户也可以使用浏览器的内置JS调试器来获取令牌,因为您必须在某个时刻解密它才能使用它。如果有人窃取了您的令牌,他们可以用来欺骗人们授权他们伪装成您的恶意应用程序。您需要决定这种风险是否可以承受。避免这种风险的唯一方法是让您自己的服务器端应用程序与第三方API进行通信,并且您的扩展与之通信。但是,有人可以从你的扩展的代码中学习如何与你的服务器端应用进行交流,所以我不确定这是否真的会给你带来什么。
I'm new to browser extensions. i'm trying to create a Safari extension that allows me to perform basic tasks in my Github account (Create a repo, for example). I'm doing it mostly to learn how to develop extensions while practicing my JS.
The issue is that in order to connect to Github I want to use OAuth, but I have no clue of how to do that. I have googled to see if I can find a library that I can use without any results. The main problem is that when trying to register my "application" with Github, I have no idea of what URL to provide for the main application and the callback, since it is not a web application what I'm developing; it's an extension.
Does anyone have any experience with this and can give me a tip on how to proceed? What URL should I use to register with Github? Is it possible to use OAuth from an extension at all? Is there a library, SDK, anything that can help do this job? If this question can be broaden to any browser, just tell me and I will change the title to help others in the same situation.
Thanks to all for helping.
I have used OAuth in a Safari extension and you're welcome to look at my code for an example (see link below), but this JS library for Github might have all you need. I haven't used it, but it looks nice, and it supports "personal access tokens", which I take to be a kind of OAuth token for Github that doesn't require specifying a redirect URI.
My Safari extension (Github link) uses OAuth 2.0 to talk to the Pocket API. It doesn't use a library. For the redirect URI, I use the same URL as that of the page that initiates the whole authorization process, but with "?status=done" appended to it. The page's script checks its URL, and if the URL ends in that string, then it knows that the page was loaded by the authorization window and so it can proceed with getting the access token.
One thing you should be mindful of when using OAuth in any kind of client-side application, such as a browser extension, is that your OAuth app token will be exposed to the users of your app. Even if you encrypt it in the app or retrieve it from a server over https, a user can use the browser's built-in JS debugger to get the token, because you have to decrypt it at some point in order to use it. If someone steals your token, they can use to trick people into authorizing their nefarious app that pretends to be yours. It's up to you to decide whether this risk is tolerable. The only way to avoid this risk is to have your own server-side app that communicates with the third-party API, and your extension communicates with that. But then someone could learn from your extension's code how to talk to your server-side app, so I'm not sure whether that really buys you anything.
这篇关于如何在Safari扩展中使用Github的OAuth的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
