Can I really not ship open source with Client ID?


Problem description




Developer credentials (such as passwords, keys, and client IDs) are intended to be used by you and identify your API Client. You will keep your credentials confidential and make reasonable efforts to prevent and discourage other API Clients from using your credentials. Developer credentials may not be embedded in open source projects.

(https://developers.google.com/terms/, my emphasis)

Does this mean that my Open Source Drive command line client needs to force every user of my software to set up a new project in the Google Cloud console? Is there a better option?

It's not like it's hard to extract client ID and client "secret" from non-opensource, so why the distinction?

"Install applications" client IDs and secrets aren't really secrets, and Google documentation seems to agree:

The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)

(https://developers.google.com/accounts/docs/OAuth2, again my emphasis)

Solution

On November 5th 2014 Google made some changes to the APIs terms of Service.

Like you I had an issue with the following line.

Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.

I have several open source projects on GitHub; they are basically tutorials for using the Google APIs. Some of the APIs are still in beta and it takes time to get beta access. I had my client id embedded in my projects so that my users would be able to test the applications out.

Now I have some contacts at Google, so I was hoping I could get some kind of dispensation here. I managed to track down the author of the above offending change of service, Dan Ciruli, and sent him an email.

My email was quite long; you can read it here: Changes of service

To make a long story short: no, you can't release your client id with your open source project. Here is Dan's email back to me explaining why.

You are, however, allowing them to "impersonate" you in Google’s eyes. If our abuse systems detect abuse (say, should someone try to DoS one of our services using your key), you run the risk that they would terminate your account because of it (and please note — they wouldn’t just cut access to the key, they would shut down your console account). Moreover, you’ve been granted whitelisted access to APIs that are not available to the general public (and, in all likelihood required agreeing to a separate Terms of Service) and are sharing access to anyone who wants it. There is no doubt that is a violation of those terms. Sorry to not have the answer you are looking for, but keys are the one way we have to tell who is calling our services.

That is just part of his email back to me. You can read the full post in the link above. So if you are giving them the source code, they can see the client id. Your users are going to have to create their own project on the Google Cloud console. There is no way around this.

I hope this helped.
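One way an open source CLI can follow the answer's conclusion, with every user supplying the client file from their own Google Cloud console project while the repository carries no credentials. This is an added example, not code from the original post; the environment variable, default path and function names are hypothetical, and the JSON layout is assumed to be the "installed" application client file downloaded from the console.

```python
import json
import os
import stat
from pathlib import Path

# Hypothetical names for this example; the repository itself ships no client ID.
ENV_VAR = "DRIVECLI_CLIENT_FILE"
DEFAULT_PATH = Path.home() / ".config" / "drivecli" / "client_secret.json"

class ClientConfigError(Exception):
    """The user's own OAuth client file is missing or unusable."""

def load_user_client(path=None):
    """Return (client_id, client_secret) from the user's own console project."""
    path = Path(path or os.environ.get(ENV_VAR) or DEFAULT_PATH)
    if not path.is_file():
        raise ClientConfigError(
            f"No OAuth client file at {path}. Create your own project in the "
            f"Google Cloud console, download its client file, set {ENV_VAR}."
        )
    # Refuse files that other local accounts can read or change (POSIX only).
    if os.name == "posix" and path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ClientConfigError(f"{path} is accessible to other users; chmod 600 it")
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        raise ClientConfigError(f"Cannot read {path}: {exc}") from exc
    # Assumed layout: {"installed": {"client_id": "...", "client_secret": "..."}}
    section = data.get("installed") if isinstance(data, dict) else None
    if not isinstance(section, dict):
        raise ClientConfigError(f"{path} is not an installed-application client file")
    values = [section.get(key) for key in ("client_id", "client_secret")]
    if not all(isinstance(v, str) and v for v in values):
        raise ClientConfigError(f"{path} lacks client_id or client_secret")
    return values[0], values[1]

if __name__ == "__main__":
    import tempfile
    # Constructed sample standing in for a file downloaded from the console.
    sample = {"installed": {"client_id": "EXAMPLE-ID", "client_secret": "EXAMPLE-SECRET"}}
    with tempfile.TemporaryDirectory() as tmp:
        f = Path(tmp) / "client_secret.json"
        f.write_text(json.dumps(sample), encoding="utf-8")
        f.chmod(0o600)
        print(load_user_client(f))
```

Keeping the default path outside the working tree and adding the file name to `.gitignore` prevents a contributor's own client file from being committed by accident.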
