我们需要隐藏谷歌oauth客户端ID吗？ [英] Do we need to hide the google oauth client id?

问题描述

大家。我最近正在学习OAuth身份验证。我正在玩谷歌的oauth api。在用于服务器端应用程序的Google Sign-In的教程中< a>，在第三步中 - 初始化GoogleAuth对象，您需要提供客户端ID来初始化GoogleAuth对象。我只是想知道我们是否需要保持客户端的密码，因为现在任何人都可以通过查看JavaScript来找出客户端的ID。

everyone. I'm recently learning OAuth authentication. I'm playing around with google's oauth api. In the tutorial for Google Sign-In for server-side apps, in the third step - Initialize the GoogleAuth object, you need to provide the client id to initialize the GoogleAuth object. I'm just wondering if we need to keep the client id secret because right now anyone can find out what the client id is by looking into the javascript.

推荐答案

您不需要隐藏客户端ID，只要您限制访问特定JavaScript起源并重定向URI服务器端。在这个Quora线程或这个IETF线程。

You don't need to hide the client ID, provided that you restricted access to specific JavaScript origins and redirect URI's on the server side. See more details on this Quora thread or this IETF thread.

这篇关于我们需要隐藏谷歌oauth客户端ID吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！