在Chrome扩展和Gmail小工具中安全处理OAuth使用者密钥和秘密 [英] Secure handling of OAuth Consumer Key and Secret in Chrome Extensions and Gmail Gadgets
问题描述
我希望得到一些想法,以正确处理Chrome扩展和Gmail小工具中的Salesforce OAuth使用者密钥和秘密。 Chrome扩展程序本质上是以zip压缩格式包装的。如果我需要构建一个代表用户调用Salesforce API的扩展,则必须在JavaScript中为扩展嵌入Salesforce生成的App OAuth使用者密钥和秘密。这可能会泄露OAuth使用者密钥和秘密,以及可能的滥用。
我很好奇其他开发人员如何处理这些OAuth使用者密钥和秘密Chrome扩展程序。
Google为需要访问Google API的Chrome扩展程序提供匿名使用者密钥和秘密。但是,Salesforce不提供类似的OAuth设置。这是Salesforce OAuth 2.0实施的路线图吗?
以下是几个选项。
$ b 1)通过您自己的服务器运行代理,保护秘密并通过您自己的API限制允许的方法。这还允许您在瞬间更新API密钥,而不是更新扩展程序的潜在天数。
$ b 2)混淆扩展/小配件代码中的秘密。您可以很难找到,但使用Chrome可以很容易地在开发工具网络选项卡中选择密钥。
3)说一下,拧紧它,让它们进入代码,并确保使用这些秘密不会造成实际损害。
至于Salesforce的路线图,您可能不得不问他们,他们可能不会发表评论。
I would like to get some ideas on to properly handle Salesforce OAuth Consumer Key and Secret in Chrome Extensions and Gmail Gadgets. Chrome extensions are essentially Javascript wrapped up in a zip compatible format. If I need to build an extension that calls Salesforce APIs on behalf of the user, I have to embed the Salesforce generated App OAuth Consumer Key and Secret in Javascript for the extension. This creates the possibility of disclosure of the OAuth Consumer Key and Secret, and possible misuse.
I am curious as to how other developers are handling these OAuth Consumer Key and Secrets in Chrome Extensions.
Google provides anonymous Consumer Keys and Secrets for Chrome Extensions that need to access Google APIs. However Salesforce doesn't provide similar OAuth setup. Is this on the roadmap for the Salesforce OAuth 2.0 implementation?
Here are a couple of options.
1) Run a proxy through your own server that protects the secrets and limits the allowed methods through your own API. This will also allow you to update the API keys in moments instead of the potential days to update an extension.
2) Obfuscate the secrets in the extension/gadget code. You can make it difficult to find but with Chrome it will be easy to pick out the keys in the dev tools network tab.
3) Say screw it, leave them in the code, and make sure no actual damage can be done using the secrets.
As for Salesforce's roadmap you will likely have to ask them and they probably won't comment.
这篇关于在Chrome扩展和Gmail小工具中安全处理OAuth使用者密钥和秘密的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
