Embedding client Id in chrome extension


Problem description


I am building a chrome extension which will interact with salesforce-chatter api. But for a user using OAuth (User agent flow) authentication, I need to embed my client key in my extension.

Will this cause any security problem? Or is there a way to use OAuth without embedding client id in my extension?

Solution

The client id has to be included into a request, so the provider knows that the request came from you, as @Matt Lacey already pointed out. Normally, the provider also issues a confidential client secret that is additionally included into the access token request, so the provider can verify that your app is allowed to use that client id.

Chrome extensions run on an open platform and the platform itself provides no methods for either authenticating the extension against a server (which salesforce would then also have to support) or storing properties securely (would be hard, if not impossible on an open platform), so keeping the client secret confidential is unfortunately not possible.

As this is a common problem, it is already considered in the OAuth specification (see section 10.1 Client Authentication and 10.2 Client Impersonation). The provider is therefore required to do additional checks, but on the client side you can't do anything to effectively improve security.

If you want some more insight into how this will be handled on Android devices in the future, check out my answer here.

