移动iOS / Android上的Facebook / Twitter oauth,如何在应用程序端保护我的App_id和机密?
[英]Facebook/Twitter oauth on mobile ios / android , How to protect my App_id and secret on the app side?
问题描述
In order to initiate oauth on the mobile, I have to provide the application keys, which are very sensitive and must not be revealed, How do I protect them? 
为了在移动设备上启动oauth,我必须提供非常敏感的应用程序密钥,并且不得透露这些密钥,如何保护它们? It's possible to hardcode it in the app, or to acquire it every time they are needed using a web service call, in any case, it looks like it is not well protected. 可以在应用程序中对其进行硬编码,也可以在每次需要使用Web服务调用时将其获取,无论如何,它似乎都没有得到很好的保护。 Any suggestions? 有什么建议么?
1 个解决方案
解决方案1
1 2013-10-19 17:16:07
In order to initiate oauth on the mobile, I have to provide the application keys.
You don't, you can use TWRequest (iOS 5) or SLRequest (iOS 6+) to perform OAuth requests. 否,您可以使用TWRequest(iOS 5)或SLRequest (iOS 6+)执行OAuth请求。
If, for some reason, you want to use your own consumer keys (in order to access direct messages for instance) then you can implement the reverse auth flow. 如果由于某种原因要使用自己的使用者密钥(例如,访问直接消息),则可以实现反向身份验证流程。
You keep your consumer secret on your own server. 您可以在自己的服务器上为消费者保密。 Your server will request some tokens that will then be retrieved from your app and sent again through TWRequest / SLRequest. 您的服务器将请求一些令牌,然后将这些令牌从您的应用中检索并通过TWRequest / SLRequest重新发送。 The response will be tokens valid for the user and your app , and you will be able to access the user's account from your server. 响应将是对用户和您的应用有效的令牌,您将能够从服务器访问用户的帐户。
You can implement reverse auth by yourself or use the STTwitter library to do so. 您可以自己实现反向身份验证,也可以使用STTwitter库来实现。
I don't know if the following scheme is enlightening or not but it can help. 我不知道以下方案是否具有启发性,但可以提供帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.