个人访问令牌,用户令牌
[英]Personal Access Tokens, User Tokens
问题描述
I am writing a basic python script and I am trying to use the Github API. 
我正在编写一个基本的python脚本,并且试图使用Github API。 Because I am new to the development scene, I am unsure of what I can share with other developers. 因为我是开发人员的新手,所以我不确定我可以与其他开发人员分享什么。 Do I generate a new personal access token (that I assume can be revoked) or do I give them Client ID and Client Secret? 我是否生成一个新的个人访问令牌(假定可以撤销),或者给他们提供客户端ID和客户端密钥?
Can someone explain how OAuth (Client ID and Client Secret) is different from a personal access keys? 有人可以解释OAuth(客户端ID和客户端密钥)与个人访问密钥有何不同吗?
Does this logic work across all APIs (not just on Github's)? 这种逻辑是否适用于所有API(不仅适用于Github)?
1 个解决方案
解决方案1
0 2016-09-14 16:47:58
The Short, Simple Answer 简短的答案
You should probably give them none of those things. 您可能不应该给他们任何东西。 They are equivalent to handing over your username and password to someone. 它们等效于将您的用户名和密码移交给某人。
The Longer Answer 更长的答案
It depends... 这取决于...
Personal Access Tokens 个人访问令牌
Your personal access token is a unique token that authorises and represents you during API calls, the same way that logging via the web interface authorises you to perform actions there. 您的个人访问令牌是在API调用期间授权并代表您的唯一令牌,与通过Web界面进行记录授权您在其中执行操作的方式相同。 So when you call an API function with a personal access token, you are performing that API action as if you yourself had logged in and performed the same action. 因此,当您使用个人访问令牌调用API函数时,您将执行该API操作,就像您自己已经登录并执行相同的操作一样。 Therefore, if you were to give someone else your token, they would have the same access to the site as they would have if you gave them you username and password combination. 因此,如果您将其他人的令牌授予他人,则他们将拥有与用户名和密码组合相同的访问权限。
Personal access tokens have attached scopes . 个人访问令牌具有附加范围 。 Scopes control exactly how much access to GitHub a particular token has. 范围可精确控制特定令牌对GitHub的访问量。 For example, one token my have access to all private repositories, but another token only to public ones. 例如,一个令牌可以访问所有私有存储库,而另一个令牌只能访问公共存储库。
Client IDs 客户编号
A client ID represents your application, rather than you. 客户ID代表您的应用程序,而不是您。 So when you create an application, GitHub gives you an ID that you use to identify your application to GitHub. 因此,当您创建应用程序时,GitHub会为您提供一个ID,您可以使用该ID将应用程序标识到GitHub。
Chiefly this allows someone logging into your application using OAuth to see on the GitHub web interface that it's your particular application requesting access to their account. 首先,这允许某人使用OAuth登录到您的应用程序,从而在GitHub Web界面上看到是您的特定应用程序请求访问其帐户。
Client Secrets 客户机密
A client secret is a random, unguessable string that is used to provide an extra layer of authentication between your application and GitHub. 客户机密是一个随机的,不可猜测的字符串,用于在您的应用程序和GitHub之间提供额外的身份验证层。 If you think of the client ID as the username of your application, you can think of the client secret as the password. 如果您将客户端ID视为应用程序的用户名,则可以将客户端密钥视为密码。
Should I Share Them? 我应该分享他们吗?
Whether you wish to share any of these things depends largely on how much you trust the other developers. 您是否愿意共享这些东西中的任何一个,在很大程度上取决于您对其他开发人员的信任程度。 If you are all working on the same application, it's likely that you will all know the client ID and client secret. 如果您都在同一个应用程序上工作,那么很可能您都会知道客户端ID和客户端密码。 But if you want to develop an open-source application that people will install on their own machines, they should generate their own client ID and secrets for their own instances of the app. 但是,如果您要开发一个人们可以在自己的计算机上安装的开源应用程序,则他们应该为自己的应用程序实例生成自己的客户端ID和密码。
It's unlikely that you should ever share a personal access token, but if you have a bot account used by the whole team, then sharing the tokens could also be okay. 您不太可能共享个人访问令牌,但是如果您有整个团队都使用的机器人帐户,则共享令牌也可以。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.