[英]REST API authentication in anonymous JavaScript client
I have a JavaScript client (HTML page) invoking a REST endpoint. 我有一个调用REST端点的JavaScript客户端(HTML页面)。 I want to have some kind of authentication. 我想进行某种身份验证。 My problem is that anyone can view the source of the webpage and see the JavaScript. 我的问题是,任何人都可以查看网页的源代码并查看JavaScript。 How can I store some secret/key to invoke the API from JavaScript? 如何存储一些秘密/密钥以从JavaScript调用API?
A little secure way is to store the key in local-storage / indexeddb .. instead of hard coding it in javascript. 一种安全的方法是将密钥存储在local-storage / indexeddb ..中,而不是在javascript中进行硬编码。
Or either obfuscate the javascript code. 或混淆JavaScript代码。 Try services like 尝试类似的服务
https://javascriptobfuscator.com https://javascriptobfuscator.com
or any similar to obfuscate the js code. 或任何类似于混淆js代码的内容。
The OAuth2 specification makes provisions for a pure browser clients via the OAuth2 "implicit grant" . OAuth2规范通过OAuth2“隐式授予”为纯浏览器客户端提供了准备。
The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. 隐式授予类型用于获取访问令牌(它不支持刷新令牌的发布),并且已针对已知操作特定重定向URI的公共客户端进行了优化。 These clients are typically implemented in a browser using a scripting language such as JavaScript. 这些客户端通常是在浏览器中使用脚本语言(例如JavaScript)实现的。
If the service provider you are interacting with supports the OAuth2 implicit grant flow - you are home free. 如果您正在与之交互的服务提供商支持OAuth2隐式授予流程-您将无家可归。
It requires that the client identifier (the client key) is linked to a specific redirect_uri, so that even if the client identifier is lost, nobody else can use it - because the oauth flow always redirects to the same URI. 它要求将客户端标识符(客户端密钥)链接到特定的redirect_uri,以便即使客户端标识符丢失,也没有其他人可以使用它-因为oauth流始终重定向到相同的URI。
Therefore it becomes unimportant to safeguard the actual client identifier, even if it is intercepted, nobody else can use it to get hold of an access token. 因此,保护实际的客户端标识符变得不重要,即使它被截获,其他人也不能使用它来获取访问令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.