
Security of OAuth2 Client Id and Client Secret

I am developing a REST API secured via OAuth2 with Spring that will be used from an Android application (the client). In order to access any endpoint of my API, an OAuth2 access token is required and is handed over to the endpoint via the Authorization header in a way similar to this:

"Authorization" - "Bearer accesstokenhere"

In order to acquire an access token, a username and password must be provided, as well as a client ID and client secret (they represent the Android app). The client ID and client secret are handed over to the token endpoint via the Authorization header in a way similar to this, which is specified by Spring:

"Authorization" - "Basic clientId:clientSecret"

If the client ID and client secret match a client defined on the server, and if the user exists and the password is correct, an access token and a refresh token are returned.

Now my question is how I can securely store my client ID and client secret inside the Android application, making sure someone who reverse-engineers my app does not get access to them.

Also, if I were to develop an iOS application (a second client), would it be wise, from a security point of view, to use a different client ID and client secret?

You can't. Even if there were a way, I could still just inspect the payload on the wire to determine the values. See section 8.5 of OAuth 2.0 for Native Apps (RFC 8252):

"Secrets that are statically included as part of an app distributed to multiple users should not be treated as confidential secrets, as one user may inspect their copy and learn the shared secret. For this reason, and those stated in Section 5.3.1 of [RFC6819], it is NOT RECOMMENDED for authorization servers to require client authentication of public native apps clients using a shared secret, as this serves little value beyond client identification which is already provided by the "client_id" request parameter."

Your client id/secret parameters are just providing the identity of the application making the request. As such, it is recommended that you create a different client for your iOS application, both from a security-isolation point of view and for any analytics you want to gather about the use of your application (e.g. "how many sign-in attempts are you receiving per client id?", etc.).

However, a threat actor could reverse-engineer your settings, take your client id + secret and then start hitting your token endpoint with username/password combos to attempt to brute-force your application. If an endpoint accepts these values and returns a success/failure code, this is a useful attack vector for someone trying to compromise your system.

The currently recommended approach is to use the "Authorization code flow":

"The best current practice for authorizing users in native apps is to perform the OAuth authorization request in an external user-agent (typically the browser), rather than an embedded user-agent (such as one implemented with web-views).

Previously it was common for native apps to use embedded user-agents (commonly implemented with web-views) for OAuth authorization requests. That approach has many drawbacks, including the host app being able to copy user credentials and cookies, and the user needing to authenticate from scratch in each app. See Section 8.12 for a deeper analysis of using embedded user-agents for OAuth."

Have a look at AppAuth for Android for more information.
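The "authorization code flow" the answer recommends is, for a public native client, the authorization code flow with PKCE (RFC 7636), which is what AppAuth implements: the app proves it started the flow with a one-time code_verifier instead of a baked-in client secret. The following is an added example, not code from the question, the answer, Spring or AppAuth. The endpoint URLs, the redirect URI, the client id "android-app" and the ToyAuthorizationServer class are assumptions made for illustration; the toy server only models the checks a real authorization server performs (S256 challenge, single-use code, matching client_id and redirect_uri).

```python
"""PKCE authorization-code flow for a public native client (added example).

The endpoints, redirect URI and toy server below are assumptions for the
demonstration; they are not from the original post, Spring or AppAuth.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints (assumptions, not from the original post).
AUTHZ_ENDPOINT = "https://auth.example.com/oauth/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"
# Private-use URI scheme redirect, as RFC 8252 section 7.1 describes for native apps.
REDIRECT_URI = "com.example.app:/oauth2redirect"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 unreserved characters."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ascii(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id: str, verifier: str, state: str) -> str:
    """The request the app opens in the external browser (not a web-view)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def build_token_request(client_id: str, code: str, verifier: str) -> dict:
    """Form body POSTed to the token endpoint. There is no client_secret and no
    Basic header: the code_verifier is what ties this request to the app that
    started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "code_verifier": verifier,
    }


class ToyAuthorizationServer:
    """Minimal model of the server-side checks (hypothetical, for illustration)."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str, str]] = {}

    def authorize(self, url: str) -> str:
        """Consumes the authorization request and issues a single-use code."""
        q = parse_qs(urlparse(url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("only S256 is accepted; 'plain' offers no protection")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (q["client_id"][0], q["redirect_uri"][0], q["code_challenge"][0])
        return code

    def token(self, form: dict) -> dict:
        """Redeems a code; any failed check burns the code (RFC 6749 section 4.1.2)."""
        entry = self._pending.pop(form.get("code", ""), None)
        if entry is None:
            raise PermissionError("invalid_grant")
        client_id, redirect_uri, challenge = entry
        if form.get("client_id") != client_id or form.get("redirect_uri") != redirect_uri:
            raise PermissionError("invalid_grant")
        expected = code_challenge_s256(form.get("code_verifier", ""))
        if not secrets.compare_digest(expected, challenge):
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(client_id: str = "android-app") -> dict:
    """Runs the happy path, a replayed code, and a code used without its verifier."""
    server = ToyAuthorizationServer()
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    code = server.authorize(build_authorization_url(client_id, verifier, state))
    token = server.token(build_token_request(client_id, code, verifier))
    try:  # replaying the same code must fail: codes are single use
        server.token(build_token_request(client_id, code, verifier))
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    code2 = server.authorize(build_authorization_url(client_id, verifier, state))
    try:  # an intercepted code is useless without the verifier held in app memory
        server.token(build_token_request(client_id, code2, make_code_verifier()))
        stolen_code_accepted = True
    except PermissionError:
        stolen_code_accepted = False
    return {
        "token_type": token["token_type"],
        "replay_accepted": replay_accepted,
        "stolen_code_accepted": stolen_code_accepted,
    }


if __name__ == "__main__":
    print(run_flow())
```

The verifier lives only in the app process for the duration of one flow, so there is nothing static for a reverse engineer to extract, which is the property the shared client secret could never provide. Using a distinct client_id per platform, as the answer suggests, still works unchanged here since no secret is attached to either id.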

