简体繁体 English

是否可以将Microsoft-Graph客户机密放入源代码中？

[英]Is it possible to put microsoft-graph client secret into source code?

原文 2018-09-20 15:30:34 7 1 javascript/ oauth/ electron/ azure-active-directory/ microsoft-graph

I have a javascript electron app ( https://github.com/damien122/cloudnoter ) which should connect to Microsoft graph backend and provide access to OneNote notebooks. 我有一个Javascript电子应用程序（ https://github.com/damien122/cloudnoter ），该应用程序应连接到Microsoft图形后端并提供对OneNote笔记本的访问。 Previously it works very well, but Microsoft changed the API, and I should adapt my app now. 以前它可以很好地工作，但是Microsoft更改了API，现在我应该修改我的应用程序。 Previously it was possible to get the Bearer token by code without using the client-secret, but now I should use the client secret and my question: 以前可以通过代码获取Bearer令牌，而无需使用客户端秘密，但是现在我应该使用客户端秘密和我的问题：

Is it recommended to put the client secret into the source code? 是否建议将客户端密码放入源代码中？ And also publish it on GitHub. 并将其发布在GitHub上。 What can someone can do with the client ID and client secret? 有人可以使用客户ID和客户机密做什么？ Should I keep the client-secret really "secret"? 我应该让客户机密真正保持“机密”吗？ Can I provide the client-secret to my app and keep it secret? 我可以为我的应用提供客户端机密并将其保密吗？

In the app registration service from ms I registered the app as a web app because this is the only way to get the authentication for me. 在ms的应用程序注册服务中，我将应用程序注册为网络应用程序，因为这是唯一获得身份验证的方法。 I can't find a way how to authenticate for web apps without the client secret. 如果没有客户端机密，我找不到如何对Web应用程序进行身份验证的方法。 And can't find a way how to use the "Nativ/Mobile App" registration with javascript. 并且找不到一种方法来通过javascript使用“ Nativ /移动应用”注册。 By the way, I use this documentation -> https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user 顺便说一下，我使用此文档-> https://developer.microsoft.com/zh-cn/graph/docs/concepts/auth_v2_user

1 个解决方案

For the grant flow, please check it as @Event and @Marc suggested. 对于授权流程，请按照@Event和@Marc的建议进行检查。

And for your other questions. 还有其他问题。

Is it recommended to put the client secret into the source code? 是否建议将客户端密码放入源代码中？ And also publish it on GitHub. 并将其发布在GitHub上。

No 没有

What can someone can do with the client ID and client secret? 有人可以使用客户ID和客户机密做什么？

With the Client ID and client secret, someone may call the resource in your data store. 使用“客户端ID”和“客户端密码”，有人可以调用您的数据存储中的资源。 But some case need we also pass the app name in the request. 但在某些情况下，我们还需要在请求中传递应用名称。

Should I keep the client-secret really "secret"? 我应该让客户机密真正保持“机密”吗？

Yes 是

Can I provide the client-secret to my app and keep it secret? 我可以为我的应用提供客户端机密并将其保密吗？

Yes . 是的。 You can use the Azure KeyValut to protect your secret. 您可以使用Azure KeyValut保护您的秘密。 Or just following the below blog: 或仅关注以下博客：

https://medium.com/poka-techblog/the-best-way-to-store-secrets-in-your-app-is-not-to-store-secrets-in-your-app-308a6807d3ed https://medium.com/poka-techblog/the-best-way-to-store-secrets-in-your-app-is-not-to-store-secrets-in-your-app-308a6807d3ed

Storing secrets in the environment 在环境中存储秘密

stripe_api_key = os.environ["STRIPE_API_KEY"] stripe_api_key = os.environ [“ STRIPE_API_KEY”]

Storing secrets in the database 在数据库中存储机密
Using a secrets syncing service 使用机密同步服务

Storing secrets in your code …but encrypted 在您的代码中存储机密…但已加密