在 UWP 应用程序中安全存储访问令牌的位置?
[英]Where to store access token securely in UWP application?
问题描述
Local storage is not right place to store tokens.
本地存储不是存储令牌的正确位置。 But this blog post says LocalCache is generally the right location.但是这篇博文说 LocalCache 通常是正确的位置。 If I store in LocalCache using DPAPI, Does this enough secure?如果我使用 DPAPI 存储在 LocalCache 中,这是否足够安全?
Does PasswordVault is good place to store it? PasswordVault 是存储它的好地方吗?
How can I store token securely so that outside this application token is not accessible?我怎样才能安全地存储令牌,以便在这个应用程序之外无法访问令牌?
2 个解决方案
解决方案1
4 已采纳 2020-12-24 11:57:27
I would definitely recommend storing confidential information like an Access Token in the PasswordVault as LocalSettings are not encrypted and are accessible quite easily from the app's package folder in AppData .我肯定会建议在PasswordVault中存储访问令牌等机密信息,因为LocalSettings未加密,并且可以从AppData中应用程序的 package 文件夹轻松访问。
Although PasswordVault has a bit odd API, you can still easily use it to store the token:尽管PasswordVault的 API 有点奇怪,但您仍然可以轻松地使用它来存储令牌:
var passwordVault = new PasswordVault();
passwordVault.Add(new PasswordCredential("Resource", "UserName", accessToken));
In your case, you most likely care only about the access token, so the "resource" and "user name" may be just arbitrary constants.在您的情况下,您很可能只关心访问令牌,因此“资源”和“用户名”可能只是任意常量。 Retrieving the token is easy as well:检索令牌也很容易:
//find credentials in the store
PasswordCredential? credential = null;
try
{
// Try to get an existing credential from the vault.
credential = _passwordVault.Retrieve("Resource", "UserName");
}
catch (Exception)
{
// When there is no matching resource an error occurs, which we ignore.
}
credential?.RetrievePassword();
return credential?.Password;
Note the use of try..catch .注意try..catch的使用。 This is because the vault throws if given resource/user name combo is not found (which could even happen when user manually deletes the entry in system Credential Manager.这是因为如果找不到给定的资源/用户名组合,保险库就会抛出(当用户手动删除系统凭据管理器中的条目时甚至可能发生这种情况。
Another advantage of PasswordVault is that credentials are synced across devices (although this feature may be going away in future versions). PasswordVault的另一个优点是凭据在设备之间同步(尽管此功能可能会在未来版本中消失)。
解决方案2
0 2020-12-24 07:08:44
Where to store access token securely in UWP application?
In general, we often store access token with ApplicationData.LocalSettings class that place settings container in the local app data store.通常,我们经常使用ApplicationData.LocalSettings class 存储访问令牌,将设置容器放置在本地应用程序数据存储中。 You could use it like the following.您可以像下面这样使用它。
var localSettings = Windows.Storage.ApplicationData.Current.LocalSettings;
// Create a simple setting.
localSettings.Values["accesstoken"] = token;
// Read data from a simple setting.
Object value = localSettings.Values["accesstoken"];
if (value == null)
{
// No data.
}
else
{
// Access data in value.
}
And if you want to store access token securely.如果您想安全地存储访问令牌。 The Windows Runtime provides the PasswordVault class to securely store credentials. Windows 运行时提供PasswordVault class 来安全地存储凭据。 for more please refer this document .有关更多信息,请参阅此文档。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.