简体繁体 English

如何在 Electron 应用程序上正确存储 Google Drive API 的客户端机密？

[英]How to properly store client secret for Google Drive API on Electron app?

原文 2021-01-14 16:14:11 7 1 node.js/ oauth-2.0/ electron

I have an Electron app that requires access to the users Google Drive and I want to implement the api functionality without having to expose the client secret.我有一个 Electron 应用程序需要访问用户 Google Drive，我想实现 api 功能而不必公开客户端密码。 From my understanding, this is impossible to do in certain scenarios like mobile applications, but what is the proper way of going about this on a local app?据我了解，这在某些情况下是不可能的，例如移动应用程序，但是在本地应用程序上执行此操作的正确方法是什么？

When trying to follow the web-app OAuth instructions from Google, it looks like you can't use this method on a local application.当尝试按照 Google 的网络应用程序OAuth 说明进行操作时，您似乎无法在本地应用程序上使用此方法。 When trying to setup the OAuth process this way it doesn't even let you whitelist localhost as a domain to authenticate users on (which breaks the process since this is a local app running on Electron).当尝试以这种方式设置 OAuth 进程时，它甚至不允许您将 localhost 作为域列入白名单以对用户进行身份验证（这会中断进程，因为这是在 Electron 上运行的本地应用程序）。 Add on to that this paper that Google released and it also seems like you can't trick the auth process to think it's not running on localhost, and you also can't run Node.js in the browser (I'm using Electron so this is impossible to do).加上谷歌发布的这篇论文，你似乎也无法欺骗 auth 进程认为它没有在本地主机上运行，你也无法在浏览器中运行 Node.js（我使用的是 Electron，所以这是不可能做到）。

I then tried following their Mobile and Desktop app workflow which seemed promising.然后我尝试遵循他们的移动和桌面应用程序工作流程，这似乎很有希望。 The issue arises when you need to Exchange authorization code for refresh and access tokens .当您需要为刷新和访问令牌交换授权代码时，就会出现问题。 This again requires that you show your client secret in your main app.这再次要求您在主应用程序中显示您的客户端密码。 I then though of splitting this up and doing some of it locally and then having an auth server that held the client secret and exchanged the authorization code from the client and returned a refresh and access token.然后我将其拆分并在本地执行其中的一些操作，然后拥有一个验证服务器来保存客户端机密并从客户端交换授权代码并返回刷新和访问令牌。 Looking at the diagram that Google provides for visualizing this process, it clearly shows that your app needs to do both parts of the authorization process so that idea was also out.查看 Google 提供的用于可视化此过程的图表，它清楚地表明您的应用程序需要执行授权过程的两个部分，因此这个想法也被淘汰了。

One application that I personally use and looked at was rclone and from the looks of it they just list their client ID and secret directly in their code .我个人使用和查看的一个应用程序是 rclone，从外观上看，他们只是在代码中直接列出了他们的客户端 ID 和密码。 The client secret is encrypted, but if you follow the workflow it gets revealed with a key that is also just stored locally on the app .客户端密码是加密的，但如果您按照工作流程进行操作，它会通过一个密钥显示出来，该密钥也只是存储在应用程序的本地。 So it's plain text is obscured, but there is nothing preventing anyone from getting hold of the client secret by slightly modifying the code.所以它的纯文本是模糊的，但是没有什么可以阻止任何人通过稍微修改代码来获取客户端机密。

I should also mention this app is in a public repo on GitHub and will stay that way.我还应该提到这个应用程序在 GitHub 上的公共回购中，并将保持这种状态。

This is my first time using OAuth so I may be misunderstanding something, but I tried following the documentation as closely as I could and can't shake the feeling that I'm overlooking a piece of this process.这是我第一次使用 OAuth，所以我可能误解了一些东西，但我尝试尽可能地遵循文档并且无法摆脱我忽略了这个过程的一部分的感觉。

And if the only way to solve this problem is to expose both the client id and secret, is there any way this could lead to users data being compromised?如果解决此问题的唯一方法是公开客户端 ID 和密码，是否有任何方法可能导致用户数据被泄露？ Since the Google Drive API is free to use I don't really mind if others use some of my quota.由于 Google 云端硬盘 API 是免费使用的，所以我并不介意其他人使用我的部分配额。 I'm more worried about security.我更担心安全问题。

1 个解决方案

For public clients like Desktop apps you're developing, you'll need to use the PKCE flow.对于您正在开发的桌面应用等公共客户端，您需要使用 PKCE 流程。 You're right that Google's documentation seems off here - you shouldn't need to pass the client_secret as part of the authorization code exchange.你是对的，谷歌的文档似乎在这里 - 你不应该需要传递client_secret作为授权代码交换的一部分。

That's supported by the documentation here: https://www.oauth.com/oauth2-servers/pkce/authorization-code-exchange/此处的文档支持： https://www.oauth.com/oauth2-servers/pkce/authorization-code-exchange/

It's possible that Google requires the client_secret but it doesn't treat the parameter as a real "secret" for public clients, but rather an additional identifier that is not sensitive, and not sufficient on its own to do anything on behalf of your application.谷歌可能需要client_secret但它并不将该参数视为公共客户的真正“秘密”，而是一个不敏感的附加标识符，并且其本身不足以代表您的应用程序执行任何操作。 Section 8.5 of the specification reads:规范第 8.5 节内容如下：

Secrets that are statically included as part of an app distributed to multiple users should not be treated as confidential secrets, as one user may inspect their copy and learn the shared secret.作为分发给多个用户的应用程序的一部分静态包含的秘密不应被视为机密，因为一个用户可能会检查他们的副本并了解共享秘密。 For this reason, and those stated in Section 5.3.1 of [RFC6819], it is NOT RECOMMENDED for authorization servers to require client authentication of public native apps clients using a shared secret, as this serves little value beyond client identification which is already provided by the "client_id" request parameter.出于这个原因，以及 [RFC6819] 第 5.3.1 节中所述，不建议授权服务器要求使用共享密钥对公共原生应用程序客户端进行客户端身份验证，因为除了已经提供的客户端标识之外，这几乎没有什么价值通过“client_id”请求参数。

Authorization servers that still require a statically included shared secret for native app clients MUST treat the client as a public client (as defined by Section 2.1 of OAuth 2.0 [RFC6749]), and not accept the secret as proof of the client's identity.仍然需要本地应用程序客户端静态包含的共享机密的授权服务器必须将客户端视为公共客户端（如 OAuth 2.0 [RFC6749] 的第 2.1 节所定义），并且不接受该机密作为客户端身份的证明。 Without additional measures, such clients are subject to client impersonation (see Section 8.6).如果不采取额外措施，此类客户可能会被冒充客户（请参阅第 8.6 节）。

You might also look into standalone OAuth service providers, like Xkit where I work.您也可以查看独立的 OAuth 服务提供商，例如我工作的Xkit 。 That would let you keep the secret confidential while still going through an OAuth flow.这样一来，您就可以在继续执行 OAuth 流程的同时保密。