Oauth2.0,将client_secret存储在本地存储是否安全
[英]Oauth2.0, Is it safe to store client_secret on a local storage
问题描述
I'm using resource owner password credentials flow or password grant type.
我正在使用资源所有者密码凭证流或密码授予类型。 I just implemented my own authorization server using Spring Oauth2.我刚刚使用 Spring Oauth2 实现了自己的授权服务器。 So I wonder if it's safe to store client_secret on a local storage (web browser).所以我想知道将client_secret存储在本地存储(网络浏览器)上是否安全。 As far as I understand client_secret has nothing to do with authentication it's just a thing that use to verify a client that can request for an access token (if we want to specify the only client that can request for a token).据我了解, client_secret与身份验证无关,它只是用来验证可以请求访问令牌的客户端(如果我们想指定唯一可以请求令牌的客户端)。 So if this client_secret is leaked the hacker would need to have valid username/password of a user anyway.因此,如果此 client_secret 被泄露,黑客无论如何都需要拥有用户的有效用户名/密码。 There's another flow called implicit which doesn't require a client to store client_secret.还有另一种称为 implicit 的流程,它不需要客户端存储 client_secret。 Isn't that equivalent to password grant_type with poor client_secret storing since anyone wiht a valid username/password can request for a token anyway.这不等同于client_secret存储不佳的密码 grant_type,因为任何拥有有效用户名/密码的人都可以请求令牌。
1 个解决方案
解决方案1
1 2022-12-08 16:05:37
No, it is not.不它不是。 "Rich" clients cannot keep secrets actually secret. “富有”的客户实际上无法保守秘密。 In your case, anyone could open browser dev tools and read the "secret".在您的情况下,任何人都可以打开浏览器开发工具并阅读“秘密”。
The flows you are using are not sure neither.您正在使用的流程也不确定。 Use authorization-code with PKCE with public clients (those you cannot trust to keep a secret).将授权代码与 PKCE 一起用于公共客户端(您不能相信会保密的那些)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.