Google OAuth - Keeping the Client ID Secret

余生颓废 提交于 2020-01-01 10:13:13

问题


When using OAuth in the Google Cloud Endpoints JavaScript client, how do you preserve the secrecy of the client ID?

How to implement 0Auth in the Google Cloud Endpoints JavaScript client is detailed here. In the code snippet below the client ID is passed as a parameter to the OAuth method.

gapi.auth.authorize({client_id: CLIENT_ID, scope: SCOPES,
    immediate: mode}, callback);

Since the end user will receive the script file in clear text, regardless of the use of HTTPS, how would you avoid handing the client ID over to every user you serve? After all, it would be rather simple to comb the JavaScript code to find the client ID.


回答1:


You don't. Anyone can see and intercept it (as you stated), which is the root of the confused deputy problem.

That's why you validate your tokens. For a simple explanation of token validation and the confused deputy problem, check out this great SO question and answer on How and why is Google OAuth token validation performed.



来源:https://stackoverflow.com/questions/22266729/google-oauth-keeping-the-client-id-secret

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!