OAuth 2.0 - does the client-secret has to be “secret”?

主宰稳场 提交于 2020-05-26 05:13:29

问题


I'm just curious - do I need to keep the client_secret from Google/FaceBook/another OAuth 2.0 providers in a 'secret' place? As far as I can see, there're very little things that could be done with client-secret parameter, as soon as I specify very restrictive callback-urls.

So is it safe, for instance, to commit 'secret' keys to github/bitbucket/etc as a public repository for some live web-project?

As far as I know, client-secret has nothing in common with the developer account on google/facebook, so it's not possible to use it for hjacking or spoofing.

Am I missing something? Thanks!


回答1:


Try to keep it as secret as possible.

For a web app it is crucial to keep it secret, the security of the whole flow relies on that.

For native apps do your best. It can always be reverse engineered from your binary, but in some cases that may not be trivial. If possible don't commit in plain to github or such. You can add it as part of the build process.



来源:https://stackoverflow.com/questions/17395694/oauth-2-0-does-the-client-secret-has-to-be-secret

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!