问题
I'm just curious - do I need to keep the client_secret from Google/FaceBook/another OAuth 2.0 providers in a 'secret' place? As far as I can see, there're very little things that could be done with client-secret parameter, as soon as I specify very restrictive callback-urls.
So is it safe, for instance, to commit 'secret' keys to github/bitbucket/etc as a public repository for some live web-project?
As far as I know, client-secret has nothing in common with the developer account on google/facebook, so it's not possible to use it for hjacking or spoofing.
Am I missing something? Thanks!
回答1:
Try to keep it as secret as possible.
For a web app it is crucial to keep it secret, the security of the whole flow relies on that.
For native apps do your best. It can always be reverse engineered from your binary, but in some cases that may not be trivial. If possible don't commit in plain to github or such. You can add it as part of the build process.
来源:https://stackoverflow.com/questions/17395694/oauth-2-0-does-the-client-secret-has-to-be-secret