How do you keep the client ID confidential when using OAuth in the Google Cloud Endpoints JavaScript client?
How to implement OAuth in the Google Cloud Endpoints JavaScript client is detailed here. In the code snippet below the client ID is passed as a parameter to the OAuth method.
```javascript
// CLIENT_ID is embedded in the script shipped to the browser
gapi.auth.authorize({client_id: CLIENT_ID, scope: SCOPES, immediate: mode}, callback);
```

Since the end user will receive the script file in clear text, regardless of the use of HTTPS, how would you avoid handing the client ID over to every user you serve? After all, it would be rather simple to comb the JavaScript code to find the client ID.
Recommended answer

You don't. Anyone can see and intercept it (as you stated), which is the root of the confused deputy problem.
That's why you validate your tokens. For a simple explanation of token validation and the confused deputy problem, check out this great SO question and answer on How and why is Google OAuth token validation performed.
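The token validation the answer refers to, as an added example that is not part of the original post or of Google's libraries: the claim checks a backend applies before trusting a caller, with the audience check being the one that defeats the confused deputy. It assumes `claims` is the JSON returned by Google's tokeninfo endpoint for the presented token (or the payload of an ID token whose signature has already been verified); the client IDs and sample claims are constructed placeholders.

```javascript
// Issuers Google uses for ID tokens.
const GOOGLE_ISSUERS = new Set(['accounts.google.com', 'https://accounts.google.com']);

// Client IDs allowed to call this backend (placeholder values, not real IDs).
const ALLOWED_CLIENT_IDS = new Set([
  'web-client-id.apps.googleusercontent.com',      // the JavaScript client (placeholder)
  'android-client-id.apps.googleusercontent.com',  // a native client (placeholder)
]);

// Returns { ok, errors, userId }. The client ID itself is public; what protects the
// backend is refusing tokens that were not minted for one of OUR client IDs.
function validateClaims(claims, nowSeconds = Math.floor(Date.now() / 1000)) {
  const errors = [];
  if (!GOOGLE_ISSUERS.has(claims.iss)) errors.push('unexpected issuer');
  // Confused deputy check: a perfectly valid Google token issued to some other
  // application (aud = that app's client ID) must be rejected here.
  if (!ALLOWED_CLIENT_IDS.has(claims.aud)) errors.push('audience is not one of our client IDs');
  // tokeninfo returns exp as a string; a decoded JWT payload carries a number.
  const exp = Number(claims.exp);
  if (!Number.isFinite(exp) || exp <= nowSeconds) errors.push('token expired');
  if (claims.email_verified === false || claims.email_verified === 'false') errors.push('email not verified');
  if (!claims.sub) errors.push('missing subject');
  return { ok: errors.length === 0, errors, userId: errors.length === 0 ? claims.sub : null };
}

// Constructed sample claims (not real tokens); SAMPLE_NOW pins "now" for reproducibility.
const SAMPLE_NOW = 1700000000;
const OWN_APP_TOKEN = {
  iss: 'accounts.google.com',
  aud: 'web-client-id.apps.googleusercontent.com',
  sub: '1234567890',
  exp: String(SAMPLE_NOW + 3000),
  email_verified: 'true',
};
// Same user, same issuer, but minted for a different application: the confused deputy case.
const OTHER_APP_TOKEN = { ...OWN_APP_TOKEN, aud: 'some-other-app.apps.googleusercontent.com' };
const EXPIRED_TOKEN = { ...OWN_APP_TOKEN, exp: String(SAMPLE_NOW - 1) };

for (const [name, claims] of [['own app', OWN_APP_TOKEN], ['other app', OTHER_APP_TOKEN], ['expired', EXPIRED_TOKEN]]) {
  const result = validateClaims(claims, SAMPLE_NOW);
  console.log(name, result.ok ? `accepted user ${result.userId}` : `rejected: ${result.errors.join(', ')}`);
}
```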