从 Microsoft 应用程序注册门户获取的客户端 ID 的安全问题
Security concern over Client ID obtained from Microsoft Application Registration Portal
我正在开发一个 Android 应用程序,它与用户 OneDrive for Personal 帐户集成并获得 Files.Read 范围。
我已经在 Microsoft 应用程序注册门户上注册了该应用程序。获得了用于使用 OneDrive 验证我的应用程序的客户端 ID,并且我正在使用 Microsoft Graph API。
现在我必须在我的应用程序中包含该客户端 ID,它将通过 Google Play 分发。
安全吗?如果任何人都可以获得该 Client ID,他们是否可以通过使用该 Client ID 发送虚假请求来篡改用户数据?
请注意,此问题专门针对客户端 ID 来验证对 OneDrive 的请求。
此外,这些答案在这里是否成立?
答案一:
Just a remark: the client ID is not a secret by design, so actually
there is no need to protect it.
See section 2.2 in RFC 6749 ("The OAuth 2.0 Authorization Framework"):
The client identifier is not a secret; it is exposed to the resource
owner and MUST NOT be used alone for client authentication.
答案2:
I know this won't be a good Whosebug answer, but I don't feel
able to explain it better than the Threat Model and Security
Considerations (RFC 6819). So here is the paragraph about obtaining a
Client Secret and its relative consequences.
Note that an Android app is a Public Client (a Native Application to
be more specific) so, as you say, unable to keep confidential its
credentials, but still able to protect Tokens and Authorization Code.
答案 #1 是正确的,客户端 ID 不是秘密,您不必担心将其打包到您的应用程序中。它的目标是识别发出请求的客户端,例如你的应用程序,而不是授权调用。作为成功的 OAuth 流程的输出获得的访问令牌应该能够保护,它用于授权调用。
我正在开发一个 Android 应用程序,它与用户 OneDrive for Personal 帐户集成并获得 Files.Read 范围。
我已经在 Microsoft 应用程序注册门户上注册了该应用程序。获得了用于使用 OneDrive 验证我的应用程序的客户端 ID,并且我正在使用 Microsoft Graph API。
现在我必须在我的应用程序中包含该客户端 ID,它将通过 Google Play 分发。
安全吗?如果任何人都可以获得该 Client ID,他们是否可以通过使用该 Client ID 发送虚假请求来篡改用户数据?
请注意,此问题专门针对客户端 ID 来验证对 OneDrive 的请求。
此外,这些答案在这里是否成立?
答案一:
Just a remark: the client ID is not a secret by design, so actually there is no need to protect it.
See section 2.2 in RFC 6749 ("The OAuth 2.0 Authorization Framework"):
The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication.
答案2:
I know this won't be a good Whosebug answer, but I don't feel able to explain it better than the Threat Model and Security Considerations (RFC 6819). So here is the paragraph about obtaining a Client Secret and its relative consequences.
Note that an Android app is a Public Client (a Native Application to be more specific) so, as you say, unable to keep confidential its credentials, but still able to protect Tokens and Authorization Code.
答案 #1 是正确的,客户端 ID 不是秘密,您不必担心将其打包到您的应用程序中。它的目标是识别发出请求的客户端,例如你的应用程序,而不是授权调用。作为成功的 OAuth 流程的输出获得的访问令牌应该能够保护,它用于授权调用。