Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
405 views
in Technique[技术] by (71.8m points)

android - Why Google native oauth2 flow require client secret?

According to facebook oauth2 docs, client side flow doesn't require client secret param. Client side flow can be used on both native and mobile web apps.

However google's native oauth2 flow require client secret http://code.google.com/apis/accounts/docs/OAuth2.html#IA.

In this case client secret can be stolen by hacker using reverse engineering tools.

Can somebody clarify why it was done this way?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

According to a post from a Googler, the main reason is that they use the same libraries for server-side apps and native apps. It sounds like they don't consider client_secret to be sensitive in the context a native app, but they plan to phase it out for the installed app flow eventually.

From https://groups.google.com/group/oauth2-dev/browse_thread/thread/1e714924ebcc7e60/edfaaad5830ff2e8 :

We don't expect those secrets to stay secret—so far we're including them mostly so it's convenient to use with libraries today, and expect to stop requiring them at some point in the future.

While that might sound bad, keep in mind that OAuth was never intended to prevent malicious users from forging requests in the context of your mobile/desktop app.

If you're concerned about exposing client_secret, there is also the client-side flow described here: http://code.google.com/apis/accounts/docs/OAuth2.html#CS As far as I can tell, the client-side flow doesn't require client_secret and would work fine from a desktop or mobile app.

-Chris


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...