开源应用程序中的消费者秘密

开源应用程序中的消费者秘密

本文介绍了OAuth - 开源应用程序中的消费者秘密的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在创建一个用于共同管理 Twitter 的 Wordpress 插件帐户.我想允许用户通过管理面板添加帐户类似于 twitterfeed.com 的方式.

I'm creating a Wordpress plugin for collectively managing a Twitteraccount. I want to allow the user to add accounts via the Admin panelsimilar to the way twitterfeed.com does.

然而,我能看到的唯一方法是让用户签名在他们的帐户中,以唯一的名称注册应用程序,然后将 Consumer Key 和 Consumer Secret 粘贴到我的应用程序中.

However, the only way I can see of doing it is to get the user to signin to their account, register the application under a unique name andpaste in the Consumer Key and Consumer Secret to my application.

简单的安全影响是什么使用我的插件分发单个消费者密钥和消费者秘密,这样我就可以获得请求令牌和访问令牌并最小化用户所需的努力?

What are the security repercussions of simplydistributing a single Consumer Key and Consumer Secret with my plugin,so that I can get the Request Token and Access Token and minimise theeffort required by the user?

推荐答案

据我所知,最大的问题(我不确定这是否一定是安全问题)是有人会不恰当地使用您的密钥/秘密(假设垃圾邮件应用程序)导致它被撤销.那时,您插件的每个实例都将无法通过身份验证,您必须生成一个新实例,将其合并到您的插件中并让所有用户进行更新.这可能并不理想...

As I understand it, the biggest issue (I'm not sure it's necessarily a security issue) is that someone will use your Key/Secret inappropriately (let's say a spamming application) causing it to get revoked. At that point, every instance of your plug-in will fail to authenticate and you'll have to generate a new one, incorporate it in your plug-in and get all the users to update. Which is probably not ideal...

Ars Technica 对此有很好的描述 这里

Ars Technica had a pretty good write-up about it here

这篇关于OAuth - 开源应用程序中的消费者秘密的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-06 04:21