问题描述
我一直在使用 Auth0 构建我网站的前端用户身份验证部分,但不确定如果我应该完全遵守文档的话.
I've been using Auth0 to build the front-end user authentication part of my site, but am unsure if I should be following the documentation exactly.
如果我要构建商业产品,我应该隐藏客户端ID和域吗?这会导致安全漏洞吗?
If I want to build a commercial product, should I be hiding the client ID and domain? Is this something that would lead to a security breach?
目前,任何人都可以查看我的Angular2源代码并查看客户端ID和域.
Currently anyone can view my Angular2 source code and look at the client ID and domain.
推荐答案
客户端标识符和您的域(我假设您是指与[account].auth0.com
类似的已分配Auth0域)都被视为不需要保密的信息.
The client identifier and your domain (which I'm assuming you're referring to the assigned Auth0 domain similar to [account].auth0.com
) are both considered information that does not need to be kept secret.
域代表处理身份验证的实体;等同于您的应用程序的accounts.google.com
.
The domain represents the entity handling the authentication; the equivalent of accounts.google.com
for your application.
客户端标识符是在OAuth 2.0规范中定义的,该标识符明确表明不是机密信息:
The client identifier is defined within the OAuth 2.0 specification which clearly indicates that is not confidential information:
在实际代码位于客户端环境中的基于浏览器的应用程序或其他应用程序中,不可避免地要在其中存储用于身份验证的信息.您只需要确保所存储的信息可以像您给出的两个示例一样公开即可.
In browser-based or other application where the actual code is located in a client environment it's unavoidable to have information stored there for authentication purposes. You just need to be sure that the information stored is okay to be disclosed like it is with the two examples you gave.
另一方面,这些类型的应用程序无法安全地使用OAuth 2.0定义的客户端机密,因为就像您所说的,任何人都可以通过检查代码来查看它.
On the other hand these types of application could not securely use a client secret as it is defined by OAuth 2.0, because like you said, anyone could see it by inspecting the code.
这篇关于带有Auth0的Angular2,我需要隐藏我的ClientID和域吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!