How to deal with OAuth2 client id and secret?

爱⌒轻易说出口 submitted on 2020-01-06 12:45:28

Question


I want to implement OAuth2 with Spring Boot. In most of the demos I saw, they had used a hard-coded client id and secret. In a real project, how do we use these?

I am attaching two images. One is of the client code, which I made using Angular; the other is the server code, made with Spring Boot OAuth2.


Answer 1:


You can save your client ID on the client side (property file, database, JNDI, ...), because it is a public identifier; see RFC 6749:

2.2. Client Identifier

The authorization server issues the registered client a client identifier -- a unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication. The client identifier is unique to the authorization server.

You can save your client secret on the client side (property file, database, JNDI, ...) only if you have a confidential client; see RFC 6749:

2.1. Client Types

OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to maintain the confidentiality of their client credentials):

  • confidential
    Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.

  • public
    Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.

For public clients, no client authentication is needed; see RFC 6749:

2.3. Client Authentication

[...] The authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.

But not all authorization servers support public clients for the Authorization Code Grant.

Another way is to use the Implicit Grant (without a client secret); see RFC 6749:

4.2. Implicit Grant

The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript.

[...]

The implicit grant type does not include client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other applications residing on the same device.

But not all authorization servers support the Implicit Grant, for example GitHub.
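The client-type rules the answer quotes, shown as an added example that is not part of the original question or answer and is not Spring Boot code: a toy authorization-server token endpoint in Python that authenticates a confidential client with its secret over HTTP Basic (RFC 6749 §2.3.1), accepts a public client with no secret at all while still binding the code to the client_id and registered redirect_uri, rejects a confidential client that presents only its public client_id, and an Implicit Grant response that puts the access token into the redirect URI fragment. The client ids, secret, redirect URIs and issued codes are constructed for the demonstration.

```python
"""Toy OAuth 2.0 authorization-server pieces illustrating RFC 6749 §2.1-2.3 and §4.2.

Added example, not code from the original question or answer. The client registry,
redirect URIs and the client secret below are constructed for the demonstration.
"""
import base64
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote, urlencode


@dataclass
class RegisteredClient:
    client_id: str
    confidential: bool                      # client type per RFC 6749 §2.1
    client_secret: Optional[str] = None     # only a confidential client holds one
    redirect_uri: str = ""                  # registered redirection endpoint (§3.1.2)


# Constructed registry: a browser SPA (public) and a server-side web app (confidential).
CLIENTS: Dict[str, RegisteredClient] = {
    "angular-spa": RegisteredClient("angular-spa", confidential=False,
                                    redirect_uri="https://spa.example/callback"),
    "backend-web": RegisteredClient("backend-web", confidential=True,
                                    client_secret="kept-in-server-side-config",
                                    redirect_uri="https://web.example/callback"),
}

# Codes handed out by the (hypothetical) authorization endpoint: code -> (client_id, redirect_uri)
ISSUED_CODES: Dict[str, Tuple[str, str]] = {}


def issue_code(client_id: str) -> str:
    """Stand-in for the authorization endpoint's last step (§4.1.2): mint a one-time code."""
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = (client_id, CLIENTS[client_id].redirect_uri)
    return code


def basic_header(client_id: str, client_secret: str) -> Dict[str, str]:
    """Authorization header a confidential client sends (§2.3.1): url-encode, join, base64."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def _client_credentials(headers: Dict[str, str], form: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Read client credentials from HTTP Basic (preferred, §2.3.1) or from the form body."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        decoded = base64.b64decode(auth[len("Basic "):]).decode("utf-8")
        cid, _, sec = decoded.partition(":")
        return unquote(cid), unquote(sec)
    return form.get("client_id"), form.get("client_secret")


def token_endpoint(headers: Dict[str, str], form: Dict[str, str]) -> dict:
    """Authorization Code Grant token request (§4.1.3) applying the client-type rules of §2.3."""
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}

    client_id, presented_secret = _client_credentials(headers, form)
    client = CLIENTS.get(client_id or "")
    if client is None:
        return {"error": "invalid_client"}

    if client.confidential:
        # A confidential client MUST authenticate; its public client_id alone proves nothing (§2.2).
        if presented_secret is None or not hmac.compare_digest(
                presented_secret.encode("utf-8"), client.client_secret.encode("utf-8")):
            return {"error": "invalid_client"}
    # Public client: §2.3 forbids relying on client authentication to identify it, so no secret
    # is expected or checked; the code/client_id/redirect_uri binding below is the only control.

    entry = ISSUED_CODES.pop(form.get("code", ""), None)   # single use: removed on any attempt
    if entry is None or entry != (client_id, form.get("redirect_uri")):
        return {"error": "invalid_grant"}

    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def implicit_redirect(client_id: str, redirect_uri: str, state: str) -> str:
    """Implicit Grant response (§4.2.2): token in the URI fragment, no client authentication,
    no refresh token; the only check is that redirect_uri equals the registered one (§4.2)."""
    client = CLIENTS.get(client_id)
    if client is None or client.redirect_uri != redirect_uri:
        raise ValueError("unregistered client or redirect_uri")
    fragment = urlencode({"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                          "expires_in": 3600, "state": state})
    return f"{redirect_uri}#{fragment}"
```

Applied to the question: an Angular front end runs in the browser, which the quoted §2.1 classifies as a public client, so its configuration should carry only the client_id; a client_secret belongs in the server-side configuration of a confidential client (for a Spring Boot back end, an externalized property or environment variable rather than a value baked into the front-end bundle), where the token endpoint above expects to see it.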



Source: https://stackoverflow.com/questions/47945902/how-to-deal-with-oauth2-client-id-and-secret
