Should the "code" parameter be filtered out of the logs in the oauth2 flow?
Question
I'm implementing a login flow based on oauth2.
When the user grants the permission on the oauth2 provider side, the server gets a callback with a code that can be used to retrieve the access token.
The code is by definition very short-lived, but I still wonder if it is considered sensitive data that should not end up in the application logs (like the password param that is sent when a user logs in via a regular form).
Answer 1
Score: 2
One-time codes sent in URLs are considered safe to log. Usually they are short-lived also. Other examples include nonce values sent in 'magic' email links. Once used they are removed from backend data and cannot be replayed. If not used they expire soon anyway.
The authorization code typically has a lifetime of a minute or two, determined by state stored in the authorization server. In any up-to-date code flow, redeeming a code for tokens also requires a client secret, a PKCE code verifier or both. The authorization code alone thus cannot be used to get access tokens.
Also, it is possible to send the response_mode=form_post parameter in the authorization request, if you prefer to receive the code in a POST response. This may have slightly worse usability though, if the user clicks the back button after login, resulting in a form resubmission warning.
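The checks the answer describes (one-time use, short lifetime, PKCE verifier bound to the code) modelled as a toy in-memory authorization server; this is an added example, not code from the question or answer. The 120-second lifetime, the `ToyAuthorizationServer` name and the error `detail` strings are constructed for the illustration; the S256 challenge derivation follows RFC 7636.

```python
import base64, hashlib, secrets, time

# Assumed lifetime: the answer says "a minute or two"; 120 s is a constructed value.
CODE_LIFETIME_SECONDS = 120

def pkce_challenge(code_verifier: str) -> str:
    """S256 method from RFC 7636: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class ToyAuthorizationServer:
    """Minimal in-memory model of the authorization server's side of the code flow."""
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised deterministically
        self._codes = {}      # code -> {client_id, code_challenge, expires_at}

    def issue_code(self, client_id: str, code_challenge: str) -> str:
        """End of the authorization request: this code is what lands in the redirect URL."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "code_challenge": code_challenge,
            "expires_at": self._clock() + CODE_LIFETIME_SECONDS,
        }
        return code

    def redeem(self, code: str, client_id: str, code_verifier: str) -> dict:
        """Token endpoint: every check below must pass before a token is issued."""
        state = self._codes.pop(code, None)  # pop: any attempt consumes the code (one-time use)
        if state is None:
            return {"error": "invalid_grant", "detail": "unknown or already used code"}
        if self._clock() > state["expires_at"]:
            return {"error": "invalid_grant", "detail": "code expired"}
        if state["client_id"] != client_id:
            return {"error": "invalid_grant", "detail": "code issued to a different client"}
        if not secrets.compare_digest(pkce_challenge(code_verifier), state["code_challenge"]):
            return {"error": "invalid_grant", "detail": "PKCE verifier does not match challenge"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def demo() -> tuple:
    """Redeem a code once correctly, then replay it: returns (first_result, replay_result)."""
    server = ToyAuthorizationServer()
    verifier = secrets.token_urlsafe(32)              # kept by the client, never in the URL
    code = server.issue_code("web-app", pkce_challenge(verifier))
    first = server.redeem(code, "web-app", verifier)
    replay = server.redeem(code, "web-app", verifier)  # a party who only saw the logged code
    return first, replay
```

The replay in `demo()` fails even with the right verifier because the code was consumed; a party holding only a logged code additionally lacks the verifier, which never appears in the URL.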
Comments