Embedding client Id in chrome extension

2019-04-07 16:41发布

问题:

I am building a chrome extension which will interact with salesforce-chatter api. But for a user using oAuth(User agent flow) authentication, I need to embed my client key in my extension.

Will this cause any security problem? Or is there a way to use oAuth without embedding client id in my extension?

回答1:

The client id has to be included into a request, so the provider knows that the request came from you, as @Matt Lacey already pointed out. Normally, the provider also issues a confidential client secret that is additionally included into the access token request, so the provider can verify that your app is allowed to use that client id.

Chrome extensions run on an open platform and the platform itself provides no methods for either authenticating the extension against a server (which salesforce would then also have to support) or storing properties securely (would be hard, if not impossible on an open platform), so keeping the client secret confidential is unfortunately not possible.

As this is a common problem, it is already considered in the OAuth specification (see section 10.1 Client Authentication and 10.2 Client Impersonation). The provider is therefore required to do additional checks, but on the client side you can't do anything to effectively improve security.

If you want some more insight into how this will be handled on Android devices in the future, check out my answer here.



回答2:

You have to embed the client ID in the extension to let Salesforce know what the app is that's trying to authenticate. These client IDs are intended to always be stored and passed to the server, so as long as you're storing it in a secure manner there shouldn't be a problem.



回答3:

As Matt explained if you are creating a packaged app you will be forced to include the client id. Another solutions is to write the app as a hosted app:

What is the difference between packaged apps and hosted apps?

The drawback of this is the added complexity of managing a web server. But it will allow greater security.