REST API的凭证
因此,基本上我已经准备好了我的应用程序进行分发(它只能在我们的客户中分发,而不是通过互联网在全球范围内分发)。这是一个简单的WPF(.NET Framework 4.8)应用,它与定义的REST API交互。但是,要与上述API进行互动,我当然需要凭证(用户,密码和clientId和clientsecret的散布字符串)。目前,我在源代码中将这些信息作为纯文本……显然不是最终解决方案。
当我阅读了很多有关保护密码的不同方法(Securestring,RFC2898DeriveBytes,salts,Peppers等)时,我一直失去了重点。
这么长的故事,对API的请求必须看起来像这样:
POST https://server.domain.tld/MobiControl/api/token HTTP/1.1
Host: server.domain.tld
Authorization: Basic QXBwbGljYXRpb24xOkFwcGxpY2F0aW9uMVBhc3N3b3Jk
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
grant_type=password&username=Administrator&password=1
由于身体包含用户名和密码,因此我问自己,这是否有可能,安全地加密源代码中的凭据是有意义的吗?
So basically i got my App ready for Distribution (it only will distributed among our Customers, not worldwide via Internet). It is a simple WPF (.net Framework 4.8) App which interacts with a defined REST API. But to interact with said API i need, of course, Credentials (User, Password and a Hashed string from a ClientID and ClientSecret). Currently i got this information as plain text in my Source Code... which is obviously NOT the final solution.
As i read quite a bit about different methods (SecureString, RFC2898DeriveBytes, Salts, Peppers etc) of protecting the passwords i continuously lost my focus.
So long story short, the Request to the API must look like this:
POST https://server.domain.tld/MobiControl/api/token HTTP/1.1
Host: server.domain.tld
Authorization: Basic QXBwbGljYXRpb24xOkFwcGxpY2F0aW9uMVBhc3N3b3Jk
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
grant_type=password&username=Administrator&password=1
As the Body contains username and password in plaintext i am asking myself, is it even possible and does it make sense to safely encrypt the credentials in the Source Code?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
对API的凭证是否总是相同的,还是/可以/可以取决于谁在使用WPF应用程序?如果您只是使用WPF用户的凭据或基于它们的东西,那就很好。没有完整的方法可以确保您在二进制中获得您向第三方提供的二进制文件。您可以通过加密凭据更难提取,但是根据定义,解密密钥也必须在您的应用中。
我猜你不控制API?否则,唯一的方法是让最终用户的凭据可以访问API。
Are the credentials to the API always the same or can/do they depend on who's using the WPF application? If you're simply using the WPF user's credentials or something based on them, you're fine. There is no fullproof way to secure your credentials inside binaries that you're giving out to third parties. You can make it harder to extract by encrypting the credentials but by definition the decryption key also has to be in your app.
I'm guessing you don't control the API? Otherwise the only way is to let the end user's credentials give access to the API.