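I'm building a custom Power BI DataConnector that uses OAuth. I'm following the github example. But this stores the client credentials (required for the 'code flow' in OAuth) in a plain text file. Is there a secure alternative?
Best answer
Unfortunately, according to Microsoft employee Curt Hagenlocher, given the current "state of the art", there is no way to securely protect these credentials: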
There is no way to protect a secret on someone's desktop. That's why some OAuth providers (like AAD) support a "native app" mode where there's a client id but no secret. The most recent development in this space is PKCE, and we're aiming to have sample code for that later this year.
In principle, a secret could be supplied separately for service use -- and I'd like to see us do that some day -- but there's a lot of infrastructure which would need to be created to support that.
All someone needs to do is have Fiddler running and they can see exactly what secret is being sent to the token endpoint.
Regarding powerbi - How do I store credentials in a Power BI DataConnector?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/61122933/