OIDC ID Token验证与时钟偏移（aud/iss/nonce/exp）最佳实践

背景与价值ID Token是登录流程核心。结合验签、声明校验与时钟偏移容忍，能防止伪造与重放问题并提升跨环境稳定性。统一规范验签算法：统一 `RS256/ES256`，拒绝不安全算法。发行者与受众：`iss/aud` 精确匹配；`azp` 可选辅助校验。时间窗口：为 `iat/exp` 提供 ±300 秒容忍，避免小幅时钟漂移导致误判。nonce绑定：`nonce` 与会话一致且一次性使用。核心实现JWS验签与声明校验type Claims = { iss: string; aud: string | string[]; exp: number; iat: number; nonce?: string; azp?: string } function enc(s: string): Uint8Array { return new TextEncoder().encode(s) } async function importKey(spki: ArrayBuffer, type: 'RS256'|'ES256'): Promise<CryptoKey> { const algo = type === 'RS256' ? { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' } : { name: 'ECDSA', namedCurve: 'P-256' } return crypto.subtle.importKey('spki', spki, algo as any, false, ['verify']) } function base64urlToBuf(s: string): ArrayBuffer { const b = atob(s.replace(/-/g,'+').replace(/_/g,'/')); const u = new Uint8Array(b.length); for (let i=0;i<b.length;i++) u[i] = b.charCodeAt(i); return u.buffer } async function verifyJws(jws: string, key: CryptoKey, type: 'RS256'|'ES256'): Promise<Claims | null> { const parts = jws.split('.') if (parts.length !== 3) return null const [h, p, s] = parts const header = JSON.parse(new TextDecoder().decode(base64urlToBuf(h))) if (header.alg !== type) return null const sig = base64urlToBuf(s) const ok = await crypto.subtle.verify(type === 'RS256' ? { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' } : { name: 'ECDSA', hash: 'SHA-256' }, key, sig, enc(h + '.' + p)) if (!ok) return null const claims: Claims = JSON.parse(new TextDecoder().decode(base64urlToBuf(p))) return claims } function timeNow(): number { return Math.floor(Date.now() / 1000) } function validAud(aud: string | string[], expected: string): boolean { return Array.isArray(aud) ? aud.includes(expected) : aud === expected } function claimsOk(c: Claims, expected: { iss: string; aud: string; nonce?: string; leewaySec: number }): boolean { if (c.iss !== expected.iss) return false if (!validAud(c.aud, expected.aud)) return false const now = timeNow() if (c.exp + expected.leewaySec < now) return false if (c.iat - expected.leewaySec > now) return false if (expected.nonce && c.nonce !== expected.nonce) return false return true } 落地建议验签算法限定为 `RS256/ES256`，拒绝 `none` 与弱算法；确保公钥来源可信并定期轮换。`iss/aud` 精确匹配，`nonce` 与会话绑定且一次性使用，过期后拒绝。针对 `iat/exp` 引入合适的偏移窗口（建议300秒），缓解小幅时钟漂移。验证清单JWS验签是否成功且算法符合要求。`iss/aud/nonce` 是否与期望一致。`iat/exp` 是否在容忍窗口内。