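# OAuth 2.1与OIDC企业级实施与风险缓解最佳实践

## 概述

通过强制PKCE、回调白名单与JWK验证,可显著降低授权码窃取与令牌滥用风险。

## PKCE参数生成

```ts
/** Encodes bytes as unpadded base64url (RFC 4648 §5), the alphabet both PKCE and JWS use. */
function base64url(buf: Uint8Array): string {
  let binary = ''
  // Byte-wise loop instead of String.fromCharCode(...buf): no argument-count limit for larger inputs
  for (const byte of buf) binary += String.fromCharCode(byte)
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
}

/**
 * Creates a PKCE pair (RFC 7636): a random `code_verifier` and its S256 `code_challenge`.
 * Keep the verifier with the pending authorization request and present it only at the token endpoint.
 *
 * @returns the verifier (43 base64url chars, within the 43..128 range RFC 7636 requires) and its challenge
 */
async function createPkce(): Promise<{ verifier: string; challenge: string }> {
  const verifierBytes = crypto.getRandomValues(new Uint8Array(32))
  const verifier = base64url(verifierBytes)
  const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier))
  const challenge = base64url(new Uint8Array(digest))
  return { verifier, challenge }
}
```

## 回调白名单校验

```ts
/**
 * Checks a redirect_uri against a registered allow list using exact matching
 * (RFC 6749 §3.1.2 / OAuth 2.1): `allow` holds entries of the form `origin + pathname`.
 *
 * Rejected outright, independent of the allow list:
 * - unparseable URIs
 * - opaque origins (custom, blob:, data: schemes all serialize as the literal string "null",
 *   so `origin + pathname` would otherwise collapse them into one entry)
 * - embedded credentials, a query string or a fragment (the fragment is forbidden by RFC 6749;
 *   a query not present in the registered entry is not an exact match)
 *
 * @param uri   redirect_uri received from the client (untrusted)
 * @param allow registered `origin + pathname` strings for this client
 * @returns true only when the normalized `origin + pathname` is registered
 */
function isAllowedRedirect(uri: string, allow: readonly string[]): boolean {
  let u: URL
  try {
    u = new URL(uri)
  } catch {
    return false
  }
  if (u.origin === 'null') return false
  if (u.username !== '' || u.password !== '') return false
  if (u.search !== '' || u.hash !== '') return false
  // URL normalizes case and dot-segments, so "/cb/../admin" is compared as "/admin", not as "/cb"
  return allow.includes(u.origin + u.pathname)
}
```

## OIDC ID Token验证

```ts
import { createPublicKey, createVerify, KeyObject } from 'crypto'

type Jwk = {
  kid: string
  kty: string
  alg?: string
  use?: string
  n?: string
  e?: string
  crv?: string
  x?: string
  y?: string
}

type ExpectedClaims = {
  /** Issuer identifier of the OpenID Provider, compared as an exact string. */
  iss: string
  /** This client's client_id. */
  aud: string
  /** Nonce sent in the authentication request; when given, the token's `nonce` claim must equal it. */
  nonce?: string
  /** Tolerance applied to exp/nbf/iat comparisons, in seconds. Default 0 (no tolerance). */
  clockSkewSec?: number
}

/** Decodes one base64url JWS segment as a JSON object; undefined when it is not valid JSON or not an object. */
function decodeJwsSegment(segment: string): Record<string, unknown> | undefined {
  try {
    const parsed: unknown = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'))
    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) return undefined
    return parsed as Record<string, unknown>
  } catch {
    return undefined
  }
}

/** Builds a KeyObject from the public RSA members of a JWK; undefined when the key material is invalid. */
function rsaPublicKeyFromJwk(jwk: Jwk): KeyObject | undefined {
  if (jwk.kty !== 'RSA' || typeof jwk.n !== 'string' || typeof jwk.e !== 'string') return undefined
  try {
    // Only the public members are passed on, so any stray private fields in the JWKS are never consumed
    return createPublicKey({ key: { kty: 'RSA', n: jwk.n, e: jwk.e }, format: 'jwk' })
  } catch {
    return undefined
  }
}

/**
 * Audience check per OIDC Core §3.1.3.7: `aud` may be a string or an array; with several
 * audiences an `azp` naming this client is required, and whenever `azp` is present it must match.
 */
function audienceMatches(aud: unknown, azp: unknown, expectedAud: string): boolean {
  const azpOk = azp === undefined || azp === expectedAud
  if (typeof aud === 'string') return aud === expectedAud && azpOk
  if (!Array.isArray(aud) || !aud.includes(expectedAud)) return false
  return aud.length === 1 ? azpOk : azp === expectedAud
}

/**
 * Verifies an RS256-signed ID Token (compact JWS) against a JWKS and the expected claims.
 *
 * Order of checks: structure, header (`alg` pinned to RS256, `kid` present), key lookup,
 * signature, then claims (`iss`, `aud`/`azp`, optional `nonce`, `exp` required, `nbf`/`iat` if present).
 * The signature is checked before any payload claim is interpreted.
 *
 * @param token    compact serialization `header.payload.signature` (untrusted)
 * @param jwks     provider keys fetched from the jwks_uri (trusted)
 * @param expected claim values the token must carry
 * @returns true only when every check passes; never throws on malformed input
 */
async function verifyIdToken(token: string, jwks: readonly Jwk[], expected: ExpectedClaims): Promise<boolean> {
  const parts = token.split('.')
  if (parts.length !== 3) return false
  const [h, p, s] = parts
  if (!h || !p || !s) return false

  const header = decodeJwsSegment(h)
  // The signature below is only ever checked as RSASSA-PKCS1-v1_5 / SHA-256, so the header must say so
  if (!header || header.alg !== 'RS256' || typeof header.kid !== 'string') return false

  const jwk = jwks.find(j => j.kid === header.kid)
  if (!jwk) return false
  if (jwk.alg !== undefined && jwk.alg !== 'RS256') return false
  if (jwk.use !== undefined && jwk.use !== 'sig') return false
  const pub = rsaPublicKeyFromJwk(jwk)
  if (!pub) return false

  const verifier = createVerify('RSA-SHA256')
  verifier.update(`${h}.${p}`)
  verifier.end()
  let signatureOk = false
  try {
    signatureOk = verifier.verify(pub, Buffer.from(s, 'base64url'))
  } catch {
    return false
  }
  if (!signatureOk) return false

  const payload = decodeJwsSegment(p)
  if (!payload) return false
  if (payload.iss !== expected.iss) return false
  if (!audienceMatches(payload.aud, payload.azp, expected.aud)) return false
  if (expected.nonce !== undefined && payload.nonce !== expected.nonce) return false

  const now = Math.floor(Date.now() / 1000)
  const skew = expected.clockSkewSec ?? 0
  // exp is required: a missing exp used to compare as NaN and was silently accepted
  if (typeof payload.exp !== 'number' || !Number.isFinite(payload.exp) || payload.exp <= now - skew) return false
  if (payload.nbf !== undefined && (typeof payload.nbf !== 'number' || payload.nbf > now + skew)) return false
  if (payload.iat !== undefined && (typeof payload.iat !== 'number' || payload.iat > now + skew)) return false
  return true
}
```

## 风险缓解要点

- 强制授权码流启用PKCE并验证 `code_verifier`
- 严格的回调URI白名单与精确匹配
- 令牌最短有效期与刷新令牌轮换与撤销

通过PKCE与JWK验证、严格回调白名单与令牌治理,可实现企业级的OAuth/OIDC安全实施。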
