1. 首页
  2. 软件
  3. 工程实践
  4. 安全

OAuth设备码流与移动端安全回调治理最佳实践

YBB 13 阅读 0 评论

OAuth设备码流与移动端安全回调治理最佳实践概述设备码流(Device Code)适用于输入受限设备。通过严格的轮询与用户代码验证、移动端回调白名单与PKCE,可降低令牌滥用风险。设备码流参数type DeviceCode = { device_code: string; user_code: string; verification_uri: string; expires_in: number; interval: number }

async function startDeviceAuth(clientId: string): Promise<DeviceCode> {

const res = await fetch('https://idp.example.com/device/code', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ client_id: clientId, scope: 'openid profile' }) })

return await res.json()

}

轮询与授权async function pollToken(dc: DeviceCode, clientId: string): Promise<string> {

const deadline = Date.now() + dc.expires_in * 1000

while (Date.now() < deadline) {

await new Promise(r => setTimeout(r, dc.interval * 1000))

const res = await fetch('https://idp.example.com/device/token', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ device_code: dc.device_code, client_id: clientId }) })

const data = await res.json()

if (data.access_token) return data.access_token

if (data.error && data.error !== 'authorization_pending') throw new Error(data.error)

}

throw new Error('expired_device_code')

}

移动端回调白名单与PKCEfunction isAllowedMobileCallback(uri: string): boolean {

const allow = ['myapp://auth/callback', 'myapp2://auth/callback']

try { const u = new URL(uri); return allow.includes(u.protocol + '//' + u.host + u.pathname) } catch { return false }

}

async function createPkce(): Promise<{ verifier: string; challenge: string }> {

const verifierBytes = crypto.getRandomValues(new Uint8Array(32))

const verifier = btoa(String.fromCharCode(...verifierBytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')

const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier))

const challenge = btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')

return { verifier, challenge }

}

令牌轮换与撤销刷新令牌采用最短有效期与撤销接口移动端持久化采用安全存储并定期轮换运维要点严格执行轮询间隔与过期时间,防止过载移动端回调URI白名单精确匹配,配合PKCE令牌轮换与撤销审计,避免长期令牌暴露通过设备码流、回调白名单与PKCE,可实现设备与移动端场景下的安全认证治理。

点赞(0) 打赏
制品下载完整性与重试退避治理(checksum-retry-backoff)最佳实践
制品下载完整性与重试退避治理(checksum-retry-backoff)最佳实践
CSS 容器查询与现代响应式布局:稳定性、性能与可维护性实践
CSS 容器查询与现代响应式布局:稳定性、性能与可维护性实践
CSS 代码组织:@layer 与 @scope 协同实践
CSS 代码组织:@layer 与 @scope 协同实践
CSS View Transitions:页面与路由状态过渡实践
CSS View Transitions:页面与路由状态过渡实践

评论列表 共有 0 条评论

暂无评论
立即
投稿

微信公众账号

微信扫一扫加关注

 发表
评论 返回
顶部