---
title: OAuth设备码流与移动端安全回调治理最佳实践
keywords:
- 设备码流
- Device Code
- 移动端回调
- PKCE
- 回调白名单
- 令牌轮换
description: 以设备码流与PKCE为基础,结合移动端回调白名单与令牌轮换,构建安全可控的设备登录与移动回调治理方案。
categories:
- 文章资讯
- 技术教程
---
OAuth设备码流与移动端安全回调治理最佳实践
概述
设备码流(Device Code)适用于输入受限设备。通过严格的轮询与用户代码验证、移动端回调白名单与PKCE,可降低令牌滥用风险。
设备码流参数
type DeviceCode = { device_code: string; user_code: string; verification_uri: string; expires_in: number; interval: number }
async function startDeviceAuth(clientId: string): Promise<DeviceCode> {
const res = await fetch('https://idp.example.com/device/code', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ client_id: clientId, scope: 'openid profile' }) })
return await res.json()
}
轮询与授权
async function pollToken(dc: DeviceCode, clientId: string): Promise<string> {
const deadline = Date.now() + dc.expires_in * 1000
while (Date.now() < deadline) {
await new Promise(r => setTimeout(r, dc.interval * 1000))
const res = await fetch('https://idp.example.com/device/token', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ device_code: dc.device_code, client_id: clientId }) })
const data = await res.json()
if (data.access_token) return data.access_token
if (data.error && data.error !== 'authorization_pending') throw new Error(data.error)
}
throw new Error('expired_device_code')
}
移动端回调白名单与PKCE
function isAllowedMobileCallback(uri: string): boolean {
const allow = ['myapp://auth/callback', 'myapp2://auth/callback']
try { const u = new URL(uri); return allow.includes(u.protocol + '//' + u.host + u.pathname) } catch { return false }
}
async function createPkce(): Promise<{ verifier: string; challenge: string }> {
const verifierBytes = crypto.getRandomValues(new Uint8Array(32))
const verifier = btoa(String.fromCharCode(...verifierBytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier))
const challenge = btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
return { verifier, challenge }
}
令牌轮换与撤销
- 刷新令牌采用最短有效期与撤销接口
- 移动端持久化采用安全存储并定期轮换
运维要点
- 严格执行轮询间隔与过期时间,防止过载
- 移动端回调URI白名单精确匹配,配合PKCE
- 令牌轮换与撤销审计,避免长期令牌暴露
通过设备码流、回调白名单与PKCE,可实现设备与移动端场景下的安全认证治理。
发表评论 取消回复