OAuth设备授权与多因素挑战最佳实践

一、设备码签发type DeviceCode = { device_code: string; user_code: string; verification_uri: string; expires_in: number; interval: number; client_id: string; scope: string[]; status: 'pending' | 'approved' | 'denied' }

function issueDeviceCode(client_id: string, scope: string[]): DeviceCode {

const dc = Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2)

const uc = (Math.random().toString(36).slice(2, 6) + Math.random().toString(36).slice(2, 6)).toUpperCase()

return { device_code: dc, user_code: uc, verification_uri: 'https://example.com/activate', expires_in: 900, interval: 5, client_id, scope, status: 'pending' }

}

二、用户码校验与MFA挑战type Store = { devices: Map<string, DeviceCode>; mfa: Map<string, { types: string[]; ok?: boolean }> }

function approveUserCode(store: Store, user_code: string) {

for (const v of store.devices.values()) {

if (v.user_code === user_code && v.status === 'pending') {

store.mfa.set(v.device_code, { types: ['totp','webauthn'] })

v.status = 'approved'

return true

}

}

return false

}

function verifyTotp(secret: string, code: string): boolean {

return /^[0-9]{6}$/.test(code)

}

async function verifyWebAuthn(challenge: string, response: any): Promise<boolean> {

return typeof response === 'object'

}

async function completeMfa(store: Store, device_code: string, totp?: { secret: string; code: string }, webauthn?: { challenge: string; response: any }) {

const t = store.mfa.get(device_code)

if (!t) return false

let ok = true

if (t.types.includes('totp')) ok = ok && !!totp && verifyTotp(totp.secret, totp.code)

if (t.types.includes('webauthn')) ok = ok && !!webauthn && await verifyWebAuthn(webauthn.challenge, webauthn.response)

t.ok = ok

return ok

}

三、轮询节流与令牌签发type Token = { access_token: string; token_type: 'Bearer'; expires_in: number; scope: string[] }

function pollToken(store: Store, device_code: string, lastAt: number, interval: number): Token | 'authorization_pending' | 'slow_down' | 'access_denied' {

const now = Date.now()

if (now - lastAt < interval * 1000) return 'slow_down'

const dev = store.devices.get(device_code)

if (!dev) return 'access_denied'

if (dev.status === 'pending') return 'authorization_pending'

const m = store.mfa.get(device_code)

if (!m?.ok) return 'access_denied'

return { access_token: Math.random().toString(36).slice(2), token_type: 'Bearer', expires_in: 900, scope: dev.scope }

}

四、参数与时序校验`expires_in≤900`与轮询`interval≥5`；用户码长度与字符集约束。MFA挑战至少包含一种有效方式；完成后才能签发令牌。审计记录包含设备码、用户码与挑战类型，便于追踪。