CN117579374A - OpenAPI-based service access authority authentication method, device, system and server

Info

Publication number: CN117579374A
Application number: CN202311756185.4A
Authority: CN (China)
Prior art keywords: key, openapi, dynamic key, access code, client
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 张浦
Current Assignee: Chongqing Shuzi Gravity Network Technology Co ltd
Original Assignee: Chongqing Shuzi Gravity Network Technology Co ltd
Application filed by Chongqing Shuzi Gravity Network Technology Co ltd
Priority to CN202311756185.4A
Publication of CN117579374A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L 9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The application relates to an OpenAPI-based service access authority authentication method, which comprises the following steps: receiving a user login request sent by a client, the user login request being generated by calling an initial key that an OpenAPI gateway has configured for the client; according to the access code of the initial key, sending the user login request to the corresponding service system for identity authentication, and receiving the identity information returned by the service system after the identity authentication is passed; inquiring the static key configured to correspond to the initial key, according to the access code of the initial key, to obtain the access code of the static key; generating a dynamic key, which carries the access code of the static key, the identity information and the security validity period; and returning the dynamic key to the client so that, after a service access request carrying the dynamic key is received from the client, authority authentication can be carried out on that request. The method makes the identity authentication and service access authorization scheme universal, with simple calculation logic, high communication efficiency and a high security level.

Description

OpenAPI-based service access authority authentication method, device, system and server
Technical Field
The present application relates to the technical field of authority authentication, and in particular to an OpenAPI-based service access authority authentication method, device, system and server.
Background
An API (Application Programming Interface) is an application programming interface. In the internet age, a website packages its services into a series of data interfaces that computers can readily recognise and opens them for third-party developers to use; this is called opening the website's API, and correspondingly the opened API is called an OpenAPI.
Enterprises need to open their own data, capabilities and the like as development platforms, and usually provide them outwards as REST API interfaces, as the QQ open platform, the WeChat open platform and the like do. An OpenAPI open platform involves client access, API authority management, call-count management and so on, and needs a unified portal to manage them, which is exactly where the OpenAPI gateway comes in.
For a platform-level API gateway, the API services are provided by different service systems, whose login schemes and authentication and authorization protocols or standards are often inconsistent, and the API gateway platform usually does not integrate all of these protocols or standards. How to design, on the basis of an OpenAPI gateway platform, a set of general identity authentication and service access authorization schemes with uncomplicated computational logic and a higher security level and communication efficiency is therefore a major problem to be solved in applying the OpenAPI gateway.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an OpenAPI-based service access authority authentication method, device, system, server, electronic device and computer-readable storage medium.
In one aspect, an embodiment of the present invention provides an OpenAPI-based service access authority authentication method, which includes:
receiving a user login request sent by a client; the user login request is generated by calling an initial key that the OpenAPI gateway has configured for the client, and carries the access code of the initial key;
according to the access code of the initial key, sending the user login request to the corresponding service system for identity authentication; after the identity authentication is passed, receiving the identity information returned by the service system;
inquiring the static key configured to correspond to the initial key, according to the access code of the initial key, to obtain the access code of the static key; the static key is configured for authenticating the service access rights of the client;
acquiring a security validity period; the security validity period represents the remaining period during which the passed user identity authentication stays valid;
generating a dynamic key; the dynamic key carries the access code of the static key, the identity information and the security validity period;
and returning the dynamic key to the client, and, after receiving a service access request carrying the dynamic key from the client, performing authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
In one embodiment, the step of performing authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period includes:
performing digital signature authentication on the dynamic key; after the signature authentication is passed, judging whether the dynamic key is still valid according to the security validity period;
and if the dynamic key is valid, performing authority authentication on the service access request according to the access code of the static key carried by the dynamic key.
In one embodiment, the step of performing authority authentication on the service access request according to the access code of the static key carried by the dynamic key includes: acquiring the OpenAPI authority list corresponding to the static key according to the access code of the static key carried by the dynamic key; judging whether the service currently accessed by the service access request is in the OpenAPI authority list; if so, sending an authorized access instruction for the current access service to the client; if not, sending an unauthorized access instruction for the current access service to the client.
In one embodiment, the method further comprises: configuring the corresponding OpenAPI authority list for the static key through Ant-style patterns or an access control list.
In one embodiment, the method further comprises: adjusting the security validity period of the dynamic key according to dynamic key adjustment parameters, which comprise the frequency, the time period and the API level at which the client uses the dynamic key; generating a replacement dynamic key with the adjusted security validity period; and sending the replacement dynamic key to the client to update the client's dynamic key.
In one embodiment, the step of generating the dynamic key includes: combining the access code of the static key, the identity information and the security validity period to obtain the access code plaintext of the dynamic key; processing the access code plaintext with an encryption algorithm to obtain the access code of the dynamic key; obtaining a key certificate of the dynamic key through an encryption algorithm; and generating the dynamic key from the access code of the dynamic key and the key certificate.
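As an added worked example (not code from the patent), the following Python models the gateway-side logic of the embodiments above and of steps S206 to S212 described later: issuing a dynamic key, checking its signature, its validity period and the OpenAPI authority list in that order, and issuing a replacement key with an adjusted validity period. It assumes HMAC-SHA256 as the key certificate, URL-safe base64 of a JSON plaintext as the dynamic key's access code in place of the unspecified encryption algorithm, Ant-style path patterns for the authority list, and constructed key tables; the service system's identity authentication is outside the block and is represented by the identity information passed in.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed gateway configuration standing in for the gateway's key store.
# Each initial key configured for a client maps to the static key that holds
# the client's service access rights and to the service system that
# authenticates that client's users.
INITIAL_KEYS = {
    "init-app1": {"static_key": "static-app1", "service_system": "member-system"},
}
# Each static key carries its OpenAPI authority list as Ant-style path patterns.
STATIC_KEYS = {
    "static-app1": ["/member/v1/profile/**", "/member/v1/orders/*"],
}
GATEWAY_SECRET = b"constructed-gateway-signing-secret"  # constructed value for the example
DEFAULT_VALIDITY_SECONDS = 1800


def ant_to_regex(pattern):
    """Translate an Ant-style pattern: '?' one char, '*' within a segment, '**' across segments."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(/.*)?")  # a trailing /** also matches zero further segments
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def in_authority_list(acl, path):
    """True when the requested service path matches any pattern of the authority list."""
    return any(ant_to_regex(p).match(path) for p in acl)


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _certificate(access_code):
    # The "key certificate": an HMAC-SHA256 tag over the access code (assumption of this example).
    return hmac.new(GATEWAY_SECRET, access_code.encode(), hashlib.sha256).hexdigest()


def _seal(plaintext):
    # Access code = encoded plaintext; dynamic key = access code + "." + certificate.
    access_code = _b64(json.dumps(plaintext, sort_keys=True, separators=(",", ":")).encode())
    return access_code + "." + _certificate(access_code)


def issue_dynamic_key(initial_access_code, identity_info,
                      validity_seconds=DEFAULT_VALIDITY_SECONDS, now=None):
    """Steps S206-S210: look up the static key, attach identity and validity period, sign."""
    cfg = INITIAL_KEYS.get(initial_access_code)
    if cfg is None:
        raise PermissionError("unknown initial key")
    now = int(time.time()) if now is None else int(now)
    # Access code plaintext: static access code + identity information + security validity period.
    return _seal({"static": cfg["static_key"], "identity": identity_info,
                  "exp": now + validity_seconds})


def _open_dynamic_key(dynamic_key):
    """Signature check first; returns the plaintext dict, or None if the certificate is bad."""
    access_code, _, cert = dynamic_key.partition(".")
    if not cert or not hmac.compare_digest(cert, _certificate(access_code)):
        return None
    return json.loads(_unb64(access_code))


def authenticate_access(dynamic_key, requested_service, now=None):
    """Step S212: signature -> validity period -> authority list; returns the instruction."""
    plaintext = _open_dynamic_key(dynamic_key)
    if plaintext is None:
        return "invalid-signature"
    now = int(time.time()) if now is None else int(now)
    if plaintext["exp"] <= now:
        return "expired"
    acl = STATIC_KEYS.get(plaintext["static"], [])
    return "authorized" if in_authority_list(acl, requested_service) else "unauthorized"


def renew_dynamic_key(dynamic_key, adjusted_validity_seconds, now=None):
    """Replacement key with an adjusted security validity period (the adjustment policy is not modelled)."""
    plaintext = _open_dynamic_key(dynamic_key)
    if plaintext is None:
        raise PermissionError("cannot renew a key whose certificate does not verify")
    now = int(time.time()) if now is None else int(now)
    plaintext["exp"] = now + adjusted_validity_seconds
    return _seal(plaintext)
```

Because the certificate is verified before the access code is decoded, a tampered key is rejected without ever parsing attacker-controlled content.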
In another aspect, an embodiment of the present invention provides an OpenAPI-based service access authority authentication method, which includes the following steps:
sending a user login request to the OpenAPI gateway; the user login request is generated by calling an initial key that the OpenAPI gateway has configured for the client, and carries the access code of the initial key;
receiving a dynamic key returned by the OpenAPI gateway; the dynamic key is generated by the OpenAPI gateway as follows: according to the access code of the initial key, the user login request is sent to the corresponding service system for identity authentication; after the identity authentication is passed, the identity information returned by the service system is received; the static key configured to correspond to the initial key is inquired according to the access code of the initial key to obtain the access code of the static key, the static key being configured for authenticating the service access rights of the client; a security validity period is acquired, representing the remaining period during which the passed user identity authentication stays valid; and the dynamic key is then generated, carrying the access code of the static key, the identity information and the security validity period;
and sending a service access request carrying the dynamic key to the OpenAPI gateway, so that the OpenAPI gateway can perform authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
In yet another aspect, an embodiment of the present invention provides an OpenAPI-based service access authority authentication method, which includes:
the client sends a user login request to the OpenAPI gateway; the user login request is generated by calling an initial key that the OpenAPI gateway has configured for the client, and carries the access code of the initial key;
the OpenAPI gateway sends the user login request to the corresponding service system for identity authentication according to the access code of the initial key; after the identity authentication is passed, it receives the identity information returned by the service system; it inquires the static key configured to correspond to the initial key according to the access code of the initial key to obtain the access code of the static key, the static key being configured for authenticating the service access rights of the client; it acquires a security validity period, representing the remaining period during which the passed user identity authentication stays valid; it generates a dynamic key carrying the access code of the static key, the identity information and the security validity period; and it returns the dynamic key to the client;
the client sends a service access request to the OpenAPI gateway; the service access request carries the dynamic key;
and the OpenAPI gateway performs authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
In still another aspect, an embodiment of the present invention provides an OpenAPI-based service access authority authentication device, including:
a request receiving module, for receiving a user login request sent by the client; the user login request is generated by calling an initial key that the OpenAPI gateway has configured for the client, and carries the access code of the initial key;
an identity authentication module, for sending the user login request to the corresponding service system for identity authentication according to the access code of the initial key, and, after the identity authentication is passed, receiving the identity information returned by the service system;
a static key inquiry module, for inquiring the static key configured to correspond to the initial key according to the access code of the initial key to obtain the access code of the static key; the static key is configured for authenticating the service access rights of the client;
a validity period acquisition module, for acquiring the security validity period; the security validity period represents the remaining period during which the passed user identity authentication stays valid;
a dynamic key generation module, for generating a dynamic key; the dynamic key carries the access code of the static key, the identity information and the security validity period;
and an authority authentication module, for returning the dynamic key to the client and, after receiving a service access request carrying the dynamic key from the client, performing authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
In another aspect, an embodiment of the present invention provides an OpenAPI-based service access authority authentication device, which includes:
a request sending module, for sending a user login request to the OpenAPI gateway; the user login request is generated by calling an initial key that the OpenAPI gateway has configured for the client, and carries the access code of the initial key;
a dynamic key receiving module, for receiving a dynamic key returned by the OpenAPI gateway; the dynamic key is generated by the OpenAPI gateway as follows: according to the access code of the initial key, the user login request is sent to the corresponding service system for identity authentication; after the identity authentication is passed, the identity information returned by the service system is received; the static key configured to correspond to the initial key is inquired according to the access code of the initial key to obtain the access code of the static key, the static key being configured for authenticating the service access rights of the client; a security validity period is acquired, representing the remaining period during which the passed user identity authentication stays valid; and the dynamic key is then generated, carrying the access code of the static key, the identity information and the security validity period;
and a request authentication module, for sending a service access request carrying the dynamic key to the OpenAPI gateway, so that the OpenAPI gateway can perform authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
In another aspect, an embodiment of the present invention provides an OpenAPI-based service access authority authentication system, which comprises a client, an OpenAPI gateway and a service system;
the client is used for sending a user login request to the OpenAPI gateway; the user login request is generated by calling an initial key that the OpenAPI gateway has configured for the client, and carries the access code of the initial key;
the OpenAPI gateway is used for sending the user login request to the corresponding service system according to the access code of the initial key;
the service system is used for carrying out identity authentication according to the user login request and, after the identity authentication is passed, returning the corresponding identity information to the OpenAPI gateway;
the OpenAPI gateway is used for inquiring the static key configured to correspond to the initial key according to the access code of the initial key to obtain the access code of the static key, the static key being configured for authenticating the service access rights of the client; acquiring a security validity period, representing the remaining period during which the passed user identity authentication stays valid; generating a dynamic key carrying the access code of the static key, the identity information and the security validity period; and returning the dynamic key to the client;
the client is used for sending a service access request to the OpenAPI gateway; the service access request carries the dynamic key;
and the OpenAPI gateway is used for performing authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
In yet another aspect, an embodiment of the present invention provides a server, including a memory and a processor, where the memory stores a computer program and the processor, when executing the computer program, implements the steps of the OpenAPI-based service access authority authentication method.
In still another aspect, an embodiment of the present invention provides an electronic device, including a memory and a processor, where the memory stores a computer program and the processor, when executing the computer program, implements the steps of the OpenAPI-based service access authority authentication method.
In yet another aspect, an embodiment of the present invention provides a computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the OpenAPI-based service access authority authentication method.
One of the above technical solutions has the following advantages or beneficial effects. From configuring an initial key for the clients to generating, by means of that initial key, a corresponding dynamic key that can be used for service access authority authentication, the OpenAPI gateway lays a foundation for many clients to carry out identity authentication and service authentication through the same OpenAPI gateway, so that the identity authentication and service access authority scheme becomes universal, the calculation logic is simple and the communication efficiency is high. By providing a new dynamic key data structure, in which the dynamic key carries the access code of a static key used for authority authentication, the identity information returned by the service system and a security validity period representing the remaining validity of the user identity authentication, the static key is responsible for configuring the authority while the dynamic key inherits that authority; because the dynamic key is generated anew after each user login and is valid only in the current session, it is effectively responsible for security authentication, and the security level is high. In summary, the OpenAPI gateway service can provide users with a set of general identity authentication and service access authorization schemes with uncomplicated computational logic and a higher security level and communication efficiency, so as to solve the problems of universality, security and the like of interface access.
Drawings
FIG. 1 is an application environment diagram of an OpenAPI-based service access rights authentication method in one embodiment;
FIG. 2 is an application environment diagram of an OpenAPI-based service access rights authentication method in another embodiment;
FIG. 3 is a schematic flow diagram of an OpenAPI-based service access rights authentication method in one embodiment;
FIG. 4 is a schematic flow chart of an OpenAPI-based service access rights authentication method in another embodiment;
FIG. 5 is a schematic flow chart diagram of an OpenAPI-based service access rights authentication method in another embodiment;
FIG. 6 is a timing diagram of an OpenAPI-based service access rights authentication method in another embodiment;
FIG. 7 is a schematic block diagram of an OpenAPI-based service access rights authentication device in one embodiment;
FIG. 8 is a schematic block diagram of an OpenAPI-based service access rights authentication device in another embodiment;
FIG. 9 is an internal block diagram of a server in one embodiment;
FIG. 10 is an internal structural diagram of an electronic device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The OpenAPI-based service access authority authentication method can be applied to the application environment shown in FIG. 1. That environment includes a client, an OpenAPI gateway server and a service system; the client and the OpenAPI gateway, and the OpenAPI gateway and the service system, may be connected for network communication through a wired or wireless network, specifically by communication means such as the internet, a local area network, Bluetooth, Wi-Fi or ZigBee. Clients include, but are not limited to, Windows clients, Linux clients, iOS clients and the like; a client may run on a terminal device including, but not limited to, a personal computer, notebook computer, smart phone, tablet, portable wearable device or other AI (Artificial Intelligence) device. The OpenAPI gateway server may be implemented as an independent server or as a server cluster made up of several servers, and likewise each service system may be implemented as a separate server or as a server cluster. A business system may be understood as a software system developed to support a business's daily operations, and may cover sales, purchasing, inventory, finance, human resources and so on; of course, each service system may be replaced by other servers or server clusters that provide user services and authenticate the login identity of the client, and the service system should not be taken to limit the OpenAPI-based service access authority authentication method provided by the application.
The application environment may include several clients (FIG. 1 shows two clients as an example, client 1 and client 2, with client 1 being a mobile phone APP and client 2 a PC web client). Each client can communicate with its corresponding service system through the OpenAPI gateway, and each client may correspond to at least one service system, configured according to the actual situation. As one application scenario, shown in FIG. 2, each client may correspond to a designated service system: for example, client 1 communicates with the meeting system through the OpenAPI gateway server, client 2 communicates with the order system through the OpenAPI gateway server, and client 3 communicates with the logistics system through the OpenAPI gateway server. Client 1, client 2 and client 3 can each be configured with several user identities, each corresponding to different operation authorities. If client 1 corresponds to the member system, for instance, its user identities can be configured as high-level, medium-level and low-level member identities, and since the services the member system provides differ per level, the operation authorities differ as well. When client 1, client 2 and client 3 each have millions of user logins, each user's identity authentication and authorization key differs, and users with different authorities access different server-side interfaces; for this situation the application provides a login authentication scheme for the service systems that is universal, efficient, high-performance and safer.
In one embodiment, as shown in FIG. 3, taking the OpenAPI gateway side as an example, the OpenAPI-based service access authority authentication method includes the following steps:
S202, receiving a user login request sent by a client; the user login request is generated by calling an initial key that the OpenAPI gateway has configured for the client, and carries the access code of the initial key;
S204, according to the access code of the initial key, sending the user login request to the corresponding service system for identity authentication; after the identity authentication is passed, receiving the identity information returned by the service system;
S206, inquiring the static key configured to correspond to the initial key according to the access code of the initial key to obtain the access code of the static key; the static key is configured for authenticating the service access rights of the client;
S208, acquiring a security validity period; the security validity period represents the remaining period during which the passed user identity authentication stays valid;
S210, generating a dynamic key; the dynamic key carries the access code of the static key, the identity information and the security validity period;
S212, returning the dynamic key to the client and, after receiving a service access request carrying the dynamic key from the client, performing authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
Specifically, the execution subject of steps S202 to S212 may be the OpenAPI gateway server, and may be changed according to the actual situation.
In one embodiment, as shown in FIG. 4, taking the client side as an example, the OpenAPI-based service access authority authentication method includes the following steps:
S302, sending a user login request to the OpenAPI gateway; the user login request is generated by calling an initial key that the OpenAPI gateway has configured for the client, and carries the access code of the initial key;
S304, receiving a dynamic key returned by the OpenAPI gateway; the dynamic key is generated by the OpenAPI gateway as follows: according to the access code of the initial key, the user login request is sent to the corresponding service system for identity authentication; after the identity authentication is passed, the identity information returned by the service system is received; the static key configured to correspond to the initial key is inquired according to the access code of the initial key to obtain the access code of the static key, the static key being configured for authenticating the service access rights of the client; a security validity period is acquired, representing the remaining period during which the passed user identity authentication stays valid; and the dynamic key is then generated, carrying the access code of the static key, the identity information and the security validity period;
S306, sending a service access request carrying the dynamic key to the OpenAPI gateway, so that the OpenAPI gateway can perform authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
The execution subject of steps S302 to S306 may be the client, and may be changed according to the actual situation.
According to the two OpenAPI-based service access authority authentication methods above, the OpenAPI gateway provided by the invention configures an initial key for a client and uses it to generate a corresponding dynamic key for the client; this dynamic key negotiation process lays a foundation for many clients to carry out identity authentication and service authentication through the same OpenAPI gateway, so that the identity authentication and service access authority scheme becomes universal, the calculation logic is simple and the communication efficiency is high. By providing a new dynamic key data structure, in which the dynamic key carries the access code of a static key used for authority authentication, the identity information returned by the service system and a security validity period representing the remaining validity of the user identity authentication, the static key is responsible for configuring the authority while the dynamic key inherits that authority; because the dynamic key is generated anew after each user login and is valid only in the current session, it is effectively responsible for security authentication, and the security level is high. In summary, the OpenAPI gateway service can provide users with a set of general identity authentication and service access authorization schemes with uncomplicated computational logic and a higher security level and communication efficiency, so as to solve the problems of universality, security and the like of interface access.
In the following embodiments of the present invention, the interaction process between each APP, the OpenAPI gateway and each service system is described by way of example, based on the application scenario of FIG. 2. As shown in FIG. 5 and FIG. 6, in one embodiment, the OpenAPI-based service access authority authentication method includes the following steps:
s312, the client sends a user login request to the OpenAPI gateway; the user login request is generated by an initial key call configured by the OpenAPI gateway for the client, and carries an access code of the initial key.
A key (such as the initial key, the static key and the dynamic key) refers to a key pair consisting of an AccessKey and a SecretKey. The AccessKey is the access code, used to mark the authentication identity, and can also serve as the user identity. The SecretKey is the key credential, used to digitally sign messages in communication so that tampering in transit can be detected. In addition, the SecretKey can be used as a key for encrypting data when required: for example, when a user login request is generated, a message composed of fields such as the user name and the password is transmitted; the server can judge through the SecretKey signature whether the message has been tampered with, but if the password were intercepted in transit the information would be revealed, so the SecretKey can be used as a symmetric encryption key to encrypt sensitive fields such as the user login password, ensuring that the transmitted sensitive information is ciphertext.
The initial key refers to a key used by a client (for example, an App) to call a dedicated login authentication interface of the OpenAPI gateway, for example, the initial key can be issued to the App by the OpenAPI gateway after a configuration file or a management system is configured for the App, and written into an installer of the App after the system is initialized.
The client sends a user login request to the OpenAPI gateway, namely, the user login request is generated based on the special login authentication interface; after a special login authentication interface realized by a service system is designed, the OpenApi gateway is injected into an OpenAPI service for calling, so that the service system can perform service layer security authentication on a user login request sent by a client.
In one embodiment, the core parameters of the dedicated login authentication interface include the initial key, the user name, the password and other client parameters; the specific data structure may be the user name, the password encrypted with the key credential (SecretKey), and the access code (AccessKey) of the initial key. The OpenAPI gateway can identify the service system matching the client according to the access code of the initial key, and then send the user login request to that service system for subsequent login identity authentication. The dedicated login authentication interface may be used to obtain the identity information (user ID or UserId) assigned to the client by the service system, and may be defined as follows:
interface ApiLoginService {
    // Returns the identity information (UserId) assigned to the client by the service system;
    // the type of the context parameter is not specified here.
    UserId login(String username, String password, Object context);
}
S314, the OpenAPI gateway sends a user login request to a corresponding service system for identity authentication according to the access code of the initial key; after the identity authentication is passed, receiving the identity information returned by the service system; inquiring a static key configured corresponding to the initial key according to the access code of the initial key to obtain the access code of the static key; the static key is configured to authenticate service access rights of the client; acquiring a safe validity period; the safety validity period is used for representing the residual validity period for passing the user identity authentication; generating a dynamic key; the dynamic key carries the access code, the identity information and the security validity period of the static key; the dynamic key is returned to the client.
In one embodiment, the process of sending the user login request to the corresponding service system for identity authentication according to the access code of the initial key can be understood with reference to fig. 2. Assuming that APP1, APP2 and APP3 each send a user login request to the OpenAPI gateway, and the access codes of the initial keys carried in the three user login requests are A, B and C respectively, the OpenAPI gateway can determine from preconfigured data or data in other databases that the user login request with access code A is forwarded to the member system, the one with access code B to the order system, and the one with access code C to the logistics system, so that the user login requests are distributed to the corresponding service systems for identity authentication. In the embodiment of the invention, each time the user's identity authentication at the service system succeeds, the OpenAPI gateway can obtain the identity information returned by the service system, where the identity information is a unique identifier of the user (for example, U0001).
It should be noted that querying the static key configured corresponding to the initial key according to the access code of the initial key, so as to obtain the access code of the static key, can be understood as finding, from the AccessKey of the initial key carried by the current user request, the correspondingly configured static key (which may be referred to as the parent key; for example, with AccessKey P123456789). The OpenAPI gateway may configure a dedicated set of parent keys and initial keys for the client and the corresponding service system in advance. This step can be performed after the OpenAPI gateway obtains the identity information returned by the service system, or in advance before the OpenAPI gateway obtains that identity information, so that the access code of the static key is prepared ahead of time for generating the dynamic key.
The static key is configured to authenticate the service access rights of the client. In one embodiment, a corresponding static key (parent key) is configured in a configuration file or management system for the initial key and the subsequently generated dynamic keys, for example: AccessKey: P123456789, SecretKey: 9515d303064fce881758cf8544eab8f0. Further, the OpenAPI-based service access authority authentication method may also include: configuring the corresponding OpenAPI authority list for the static key through an Ant-style pattern or an access control list (Access Control List, ACL); that is, the list of accessible APIs can be configured for the parent key either as an Ant-style pattern (for example, a pattern on Order, indicating that all APIs whose names begin with Order can be accessed) or as an access control list (OrderCreate, OrderQuery, etc.).
Acquiring a safety validity period, wherein the safety validity period is used for representing the residual validity period for passing the user identity authentication; it should be noted that the configuration of the secure validity period in the dynamic key also represents that the secure validity period also belongs to the validity period of the dynamic key. Each dynamic key has a default validity period, and when generating, the dynamic key strategy of each service system can be obtained according to configuration (configuration file or background management system), and the specific value of the security validity period which should be carried by each dynamic key when generating is determined according to the dynamic key strategy. For example, if an e-commerce App determines that the validity period of a dynamic key after a user logs in a mall is 1 hour, the configuration of parameters or a management system can be completed, so that the initial value of the security validity period of the dynamic key generated by an OpenAPI gateway is 1 hour; the security validity period gradually decreases along with time, when the security validity period is 0, the remaining validity period which is determined by the fact that the identity authentication of the user login mall passes is 0, the user is required to log in again and carry out the identity authentication again, and when the identity authentication passes, a new security validity period can be obtained, and then a new dynamic key is generated.
The process of generating the dynamic key can be specifically completed by the following steps:
after each successful authentication of the user at the service system, the user ID returned by the service system is obtained, the configured parent key is found according to the AccessKey of the initial key in the current user login request, the security validity period of the dynamic key (for example 600, in seconds, representing 10 minutes) is then obtained from the parameter configuration, and the AccessKey of the parent key, the identity information and the security validity period are combined to obtain the access code plaintext of the dynamic key, in the form AccessKey of parent key#user ID#validity period (specifically, P123456789#U0001#600);
then the access code plaintext is processed by an encryption algorithm to obtain the access code of the dynamic key; specifically, the final dynamic key AccessKey can be obtained by encrypting the access code plaintext of the dynamic key with a symmetric encryption algorithm (such as DES, 3DES, AES, etc.; other encryption algorithms may of course be used, and the method is not limited here) and then applying MD5 (Message-Digest Algorithm 5). It should be noted that, to improve information security, the MD5 algorithm may be salted, or replaced by a safer SHA-series algorithm, which may be selected according to actual requirements and is not limited here.
Then the key credential of the dynamic key is obtained through an encryption algorithm, namely the SecretKey of the dynamic key is generated by applying MD5 to a timestamp and a random number; the SecretKey of the dynamic key is generated by a random algorithm each time so as to improve data security. Similarly, the MD5 algorithm may be replaced by other hash algorithms or encryption methods, selected according to actual requirements and not limited here.
Finally, generating a dynamic key according to the access code and the key certificate of the dynamic key; the dynamic key Access Key and the secretKey of the dynamic key can be combined into a dynamic key pair to generate a final dynamic key.
The dynamic key is returned to the client, and particularly, the response message of the special login authentication interface (namely, the message of responding to the request login of the service system or the client) is returned to the client, so that the dynamic key can be used by the access signature and authentication of the subsequent service OpenAPI interface, and the safe validity period of the dynamic key is the appointed validity period, and the dynamic key can be regenerated after re-login.
S316, the client sends a service access request to the OpenAPI gateway; the service access request carries a dynamic key.
The client can display an interface after successful login after receiving the dynamic key returned by the OpenAPI gateway and temporarily store the dynamic key; when a client operates a certain service in the interface, the client sends a service access request to the OpenAPI gateway, and the OpenAPI gateway authenticates the service access request through a dynamic key.
And S318, the OpenAPI gateway performs authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
In some embodiments, S318 specifically includes: performing digital signature authentication on the dynamic key; after the signature authentication is passed, judging whether the dynamic key is valid or not according to the safety validity period; if the dynamic key is effective, authority authentication is carried out on the service access request according to the access code of the static key carried by the dynamic key.
The digital signature authentication algorithm used for the dynamic key may be the same as that used for the static keys; the specific algorithm may be a one-way hash algorithm (such as MD5, SHA-1, SHA-224, SHA-256, etc.), a symmetric encryption algorithm, an asymmetric encryption algorithm, etc., which is not limited here. After the signature authentication is passed, optionally, the AccessKey of the dynamic key is decrypted with the symmetric encryption algorithm of the OpenAPI gateway platform and the security validity period it carries is verified; if this verification passes, the dynamic key is determined to be valid.
Further, the step of performing authority authentication on the service access request according to the access code of the static key carried by the dynamic key may specifically include: acquiring an OpenAPI authority list corresponding to the static key according to the access code of the static key carried by the dynamic key; judging whether the current access service corresponding to the service access request is in an OpenAPI authority list, if so, sending a right access instruction aiming at the current access service to a client; if not, sending an unauthorized access instruction for the current access service to the client.
Before the step of acquiring the OpenAPI authority list corresponding to the static key according to the access code of the static key carried by the dynamic key, that access code can first be extracted; specifically, after the dynamic key is determined to be valid, the OpenAPI gateway can split the decrypted AccessKey plaintext on the # character, and the first segment obtained is the AccessKey of the static key carried by the dynamic key.
After the access code of the static key carried by the dynamic key is acquired, the identity of the user is firstly determined through the Access Key of the static key, and then the accessible OpenAPI list corresponding to the Access Key of the static key is acquired according to the identity, so that whether the currently accessed OpenAPI service name has authority access is judged. Optionally, the OpenAPI gateway may pre-configure an access key of the static key and a mapping table of the accessible OpenAPI service, and compare the currently accessed OpenAPI service name with the accessible OpenAPI service name in the mapping table through the access key of the static key, if there is a consistent service name, determine that the currently accessed OpenAPI service has permission to access, and send an access instruction with respect to the currently accessed service to the client, where the instruction may cause the client interface to display a start interface corresponding to the currently accessed service; if the consistent service name does not exist, determining that the currently accessed OpenAPI service has no authority to access, and sending an access-free instruction aiming at the currently accessed service to the client, wherein the instruction can enable the client interface to display a dialog box of the service having no authority to access.
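The dynamic key generation above (combining the parent AccessKey, user ID and validity period into the access code plaintext and deriving the dynamic key pair) and the three-stage check of S318 (signature authentication, validity period check, then the permission list of the parent key), as an added Python example that is not the patent's own code. It assumes constructed configuration data, replaces the symmetric-encryption-plus-MD5 derivation with an HMAC-SHA256 digest (one-way, so the gateway keeps the issued fields in an in-memory session table keyed by the dynamic AccessKey) and uses Python's fnmatch for the Ant-style pattern.

```python
import fnmatch
import hashlib
import hmac
import secrets
import time

# Constructed gateway configuration (sample data, not the patent's own):
# initial-key access code -> service system that performs login authentication
INITIAL_KEY_TO_SERVICE = {"A": "member", "B": "order", "C": "logistics"}
# initial-key access code -> parent (static) key access code
INITIAL_TO_PARENT = {"A": "P123456789", "B": "P223456789"}
# parent key -> its SecretKey and OpenAPI permission list (Ant-style pattern or ACL)
PARENT_KEYS = {
    "P123456789": {"secret": "9515d303064fce881758cf8544eab8f0", "perms": ["Order*"]},
    "P223456789": {"secret": "constructed-secret", "perms": ["OrderCreate", "OrderQuery"]},
}
# Assumption: a per-gateway key for deriving dynamic AccessKeys (stands in for AES+MD5)
GATEWAY_KEY = b"constructed-gateway-key"
# Assumption: in-memory session table, dynamic AccessKey -> issued fields
SESSIONS = {}


def route_login(initial_access_key):
    """S314: pick the service system that authenticates this login request."""
    return INITIAL_KEY_TO_SERVICE[initial_access_key]


def issue_dynamic_key(initial_access_key, user_id, validity_seconds, now=None):
    """Build the plaintext parent#userId#validity and derive the dynamic key pair."""
    parent = INITIAL_TO_PARENT[initial_access_key]
    plaintext = f"{parent}#{user_id}#{validity_seconds}"
    # The keyed digest is one-way, so the gateway keeps the fields it needs in SESSIONS
    access_key = hmac.new(GATEWAY_KEY, plaintext.encode(), hashlib.sha256).hexdigest()
    # SecretKey is fresh per login (the page hashes a timestamp and a random number)
    secret_key = secrets.token_hex(16)
    SESSIONS[access_key] = {
        "plaintext": plaintext,
        "secret": secret_key,
        "issued_at": time.time() if now is None else now,
    }
    return access_key, secret_key


def sign_request(secret_key, access_key, service_name):
    """Client side: sign the service access request with the dynamic SecretKey."""
    msg = f"{access_key}\n{service_name}".encode()
    return hmac.new(secret_key.encode(), msg, hashlib.sha256).hexdigest()


def authorize(access_key, service_name, signature, now=None):
    """S318: signature check -> validity period check -> permission list check."""
    session = SESSIONS.get(access_key)
    if session is None:
        return "unknown_key"
    expected = sign_request(session["secret"], access_key, service_name)
    if not hmac.compare_digest(expected, signature):
        return "bad_signature"
    now = time.time() if now is None else now
    # First '#' segment of the plaintext is the parent (static) key AccessKey
    parent, _user_id, validity = session["plaintext"].split("#")
    if now - session["issued_at"] >= int(validity):
        SESSIONS.pop(access_key)        # remaining validity is 0: user must log in again
        return "expired"
    perms = PARENT_KEYS[parent]["perms"]
    if any(fnmatch.fnmatchcase(service_name, p) for p in perms):
        return "authorized"             # "has right to access" instruction
    return "unauthorized"               # "no right to access" instruction


if __name__ == "__main__":
    ak, sk = issue_dynamic_key("A", "U0001", 600)
    print(authorize(ak, "OrderCreate", sign_request(sk, ak, "OrderCreate")))
```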
As a further optimization, in some embodiments, the OpenAPI-based service access rights authentication method may further include: according to the dynamic key adjustment parameters, adjusting the corresponding safe validity period of the dynamic key; the dynamic key adjustment parameters comprise the frequency, time period and API level of using the dynamic key by the client; generating a replacement dynamic key by using the adjusted safe validity period; and sending the replacement dynamic key to the client for updating the dynamic key of the client.
In this embodiment, the security validity period of the dynamic key can be changed dynamically through data analysis and dynamic learning by the OpenAPI gateway. The specific method is as follows: after the user logs in and obtains the dynamic key, the security validity period is dynamically calculated according to parameters such as the frequency, time period and API level with which the dynamic key is used in requests, so that the OpenAPI gateway can adjust the security validity period automatically. For example, when the time period of using the dynamic key (which can be understood as the interval between two uses of the dynamic key) becomes longer, the security validity period corresponding to the dynamic key can be shortened appropriately, and otherwise it is lengthened. The API level of using the dynamic key can be understood as the level of security requirement that the API places on identity authentication and service authentication: if the API level is high, the data security requirement is higher, and the security validity period corresponding to the dynamic key can be shortened; otherwise it is lengthened.
The parameters can be integrated, and a comprehensive and reasonable dynamic key dynamic adjustment strategy is formulated, so that the interaction between the client and the OpenAPI gateway is more flexible and intelligent, and the security level is higher; the process of frequently generating the dynamic key can be reduced to a certain extent, and the OpenAPI gateway server has better data processing performance and higher efficiency.
It should be noted that the dynamic key adjustment parameters may also include other adjustment parameters, and are not limited to the above three types. The time for sending the replacement dynamic key to the client can update the dynamic key when the instruction with or without the right is sent by the service authentication every time, and can also send the replacement dynamic key in a designated time period to update the dynamic key of the client, and the dynamic key can be flexibly configured according to actual needs.
In the service access authority authentication method based on the OpenAPI, the OpenAPI gateway establishes a foundation for the identity authentication and the service authentication of a plurality of clients by adopting the same OpenAPI gateway from configuring an initial key for the clients to generating a corresponding dynamic key for the clients, which can be used for the service access authority authentication, by utilizing the initial key, so that the universality of the identity authentication and the service access authority authentication scheme is realized, the calculation logic is simple, and the communication efficiency is high; by providing a new dynamic key data structure, namely, the dynamic key carries an access code of a static key for authority authentication, identity information returned by a service system and a safety validity period used for representing the residual validity duration of user identity authentication, the static key is responsible for configuring the authority, and the dynamic key inherits the authority of the static key and is a dynamic key, so that the dynamic key can be dynamically generated after each user login and is only valid in the current session, and is effectively responsible for safety authentication, and the safety level is high. In a word, the OpenAPI gateway service can provide a set of general identity authentication and service access authorization integrated solutions with uncomplicated computational logic and higher security level and communication efficiency for users, so as to solve the problems of universality, security and the like of interface access, and can realize high-performance security authentication by caching basic data.
The above embodiments also belong to the lower embodiments of the method shown in fig. 3 and 4, for supplementing the specific implementation of the steps of the method shown in the figures.
It should be understood that, for each of the foregoing method embodiments, although the steps in the flowchart are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated herein, the order of execution of the steps is not strictly limited, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts of the method embodiments may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, and the sub-steps or stages need not be performed in sequence, but may be performed alternately or in turn with at least a portion of the other steps or of the sub-steps or stages of other steps.
Based on the same ideas of the OpenAPI-based service access right authentication method in the above embodiment, an OpenAPI-based service access right authentication device is also provided herein.
In one embodiment, as shown in fig. 7, there is provided an OpenAPI-based service access right authentication apparatus, including: a request receiving module 401, an identity authentication module 402, a static key query module 403, a validity period obtaining module 404, a dynamic key generating module 405 and a permission authentication module 406, wherein:
a request receiving module 401, configured to receive a user login request sent by a client; the user login request is generated by an OpenAPI gateway for an initial key call configured by a client and carries an access code of the initial key;
the identity authentication module 402 is configured to send a user login request to a corresponding service system for identity authentication according to an access code of the initial key; after the identity authentication is passed, receiving the identity information returned by the service system;
the static key inquiry module 403 is configured to inquire a static key configured corresponding to the initial key according to the access code of the initial key, and obtain the access code of the static key; the static key is configured to authenticate service access rights of the client;
a validity period obtaining module 404, configured to obtain a security validity period; the safety validity period is used for representing the residual validity period for passing the user identity authentication;
a dynamic key generation module 405, configured to generate a dynamic key; the dynamic key carries the access code, the identity information and the security validity period of the static key;
and the permission authentication module 406 is configured to return the dynamic key to the client, and perform permission authentication on the service access request according to the dynamic key and the access code and the security validity period of the static key carried by the dynamic key after receiving the service access request carrying the dynamic key sent by the client.
In some embodiments, the rights authentication module 406 is specifically configured to perform digital signature authentication on the dynamic key; after the signature authentication is passed, judging whether the dynamic key is valid or not according to the safety validity period; if the dynamic key is effective, authority authentication is carried out on the service access request according to the access code of the static key carried by the dynamic key.
In some embodiments, the permission authentication module 406 is more specifically configured to obtain an OpenAPI permission list corresponding to the static key according to an access code of the static key carried by the dynamic key; judging whether the current access service corresponding to the service access request is in an OpenAPI authority list, if so, sending a right access instruction aiming at the current access service to a client; if not, sending an unauthorized access instruction for the current access service to the client.
In some embodiments, the OpenAPI-based service access rights authentication apparatus further includes: and the permission configuration module is used for configuring a corresponding OpenAPI permission list for the static key through the Ant mode or the access control list.
In some embodiments, the OpenAPI-based service access rights authentication apparatus further includes: the key replacement module is used for adjusting the safety validity period corresponding to the dynamic key according to the dynamic key adjustment parameter; the dynamic key adjustment parameters comprise the frequency, time period and API level of using the dynamic key by the client; generating a replacement dynamic key by using the adjusted safe validity period; and sending the replacement dynamic key to the client for updating the dynamic key of the client.
In some embodiments, the dynamic key generation module 405 is specifically configured to combine the access code, the identity information, and the security validity period of the static key to obtain an access code plaintext of the dynamic key; performing data processing on the plaintext of the access code by an encryption algorithm to obtain the access code of the dynamic key; and obtaining a key credential of the dynamic key through an encryption algorithm, and generating the dynamic key according to the access code of the dynamic key and the key credential.
Based on the same ideas of the OpenAPI-based service access right authentication method in the above embodiment, an OpenAPI-based service access right authentication device is also provided herein.
In one embodiment, as shown in fig. 8, there is provided an OpenAPI-based service access right authentication apparatus, including: a request sending module 501, a dynamic key receiving module 502 and a request authenticating module 503, wherein:
a request sending module 501, configured to send a user login request to an OpenAPI gateway; the user login request is generated by an OpenAPI gateway for an initial key call configured by a client and carries an access code of the initial key;
the dynamic key receiving module 502 is configured to receive a dynamic key returned by the OpenAPI gateway; the dynamic key is generated by the OpenAPI gateway as follows: according to the access code of the initial key, the user login request is sent to the corresponding service system for identity authentication; after the identity authentication is passed, the identity information returned by the service system is received; the static key configured corresponding to the initial key is queried according to the access code of the initial key to obtain the access code of the static key, the static key being configured to authenticate the service access rights of the client; a security validity period is acquired, which represents the remaining validity period after the user identity authentication has passed; and the dynamic key, which carries the access code of the static key, the identity information and the security validity period, is generated;
the request authentication module 503 is configured to send a service access request carrying the dynamic key to the OpenAPI gateway, so that the OpenAPI gateway can perform authority authentication on the service access request according to the dynamic key and the access code and security validity period of the static key carried by the dynamic key.
In some embodiments, the request authentication module 503 is specifically configured to cause the OpenAPI gateway to perform the following steps: performing digital signature authentication on the dynamic key; after the signature authentication is passed, judging whether the dynamic key is still valid according to the security validity period; and, if the dynamic key is valid, performing authority authentication on the service access request according to the access code of the static key carried by the dynamic key.
In some embodiments, the request authentication module 503 may more specifically be configured to cause the OpenAPI gateway to perform the following steps: acquiring the OpenAPI authority list corresponding to the static key according to the access code of the static key carried by the dynamic key; judging whether the service currently being accessed by the service access request is in the OpenAPI authority list; if so, sending an authorized-access instruction for the current access service to the client; if not, sending an unauthorized-access instruction for the current access service to the client.
In some embodiments, the OpenAPI gateway may further perform the following step: configuring the corresponding OpenAPI authority list for the static key by means of Ant-style path patterns or an access control list.
In some embodiments, the request authentication module 503 may be further configured to cause the OpenAPI gateway to perform the following steps: adjusting the security validity period corresponding to the dynamic key according to the dynamic key adjustment parameters, which comprise the frequency with which the client uses the dynamic key, the time period in which it is used and the API level; generating a replacement dynamic key using the adjusted security validity period; and sending the replacement dynamic key to the client so that the client updates its dynamic key. In this case the OpenAPI-based service access right authentication apparatus may further include a key updating module, which receives the replacement dynamic key returned by the OpenAPI gateway and stores it as the new dynamic key for subsequent service authentication and other operations.
In some embodiments, the OpenAPI gateway may perform the following steps: combining the access code of the static key, the identity information and the security validity period to obtain the access code plaintext of the dynamic key; processing the access code plaintext with an encryption algorithm to obtain the access code of the dynamic key; obtaining the key credential of the dynamic key through an encryption algorithm; and generating the dynamic key from the access code of the dynamic key and the key credential.
For specific limitations on the OpenAPI-based service access right authentication apparatus, reference may be made to the above limitation on the OpenAPI-based service access right authentication method, which is not described herein. The above-described modules in the OpenAPI-based service access right authentication apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In addition, in the embodiment of the OpenAPI-based service access right authentication device, the logic division of each program module is merely illustrative, and the above-mentioned function allocation may be performed by different program modules according to the needs in practical application, for example, in view of the configuration requirement of corresponding hardware or the convenience of implementation of software, that is, the internal structure of the OpenAPI-based service access right authentication device is divided into different program modules, so as to complete all or part of the functions described above.
In one embodiment, an OpenAPI-based service access authority authentication system is provided; its structure is as shown in fig. 1 or fig. 2, and its data flow in fig. 6. The OpenAPI-based service access authority authentication system comprises a client, an OpenAPI gateway and a service system. The client is used for sending a user login request to the OpenAPI gateway; the user login request is generated by the client calling the initial key configured for it by the OpenAPI gateway, and carries the access code of the initial key. The OpenAPI gateway is used for forwarding the user login request to the corresponding service system according to the access code of the initial key. The service system is used for performing identity authentication according to the user login request and, after the identity authentication is passed, returning the corresponding identity identification information to the OpenAPI gateway. The OpenAPI gateway is further used for querying the static key configured for the initial key according to the access code of the initial key to obtain the access code of the static key, the static key being configured to authenticate the service access rights of the client; acquiring a security validity period, which represents the remaining validity duration of the passed user identity authentication; generating a dynamic key, which carries the access code of the static key, the identity information and the security validity period; and returning the dynamic key to the client. The client is used for sending a service access request carrying the dynamic key to the OpenAPI gateway, and the OpenAPI gateway is used for performing authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
In this OpenAPI-based service access authority authentication system, the OpenAPI gateway configures an initial key for the client and generates a corresponding dynamic key for it. This dynamic key negotiation process allows multiple clients to use the same OpenAPI gateway for identity authentication and service authentication, so the identity authentication and service access authorization scheme is general, its computational logic is simple and its communication efficiency is high. A new dynamic key data structure is provided: the dynamic key carries the access code of the static key used for authority authentication, the identity information returned by the service system, and a security validity period representing the remaining validity duration of the user identity authentication. The static key is responsible for configuring the authority; the dynamic key inherits the authority of the static key, is generated dynamically after each user login and is valid only in the current session, so it is effectively responsible for security authentication and the security level is high. In short, the OpenAPI gateway service can provide users (clients and service systems) with a general integrated identity authentication and service access authorization solution with uncomplicated computational logic, a higher security level and higher communication efficiency, so as to solve the universality and security problems of interface access, and it can achieve high-performance security authentication by caching basic data.
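The gateway-side steps described in the embodiments above (login and dynamic key generation, signature authentication followed by the validity period check, authority-list matching with Ant-style patterns, and validity period adjustment with a replacement key) together with the system data flow, as an added Python example. It is not part of the patent and not the applicant's code. It assumes base64 encoding for the access code and HMAC-SHA256 for the key credential where the patent only says "an encryption algorithm", a stub service system that returns identity identification information for known users, and a constructed adjustment heuristic; the secret, key names, sample configuration and function names are all constructed.

```python
import base64, hashlib, hmac, json, re

# Constructed sample configuration (not from the patent). An initial key maps to
# the static key configured for it; each static key carries an OpenAPI authority
# list written as Ant-style path patterns. The service system is a stub that
# returns identity identification information for known users.
GATEWAY_SECRET = b"constructed-gateway-signing-secret"
INITIAL_TO_STATIC = {"ik-client-A": "sk-order-001"}
STATIC_KEYS = {"sk-order-001": {"authority_list": ["/api/order/**", "/api/profile/*"]}}
SERVICE_IDENTITIES = {"alice": "uid-42"}

def ant_to_regex(pattern):
    """Translate an Ant-style pattern (?, *, **) into a regex used with fullmatch."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2          # any number of path segments
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1       # anything within one segment
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1        # one character within a segment
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

def ant_match(pattern, path):
    return re.fullmatch(ant_to_regex(pattern), path) is not None

def generate_dynamic_key(static_code, identity, expires_at, secret=GATEWAY_SECRET):
    """Access code = encoded plaintext (static key access code, identity information,
    security validity period); key credential = HMAC-SHA256 over the access code.
    Both primitives are assumptions; the patent only says 'an encryption algorithm'."""
    plaintext = json.dumps({"static_code": static_code, "identity": identity,
                            "expires_at": expires_at}, sort_keys=True).encode()
    access_code = base64.urlsafe_b64encode(plaintext).decode().rstrip("=")
    credential = hmac.new(secret, access_code.encode(), hashlib.sha256).hexdigest()
    return f"{access_code}.{credential}"

def login(initial_code, username, now, ttl=3600):
    """Gateway-side login: identity authentication at the (stub) service system,
    static key lookup by the initial key's access code, then dynamic key issue."""
    identity = SERVICE_IDENTITIES.get(username)
    static_code = INITIAL_TO_STATIC.get(initial_code)
    if identity is None or static_code is None:
        return None                              # identity check or initial key failed
    return generate_dynamic_key(static_code, identity, now + ttl)

def verify_dynamic_key(token, now, secret=GATEWAY_SECRET):
    """Digital signature authentication first, then the validity period check."""
    access_code, _, credential = token.partition(".")
    expected = hmac.new(secret, access_code.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential):   # constant-time comparison
        return "INVALID_SIGNATURE", None
    padded = access_code + "=" * (-len(access_code) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))  # only after the MAC passes
    if now >= claims["expires_at"]:
        return "EXPIRED", None
    return "VALID", claims

def authorize(token, service_path, now, secret=GATEWAY_SECRET):
    """Authority authentication for one service access request."""
    status, claims = verify_dynamic_key(token, now, secret)
    if status != "VALID":
        return status
    static = STATIC_KEYS.get(claims["static_code"], {"authority_list": []})
    if any(ant_match(p, service_path) for p in static["authority_list"]):
        return "AUTHORIZED"
    return "UNAUTHORIZED"

def adjust_validity(base_ttl, calls_per_minute, off_hours, api_level):
    """Assumed heuristic for the adjustment parameters: heavy use, off-hours use and
    a higher API level each shorten the validity period, with a 60 s floor."""
    ttl = base_ttl
    if calls_per_minute > 60:
        ttl //= 2
    if off_hours:
        ttl //= 2
    return max(ttl // max(1, api_level), 60)

def renew_dynamic_key(token, now, calls_per_minute, off_hours, api_level, base_ttl=3600):
    """Replacement dynamic key carrying the adjusted validity period; only a key
    that still verifies is renewed, so an expired or forged key gets nothing."""
    status, claims = verify_dynamic_key(token, now)
    if status != "VALID":
        return None
    ttl = adjust_validity(base_ttl, calls_per_minute, off_hours, api_level)
    return generate_dynamic_key(claims["static_code"], claims["identity"], now + ttl)
```

Two design points worth noting. The credential is checked before the access code is decoded, so a malformed or tampered access code never reaches the parser, and `hmac.compare_digest` keeps the comparison constant-time. Base64 is an encoding, not encryption: the identity information and validity period inside the access code are readable by anyone holding the token, and the credential protects only integrity; a gateway that needs those fields to be confidential would have to encrypt the plaintext rather than merely encode it.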
Those skilled in the art will appreciate that the structures shown in fig. 1 or fig. 2 are merely block diagrams of portions of structures related to the present application and do not constitute a limitation of the OpenAPI-based service access authority authentication system to which the present application is applied, and that a specific OpenAPI-based service access authority authentication system may include more or less components than those shown in the drawings, or may combine some components, or have different arrangements of components.
In one embodiment, a server is provided, the internal structure of which may be as shown in fig. 9. The server includes a processor, memory, network interface, and database connected by a system bus. Wherein the processor of the server is configured to provide computing and control capabilities. The memory of the server includes nonvolatile storage medium and internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the server is used for storing service access authority authentication data based on an OpenAPI. The network interface of the server is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements a service access rights authentication method based on an OpenAPI.
It will be appreciated by those skilled in the art that the structure shown in fig. 9 is merely a block diagram of a portion of the structure associated with the present application and is not limiting of the server to which the present application is applied, and that a particular server may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, a server is provided that includes a memory and a processor, the memory having a computer program stored therein, the processor when executing the computer program performing the steps of: receiving a user login request sent by a client, the user login request being generated by the client calling the initial key configured for it by the OpenAPI gateway and carrying the access code of the initial key; sending the user login request to the corresponding service system for identity authentication according to the access code of the initial key, and receiving the identity information returned by the service system after the identity authentication is passed; querying the static key configured for the initial key according to the access code of the initial key to obtain the access code of the static key, the static key being configured to authenticate the service access rights of the client; acquiring a security validity period, which represents the remaining validity duration of the passed user identity authentication; generating a dynamic key, which carries the access code of the static key, the identity information and the security validity period; and returning the dynamic key to the client so that, after a service access request carrying the dynamic key is received from the client, authority authentication is performed on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
In one embodiment, the processor when executing the computer program further performs the steps of: performing authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period, which comprises performing digital signature authentication on the dynamic key; after the signature authentication is passed, judging whether the dynamic key is still valid according to the security validity period; and, if the dynamic key is valid, performing authority authentication on the service access request according to the access code of the static key carried by the dynamic key.
In one embodiment, the processor when executing the computer program further performs the steps of: acquiring an OpenAPI authority list corresponding to the static key according to the access code of the static key carried by the dynamic key; judging whether the current access service corresponding to the service access request is in an OpenAPI authority list, if so, sending a right access instruction aiming at the current access service to a client; if not, sending an unauthorized access instruction for the current access service to the client.
In one embodiment, the processor when executing the computer program further performs the step of: configuring the corresponding OpenAPI authority list for the static key by means of Ant-style path patterns or an access control list.
In one embodiment, the processor when executing the computer program further performs the steps of: according to the dynamic key adjustment parameters, adjusting the corresponding safe validity period of the dynamic key; the dynamic key adjustment parameters comprise the frequency, time period and API level of using the dynamic key by the client; generating a replacement dynamic key by using the adjusted safe validity period; and sending the replacement dynamic key to the client for updating the dynamic key of the client.
In one embodiment, the processor when executing the computer program further performs the steps of: combining the access code of the static key, the identity information and the safety validity period to obtain the access code plaintext of the dynamic key; performing data processing on the plaintext of the access code by an encryption algorithm to obtain the access code of the dynamic key; and obtaining a key credential of the dynamic key through an encryption algorithm, and generating the dynamic key according to the access code of the dynamic key and the key credential.
In one embodiment, an electronic device is provided, the internal structure of which may be as shown in FIG. 10. The electronic device includes a processor, a memory, a network interface, and a display screen connected by a system bus. Wherein the processor of the electronic device is configured to provide computing and control capabilities. The memory of the electronic device includes a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the electronic device is used for storing wireless screen data. The network interface of the electronic device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements a service access rights authentication method based on an OpenAPI.
It will be appreciated by those skilled in the art that the structure shown in fig. 10 is merely a block diagram of a portion of the structure associated with the present application and is not limiting of the electronic device to which the present application is applied, and that a particular electronic device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, an electronic device is provided that includes a memory having a computer program stored therein and a processor that when executing the computer program performs the steps of: sending a user login request to an OpenAPI gateway, the user login request being generated by the client calling the initial key configured for it by the OpenAPI gateway and carrying the access code of the initial key; receiving the dynamic key returned by the OpenAPI gateway, the dynamic key being generated by the OpenAPI gateway as follows: sending the user login request to the corresponding service system for identity authentication according to the access code of the initial key; receiving the identity information returned by the service system after the identity authentication is passed; querying the static key configured for the initial key according to the access code of the initial key to obtain the access code of the static key, the static key being configured to authenticate the service access rights of the client; acquiring a security validity period, which represents the remaining validity duration of the passed user identity authentication; and generating the dynamic key, which carries the access code of the static key, the identity information and the security validity period; and sending a service access request carrying the dynamic key to the OpenAPI gateway so that the OpenAPI gateway performs authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor performs the steps of: receiving a user login request sent by a client, the user login request being generated by the client calling the initial key configured for it by the OpenAPI gateway and carrying the access code of the initial key; sending the user login request to the corresponding service system for identity authentication according to the access code of the initial key, and receiving the identity information returned by the service system after the identity authentication is passed; querying the static key configured for the initial key according to the access code of the initial key to obtain the access code of the static key, the static key being configured to authenticate the service access rights of the client; acquiring a security validity period, which represents the remaining validity duration of the passed user identity authentication; generating a dynamic key, which carries the access code of the static key, the identity information and the security validity period; and returning the dynamic key to the client so that, after a service access request carrying the dynamic key is received from the client, authority authentication is performed on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
In one embodiment, the computer program when executed by the processor further performs the steps of: performing authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period, which comprises performing digital signature authentication on the dynamic key; after the signature authentication is passed, judging whether the dynamic key is still valid according to the security validity period; and, if the dynamic key is valid, performing authority authentication on the service access request according to the access code of the static key carried by the dynamic key.
In one embodiment, the computer program when executed by the processor further performs the steps of: acquiring an OpenAPI authority list corresponding to the static key according to the access code of the static key carried by the dynamic key; judging whether the current access service corresponding to the service access request is in an OpenAPI authority list, if so, sending a right access instruction aiming at the current access service to a client; if not, sending an unauthorized access instruction for the current access service to the client.
In one embodiment, the computer program when executed by the processor further performs the step of: configuring the corresponding OpenAPI authority list for the static key by means of Ant-style path patterns or an access control list.
In one embodiment, the computer program when executed by the processor further performs the steps of: according to the dynamic key adjustment parameters, adjusting the corresponding safe validity period of the dynamic key; the dynamic key adjustment parameters comprise the frequency, time period and API level of using the dynamic key by the client; generating a replacement dynamic key by using the adjusted safe validity period; and sending the replacement dynamic key to the client for updating the dynamic key of the client.
In one embodiment, the computer program when executed by the processor further performs the steps of: combining the access code of the static key, the identity information and the safety validity period to obtain the access code plaintext of the dynamic key; performing data processing on the plaintext of the access code by an encryption algorithm to obtain the access code of the dynamic key; and obtaining a key credential of the dynamic key through an encryption algorithm, and generating the dynamic key according to the access code of the dynamic key and the key credential.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor performs the steps of: sending a user login request to an OpenAPI gateway, the user login request being generated by the client calling the initial key configured for it by the OpenAPI gateway and carrying the access code of the initial key; receiving the dynamic key returned by the OpenAPI gateway, the dynamic key being generated by the OpenAPI gateway as follows: sending the user login request to the corresponding service system for identity authentication according to the access code of the initial key; receiving the identity information returned by the service system after the identity authentication is passed; querying the static key configured for the initial key according to the access code of the initial key to obtain the access code of the static key, the static key being configured to authenticate the service access rights of the client; acquiring a security validity period, which represents the remaining validity duration of the passed user identity authentication; and generating the dynamic key, which carries the access code of the static key, the identity information and the security validity period; and sending a service access request carrying the dynamic key to the OpenAPI gateway so that the OpenAPI gateway performs authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM), among others.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The terms "comprising" and "having" and any variations thereof herein are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or (module) elements is not limited to only those steps or elements but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
References herein to "a plurality" mean two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist together, or that B exists alone. The character "/" generally indicates that the objects around it are in an "or" relationship.
References herein to "first\second" are merely to distinguish similar objects and do not represent a particular ordering for the objects, it being understood that "first\second" may interchange a particular order or precedence where allowed. It is to be understood that the "first\second" distinguishing objects may be interchanged where appropriate to enable the embodiments described herein to be implemented in sequences other than those illustrated or described herein.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.

Claims (14)

1. A service access right authentication method based on an OpenAPI, the method comprising:
receiving a user login request sent by a client; the user login request is generated by the OpenAPI gateway for the initial key call configured by the client, and carries an access code of the initial key;
According to the access code of the initial key, the user login request is sent to a corresponding service system for identity authentication; after the identity authentication is passed, receiving the identity information returned by the service system;
inquiring a static key configured corresponding to the initial key according to the access code of the initial key to obtain the access code of the static key; the static key is configured to authenticate service access rights of the client;
acquiring a safe validity period; the safety validity period is used for representing the residual validity period for passing the user identity authentication;
generating a dynamic key; the dynamic key carries the access code of the static key, the identity information and the security validity period;
and returning the dynamic key to the client, and performing authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period after receiving the service access request carrying the dynamic key sent by the client.
2. The method according to claim 1, wherein the step of authenticating the service access request based on the dynamic key and the access code of the static key carried by the dynamic key and the security validity period comprises:
performing digital signature authentication on the dynamic key; after the signature authentication is passed, judging whether the dynamic key is still valid according to the security validity period;
and if the dynamic key is valid, authenticating the authority of the service access request according to the access code of the static key carried by the dynamic key.
3. The method according to claim 2, wherein the step of authenticating the service access request based on the access code of the static key carried by the dynamic key comprises:
acquiring an OpenAPI authority list corresponding to the static key according to the access code of the static key carried by the dynamic key;
judging whether the current access service corresponding to the service access request is in the OpenAPI authority list, if so, sending a right access instruction aiming at the current access service to the client; if not, sending an unauthorized access instruction aiming at the current access service to the client.
4. A method according to claim 3, characterized in that the method further comprises:
configuring a corresponding OpenAPI authority list for the static key by means of Ant-style path patterns or an access control list.
5. The method according to any one of claims 1 to 4, further comprising:
according to the dynamic key adjustment parameters, adjusting the corresponding safe validity period of the dynamic key; the dynamic key adjustment parameters comprise the frequency, the time period and the API level of the dynamic key used by the client;
generating a replacement dynamic key by using the adjusted safe validity period;
and sending the replacement dynamic key to the client for updating the dynamic key of the client.
6. The method according to any one of claims 1 to 4, wherein the step of generating a dynamic key comprises:
combining the access code of the static key, the identity information and the security validity period to obtain an access code plaintext of the dynamic key;
performing data processing on the access code plaintext through an encryption algorithm to obtain an access code of a dynamic key;
and obtaining a key certificate of the dynamic key through an encryption algorithm, and generating the dynamic key according to the access code of the dynamic key and the key certificate.
7. A service access right authentication method based on an OpenAPI, the method comprising:
Sending a user login request to an OpenAPI gateway; the user login request is generated by the OpenAPI gateway for the initial key call configured by the client, and carries an access code of the initial key;
receiving a dynamic key returned by the OpenAPI gateway; the dynamic key is generated by the OpenAPI gateway by: sending the user login request to a corresponding service system for identity authentication according to the access code of the initial key; after the identity authentication is passed, receiving the identity information returned by the service system; inquiring a static key configured corresponding to the initial key according to the access code of the initial key to obtain the access code of the static key, the static key being configured to authenticate service access rights of the client; acquiring a security validity period, which represents the remaining validity duration of the passed user identity authentication; and generating the dynamic key, which carries the access code of the static key, the identity information and the security validity period;
and sending a service access request carrying the dynamic key to the OpenAPI gateway so that the OpenAPI gateway can carry out authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
8. A service access right authentication method based on an OpenAPI, the method comprising:
the client sends a user login request to the OpenAPI gateway; the user login request is generated by the OpenAPI gateway for the initial key call configured by the client, and carries an access code of the initial key;
the OpenAPI gateway sends the user login request to a corresponding service system for identity authentication according to the access code of the initial key; after the identity authentication is passed, receiving the identity information returned by the service system; inquiring a static key configured corresponding to the initial key according to the access code of the initial key to obtain the access code of the static key; the static key is configured to authenticate service access rights of the client; acquiring a safe validity period; the safety validity period is used for representing the residual validity period for passing the user identity authentication; generating a dynamic key; the dynamic key carries the access code of the static key, the identity information and the security validity period; returning the dynamic key to the client;
the client sends a service access request to the OpenAPI gateway; the service access request carries the dynamic key;
And the OpenAPI gateway performs authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
9. A service access rights authentication apparatus based on an OpenAPI, the apparatus comprising:
the request receiving module is used for receiving a user login request sent by the client; the user login request is generated by the OpenAPI gateway for the initial key call configured by the client, and carries an access code of the initial key;
the identity authentication module is used for sending the user login request to a corresponding service system for identity authentication according to the access code of the initial key; after the identity authentication is passed, receiving the identity information returned by the service system;
the static key inquiry module is used for inquiring the static key configured corresponding to the initial key according to the access code of the initial key to obtain the access code of the static key; the static key is configured to authenticate service access rights of the client;
the validity period acquisition module is used for acquiring the safety validity period; the safety validity period is used for representing the residual validity period for passing the user identity authentication;
the dynamic key generation module is used for generating a dynamic key; the dynamic key carries the access code of the static key, the identity information and the security validity period;
and the permission authentication module is used for returning the dynamic key to the client and carrying out permission authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period after receiving the service access request carrying the dynamic key sent by the client.
10. A service access rights authentication apparatus based on an OpenAPI, the apparatus comprising:
the request sending module is used for sending a user login request to the OpenAPI gateway; the user login request is generated by the client calling the initial key that the OpenAPI gateway configured for the client, and carries an access code of the initial key;
the dynamic key receiving module is used for receiving a dynamic key returned by the OpenAPI gateway; the dynamic key is generated by the OpenAPI gateway by: sending the user login request to a corresponding service system for identity authentication according to the access code of the initial key; after the identity authentication is passed, receiving the identity information returned by the service system; inquiring a static key configured corresponding to the initial key according to the access code of the initial key to obtain the access code of the static key, the static key being configured to authenticate service access rights of the client; acquiring a security validity period, the security validity period being used for representing the residual validity period for passing the user identity authentication; and generating the dynamic key accordingly; the dynamic key carries the access code of the static key, the identity information and the security validity period;
and the request authentication module is used for sending a service access request carrying the dynamic key to the OpenAPI gateway so that the OpenAPI gateway can carry out authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
11. The service access authority authentication system based on the OpenAPI is characterized by comprising a client, an OpenAPI gateway and a service system;
the client is used for sending a user login request to the OpenAPI gateway; the user login request is generated by the client calling the initial key that the OpenAPI gateway configured for the client, and carries an access code of the initial key;
the OpenAPI gateway is used for sending the user login request to a corresponding service system according to the access code of the initial key;
the service system is used for carrying out identity authentication according to the user login request, and returning corresponding identity identification information to the OpenAPI gateway after the identity authentication is passed;
the OpenAPI gateway is used for inquiring a static key configured corresponding to the initial key according to the access code of the initial key to obtain the access code of the static key; the static key is configured to authenticate service access rights of the client; acquiring a safe validity period; the safety validity period is used for representing the residual validity period for passing the user identity authentication; generating a dynamic key; the dynamic key carries the access code of the static key, the identity information and the security validity period; returning the dynamic key to the client;
the client is used for sending a service access request to the OpenAPI gateway; the service access request carries the dynamic key;
the OpenAPI gateway is used for carrying out authority authentication on the service access request according to the dynamic key, the access code of the static key carried by the dynamic key and the security validity period.
12. A server comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1-6 when the computer program is executed.
13. An electronic device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of claim 7 when executing the computer program.
14. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method according to any one of claims 1-7.
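The two-phase flow in claims 8 to 11 (initial key → identity authentication at the service system → static key lookup → dynamic key carrying the static key's access code, the identity information and a security validity period → authority authentication of each service access request) is easier to reason about with a concrete gateway in front of you. The following Python model is an added example written for this page, not code from the patent or its applicant. The patent does not specify the dynamic key's format, so the example assumes an HMAC-SHA256-signed JSON payload as a stand-in; the initial-key and static-key tables, the 15-minute validity period, the user database and the `orders.*` service names are all constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed gateway configuration (assumption, not from the patent):
# each client's initial-key access code maps to the static key configured
# for it, and each static key maps to the services it is permitted to call.
INITIAL_KEY_TO_STATIC_KEY = {"init-acme-001": "static-acme-A"}
STATIC_KEY_PERMISSIONS = {"static-acme-A": {"orders.read", "orders.write"}}

# Hypothetical gateway signing secret; a real gateway would load it from a
# secret store rather than embedding it in code.
GATEWAY_SECRET = b"constructed-gateway-secret"
SECURITY_VALIDITY_SECONDS = 900  # assumed security validity period (15 min)


def service_system_authenticate(login_request):
    """Stand-in for the service system's identity authentication step.
    Returns identity information on success, None on failure."""
    users = {"alice": "correct horse"}  # constructed user database
    expected = users.get(login_request["username"], "")
    if expected and hmac.compare_digest(expected, login_request["password"]):
        return {"user_id": "u-1001", "username": login_request["username"]}
    return None


def _sign(payload_b64: bytes) -> str:
    """HMAC-SHA256 over the encoded payload, hex-encoded (assumed key format)."""
    return hmac.new(GATEWAY_SECRET, payload_b64, hashlib.sha256).hexdigest()


def issue_dynamic_key(login_request, now=None):
    """Gateway side of the login phase (claims 8/9/11).
    Returns (dynamic_key, status); dynamic_key is None on any failure."""
    now = time.time() if now is None else now
    # Look up the static key configured for this initial key by its access code.
    static_code = INITIAL_KEY_TO_STATIC_KEY.get(login_request["initial_key"])
    if static_code is None:
        return None, "unknown initial key"
    # Forward the login request to the service system for identity authentication.
    identity = service_system_authenticate(login_request)
    if identity is None:
        return None, "identity authentication failed"
    # The dynamic key carries the static key's access code, the identity
    # information and the security validity period (stored as an absolute expiry).
    payload = {
        "static_key": static_code,
        "identity": identity,
        "expires_at": now + SECURITY_VALIDITY_SECONDS,
        "nonce": secrets.token_hex(8),
    }
    payload_b64 = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    )
    return payload_b64.decode() + "." + _sign(payload_b64), "ok"


def authenticate_access(dynamic_key, service, now=None):
    """Gateway side of the service access phase (claim 8/9/11 final step).
    Checks integrity, the security validity period, then the static key's rights."""
    now = time.time() if now is None else now
    try:
        payload_part, sig = dynamic_key.split(".", 1)
    except ValueError:
        return False, "malformed dynamic key"
    payload_b64 = payload_part.encode()
    # Verify the signature before trusting anything inside the key.
    if not hmac.compare_digest(_sign(payload_b64), sig):
        return False, "signature mismatch"
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    # Residual validity period must still be positive.
    if now >= payload["expires_at"]:
        return False, "security validity period expired"
    # Authority check against the static key named inside the dynamic key.
    allowed = STATIC_KEY_PERMISSIONS.get(payload["static_key"], set())
    if service not in allowed:
        return False, "static key not authorised for service"
    return True, "ok"


if __name__ == "__main__":
    key, status = issue_dynamic_key(
        {"initial_key": "init-acme-001", "username": "alice",
         "password": "correct horse"})
    print(status, authenticate_access(key, "orders.read"))
```

The order of checks in `authenticate_access` is the part worth keeping: signature first, so a forged or edited key is rejected before its expiry or static-key fields are read; validity period second, so an authentic but stale key cannot be replayed; and only then the static key's configured rights, which is where the claims' separation between the identity-bound dynamic key and the permission-bearing static key shows up.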
CN202311756185.4A 2023-12-19 2023-12-19 OpenAPI-based service access authority authentication method, device, system and server Pending CN117579374A (en)


Publications (1)

Publication Number Publication Date
CN117579374A true CN117579374A (en) 2024-02-20

Family

ID=89864312


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination