CN117614628A - ISTIO-based JWT authentication and authorization method and system - Google Patents


Info

Publication number
CN117614628A
Authority
CN
China
Prior art keywords
authorization
jwt
istio
client
token
Legal status
Pending
Application number
CN202311486796.1A
Other languages
Chinese (zh)
Inventor
魏东仪
王国安
彭家彦
陈强
杨国平
谢春生
党旭
Current Assignee
Lanzhou Feitian Netscape Information Industry Co ltd
Original Assignee
Lanzhou Feitian Netscape Information Industry Co ltd

Classifications

    • H04L9/3213: Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L63/0884: Network architectures or protocols for network security, for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity on its behalf vis-à-vis an authentication entity
    • H04L63/102: Network architectures or protocols for network security, for controlling access to devices or network resources; entity profiles
    • H04L67/08: Network arrangements or protocols for supporting network services or applications; protocols specially adapted for terminal emulation, e.g. Telnet
    • H04L9/40: Network security protocols
    • Y02D10/00: Climate change mitigation technologies in ICT; energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an ISTIO-based JWT authentication and authorization method and system in the technical field of computer security authentication. The method comprises the following steps: acquiring client resources and user-related information to construct an authorization model; identifying and managing user requests with an ISTIO gateway, and generating different JWT tokens for the current user through the unified server of the authentication center; after the client receives a JWT token, parsing the client authorization information so that the JWT token is matched against the authorization model for permission control; and, when a client request passes through the ISTIO gateway, obtaining the authorization model from the JWT token with a WebAssembly extension and dynamically running the model's logic in WASM to make the authorization decision, completing authorization. The method solves the problem of the excessive security risk of plain JWT (an issued token cannot be revoked or updated), improves the permission-control capability and efficiency of client and server, and distinguishes front-end from back-end permission control.

Description

ISTIO-based JWT authentication and authorization method and system
Technical Field
The invention relates to the technical field of computer security authentication, in particular to a JWT authentication and authorization method and system based on ISTIO.
Background
JWT (JSON Web Token) is an open standard (RFC 7519) based on JSON for transferring claims between parties in a web application environment. It defines token-based session management, specifying the standard content a token must contain and how the token is generated; a token consists of three parts, Header, Payload and Signature. It is currently the most popular cross-domain authentication solution. When a user communicates with a server, the server relies solely on the JWT to identify the user, and to prevent the user from tampering with the data the server adds a signature when generating it. The JWT is stored on the client and the server does not need to keep any session data, so the server is stateless and easier to scale; this makes JWT particularly suitable for single sign-on (SSO) across distributed sites. ISTIO is a complete implementation of microservice governance: an open service-mesh platform for cloud-native scenarios, tightly integrated with Kubernetes (k8s), built on a sidecar architecture and open to secondary development, whose main functions are connection, security, policy enforcement and observability.
However, the biggest disadvantage of JWT is that the server keeps no session state, so a token's rights cannot be revoked or changed while it is in use. Once issued, a JWT remains valid for its whole validity period, so the authorization information it carries is hard to update, and once a token leaks anyone holding it obtains all of its rights. To reduce the damage from theft, the validity period of a JWT should not be set too long, and identity authentication must be performed on every request for critical operations. Because the JWT is decoupled from the server there is no way to renew it; it can only be issued again. JWT therefore carries a significant security risk.
Based on this, the present application proposes a JWT authentication and authorization method and system based on ISTIO to solve the above-mentioned problems.
Disclosure of Invention
The invention aims to provide an ISTIO-based JWT authentication and authorization method and system that solve the problem of the excessive security risk of JWT, improve the permission-control capability and efficiency of client and server, and distinguish the permission control of the front end from that of the back end.
The technical scheme of the invention is as follows:
In a first aspect, the present application provides an ISTIO-based JWT authentication and authorization method, including the steps of:
S1, acquiring client resources and user-related information to construct an authorization model;
S2, identifying and managing a user request with the ISTIO gateway and, when the user logs in successfully, generating different JWT tokens for the current user through the unified server of the authentication center;
S3, after the client receives the JWT token, parsing the client authorization information so that the JWT token is matched against the authorization model for permission control;
S4, when a client request passes through the ISTIO gateway, obtaining the authorization model from the JWT token with a WebAssembly extension and dynamically running the model's logic in WASM to make the authorization decision, completing authorization.
It should be noted that complex permissions for access to the current resource are verified by the unified identity authentication service. If the current resource requires access permission from the authorization model of the complex-version JWT token, the complex permissions are carried to the microservice in an HTTP header and invoked directly by the microservice.
Further, in step S1, the authorization model is constructed by taking dynamically executed logic as the basic mode, adding calls to external RESTful interfaces, and computing over the client resources and the user-related information.
Further, in step S2, the JWT tokens include a basic-version JWT token and a complex-version JWT token. The basic-version token is used for client-side authorization; the complex-version token and the authorization model are cached on the unified server of the authentication center for use in the authorization processing of the service daemon.
When a client request reaches a business service in ISTIO, the complex-version JWT token is used for permission control as required, the control being realized through the permission data.
Further, the basic-version and complex-version JWT tokens are linked by a correspondence in the cache, and both carry the timestamp of the last modification of the user's permissions. When the user information or permission information changes, the latest-version JWT token is generated automatically at the time of the call.
If the permissions have changed, the latest JWT token is generated and returned; if complex permission control is required, the model of the complex-version JWT token is invoked to perform it.
Further, in step S3, matching the JWT token against the authorization model for permission control includes matching the client resources against the authorization model and carrying the JWT token when the client makes a subsequent request to the server.
Further, step S4 further includes: when the user's result data is returned through the gateway proxy, the WASM extension replaces the basic-version JWT token, so that subsequent client-side control uses the latest-version JWT token.
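As an added illustration of step S2 and the token rules above (example code written for this page, not code from the patent or its assignee): a Go stand-in for the authentication center's unified server that mints the basic-version and complex-version tokens for one user, both stamped with the timestamp of the last permission change, and verifies them. The signature algorithm (ES256), the claim names `ver`, `perm_ts` and `model`, the 10-minute lifetime and the issuer URL are this example's assumptions; the patent names none of them. In an Istio deployment the signature check itself is normally done by a RequestAuthentication resource against the issuer's JWKS, with the WASM extension reading the already-verified claims.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the payload of both token versions: perm_ts is the last-modification
// timestamp of the user's permissions; model is carried only by the complex version.
type Claims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Ver    string   `json:"ver"` // "basic" or "complex"
	PermTS int64    `json:"perm_ts"`
	Exp    int64    `json:"exp"`
	Model  []string `json:"model,omitempty"`
}

// Issuer stands in for the authentication center's unified server (ES256 is this example's choice).
type Issuer struct {
	key *ecdsa.PrivateKey
	iss string
}

func NewIssuer(iss string) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{key: key, iss: iss}, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign produces a compact JWS. A JWS ES256 signature is raw r||s, each value
// left-padded to 32 bytes, not the DER encoding that ecdsa.SignASN1 returns.
func (i *Issuer) sign(c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	pl, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, i.key, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// IssuePair mints the basic token (handed to the client) and the complex token (cached
// for the services), both stamped with permTS and short-lived. Calling it again after a
// permission change yields the latest version with a newer perm_ts, which is how a
// gateway or pod detects a stale token.
func (i *Issuer) IssuePair(sub string, model []string, permTS, now time.Time) (string, string, error) {
	c := Claims{Iss: i.iss, Sub: sub, Ver: "basic", PermTS: permTS.Unix(), Exp: now.Add(10 * time.Minute).Unix()}
	basic, err1 := i.sign(c)
	c.Ver, c.Model = "complex", model
	cplx, err2 := i.sign(c)
	if err1 != nil || err2 != nil {
		return "", "", errors.New("signing failed")
	}
	return basic, cplx, nil
}

// Verify checks structure, pinned algorithm (this rejects "alg":"none" and key
// confusion), signature, issuer and expiry, in that order.
func (i *Issuer) Verify(tok string, now time.Time) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg string }
	var c Claims
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hb, &hdr) != nil ||
		json.Unmarshal(pb, &c) != nil || hdr.Alg != "ES256" || len(sig) != 64 {
		return Claims{}, errors.New("malformed or unsupported token")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(&i.key.PublicKey, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return Claims{}, errors.New("bad signature")
	}
	if c.Iss != i.iss || now.Unix() >= c.Exp {
		return Claims{}, errors.New("wrong issuer or expired")
	}
	return c, nil
}

func main() {
	iss, _ := NewIssuer("https://auth.example.internal") // hypothetical issuer
	basic, _, _ := iss.IssuePair("alice", []string{"allow GET /orders"}, time.Now(), time.Now())
	fmt.Println(iss.Verify(basic, time.Now()))
}
```

The two tokens differ only in the `ver` and `model` claims, so a basic token can never be presented where the complex model is expected, and both carry the same `perm_ts`; the lifetime is deliberately short, which is the mitigation the background section asks for, since a leaked token stays valid until it expires.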
In a second aspect, the present application provides an ISTIO-based JWT authentication and authorization system, including:
the model construction module is used for acquiring client resources and user related information to construct an authorization model;
the JWT generation module is used for identifying and managing user requests by utilizing the ISTIO gateway, and generating different JWT tokens for the current user through a unified server of the authentication center when the user successfully logs in;
the authority control module is used for analyzing the client authorization information after the client receives the JWT token, so that the JWT token is matched with the authorization model to perform authority control;
and the authorization module is used for acquiring an authorization model in the JWT token by using WebAssembly extension when the client requests to pass through the ISTIO gateway, and dynamically starting the operation logic of the authorization model through the WASM to realize authorization logic judgment and complete authorization.
In a third aspect, the present application provides an electronic device, comprising:
a memory for storing one or more programs;
a processor;
an ISTIO-based JWT authentication authorization method as in any one of the first aspects is implemented when the one or more programs are executed by the processor.
In a fourth aspect, the present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements an ISTIO-based JWT authentication authorization method according to any of the first aspects above.
Compared with the prior art, the invention has at least the following advantages or beneficial effects:
The ISTIO-based JWT authentication and authorization method and system use the secondary-development capability of the ISTIO gateway to implement authorization control and token circulation for the front end and the back end separately with two JWT tokens, realize dynamic permission control in an interactive mode by packaging an authorization model, distinguish front-end from back-end authorization logic while integrating the authorization logic, and thereby improve the permission-control capability and efficiency of client and server as well as the security and efficiency of authentication and authorization.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a step diagram of an ISTIO-based JWT authentication and authorization method of the present invention;
FIG. 2 is a schematic block diagram of an authorization model;
FIG. 3 is an ISTIO-based JWT authentication authorization data flow diagram;
FIG. 4 is a flow chart of an ISTIO-based JWT authentication authorization;
fig. 5 is a schematic block diagram of an electronic device.
Icon: 101. a memory; 102. a processor; 103. a communication interface.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations.
Some embodiments of the present application are described in detail below with reference to the accompanying drawings. The various embodiments and features of the embodiments described below may be combined with one another without conflict.
Example 1
Referring to fig. 1, fig. 1 is a step diagram of an ISTIO-based JWT authentication and authorization method according to an embodiment of the present application.
In a first aspect, the present application provides an ISTIO-based JWT authentication and authorization method, including the steps of:
S1, acquiring client resources and user-related information to construct an authorization model;
S2, identifying and managing a user request with the ISTIO gateway and, when the user logs in successfully, generating different JWT tokens for the current user through the unified server of the authentication center;
S3, after the client receives the JWT token, parsing the client authorization information so that the JWT token is matched against the authorization model for permission control;
S4, when a client request passes through the ISTIO gateway, obtaining the authorization model from the JWT token with a WebAssembly extension and dynamically running the model's logic in WASM to make the authorization decision, completing authorization.
It should be noted that complex permissions for access to the current resource are verified by the unified identity authentication service. If the current resource requires access permission from the authorization model of the complex-version JWT token, the complex permissions are carried to the microservice in an HTTP header and invoked directly by the microservice.
As a preferred embodiment, in step S1, the authorization model is constructed by taking dynamically executed logic as the basic mode, adding calls to external RESTful interfaces, and computing over the client resources and the user-related information.
As a preferred embodiment, in step S2, the JWT tokens include a basic-version JWT token and a complex-version JWT token, the basic-version token being used for client-side authorization; the complex-version token and the authorization model are cached on the unified server of the authentication center for the authorization processing of the service daemon.
When a client request reaches a business service in ISTIO, the complex-version JWT token is used for permission control as required, the control being realized through the permission data.
As a preferred implementation, the basic-version and complex-version JWT tokens are linked by a correspondence in the cache, and both carry the timestamp of the last modification of the user's permissions. When the user information or permission information changes, the latest-version JWT token is generated automatically at the time of the call.
If the permissions have changed, the latest JWT token is generated and returned; if complex permission control is required, the model of the complex-version JWT token is invoked to perform it.
In a preferred embodiment, in step S3, matching the JWT token against the authorization model for permission control includes matching the client resources against the authorization model and carrying the JWT token when the client makes a subsequent request to the server.
As a preferred embodiment, step S4 further includes: when the user's result data is returned through the gateway proxy, the WASM extension replaces the basic-version JWT token, so that subsequent client-side control uses the latest-version JWT token.
In a second aspect, the present application provides an ISTIO-based JWT authentication and authorization system, including:
the model construction module is used for acquiring client resources and user related information to construct an authorization model;
the JWT generation module is used for identifying and managing user requests by utilizing the ISTIO gateway, and generating different JWT tokens for the current user through a unified server of the authentication center when the user successfully logs in;
the authority control module is used for analyzing the client authorization information after the client receives the JWT token, so that the JWT token is matched with the authorization model to perform authority control;
and the authorization module is used for acquiring an authorization model in the JWT token by using WebAssembly extension when the client requests to pass through the ISTIO gateway, and dynamically starting the operation logic of the authorization model through the WASM to realize authorization logic judgment and complete authorization.
Example 2
Referring to fig. 2, fig. 2 is a schematic block diagram of an authorization model provided in embodiment 2 of the present invention, and related functions thereof are as follows:
S110, function menu: defines the basic attributes of a function menu according to the RESTful request address, operation command and request label corresponding to the menu;
S120, system account: defines and manages a system account according to its organisation, post role and operation cache, forming the model unit of the system account;
S130, external interface: defines, in the form of formulas and dynamic scripts, the code of the formulas used for external access, to obtain account permissions, define function permissions and label the business data respectively;
S140, authorization model: integrates the system account, function menu and external interface related by an expression, with dynamic code as the main material, into a WASM package;
S150, WASM package: a code package that supports authorization and authentication when executed by an external system.
It should be noted that the ISTIO gateway is the carrier of inbound and outbound traffic; relying on the cloud-native ecosystem of K8S, the traffic between client and server and the associated JWT authentication information can be obtained through secondary development of the container technology. The Envoy proxy is the proxy unit deployed under ISTIO; it supports secondary extension development, can obtain authentication information by parsing the data-stream packets, and performs permission control. The authentication service center is built on the fast service capability of an in-memory database: it caches the latest user-account authentication and authorization-model data, reloads the permission information of the accounts in use when user information changes, exposes an open interface for obtaining the latest account permissions and for querying user permissions, centrally controls the computation of resource authorization, and builds the access-permission model of each resource to provide fast authorization.
When a client request is received, it is checked whether the request model of the current user needs updating; if not, the current model is returned, otherwise a model in the "needs update" state is returned, the update is delivered through a callback, and a permission-verification model is built internally from the user's permission information.
When a client request packet passes through Envoy, a channel between the client and the authentication service center is established through WASM, the token and the change label of the current user are obtained, and the request is forwarded to the application in the POD with the token in the request header.
After the latest JWT token has been obtained from the authentication service center, the legitimacy of the current user's login state and the access permission for the current resource are verified through the model; if either check fails, an illegal-access prompt is returned directly to the client and the related data message is not processed further.
After the POD application obtains the token from the header and determines that the current service requires complex authorization, it connects to the authentication service center to obtain the newly generated token and performs permission control according to the authorization model.
Referring to fig. 3, fig. 3 is a JWT authentication authorization data flow diagram based on ISTIO, mainly described around specific processing methods:
S210: In this embodiment the description uses HTTP messages: the client connects to the ISTIO gateway over the network and sends its request to the application POD service through the gateway;
S220: After the request passes the ISTIO gateway, it is identified in ENVOY, the JWT account and permission information are parsed and the account is verified; if the account is not valid, an illegal-login prompt is returned to the client;
S230: As the request passes the ENVOY proxy, WASM in the ISTIO container is used to obtain the token information of the current user account and verify the basic permissions;
S240: A request that passes permission verification flows directly through the ENVOY proxy to the application POD, with the latest-version token added to the request header so that the application POD can perform its internal permission verification;
S250: If, according to the interface specification, the application POD cannot obtain the user's permission information from the token in the header and complex permission control is required, it obtains the latest token information from the authentication service center through the interface, and the permission model performs the verification;
S260: The authentication center stores and manages short-lived data, keeping the data model and the JWT token in an in-memory database, so as to serve requests with timeliness requirements;
S270: After each ISTIO service starts, a long-lived connection to the authentication center is established via Envoy using WASM, so that token data can be obtained quickly from the authentication center and the authentication service used.
Referring to fig. 4, fig. 4 is an ISTIO-based JWT authentication authorization flow chart, mainly described around the trend of data flows in an ISTIO gateway proxy:
S310: When the client request passes ISTIO, the validity of the logged-in user is identified with the ISTIO extension capability, and the current user's account information and basic-version token are obtained in bypass mode;
if the current user's JWT token is not acceptable, the current request packet is aborted and a re-login prompt is returned to the user;
S320: The ENVOY proxy parses the JWT token and the basic permission model through WASM, obtains the account and permission information of the current logged-in user, and obtains from the authentication and authorization center the complex token authorization information for the current request and the validity period of the current token;
S330: Using the permission-control information obtained for the resource, ENVOY applies the basic-version and complex-version token permission models as the permission-control requirements dictate; requests that fit the authorization model continue downstream;
if authorization fails, the client's request packet is stopped before it is sent to the application POD and an authorization-failure message is returned to the client; if the authentication service center needs to update the token's permissions and the current resource needs the updated model to verify permission, the current service waits asynchronously; if the resource does not use permission verification, there is no wait;
S340: The authentication center receives the access information, detects that the current user's authorization has changed, updates and caches the current user's authorization model in the in-memory database, and at the same time pushes the authorization model asynchronously to the requesting party;
S350: If the POD needs the token and permission model, it accesses the authentication service center through the interface to obtain the authorization model and adapts the service permissions with the related permissions.
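The gateway-side decision of steps S310 to S350 (and S220 to S250 of fig. 3), as an added example that is not taken from the patent, with the fig. 2 authorization model reduced to a list of method/path-prefix rules: the extension takes the claims that Istio has already verified, asks the authentication center for the user's latest token pair and model, aborts with a re-login when the token is expired or the subject has no current record, swaps in the latest tokens when the permission timestamp is stale, and evaluates the model with default deny. The rule shape, the header name `X-Complex-Token`, the in-memory AuthCenter and the sample entries are this example's assumptions. It is plain Go logic rather than a proxy-wasm filter; in a real extension the same function would be called from the request-headers callback with the claims the jwt_authn filter exposes in Envoy's dynamic metadata.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// VerifiedClaims is what the extension sees after Istio's RequestAuthentication
// (Envoy's jwt_authn filter) has checked signature and issuer; the WASM code
// works on the verified payload and does not re-verify signatures itself.
type VerifiedClaims struct {
	Sub    string
	PermTS int64 // last-modification timestamp of the user's permissions
	Exp    int64
}

// Rule is a hypothetical shape for one entry of the authorization model.
type Rule struct {
	Allow  bool
	Method string // "*" matches any method
	Prefix string // path prefix
}

// Entry is the authentication center's cached record for one user.
type Entry struct {
	Basic, Complex string // current token pair
	PermTS         int64
	Model          []Rule
}

// AuthCenter is the long-lived channel to the authentication center;
// an in-memory map stands in for it here.
type AuthCenter interface{ Latest(sub string) (Entry, bool) }

type memCenter map[string]Entry

func (m memCenter) Latest(sub string) (Entry, bool) { e, ok := m[sub]; return e, ok }

type Request struct {
	Method, Path string
	Headers      map[string]string
}

// Decision: Status 0 forwards to the application pod, 401 asks the client to
// log in again, 403 is a model denial. RefreshToken, when set, is the newer
// basic token handed back to the client with the response (step S4).
type Decision struct {
	Status       int
	Reason       string
	RefreshToken string
}

// Authorize is the per-request logic of the gateway extension.
func Authorize(ac AuthCenter, c VerifiedClaims, req *Request, now time.Time) Decision {
	if now.Unix() >= c.Exp {
		return Decision{Status: 401, Reason: "token expired, re-login"}
	}
	e, ok := ac.Latest(c.Sub)
	if !ok {
		return Decision{Status: 401, Reason: "no active session for subject, re-login"}
	}
	if c.PermTS > e.PermTS { // claims newer than the center's record: fail closed
		return Decision{Status: 401, Reason: "token newer than authentication center record"}
	}
	var d Decision
	if c.PermTS < e.PermTS { // permissions changed since issue: hand the client the latest token
		d.RefreshToken = e.Basic
	}
	if !evalModel(e.Model, req.Method, req.Path) {
		d.Status, d.Reason = 403, "denied by authorization model"
		return d
	}
	if req.Headers == nil {
		req.Headers = map[string]string{}
	}
	// The pod always receives the latest pair, whatever the client presented.
	req.Headers["Authorization"] = "Bearer " + e.Basic
	req.Headers["X-Complex-Token"] = e.Complex // hypothetical header name
	return d
}

// evalModel: first matching rule wins; no match is a deny.
func evalModel(rules []Rule, method, path string) bool {
	for _, r := range rules {
		if (r.Method == "*" || r.Method == method) && strings.HasPrefix(path, r.Prefix) {
			return r.Allow
		}
	}
	return false
}

func main() {
	ac := memCenter{"alice": {Basic: "basic-v2", Complex: "complex-v2", PermTS: 1700000060,
		Model: []Rule{{Method: "DELETE", Prefix: "/orders"}, {Allow: true, Method: "*", Prefix: "/orders"}}}}
	req := &Request{Method: "GET", Path: "/orders/42", Headers: map[string]string{"Authorization": "Bearer basic-v1"}}
	d := Authorize(ac, VerifiedClaims{Sub: "alice", PermTS: 1700000000, Exp: 1700000600}, req, time.Unix(1700000000, 0))
	fmt.Printf("%+v %q\n", d, req.Headers["Authorization"])
}
```

The ordering matters: the center lookup comes before the model evaluation so that a user whose permissions were revoked after issue is denied by the latest model, not by the claims in the token the client still holds, and a token whose timestamp is ahead of the center's record is treated as forged rather than trusted.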
Example 3
Referring to fig. 5, fig. 5 is a schematic block diagram of an electronic device according to embodiment 3 of the present application.
An electronic device comprises a memory 101, a processor 102 and a communication interface 103, wherein the memory 101, the processor 102 and the communication interface 103 are directly or indirectly electrically connected with each other to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The memory 101 may be used to store software programs and modules that are stored within the memory 101 for execution by the processor 102 to perform various functional applications and data processing. The communication interface 103 may be used for communication of signaling or data with other node devices.
The memory 101 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and so on.
The processor 102 may be an integrated circuit chip with signal processing capability. It may be a general-purpose processor such as a central processing unit (CPU) or a network processor (NP), or a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
It will be appreciated that the architecture shown in the figures is illustrative only, and that a device implementing the ISTIO-based JWT authentication and authorization method and system may include more or fewer components than shown, or be configured differently from what is shown. The components shown may be implemented in hardware, in software, or in a combination of the two.
In the embodiments provided in the present application, it should be understood that the disclosed method may be implemented in other manners as well. The above-described embodiments are merely illustrative, for example, of the flowcharts or block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
If the functions are implemented as software functional modules and sold or used as a stand-alone product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence, or the part of it that contributes over the prior art, or a part of the technical solution, may be embodied as a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In summary, the ISTIO-based JWT authentication and authorization method and system provided in the embodiments of the present application use the gateway secondary-development (extension) capability of ISTIO to implement authorization control and token circulation for the front end and the back end with two separate JWT tokens, implement dynamic, interactive permission control by encapsulating the authorization model, separate front-end from back-end authorization logic while integrating that logic in one place, and thereby improve the permission-control capability and efficiency of client and server as well as the security and efficiency of authentication and authorization.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the same, but rather, various modifications and variations may be made by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application.

Claims (9)

1. An ISTIO-based JWT authentication and authorization method, characterized by comprising the following steps:
S1, acquiring client resources and user-related information to construct an authorization model;
S2, identifying and managing the user request with the ISTIO gateway and, when the user logs in successfully, generating different JWT tokens for the current user through the unified server of the authentication center;
S3, after the client receives the JWT token, parsing the client authorization information so that the JWT token is matched against the authorization model for permission control;
S4, when the client request passes through the ISTIO gateway, obtaining the authorization model from the JWT token with a WebAssembly (WASM) extension and dynamically running the authorization model's operation logic in WASM to make the authorization decision, thereby completing authorization.
2. The ISTIO-based JWT authentication and authorization method according to claim 1, wherein in step S1 the authorization model is constructed by taking dynamic execution logic as the base mode, adding calls to external RESTful interfaces, and computing the client resources and the user-related information together.
3. The ISTIO-based JWT authentication and authorization method according to claim 1, wherein in step S2 the JWT tokens comprise a basic JWT token and a complex JWT token; the basic JWT token is used for client-side authorization, and the complex JWT token and the authorization model are cached on the unified server of the authentication center for the authorization processing of the service daemon.
4. The ISTIO-based JWT authentication and authorization method according to claim 3, wherein the basic JWT token and the complex JWT token are mapped to each other in the cache, each carries a timestamp of the last modification of the user's permissions, and when the user information or the permission information changes, the latest JWT token is generated automatically according to the time of the call.
5. The ISTIO-based JWT authentication and authorization method according to claim 1, wherein in step S3 matching the JWT token against the authorization model for permission control comprises: matching the client resources against the authorization model, and having the client carry the JWT token on its subsequent requests to the server.
6. The ISTIO-based JWT authentication and authorization method according to claim 1, wherein step S4 further comprises: when the user's result data is returned through the gateway proxy, replacing the basic JWT token using the WASM extension capability, so that subsequent client-side control uses the latest JWT token.
7. An ISTIO-based JWT authentication and authorization system, comprising:
a model construction module for acquiring client resources and user-related information to construct an authorization model;
a JWT generation module for identifying and managing user requests with the ISTIO gateway and, when the user logs in successfully, generating different JWT tokens for the current user through the unified server of the authentication center;
a permission control module for parsing the client authorization information after the client receives the JWT token, so that the JWT token is matched against the authorization model for permission control; and
an authorization module for obtaining the authorization model from the JWT token with a WebAssembly extension when the client request passes through the ISTIO gateway, and dynamically running the authorization model's operation logic in WASM to make the authorization decision and complete authorization.
8. An electronic device, comprising:
a memory for storing one or more programs; and
a processor;
wherein the one or more programs, when executed by the processor, implement the ISTIO-based JWT authentication and authorization method according to any one of claims 1 to 6.
9. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the ISTIO-based JWT authentication and authorization method according to any one of claims 1 to 6.
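The dual-token scheme of claims 3, 4 and 6, as an added example that is not part of the patent (the applicant publishes no code): a short-lived "basic" JWT goes to the client, a "complex" JWT carrying the full authorization model stays in the authentication center's cache, and both carry the timestamp of the last permission change. The gateway makes its decision on the cached complex token rather than on the client's copy, and hands back a fresh basic token on the response when the timestamp shows the client's copy is stale. The JWT is built with the standard library only; the function names, the claim names (kind, perm_ts, scope, model), the rule format and the key are all assumptions of the example.

```python
# Added example, not code from the patent or its applicant: a standard-library model of
# the dual-JWT scheme in claims 3, 4 and 6. Function names, claim names (kind, perm_ts,
# scope, model), the rule format and the key are assumptions made for the example.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"example-hs256-key-not-for-production"  # constructed for the example

# Authentication-center cache: user -> latest basic token and its complex counterpart (claim 4)
CACHE = {}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Compact-serialised HS256 JWT (RFC 7519): base64url header and payload, HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_jwt(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims or raise ValueError. The algorithm is pinned, so a header saying
    alg=none (or anything but HS256) is refused before the MAC is computed; a token
    without exp is treated as expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def issue_token_pair(user: str, model: dict, perm_ts: int, now: int):
    """Mint both tokens at login or after a permission change (claims 3 and 4). The basic
    token carries only the permission list the client needs to adapt its UI; the complex
    token carries the whole model and never leaves the server side."""
    basic = sign_jwt({"sub": user, "kind": "basic", "perm_ts": perm_ts,
                      "scope": sorted(model["permissions"]), "iat": now, "exp": now + 900})
    complex_token = sign_jwt({"sub": user, "kind": "complex", "perm_ts": perm_ts,
                              "model": model, "iat": now, "exp": now + 3600})
    CACHE[user] = {"basic": basic, "complex": complex_token}
    return basic, complex_token


def evaluate_model(model: dict, method: str, path: str) -> bool:
    """The authorization model's own logic, as the gateway's WASM step would run it
    (claim 1, S4): the first rule matching method and path prefix decides; no rule, deny."""
    for rule in model["rules"]:
        if rule["method"] == method and path.startswith(rule["path"]):
            return rule["needs"] in model["permissions"]
    return False


def gateway_check(basic_token: str, method: str, path: str, now: int) -> dict:
    """Per-request decision at the gateway: allow/deny, a reason, and, when the client's
    basic token predates the latest permission change, the replacement basic token the
    gateway should place on the response so the client uses it from then on (claim 6)."""
    try:
        claims = verify_jwt(basic_token, now=now)
    except ValueError as exc:
        return {"allow": False, "reason": str(exc), "new_basic": None}
    if claims.get("kind") != "basic":
        return {"allow": False, "reason": "not a client token", "new_basic": None}
    entry = CACHE.get(claims.get("sub"))
    if entry is None:
        return {"allow": False, "reason": "no cached session", "new_basic": None}
    try:
        latest = verify_jwt(entry["complex"], now=now)  # decide on the server-side model
    except ValueError:
        return {"allow": False, "reason": "server-side session expired", "new_basic": None}
    allowed = evaluate_model(latest["model"], method, path)
    stale = claims.get("perm_ts", 0) < latest["perm_ts"]
    return {"allow": allowed, "reason": "ok" if allowed else "denied by model",
            "new_basic": entry["basic"] if stale else None}


if __name__ == "__main__":
    now = int(time.time())
    model = {"permissions": ["orders:read"],
             "rules": [{"method": "GET", "path": "/orders", "needs": "orders:read"}]}
    basic, _ = issue_token_pair("alice", model, perm_ts=now - 60, now=now)
    print(gateway_check(basic, "GET", "/orders/1", now))     # allowed, no rotation
    print(gateway_check(basic, "DELETE", "/orders/1", now))  # denied by model
```

In an Istio deployment the signature and expiry check on the basic token would normally be delegated to a RequestAuthentication resource's jwtRules, so the gateway rejects unsigned or expired tokens before any extension runs, leaving only the model evaluation and the response rewrite to the WasmPlugin. The point the example makes is that the gateway decides on the server-cached complex token, so a client holding a stale basic token cannot keep a permission that has since been revoked, and the rotated token it receives on the response is how the client's copy catches up; the prefix match in evaluate_model is deliberately simple and would need an exact or normalised path match before it guarded anything real.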
CN202311486796.1A, priority date 2023-11-08, filing date 2023-11-08: ISTIO-based JWT authentication and authorization method and system (Pending), published as CN117614628A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311486796.1A CN117614628A (en) 2023-11-08 2023-11-08 ISTIO-based JWT authentication and authorization method and system

Publications (1)

Publication Number Publication Date
CN117614628A true CN117614628A (en) 2024-02-27

Family

ID=89947206

Family Applications (1)

Application Number Status Publication Priority Date Filing Date Title
CN202311486796.1A Pending CN117614628A (en) 2023-11-08 2023-11-08 ISTIO-based JWT authentication and authorization method and system

Country Status (1)

Country Link
CN (1) CN117614628A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination