CN110417779A - A kind of authentication accessing method based on service - Google Patents

A kind of authentication accessing method based on service

Info

Publication number
CN110417779A
Authority
CN
China
Prior art keywords
kong
service
plug
access
authentication
Legal status
Pending
Application number
CN201910693341.4A
Other languages
Chinese (zh)
Inventor
吴良华
Current Assignee
Shanghai Para Software Co Ltd
Original Assignee
Shanghai Para Software Co Ltd
Priority date
2019-07-30
Filing date
2019-07-30
Publication date
2019-11-05
Application filed by Shanghai Para Software Co Ltd
Priority to CN201910693341.4A
Publication of CN110417779A
Legal status: pending (current)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A service-based authentication access method, relating to the technical field of API gateway plugin modules, and in particular to a service-based authentication access method. It comprises three major modules: configuration steps, operating steps and implementation. Configuration steps: step 1: modify the Kong.conf configuration file; step 2: deploy the authentication access (para-auth) plugin source code into the plugins directory of the Kong runtime environment; step 3: log in to the database and execute the plugin's database initialization command. By adopting the above technical scheme, the invention has the following beneficial effects: when an enterprise adjusts its technical architecture to a microservice model and needs to deploy a Kong gateway, it can seamlessly connect to a third-party authentication system, reducing the amount of custom development, accelerating deployment, lowering development cost, and solving the problem that service-based authentication could not be performed through an external OAuth2.0 authentication system and the tokens it issues.

Description

A kind of authentication accessing method based on service
Technical field
The present invention relates to the technical field of API gateway plugin modules, and in particular to a service-based authentication access method.
Background technique
Existing API gateway (Kong) plugins do not connect to an external OAuth2.0 authentication system module, and Kong's own authentication system cannot satisfy enterprise authentication requirements; in practice, an enterprise cannot use its own external authentication system after adopting Kong.
Summary of the invention
In view of the defects and deficiencies of the prior art, the present invention aims to provide a service-based authentication access method, so that when an enterprise adjusts its technical architecture to a microservice model and needs to deploy a Kong gateway, it can seamlessly connect to a third-party authentication system, reducing the amount of custom development, accelerating deployment, lowering development cost, and solving the problem that service-based authentication could not be performed through an external OAuth2.0 authentication system and the tokens it issues.
To achieve the above object, the present invention adopts the following technical scheme: it comprises three major modules, namely configuration steps, operating steps and implementation;
A, configuration steps
Step 1: modify the Kong.conf configuration file;
Step 2: deploy the authentication access (para-auth) plugin source code into the plugins directory of the Kong runtime environment;
Step 3: log in to the database and execute the plugin's database initialization command;
B, operating steps
Step 1: start Kong, define the service, define the route on the service, and add the group association;
Step 2: define the consumer, select the authentication access module, and associate the user's unique identifier with the consumer;
Step 3: add and configure the authentication access plugin on the consumer or globally;
Step 4: when a URL request accesses the route path defined in step 1, authentication is triggered: the module checks whether the URL of the accessed service carries an AccessToken, parses the request message according to the configured identifier, and uses the AccessToken to obtain an authorization identifier from the defined third-party authentication system;
Step 5: obtain the consumer credential according to the authorization identifier;
C, implementation
1) Lua scripting language
The plugin is written in the Lua scripting language, so that the plugin module can be parsed and invoked;
2) Kong open-source tool for building the environment
The runtime environment is built with the Kong open-source tool, so that the plugin module can be called directly and functional modules are dynamically parsed and run.
In step 1 of the configuration steps, when modifying the Kong.conf configuration file, the name of the authentication access module must be added.
The working principle of the invention: to solve the problem of connecting to external authentication, an external authentication interface module is added. It handles packet parsing, verifies the legitimacy of the token by interacting with the external authentication system, and adds a custom unique access identifier that the enterprise may redefine according to its own business needs. When an enterprise adjusts its technical architecture to a microservice model and needs to deploy a Kong gateway, it can seamlessly connect to a third-party authentication system, reducing the amount of custom development, accelerating deployment and lowering development cost.
By adopting the above technical scheme, the invention has the following beneficial effects: when an enterprise adjusts its technical architecture to a microservice model and needs to deploy a Kong gateway, it can seamlessly connect to a third-party authentication system, reducing the amount of custom development, accelerating deployment, lowering development cost, and solving the problem that service-based authentication could not be performed through an external OAuth2.0 authentication system and the tokens it issues.
Brief description of the drawings
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is the configuration flow chart of the invention;
Fig. 2 is the operation flow chart of the invention.
Specific embodiment
Referring to Fig. 1 and Fig. 2, the technical solution adopted in this embodiment comprises three major modules: configuration steps, operating steps and implementation;
A, configuration steps
Step 1: modify the Kong.conf configuration file;
Step 2: add the name of the authentication access module;
Step 3: deploy the authentication access (para-auth) plugin code into the plugins directory of the Kong runtime environment;
Step 4: log in to the database;
Step 5: execute the plugin's database initialization command;
B, operating steps
Step 1: start Kong, define the service, define the route on the service, and add the group association;
Step 2: define the consumer, select the authentication access module, and associate the user's unique identifier with the consumer;
Step 3: add and configure the authentication access plugin on the consumer or globally;
Step 4: when a URL request accesses the route path defined in step 1, authentication is triggered: the module checks whether the URL of the accessed service carries an AccessToken, parses the request message according to the configured identifier, and uses the AccessToken to obtain an authorization identifier from the defined third-party authentication system;
Step 5: obtain the consumer credential according to the authorization identifier;
C, implementation
1) Lua scripting language
The plugin is written in the Lua scripting language, so that the plugin module can be parsed and invoked;
2) Kong open-source tool for building the environment
The runtime environment is built with the Kong open-source tool, so that the plugin module can be called directly and functional modules are dynamically parsed and run.
Nginx: an open-source gateway written in the C language, usable for network load balancing and access filtering; plugins can be custom-configured, but a plugin only works after Nginx is recompiled and restarted to load it.
Lua: a scripting language, more flexible than C; it needs a host program to run inside, and it interoperates well with C.
OpenResty: parses the Lua scripting language and provides the Lua base library; it is the bridge converting between Lua and C, providing the corresponding C-written plugins for Nginx to call.
Kong: an open-source API gateway based on Nginx and OpenResty; it supports the Lua scripting language for plugin extension, plugin functions can be custom-configured and loaded at startup without recompilation, and the plugin interface is decoupled from the underlying layer.
AccessToken: the token that must be carried when accessing a service; it is issued uniformly by the authentication system, has a validity period and is unique, and the user's unique identifier can be obtained by verifying it in interaction with the authentication system.
OAuth: an open, secure and simple standard protocol for authorizing access to user resources. The authorization does not let the third party touch the user's account (such as the username and password); that is, the third party can apply for authorization to the user's resources without using the user's username and password.
Packet parsing: compatible with the AccessToken storage mode specified by the OAuth2.0 standard protocol and allowing a custom identifier, the module parses the request message to obtain the AccessToken attribute value and stores it.
Authentication system interaction: the authentication system is an external OAuth2.0 system, and the module obtains the user's unique identifier through the token. According to the configured authentication system URL, the module encapsulates the access token and interacts with the authentication system to obtain the user's unique identifier.
Custom unique identifier: this identifier is a variable value; it is the bridge between the access token, which is the unique credential for login access, and the consumer credential. The unique identifier variable for access can be customized according to business needs, and what the consumer's authentication mode associates is this variable value, normally the login ID.
Consumer credential: the consumer credential is the user's unique identifier that a request can obtain once authentication has passed; the unique identifier is related to the authentication mode and must be associated and configured on the consumer before operation.
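As an added example (not the patent's or Shanghai Para Software's own para-auth source), a Kong access-phase handler in Lua that carries out the packet parsing, authentication system interaction and consumer credential lookup described above. The config field names, the GET-based token resolution call and the JSON reply field are assumptions; the endpoint is whatever external OAuth2.0 system the enterprise configures.

```lua
-- handler.lua of a hypothetical Kong plugin "para-auth" (added example, not the patent's
-- source). Assumed config fields, declared in the plugin's schema.lua:
--   token_header / token_query   where the AccessToken is carried (header, then query arg)
--   auth_url (timeout_ms)        external OAuth2.0 endpoint that resolves a token to a user
--   id_field                     JSON field of the reply holding the user's unique identifier
--   consumer_field               "username" or "custom_id", the consumer attribute matched
local http  = require "resty.http"
local cjson = require "cjson.safe"

local ParaAuthHandler = { PRIORITY = 1000, VERSION = "0.1.0" }  -- authentication band

-- Packet parsing: read the AccessToken from the configured header (accepting the
-- RFC 6750 "Bearer <token>" form) or, failing that, from the configured query argument.
local function extract_token(conf)
  local header = conf.token_header and kong.request.get_header(conf.token_header)
  if header then
    return header:match("^[Bb]earer%s+(%S+)$") or header
  end
  return conf.token_query and kong.request.get_query_arg(conf.token_query) or nil
end

-- Authentication system interaction: present the token to the external OAuth2.0 system
-- and return the user's unique identifier, or nil and a reason.
local function resolve_token(conf, token)
  local client = http.new()
  client:set_timeout(conf.timeout_ms or 3000)
  local res, err = client:request_uri(conf.auth_url, {
    method = "GET",
    headers = { Authorization = "Bearer " .. token, Accept = "application/json" },
    ssl_verify = true,  -- never trust an identity answer from an unverified peer
  })
  if not res then
    return nil, "authentication system unreachable: " .. tostring(err)
  elseif res.status ~= 200 then
    return nil, "authentication system rejected token (HTTP " .. res.status .. ")"
  end
  local body = cjson.decode(res.body)
  local uid = body and body[conf.id_field]
  if type(uid) ~= "string" or uid == "" then
    return nil, "reply lacks unique identifier field " .. tostring(conf.id_field)
  end
  return uid
end

-- Consumer credential: map the unique identifier to a Kong consumer through the
-- configured attribute, via the cache so each request does not hit the database.
local function load_consumer(conf, uid)
  local dao = kong.db.consumers
  local by_custom_id = conf.consumer_field == "custom_id"
  local cache_key = dao:cache_key(by_custom_id and "custom_id" or "username", uid)
  return kong.cache:get(cache_key, nil, function()
    if by_custom_id then return dao:select_by_custom_id(uid) end
    return dao:select_by_username(uid)
  end)
end

function ParaAuthHandler:access(conf)
  local token = extract_token(conf)
  if not token then
    return kong.response.exit(401, { message = "AccessToken required" }, { ["WWW-Authenticate"] = 'Bearer realm="para-auth"' })
  end
  local uid, err = resolve_token(conf, token)
  if not uid then
    kong.log.notice("para-auth: ", err)  -- reason goes to the gateway log, not the client
    return kong.response.exit(401, { message = "invalid AccessToken" })
  end
  local consumer = load_consumer(conf, uid)
  if not consumer then
    kong.log.warn("para-auth: no consumer associated with identifier ", uid)
    return kong.response.exit(403, { message = "identity has no associated consumer" })
  end
  kong.client.authenticate(consumer, nil)  -- downstream plugins now see the consumer
  kong.service.request.set_header("X-Consumer-Unique-Id", uid)
end
return ParaAuthHandler
```

A consumer whose username or custom_id does not match the identifier returned by the authentication system is refused with 403 rather than silently passed through, which is the check that ties the external token to a Kong consumer credential.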
The working principle of the invention: to solve the problem of connecting to external authentication, an external authentication interface module is added. It handles packet parsing, verifies the legitimacy of the token by interacting with the external authentication system, and adds a custom unique access identifier that the enterprise may redefine according to its own business needs. When an enterprise adjusts its technical architecture to a microservice model and needs to deploy a Kong gateway, it can seamlessly connect to a third-party authentication system, reducing the amount of custom development, accelerating deployment and lowering development cost.
By adopting the above technical scheme, the invention has the following beneficial effects: when an enterprise adjusts its technical architecture to a microservice model and needs to deploy a Kong gateway, it can seamlessly connect to a third-party authentication system, reducing the amount of custom development, accelerating deployment, lowering development cost, and solving the problem that service-based authentication could not be performed through an external OAuth2.0 authentication system and the tokens it issues.
The above is only used to illustrate the technical solution of the invention and not to limit it; other modifications or equivalent replacements made by those of ordinary skill in the art to the technical solution of the invention, as long as they do not depart from the spirit and scope of the technical solution of the invention, are intended to fall within the scope of the claims of the invention.

Claims (2)

1. A service-based authentication access method, characterized in that it comprises three major modules: configuration steps, operating steps and implementation;
A, configuration steps
Step 1: modify the Kong.conf configuration file;
Step 2: deploy the authentication access (para-auth) plugin source code into the plugins directory of the Kong runtime environment;
Step 3: log in to the database and execute the plugin's database initialization command;
B, operating steps
Step 1: start Kong, define the service, define the route on the service, and add the group association;
Step 2: define the consumer, select the authentication access module, and associate the user's unique identifier with the consumer;
Step 3: add and configure the authentication access plugin on the consumer or globally;
Step 4: when a URL request accesses the route path defined in step 1, authentication is triggered: the module checks whether the URL of the accessed service carries an AccessToken, parses the request message according to the configured identifier, and uses the AccessToken to obtain an authorization identifier from the defined third-party authentication system;
Step 5: obtain the consumer credential according to the authorization identifier.
C, implementation
1) Lua scripting language
The plugin is written in the Lua scripting language, so that the plugin module can be parsed and invoked.
2) Kong open-source tool for building the environment
The runtime environment is built with the Kong open-source tool, so that the plugin module can be called directly and functional modules are dynamically parsed and run.
2. The service-based authentication access method according to claim 1, characterized in that in step 1 of the configuration steps, when modifying the Kong.conf configuration file, the name of the authentication access module must be added.
Application CN201910693341.4A (priority date 2019-07-30, filing date 2019-07-30): A kind of authentication accessing method based on service, pending, published as CN110417779A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910693341.4A CN110417779A (en) 2019-07-30 2019-07-30 A kind of authentication accessing method based on service

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910693341.4A CN110417779A (en) 2019-07-30 2019-07-30 A kind of authentication accessing method based on service

Publications (1)

Publication Number Publication Date
CN110417779A true CN110417779A (en) 2019-11-05

Family

ID=68364093

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910693341.4A Pending CN110417779A (en) 2019-07-30 2019-07-30 A kind of authentication accessing method based on service

Country Status (1)

Country Link
CN (1) CN110417779A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108446111A (en) * 2018-03-26 2018-08-24 国家电网公司客户服务中心 A kind of micro services construction method based on Spring cloud
CN109039880A (en) * 2018-09-05 2018-12-18 四川长虹电器股份有限公司 A method of simple authentication authorization is realized using API gateway
CN109981561A (en) * 2019-01-17 2019-07-05 华南理工大学 Monomer architecture system moves to the user authen method of micro services framework

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
KKBOB: "kong-external-oauth", 《HTTPS://GITHUB.COM》 *
LANSHIQIN: "cloud-project", 《HTTPS://GITHUB.COM》 *
蓝士钦: "API gateway integration with an OAuth authentication and authorization service", Jianshu (《简书》) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111385347A (en) * 2019-12-29 2020-07-07 南京云帐房网络科技有限公司 Service system routing method based on token + lua
CN111385347B (en) * 2019-12-29 2023-10-24 云帐房网络科技有限公司 Service system routing method based on token+lua implementation
CN114040009A (en) * 2021-10-18 2022-02-11 浪潮云信息技术股份公司 Method for implementing micro-service management platform gateway, storage medium and electronic equipment
CN114040009B (en) * 2021-10-18 2024-04-30 浪潮云信息技术股份公司 Method for realizing micro-service management platform gateway, storage medium and electronic equipment
CN114301622A (en) * 2021-11-17 2022-04-08 奇安信科技集团股份有限公司 Authentication method, authentication device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
US10764286B2 (en) System and method for proxying federated authentication protocols
Celesti et al. Security and cloud computing: Intercloud identity management infrastructure
US9430302B2 (en) Method, device and system for using and invoking Oauth API
CN110417779A (en) A kind of authentication accessing method based on service
US10063539B2 (en) SSO functionality by means of a temporary password and out-of-band communications
US8661420B2 (en) System and method for runtime interface versioning
EP2589179B1 (en) Apparatus and method for controlling access to multiple services
CN103716308B (en) Multiprotocol platform communication method and multiprotocol platform
CN103209200B (en) Cloud service exchange system and service-seeking and exchange method
WO2014040461A1 (en) Access control method and device
KR20080111005A (en) A system and method for creating, performing and mapping service
CN106911627B (en) A kind of true identity method of controlling security and its system based on eID
CN104935599B (en) A kind of general-purpose rights control management method and system
CN103209168A (en) Method and system for achieving single sign-on
WO2009021412A1 (en) A method, device and system for routing
CN111552568A (en) Cloud service calling method and device
CN113221093A (en) Single sign-on system, method, equipment and product based on block chain
Kotulski et al. New security architecture of access control in 5G MEC
Emig et al. Identity as a service–towards a service-oriented identity management architecture
CN104283852A (en) Mobile application single-sign-on authentication method, system, client side and server side
CN104753860B (en) Network service system based on middleware
CN110365700A (en) A kind of access control method based on service
Lakshminarayanan Authentication and authorization for Smart Grid application interfaces
CN114065182A (en) Micro-service application authentication method, system and device
CN103905376B (en) A kind of method and system that two-way authentication is carried out based on OAUTH agreements

Legal Events

Date Code Title Description
2019-11-05 PB01 Publication Application publication date: 20191105
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication