CN112261022A - Security authentication method based on API gateway - Google Patents

Security authentication method based on API gateway

Info

Publication number
CN112261022A
Authority
CN
China
Prior art keywords
api
gateway
token
authentication
api gateway
Prior art date
Legal status
Pending
Application number
CN202011104520.9A
Other languages
Chinese (zh)
Inventor
陈燕林
Current Assignee
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent passwords, e.g. periodically changing passwords
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority
    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a security authentication method based on an API gateway. The API gateway receives an API authentication request message and sends it to an authentication and authorization server; the authentication and authorization server generates a standard token from the end-user information, the access authority and its private key, and the token is returned to the API (application programming interface) caller through the API gateway; the public key is configured on the API gateway. The API caller then sends an API service request message carrying the standard token to the API gateway. The API gateway verifies the token information with the public key; if verification succeeds, it forwards the API service request message to the back-end service and returns the service response to the API caller, and if verification fails, it returns token failure information to the API caller. By using a token mechanism together with the private-key encryption and public-key decryption property of asymmetric algorithms, a universal identity authentication and authorization scheme is realized on the API gateway that accommodates the differing identity authentication protocols or standards of API providers.

Description

Security authentication method based on API gateway
Technical Field
The invention relates to the technical field of network security, in particular to a security authentication method based on an API gateway.
Background
In the prior art, once SaaS (software as a service) is implemented, an API gateway may expose internal services such as a platform or a system to third-party applications in the form of RESTful (Representational State Transfer) APIs, so that a third-party application can integrate different API services into its own application and derive new services, which promotes technical development and innovation.
The API gateway is a barrier designed to protect internal services and provides a high-performance API hosting service that lets application developers expose services externally with little effort. The API gateway is therefore the uniform entrance through which end users access the various services, and end users cannot avoid identity authentication and authorization when accessing them. Many open APIs need to identify the requester and decide, based on that identity, whether the requested resource may be returned. A token is a mechanism for identity verification; with it, an application does not need to keep a user's authentication or session information on the server, so stateless, distributed Web application authorization can be implemented. On a platform-level API gateway, the API services are provided by different API providers whose authentication and authorization protocols or standards are often inconsistent, and the API gateway platform does not integrate all of them. How to realize a set of general identity authentication and authorization on the API gateway platform while still meeting each user's personalized security settings is the main problem to be solved in an API gateway security authentication scheme.
Disclosure of Invention
The invention aims to provide a security authentication method based on an API gateway, which solves the problem that an API gateway platform in the prior art lacks a universal identity authentication and authorization protocol or standard and therefore cannot perform uniform authentication on the API services provided by all API providers.
The invention solves the problems through the following technical scheme:
a security authentication method based on an API gateway comprises the following steps:
step S1: the API gateway receives an API authentication request message sent by an API caller, the message comprising end-user information;
step S2: the API gateway sends the API authentication request message to the authentication and authorization server of the corresponding API provider. The authentication and authorization server is configured with the API provider's public key and private key and has the public key configured on the API gateway. After verifying the end-user information, it assigns access authority to the end user, generates a standard token from the end-user information, the access authority and the private key, and returns the standard token to the API gateway; the API gateway returns the generated standard token to the API caller;
step S3: the API caller caches the standard token locally and sends an API service request message carrying the standard token to the API gateway;
step S4: the API gateway parses the token information out of the request and verifies it with the pre-configured public key of the API provider; if verification succeeds and the standard token is still within its validity period, the next step is carried out; if verification fails or the standard token is outside its validity period, token failure information is returned to the API caller;
step S5: the API gateway forwards the received API service request message to the back-end service and returns the back-end service's response to the API caller.
After receiving the token failure information, the API caller resends the API authentication request message to the API gateway.
The end-user information includes a user name and a user password.
The authentication and authorization server of the API provider is configured with a key pair, and the API gateway verifies the token carried in the API caller's service request. Using the token authentication mechanism, the API gateway provides a uniform identity authentication service for end users at the gateway layer while meeting the individual requirement that each API provider can use the authentication protocol or standard it is familiar with to authorize API calls.
Compared with the prior art, the invention has the following advantages and beneficial effects:
the invention uses a token mechanism combined with the private-key encryption and public-key decryption property of asymmetric encryption algorithms to realize a universal identity authentication and authorization scheme on the API gateway, achieving unified authentication while accommodating the differing identity authentication protocols or standards and the personalized security settings of API providers.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
Example:
Referring to FIG. 1, a security authentication method based on an API gateway includes the following steps:
Step one: the API gateway receives an API authentication request message sent by an API caller and forwards it to the corresponding authentication and authorization server.
The API gateway is a platform-level API gateway and the unified entrance for accessing all back-end services. The API authentication request sent by the API caller comprises at least the end-user information, such as a user name and a password. After receiving the API authentication request, the API gateway determines which API provider the request belongs to and sends it to that provider's authentication and authorization server.
Step two: the authentication and authorization server generates a token.
The authentication and authorization server obtains the end-user information and verifies whether the user information supplied by the end user, such as the user name and user password, is correct; if it is, verification succeeds, otherwise it fails. After the end-user information is verified successfully, the server assigns appropriate access authority according to the user information and generates a standard token from the user information, the assigned access authority and the private key of the API provider's key pair. The API provider configures the public key of the key pair (the pair consisting of a private key and a public key) on the API gateway in advance. The key pair is used so that data encrypted with the private key can be decrypted with the public key, which protects the data during transmission. The API provider may generate the key pair with its own code or with an available online generation tool. Many externally open APIs need to identify the requester and decide, according to the token, whether the requested resource may be returned to it; the token is the identity authentication mechanism. The authentication and authorization protocol or standard used by the server may be OAuth2, OIDC (OpenID Connect), JWT (JSON Web Token), and so on.
Step three: the API caller caches the token locally.
The authentication and authorization server returns the generated token information to the API gateway, the API gateway forwards the response message carrying the token to the API caller, and the API caller caches the token locally after receiving the forwarded response, for use in subsequent service requests.
Step four: the API gateway receives an API service request message sent by the API caller.
The API caller sends a service request carrying the locally cached token information to the API gateway; the API gateway receives the API service request and parses the token information out of it.
Step five: the API gateway verifies, with the pre-configured public key, whether the parsed token information is valid; if it is valid, step six follows, otherwise step seven. Verifying that the token information is valid also requires verifying that the token is within its validity period: the API gateway checks the exp (expiration time) field in the token information, and the token is invalid once that field has expired.
Step six: the API gateway forwards the received API service request to the back-end service; the back-end service processes it and returns the response information to the API gateway, which returns the back-end service response to the API caller.
Step seven: the API gateway returns token failure information to the API caller, and the API caller, after receiving the token failure information, resends the API authentication request message to the API gateway.
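The full flow of steps one to seven (and the corresponding steps S1 to S5 of the disclosure), as an added Go example that is not part of the patent and not the applicant's code. It assumes a token in JWT layout (header.payload.signature) signed with Ed25519 from Go's standard library; the names AuthServer, Gateway, Authenticate, VerifyToken, HandleServiceRequest and NewProvider, the "read" scope and the user table are hypothetical and constructed for the example. What the patent calls "private key encryption and public key decryption" is, in implementation terms, a digital signature: the authentication server signs with the private key and the gateway verifies with the public key, so the gateway can check origin and integrity, but the token contents are readable by anyone holding the token.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the token payload: end user, assigned access authority, and the
// expiry (the "exp" field of step five) that the gateway must enforce.
type Claims struct {
	Sub   string `json:"sub"`
	Scope string `json:"scope"`
	Exp   int64  `json:"exp"` // Unix seconds
}

// AuthServer models the API provider's authentication and authorization server;
// only it holds the private key. The user table is constructed sample data
// (a real server would compare a salted password hash, not plaintext).
type AuthServer struct {
	priv  ed25519.PrivateKey
	users map[string]string
	ttl   time.Duration
}

// Gateway holds only the provider's public key, configured in advance.
type Gateway struct{ pub ed25519.PublicKey }

var b64 = base64.RawURLEncoding

// Authenticate is step two: verify the end-user information, assign access
// authority and issue a standard token (JWT layout) signed with the private key.
func (a *AuthServer) Authenticate(user, pass string, now time.Time) (string, error) {
	if p, ok := a.users[user]; !ok || p != pass {
		return "", errors.New("end-user information incorrect")
	}
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, _ := json.Marshal(Claims{Sub: user, Scope: "read", Exp: now.Add(a.ttl).Unix()})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(a.priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is step five: check the signature with the pre-configured public
// key before trusting anything in the payload, then check exp.
func (g *Gateway) VerifyToken(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(g.pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if payload, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// HandleServiceRequest covers steps four, six and seven: a valid token is
// forwarded to the back end, otherwise token failure information is returned
// so the caller re-authenticates.
func (g *Gateway) HandleServiceRequest(token string, now time.Time, backend func(Claims) string) (string, error) {
	c, err := g.VerifyToken(token, now)
	if err != nil {
		return "", fmt.Errorf("token failure: %w", err)
	}
	return backend(*c), nil
}

// NewProvider generates a key pair: private key to the auth server, public key to the gateway.
func NewProvider() (*AuthServer, *Gateway) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &AuthServer{priv: priv, users: map[string]string{"alice": "correct horse"}, ttl: time.Hour}, &Gateway{pub: pub}
}

func main() {
	auth, gw := NewProvider()
	backend := func(c Claims) string { return "back-end response for " + c.Sub + " (" + c.Scope + ")" }
	token, err := auth.Authenticate("alice", "correct horse", time.Now()) // steps one to three
	if err != nil {
		panic(err)
	}
	fmt.Println(gw.HandleServiceRequest(token, time.Now(), backend))                   // forwarded
	fmt.Println(gw.HandleServiceRequest(token, time.Now().Add(2*time.Hour), backend)) // token failure: expired
}
```

The gateway never reads the token's alg header: the verification algorithm and key are fixed by the provider's configuration, so a caller cannot influence which key or algorithm is used. The signature is checked before the payload is decoded, so a caller who edits the scope or exp field of a cached token gets a token failure rather than elevated access, and the expiry check uses the gateway's own clock rather than anything in the request.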
Although the present invention has been described herein with reference to the illustrated embodiments thereof, which are intended to be preferred embodiments of the present invention, it is to be understood that the invention is not limited thereto, and that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the spirit and scope of the principles of this disclosure.

Claims (3)

1. A security authentication method based on an API gateway is characterized by comprising the following steps:
step S1: the method comprises the steps that an API gateway receives an API authentication request message sent by an API calling party, wherein the API authentication request message comprises terminal user information;
step S2: the API gateway sends the API authentication request message to an authentication authorization server of a corresponding API provider, the authentication authorization server is configured with a public key and a private key of the API provider and configures the public key on the API gateway, the authentication authorization server distributes access authority for the terminal user after verifying the terminal user information, generates a standard token according to the terminal user information, the access authority and the private key and returns the standard token to the API gateway; the API gateway returns the generated standard token to the API caller;
step S3: the API caller carries the standard token to send an API service request message to an API gateway;
step S4: the API gateway verifies the token information obtained by analysis according to a pre-configured public key of an API provider, and if the verification is successful and the standard token is still in the valid period, the next step is carried out; if the verification is unsuccessful or the standard token is not in the validity period, returning token failure information to the API caller;
step S5: the API gateway forwards the received API service request message to the back-end service and returns a service response returned by the back-end service to the API caller.
2. The API gateway-based security authentication method according to claim 1, wherein the API caller resends the API authentication request message to the API gateway after receiving the token failure message.
3. The API gateway-based security authentication method of claim 1, wherein the end-user information comprises a user name and a user password.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011104520.9A CN112261022A (en) 2020-10-15 2020-10-15 Security authentication method based on API gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011104520.9A CN112261022A (en) 2020-10-15 2020-10-15 Security authentication method based on API gateway

Publications (1)

Publication Number Publication Date
CN112261022A true CN112261022A (en) 2021-01-22

Family

ID=74243561

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011104520.9A Pending CN112261022A (en) 2020-10-15 2020-10-15 Security authentication method based on API gateway

Country Status (1)

Country Link
CN (1) CN112261022A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112804258A (en) * 2021-03-11 2021-05-14 北京市商汤科技开发有限公司 Authentication and authorization method, authorization server, API gateway, system and storage medium
CN114124408A (en) * 2021-11-26 2022-03-01 浪潮云信息技术股份公司 Method and system for realizing back-end signature of API gateway
CN114363054A (en) * 2021-12-31 2022-04-15 杭州数梦工场科技有限公司 Interface request conversion method, interface conversion device, electronic device and storage medium
CN114598490A (en) * 2021-04-09 2022-06-07 亚信科技(南京)有限公司 Method, device and equipment for redirecting page based on API gateway and storage medium
CN114650180A (en) * 2022-03-31 2022-06-21 广东省工业边缘智能创新中心有限公司 Micro-service authentication method and system
CN115516574A (en) * 2020-06-18 2022-12-23 柠檬医疗保健有限公司 Cloud-based API specification management method for linking multiple hospital servers and federation servers in simultaneous concurrent manner
CN115913568A (en) * 2022-11-08 2023-04-04 杭州网易再顾科技有限公司 Authorization authentication method and device, gateway, medium and computer equipment

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150033330A1 (en) * 2013-07-24 2015-01-29 Verizon Patent And Licensing Inc. Collection and analysis of customer data from application programming interface usage
US20170142085A1 (en) * 2015-11-16 2017-05-18 Mastercard International Incorporated Systems and Methods for Authenticating Network Messages
CN108259432A (en) * 2016-12-29 2018-07-06 亿阳安全技术有限公司 A kind of management method of API Calls, equipment and system
CN108512784A (en) * 2018-06-21 2018-09-07 珠海宏桥高科技有限公司 Authentication method based on gateway routing forwarding
CN109039880A (en) * 2018-09-05 2018-12-18 四川长虹电器股份有限公司 A method of simple authentication authorization is realized using API gateway
CN109617907A (en) * 2019-01-04 2019-04-12 平安科技(深圳)有限公司 Authentication method, electronic device and computer readable storage medium
CN109995754A (en) * 2019-02-20 2019-07-09 石化盈科信息技术有限责任公司 The method and computer readable storage medium of application access server end API
US10673839B2 (en) * 2015-11-16 2020-06-02 Mastercard International Incorporated Systems and methods for authenticating network messages

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150033330A1 (en) * 2013-07-24 2015-01-29 Verizon Patent And Licensing Inc. Collection and analysis of customer data from application programming interface usage
US20170142085A1 (en) * 2015-11-16 2017-05-18 Mastercard International Incorporated Systems and Methods for Authenticating Network Messages
US9769142B2 (en) * 2015-11-16 2017-09-19 Mastercard International Incorporated Systems and methods for authenticating network messages
US10673839B2 (en) * 2015-11-16 2020-06-02 Mastercard International Incorporated Systems and methods for authenticating network messages
CN108259432A (en) * 2016-12-29 2018-07-06 亿阳安全技术有限公司 A kind of management method of API Calls, equipment and system
CN108512784A (en) * 2018-06-21 2018-09-07 珠海宏桥高科技有限公司 Authentication method based on gateway routing forwarding
CN109039880A (en) * 2018-09-05 2018-12-18 四川长虹电器股份有限公司 A method of simple authentication authorization is realized using API gateway
CN109617907A (en) * 2019-01-04 2019-04-12 平安科技(深圳)有限公司 Authentication method, electronic device and computer readable storage medium
CN109995754A (en) * 2019-02-20 2019-07-09 石化盈科信息技术有限责任公司 The method and computer readable storage medium of application access server end API

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WEIXIN_33965305: "Alibaba Cloud API Gateway (11): the three API security authentication methods", 《HTTPS://BLOG.CSDN.NET/WEIXIN_33965305/ARTICLE/DETAILS/85919689》 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115516574A (en) * 2020-06-18 2022-12-23 柠檬医疗保健有限公司 Cloud-based API specification management method for linking multiple hospital servers and federation servers in simultaneous concurrent manner
CN115516574B (en) * 2020-06-18 2023-08-01 柠檬医疗保健有限公司 Cloud-based API specification management method for linking multiple hospital servers and federated servers in a concurrent manner
CN112804258A (en) * 2021-03-11 2021-05-14 北京市商汤科技开发有限公司 Authentication and authorization method, authorization server, API gateway, system and storage medium
CN112804258B (en) * 2021-03-11 2023-02-28 北京市商汤科技开发有限公司 Authentication and authorization method, authorization server, API gateway, system and storage medium
CN114598490A (en) * 2021-04-09 2022-06-07 亚信科技(南京)有限公司 Method, device and equipment for redirecting page based on API gateway and storage medium
CN114598490B (en) * 2021-04-09 2024-03-29 亚信科技(南京)有限公司 Method, device, equipment and storage medium for redirecting page based on API gateway
CN114124408A (en) * 2021-11-26 2022-03-01 浪潮云信息技术股份公司 Method and system for realizing back-end signature of API gateway
CN114363054A (en) * 2021-12-31 2022-04-15 杭州数梦工场科技有限公司 Interface request conversion method, interface conversion device, electronic device and storage medium
CN114363054B (en) * 2021-12-31 2023-12-01 杭州数梦工场科技有限公司 Interface request conversion method, interface conversion device, electronic equipment and storage medium
CN114650180A (en) * 2022-03-31 2022-06-21 广东省工业边缘智能创新中心有限公司 Micro-service authentication method and system
CN115913568A (en) * 2022-11-08 2023-04-04 杭州网易再顾科技有限公司 Authorization authentication method and device, gateway, medium and computer equipment

Similar Documents

Publication Publication Date Title
CN112261022A (en) Security authentication method based on API gateway
EP3251324B1 (en) Secure access to cloud-based services
JP4673364B2 (en) Method for verifying first ID and second ID of entity
CN110322940B (en) Access authorization method and system for medical data sharing
US9191814B2 (en) Communications device authentication
EP1965558B1 (en) Method, apparatuses and computer program product for robust digest authentication using two types of nonce values
US6785729B1 (en) System and method for authorizing a network user as entitled to access a computing node wherein authenticated certificate received from the user is mapped into the user identification and the user is presented with the opprtunity to logon to the computing node only after the verification is successful
CN103220303B (en) The login method of server and server, authenticating device
CN108833507B (en) Authorization authentication system and method for shared product
JP2007528650A5 (en)
JP2013138474A (en) Authentication delegation based on re-verification of cryptographic evidence
CN103051628A (en) Method and system for obtaining authentication token based on servers
WO2012024910A1 (en) Authentication method, apparatus and system
WO2015139725A1 (en) User identifier based device, identity and activity management system
EP2957064B1 (en) Method of privacy-preserving proof of reliability between three communicating parties
WO2011144081A2 (en) Method, system and server for user service authentication
DK2414983T3 (en) Secure computer system
WO2015089996A1 (en) Security authentication method and authorization authentication server
WO2010043134A1 (en) Method and system for realizing third party authentication of trans-system access in a communication system
Huang et al. A token-based user authentication mechanism for data exchange in RESTful API
CN113569210A (en) Distributed identity authentication method, equipment access method and device
CN114390524B (en) Method and device for realizing one-key login service
JP2007181123A (en) Digital certificate exchange method, terminal device, and program
RU2325774C2 (en) Method of password management
US11146536B2 (en) Method and a system for managing user identities for use during communication between two web browsers

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20210122