CN112804224A - Authentication method, device, medium and electronic equipment based on micro service - Google Patents

Info

Publication number: CN112804224A
Authority: CN (China)
Prior art keywords: authentication, service, service request, request, type
Legal status: Granted, Active
Application number: CN202110018399.6A
Other languages: Chinese (zh)
Other versions: CN112804224B (en)
Inventors: 汪海滨, 何国立
Current Assignee: Shenyang Linlong Technology Co ltd
Original Assignee: Shenyang Linlong Technology Co ltd
Application filed by: Shenyang Linlong Technology Co ltd
Legal events: priority to CN202110018399.6A; publication of CN112804224A; application granted; publication of CN112804224B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiment of the invention discloses a method, a device, a medium and electronic equipment for authentication based on micro-service. The method comprises the following steps: if a service request is received, determining the authentication type of the service request according to the request path of the service request; if the type is the first type, analyzing request parameters in the service request, authenticating the service request by adopting authentication aggregation micro-service, and authenticating the service request by adopting strong authentication aggregation micro-service to obtain a strong authentication result; if the type is the second type, authenticating the service request by adopting weak authentication aggregation micro service according to the request parameters in the service request to obtain a weak authentication result; and performing aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request and returning the service request result to the client. By adopting the technical scheme provided by the application, different logics of authentication and authorization can be adopted for different services, and the purpose of accurate feedback can be realized for different access ways.

Description

Authentication method, device, medium and electronic equipment based on micro service
Technical Field
The embodiment of the invention relates to the technical field of internet, in particular to a method, a device, a medium and electronic equipment for authentication based on micro-service.
Background
With the development of science and technology, it has become very common for users to access server systems through different channels. To keep the information fed back consistent when a user accesses the system through different channels, the prior art strongly couples authentication and authorization in the underlying architecture of the server system. The advantage of this arrangement is that a fixed mode can be used for authentication and authorization, ensuring consistent information across different access channels. The problem, however, is that because authentication and authorization are coupled when processing a service, it is difficult to handle services that only require authorization and do not require authentication, so some services cannot be processed normally.
Disclosure of Invention
The embodiment of the invention provides a method, a device, a medium and electronic equipment for authentication based on micro-service, which can adopt different logics of authentication and authorization aiming at different services and achieve the aim of accurate feedback aiming at different access.
In a first aspect, an embodiment of the present invention provides a method for authentication and authorization based on microservice, where the method includes:
if a service request is received, determining the authentication type of the service request according to the request path of the service request;
if the authentication type is a first type, analyzing a request parameter in the service request, authenticating the service request by adopting authentication aggregation micro-service, and authenticating the service request by adopting strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is a second type, authenticating the service request by adopting weak authentication aggregation micro-service according to a request parameter in the service request to obtain a weak authentication result;
and performing aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request and returning the service request result to the client.
Further, if a service request is received, determining an authentication type of the service request according to a request path of the service request, including:
if a service request is received, analyzing request parameters of the service request;
determining a request path according to the request parameters; if the request path corresponds to an authentication interface, determining that the authentication type of the service request is a first type; and if the request path corresponds to a weak authentication interface, determining that the authentication type of the service request is a second type.
Further, determining the authentication mode corresponding to the request path includes:
determining a URL address in a configuration file corresponding to the service request according to the request parameters;
and determining an authentication mode according to the URL address in the configuration file and an authentication mode code corresponding to the URL address.
Further, the method further comprises:
and determining a verification field corresponding to the URL address of the service request according to the URL address in the configuration file.
Further, analyzing the request parameters in the service request, authenticating the service request by using the authentication aggregation micro-service, and authenticating the service request by using the strong authentication aggregation micro-service to obtain a strong authentication result, including:
receiving an authentication request of the service request through a gateway, and forwarding the authentication request to an authentication aggregation micro-service;
verifying the authentication information in the service request through the authentication aggregation micro-service, and if the authentication information passes the verification, returning a Token to the client; the authentication aggregation micro-service comprises at least one basic authentication service among mobile phone number authentication, WeChat authentication, QQ authentication, applet authentication and account authentication;
if the Token is carried in the service request sent by the client side through the gateway, determining that the service request is a strong authentication request;
and if the Token is verified to be effective, forwarding the service request to the strong authentication aggregation micro-service so that the strong authentication aggregation micro-service authenticates the service request to obtain a strong authentication result.
Further, according to the request parameter in the service request, a weak authentication aggregation microservice is adopted to authenticate the service request, and a weak authentication result is obtained, which includes:
receiving user information in a service request sent by the client through a gateway, and if the user information passes verification, sending a weak authentication request in the service request to a weak authentication aggregation micro-service;
and authenticating the service request through the weak authentication aggregation micro service to obtain a weak authentication result.
Further, the method further comprises:
determining whether the load capacity of the current service request reaches a load threshold value;
if yes, the interface with the authentication type being the second type is closed.
In a second aspect, an embodiment of the present invention further provides an authentication and authorization apparatus based on microservice, including:
the authentication type determining module is used for determining the authentication type of the service request according to the request path of the service request if the service request is received;
the authentication result acquisition module is used for analyzing the request parameters in the service request if the authentication type is a first type, authenticating the service request by adopting authentication aggregation micro-service, and authenticating the service request by adopting strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is a second type, authenticating the service request by adopting weak authentication aggregation micro-service according to a request parameter in the service request to obtain a weak authentication result;
and the service processing module is used for carrying out aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request and returning the service request result to the client.
In a third aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the authentication and authorization method based on microservices as described in the present application.
In a fourth aspect, an embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the computer program to implement the authentication and authorization method based on microservices according to the embodiment of the present application.
According to the technical scheme provided by the embodiment of the application, if a service request is received, the authentication type of the service request is determined according to the request path of the service request; if the authentication type is a first type, analyzing a request parameter in the service request, authenticating the service request by adopting authentication aggregation micro-service, and authenticating the service request by adopting strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is a second type, authenticating the service request by adopting weak authentication aggregation micro-service according to a request parameter in the service request to obtain a weak authentication result; and performing aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request and returning the service request result to the client. The technical scheme provided by the application can adopt different authentication and authorization logics aiming at different services, and the purpose of accurate feedback when accessing in different ways is achieved.
Drawings
FIG. 1 is a flowchart of a method for authentication and authorization based on microservice according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating an authentication service provided by an embodiment of the invention;
FIG. 3 is a schematic diagram of a strong authentication service provided in an embodiment of the present invention;
FIG. 4 is a schematic diagram of a weak authentication service provided in an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an authentication and authorization apparatus based on microservice according to a second embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present application.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the steps as a sequential process, many of the steps can be performed in parallel, concurrently or simultaneously. In addition, the order of the steps may be rearranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
The micro-service architecture is a new software architecture style that has become the mainstream server architecture. Unlike a monolithic application, in which all module functions are deployed together in one package, a micro-service system is composed of a plurality of micro-services. Each micro-service can be independently designed, developed and deployed and is responsible for a different business function, which greatly improves the flexibility of the system. Because there are so many services, however, secure access based on micro-services is becoming increasingly important.
In the existing authentication and authorization methods, one mode is based on Session + Cookie, and the other mode is based on Token.
Session + Cookie mode: after a registered user submits a login request, the Web server checks the user name and password against the database. If the check passes, a record is added to the Session and returned to the browser. In the message returned to the browser, the sessionId is placed inside the Cookie.
Token-based mode: a Token generally contains the relevant information of the user, and identity verification can be completed by verifying the Token. The Token is generated at the authentication server (i.e., the gateway). If the client requests authentication from the authentication server with a user name and password and the authentication succeeds, the authentication server returns a user Token to the client. The client can carry the Token in each service request, and authentication and authorization are performed through the gateway: authentication mainly checks whether the user information is legitimate, and authorization checks whether the Token is valid, expired, and so on. If the check passes, the gateway forwards the service request to the underlying service for processing.
The problem with the Session + Cookie mode is that the user session is bound to a particular server. If that server needs to be upgraded or modified, or if it is delayed or goes down, the batch of authenticated user information held on it disappears instantly, and the users need to log in again.
The problem with the Token-based mode is that, in the prior art, authentication and authorization are coupled; that is, when a client calls a request of a server, either authentication and authentication are performed or authentication and non-authentication are performed. Implementing the business service is then very complex and produces a large amount of redundant code.
Example one
Fig. 1 is a flowchart of a microservice-based authentication and authorization method according to an embodiment of the present invention, where the embodiment is applicable to a case where service requests of different paths are processed in different manners, and the method can be executed by a microservice-based authentication and authorization apparatus according to an embodiment of the present invention, where the apparatus can be implemented by software and/or hardware, and can be integrated in an electronic device of a service system.
As shown in fig. 1, the method includes:
S110, if a service request is received, determining the authentication type of the service request according to the request path of the service request.
The service request may be sent by the client, specifically, the service request may be sent by the client on an application program (APP), or may be sent in a client page, such as a page on the PC side, or may be sent in an applet or a native H5 page.
In this scheme, the request path of the service request may include the type of interface called by the service request; for example, it may include an authentication and authorization interface, or only an authorization interface. It is understood that the request path is not reflected only by the interface; anything that distinguishes request paths, such as different callers or different invocation targets, can be used to distinguish service requests. The authentication type of the service request can be determined according to the request path.
In this scheme, service authentication types can be divided into a type that requires both authentication and authorization, namely the strong authentication type, and a type that requires only authorization, namely the weak authentication type.
Optionally, in this embodiment, if a service request is received, determining the authentication type of the service request according to the request path of the service request includes:
if a service request is received, analyzing request parameters of the service request;
determining a request path according to the request parameters; if the request path corresponds to an authentication interface, determining that the authentication type of the service request is a first type; and if the request path corresponds to a weak authentication interface, determining that the authentication type of the service request is a second type.
The request parameters may be parameters related to the service request, such as the content of the request, the response object required by the request, and the interface required by the request. Once the request parameters are obtained, the request path can be determined from them; as described above, if the interface required by the service request can be determined, the request path can be determined. After the request path is determined, different authentication types can be determined according to the different interfaces that need to be called.
The scheme has the advantage that the request path can be determined according to the request parameters of the service request, so that the authentication type of the service request can be determined. Through the arrangement, the service system can be compatible with different types of authentication and authorization types at the same time, different authentication and authorization logics do not need to be designed for strong authentication and weak authentication respectively, multiple authentication modes are integrated, and better compatibility is provided for service requests sent by different paths.
Optionally, in this scheme, determining the authentication mode corresponding to the request path includes:
determining a URL address in a configuration file corresponding to the service request according to the request parameters;
and determining an authentication mode according to the URL address in the configuration file and an authentication mode code corresponding to the URL address.
Further, the method further comprises:
and determining a verification field corresponding to the URL address of the service request according to the URL address in the configuration file.
The following table is a partial example of a configuration file. url is the address, i.e. the request path from which the request originated. url_filed is the field that needs to be verified; if it is empty, the path does not need to be verified. A gateway_type of 1 means that sensitive information, such as a mobile phone number, needs to be encrypted in transit; a value of 2 means that encryption is not needed, and it can also be determined that weak authentication is performed directly. source_system is the project name of the business layer, which may be the project name of the microservice.
[Table image not reproduced]
In addition, the following code provides a specific calling mode for authentication:
[Code listing image not reproduced]
In this scheme, after the request parameters are obtained, the configuration file in the service system can be read, the interface configuration items in it determined, and the interface associated with the request parameters identified. The interface of the service request can thus be determined from the request parameters and can be configured, which achieves management and control of the request path of the service request.
In the foregoing scheme, specifically, the method further includes:
and determining the calling interface information of the changed interface configuration item in response to the changing operation of the interface configuration item in the configuration file.
It can be understood that if the authentication and authorization policy of the content changes at different time periods for the same content request, the adjustment of the calling interface can be realized by modifying the configuration file by the staff, so that the change of the interface configuration item can be realized. The scheme can flexibly adjust the authentication type of the service request through the setting, and can flexibly process according to the actual requirement of the service.
S120, if the authentication type is a first type, analyzing a request parameter in the service request, authenticating the service request by adopting an authentication aggregation micro-service, and authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result; and if the authentication type is the second type, authenticating the service request by adopting weak authentication aggregation micro service according to the request parameter in the service request to obtain a weak authentication result.
If the authentication type is the first type, authentication is carried out first, and strong authentication is carried out after the authentication passes. If the authentication type is the second type, weak authentication can be carried out directly without first passing authentication.
The authentication aggregation micro-service may be a micro-service system that aggregates multiple authentication services to perform different authentication services for different needs. The strong authentication aggregated micro-service may be a micro-service aggregated with multiple authentications. The weak authentication aggregated micro-service may be a micro-service that authenticates information of a user.
S130, carrying out aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request and returning the service request result to the client.
In this scheme, specifically, parsing a request parameter in the service request, authenticating the service request by using an authentication aggregation micro service, and authenticating the service request by using a strong authentication aggregation micro service to obtain a strong authentication result, includes:
receiving an authentication request of the service request through a gateway, and forwarding the authentication request to an authentication aggregation micro-service;
verifying the authentication information in the service request through the authentication aggregation micro-service, and if the authentication information passes the verification, returning a Token to the client; the authentication aggregation micro-service comprises at least one basic authentication service among mobile phone number authentication, WeChat authentication, QQ authentication, applet authentication and account authentication;
if the Token is carried in the service request sent by the client side through the gateway, determining that the service request is a strong authentication request;
and if the Token is verified to be effective, forwarding the service request to the strong authentication aggregation micro-service so that the strong authentication aggregation micro-service authenticates the service request to obtain a strong authentication result.
The following are specific calling methods for authentication and strong authentication:
[Code listing image not reproduced]
The printed log can be used for subsequent troubleshooting. After the log is printed, the getToken() function fetches the Token from the request; according to the Token, cached user information, such as the UserID, may be obtained from the database corresponding to the current microservice. After the user information is determined, it may be added to a corresponding field of the Token so that it can be obtained directly later.
In this scheme, optionally, if it is found that the database corresponding to the current micro service does not have the user information corresponding to Token, the user information associated with Token may be searched by calling the databases corresponding to other micro services, so that the user information can be ensured to be acquired.
Fig. 2 is a schematic diagram of an authentication service according to an embodiment of the present invention. As shown in Fig. 2, the client invokes the authentication service, and the gateway receives the authentication request and forwards it to the authentication aggregation microservice. The authentication aggregation microservice parses the authentication request parameters and calls a specific authentication microservice. The authentication microservice verifies the detailed authentication information; if the verification passes, it generates a Token, records the Token information in a cache, sets a reasonable validity period, and finally returns the Token to the client.
It can be understood that there is no direct relationship between multiple authentication microservices (mobile phone numbers, WeChat, QQ, applets, account numbers) here, and the authentication microservices can be used in a plug-in mode. After aggregation, the logical relationships among binding, unbinding, logout and the like of the account numbers with different authentication types need to be solved.
For example, in the case of a mobile phone number A and a WeChat ID B:
the mobile phone number A and the WeChat ID B can each log in to the system for authentication independently. In this case, the WeChat ID is not affected when the mobile phone number is cancelled, and the WeChat ID is cancelled;
if both the mobile phone number and the WeChat ID have logged in to the system for authentication, the two accounts cannot be bound;
if the mobile phone number has logged in to the system for authentication and the WeChat ID has not logged in to the system for authentication independently, the mobile phone number can be bound to the WeChat ID; after the binding, a mobile phone number login and a WeChat login are regarded as the same account. In this case, the mobile phone number and the WeChat ID are cancelled together;
after the mobile phone number A and the WeChat ID B are bound, they can be unbound; after the WeChat ID is unbound, the authentication information of the mobile phone number is unchanged, and a WeChat re-authentication is treated as a new account;
the relationship between mobile phone number authentication and applet authentication is the same as the relationship between mobile phone number authentication and WeChat authentication;
the relationship between mobile phone number authentication and QQ authentication is the same as the relationship between mobile phone number authentication and WeChat authentication.
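The binding rules listed above can be expressed as a small account store. This is an added example, not code from the patent; the class name AccountStore, its methods and the (kind, value) identity tuples are assumptions made for illustration, and the caller is assumed to have verified control of both identities before calling bind.

```python
import itertools


class AccountStore:
    """Hypothetical store; identities are (kind, value) pairs such as ("phone", "A")."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.account_of = {}   # identity -> account id
        self.members = {}      # account id -> set of identities bound to it

    def login(self, identity):
        """The first authentication of an identity creates a fresh account."""
        if identity not in self.account_of:
            acct = next(self._ids)
            self.account_of[identity] = acct
            self.members[acct] = {identity}
        return self.account_of[identity]

    def bind(self, primary, secondary):
        """Attach secondary to primary's account.

        Refused when secondary has already authenticated on its own, so two
        existing accounts are never merged.
        """
        if primary not in self.account_of:
            raise KeyError("primary identity has not authenticated")
        if secondary in self.account_of:
            return False
        acct = self.account_of[primary]
        self.account_of[secondary] = acct
        self.members[acct].add(secondary)
        return True

    def unbind(self, primary, secondary):
        """Detach secondary; primary keeps its account unchanged."""
        acct = self.account_of.get(primary)
        if acct is None or primary == secondary:
            return False
        if self.account_of.get(secondary) != acct:
            return False
        self.members[acct].discard(secondary)
        # Forgetting the mapping means a later login of secondary is a new account.
        del self.account_of[secondary]
        return True

    def cancel(self, identity):
        """Cancel the account; every identity bound to it is cancelled together."""
        acct = self.account_of.get(identity)
        if acct is None:
            return []
        removed = sorted(self.members.pop(acct))
        for ident in removed:
            del self.account_of[ident]
        return removed
```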
Fig. 3 is a schematic diagram of a strong authentication service provided in an embodiment of the present invention. As shown in Fig. 3, the client carries a Token when requesting a strong authentication service of the server. The gateway verifies the validity of the Token; if the Token is valid, the gateway parses it, identifies the user information, and passes the user information as a new parameter to the authentication aggregation microservice.
The strong authentication aggregation microservice receives the user request. The user request is decomposed into a plurality of strong authentication basic microservice requests. The response information returned by the basic microservices is aggregated, and the service result is returned to the client.
The above is the process of obtaining the strong authentication result by means of authentication followed by strong authentication. For information that is displayed without user login, a strong authentication mode would force the user to log in or register before viewing it; for access such as that from an applet, this business logic is obviously unreasonable. Therefore, a separate mechanism for weak authentication can be designed.
In this scheme, specifically, according to the request parameter in the service request, the weak authentication aggregated microservice is used to authenticate the service request, so as to obtain a weak authentication result, including:
receiving user information in a service request sent by the client through a gateway, and if the user information passes verification, sending a weak authentication request in the service request to a weak authentication aggregation micro-service;
and authenticating the service request through the weak authentication aggregation micro service to obtain a weak authentication result.
Here, if the request is determined to be weak authentication, the system may directly call the chain's filter() function to let the request pass.
Fig. 4 is a schematic diagram of a weak authentication service provided in an embodiment of the present invention. As shown in Fig. 4, the client does not carry a Token and carries only weak authentication information when requesting a weak authentication service of the server. The gateway obtains the weak authentication user information and determines that the service requested by the applet is a weak authentication service; the gateway then checks the weak authentication user information and, if the check passes, passes the weak authentication information as a new parameter to the weak authentication aggregation microservice.
The weak authentication aggregation microservice receives the user request, decomposes it into several weak authentication basic microservice requests, aggregates the response information returned by the basic microservices, and returns the service result to the client.
Through comparison, the following relations can be found in the technical scheme of the three processes of authentication, strong authentication and weak authentication:
the Token is obtained after authentication and is used for subsequent strong authentication;
the Token (obtained through authentication) needs to be verified when the strong authentication interface is called;
and the Token does not need to be verified when the weak authentication interface is called.
By separating authentication from authorization, the scheme of the application makes services more cohesive and more specific, and makes service expansion easier. It can be used directly as a middle platform, or reused directly as middleware.
The server provides two authentication modes, strong authentication and weak authentication, and can therefore meet the service application scenarios of different clients. Only one set of basic microservices needs to be built, so one basic service system can serve multiple terminals at the same time. This greatly improves research and development efficiency and speeds up development. The test workload is reduced several-fold, so system testing and development can be carried out more thoroughly, and software quality is greatly improved.
In the face of service adjustments and changing requirements, delivery can be completed with the least workload, the fastest speed and the best quality, and a change in one place no longer affects the whole system.
According to the technical scheme provided by the embodiment of the application, if a service request is received, the authentication type of the service request is determined according to the request path of the service request; if the authentication type is a first type, analyzing a request parameter in the service request, authenticating the service request by adopting authentication aggregation micro-service, and authenticating the service request by adopting strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is a second type, authenticating the service request by adopting weak authentication aggregation micro-service according to a request parameter in the service request to obtain a weak authentication result; and performing aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request and returning the service request result to the client. The technical scheme provided by the application can adopt different authentication and authorization logics aiming at different services, and the purpose of accurate feedback when accessing in different ways is achieved.
On the basis of the above technical solutions, optionally, the method further includes:
determining whether the load capacity of the current service request reaches a load threshold value;
if yes, the interface with the authentication type being the second type is closed.
It can be understood that, after the load of the service request processed by the service system exceeds a certain load threshold, the weak authentication interface may be closed to support the normal operation of the strong authentication interface, thereby ensuring that the service request with strong authentication can be processed normally. By the arrangement, the service request with strong authentication can be normally processed, the reduction of the processing speed of the service system and even the crash of the service system caused by overlarge service request amount can be avoided, and the stability of the service process of the service system is ensured.
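The gateway decisions described above (choosing the authentication type from the request path, verifying the Token only on strong authentication interfaces, and closing weak authentication interfaces once the load threshold is reached), as an added Python example that is not the patent's own code. The route prefixes, the `openid` verification field, the HMAC-signed Token format and the status codes are assumptions; the patent does not specify them.

```python
import hashlib
import hmac
import posixpath
import time
from typing import Optional

# Assumed configuration file content: URL prefix -> (authentication mode code,
# verification field). Paths and field names are constructed for this example.
ROUTES = {
    "/auth/": ("authenticate", None),   # authentication step, issues the Token
    "/api/strong/": ("strong", None),   # Token must be verified
    "/api/weak/": ("weak", "openid"),   # no Token, weak user info only
}
SECRET = b"constructed-demo-key"  # assumption: HMAC key held by the gateway


def issue_token(user_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Token returned after authentication: user.expiry.signature."""
    expiry = int((time.time() if now is None else now) + ttl)
    payload = f"{user_id}.{expiry}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the signature and expiry hold, else None."""
    parts = token.rsplit(".", 2)
    if len(parts) != 3:
        return None
    user_id, expiry, sig = parts
    expected = hmac.new(SECRET, f"{user_id}.{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak signature bytes.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if not (expiry.isascii() and expiry.isdigit()):
        return None
    current = time.time() if now is None else now
    return user_id if int(expiry) >= current else None


def classify(path: str):
    """Map a request path to (mode, verification field) from ROUTES."""
    # Normalise first so "/api/weak/../strong/x" is judged as a strong path.
    clean = posixpath.normpath("/" + path.lstrip("/")) + "/"
    for prefix, entry in ROUTES.items():
        if clean.startswith(prefix):
            return entry
    return ("strong", None)  # assumption: unlisted paths get the stricter mode


class Gateway:
    def __init__(self, load_threshold: int):
        self.load_threshold = load_threshold
        self.in_flight = 0  # service requests currently being processed

    def handle(self, path, token=None, weak_info=None, now=None):
        """Return (status, downstream aggregation service, identified user)."""
        mode, field = classify(path)
        if mode == "authenticate":
            return (200, "authentication-aggregation", None)
        if mode == "weak":
            if self.in_flight >= self.load_threshold:
                return (503, None, None)  # weak interface closed under load
            user = (weak_info or {}).get(field)
            if not user:
                return (400, None, None)  # weak user info failed the check
            return (200, "weak-aggregation", user)
        user = verify_token(token or "", now)
        if user is None:
            return (401, None, None)  # missing, forged or expired Token
        return (200, "strong-aggregation", user)
```

Because the path alone selects the weaker mode, the example normalises the path before matching and sends unlisted paths to strong authentication, so a request cannot reach a strong interface through a weak-looking URL.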
Example two
Fig. 5 is a schematic structural diagram of an authentication and authorization apparatus based on microservices according to a second embodiment of the present invention. As shown in Fig. 5, the authentication and authorization apparatus based on microservices includes:
an authentication and authorization type determining module 510, configured to determine, if a service request is received, an authentication and authorization type of the service request according to a request path of the service request;
an authentication result obtaining module 520, configured to, if the authentication type is the first type, analyze a request parameter in the service request, authenticate the service request by using an authentication aggregation micro service, and authenticate the service request by using a strong authentication aggregation micro service to obtain a strong authentication result; if the authentication type is a second type, authenticating the service request by adopting weak authentication aggregation micro-service according to a request parameter in the service request to obtain a weak authentication result;
the service processing module 530 is configured to perform aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request, and return the service request result to the client.
The product can execute the method provided by the first embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example three
Embodiments of the present application also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method for authentication and authorization based on microservice, the method comprising:
if a service request is received, determining the authentication type of the service request according to the request path of the service request;
if the authentication type is a first type, analyzing a request parameter in the service request, authenticating the service request by adopting authentication aggregation micro-service, and authenticating the service request by adopting strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is a second type, authenticating the service request by adopting weak authentication aggregation micro-service according to a request parameter in the service request to obtain a weak authentication result;
and performing aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request and returning the service request result to the client.
Storage medium: any of various types of memory devices or storage devices. The term "storage medium" is intended to include: installation media such as CD-ROM, floppy disk, or tape devices; computer system memory or random access memory such as DRAM, DDR RAM, SRAM, EDO RAM, Rambus RAM, etc.; non-volatile memory such as flash memory, magnetic media (e.g., hard disk or optical storage); registers or other similar types of memory elements, etc. The storage medium may also include other types of memory or combinations thereof. In addition, the storage medium may be located in the computer system in which the program is executed, or may be located in a different second computer system connected to the computer system through a network (such as the internet). The second computer system may provide the program instructions to the computer for execution. The term "storage medium" may include two or more storage media that may reside in different locations, such as in different computer systems that are connected by a network. The storage medium may store program instructions (e.g., embodied as a computer program) that are executable by one or more processors.
Of course, in the storage medium containing computer-executable instructions provided in the embodiments of the present application, the computer-executable instructions are not limited to the microservice-based authentication and authorization operations described above, and may also perform related operations in the microservice-based authentication and authorization method provided in any embodiment of the present application.
Example four
The embodiment of the application provides electronic equipment. Fig. 6 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present application. As shown in fig. 6, the present embodiment provides an electronic device 600, which includes: one or more processors 620; the storage device 610 is configured to store one or more programs, and when the one or more programs are executed by the one or more processors 620, the one or more processors 620 are enabled to implement the authentication and authorization method based on microservices provided in the embodiment of the present application, the method includes:
if a service request is received, determining the authentication type of the service request according to the request path of the service request;
if the authentication type is a first type, analyzing a request parameter in the service request, authenticating the service request by adopting authentication aggregation micro-service, and authenticating the service request by adopting strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is a second type, authenticating the service request by adopting weak authentication aggregation micro-service according to a request parameter in the service request to obtain a weak authentication result;
and performing aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request and returning the service request result to the client.
The electronic device 600 shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 6, the electronic device 600 includes a processor 620, a storage device 610, an input device 630, and an output device 640; the number of the processors 620 in the electronic device may be one or more, and one processor 620 is taken as an example in fig. 6; the processor 620, the storage device 610, the input device 630, and the output device 640 in the electronic apparatus may be connected by a bus or other means, and are exemplified by being connected by a bus 650 in fig. 6.
The storage device 610 is a computer readable storage medium, and can be used to store software programs, computer executable programs, and module units, such as program instructions corresponding to the authentication and authorization method based on microservices in the embodiment of the present application.
The storage device 610 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. In addition, the storage 610 may include high speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the storage 610 may further include memory located remotely from the processor 620, which may be connected via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 630 may be used to receive input numbers, character information, or voice information, and to generate key signal inputs related to user settings and function control of the electronic device. The output device 640 may include a display screen, a speaker, and other electronic devices.
The electronic device provided by the embodiment of the application can adopt different authentication and authorization logics for different services, and the purpose of accurate feedback for different access ways is achieved.
The microservice-based authentication and authorization apparatus, medium and electronic device provided in the above embodiments can run the microservice-based authentication and authorization method provided in any embodiment of the present application, and have the corresponding functional modules and beneficial effects of running that method. For technical details not described in detail in the above embodiments, reference may be made to the microservice-based authentication and authorization method provided in any embodiment of the present application.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. An authentication method based on micro service, characterized in that the method comprises:
if a service request is received, determining the authentication type of the service request according to the request path of the service request;
if the authentication type is a first type, analyzing a request parameter in the service request, authenticating the service request by adopting authentication aggregation micro-service, and authenticating the service request by adopting strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is a second type, authenticating the service request by adopting weak authentication aggregation micro-service according to a request parameter in the service request to obtain a weak authentication result;
and performing aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request and returning the service request result to the client.
2. The method of claim 1, wherein if a service request is received, determining an authentication type of the service request according to a request path of the service request comprises:
if a service request is received, analyzing request parameters of the service request;
determining a request path according to the request parameters; if the request path corresponds to an authentication interface, determining that the authentication type of the service request is a first type; and if the request path corresponds to a weak authentication interface, determining that the authentication type of the service request is a second type.
3. The method of claim 2, wherein determining the authentication mode corresponding to the request path comprises:
determining a URL address in a configuration file corresponding to the service request according to the request parameters;
and determining an authentication mode according to the URL address in the configuration file and an authentication mode code corresponding to the URL address.
4. The method of claim 3, further comprising:
and determining a verification field corresponding to the URL address of the service request according to the URL address in the configuration file.
5. The method of claim 1, wherein parsing request parameters in the service request, authenticating the service request using an authentication aggregation micro-service, and authenticating the service request using a strong authentication aggregation micro-service to obtain a strong authentication result, comprises:
receiving an authentication request of the service request through a gateway, and forwarding the authentication request to an authentication aggregation micro-service;
verifying the authentication information in the service request through the authentication aggregation micro-service, and if the authentication information passes the verification, returning a Token to the client; the authentication aggregation micro-service comprises at least one authentication basic service of mobile phone number authentication, WeChat authentication, QQ authentication, applet authentication and account authentication;
if the Token is carried in the service request sent by the client side through the gateway, determining that the service request is a strong authentication request;
and if the Token is verified to be effective, forwarding the service request to the strong authentication aggregation micro-service so that the strong authentication aggregation micro-service authenticates the service request to obtain a strong authentication result.
6. The method of claim 1, wherein authenticating the service request by using weak authentication aggregation micro-service according to a request parameter in the service request to obtain a weak authentication result comprises:
receiving user information in a service request sent by the client through a gateway, and if the user information passes verification, sending a weak authentication request in the service request to a weak authentication aggregation micro-service;
and authenticating the service request through the weak authentication aggregation micro service to obtain a weak authentication result.
7. The method of claim 1, further comprising:
determining whether the load capacity of the current service request reaches a load threshold value;
if yes, the interface with the authentication type being the second type is closed.
8. A microservice-based authentication and authorization apparatus, the apparatus comprising:
the authentication type determining module is used for determining the authentication type of the service request according to the request path of the service request if the service request is received;
the authentication result acquisition module is used for analyzing the request parameters in the service request if the authentication type is a first type, authenticating the service request by adopting authentication aggregation micro-service, and authenticating the service request by adopting strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is a second type, authenticating the service request by adopting weak authentication aggregation micro-service according to a request parameter in the service request to obtain a weak authentication result;
and the service processing module is used for carrying out aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request and returning the service request result to the client.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a microservice-based authentication and authorization method according to any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the microservice-based authentication and authorization method according to any of claims 1-7 when executing the computer program.
CN202110018399.6A 2021-01-07 2021-01-07 Authentication and authorization method and device based on micro-service, medium and electronic equipment Active CN112804224B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110018399.6A CN112804224B (en) 2021-01-07 2021-01-07 Authentication and authorization method and device based on micro-service, medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110018399.6A CN112804224B (en) 2021-01-07 2021-01-07 Authentication and authorization method and device based on micro-service, medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN112804224A true CN112804224A (en) 2021-05-14
CN112804224B CN112804224B (en) 2023-07-14

Family

ID=75808964

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110018399.6A Active CN112804224B (en) 2021-01-07 2021-01-07 Authentication and authorization method and device based on micro-service, medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN112804224B (en)


Also Published As

Publication number Publication date
CN112804224B (en) 2023-07-14


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant