CN112804224B - Authentication and authorization method and device based on micro-service, medium and electronic equipment - Google Patents


Info

Publication number
CN112804224B
Authority
CN
China
Prior art keywords
authentication
service
request
micro
service request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110018399.6A
Other languages
Chinese (zh)
Other versions
CN112804224A (en)
Inventor
汪海滨
何国立
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenyang Linlong Technology Co ltd
Original Assignee
Shenyang Linlong Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenyang Linlong Technology Co ltd filed Critical Shenyang Linlong Technology Co ltd
Priority to CN202110018399.6A priority Critical patent/CN112804224B/en
Publication of CN112804224A publication Critical patent/CN112804224A/en
Application granted granted Critical
Publication of CN112804224B publication Critical patent/CN112804224B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiment of the invention discloses an authentication method, an authentication device, a medium and electronic equipment based on micro-services. The method comprises the following steps: if a service request is received, determining an authentication type of the service request according to a request path of the service request; if the service request is of the first type, analyzing request parameters in the service request, authenticating the service request by adopting an authentication aggregation micro-service, and authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result; if the service request is of the second type, authenticating the service request by adopting a weak authentication aggregation micro-service according to the request parameters in the service request to obtain a weak authentication result; and carrying out aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request, and returning the service request result to the client. With the technical scheme provided by the application, different authentication and authorization logic can be adopted for different services, so that accurate feedback is given for different access routes.

Description

Authentication and authorization method and device based on micro-service, medium and electronic equipment
Technical Field
The embodiment of the invention relates to the technical field of Internet, in particular to an authentication method, an authentication device, a medium and electronic equipment based on micro-services.
Background
With the development of science and technology, it has become very common for users to access a server system through different routes. To keep the information fed back consistent when a user accesses the system through different routes, the prior art strongly couples authentication and authorization in the underlying architecture of the server system. The advantage of this arrangement is that authentication and authorization operations can be performed in a fixed manner, ensuring the consistency of information across different access routes. The problem is that, because authentication and authorization are coupled when a service is processed, a service that needs only authorization and no authentication is difficult to handle, and some services cannot be processed normally.
Disclosure of Invention
The embodiment of the invention provides an authentication and authorization method, device, medium and electronic equipment based on micro-services, which can apply different authentication and authorization logic to different services and so give accurate feedback for different access routes.
In a first aspect, an embodiment of the present invention provides a micro-service-based authentication method, where the method includes:
if a service request is received, determining an authentication type of the service request according to a request path of the service request;
if the authentication type is the first type, analyzing request parameters in the service request, authenticating the service request by adopting an authentication aggregation micro-service, and authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is the second type, authenticating the service request by adopting a weak authentication aggregation micro-service according to the request parameters in the service request to obtain a weak authentication result;
and carrying out aggregation treatment on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request, and returning the service request result to the client.
Further, if a service request is received, determining an authentication type of the service request according to a request path of the service request includes:
if a service request is received, analyzing request parameters of the service request;
determining a request path according to the request parameters; if the request path corresponds to the authentication interface, determining that the authentication type of the service request is a first type; and if the request path corresponds to the weak authentication interface, determining that the authentication type of the service request is a second type.
Further, determining an authentication mode corresponding to the request path includes:
determining a URL address in a configuration file corresponding to the service request according to the request parameter;
and determining an authentication mode according to the URL address in the configuration file and an authentication mode code corresponding to the URL address.
Further, the method further comprises:
and determining a verification field corresponding to the URL address of the service request according to the URL address in the configuration file.
Further, analyzing the request parameters in the service request, authenticating the service request by adopting an authentication aggregation micro-service, and authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result, including:
receiving an authentication request of the service request through a gateway, and forwarding the authentication request to an authentication aggregation micro-service;
checking authentication information in the service request through the authentication aggregation micro-service, and if the authentication information passes the check, returning Token to the client; the authentication aggregation micro-service comprises at least one authentication basic service of mobile phone number authentication, WeChat authentication, QQ authentication, applet authentication and account authentication;
if the gateway receives that the Token is carried in the service request sent by the client, determining that the service request is a strong authentication request;
and if the Token is verified to be valid, forwarding the service request to a strong authentication aggregation micro-service so that the strong authentication aggregation micro-service authenticates the service request to obtain a strong authentication result.
Further, according to the request parameters in the service request, the weak authentication aggregation micro service is adopted to authenticate the service request, and a weak authentication result is obtained, including:
receiving user information in a service request sent by the client through a gateway, and if the user information passes verification, sending a weak authentication request in the service request to a weak authentication aggregation micro-service;
and authenticating the service request through the weak authentication aggregation micro service to obtain a weak authentication result.
Further, the method further comprises:
determining whether the current service request load reaches a load threshold value;
if yes, closing the interface with the authentication type being the second type.
In a second aspect, an embodiment of the present invention further provides a micro-service based authentication device, including:
the authentication type determining module is used for determining the authentication type of the service request according to the request path of the service request if the service request is received;
the authentication result acquisition module is used for analyzing request parameters in the service request if the authentication type is the first type, authenticating the service request by adopting an authentication aggregation micro-service, and authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is the second type, authenticating the service request by adopting a weak authentication aggregation micro-service according to the request parameters in the service request to obtain a weak authentication result;
and the service processing module is used for carrying out aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request and returning the service request result to the client.
In a third aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a micro-service based authentication method as described in embodiments of the present application.
In a fourth aspect, an embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable by the processor, where the processor executes the computer program to implement a micro-service based authentication method according to an embodiment of the present application.
According to the technical scheme provided by the embodiment of the application, if a service request is received, an authentication type of the service request is determined according to a request path of the service request; if the authentication type is the first type, request parameters in the service request are analyzed, the service request is authenticated by adopting an authentication aggregation micro-service, and the service request is authenticated by adopting a strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is the second type, the service request is authenticated by adopting a weak authentication aggregation micro-service according to the request parameters in the service request to obtain a weak authentication result; and aggregation processing is carried out on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request, and the service request result is returned to the client. The technical scheme provided by the application can adopt different authentication and authorization logic for different services, and gives accurate feedback for different access routes.
Drawings
Fig. 1 is a flowchart of a micro-service-based authentication method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an authentication service provided by a first embodiment of the present invention;
Fig. 3 is a schematic diagram of a strong authentication service provided by a first embodiment of the present invention;
Fig. 4 is a schematic diagram of a weak authentication service provided by a first embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a micro-service based authentication device according to a second embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present application.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Before discussing exemplary embodiments in more detail, it should be mentioned that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart depicts steps as a sequential process, many of the steps may be implemented in parallel, concurrently, or with other steps. Furthermore, the order of the steps may be rearranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figures. The processes may correspond to methods, functions, procedures, subroutines, and the like.
The micro-service architecture is becoming the mainstream server architecture and is a new style of software architecture. In a micro-service system, module functions are no longer deployed in one package as in a monolithic application, where all functions of the monolith are deployed together. The system consists of a plurality of micro-services, each of which can be independently designed, developed and deployed and is responsible for a different service function, so that the flexibility of the system is greatly improved. However, because there are so many services, secure access based on micro-services is becoming more and more important.
Among existing authentication methods, one is the Session+Cookie-based mode and the other is the Token-based mode.
Session+Cookie mode: when a registered user logs in, the Web server checks the user name and the password against the database, adds a record to the Session after the check passes, and then returns the record to the browser. In the message returned to the browser, the sessionId is placed in the Cookie.
Token-based mode: a Token typically contains information about the user, and identity can be verified by verifying the Token. The Token is generated at the authentication server (i.e., the gateway). If the client requests authentication from the authentication server with a user name and password and the authentication succeeds, the authentication server returns a user Token to the client. The client can then carry the Token with each service request and is checked at the gateway: authentication mainly verifies whether the user information is legitimate, while authorization checks whether the Token is valid, has expired, and so on. If the check passes, the gateway forwards the service request to the underlying service for service processing.
The problem with the Session+Cookie mode is that the user session is bound to a particular server. If that server needs to be upgraded or modified, or is delayed or down, the user information authenticated on that server is lost at once, and the user must log in again.
The problem with the Token-based mode is that, in the prior art, authentication and authorization are coupled together: when a client calls a request of the server, the request is either both authenticated and authorized, or neither authenticated nor authorized. Implementing business services is then very complex, and a large amount of redundant code may result.
Example 1
Fig. 1 is a flowchart of a micro-service-based authentication method according to an embodiment of the present invention, where the embodiment is applicable to a case where service requests of different paths are processed in different manners, and the method may be performed by a micro-service-based authentication device according to the embodiment of the present invention, where the device may be implemented by software and/or hardware, and may be integrated in an electronic device of a service system.
As shown in fig. 1, the method includes:
S110, if a service request is received, determining an authentication type of the service request according to a request path of the service request.
The service request may be sent by the client. Specifically, it may be sent from an application (APP), from a client page such as a PC page, or from an applet or an H5 native page.
In this solution, the request path of the service request may include the interface type called by the service request; for example, it may include an authentication interface, or may include only an authorization interface. It will be appreciated that the request path is not limited to an interface: anything that can represent a different request path, such as a caller or a call object, may be used to distinguish between different service requests. The authentication type of the service request may be determined based on the request path.
In this scheme, the service authentication type can be divided into a type requiring both authentication and authorization, namely the strong authentication type, and a type requiring authorization only, namely the weak authentication type.
In this embodiment, optionally, if a service request is received, determining an authentication type of the service request according to a request path of the service request includes:
if a service request is received, analyzing request parameters of the service request;
determining a request path according to the request parameters; if the request path corresponds to the authentication interface, determining that the authentication type of the service request is a first type; and if the request path corresponds to the weak authentication interface, determining that the authentication type of the service request is a second type.
The request parameters may be parameters related to the service request, such as the content of the request, the response object required by the request, the interface the request needs to use, and so on. After the request parameters are obtained, the request path can be determined from them; in line with the description above, the request path is known once the interface required by the service request is known. After the request path is determined, different authentication types can be determined according to which interface needs to be called.
The advantage of this arrangement is that the request path can be determined according to the request parameters of the service request, thereby determining the authentication type of the service request. With this arrangement, the service system can be compatible with different authentication types at the same time, separate authentication and authorization logic does not need to be designed for strong authentication and weak authentication respectively, a plurality of authentication modes are integrated, and better compatibility is provided for service requests sent over different paths.
In this solution, optionally, determining an authentication mode corresponding to the request path includes:
determining a URL address in a configuration file corresponding to the service request according to the request parameter;
and determining an authentication mode according to the URL address in the configuration file and an authentication mode code corresponding to the URL address.
Further, the method further comprises:
and determining a verification field corresponding to the URL address of the service request according to the URL address in the configuration file.
The following table is a partial example of a configuration file. url is the address, i.e., the request path from which the request was made. url_filtered is the field that needs to be verified; if it is empty, the path does not need to be verified. A gateway_type of 1 means that sensitive information, such as a mobile phone number, is present and must be encrypted in transit; correspondingly, a value of 2 means that encryption is not needed and that weak authentication can be performed directly. source_system is the project name of the business layer, which may be the project name of the micro-service.
[Figures BDA0002887503420000081 and BDA0002887503420000091: configuration file table (image only)]
In addition, the following code provides a specific invocation mode of authentication:
[Figures BDA0002887503420000092, BDA0002887503420000101 and BDA0002887503420000111: authentication calling code (image only)]
In the scheme, after the request parameters are obtained, the configuration file in the service system can be read, the interface configuration items in the configuration file are determined, and the interfaces associated with the request parameters are determined, so that the interfaces of the service requests can be determined according to the request parameters, the configurability of the interfaces of the service requests is realized, and the purpose of managing and controlling the request paths of the service requests is achieved.
In the above scheme, specifically, the method further includes:
and responding to the changing operation of the interface configuration items in the configuration file, and determining calling interface information of the changed interface configuration items.
It can be understood that if the authentication and authorization policy of the content changes in different periods for the request of the same content, the adjustment of the calling interface can be realized by modifying the configuration file by the staff, so that the change of the interface configuration item can be realized. The scheme can flexibly adjust the authentication type of the service request through the arrangement, and can flexibly process according to the actual requirement of the service.
S120, if the authentication type is the first type, analyzing request parameters in the service request, authenticating the service request by adopting an authentication aggregation micro-service, and authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result; and if the authentication type is the second type, authenticating the service request by adopting a weak authentication aggregation micro-service according to the request parameters in the service request to obtain a weak authentication result.
If the authentication type is the first type, authentication is performed first, and strong authentication is performed after the authentication passes. If the authentication type is the second type, authorization can be performed directly, without first passing authentication.
The authentication aggregation micro-service may be a micro-service system that aggregates multiple authentication services to perform different authentication services for different needs. The strong authentication aggregated micro-service may be a micro-service aggregated with multiple authentications. The weak authentication aggregated micro-service may be a micro-service that authenticates information of a user.
S130, carrying out aggregation processing on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request, and returning the service request result to the client.
In this scheme, specifically, resolving the request parameter in the service request, authenticating the service request by using an authentication aggregation micro-service, and authenticating the service request by using a strong authentication aggregation micro-service to obtain a strong authentication result, including:
receiving an authentication request of the service request through a gateway, and forwarding the authentication request to an authentication aggregation micro-service;
checking authentication information in the service request through the authentication aggregation micro-service, and if the authentication information passes the check, returning Token to the client; the authentication aggregation micro-service comprises at least one authentication basic service of mobile phone number authentication, WeChat authentication, QQ authentication, applet authentication and account authentication;
if the gateway receives that the Token is carried in the service request sent by the client, determining that the service request is a strong authentication request;
and if the Token is verified to be valid, forwarding the service request to a strong authentication aggregation micro-service so that the strong authentication aggregation micro-service authenticates the service request to obtain a strong authentication result.
The following is a specific calling method for authentication and strong authentication:
[Figures BDA0002887503420000131, BDA0002887503420000141 and BDA0002887503420000151: authentication and strong authentication calling code (image only)]
Here, the printed log can be used for later troubleshooting. The getToken() function fetches the Token from the request, and cached user information, such as userID, can be obtained from the database corresponding to the current micro-service according to the Token. After the user information is determined, it can be added to the corresponding field of the Token, so that it can be obtained directly later.
In this scheme, optionally, if the data corresponding to the Token is not found in the database corresponding to the current micro-service, the databases corresponding to other micro-services may be called to search for the user information associated with the Token, so as to ensure that the user information can be obtained.
Fig. 2 is a schematic diagram of an authentication service provided in accordance with an embodiment of the present invention, and as shown in fig. 2, a client invokes the authentication service, a gateway receives an authentication request, and forwards the authentication request to an authentication aggregation micro service. The authentication aggregation micro-service analyzes the authentication request parameters and invokes a specific authentication micro-service. The authentication micro-service checks the authentication detailed information, generates Token if the authentication passes, records Token information into a cache, sets a reasonable validity period, and finally returns the Token to the client.
It can be understood that there is no direct relationship between the authentication micro-services (mobile phone number, WeChat, QQ, applet, account number), and they can be used in a pluggable manner. After aggregation, the logical relationships among binding, unbinding, cancellation and so on of accounts with different authentication types need to be resolved.
For example, take mobile phone number A and WeChat ID B. At present:
mobile phone number A and WeChat ID B can each log in to the system independently for authentication. At this point, logging out of one does not affect the other;
if the mobile phone number and the WeChat ID have each logged in to the system independently for authentication, the two accounts cannot be bound;
if the mobile phone number has logged in to the system for authentication and the WeChat ID has not independently logged in to the system for authentication, the mobile phone number can be bound to the WeChat ID, and after binding, the mobile phone number login and the WeChat ID login are regarded as the same account. At this point, the mobile phone number and the WeChat ID are logged out together;
after mobile phone number A and WeChat ID B are bound, an unbinding operation can be carried out, and after the WeChat ID is unbound, the authentication information of the mobile phone number is unchanged. When the WeChat ID authenticates again, it is treated as a new account;
the relationship between mobile phone number authentication and applet authentication is the same as the relationship between mobile phone number authentication and WeChat authentication;
the relationship between mobile phone number authentication and QQ authentication is the same as the relationship between mobile phone number authentication and WeChat authentication.
Fig. 3 is a schematic diagram of a strong authentication service provided by the first embodiment of the present invention. As shown in Fig. 3, the client carries a Token and requests a strong authentication service of the server. The gateway verifies the validity of the Token; if the Token is valid, the gateway parses the Token, identifies the user information, and passes the user information as a newly added parameter to an authentication aggregation micro-service.
The strong authentication aggregation micro-service receives the user request. The user request is broken down into a plurality of strong authentication basic micro-service requests. The response information returned by the basic micro-services is aggregated, and the service result is returned to the client.
The above is the process of obtaining a strong authentication result through authentication followed by strong authentication. For information that is displayed without user login, a strong authentication mode would force the user to log in or register first in order to view it; for applet-style access, such business logic is obviously unreasonable. A separate weak authentication mechanism can therefore be designed.
In this scheme, specifically, according to the request parameter in the service request, the weak authentication aggregation micro service is adopted to authenticate the service request, so as to obtain a weak authentication result, including:
receiving user information in a service request sent by the client through a gateway, and if the user information passes verification, sending a weak authentication request in the service request to a weak authentication aggregation micro-service;
and authenticating the service request through the weak authentication aggregation micro service to obtain a weak authentication result.
Here, if the request is determined to be weak authentication, the system's `chain.filter()` function can be called directly to let the request through.
Fig. 4 is a schematic diagram of the weak authentication service provided in the first embodiment of the present invention. As shown in Fig. 4, the client carries no Token, only weak authentication information, and requests a weak authentication service from the server. The gateway obtains the weak authentication user information and confirms whether the service requested by the applet is a weak authentication service. If it is, the gateway verifies the weak authentication user information and, if the verification passes, passes the weak authentication information as a newly added parameter to the weak authentication aggregation micro-service.
The weak authentication aggregation micro-service receives the user request, decomposes it into a plurality of weak authentication basic micro-service requests, aggregates the response information returned by the basic micro-services, and returns the service result to the client.
The comparison shows that the three processes of authentication, strong authentication and weak authentication have the following relationships in the technical scheme:
the authentication is to acquire Token for subsequent strong authentication;
when the strong authentication interface is called, the Token (obtained through authentication) needs to be verified;
the weak authentication interface does not need to verify Token when called.
By separating authentication from authorization, the scheme of the application makes each service more cohesive and focused, and service expansion becomes easier. The scheme can be used directly as a middle platform, and can also be reused directly as middleware.
The server provides two modes, strong authentication and weak authentication, and can therefore meet the service scenarios of different clients. Only one set of basic micro-services needs to be built, so a single basic service system can serve multiple client types at the same time. This greatly improves research and development efficiency and speed, reduces the test workload several-fold, allows system testing to be carried out more thoroughly, and greatly improves software quality.
When the business is adjusted or requirements change, delivery can be completed with the least work, the fastest speed and the best quality. Changes can be handled with ease, without a small change affecting the whole system.
According to the technical scheme provided by the embodiment of the application, if a service request is received, determining an authentication type of the service request according to a request path of the service request; if the authentication type is the first type, analyzing request parameters in the service request, authenticating the service request by adopting an authentication aggregation micro-service, and authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is the second type, authenticating the service request by adopting a weak authentication aggregation micro-service according to the request parameters in the service request to obtain a weak authentication result; and aggregating the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request, and returning the service request result to the client. The technical scheme provided by the application can apply different authentication and authorization logic to different services, and returns accurate responses for different kinds of access.
On the basis of the above technical solutions, optionally, the method further includes:
determining whether the current service request load reaches a load threshold value;
if yes, closing the interface with the authentication type being the second type.
It can be understood that after the service request load amount processed by the service system exceeds a certain load threshold value, the weak authentication interface can be closed to support the normal operation of the strong authentication interface, so that the normal processing of the service request of the strong authentication is ensured. Through the arrangement, the normal processing of the service request with strong authentication can be ensured, the reduction of the processing speed of the service system caused by overlarge service request amount is avoided, even the breakdown of the service system is avoided, and the stability of the service process of the service system is ensured.
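The path-based routing, Token check and load-threshold rule described above can be exercised end to end. The following Python is an added example, not code from the patent: the route table, the HMAC Token format, the field names (`app_id`, `open_id`), the threshold value and the stand-in basic services are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"      # constructed sample key, not from the patent
LOAD_THRESHOLD = 100                  # constructed load threshold (requests in flight)

# Hypothetical configuration: URL prefix -> (authentication mode code, verification fields).
ROUTES = {
    "/api/orders": ("STRONG", ()),
    "/open/catalog": ("WEAK", ("app_id", "open_id")),
}

# Hypothetical basic micro-services behind each aggregation micro-service.
BASIC_SERVICES = {
    "STRONG": [lambda p: {"profile": p["user_id"]}, lambda p: {"orders": ["o-1", "o-2"]}],
    "WEAK": [lambda p: {"catalog": ["item-a", "item-b"]}],
}


def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id, ttl=300, now=None):
    """Authentication result: a Token of the assumed form user|expiry|mac."""
    now = time.time() if now is None else now
    body = f"{user_id}|{int(now + ttl)}"
    return f"{body}|{_mac(body)}"


def verify_token(token, now=None):
    """Return the user id carried by a valid, unexpired Token, else None."""
    now = time.time() if now is None else now
    try:
        user_id, expiry, mac = token.rsplit("|", 2)
        expires_at = int(expiry)
    except (AttributeError, ValueError):
        return None                    # missing or malformed Token
    expected = _mac(f"{user_id}|{expiry}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return user_id if expires_at >= now else None


class Gateway:
    def __init__(self):
        self.current_load = 0          # fed by the deployment's own load metric

    @staticmethod
    def classify(path):
        """Map the request path to its authentication mode code and verification fields."""
        for prefix, (mode, fields) in ROUTES.items():
            # Match whole path segments so /open/catalog-admin is not treated as weak.
            if path == prefix or path.startswith(prefix + "/"):
                return mode, fields
        return None, ()

    @staticmethod
    def aggregate(mode, params):
        """Fan the request out to the basic micro-services and merge their responses."""
        result = {}
        for service in BASIC_SERVICES[mode]:
            result.update(service(params))
        return result

    def handle(self, path, headers=None, params=None, now=None):
        headers, params = headers or {}, dict(params or {})
        mode, fields = self.classify(path)
        if mode is None:
            return 404, "unmapped path"            # fail closed, never default to weak
        if mode == "STRONG":
            user_id = verify_token(headers.get("Token"), now)
            if user_id is None:
                return 401, "missing or invalid Token"
            # Added hardening choice: the Token-derived identity replaces any
            # user_id the client put in its own parameters.
            params["user_id"] = user_id
            return 200, self.aggregate(mode, params)
        # Second type: weak authentication interface, closed once the load threshold is hit.
        if self.current_load >= LOAD_THRESHOLD:
            return 503, "weak authentication interface closed"
        if any(not params.get(field) for field in fields):
            return 400, "weak authentication information incomplete"
        return 200, self.aggregate(mode, params)
```

Setting `current_load` to the threshold makes weak routes return 503 while Token-bearing requests to strong routes are still served.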
Example II
Fig. 5 is a schematic structural diagram of a micro-service based authentication device according to a second embodiment of the present invention. As shown in fig. 5, the authentication device based on micro service includes:
an authentication type determining module 510, configured to determine an authentication type of a service request according to a request path of the service request if the service request is received;
the authentication result obtaining module 520 is configured to parse a request parameter in the service request if the authentication type is a first type, authenticate the service request with an authentication aggregation micro-service, and authenticate the service request with a strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is the second type, authenticating the service request by adopting a weak authentication aggregation micro-service according to the request parameters in the service request to obtain a weak authentication result;
and the service processing module 530 is configured to aggregate the strong authentication result or the weak authentication result, obtain a service request result corresponding to the service request, and return the service request result to the client.
The product can execute the method provided by the first embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example III
The present embodiments also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are for performing a micro-service based authentication method, the method comprising:
if a service request is received, determining an authentication type of the service request according to a request path of the service request;
if the authentication type is the first type, analyzing request parameters in the service request, authenticating the service request by adopting an authentication aggregation micro-service, and authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is the second type, authenticating the service request by adopting a weak authentication aggregation micro-service according to the request parameters in the service request to obtain a weak authentication result;
and carrying out aggregation treatment on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request, and returning the service request result to the client.
Storage medium: any of various types of memory devices or storage devices. The term "storage medium" is intended to include: installation media such as CD-ROM, floppy disk or tape devices; computer system memory or random access memory such as DRAM, DDR RAM, SRAM, EDO RAM, Rambus RAM, etc.; nonvolatile memory such as flash memory, magnetic media (e.g., hard disk or optical storage); registers or other similar types of memory elements, etc. The storage medium may also include other types of memory or combinations thereof. In addition, the storage medium may be located in a computer system in which the program is executed, or may be located in a different second computer system connected to the computer system through a network (such as the internet). The second computer system may provide program instructions to the computer for execution. The term "storage medium" may include two or more storage media that may reside in different locations (e.g., in different computer systems connected by a network). The storage medium may store program instructions (e.g., embodied as a computer program) executable by one or more processors.
Of course, the storage medium containing the computer executable instructions provided in the embodiments of the present application is not limited to the micro-service based authentication and authorization operation described above, and may also perform the related operations in the micro-service based authentication and authorization method provided in any embodiment of the present application.
Example IV
The embodiment of the application provides electronic equipment. Fig. 6 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present application. As shown in fig. 6, the present embodiment provides an electronic device 600, which includes: one or more processors 620; a storage 610, configured to store one or more programs that, when executed by the one or more processors 620, cause the one or more processors 620 to implement a micro-service based authentication method provided by an embodiment of the present application, the method includes:
if a service request is received, determining an authentication type of the service request according to a request path of the service request;
if the authentication type is the first type, analyzing request parameters in the service request, authenticating the service request by adopting an authentication aggregation micro-service, and authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is the second type, authenticating the service request by adopting a weak authentication aggregation micro-service according to the request parameters in the service request to obtain a weak authentication result;
and carrying out aggregation treatment on the strong authentication result or the weak authentication result to obtain a service request result corresponding to the service request, and returning the service request result to the client.
The electronic device 600 shown in fig. 6 is merely an example, and should not be construed as limiting the functionality and scope of use of embodiments of the present application.
As shown in fig. 6, the electronic device 600 includes a processor 620, a storage device 610, an input device 630, and an output device 640; the number of processors 620 in the electronic device may be one or more, one processor 620 being taken as an example in fig. 6; the processor 620, the storage 610, the input 630, and the output 640 in the electronic device may be connected by a bus or other means, as exemplified in fig. 6 by a bus 650.
The storage device 610 is used as a computer readable storage medium, and can be used for storing a software program, a computer executable program, and a module unit, such as program instructions corresponding to the micro-service based authentication and authorization method in the embodiment of the present application.
The storage device 610 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, at least one application program required for functions; the storage data area may store data created according to the use of the terminal, etc. In addition, the storage 610 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, the storage device 610 may further include memory remotely located with respect to the processor 620, which may be connected via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 630 may be used to receive input numeric, character information, or voice information, and to generate key signal inputs related to user settings and function control of the electronic device. The output device 640 may include an electronic device such as a display screen, a speaker, etc.
The electronic equipment provided by the embodiment of the application can apply different authentication and authorization logic to different services, and returns accurate responses for different kinds of access.
The authentication and authorization device based on the micro-service, the medium and the electronic equipment provided in the above embodiment can operate the authentication and authorization method based on the micro-service provided in any embodiment of the application, and have the corresponding functional modules and beneficial effects of operating the method. Technical details not described in detail in the above embodiments may be found in the micro-service based authentication method provided in any embodiment of the present application.
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (6)

1. A micro-service based authentication method, the method comprising:
if a service request is received, determining an authentication type of the service request according to a request path of the service request; the request path of the service request comprises an interface type called by the service request, wherein the interface type comprises an authentication interface or the interface type only comprises an authentication interface;
if the authentication type is the first type, analyzing request parameters in the service request, authenticating the service request by adopting an authentication aggregation micro-service, and authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is the second type, authenticating the service request by adopting a weak authentication aggregation micro-service according to the request parameters in the service request to obtain a weak authentication result; wherein the first type corresponds to the interface type and comprises an authentication interface, and the second type corresponds to the interface type and comprises only an authentication interface;
the method comprises the steps of analyzing request parameters in the service request, authenticating the service request by adopting an authentication aggregation micro-service, authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result, and comprising the following steps:
receiving an authentication request of the service request through a gateway, and forwarding the authentication request to an authentication aggregation micro-service;
checking authentication information in the service request through the authentication aggregation micro-service, and if the authentication information passes the check, returning Token to the client; the authentication aggregation micro-service comprises at least one authentication basic service of mobile phone number authentication, WeChat authentication, QQ authentication, applet authentication and account authentication;
if the gateway receives that the Token is carried in the service request sent by the client, determining that the service request is a strong authentication request;
if the Token is verified to be valid, the Token is analyzed, the user information is identified, and the user information is used as a newly added parameter and is transmitted to the strong authentication aggregation micro-service; receiving a user request by the strong authentication aggregation micro service; decomposing the user request into a plurality of strong authentication basic micro-service requests; the response information returned by the basic micro-service is aggregated, and the service result is returned to the client;
and authenticating the service request by adopting a weak authentication aggregation micro service according to the request parameters in the service request to obtain a weak authentication result, wherein the method comprises the following steps:
receiving user information in a service request sent by the client through a gateway, and if the user information passes verification, transmitting the user information as a newly added parameter to a weak authentication aggregation micro-service; receiving a user request by weak authentication aggregation micro service; decomposing the user request into a plurality of weak authentication basic micro-service requests; the response information returned by the basic micro-service is aggregated, and the service result is returned to the client;
wherein the method further comprises:
determining whether the current service request load reaches a load threshold value;
if yes, closing the interface with the authentication type being the second type.
2. The method of claim 1, wherein determining the authentication mode corresponding to the request path comprises:
determining a URL address in a configuration file corresponding to the service request according to the request parameter;
and determining an authentication mode according to the URL address in the configuration file and an authentication mode code corresponding to the URL address.
3. The method according to claim 2, wherein the method further comprises:
and determining a verification field corresponding to the URL address of the service request according to the URL address in the configuration file.
4. A micro-service based authentication device, the device comprising:
the authentication type determining module is used for determining the authentication type of the service request according to the request path of the service request if the service request is received; the request path of the service request comprises an interface type called by the service request, wherein the interface type comprises an authentication interface or the interface type only comprises an authentication interface;
the authentication result acquisition module is used for analyzing request parameters in the service request if the authentication type is the first type, authenticating the service request by adopting an authentication aggregation micro-service, and authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result; if the authentication type is the second type, authenticating the service request by adopting a weak authentication aggregation micro-service according to the request parameters in the service request to obtain a weak authentication result; wherein the first type corresponds to the interface type and comprises an authentication interface, and the second type corresponds to the interface type and comprises only an authentication interface;
the method comprises the steps of analyzing request parameters in the service request, authenticating the service request by adopting an authentication aggregation micro-service, authenticating the service request by adopting a strong authentication aggregation micro-service to obtain a strong authentication result, and comprising the following steps:
receiving an authentication request of the service request through a gateway, and forwarding the authentication request to an authentication aggregation micro-service;
checking authentication information in the service request through the authentication aggregation micro-service, and if the authentication information passes the check, returning Token to the client; the authentication aggregation micro-service comprises at least one authentication basic service of mobile phone number authentication, WeChat authentication, QQ authentication, applet authentication and account authentication;
if the gateway receives that the Token is carried in the service request sent by the client, determining that the service request is a strong authentication request;
if the Token is verified to be valid, the Token is analyzed, the user information is identified, and the user information is used as a newly added parameter and is transmitted to the strong authentication aggregation micro-service; receiving a user request by the strong authentication aggregation micro service; decomposing the user request into a plurality of strong authentication basic micro-service requests; the response information returned by the basic micro-service is aggregated, and the service result is returned to the client;
and authenticating the service request by adopting a weak authentication aggregation micro service according to the request parameters in the service request to obtain a weak authentication result, wherein the method comprises the following steps:
receiving user information in a service request sent by the client through a gateway, and if the user information passes verification, transmitting the user information as a newly added parameter to a weak authentication aggregation micro-service; receiving a user request by weak authentication aggregation micro service; decomposing the user request into a plurality of weak authentication basic micro-service requests; the response information returned by the basic micro-service is aggregated, and the service result is returned to the client;
wherein the apparatus is further configured to:
determining whether the current service request load reaches a load threshold value;
if yes, closing the interface with the authentication type being the second type.
5. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements a micro-service based authentication method as claimed in any one of claims 1-3.
6. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements a micro-service based authentication method according to any of claims 1-3 when executing the computer program.
CN202110018399.6A 2021-01-07 2021-01-07 Authentication and authorization method and device based on micro-service, medium and electronic equipment Active CN112804224B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110018399.6A CN112804224B (en) 2021-01-07 2021-01-07 Authentication and authorization method and device based on micro-service, medium and electronic equipment


Publications (2)

Publication Number Publication Date
CN112804224A CN112804224A (en) 2021-05-14
CN112804224B true CN112804224B (en) 2023-07-14

Family

ID=75808964

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110018399.6A Active CN112804224B (en) 2021-01-07 2021-01-07 Authentication and authorization method and device based on micro-service, medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN112804224B (en)




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant