CN113626840A - Interface authentication method and device, computer equipment and storage medium - Google Patents

Interface authentication method and device, computer equipment and storage medium

Info

Publication number: CN113626840A
Authority: CN (China)
Prior art keywords: identity authentication, authentication token, client, interface, server
Prior art date
Legal status: Pending
Application number: CN202110836397.8A
Other languages: Chinese (zh)
Inventors: 王玉良, 郝文静, 张涛, 胡梦龙, 吕灼恒, 原帅, 张磊
Current assignee: Dawning Information Industry Beijing Co Ltd
Original assignee: Dawning Information Industry Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Dawning Information Industry Beijing Co Ltd
Priority to CN202110836397.8A
Publication of CN113626840A

Classifications

    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data and G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (under G06F21/60 Protecting data and G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F9/505 Allocation of resources, e.g. of the central processing unit [CPU], to service a request, the resource being a machine, e.g. CPUs, servers, terminals, considering the load (under G06F9/5027, G06F9/5005, G06F9/50 Allocation of resources, G06F9/46 Multiprogramming arrangements, G06F9/06 and G06F9/00 Arrangements for program control, e.g. control units using stored programs)
    All three fall under G Physics, G06 Computing; calculating or counting, G06F Electric digital data processing.

Abstract

The application relates to an interface authentication method and apparatus, a computer device and a storage medium. The method comprises: obtaining an identity authentication token stored locally at a first client, the token being used for interface authentication after login to the first client; after the first client has successfully called an interface of a first server on which the first client's service is deployed, generating, in response to a cross-platform service processing instruction, an interface call request containing the identity authentication token; and sending the interface call request to a second server, instructing the second server to perform interface call authentication. With this method, single sign-on in a distributed system is achieved and the load-balancing problem caused by deploying a dedicated authentication server is avoided.

Description

Interface authentication method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to an interface authentication method and apparatus, a computer device, and a storage medium.
Background
As internet technology has matured, software systems have spread into many scenarios across industries, and the connections between different systems have grown ever closer. Various platforms, combined systems and single sign-on services have emerged as a result, and communication between systems increasingly demands higher security and reliability.
At present, in the traditional cross-platform interface authentication for single sign-on in a distributed system, a dedicated authentication server must be deployed. An interface call request initiated on a client for a service server is first sent to the authentication server, which performs the interface authentication on behalf of the service server: it checks, by querying a database, whether the information in the interface call request matches the information stored in advance, and after successful authentication it redirects the client to the requested page of the corresponding service server.
However, the deployment of the authentication server is fixed: every interface authentication has to be performed on that one authentication server, which imposes strong network constraints and creates a load-balancing problem.
Disclosure of Invention
In view of the above, it is necessary to provide an interface authentication method, apparatus, computer device and storage medium that solve the above technical problems.
An interface authentication method, applied to a first client, the method comprising:
acquiring an identity authentication token stored locally at the first client, wherein the identity authentication token is used for interface authentication after logging in the first client;
after the first client has successfully called an interface of a first server on which the first client's service is deployed, generating, in response to a cross-platform service processing instruction, an interface call request containing the identity authentication token;
and sending the interface call request to a second server, instructing the second server to perform interface call authentication.
In this embodiment, the identity authentication token is stored locally at the client. When an interface needs to be called, an interface call request containing the token is generated and sent to the target server for identity authentication. No dedicated identity authentication server has to be deployed, so the single sign-on requirement of the distributed system is met and server resource cost is saved; at the same time, the verification of each interface call is executed on a different server, which removes the load-balancing problem of a dedicated authentication server.
In one embodiment, the obtaining the identity authentication token stored locally at the first client includes:
sending user login information to a first server through the first client, and instructing the first server to generate an identity authentication token according to the user login information, the first server being the server on which the first client's service is deployed;
and receiving the identity authentication token fed back by the first server, and storing the identity authentication token to the local.
In this embodiment, the first server corresponding to the first client performs authentication of user login information and generates a corresponding identity authentication token that can be used for interface invocation, thereby implementing functions of single login and cross-platform interface authentication in the distributed system.
In one embodiment, the generating an interface invocation request including the identity authentication token in response to the cross-platform service processing instruction includes:
acquiring the data structure of the interface call request in response to the triggering of the cross-platform service processing instruction;
and encapsulating the identity authentication token in the header of the data structure of the interface call request to generate the interface call request containing the identity authentication token.
In this embodiment, the first client encapsulates the identity authentication token into the data structure of the interface call request, so that the generated interface call request can be used for calling each service interface.
In one embodiment, before generating the interface call request including the identity authentication token, the method further includes:
judging the validity of the identity authentication token according to its validity period;
if the identity authentication token is valid, executing the step of generating an interface call request containing the identity authentication token;
and if the identity authentication token is invalid, outputting an expiry prompt message for the identity authentication token.
In this embodiment, the first client generates the interface call request only from a token whose validity period has not expired, which reduces the risk of the token being misused and improves the security of interface calls.
In one embodiment, the generating an interface invocation request including the identity authentication token if the identity authentication token has validity includes:
determining the current validity period of the identity authentication token according to the preset valid duration of the token and the recorded start of its current validity period;
if the current time is within the current validity period and the time remaining until the end of the current validity period is greater than a preset time-difference threshold, maintaining the current validity period of the identity authentication token and generating an interface call request containing the token;
and if the current time is within the current validity period and the time remaining until the end of the current validity period is less than the preset time-difference threshold, updating the validity period of the identity authentication token by taking the end of the current validity period as the start of a new validity period, and generating an interface call request containing the token.
In this embodiment, the first client supervises and updates the validity period of the identity authentication token: while the user keeps entering operation instructions, the first client decides from the remaining validity time whether to update the validity period, so that the validity of the token is prolonged.
An interface authentication method, applied to a first server, the method comprising:
receiving a user login request sent by a first client, wherein the user login request carries user login information;
after the login is successful according to the user login information, determining user identity authentication information corresponding to the first client;
generating an identity authentication token according to the user identity authentication information and a preset encryption algorithm;
sending the identity authentication token to the first client and instructing the first client to store it; the identity authentication token is used by the first client to generate, in response to a cross-platform service processing instruction, an interface call request that is sent to the second server, instructing the second server to perform interface call authentication.
In this embodiment, after a successful login the first server determines the identity authentication information corresponding to the first client from its login information, generates an identity authentication token from that information and a preset encryption algorithm, and feeds the token back to the first client for storage, so that the first client can make cross-platform interface calls with the token; cross-platform interface authentication under single sign-on is thereby achieved.
In one embodiment, the generating an identity authentication token according to the user identity authentication information and a preset encryption algorithm includes:
acquiring the encryption algorithm parameters of the identity authentication token and the identity authentication token data structure;
adding the encryption algorithm parameters to the header of the token data structure, and adding the user identity authentication information to the payload of the token data structure;
encrypting the header and the payload of the token data structure in a standard encryption mode to obtain a header ciphertext and a payload ciphertext;
and encrypting the header ciphertext and the payload ciphertext in the encryption mode declared by the encryption algorithm parameters to obtain an encrypted ciphertext, and performing salted combined encryption on that ciphertext to obtain the identity authentication token.
In this embodiment, the identity authentication information is protected by combining the acquired identity authentication information with the preset token data structure and encrypting the result in a combined manner.
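The token described above has three parts: a header carrying the algorithm parameters, a payload carrying the identity information, and a keyed transformation over both. The Python below is an added example written for this page, not code from the patent or its assignee. It reads the "standard encryption" of header and payload as base64url encoding, the encryption "declared by the algorithm parameters" as an HMAC-SHA256 tag over the encoded header and payload, and the "salt" as a secret shared by the first and second servers; these readings, the claim names, the `exp` claim and the secret value are all assumptions. The block also shows the second server's side of the preceding embodiment: authenticating an interface call needs only the token and the shared secret, which is why no dedicated authentication server is involved.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example: the shared secret that plays the part of the
# "salt" in the combined encryption. Every server that has to authenticate
# interface calls holds the same value, which is what makes a dedicated
# authentication server unnecessary. (Assumption: the patent does not say
# how the salt is chosen or distributed.)
SHARED_SECRET = b"example-shared-secret-not-for-production"


def _b64url(raw: bytes) -> str:
    """URL-safe base64 without padding; assumed 'standard' encoding of header and payload."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(identity: dict, secret: bytes, now: int, ttl_seconds: int) -> str:
    """First server: build header.payload.tag after a successful login.

    The header carries the algorithm parameters, the payload the user identity
    authentication information plus issued-at and expiry claims, and the tag is
    an HMAC-SHA256 over the encoded header and payload keyed with `secret`.
    """
    header = {"alg": "HS256", "typ": "TOKEN"}
    payload = dict(identity, iat=now, exp=now + ttl_seconds)
    head_part = _b64url(json.dumps(header, separators=(",", ":"), sort_keys=True).encode())
    load_part = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{head_part}.{load_part}".encode("ascii")
    tag = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{head_part}.{load_part}.{_b64url(tag)}"


def verify_token(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Second server: authenticate an interface call from the token alone.

    Returns the payload on success and None on any failure. The algorithm is
    pinned to HS256 instead of being read from the header, so a forged header
    cannot switch the check to a weaker or absent algorithm.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_part, load_part, tag_part = parts
    try:
        header = json.loads(_b64url_decode(head_part))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{head_part}.{load_part}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison: the tag check must not leak how many bytes matched.
        if not hmac.compare_digest(expected, _b64url_decode(tag_part)):
            return None
        payload = json.loads(_b64url_decode(load_part))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if now >= payload["exp"]:
        return None
    return payload
```

Two points a practitioner should keep in mind. An HMAC is an integrity tag, not encryption: anyone holding the token can base64-decode the payload, so identity information that must stay confidential does not belong in the payload in the clear. And the `exp` claim is what lets the second server refuse an expired token on its own; a validity window kept only in the client's local bookkeeping is invisible to the server that authenticates the call.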
An interface authentication apparatus, the apparatus comprising:
an acquisition module, used for acquiring an identity authentication token stored locally at a first client, wherein the identity authentication token is used for interface authentication after login to the first client;
a generating module, used for generating, after the first client has successfully called an interface of a first server on which the first client's service is deployed and in response to a cross-platform service processing instruction, an interface call request containing the identity authentication token;
and a sending module, used for sending the interface call request to a second server and instructing the second server to perform interface call authentication.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
acquiring an identity authentication token stored locally at the first client, wherein the identity authentication token is used for interface authentication after logging in the first client;
after the first client successfully calls an interface of a first server for deploying first client services, responding to a cross-platform service processing instruction, and generating an interface calling request containing the identity authentication token;
and sending the interface calling request to a second server, and indicating the second server to carry out interface calling authentication.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
acquiring an identity authentication token stored locally at the first client, wherein the identity authentication token is used for interface authentication after logging in the first client;
after the first client successfully calls an interface of a first server for deploying first client services, responding to a cross-platform service processing instruction, and generating an interface calling request containing the identity authentication token;
and sending the interface calling request to a second server, and indicating the second server to carry out interface calling authentication.
The interface authentication method, apparatus, computer device and storage medium obtain an identity authentication token stored locally at the first client, the token being used for interface authentication after login to the first client; after the first client has successfully called an interface of the first server, generate, in response to a cross-platform service processing instruction, an interface call request containing the identity authentication token; and send the interface call request to a second server, instructing the second server to perform interface call authentication. With this method the token is stored locally at the client and, whenever an interface has to be called, an interface call request containing it is generated and sent to the target server for identity authentication. The single sign-on requirement of the distributed system is met without deploying a dedicated identity authentication server, which saves server resource cost, and because the verification of each interface call is executed on a different server, the load-balancing problem of a dedicated authentication server is avoided.
Drawings
FIG. 1 is a diagram of an application environment of a method for interface authentication in one embodiment;
FIG. 2 is a flow diagram illustrating a method for interface authentication in one embodiment;
FIG. 3 is a flowchart illustrating the steps of obtaining an identity authentication token in one embodiment;
FIG. 4 is a flowchart illustrating the step of generating an interface call request in one embodiment;
FIG. 5 is a flowchart illustrating the steps of determining the validity of an identity authentication token in one embodiment;
FIG. 6 is a flowchart illustrating the steps of maintaining validity of an identity authentication token in one embodiment;
FIG. 7 is a flowchart illustrating a method for authenticating an identity authentication token in interface authentication according to an embodiment;
FIG. 8 is a flowchart illustrating steps for generating an identity authentication token in one embodiment;
FIG. 9 is a block diagram showing the structure of an interface authentication apparatus according to an embodiment;
FIG. 10 is a diagram showing an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The interface authentication method provided by the application can be applied to a distributed system as shown in fig. 1, in which a terminal 102 communicates with a plurality of servers 104 over a network. Clients of various service types are installed on the terminal 102, and the service processing logic of each client is deployed on a corresponding server 104. To achieve Single Sign-On (SSO) in the distributed system, after the user has logged in to a first client on the terminal, the identity authentication token stored locally at the first client is obtained; the token is used for interface authentication after login to the first client. After the first client has successfully called an interface of the first server on which its service is deployed, it responds to a cross-platform service processing instruction by generating an interface call request containing the identity authentication token. The first client then sends the interface call request to the second server and instructs the second server to perform interface call authentication.
The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices, and the server 104 may be implemented by an independent server or a server cluster formed by a plurality of servers.
In one embodiment, as shown in fig. 2, an interface authentication method is provided, which is described by taking the method as an example applied to the terminal 102 running the first client in fig. 1, and includes the following steps:
step 201, obtaining an identity authentication token locally stored in a first client.
The identity authentication token is used for identity authentication when the interface is called.
Specifically, after the user successfully logs in the first client on the terminal device, the first client obtains an identity authentication token fed back by the first server, where the identity authentication token is used for performing identity authentication (or called role authentication) when the first client calls the first server interface, that is, authenticating a service right possessed by the first client. Therefore, after the first client receives the identity authentication token, the identity authentication token is stored in the local memory, and when the interface call needs to be performed, the first client acquires the identity authentication token from the local memory.
Step 202, after the first client successfully calls the interface of the first server for deploying the first client service, responding to the cross-platform service processing instruction, and generating an interface calling request containing the identity authentication token.
In implementation, after the first client successfully calls the interface of the first server deploying the first client service (i.e. indicating that the first client can call the first server to process the corresponding service according to the service processing requirement), when the user triggers the cross-platform service processing instruction through the display page of the first client, the first client generates an interface call request containing the identity authentication token in response to the cross-platform service processing instruction.
Step 203, sending the interface calling request to the second server, and instructing the second server to perform interface calling authentication.
In implementation, on the basis of the cross-platform service processing instruction, the first client sends the generated interface call request directly to the second server across platforms; that is, the second server is instructed to authenticate the first client's interface call from the first client's identity authentication token, without any login to, or interface call through, a second client. For example, when a user orders goods on a purchasing platform (the first client) and chooses to pay for them, the payment option on the purchasing platform inputs the corresponding cross-platform service processing instruction; an interface call request is generated and sent to the second server on which the payment service is deployed, and the second server is instructed to authenticate the interface call, i.e. the identity and authority, of the platform (the first client).
Optionally, the second server may be any server having a business cooperation relationship with the first server corresponding to the first client, and the embodiment of the present application is not limited.
In the interface authentication method, an identity authentication token stored locally at a first client is obtained, the token being used for interface authentication after login to the first client; after the first client has successfully called an interface of the first server on which its service is deployed, an interface call request containing the token is generated in response to a cross-platform service processing instruction; and the interface call request is sent to a second server, which is instructed to perform interface call authentication. Because the token is stored locally at the client and an interface call request containing it is generated and sent to the target server whenever an interface has to be called, no dedicated identity authentication server is needed and server resource cost is saved; at the same time, the verification of each interface call is executed on a different server, so the load-balancing problem of a dedicated authentication server is avoided.
In one embodiment, as shown in fig. 3, the identity authentication token stored locally at the first client in step 201 is obtained from feedback by the first server; the specific process is as follows:
step 301, sending the user login information to the first server through the first client, and instructing the first server to generate an identity authentication token according to the user login information.
The first server is a server for deploying the service corresponding to the first client.
In implementation, when a user logs in a first client, corresponding login information is input in a login interface provided by the first client, wherein the login information can be a user name and a login password, and then the first client sends the received login information to a first server to instruct the first server to generate an identity authentication token according to the user login information.
Step 302, receiving the identity authentication token fed back by the first server, and storing the identity authentication token to the local.
In implementation, the first client receives the identity authentication token fed back by the first server, and stores the identity authentication token locally for identity authentication called by different subsequent service interfaces.
In this embodiment, the first server corresponding to the first client performs authentication of user login information and generates a corresponding identity authentication token that can be used for interface invocation, thereby implementing functions of single login and cross-platform interface authentication in the distributed system.
In one embodiment, as shown in fig. 4, the specific process of generating the interface invocation request containing the identity authentication token in response to the cross-platform service processing instruction in step 202 includes the following steps:
step 401, in response to the trigger of the cross-platform service processing instruction, acquiring a data structure of the interface call request.
In implementation, the first client pre-stores the data structures of the various interface call requests and, in response to the triggering of a cross-platform service processing instruction, acquires the data structure corresponding to the interface call request. The data structure is JSON (JavaScript Object Notation), a lightweight data-exchange format.
Step 402, encapsulating the identity authentication token in the header of the data structure of the interface call request, and generating the interface call request containing the identity authentication token.
In implementation, the first client encapsulates the obtained identity authentication token in the header of the obtained data structure of the interface call request, and generates an interface call request that contains the token and can be used for interface authentication.
In this embodiment, the first client encapsulates the identity authentication token into the data structure of the interface call request, so that the generated interface call request can be used for calling each service interface.
In one embodiment, as shown in fig. 5, the identity authentication token has a validity period, and therefore, before generating the interface invocation request containing the identity authentication token in step 402, the method further comprises:
step 501, judging the validity of the identity authentication token according to the validity period of the identity authentication token.
In implementation, the first client reads the validity period of the identity authentication token, and determines whether the current time is within a validity period according to the time range of the validity period of the identity authentication token, i.e., determines the validity of the identity authentication token at the current time.
Step 502, if the identity authentication token has validity, an interface call request including the identity authentication token is generated.
In an implementation, if the identity authentication token has validity, it indicates that the identity authentication token is currently available for identity authentication, and therefore, the interface call request including the identity authentication token is generated in step 402.
Step 503, if the identity authentication token is invalid, outputting an expiration prompt message of the identity authentication token.
In implementation, if the identity authentication token is invalid, it has expired, and an expiry prompt message for the token is output on the display page of the first client to tell the user that no interface can be called at present.
Optionally, if the user still needs to continue operating in the first client after receiving the expiry prompt, the user must log in to the first client again so that identity authentication is performed anew.
Optionally, in addition to verifying the validity of the token when generating an interface call request, the first client may monitor the validity of the token in real time and output a prompt on its display page as soon as it detects that the token has become invalid.
In this embodiment, the first client generates the interface call request according to the time-efficient identity authentication token, so that the risk of being falsely used can be reduced, and the security of interface call can be improved.
In one embodiment, as shown in fig. 6, the specific processing procedure of step 502 includes the following steps:
step 601, determining the current validity period of the identity authentication token according to the preset validity duration of the identity authentication token and the recorded starting point of the current validity period of the identity authentication token.
In implementation, the first client determines the current validity period of the identity authentication token according to a preset validity period of the identity authentication token and a recorded validity period starting point of the identity authentication token, for example, the validity period of the identity authentication token is 5 minutes, and the recorded starting point of the current validity period of the identity authentication token is 9: 00, the current validity range of the identity authentication token is 9: 00 to 9: 05.
Step 602, if the current time is within the current validity period and the time remaining from the current time until the lower limit time (the deadline) of the current validity period is greater than a preset time difference threshold, maintaining the current validity period of the identity authentication token and generating an interface call request including the identity authentication token.
In implementation, the first client monitors the progress of the validity period of the identity authentication token. If the current time is within the current validity period and the time difference between the current time and the lower limit time of the validity period is greater than the preset time difference threshold, this indicates that sufficient time remains before the deadline of the current validity period, so the current validity period of the identity authentication token is maintained, and an interface call request including the identity authentication token is generated when triggered by a cross-platform service processing instruction.
Step 603, if the current time is within the current validity period and the time remaining from the current time until the lower limit time of the current validity period is less than the preset time difference threshold, updating the validity period of the identity authentication token by taking the lower limit time of the current validity period as the starting point of a new validity period, and generating an interface call request containing the identity authentication token.
In implementation, the first client monitors the progress of the validity period of the identity authentication token. If the current time is within the current validity period and the time difference between the current time and the lower limit time of the validity period is less than the preset time difference threshold, this indicates that the identity authentication token is still valid but about to expire. Therefore, when triggered by the cross-platform service processing instruction, the first client updates the validity period of the identity authentication token by taking the lower limit time of the current validity period as the starting point of a new validity period, and then generates an interface call request according to the updated identity authentication token.
Optionally, after the first client receives the identity authentication token fed back by the first server, the update of the token's validity period is not triggered only by the cross-platform service processing instruction; any other instruction can also trigger it. That is, while the user continuously performs service operations in the operation page of the first client, if the validity period of the identity authentication token is about to end and a corresponding operation instruction is input, this indicates that the user's service processing is not yet complete, and the operation instruction triggers the update of the validity period so as to maintain the validity of the identity authentication token.
In this embodiment, the first client has a supervision and update mechanism for the validity period of the identity authentication token: while the user continuously inputs operation instructions, the first client can decide, according to the time remaining in the validity period of the identity authentication token, whether to update that validity period, thereby prolonging the validity of the identity authentication token.
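The validity-period supervision of steps 601 to 603 above, written out as an added Python example that is not part of the patent: a ValidityPeriod record, a supervise_token decision function, and a walkthrough using the page's 5-minute period starting at 9:00. The 1-minute threshold, the Authorization header and all function names are assumptions; the example tracks only the client's local window, and the server-side check of fig. 9 still validates the token it actually receives.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ValidityPeriod:
    """Client-side record of the token's current validity period (step 601)."""
    start: datetime        # recorded starting point of the current validity period
    duration: timedelta    # preset validity duration of the identity authentication token

    @property
    def end(self) -> datetime:
        # The "lower limit time" of the validity period in the text: its deadline.
        return self.start + self.duration


def supervise_token(period, now, threshold):
    """Decide what to do with the token before an interface call request is built.

    Returns (decision, period):
      "expired" - now is past the deadline: output the expiration prompt (step 506)
      "keep"    - enough time remains: keep the current period (step 602)
      "renew"   - about to expire: the deadline of the current period becomes the
                  starting point of the next one (step 603)
    Only the deadline is checked, because a renewed period starts at the old
    deadline and may therefore begin slightly after the request that renewed it.
    """
    if now >= period.end:
        return "expired", period
    remaining = period.end - now
    if remaining > threshold:
        return "keep", period
    # Assumption: the text leaves remaining == threshold unspecified; treated as "about to expire".
    return "renew", ValidityPeriod(start=period.end, duration=period.duration)


def build_call_request(token, period, now, threshold):
    """Steps 502/503: only a token judged valid is packaged into the request header.

    Returns (request_or_None, period, decision). The header name is an assumption.
    """
    decision, period = supervise_token(period, now, threshold)
    if decision == "expired":
        return None, period, decision
    request = {"headers": {"Authorization": "Bearer " + token}, "body": {}}
    return request, period, decision


def walkthrough(minute_offsets=(2, 4.5, 11)):
    """Constructed walk-through with the page's numbers: a 5-minute period starting at
    9:00, an assumed 1-minute threshold, and requests at the given offsets (minutes
    after 9:00). Returns a list of (request time, decision, period end) strings."""
    t0 = datetime(2021, 7, 23, 9, 0)
    period = ValidityPeriod(start=t0, duration=timedelta(minutes=5))
    threshold = timedelta(minutes=1)
    results = []
    for m in minute_offsets:
        now = t0 + timedelta(minutes=m)
        _request, period, decision = build_call_request("constructed-token", period, now, threshold)
        results.append((now.strftime("%H:%M:%S"), decision, period.end.strftime("%H:%M:%S")))
    return results


if __name__ == "__main__":
    for row in walkthrough():
        print(*row)   # 09:02:00 keep / 09:04:30 renew (period now ends 09:10) / 09:11:00 expired
```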
In another embodiment, an interface authentication method is provided, as shown in fig. 7, where the method is applied to a first server, where the first server is a server that deploys service processing logic corresponding to a first client, and the method includes the following steps:
Step 701, receiving a user login request sent by a first client.
The user login request carries user login information.
In implementation, the first server receives the user login request sent by the first client and obtains the user login information carried in it. The user login information may include a user name (or user ID) and a login password, and may also include user attribute information usable for login authentication; the embodiments of the present application do not limit this.
Step 702, after login succeeds according to the user login information, determining the user identity authentication information corresponding to the first client.
In implementation, after receiving the login information sent by the user, the first server verifies according to that information whether the identity of the first client to which the user belongs is legitimate; that is, the submitted login information is compared with the user login information stored in the database of the first server, and if they are consistent, the identity of the user's first client is determined to be legitimate. Further, after the user has successfully logged in, the first server can query the database according to the login information to determine the identity authentication information corresponding to the user, such as the user's public attribute information (ID (identity document), user name) and the user's private attribute information (user roles, e.g., member, non-member, administrator, general user). The identity authentication information further includes information such as the preset validity period of the identity authentication token and the expiration time of the identity authentication token. The identity authentication information may therefore be set according to the authentication requirements of the identity authentication token, and the embodiments of the present application are not limited in this respect.
Step 703, generating an identity authentication token according to the user identity authentication information and a preset encryption algorithm.
In implementation, the first server generates the identity authentication token according to the user identity authentication information and a preset encryption algorithm. Specifically, the identity authentication token may be encrypted and authenticated using the BCryptPasswordEncoder class in Spring Security. Under this password encryption algorithm, the same password yields a different ciphertext each time it is processed, which increases the difficulty of cracking the identity authentication token.
Step 704, sending the identity authentication token to the first client and instructing the first client to store it. The identity authentication token is used by the first client to generate an interface call request and send it to the second server, instructing the second server to perform interface call authentication.
In implementation, the first server sends the generated identity authentication token to the first client and instructs the first client to store it locally; the first client can then use the identity authentication token for the authentication of other interface calls.
In this embodiment, after the first client logs in successfully, the first server determines the identity authentication information corresponding to the first client from its login information, generates an identity authentication token according to that information and a preset encryption algorithm, and feeds the token back to the first client for storage, instructing the first client to perform cross-platform interface calls with it; cross-platform interface authentication under single sign-on is thereby implemented.
In one embodiment, as shown in fig. 8, the specific process of generating the identity authentication token in step 703 includes the following steps:
Step 801, obtaining the encryption algorithm parameters of the identity authentication token and the data structure of the identity authentication token.
In implementation, the first server obtains the encryption algorithm parameters of the identity authentication token and its data structure. Specifically, the data structure of the identity authentication token (JSON Web Token, JWT) comprises three parts, a header, a payload and a signature, and the character strings of the three parts are joined by ".". The first server generates each part of the identity authentication token in turn.
Step 802, adding the encryption algorithm parameters to the header of the identity authentication token data structure, and adding the user identity authentication information to the payload of the identity authentication token data structure.
In implementation, the first server adds the type of the identity authentication token and the encryption algorithm parameter used for the signature to the header of the data structure, and at the same time adds the determined user identity authentication information to the payload of the data structure. Specifically, the payload is essentially where the effective information of the identity authentication token is stored, such as registered claims, public claims and private claims; the embodiments of the present application are not limited in this respect.
Step 803, encrypting the header and the payload of the identity authentication token data structure according to a standard encryption mode to obtain a header ciphertext and a payload ciphertext.
In implementation, to create the signature of the identity authentication token, the first server processes the header and the payload of the data structure with the standard method, base64, to obtain the header ciphertext and the payload ciphertext. Base64 is a reversible encoding rather than a secrecy mechanism, so these two parts remain readable by anyone holding the token; the protection of the token rests on the signature of step 804.
Step 804, encrypting the header ciphertext and the payload ciphertext according to the encryption mode declared in the encryption algorithm parameters to obtain an encrypted ciphertext, and performing salted combined encryption on that ciphertext to obtain the identity authentication token.
In implementation, the first server processes the header ciphertext and the payload ciphertext according to the mode declared in the encryption algorithm parameters (HS256) to obtain an encrypted ciphertext, then combines that ciphertext with a salt (the secret) to obtain the signature of the identity authentication token, and finally assembles the identity authentication token from the generated parts.
In this embodiment, the security of the identity authentication information is ensured by combining the obtained identity authentication information with the preset data structure of the identity authentication token and applying the combined encryption described above.
In an embodiment, as shown in fig. 9, the method may be applied to the first server or the second server; the second server is used as the example here. After receiving an interface call request sent by the first client, the second server parses the header of the interface call request and determines whether it includes an identity authentication token (Token). If so, the interceptor obtains the identity authentication token for identity authentication and parses it as a JWT. The second server can parse the user's attribute information (public attributes and private attributes) into a Claims object in order to judge the identity authentication token. First, the validity of the identity authentication token is judged: if the token is within its validity period, it is valid. Then the user identity authentication information carried in the payload of the identity authentication token, such as user attribute information (user role, user authority, etc.), is further judged, and whether the current first client has the authority to call the interface is determined accordingly. If the user has the interface call authority, the second server responds to the cross-platform service processing instruction, processes the data according to the service logic, and returns the corresponding processing result to the first client.
Optionally, if it is determined that the interface call request does not include an identity authentication token, or the token exists but has expired, or the token is valid but does not carry the interface call authority, the second server returns a 403 (no-authority access) prompt to the first client to indicate that the user's interface call has failed.
In this embodiment, by authenticating the interface call request containing the identity authentication token sent by the first client, the second server determines the identity information and the corresponding role authority of the first client, and then provides service processing with the corresponding authority for a first client that passes the interface call authentication, thereby securing interface calls.
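Steps 801 to 804 (token generation on the first server) and the fig. 9 check on the second server, as one added Python example that is not the patent's code: issue_token builds the base64url header and payload and the HS256 signature, and authenticate_call reproduces the three 403 cases (missing token, expired token, token without the interface calling authority) before accepting a request. The shared secret, the Authorization header, and the claim names sub, name, role, iat and exp are assumptions.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    # Step 803: the "standard encryption mode" is base64url encoding (reversible, no secrecy).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(header_b64: str, payload_b64: str, secret: bytes) -> str:
    # Step 804: HS256 is HMAC-SHA256 over "header.payload", keyed with the secret ("salt").
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return _b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())


def issue_token(identity_info: dict, secret: bytes, validity_seconds: int, now: int) -> str:
    """Steps 801-804 on the first server: header, payload and signature joined with '.'."""
    header = {"alg": "HS256", "typ": "JWT"}                    # step 802: token type + algorithm
    payload = dict(identity_info)                               # step 802: user identity info
    payload.update({"iat": now, "exp": now + validity_seconds})  # assumed claim names
    header_b64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{_signature(header_b64, payload_b64, secret)}"


def authenticate_call(headers: dict, secret: bytes, allowed_roles: set, now: int):
    """Fig. 9 on the second server. Returns (200, claims) or (403, reason)."""
    auth = headers.get("Authorization", "")                     # assumed header carrying the token
    if not auth.startswith("Bearer "):
        return 403, "request header carries no identity authentication token"
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 403, "malformed identity authentication token"
    header_b64, payload_b64, signature = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return 403, "malformed identity authentication token"
    # Pin the algorithm the servers agreed on; never let the token's own header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return 403, "unexpected algorithm in token header"
    if not hmac.compare_digest(_signature(header_b64, payload_b64, secret), signature):
        return 403, "invalid signature"
    claims = json.loads(_b64url_decode(payload_b64))            # the Claims object of the text
    if now >= int(claims.get("exp", 0)):                        # validity period check
        return 403, "identity authentication token expired"
    if claims.get("role") not in allowed_roles:                 # role / authority check
        return 403, "no interface calling authority"
    return 200, claims


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # shared by first and second server (assumption)
    user = {"sub": "1001", "name": "alice", "role": "administrator"}   # constructed user
    token = issue_token(user, secret, validity_seconds=300, now=1_700_000_000)
    print(token)
    print(authenticate_call({"Authorization": "Bearer " + token}, secret, {"administrator"}, 1_700_000_010))
    print(authenticate_call({"Authorization": "Bearer " + token}, secret, {"administrator"}, 1_700_000_400))
```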
It should be understood that, although the steps in the flowcharts of fig. 2 to 6 and fig. 7 to 8 are shown in sequence as indicated by the arrows, they are not necessarily performed in that sequence. Unless explicitly stated otherwise, the steps are not bound to the exact order shown and described and may be performed in other orders. Moreover, at least some of the steps in fig. 2 to 6 and fig. 7 to 8 may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of performing these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 9, there is provided an interface authentication apparatus 900 including: an obtaining module 910, a generating module 920 and a sending module 930, wherein:
an obtaining module 910, configured to obtain an identity authentication token stored locally at a first client, where the identity authentication token is used for interface authentication after logging in the first client;
a generating module 920, configured to generate an interface invocation request including an identity authentication token in response to a cross-platform service processing instruction after an interface of a first server that deploys a first client service is successfully invoked by a first client;
a sending module 930, configured to send the interface call request to the second server, and instruct the second server to perform interface call authentication.
In an embodiment, the obtaining module 910 is specifically configured to send, by the first client, user login information to a first server, and instruct the first server to generate an identity authentication token according to the user login information; the first server is a server for deploying the first client service;
and receiving the identity authentication token fed back by the first server, and storing the identity authentication token to the local.
In an embodiment, the generating module 920 is specifically configured to, in response to a trigger of a cross-platform service processing instruction, obtain a data structure of an interface call request;
and packaging the identity authentication token into the header of the data structure of the interface call request to generate the interface call request containing the identity authentication token.
In one embodiment, the apparatus 900 further comprises:
a judging module, configured to judge the validity of the identity authentication token according to its validity period;
the generating module 920 is further configured to execute the step of generating an interface call request including the identity authentication token if the identity authentication token is valid;
and an output module, configured to output an expiration prompt for the identity authentication token if the identity authentication token is invalid.
In an embodiment, the generating module 920 is specifically configured to determine the current validity period of the identity authentication token according to the preset validity duration of the identity authentication token and the recorded starting point of the current validity period of the identity authentication token;
if the current time is within the current validity period and the time from the current time to the lower limit time of the current validity period is greater than a preset time difference threshold, maintain the current validity period of the identity authentication token and generate an interface call request containing the identity authentication token;
and if the current time is within the current validity period and the time from the current time to the lower limit time of the current validity period is less than the preset time difference threshold, update the validity period of the identity authentication token by taking the lower limit time of the current validity period as the starting point of a new validity period, and generate an interface call request containing the identity authentication token.
With this apparatus, the identity authentication token is stored locally at the client; when an interface needs to be called, an interface call request containing the identity authentication token is generated and sent to the target server for identity authentication. No dedicated identity authentication server needs to be deployed, the single sign-on requirement of a distributed system can be met, and server resource cost is saved; at the same time, the verification for each interface call is executed on different servers, which avoids the load-balancing problem that arises when a single authentication server is used.
For the specific limitations of the interface authentication apparatus 900, reference may be made to the limitations of the interface authentication method above, which are not repeated here. The modules in the interface authentication apparatus can be implemented wholly or partially by software, hardware or a combination thereof. The modules can be embedded in hardware form in, or be independent of, the processor of the computer device, or can be stored in software form in the memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 10. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement an interface authentication method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
Those skilled in the art will appreciate that the architecture shown in fig. 10 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), among others.
The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described, but any combination of them should be considered within the scope of this specification as long as it contains no contradiction.
The above embodiments express only several implementations of the present application, and their description is specific and detailed, but this should not be construed as limiting the scope of the invention patent. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the protection scope of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. An interface authentication method, applied to a first client, the method comprising:
acquiring an identity authentication token stored locally at the first client, wherein the identity authentication token is used for interface authentication after logging in the first client;
after the first client successfully calls an interface of a first server for deploying first client services, responding to a cross-platform service processing instruction, and generating an interface calling request containing the identity authentication token;
and sending the interface calling request to a second server, and indicating the second server to carry out interface calling authentication.
2. The method of claim 1, wherein obtaining the identity authentication token stored locally at the first client comprises:
sending user login information to a first server through the first client, and indicating the first server to generate an identity authentication token according to the user login information; the first server is a server for deploying the first client service;
and receiving the identity authentication token fed back by the first server, and storing the identity authentication token to the local.
3. The method of claim 1, wherein generating an interface invocation request containing the identity authentication token in response to a cross-platform business processing instruction comprises:
responding to the trigger of the cross-platform service processing instruction, and acquiring a data structure of an interface calling request;
and packaging the identity authentication token into the header of the data structure of the interface call request to generate the interface call request containing the identity authentication token.
4. The method of claim 1 or 3, wherein prior to generating the interface invocation request containing the identity authentication token, the method further comprises:
judging the validity of the identity authentication token according to the validity period of the identity authentication token;
if the identity authentication token has validity, executing the step of generating an interface calling request containing the identity authentication token;
and if the identity authentication token is invalid, outputting an overdue prompt message of the identity authentication token.
5. The method of claim 4, wherein generating an interface invocation request containing the identity authentication token if the identity authentication token has validity comprises:
determining the current validity period of the identity authentication token according to the preset valid duration of the identity authentication token and the recorded starting point of the current validity period of the identity authentication token;
if the current time is within the current validity period and the time from the current time to the lower limit time of the current validity period is greater than a preset time difference threshold, maintaining the current validity period of the identity authentication token and generating an interface call request containing the identity authentication token;
and if the current time is within the current validity period and the time from the current time to the lower limit time of the current validity period is less than the preset time difference threshold, updating the validity period of the identity authentication token by taking the lower limit time of the current validity period as the starting point of a new validity period, and generating an interface call request containing the identity authentication token.
6. An interface authentication method, applied to a first server, the method comprising:
receiving a user login request sent by a first client, wherein the user login request carries user login information;
after the login is successful according to the user login information, determining user identity authentication information corresponding to the first client;
generating an identity authentication token according to the user identity authentication information and a preset encryption algorithm;
sending the identity authentication token to the first client, and instructing the first client to store the identity authentication token; the identity authentication token is used by the first client to generate an interface call request in response to a cross-platform service processing instruction and send it to the second server, instructing the second server to carry out interface call authentication.
7. The method according to claim 6, wherein generating the identity authentication token according to the user identity authentication information and a preset encryption algorithm comprises:
acquiring the encryption algorithm parameters of the identity authentication token and the identity authentication token data structure;
adding the encryption algorithm parameters to the header of the identity authentication token data structure, and adding the user identity authentication information to the payload of the identity authentication token data structure;
encrypting the header and the payload of the identity authentication token data structure according to a standard encryption mode to obtain a header ciphertext and a payload ciphertext;
and encrypting the header ciphertext and the payload ciphertext according to the encryption mode declared by the encryption algorithm parameters to obtain an encrypted ciphertext, and performing salted combined encryption on that ciphertext to obtain the identity authentication token.
8. An interface authentication apparatus, the apparatus comprising:
an acquisition module, configured to acquire an identity authentication token stored locally at a first client, wherein the identity authentication token is used for interface authentication after logging in to the first client;
the generating module is used for responding to a cross-platform service processing instruction after the first client successfully calls an interface of a first server for deploying first client services, and generating an interface calling request containing the identity authentication token;
and the sending module is used for sending the interface calling request to a second server and indicating the second server to carry out interface calling authentication.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 5 or claims 6 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 5 or 6 to 7.
CN202110836397.8A 2021-07-23 2021-07-23 Interface authentication method and device, computer equipment and storage medium Pending CN113626840A (en)

Publications (1)

Publication Number Publication Date
CN113626840A true CN113626840A (en) 2021-11-09

Family

ID=78380767

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110836397.8A Pending CN113626840A (en) 2021-07-23 2021-07-23 Interface authentication method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113626840A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422226A (en) * 2022-01-13 2022-04-29 企查查科技有限公司 Token processing method and device, computer equipment and storage medium
CN115514478A (en) * 2022-09-22 2022-12-23 广西电网有限责任公司南宁供电局 Encryption authentication method, system and storage medium for intelligent power distribution terminal

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103188344A (en) * 2013-02-22 2013-07-03 浪潮电子信息产业股份有限公司 Method for safely invoking REST API (representational state transfer, application programming interface)
CN104378210A (en) * 2014-11-26 2015-02-25 成都卫士通信息安全技术有限公司 Cross-trust-domain identity authentication method
US20170353444A1 (en) * 2016-06-06 2017-12-07 Illumina, Inc. Tenant-aware distributed application authentication
CN110519240A (en) * 2019-08-09 2019-11-29 浙江大搜车软件技术有限公司 A kind of single-point logging method, apparatus and system
CN110569638A (en) * 2018-06-06 2019-12-13 中移(苏州)软件技术有限公司 API authentication method and device, storage medium and computing equipment
CN111447184A (en) * 2020-03-09 2020-07-24 上海数据交易中心有限公司 Single sign-on method, device, system and computer readable storage medium
CN112491778A (en) * 2019-09-11 2021-03-12 北京京东尚科信息技术有限公司 Authentication method, device, system and medium
CN112788033A (en) * 2021-01-13 2021-05-11 京东方科技集团股份有限公司 Authentication method and authentication system

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103188344A (en) * 2013-02-22 2013-07-03 浪潮电子信息产业股份有限公司 Method for safely invoking REST API (representational state transfer, application programming interface)
CN104378210A (en) * 2014-11-26 2015-02-25 成都卫士通信息安全技术有限公司 Cross-trust-domain identity authentication method
US20170353444A1 (en) * 2016-06-06 2017-12-07 Illumina, Inc. Tenant-aware distributed application authentication
CN110569638A (en) * 2018-06-06 2019-12-13 中移(苏州)软件技术有限公司 API authentication method and device, storage medium and computing equipment
CN110519240A (en) * 2019-08-09 2019-11-29 浙江大搜车软件技术有限公司 Single sign-on method, apparatus and system
CN112491778A (en) * 2019-09-11 2021-03-12 北京京东尚科信息技术有限公司 Authentication method, device, system and medium
CN111447184A (en) * 2020-03-09 2020-07-24 上海数据交易中心有限公司 Single sign-on method, device, system and computer readable storage medium
CN112788033A (en) * 2021-01-13 2021-05-11 京东方科技集团股份有限公司 Authentication method and authentication system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
周凯 (Zhou Kai): "React+Node.js Development in Practice: From Getting Started to Project Launch", China Machine Press (机械工业出版社), pages 315-318 *

Similar Documents

Publication Publication Date Title
CN112019493B (en) Identity authentication method, identity authentication device, computer equipment and medium
CN111262889B (en) Authority authentication method, device, equipment and medium for cloud service
CN105897668A (en) Third party account authorization method, device, server and system
CN112559993B (en) Identity authentication method, device and system and electronic equipment
CN111131416B (en) Service providing method and device, storage medium and electronic device
JP2018504789A (en) Payment authentication system, method and apparatus
US20160044508A1 (en) Method for providing application service
US20160241536A1 (en) System and methods for user authentication across multiple domains
CN111970116A (en) Virtual delivery device and system with remote authentication and related methods
CN113614719A (en) Computing system and method for providing session access based on authentication tokens having different authentication credentials
CN113626840A (en) Interface authentication method and device, computer equipment and storage medium
CN112165448B (en) Service processing method, device, system, computer equipment and storage medium
CN104821951B (en) Method and apparatus for secure communication
CN112800393A (en) Authorization authentication method, software development kit generation method, device and electronic equipment
EP3381166B1 (en) Systems and methods for cross-channel device binding
US11750391B2 (en) System and method for performing a secure online and offline login process
CN109587098B (en) Authentication system and method, and authorization server
CN112560006A (en) Single sign-on method and system under multi-application system
CN111628985A (en) Security access control method, security access control device, computer equipment and storage medium
CN108965335B (en) Method for preventing malicious access to login interface, electronic device and computer medium
CN108809927B (en) Identity authentication method and device
JP6714551B2 (en) Authentication key sharing system and inter-terminal key copying method
US20240113898A1 (en) Secure Module and Method for App-to-App Mutual Trust Through App-Based Identity
CN113297559B (en) Single sign-on method and device, computer equipment and storage medium
US20230020656A1 (en) Computing session multi-factor authentication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination