CN113761503A - Interface call processing method and device - Google Patents

Publication number
CN113761503A
Authority
CN
China
Prior art keywords
interface
call
calling
identity
authentication
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010964221.6A
Other languages
Chinese (zh)
Other versions
CN113761503B (en)
Inventor
张斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44: Program or device authentication

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/448: Execution paradigms, e.g. implementations of programming paradigms
    • G06F9/4482: Procedural

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present disclosure provides a method for processing an interface call, which may include the following operations: receiving a call authentication request of a first object, wherein the call authentication request is generated by the first object after receiving an interface call request of a second object; determining the identity information of the second object indicated by the call authentication request and the interface parameters of the target interface that the second object requests to call; verifying, according to the identity information and the interface parameters, whether the second object is authorized to call the target interface, to obtain a verification result; and sending the verification result to the first object so that the first object can determine, according to the verification result, whether to allow the second object to call the target interface. The disclosure also provides an apparatus for processing an interface call, an electronic device, and a computer-readable storage medium.

Description

Interface call processing method and device
Technical Field
The present disclosure relates to the field of security technologies, and in particular, to a method and an apparatus for processing an interface call, an electronic device, and a computer-readable storage medium.
Background
In a microservice-based application architecture, an application is built as a set of loosely coupled services, and a service provider exposes its services externally through interfaces. To ensure the security of applications and data, when a user requests to call an interface, the service provider performs interface call authentication to determine whether the user has the right to call the interface.
In the course of implementing the concept of the present disclosure, the inventor found that, in the related art, the authentication configuration information required by different interfaces may differ when interface call authentication is performed. As a result, a service provider has to maintain a large amount of authentication configuration information, which makes maintenance costly and difficult and makes interface call authentication inefficient.
Disclosure of Invention
In view of this, the present disclosure provides a method and an apparatus for processing an interface call, which have low maintenance cost, low maintenance difficulty, and high interface call authentication efficiency.
One aspect of the present disclosure provides a method for processing an interface call, which is applied to a call authentication platform and includes: receiving a call authentication request of a first object, where the call authentication request is generated by the first object after receiving an interface call request of a second object; determining the identity information of the second object indicated by the call authentication request and the interface parameters of the target interface that the second object requests to call; verifying whether the second object is authorized to call the target interface according to the identity information and the interface parameters to obtain a verification result; and sending the verification result to the first object so that the first object determines whether to allow the second object to call the target interface according to the verification result.
Optionally, determining the identity information of the second object indicated by the call authentication request includes determining an identity token of the second object indicated by the call authentication request; and verifying whether the second object is authorized to call the target interface according to the identity information and the interface parameters includes verifying whether the second object is authorized to call the target interface according to the identity token and the interface parameters.
Optionally, verifying whether the second object is authorized to call the target interface according to the identity token and the interface parameters includes: performing an identity verification operation on the second object according to the identity token to obtain an identity verification result; when the identity verification result indicates a pass, acquiring a valid interface list associated with the identity token; and verifying whether the second object has the right to call the target interface according to the valid interface list and the interface parameters.
Optionally, performing the identity verification operation on the second object according to the identity token includes determining the validity date of the identity token and the token signature in the identity token, and verifying the validity date and the token signature so as to perform the identity verification operation.
Optionally, verifying whether the second object has the right to call the target interface according to the valid interface list and the interface parameters includes determining whether the valid interface list includes the target interface indicated by the interface parameters, and determining that the second object has the right to call the target interface when the valid interface list contains the target interface.
Optionally, the method for generating the identity token and the valid interface list includes: receiving registration information of the second object, where the registration information includes identity information and interface call information of the second object; determining, according to the identity information and the interface call information, the list of interfaces that the second object has the right to call, so as to obtain the valid interface list; and generating the identity token according to the identity information and the valid interface list.
Optionally, determining, according to the identity information and the interface call information, the list of interfaces that the second object has the right to call includes: determining, according to the interface call information, at least one unauthorized interface that the second object requests to call; performing, according to the identity information and the interface call information, a call authentication operation for each unauthorized interface to obtain a first authentication result for each unauthorized interface; determining, according to the interface identifier of each unauthorized interface, at least one third object that issued the at least one unauthorized interface; sending the identity information and the interface call information to each third object, so that each third object performs a call authentication operation for the unauthorized interface to obtain a second authentication result for each unauthorized interface; and determining the list of interfaces that the second object has the right to call according to the first authentication result and the second authentication result.
Optionally, the method further includes: receiving a permission acquisition request for any unauthorized interface sent by the second object; performing an auditing operation on the permission acquisition request to determine whether the second object has the right to call the unauthorized interface; and adding the unauthorized interface to the valid interface list when the second object is determined to be authorized to call the unauthorized interface.
Another aspect of the present disclosure provides a method for processing an interface call, which is applied to a first object and includes: receiving an interface call request of a second object; generating a call authentication request based on the identity information of the second object indicated by the interface call request and the interface parameters of the target interface that the second object requests to call; sending the call authentication request to a call authentication platform so that the call authentication platform determines, according to the received call authentication request, whether the second object is authorized to call the target interface and generates a verification result; and receiving the verification result returned by the call authentication platform, and determining whether to allow the second object to call the target interface according to the verification result.
Another aspect of the present disclosure provides a method for processing an interface call, which is applied to a second object and includes: sending registration information to a call authentication platform, where the registration information includes identity information and interface call information of the second object; and receiving an identity token returned by the call authentication platform, where the identity token is generated by the call authentication platform according to the identity information and the interface call information, the identity token is associated with a valid interface list for the second object, and the valid interface list is the list of interfaces that the second object has the right to call.
Another aspect of the disclosure provides an apparatus for processing an interface call. The apparatus comprises a first receiving module, a second receiving module and a third receiving module, wherein the first receiving module is configured to receive a call authentication request of a first object, the call authentication request being generated by the first object after receiving an interface call request of a second object; a first determining module, configured to determine the identity information of the second object indicated by the call authentication request and the interface parameters of the target interface that the second object requests to call; a first verification module, configured to verify whether the second object has the right to call the target interface according to the identity information and the interface parameters, so as to obtain a verification result; and a sending module, configured to send the verification result to the first object so that the first object can determine whether to allow the second object to call the target interface according to the verification result.
Optionally, the first determining module includes a first determining submodule, configured to determine the identity token of the second object indicated by the call authentication request; and the first verification module includes a first verification submodule, configured to verify whether the second object is authorized to call the target interface according to the identity token and the interface parameters.
Optionally, the first verification sub-module includes a first verification unit, configured to perform an identity verification operation on the second object according to the identity token, so as to obtain an identity verification result; a first obtaining unit, configured to obtain a valid interface list associated with the identity token when the identity verification result indicates pass; and a second verifying unit, configured to verify whether the second object has the right to invoke the target interface according to the valid interface list and the interface parameters.
Optionally, the first verification unit includes a first processing subunit, configured to determine the validity date of the identity token and the token signature in the identity token; and a first verification subunit, configured to verify the validity date and the token signature so as to perform the identity verification operation.
Optionally, the second verifying unit includes a second processing subunit, configured to determine whether the valid interface list includes the target interface indicated by the interface parameter; and a third processing subunit, configured to determine that the second object is authorized to invoke the target interface when the valid interface list includes the target interface.
Optionally, the apparatus further includes a second receiving module, configured to receive registration information of the second object, where the registration information includes identity information and interface call information of the second object; a second determining module, configured to determine, according to the identity information and the interface calling information, an interface list that the second object has the right to call, so as to obtain the valid interface list; and the first processing module is used for generating the identity token according to the identity information and the valid interface list.
Optionally, the second determining module includes a second determining submodule, configured to determine, according to the interface call information, at least one unauthorized interface that the second object requests to call; a first processing submodule, configured to perform a call authentication operation for each unauthorized interface according to the identity information and the interface call information, so as to obtain a first authentication result for each unauthorized interface; a third determining submodule, configured to determine, according to the interface identifier of each unauthorized interface, at least one third object that issued the at least one unauthorized interface; a sending submodule, configured to send the identity information and the interface call information to each third object, so that each third object performs a call authentication operation for the unauthorized interface, so as to obtain a second authentication result for each unauthorized interface; and a fourth determining submodule, configured to determine the list of interfaces that the second object has the right to call according to the first authentication result and the second authentication result.
Optionally, the apparatus further includes a third receiving module, configured to receive a permission acquisition request for any unauthorized interface sent by the second object; a third determining module, configured to perform an auditing operation on the permission acquisition request to determine whether the second object has the right to call the unauthorized interface; and a second processing module, configured to add the unauthorized interface to the valid interface list when the second object is determined to be authorized to call the unauthorized interface.
Another aspect of the present disclosure provides an electronic device. The electronic device includes at least one processor, and a memory communicatively coupled to the at least one processor. Wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to implement the methods of the embodiments of the present disclosure.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions that, when executed, implement the method of embodiments of the present disclosure.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method of an embodiment of the disclosure when executed.
According to the embodiments of the present disclosure, a call authentication request of the first object is received, wherein the call authentication request is generated by the first object after receiving an interface call request of the second object; the identity information of the second object indicated by the call authentication request and the interface parameters of the target interface that the second object requests to call are determined; whether the second object is authorized to call the target interface is verified according to the identity information and the interface parameters to obtain a verification result; and the verification result is sent to the first object so that the first object can determine, according to the verification result, whether to allow the second object to call the target interface. This at least partially solves the technical problems in the related art of high maintenance cost and difficulty for call configuration information and low call authentication efficiency, and achieves the technical effects of effectively reducing the maintenance cost and difficulty of call configuration information and effectively improving call authentication efficiency.
Drawings
For a more complete understanding of the present disclosure and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
FIG. 1 schematically illustrates a processing system architecture for interface calls in accordance with an embodiment of the present disclosure;
FIG. 2A schematically illustrates a flow diagram of a method of processing an interface call according to an embodiment of the present disclosure;
FIG. 2B schematically illustrates an example diagram of identity information received in accordance with an embodiment of the disclosure;
FIG. 2C schematically illustrates an example diagram of interface call information received in accordance with an embodiment of the disclosure;
FIG. 2D schematically illustrates a processing system diagram of an interface call according to an embodiment of the disclosure;
FIG. 3 schematically shows a flow chart of a method of processing an interface call according to another embodiment of the present disclosure;
FIG. 4 schematically shows a block diagram of a processing device for interface calls according to an embodiment of the present disclosure;
FIG. 5 schematically shows a block diagram of an electronic device adapted to implement the processing method and apparatus for interface calls according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It is to be understood that such description is merely illustrative and not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
Various embodiments of the present disclosure provide a method for processing an interface call and a device capable of applying the method. In the method, a call authentication request of a first object is received, wherein the call authentication request is generated by the first object after receiving an interface call request of a second object; the identity information of the second object indicated by the call authentication request and the interface parameters of the target interface that the second object requests to call are determined; then, whether the second object is authorized to call the target interface is verified according to the identity information and the interface parameters to obtain a verification result; and finally, the verification result is sent to the first object so that the first object can determine whether to allow the second object to call the target interface according to the verification result.
As shown in fig. 1, the system architecture 100 includes at least one terminal (a plurality of terminals 101, 102, 103 are shown) and a call authentication platform 104 (which may be a server or a server cluster, etc., not shown). In the system architecture 100, a terminal may be an interface caller or an interface provider. Specifically, after receiving a call authentication request of a first object, where the call authentication request is generated by the first object after receiving an interface call request of a second object, the call authentication platform 104 determines identity information of the second object indicated by the call authentication request and interface parameters of a target interface requested to be called by the second object, then verifies whether the second object is authorized to call the target interface according to the identity information and the interface parameters to obtain a verification result, and finally sends the verification result to the first object, so that the first object determines whether to allow the second object to call the target interface according to the verification result.
It should be noted that the first object and the second object are only used for distinguishing the interface provider and the interface caller of the target interface in the embodiment of the present disclosure, and do not cause any special limitation to the present disclosure.
The present disclosure will be described in detail below with reference to the drawings and specific embodiments.
Fig. 2A schematically illustrates a flow chart of a method of processing an interface call according to an embodiment of the present disclosure.
As shown in fig. 2A, the method may include operations S210 to S240, for example.
In operation S210, a call authentication request of a first object is received, wherein the call authentication request is generated by the first object after receiving an interface call request of a second object.
Specifically, in the embodiments of the present disclosure, an interface is a predefined function that provides a set of routines through which a software system is accessed. By exposing an application program interface, the software system acts as a service provider, so that an external program can call a service of the software system or use its resources without changing the source code of the software system.
Depending on the service type and application scenario, service providers can provide interfaces of many kinds. Illustratively, in a person-goods matching scenario, the interfaces provided by the service provider may include, for example, a user attribute preference model and a crowd interest model; in a commodity marketing scenario, the interfaces provided by the service provider may include, for example, obtaining commodity details, detecting a crowd category, and a class lifecycle model.
The first object is a service provider, i.e. an interface provider, which allows other objects to share its services or use its resources by providing an interface. The second object is a service requester, i.e. an interface caller, which calls the service provided by the first object or uses the resource provided by the first object by accessing the interface. When the second object requests to call a target interface of the first object by sending an interface call request to the first object, the first object needs to verify whether the second object is authorized to call the target interface.
In the prior art, the second object provides authentication configuration information for the target interface, and the first object performs a call authentication operation on the second object according to that information. In the embodiments of the present disclosure, by contrast, after receiving an interface call request from the second object, the first object generates a call authentication request according to the identity information of the second object contained in the interface call request and the interface parameters of the target interface that the second object requests to call, and sends the call authentication request to the call authentication platform, requesting the platform to perform the call authentication operation for the second object and thereby determine whether the second object is authorized to call the target interface.
Next, in operation S220, the identity information of the second object indicated by the call authentication request and the interface parameters of the target interface that the second object requests to call are determined.
In the embodiments of the present disclosure, determining the identity information of the second object indicated by the call authentication request specifically means determining the identity token (token) of the second object indicated by the call authentication request. The identity token is a string that the call authentication platform creates for the second object, when the second object registers with the platform, to uniquely identify its identity information. The identity token is associated with the identity information of the second object and with a valid interface list of the interfaces that the second object is authorized to call.
The method for generating the identity token and the valid interface list includes: receiving registration information of the second object, where the registration information includes identity information and interface call information of the second object; determining, according to the identity information and the interface call information, the list of interfaces that the second object has the right to call, so as to obtain the valid interface list; and generating the identity token according to the identity information and the valid interface list.
When the second object registers with the call authentication platform, it uploads its identity information and interface call information to the platform. Fig. 2B schematically illustrates an example diagram of identity information received according to an embodiment of the present disclosure. As shown in fig. 2B, the identity information may include, for example, an IP address of a client machine of the second object, a client application ID (appID, which is assigned by the open service platform), a client application name (appName), a client user agent (user agent), business identity information (businessIdentity), and the like. Fig. 2C schematically illustrates an example diagram of interface call information received according to an embodiment of the present disclosure. As shown in fig. 2C, the interface call information may include information such as a first-level classification of the interface that the second object requests to call, an interface classification, an interface name, an applicant, an application scenario, a system source, a system name, a validity period, a single-day maximum call amount, a promotion maximum call amount, and a single call number.
The call authentication platform determines, according to the interface call information, at least one unauthorized interface that the second object requests to call, and then performs a call authentication operation for the at least one unauthorized interface according to the identity information and the interface call information of the second object, obtaining a first authentication result for each unauthorized interface. At the same time, the call authentication platform invites the third objects, i.e., the issuers of the unauthorized interfaces, to perform call authentication operations, obtaining a second authentication result for each unauthorized interface. For any unauthorized interface, when the first authentication result and the second authentication result both indicate that the verification is passed, it is determined that the second object has the calling authority for the unauthorized interface, and the unauthorized interface is added to the valid interface list associated with the second object.
The call authentication operation for an unauthorized interface includes application authentication and interface authentication. Application authentication verifies whether the second object (i.e. the interface caller represented by the second object) has a call authority; specifically, it determines, according to the identity information of the second object, whether the second object has the authority to make interface calls to a certain service provider. Interface authentication verifies whether the second object has the calling authority for a particular unauthorized interface.
For example, in an order service scenario, a certain service provider (i.e., an interface provider, that is, a third object) plans to open only the order query interface, and interfaces related to order refunds and the like reject third-party calls. In this case, if the unauthorized interfaces that the second object requests to call include the order refund interface, it is determined that the second object does not have the calling authority for the order refund interface, and the order refund interface is not added to the valid interface list associated with the second object. As another example, if the service provider (i.e., the interface provider, that is, the third object) determines that the second object's call volume for an unauthorized interface is too large, which may affect other callers' normal calls to that interface and may even threaten its security, it may be determined that the second object does not have the calling authority for the unauthorized interface, and the unauthorized interface is not added to the valid interface list associated with the second object.
After the valid interface list associated with the second object is obtained, an identity token of the second object is generated according to the identity information of the second object and the valid interface list, and is returned to the second object so that the second object can make interface calls with the received identity token. Specifically, when the second object requests to call a target interface, it sends an interface call request, which includes its identity token, to the interface provider of the target interface. The first object generates a call authentication request according to the received identity token of the second object and the interface parameters of the target interface that the second object requests to call, and sends the call authentication request to the call authentication platform, requesting the platform to verify whether the second object is authorized to call the target interface. The interface parameters may include an interface class name and an interface name, where the interface class name describes the class to which the interface belongs, or the application classification of the interface, and the interface name indicates a specific interface under the interface class name.
Next, in operation S230, it is verified whether the second object has the right to call the target interface according to the identity information and the interface parameter, so as to obtain a verification result.
In the embodiment of the present disclosure, specifically, a call authentication operation for the target interface is performed according to the identity information of the second object indicated by the call authentication request and the interface parameters of the target interface that the second object requests to call, so as to obtain a verification result. Further, a valid interface list associated with the second object is determined according to the received identity token of the second object; whether the target interface is in the valid interface list is judged according to the interface class name and the interface name of the target interface; and when the valid interface list contains the target interface, it is determined that the second object has the calling authority for the target interface.
Fig. 2D schematically shows a processing system for interface calls according to an embodiment of the present disclosure. As shown in fig. 2D, an interface caller (e.g., a second object) sends registration information to a call authentication platform. According to the identity information and interface call information in the registration information, the call authentication platform generates an identity token for the interface caller and returns it to the interface caller; at the same time, the call authentication platform also generates a valid interface list associated with the interface caller. When the interface caller needs to call an interface, it sends an interface call request to an interface provider (e.g., a first object), where the interface call request includes the identity token of the interface caller and the interface parameters of the target interface that the interface caller requests to access. The interface provider generates a call authentication request according to the received interface call request and sends it to the call authentication platform, so that the call authentication platform determines, according to the identity token and the interface parameters of the target interface in the call authentication request, whether the interface caller has the right to call the target interface, and generates a verification result. The call authentication platform returns the verification result to the interface provider, so that the interface provider determines whether the interface caller is allowed to call the target interface according to the verification result.
Interface call authentication is carried out by a third-party platform (namely, the call authentication platform) that is independent of the interface caller and the interface provider. When calling an interface, the interface caller only needs to send its identity token to the interface provider, and the interface provider only needs to send the interface caller's identity token to the call authentication platform for authority verification. The interface provider does not need to maintain a large amount of authentication configuration information for different interfaces, so the data maintenance cost and maintenance difficulty of interface call authentication are low, and the efficiency of interface call authentication is effectively improved.
Next, in operation S240, the verification result is transmitted to the first object for the first object to determine whether the second object is allowed to call the target interface according to the verification result.
In the embodiment of the present disclosure, specifically, after the verification result of the call authentication operation for the target interface is determined, the verification result is sent to the first object. The verification result indicates whether the second object has the calling authority for the target interface, and the first object can determine whether the second object is allowed to call the target interface according to the verification result.
For the interface call operation of the second object, an interface call log of the second object may be generated in the form of call records and stored in association with the identity token of the second object, where a call record may include the identity token, the interface class name, and the interface name. Optionally, the call authentication platform may further receive a permission acquisition request for any unauthorized interface sent by the second object, perform an audit operation on the request to determine whether the second object is authorized to call the unauthorized interface, and add the unauthorized interface to the valid interface list when it is determined that the second object is authorized to call it.
Optionally, when the call authority of the second object for an interface needs to be revoked, the interface identifier of that interface is deleted from the valid interface list. Specifically, when the authorization condition for an interface changes, the interface provider synchronizes the changed authorization condition to the call authentication platform, and the call authentication platform re-determines whether the calling authority of the second object for the interface has changed. This design keeps the valid interface list associated with the interface caller up to date, and because the interface call authentication operation is performed according to that list, it helps improve both the efficiency and the accuracy of interface call authentication.
In the embodiment of the disclosure, a call authentication request of a first object is received, where the call authentication request is generated by the first object after receiving an interface call request of a second object; the identity information of the second object indicated by the call authentication request and the interface parameters of the target interface that the second object requests to call are determined; whether the second object is authorized to call the target interface is then verified according to the identity information and the interface parameters to obtain a verification result; and the verification result is sent to the first object, so that the first object determines whether to allow the second object to call the target interface according to the verification result. Because a third-party platform (the call authentication platform) independent of the first object (interface provider) and the second object (interface caller) performs the interface call authentication operation for the second object, the provider of the interface service does not need to maintain authentication configuration information for each interface, which helps reduce the data maintenance cost and maintenance difficulty of interface call authentication and improve its efficiency.
Fig. 3 schematically shows a flow chart of a method of processing an interface call according to another embodiment of the present disclosure.
As shown in fig. 3, operation S230 may include, for example, operations S310 to S330.
In operation S310, an authentication operation is performed on the second object according to the identity token, so as to obtain an authentication result.
In the embodiment of the present disclosure, performing an identity verification operation on the second object may specifically include determining the validity date of the identity token and the token signature in the identity token, and verifying the validity date and the token signature.
Verifying the validity date of the identity token may include verifying whether the issue date of the identity token is within the validity date, and may further include verifying whether the timestamp of the identity token is within a preset time window. Whether the identity token of the second object is valid is determined by verifying whether the issue date of the identity token is within the validity date. Optionally, to ensure the security of the interface call, that is, to prevent an attacker who intercepts the identity token sent by an interface caller (e.g., the second object) to an interface provider (e.g., the first object) from sending that token to the interface provider and posing as an authorized interface caller, the interface caller attaches a timestamp to the identity token it sends to the interface provider when requesting to call an interface. When the interface provider requests the call authentication platform to perform interface call authentication, the call authentication platform determines whether the timestamp of the identity token is within the preset time window, and when it is, determines that the identity token of the second object is valid.
The token signature may be a signature of the identity token, which may be encrypted with a private key. The call authentication platform verifies the validity of the token signature and rejects any interface call request whose token signature is invalid. When both the validity date and the token signature pass verification, the identity verification result for the second object is determined to be a pass.
Next, in operation S320, in case that the authentication result indicates pass, a valid interface list associated with the identity token is acquired.
In this embodiment of the present disclosure, specifically, after it is determined that the second object passes identity verification, a valid interface list associated with the identity token is obtained. The valid interface list includes the interface identifiers of all interfaces that the second object has the right to call, and an interface identifier may specifically include the interface class name and the interface name of the interface. These two parameters are fixed for each interface and differ between interfaces, so together they uniquely identify each interface.
Next, in operation S330, it is verified whether the second object has a right to call the target interface according to the valid interface list and the interface parameters.
In the embodiment of the present disclosure, specifically, it is determined whether the valid interface list includes a target interface indicated by the interface parameter, and in a case that the valid interface list includes the target interface, it is determined that the second object has a right to call the target interface; and in the case that the effective interface list does not contain the target interface, determining that the second object does not have the right to call the target interface.
When the interface caller registers with the call authentication platform, the call authentication platform and the interface provider obtain the interface identifiers of the unauthorized interfaces that the interface caller requests to call, perform the call authentication operation for each unauthorized interface, and generate a valid interface list associated with the identity token of the interface caller. In subsequent interface call operations, the interface provider does not need to perform the call authentication operation for the target interface according to a large amount of call configuration information, so the efficiency of interface call authentication is high.
In the embodiment of the present disclosure, after obtaining the interface call request, the interface provider sends the identity token of the interface caller to the call authentication platform, so that a call authentication operation for the target interface is performed. The application program providing the interface service does not need to maintain authentication configuration information for each interface, so the maintenance cost and maintenance difficulty of call authentication data are low. The call authentication platform determines whether the interface caller has the calling authority for the target interface according to the valid interface list associated with the identity token, which, compared with performing the call authentication operation using a large amount of authentication configuration information associated with the target interface, helps improve the efficiency of interface call authentication.
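The registration flow and operations S310 to S330 described above can be sketched as follows. This is an added illustration, not code from the patent: the class and method names, the HMAC-SHA256 signature (standing in for the private-key token signature the text mentions), the 300-second window and all sample values are assumptions.

```python
import base64
import hashlib
import hmac
import json

PLATFORM_KEY = b"constructed-demo-key"  # assumption: secret held only by the platform
WINDOW_SECONDS = 300                    # assumption: the "preset time window"
T0 = 1_700_000_000                      # constructed issue time (Unix seconds)
QUERY = ("OrderService", "queryOrder")  # constructed (class name, interface name)
REFUND = ("OrderService", "refundOrder")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _sign(payload: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in for the page's private-key token signature.
    return _b64(hmac.new(PLATFORM_KEY, payload, hashlib.sha256).digest()).encode()


class CallAuthPlatform:
    def __init__(self):
        self.valid_interfaces = {}  # appID -> {(interface class name, interface name)}
        self.call_log = []          # call records: (appID, class name, name, allowed)

    def register(self, identity, requested, first_results, second_results,
                 valid_days, now):
        """Registration: an interface is granted only if the platform's (first)
        and the interface publisher's (second) authentication results both pass."""
        granted = {i for i in requested
                   if first_results.get(i) and second_results.get(i)}
        self.valid_interfaces[identity["appID"]] = granted
        body = {"appID": identity["appID"], "iat": now,
                "exp": now + valid_days * 86400}
        payload = json.dumps(body, sort_keys=True).encode()
        return _b64(payload) + "." + _sign(payload).decode()

    def revoke(self, app_id, interface):
        """Provider withdrew authorization: drop the identifier from the list."""
        self.valid_interfaces.get(app_id, set()).discard(interface)

    def verify(self, token, timestamp, class_name, interface_name, now):
        """Return (allowed, reason) for one call authentication request."""
        # S310: identity verification (signature, validity date, time window).
        try:
            payload_b64, signature = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
        except ValueError:
            return False, "malformed token"
        if not hmac.compare_digest(signature.encode(), _sign(payload)):
            return False, "invalid signature"
        body = json.loads(payload)
        if not body["iat"] <= now <= body["exp"]:
            return False, "token outside validity period"
        if abs(now - timestamp) > WINDOW_SECONDS:
            return False, "timestamp outside window"
        # S320: fetch the valid interface list associated with the token.
        allowed = self.valid_interfaces.get(body["appID"], set())
        # S330: the target is identified by (class name, interface name).
        ok = (class_name, interface_name) in allowed
        self.call_log.append((body["appID"], class_name, interface_name, ok))
        return ok, "ok" if ok else "interface not in valid list"


def demo():
    platform = CallAuthPlatform()
    identity = {"appID": "app-1001", "appName": "demo-client"}  # constructed
    token = platform.register(
        identity, [QUERY, REFUND],
        first_results={QUERY: True, REFUND: True},
        second_results={QUERY: True, REFUND: False},  # publisher keeps refund closed
        valid_days=30, now=T0)
    forged_body = {"appID": "app-9999", "iat": T0, "exp": T0 + 86400}
    forged = _b64(json.dumps(forged_body).encode()) + "." + token.split(".")[1]
    results = {
        "query": platform.verify(token, T0 + 10, *QUERY, now=T0 + 12),
        "refund": platform.verify(token, T0 + 10, *REFUND, now=T0 + 12),
        "replayed": platform.verify(token, T0 + 10, *QUERY, now=T0 + 1000),
        "forged": platform.verify(forged, T0 + 10, *QUERY, now=T0 + 12),
        "expired": platform.verify(token, T0 + 31 * 86400, *QUERY,
                                   now=T0 + 31 * 86400),
    }
    platform.revoke("app-1001", QUERY)
    results["revoked"] = platform.verify(token, T0 + 20, *QUERY, now=T0 + 22)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The time-window check limits replay only if the timestamp itself is protected in transit, for example by TLS or by a caller-side signature over the token and timestamp; the text does not specify that binding, so the example takes the timestamp as a separate argument.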
Fig. 4 schematically shows a block diagram of a processing device for interface calls according to an embodiment of the present disclosure.
As shown in fig. 4, the apparatus includes a first receiving module 401, a first determining module 402, a first verifying module 403, and a transmitting module 404.
Specifically, the first receiving module 401 is configured to receive a call authentication request of a first object, where the call authentication request is generated by the first object after receiving an interface call request of a second object; a first determining module 402, configured to determine identity information of a second object indicated by the call authentication request and interface parameters of a target interface called by the second object request; a first verification module 403, configured to verify whether the second object has the right to call the target interface according to the identity information and the interface parameter, so as to obtain a verification result; a sending module 404, configured to send the verification result to the first object, so that the first object determines whether to allow the second object to call the target interface according to the verification result.
As an alternative embodiment, the first determining module includes a first determining submodule, configured to determine the identity token of the second object indicated by the invoking authentication request; the first verification module comprises a first verification submodule and is used for verifying whether the second object is authorized to call the target interface or not according to the identity token and the interface parameters.
As an optional embodiment, the first verification sub-module includes a first verification unit, configured to perform an authentication operation on the second object according to the identity token to obtain an authentication result; a first obtaining unit, configured to obtain a valid interface list associated with the identity token when the identity verification result indicates pass; and the second verification unit is used for verifying whether the second object has the right to call the target interface or not according to the effective interface list and the interface parameters.
As an alternative embodiment, the first verification unit comprises a first processing subunit for determining a validity date of the identity token and a token signature in the identity token; and the first verification subunit is used for verifying the valid date and the token signature so as to carry out identity verification operation.
As an alternative embodiment, the second verification unit includes a second processing subunit, configured to determine whether the valid interface list includes a target interface indicated by the interface parameter; and the third processing subunit is used for determining that the second object has the right to call the target interface under the condition that the effective interface list contains the target interface.
As an optional embodiment, the apparatus further includes a second receiving module, configured to receive registration information of the second object, where the registration information includes identity information and interface call information of the second object; the second determining module is used for determining an interface list which the second object has the right to call according to the identity information and the interface calling information so as to obtain an effective interface list; and the first processing module is used for generating the identity token according to the identity information and the effective interface list.
As an optional embodiment, the second determining module includes a second determining sub-module, configured to determine, according to the interface call information, at least one unauthorized interface that the second object requests to call; the first processing submodule is used for carrying out calling authentication operation aiming at each unauthorized interface according to the identity information and the interface calling information so as to obtain a first authentication result aiming at each unauthorized interface; the third determining submodule is used for determining and issuing at least one third object of at least one unauthorized interface according to the interface identification of each unauthorized interface; the sending submodule is used for sending the identity information and the interface calling information to each third object so that each third object can carry out calling authentication operation aiming at the unauthorized interface to obtain a second authentication result aiming at each unauthorized interface; and the fourth determining submodule is used for determining an interface list which the second object has the right to call according to the first authentication result and the second authentication result.
As an optional embodiment, the system further includes a third receiving module, configured to receive a right obtaining request for any unauthorized interface sent by the second object; the third determining module is used for carrying out auditing operation on the permission obtaining request so as to determine whether the second object has the right to call the unauthorized interface; and the second processing module is used for adding the unauthorized interface into the valid interface list under the condition that the second object is determined to be authorized to call the unauthorized interface.
Any number of the first receiving module 401, the first determining module 402, the first verifying module 403 and the sending module 404 and their sub-modules, or at least part of the functions of any number of them, may be implemented in one module. Any one or more of the modules according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules according to the embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of the three implementation manners of software, hardware and firmware, or in any suitable combination of them. Alternatively, one or more of the modules according to embodiments of the disclosure may be implemented at least partly as computer program modules which, when executed, may perform corresponding functions.
For example, any plurality of the first receiving module 401, the first determining module 402, the first verifying module 403 and the sending module 404 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. Alternatively, at least one of the first receiving module 401, the first determining module 402, the first verifying module 403 and the sending module 404 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware and firmware, or any suitable combination of any of them. Alternatively, at least one of the first receiving module 401, the first determining module 402, the first verifying module 403 and the sending module 404 may be at least partially implemented as a computer program module, which, when executed, may perform a corresponding function.
Fig. 5 schematically shows a block diagram of an electronic device adapted to implement the processing method and apparatus for interface calls according to an embodiment of the present disclosure. The computer system illustrated in FIG. 5 is only one example and should not impose any limitations on the scope of use or functionality of embodiments of the disclosure.
As shown in fig. 5, a computer system 500 according to an embodiment of the present disclosure includes a processor 501, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The processor 501 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 501 may also include onboard memory for caching purposes. Processor 501 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 503, various programs and data necessary for the operation of the system 500 are stored. The processor 501, the ROM 502, and the RAM 503 are connected to each other by a bus 504. The processor 501 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 502 and/or the RAM 503. Note that the programs may also be stored in one or more memories other than the ROM 502 and the RAM 503. The processor 501 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
Optionally, system 500 may also include an input/output (I/O) interface 505, which is also connected to bus 504. The system 500 may also include one or more of the following components connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. A drive 510 is also connected to the I/O interface 506 as needed. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as necessary, so that a computer program read out therefrom is installed into the storage section 508 as necessary.
Alternatively, the method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program, when executed by the processor 501, performs the above-described functions defined in the system of the embodiments of the present disclosure. Alternatively, the systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
Alternatively, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, a computer-readable storage medium may optionally include the ROM 502 and/or the RAM 503 described above and/or one or more memories other than the ROM 502 and the RAM 503.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments and/or claims of the present disclosure can be combined and/or associated in various ways, even if such combinations or associations are not expressly recited in the present disclosure. In particular, the features recited in the various embodiments and/or claims of the present disclosure may be combined and/or associated in various ways without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (11)

1. A method for processing an interface call, comprising:
receiving a call authentication request from a first object, wherein the call authentication request is generated by the first object after receiving an interface call request from a second object;
determining the identity information of the second object indicated by the call authentication request and the interface parameter of the target interface that the second object requests to call;
verifying, according to the identity information and the interface parameters, whether the second object has the right to call the target interface, to obtain a verification result;
and sending the verification result to the first object so that the first object can determine whether to allow the second object to call the target interface according to the verification result.
2. The method of claim 1, wherein the determining identity information of the second object indicated by the call authentication request comprises:
determining an identity token of the second object indicated by the call authentication request;
the verifying whether the second object has the right to call the target interface according to the identity information and the interface parameters comprises:
verifying, according to the identity token and the interface parameters, whether the second object has the right to call the target interface.
3. The method of claim 2, wherein said verifying whether the second object has the right to call the target interface according to the identity token and the interface parameters comprises:
performing, according to the identity token, an identity verification operation on the second object to obtain an identity verification result;
obtaining a valid interface list associated with the identity token if the identity verification result indicates a pass;
and verifying, according to the valid interface list and the interface parameters, whether the second object has the right to call the target interface.
4. The method of claim 3, wherein said performing an identity verification operation on the second object according to the identity token comprises:
determining a valid date of the identity token and a token signature in the identity token;
and verifying the valid date and the token signature so as to perform the identity verification operation.
5. The method of claim 3, wherein said verifying whether the second object has the right to call the target interface according to the valid interface list and the interface parameters comprises:
determining whether the valid interface list includes the target interface indicated by the interface parameter; and
determining that the second object has the right to call the target interface if the valid interface list includes the target interface.
6. The method of claim 3, wherein the identity token and the valid interface list are generated by a method comprising:
receiving registration information of the second object, wherein the registration information comprises identity information and interface call information of the second object;
determining, according to the identity information and the interface call information, an interface list that the second object has the right to call, so as to obtain the valid interface list;
and generating the identity token according to the identity information and the valid interface list.
7. The method of claim 6, wherein the determining, according to the identity information and the interface call information, an interface list that the second object has the right to call, so as to obtain the valid interface list, comprises:
determining, according to the interface call information, at least one unauthorized interface that the second object requests to call;
performing, according to the identity information and the interface call information, a call authentication operation for each unauthorized interface to obtain a first authentication result for each unauthorized interface;
determining, according to the interface identifier of each unauthorized interface, at least one third object that issued the at least one unauthorized interface;
sending the identity information and the interface call information to each third object so that each third object can perform a call authentication operation for the unauthorized interface, to obtain a second authentication result for each unauthorized interface;
and determining, according to the first authentication result and the second authentication result, an interface list that the second object has the right to call, so as to obtain the valid interface list.
8. The method of any of claims 3 to 7, further comprising:
receiving a permission acquisition request, sent by the second object, for any unauthorized interface;
performing an auditing operation on the permission acquisition request to determine whether the second object has the right to call the unauthorized interface;
adding the unauthorized interface to the valid interface list if it is determined that the second object has the right to call the unauthorized interface.
9. An apparatus for processing interface calls, comprising:
the device comprises a first receiving module, a second receiving module and a third receiving module, wherein the first receiving module is used for receiving a call authentication request from a first object, and the call authentication request is generated by the first object after receiving an interface call request from a second object;
the first determining module is used for determining the identity information of the second object indicated by the call authentication request and the interface parameters of the target interface that the second object requests to call;
the first verification module is used for verifying, according to the identity information and the interface parameters, whether the second object has the right to call the target interface, so as to obtain a verification result;
and the sending module is used for sending the verification result to the first object so that the first object can determine whether to allow the second object to call the target interface according to the verification result.
10. An electronic device, comprising:
one or more processors; and
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-8.
11. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 8.
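The check flow of claims 1 to 6 and 8, sketched as an added example that is not part of the patent text. The token format (base64 JSON body plus an HMAC-SHA256 signature), the key, the field names and the interface names are assumptions chosen for illustration; the claims do not specify them.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # assumption: key held only by the authentication service
VALID_INTERFACES = {}              # caller id -> set of interfaces it may call

def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def register(caller_id, interfaces, ttl=3600, now=None):
    """Claim 6: store the valid interface list, then issue the identity token."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": caller_id, "exp": now + ttl}, sort_keys=True).encode()
    VALID_INTERFACES[caller_id] = set(interfaces)
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def verify_call(auth_request, now=None):
    """Claims 1-5: build the verification result returned to the first object."""
    now = time.time() if now is None else now
    try:
        encoded, signature = auth_request["identity_token"].split(".")
        body = base64.urlsafe_b64decode(encoded)
    except (KeyError, ValueError, AttributeError):
        return {"allowed": False, "reason": "malformed token"}
    # Claim 4: verify the signature before trusting any field in the token,
    # using a constant-time comparison.
    if not hmac.compare_digest(_sign(body).encode(), signature.encode()):
        return {"allowed": False, "reason": "bad signature"}
    claims = json.loads(body)
    if claims["exp"] <= now:
        return {"allowed": False, "reason": "token expired"}
    # Claims 3 and 5: the list is looked up on the service side, so a caller
    # cannot widen its own permissions by editing the request.
    valid = VALID_INTERFACES.get(claims["sub"], set())
    allowed = auth_request.get("interface") in valid
    return {"allowed": allowed,
            "reason": "ok" if allowed else "interface not in valid list"}

def grant(caller_id, interface):
    """Claim 8: after an approved permission request, extend the valid list."""
    VALID_INTERFACES.setdefault(caller_id, set()).add(interface)
```

Because the valid interface list is keyed by the token's subject and held by the service, a grant under claim 8 takes effect without reissuing the token.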
CN202010964221.6A 2020-09-14 2020-09-14 Interface call processing method and device Active CN113761503B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010964221.6A CN113761503B (en) 2020-09-14 2020-09-14 Interface call processing method and device

Publications (2)

Publication Number Publication Date
CN113761503A (en) 2021-12-07
CN113761503B (en) 2024-05-17

Family

ID=78785733

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010964221.6A Active CN113761503B (en) 2020-09-14 2020-09-14 Interface call processing method and device

Country Status (1)

Country Link
CN (1) CN113761503B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016188290A1 (en) * 2015-05-27 2016-12-01 阿里巴巴集团控股有限公司 Safety authentication method, device and system for api calling
CN110149328A (en) * 2019-05-22 2019-08-20 平安科技(深圳)有限公司 Interface method for authenticating, device, equipment and computer readable storage medium
CN110839087A (en) * 2020-01-13 2020-02-25 北京懿医云科技有限公司 Interface calling method and device, electronic equipment and computer readable storage medium
CN111639319A (en) * 2020-06-02 2020-09-08 北京字节跳动网络技术有限公司 User resource authorization method, device and computer readable storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
AL-SINANI, H.S. et al.: "A Universal Client-based Identity Management Tool", Public Key Infrastructures, Services and Applications. 8th European Workshop (EuroPKI 2011), 31 December 2012 (2012-12-31) *
文勇军; 黄浩; 樊志良; 唐立军: "Design of a REST Security Interface for a Distributed Log System", 网络安全技术与应用 (Network Security Technology & Application), no. 04, 15 April 2017 (2017-04-15) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422940A (en) * 2022-01-19 2022-04-29 北京百度网讯科技有限公司 Positioning method, positioning device, electronic equipment and medium
CN114422940B (en) * 2022-01-19 2024-05-14 北京百度网讯科技有限公司 Positioning method, positioning device, electronic equipment and medium

Also Published As

Publication number Publication date
CN113761503B (en) 2024-05-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant