CN115766134A - Method and device for unified authentication of API gateway - Google Patents

Method and device for unified authentication of API gateway

Info

Publication number
CN115766134A
Authority
CN
China
Prior art keywords
api
authentication
api gateway
consumer
gateway
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211365718.1A
Other languages
Chinese (zh)
Inventor
宋飞虎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Unihub China Information Technology Co Ltd
Original Assignee
Unihub China Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for unified authentication of an API gateway. The method comprises the following steps: adding a consumer in the API gateway and selecting an authentication mode for the consumer; configuring the authentication parameters in the consumer and storing the consumer's configuration information; binding the consumer to an API, so that when the API gateway receives an access request and matches it to the API, the gateway verifies the request information against the bound consumer's information; if verification succeeds, the API gateway forwards the request to the API and returns the service response to the API caller; if verification fails, the API gateway returns request-failure information to the API caller. In this way the API gateway completes the authority verification, which reduces the request load on the back-end service; authentication whose processing object is a user and authentication whose processing object is a service are managed in a unified way, and all common authentication modes can be supported; different APIs are bound to a created authentication through the tree structure of the APIs; and after binding succeeds, the usage of each authentication can be checked.

Description

Unified authentication method and device for API gateway
Technical Field
Embodiments of the invention relate to the technical field of computer network authentication, and in particular to a unified authentication method and device for an API gateway.
Background
An API (Application Programming Interface) is the development interface of an application program. Any application system that needs to be called by another system must expose an API. Because an API is exposed directly to the public network it carries a security risk; an API gateway is therefore used as the unified entry of the API, and all user requests pass through the API gateway. With the API gateway as the unified entry, the user can place the authentication of the service in the API gateway to implement authentication.
A network service generally comprises a client and a server. Requests from callers such as the client or external partners are received uniformly through the API gateway, certain checks and logic processing are carried out according to the different logic of each interface, and the requests are then forwarded to the back-end server. The API gateway is thus the intermediate bridge between the client and the back-end services in a network service, and it serves as the entrance through which services are provided to the outside, like the gate of an enterprise's services. On one hand it needs enough capacity to handle a large volume of external access; on the other hand it needs to provide a degree of security for internal services. With the development and popularization of networks, the performance requirements on the API gateway keep rising, and simply caching in the API gateway based on an in-memory database during data access and exchange can no longer meet these high performance requirements.
For example, the patent "A method for implementing API gateway independent authentication based on application" (application number CN 202110131013.2) implements native API access control with a Kong plug-in, namely an APP authentication plug-in, through the following steps: create an API and select APP authentication at creation; publish the API and write the APP authentication plug-in configuration into the API gateway at publication; and have the front-end page of the API gateway console create an APP, according to the user's needs, as the user's identity for calling the API. Compared with other authentication modes its processing speed is higher, the authorization relationship is persisted in a back-end database, and a standby authentication interface is provided at the back end, which effectively ensures safe and stable API calls. It does not, however, solve the following problems: the API gateway cannot support several authentication modes at the same time; in the current authentication mode, authentication information has to be configured on every API, which makes operation cumbersome; and the information bound by an authentication cannot be checked.
Disclosure of Invention
To solve these problems, the invention uses the API gateway to complete the authority verification, thereby reducing the request load on the back-end service; authentication whose processing object is a user and authentication whose processing object is a service are managed in a unified way, and all common authentication modes can be supported; different APIs are bound to a created authentication through the tree structure of the APIs; and after binding succeeds, the usage of each authentication can be checked.
According to the embodiment of the invention, a method and a device for unified authentication of an API gateway are provided.
In a first aspect of the present invention, a method for unified authentication of an API gateway is provided. The method comprises the following steps:
S01: adding a consumer in the API gateway and selecting an authentication mode for the consumer;
S02: configuring the authentication parameters in the consumer and storing the consumer's configuration information;
S03: binding the consumer to the API, so that when the API gateway receives an access request and matches the API, the API gateway verifies the request information according to the bound consumer's information;
S04: if verification succeeds, the API gateway forwards the request information to the API and returns the service response to the API caller; if verification fails, the API gateway returns request-failure information to the API caller.
Further, the consumer described in S01 is used to identify the requestor of the service.
Further, the authentication method in S01 includes: openid-connect, jwt-auth, hmac-auth and basic-auth, wherein the processing objects of hmac-auth and basic-auth are users, and the processing objects of openid-connect and jwt-auth are services.
Furthermore, the processing object being a user indicates that each user has its own authentication information; the processing object being a service indicates that each service has its own authentication information: the API gateway performs authentication for the service, the consumer is configured with the service's public key, and the API gateway verifies the user's token with that public key.
Further, the specific steps of binding the consumer to the API in S03 are:
S031: opening the tree structure of the APIs in the consumer;
S032: selecting the API to be bound; if the processing object of the authentication is a user, several consumers may bind the same API; if the processing object of the authentication is a service, one API cannot be bound by several consumers.
Further, if the consumer in S03 does not bind the API, the access request is not verified.
In a second aspect of the present invention, an apparatus for unified authentication of an API gateway is provided. The device includes:
a newly added module: used for adding a consumer in the API gateway and selecting an authentication mode for the consumer;
a configuration module: used for configuring the authentication parameters in the consumer and storing the consumer's configuration information;
a binding module: used for binding the consumer to the API (application programming interface), so that when the API gateway receives an access request and matches the API, the API gateway verifies the request information according to the bound consumer's information;
a checking module: used, if verification succeeds, for having the API gateway forward the request information to the API and return the service response to the API caller; and, if verification fails, for having the API gateway return request-failure information to the API caller.
Further, the consumer described in the newly added module is used to identify the requestor of the service.
Further, the authentication modes in the newly added module include openid-connect, jwt-auth, hmac-auth and basic-auth, wherein the processing objects of hmac-auth and basic-auth are users, and the processing objects of openid-connect and jwt-auth are services.
Furthermore, the processing object being a user indicates that each user has its own authentication information; the processing object being a service indicates that each service has its own authentication information: the API gateway performs authentication for the service, the consumer is configured with the service's public key, and the API gateway verifies the user's token with that public key.
Further, the binding module further comprises:
a tree structure opening module: used for opening the tree structure of the APIs in the consumer;
a selection module: used for selecting the API to be bound; if the processing object of the authentication is a user, several consumers may bind the same API; if the processing object of the authentication is a service, one API cannot be bound by several consumers.
Further, if the consumer in the binding module does not bind the API, the access request is not verified.
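The consumer, binding and verdict logic of steps S01 to S04 and S031/S032, written out as an added Go illustration rather than code from the patent or its applicant. The type and function names, the Verifier callback through which a mode-specific check (HMAC, JWT, ...) plugs in, and the rule that a service-object binding is refused whenever the API already has any consumer (and vice versa) are this example's own reading of S032. The page states that a request to an API with no bound consumer is not verified; the example returns a distinct Unverified verdict for that case so that a deployment can log or block such traffic instead of forwarding it silently.

```go
package main

import (
	"errors"
	"sort"
)

// AuthMode is one of the four authentication modes listed in the disclosure.
type AuthMode string

const (
	OpenIDConnect AuthMode = "openid-connect"
	JWTAuth       AuthMode = "jwt-auth"
	HMACAuth      AuthMode = "hmac-auth"
	BasicAuth     AuthMode = "basic-auth"
)

// ProcessingObject is "service" for openid-connect and jwt-auth and "user"
// for hmac-auth and basic-auth, as stated in the disclosure.
func (m AuthMode) ProcessingObject() string {
	switch m {
	case OpenIDConnect, JWTAuth:
		return "service"
	case HMACAuth, BasicAuth:
		return "user"
	}
	return "unknown"
}

// Consumer identifies the requester of a service (S01/S02). Params holds the
// mode-specific authentication parameters (key id, public key, ...).
type Consumer struct {
	Name   string
	Mode   AuthMode
	Params map[string]string
}

// Gateway stores the consumers and the consumer-to-API bindings (S03).
type Gateway struct {
	consumers map[string]*Consumer
	bindings  map[string][]*Consumer // API name -> bound consumers
}

func NewGateway() *Gateway {
	return &Gateway{consumers: map[string]*Consumer{}, bindings: map[string][]*Consumer{}}
}

var (
	ErrUnknownConsumer = errors.New("unknown consumer")
	ErrServiceAPIBound = errors.New("service-object authentication allows one consumer per API")
)

// AddConsumer is S01/S02: create the consumer and store its configuration.
func (g *Gateway) AddConsumer(c *Consumer) { g.consumers[c.Name] = c }

// Bind is S032. Several user-object consumers may bind the same API; a
// service-object consumer must be the only consumer of its API (assumed reading).
func (g *Gateway) Bind(consumerName, api string) error {
	c, ok := g.consumers[consumerName]
	if !ok {
		return ErrUnknownConsumer
	}
	existing := g.bindings[api]
	serviceBound := false
	for _, e := range existing {
		if e.Name == c.Name {
			return nil // already bound: treated as idempotent (assumption)
		}
		if e.Mode.ProcessingObject() == "service" {
			serviceBound = true
		}
	}
	if len(existing) > 0 && (serviceBound || c.Mode.ProcessingObject() == "service") {
		return ErrServiceAPIBound
	}
	g.bindings[api] = append(existing, c)
	return nil
}

// Verdict is the gateway's decision for a request that matched an API (S04).
type Verdict string

const (
	Forwarded  Verdict = "forwarded"  // verification succeeded: forward to the API
	Rejected   Verdict = "rejected"   // verification failed: return failure to caller
	Unverified Verdict = "unverified" // no consumer bound: the page says no check is done
)

// Verifier checks one request against one consumer's parameters.
type Verifier func(c *Consumer, req map[string]string) bool

// Check is S03/S04 for an API the request has already been matched to.
func (g *Gateway) Check(api string, req map[string]string, verify Verifier) Verdict {
	bound := g.bindings[api]
	if len(bound) == 0 {
		return Unverified
	}
	for _, c := range bound {
		if verify(c, req) {
			return Forwarded
		}
	}
	return Rejected
}

// BoundAPIs lists the APIs a consumer is bound to, which is what lets the
// operator check how an authentication is used after binding.
func (g *Gateway) BoundAPIs(consumerName string) []string {
	var out []string
	for api, cs := range g.bindings {
		for _, c := range cs {
			if c.Name == consumerName {
				out = append(out, api)
			}
		}
	}
	sort.Strings(out)
	return out
}
```

Check returns a value instead of forwarding so the three outcomes can be asserted on; in a real gateway the Unverified branch is the one to put a policy decision on, since it is the only path on which a request reaches the back end without any consumer check.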
The invention completes the authority verification with the API gateway, thereby reducing the request load on the back-end service; authentication whose processing object is a user and authentication whose processing object is a service are managed in a unified way, and all common authentication modes can be supported; different APIs are bound to a created authentication through the tree structure of the APIs; and after binding succeeds, the usage of each authentication can be checked.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of any embodiment of the invention, nor are they intended to limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present invention will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Wherein:
FIG. 1 is a flow diagram of a method for unified authentication of an API gateway according to an embodiment of the invention;
FIG. 2 is a block diagram of an apparatus for unified authentication of an API gateway according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
According to embodiments of the invention, a method and a device for unified authentication of an API gateway are provided: the API gateway completes the authority verification, which reduces the request load on the back-end service; authentication whose processing object is a user and authentication whose processing object is a service are managed in a unified way, and all common authentication modes can be supported; different APIs are bound to a created authentication through the tree structure of the APIs; and after binding succeeds, the usage of each authentication can be checked.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments of the invention.
Fig. 1 is a schematic flowchart of a method for unified authentication of an API gateway according to an embodiment of the present invention. The method comprises the following steps:
S01: adding a consumer in the API gateway and selecting an authentication mode for the consumer;
S02: configuring the authentication parameters in the consumer and storing the consumer's configuration information;
S03: binding the consumer to the API, so that when the API gateway receives an access request and matches the API, the API gateway verifies the request information according to the bound consumer's information;
S04: if verification succeeds, the API gateway forwards the request information to the API and returns the service response to the API caller; if verification fails, the API gateway returns request-failure information to the API caller.
It should be noted that although the operations of the method of the present invention have been described in the above embodiments and the accompanying drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the operations shown must be performed, to achieve the desired results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
To explain the method for unified authentication of the API gateway clearly, the following description refers to two specific embodiments; it should be noted that these embodiments serve only to explain the invention better and are not to be construed as an undue limitation of it.
The method for unified authentication of the API gateway is described in more detail with the two specific examples below.
Example 1:
In this embodiment, the tenant performs authentication on the API gateway using the openid-connect authentication mode.
The tenant adds a consumer on the API gateway, selects openid-connect as the authentication mode, and configures the authentication parameter in the consumer: the public key of the API key pair.
After the tenant completes the configuration of the consumer, the consumer is bound to the API. The API gateway receives the API authentication request sent by the API caller and forwards it to the corresponding authentication and authorization server;
the authentication and authorization server generates a token from the user name, the password and the private key of the key pair, and responds with the token to the API gateway.
The API gateway returns the token to the API caller, the API caller caches the token locally, and the API caller then sends API service requests to the API gateway carrying the token.
The API gateway verifies with the pre-configured public key whether the token is valid. If the token is valid, the API gateway forwards the received API service request to the back-end service corresponding to the API, the back-end service processes the request and returns response information to the API gateway, and the API gateway returns the back-end service's response to the API caller; otherwise the API gateway replies to the API caller with token-verification-failure information. The token failure scenarios are: the token is illegal, and the token has expired.
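Example 1 as an added Go illustration, not code from the patent or its applicant, showing both sides of the exchange: the authentication and authorization server signs a token with the private key of the key pair, and the gateway verifies it with the pre-configured public key and then checks expiry, distinguishing the two failure cases the page names, an illegal token and an expired token. The choice of a JWT with RS256 (RSA PKCS#1 v1.5 over SHA-256), the claim names, the function names and the error values are assumptions; the page does not fix a token format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrMalformed = errors.New("token malformed")
	ErrIllegal   = errors.New("token illegal: signature does not verify")
	ErrExpired   = errors.New("token expired")
)

// Claims is the subset of JWT claims this example uses (assumed names).
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// IssueToken plays the authentication and authorization server: it signs the
// header and claims with the private key of the key pair (RS256).
func IssueToken(priv *rsa.PrivateKey, sub string, exp time.Time) (string, error) {
	header := b64([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, err := json.Marshal(Claims{Sub: sub, Exp: exp.Unix()})
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyToken plays the API gateway: it checks the signature with the
// consumer's pre-configured public key, and only then the expiry.
func VerifyToken(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	// The algorithm is pinned: the header may not select a different verifier.
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, ErrMalformed
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, ErrMalformed
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, ErrIllegal
	}
	// Claims are trusted only after the signature is known to be good.
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	var c Claims
	if err := json.Unmarshal(cb, &c); err != nil {
		return nil, ErrMalformed
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, ErrExpired
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the API key pair (constructed)
	tok, _ := IssueToken(priv, "caller-1", time.Now().Add(time.Hour))
	c, err := VerifyToken(&priv.PublicKey, tok, time.Now())
	fmt.Println(c, err)
}
```

The order of checks matters for the gateway role: signature first, claims second, so that an expiry or subject value is never read from a token whose origin has not been established, and the algorithm is fixed by the consumer's configuration rather than by the token header.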
Example 2:
In this embodiment, the tenant performs authentication on the API gateway using the hmac-auth authentication mode.
The tenant adds two consumers on the API gateway, selecting hmac-auth as the authentication mode; the two consumers correspond respectively to two API callers, A and B, of the tenant.
The tenant configures the authentication parameters in the two consumers respectively: the public key, private key and encryption algorithm of API caller A, and the public key, private key and encryption algorithm of API caller B. Each set is unique, and the public key of caller A and the public key of caller B cannot be the same.
After the tenant completes the configuration of the consumers, both consumers are bound to the API. The API gateway receives API requests sent by API caller A and API caller B; each request carries a public key, an encryption algorithm and a signature, where the signature is generated from the request URL (uniform resource locator), the HTTP (hypertext transfer protocol) request method, the public key, the private key and the encryption algorithm. The API gateway matches the consumer corresponding to the API caller by the public key carried in the request, and then generates a signature from the public key, private key and encryption algorithm stored in the consumer together with the request URL and HTTP request method from the request information.
The API gateway compares the generated signature with the signature in the request. If the signatures are the same, the API gateway forwards the received API service request to the back-end service corresponding to the API, the back-end service processes the request and returns response information to the API gateway, and the API gateway returns the back-end service's response to the API caller; otherwise the API gateway replies to the API caller with illegal-signature information.
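Example 2 as an added Go illustration, not code from the patent or its applicant, with both sides of the exchange: the caller computes the signature over the HTTP method, the request URL and its public key using its private key and encryption algorithm, and the gateway matches the consumer by the public key in the request, recomputes the signature from the consumer's stored parameters and compares the two. The page's "public key" is modelled as a key identifier and its "private key" as the HMAC secret; the signing-string layout, the algorithm names, the hex encoding and the function names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"strings"
)

// HMACConsumer is one consumer configured with hmac-auth. The page calls the
// key identifier the "public key" and the shared secret the "private key".
type HMACConsumer struct {
	Name       string
	PublicKey  string // key id, carried in clear in each request
	PrivateKey []byte // shared secret, never sent on the wire
	Algorithm  string // "hmac-sha256" or "hmac-sha512" (assumed names)
}

// SignedRequest is what the API caller sends: the signed fields plus the
// public key, algorithm and signature carried in the request.
type SignedRequest struct {
	Method, URL, PublicKey, Algorithm, Signature string
}

var (
	ErrUnknownKey   = errors.New("no consumer matches the public key")
	ErrBadAlgorithm = errors.New("algorithm not allowed for this consumer")
	ErrIllegalSig   = errors.New("illegal signature")
)

func hashFor(alg string) (func() hash.Hash, error) {
	switch strings.ToLower(alg) {
	case "hmac-sha256":
		return sha256.New, nil
	case "hmac-sha512":
		return sha512.New, nil
	}
	return nil, ErrBadAlgorithm
}

// signingString is what both sides feed to the HMAC: the HTTP method, the
// request URL and the public key, as the page describes (layout assumed).
func signingString(method, url, publicKey string) string {
	return strings.ToUpper(method) + "\n" + url + "\n" + publicKey
}

// Sign is the caller side (A or B): compute the signature with its own secret.
func Sign(c *HMACConsumer, method, url string) (*SignedRequest, error) {
	h, err := hashFor(c.Algorithm)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(h, c.PrivateKey)
	mac.Write([]byte(signingString(method, url, c.PublicKey)))
	return &SignedRequest{Method: method, URL: url, PublicKey: c.PublicKey,
		Algorithm: c.Algorithm, Signature: hex.EncodeToString(mac.Sum(nil))}, nil
}

// Verify is the gateway side: match the consumer by public key, recompute the
// signature from the consumer's stored parameters, and compare in constant time.
func Verify(consumers map[string]*HMACConsumer, req *SignedRequest) (*HMACConsumer, error) {
	c, ok := consumers[req.PublicKey]
	if !ok {
		return nil, ErrUnknownKey
	}
	// The algorithm comes from the consumer's configuration; a request naming a
	// different one is refused rather than honoured.
	if !strings.EqualFold(req.Algorithm, c.Algorithm) {
		return nil, ErrBadAlgorithm
	}
	expected, err := Sign(c, req.Method, req.URL)
	if err != nil {
		return nil, err
	}
	if !hmac.Equal([]byte(expected.Signature), []byte(req.Signature)) {
		return nil, ErrIllegalSig
	}
	return c, nil
}

func main() {
	// Constructed consumer for caller A; secrets here are sample values only.
	a := &HMACConsumer{Name: "caller-A", PublicKey: "key-A", PrivateKey: []byte("secret-A"), Algorithm: "hmac-sha256"}
	consumers := map[string]*HMACConsumer{a.PublicKey: a}
	req, _ := Sign(a, "GET", "/v1/orders?id=7")
	c, err := Verify(consumers, req)
	fmt.Println(c.Name, err) // caller-A <nil>
}
```

Two details carry the security weight on the gateway side: the comparison uses hmac.Equal so that timing does not leak how many signature bytes matched, and the hash algorithm is taken from the consumer record, so the request cannot downgrade or switch it. The signed string in this example covers exactly what the page lists (method, URL, public key); a deployment that also needs freshness would add a timestamp or nonce to that string, which the page does not describe.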
Based on the same inventive concept, the invention also provides a device for unified authentication of the API gateway. Its implementation corresponds to the implementation of the method, and repeated details are omitted. As shown in FIG. 2, the apparatus 100 includes:
the newly added module 101: used for adding a consumer in the API gateway and selecting an authentication mode for the consumer;
the configuration module 102: used for configuring the authentication parameters in the consumer and storing the consumer's configuration information;
the binding module 103: used for binding the consumer to the API (application programming interface), so that when the API gateway receives an access request and matches the API, the API gateway verifies the request information according to the bound consumer's information;
the verification module 104: used, if verification succeeds, for having the API gateway forward the request information to the API and return the service response to the API caller; and, if verification fails, for having the API gateway return request-failure information to the API caller.
Wherein the binding module 103 further comprises:
the tree structure opening module 1031: used for opening the tree structure of the APIs in the consumer;
the selection module 1032: used for selecting the API to be bound; if the processing object of the authentication is a user, several consumers may bind the same API; if the processing object of the authentication is a service, one API cannot be bound by several consumers.
The device for unified authentication of the API gateway provided by the invention uses the API gateway to complete the authority verification, thereby reducing the request load on the back-end service; authentication whose processing object is a user and authentication whose processing object is a service are managed in a unified way, and all common authentication modes can be supported; different APIs are bound to a created authentication through the tree structure of the APIs; and after binding succeeds, the usage of each authentication can be checked.
While the spirit and principles of the invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, nor to the division into aspects, which is made for convenience of description only. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
The limitation of the protection scope of the present invention is understood by those skilled in the art, and various modifications or changes which can be made by those skilled in the art without inventive efforts based on the technical solution of the present invention are still within the protection scope of the present invention.

Claims (12)

1. A method for unified authentication of an API gateway, characterized in that the method comprises the following steps:
S01: adding a consumer in the API gateway and selecting an authentication mode for the consumer;
S02: configuring the authentication parameters in the consumer and storing the consumer's configuration information;
S03: binding the consumer to the API, so that when the API gateway receives an access request and matches the API, the API gateway verifies the request information according to the bound consumer's information;
S04: if verification succeeds, the API gateway forwards the request information to the API and returns the service response to the API caller; if verification fails, the API gateway returns request-failure information to the API caller.
2. The method for unified authentication of API gateway of claim 1, wherein said consumer in S01 is used to identify the requestor of the service.
3. The method for unified authentication of API gateway according to claim 1, wherein the authentication method in S01 comprises: openid-connect, jwt-auth, hmac-auth and basic-auth, wherein the processing objects of hmac-auth and basic-auth are users, and the processing objects of openid-connect and jwt-auth are services.
4. The method as claimed in claim 3, wherein the processing object being a user indicates that each user has its own authentication information; and the processing object being a service indicates that each service has its own authentication information: the API gateway performs authentication for the service, the consumer is configured with the service's public key, and the API gateway verifies the user's token with that public key.
5. The method for unified authentication of an API gateway according to claim 1, wherein the specific steps of binding the consumer to the API in S03 are:
S031: opening the tree structure of the APIs in the consumer;
S032: selecting the API to be bound; if the processing object of the authentication is a user, several consumers may bind the same API; if the processing object of the authentication is a service, one API cannot be bound by several consumers.
6. The method for unified authentication of API gateway of claim 5, wherein the consumer in S03 does not check the access request if the API is not bound.
7. An apparatus for unified authentication of an API gateway, the apparatus comprising:
a newly added module: used for adding a consumer in the API gateway and selecting an authentication mode for the consumer;
a configuration module: used for configuring the authentication parameters in the consumer and storing the consumer's configuration information;
a binding module: used for binding the consumer to the API (application programming interface), so that when the API gateway receives an access request and matches the API, the API gateway verifies the request information according to the bound consumer's information;
a checking module: used, if verification succeeds, for having the API gateway forward the request information to the API and return the service response to the API caller; and, if verification fails, for having the API gateway return request-failure information to the API caller.
8. The apparatus as claimed in claim 7, wherein the consumer in the newly added module is used to identify the service requester.
9. The device for unified authentication of an API gateway of claim 7, wherein the authentication modes in the newly added module include openid-connect, jwt-auth, hmac-auth and basic-auth, wherein the processing objects of hmac-auth and basic-auth are users, and the processing objects of openid-connect and jwt-auth are services.
10. The device for unified authentication of an API gateway of claim 9, wherein the processing object being a user indicates that each user has its own authentication information; and the processing object being a service indicates that each service has its own authentication information: the API gateway performs authentication for the service, the consumer is configured with the service's public key, and the API gateway verifies the user's token with that public key.
11. The apparatus for unified authentication of an API gateway of claim 7, wherein the binding module further comprises:
a tree structure opening module: used for opening the tree structure of the APIs in the consumer;
a selection module: used for selecting the API to be bound; if the processing object of the authentication is a user, several consumers may bind the same API; if the processing object of the authentication is a service, one API cannot be bound by several consumers.
12. The apparatus as claimed in claim 11, wherein the consumer in the binding module does not check the access request if the API is not bound.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211365718.1A CN115766134A (en) 2022-10-31 2022-10-31 Method and device for unified authentication of API gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211365718.1A CN115766134A (en) 2022-10-31 2022-10-31 Method and device for unified authentication of API gateway

Publications (1)

Publication Number Publication Date
CN115766134A true CN115766134A (en) 2023-03-07

Family

ID=85356060

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211365718.1A Pending CN115766134A (en) 2022-10-31 2022-10-31 Method and device for unified authentication of API gateway

Country Status (1)

Country Link
CN (1) CN115766134A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116846975A (en) * 2023-06-07 2023-10-03 浪潮智慧科技有限公司 Consumption service method, equipment and medium based on API gateway



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination