CN116032627A - Unified authentication and authorization method and device based on micro-service architecture - Google Patents


Info

Publication number
CN116032627A
Authority
CN
China
Prior art keywords
authentication
micro
service
client
login request
Legal status
Pending
Application number
CN202211733949.3A
Other languages
Chinese (zh)
Inventor
苑学贺
庞帆
杨永艳
田涛
王小平
梅玉娜
Current Assignee
Beijing China Power Information Technology Co Ltd
Original Assignee
Beijing China Power Information Technology Co Ltd

Abstract

The application discloses a unified authentication and authorization method and device based on a micro-service architecture, in the technical field of computers. The method is applied to an authentication and authorization system comprising a gateway, a unified authentication and authorization center and micro-services, and comprises the following steps: the gateway receives a login request sent by a client; the gateway determines whether the login request carries an authentication token, and if it does, the gateway sends the login request to the micro-service; if it does not, the login request is sent to the unified authentication and authorization center; the unified authentication and authorization center receives the login request and performs identity authentication on it; when the login request passes identity authentication, the unified authentication and authorization center sends an authentication token to the gateway so that the gateway forwards it to the client. In this way the loss of network security that would follow from an attack on the gateway is avoided, and network security is improved.

Description

Unified authentication and authorization method and device based on micro-service architecture
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a unified authentication and authorization method and apparatus based on a micro-service architecture.
Background
At present, large monolithic systems are gradually being transformed into a micro-service architecture in which each system has several micro-services, and when an external request needs to access a back-end micro-service, the request must be security-authenticated.
In the existing technical scheme, micro-service authentication and authorization are completed in the API gateway, and the downstream micro-services do not perform authentication or authorization themselves. After receiving the authentication token carried by the client request, the gateway decrypts and verifies the token and then forwards the decrypted user information to the downstream micro-service. With such a scheme, once the API gateway is breached, or the micro-services are reached in some way that bypasses the gateway, network security is reduced.
Therefore, how to improve network security has become an urgent problem to solve.
Disclosure of Invention
In view of the foregoing, a primary object of the present application is to provide a unified authentication and authorization method based on a micro-service architecture, so as to improve network security.
The first aspect of the present application provides a unified authentication and authorization method based on a micro-service architecture, where the method is applied to an authentication and authorization system, and the authentication and authorization system includes a gateway, a unified authentication and authorization center, and a micro-service, and the method includes:
the gateway receives a login request sent by a client;
the gateway determines whether the login request carries an authentication token; if it does, the gateway sends the login request to the micro-service, and if it does not, the login request is sent to the unified authentication and authorization center;
the unified authentication and authorization center receives the login request and performs identity authentication on it;
when the login request passes identity authentication, the unified authentication and authorization center sends an authentication token to the gateway so that the gateway forwards the authentication token to the client.
In some implementations of the first aspect of the present application, the method further includes:
the micro-service receives the login request and decodes the authentication token to obtain the user account of the client;
the micro-service looks up, in a local cache, the public key corresponding to the user account of the client;
the micro-service generates a signature from the public key and the authentication token and verifies that signature to produce a verification result.
In some implementations of the first aspect of the present application, the method further includes:
when the signature verification result is pass, the micro-service looks up, in the local cache and according to the user account, a first resource identifier corresponding to the user account of the client.
In some implementations of the first aspect of the present application, the method further includes:
the micro-service parses a second resource identifier from the login request;
the micro-service compares the first resource identifier with the second resource identifier and generates a comparison result;
if the two are equal, the micro-service sends a login success message to the client.
In some implementations of the first aspect of the present application, the method further includes:
the micro-service determines whether the local cache contains a public key corresponding to the user account of the client;
if the local cache does not contain the public key corresponding to the user account of the client, the micro-service sends a public key allocation request to the unified authentication and authorization center;
the unified authentication and authorization center receives the public key allocation request, allocates a public key to the user account of the client, and sends the public key to the micro-service;
the micro-service receives the public key and writes it into the local cache.
In some implementations of the first aspect of the present application, the method further includes:
the micro-service determines whether the local cache contains a first resource identifier corresponding to the user account of the client;
if the local cache does not contain the first resource identifier corresponding to the user account of the client, the micro-service sends a resource identifier allocation request to the unified authentication and authorization center;
the unified authentication and authorization center receives the resource identifier allocation request, allocates a first resource identifier to the user account of the client, and sends the first resource identifier to the micro-service;
the micro-service receives the first resource identifier and writes it into the local cache.
The second aspect of the application provides an authentication and authorization system, which comprises a gateway, a unified authentication and authorization center and a micro-service;
the gateway is used for receiving a login request sent by the client;
the gateway is also used for determining whether the login request carries an authentication token; if it does, the login request is sent to the micro-service, and if it does not, the login request is sent to the unified authentication and authorization center;
the unified authentication and authorization center is used for receiving the login request and performing identity authentication on it;
and the unified authentication and authorization center is also used for sending an authentication token to the gateway when the login request passes identity authentication so that the gateway can forward the authentication token to the client.
In some implementations of the second aspect of the present application:
the micro-service is used for receiving the login request and decoding the authentication token to obtain the user account of the client;
the micro-service is also used for looking up, in the local cache, the public key corresponding to the user account of the client;
the micro-service is also used for generating a signature from the public key and the authentication token and verifying that signature to produce a signature verification result.
In some implementations of the second aspect of the present application:
the micro-service is further used for looking up, in the local cache and according to the user account, the first resource identifier corresponding to the user account of the client when the signature verification result is pass.
A third aspect of the present application provides an electronic device comprising at least one processor, at least one memory and a bus coupled to the processor; the processor and the memory communicate with each other through the bus; the processor is configured to invoke program instructions in the memory to perform the unified authentication and authorization method based on the micro-service architecture of the first aspect of the present application.
Compared with the prior art, the technical scheme provided by the application has the following beneficial effects:
a gateway receives a login request sent by a client; the gateway determines whether the login request carries an authentication token, and if it does, the gateway sends the login request to the micro-service; if it does not, the login request is sent to the unified authentication and authorization center; the unified authentication and authorization center receives the login request and performs identity authentication on it; when the login request passes identity authentication, the unified authentication and authorization center sends an authentication token to the gateway so that the gateway forwards it to the client. Therefore the gateway neither performs authentication and authorization nor decrypts and parses the authentication token at any point in the authentication and authorization process, the authentication and authorization service is decoupled to a certain extent, and the loss of network security that would follow from an attack on the gateway is avoided, improving network security.
Drawings
Fig. 1 is a flow chart of a unified authentication and authorization method based on a micro-service architecture according to an embodiment of the present application;
fig. 2 is a flow chart of another unified authentication and authorization method based on a micro-service architecture according to an embodiment of the present application;
fig. 3 is a flowchart of another unified authentication and authorization method based on a micro service architecture according to an embodiment of the present application;
fig. 4 is a flowchart of another unified authentication and authorization method based on a micro service architecture according to an embodiment of the present application;
fig. 5 is a logic judgment diagram of an authentication and authorization system according to an embodiment of the present application;
fig. 6 is a schematic diagram of an authentication and authorization system according to an embodiment of the present application;
fig. 7 is a schematic diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims of this application and in the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The relevant terms are explained as follows:
Micro-services: splitting a large application into multiple independent modules, each called a micro-service. The key to micro-services is a system architecture that allows each micro-service to be deployed, run and upgraded independently, so that the micro-services are structurally "loosely coupled" to one another while functionally forming a unified whole.
JWT: the full name is JSON Web Token, an open JSON-based standard for transferring claims between network application environments. The token is designed to be compact and secure, and is particularly well suited to Single Sign-On (SSO) scenarios for distributed sites. The claims in a JWT are typically used to pass authenticated user identity information between an identity provider and a service provider in order to obtain resources from a resource server; additional claims needed by other business logic may be added, and the token may be used directly for authentication or may be encrypted.
API gateway: the API gateway is the only portal into the system; it encapsulates the system's internal architecture and provides a custom API for each client. It also has other responsibilities such as authentication, monitoring, load balancing, caching, request fragmentation and management, and static response handling. The key point of the API gateway pattern is that all clients and consumers access the micro-services through a single gateway, and all non-business functions are handled at the gateway layer. Typically the gateway also exposes a REST/HTTP access API.
In the prior art, authentication and authorization of the micro-services are carried out by the API gateway; once the API gateway has done so, the downstream micro-services perform no further authentication or authorization, so once the API gateway is broken into, or an attacker gets past the API gateway to reach the micro-services, a network security problem arises.
Referring to fig. 1, an embodiment of the present application provides a unified authentication and authorization method based on a micro-service architecture, where the method is applied to an authentication and authorization system, and the authentication and authorization system includes a gateway, a unified authentication and authorization center, and a micro-service, and the method includes the following steps:
s101: and the gateway receives a login request sent by the client.
In the embodiment of the application, the gateway can be called as an API gateway or a micro-service gateway, which is the only entry for the client to access the authentication and authorization system, and the request sent by the client needs to pass through the gateway first, so that the gateway is the first protection barrier for improving the network security.
S102: the gateway judges whether the login request carries an authentication token or not, and if the login request carries the authentication token, the gateway sends the login request to the micro-service; if the login request does not carry the authentication token, the login request is sent to a unified authentication and authorization center.
The authentication token may be JWT, and it should be noted that other authentication tokens are adopted without affecting the implementation of the embodiments of the present application.
In the step, the gateway is used for judging and forwarding the login request, and when the login request sent by the client does not carry an authentication token, the client is not finished with the authentication of the system, and the authentication needs to be forwarded to a unified authentication authorization center for authentication; when the login request sent by the client carries an authentication token, the authentication of the system which the client has passed is described, and the authentication is forwarded to the corresponding micro-service so as to realize the subsequent call of the micro-service by the client.
S103: and the unified authentication and authorization center receives the login request and performs identity authentication on the login request.
In the embodiment of the application, the gateway does not perform authentication of the authentication token, but is submitted to the unified authentication and authorization center to finish, and by adopting the working mode, even if the gateway is attacked, a client accessing the micro-service through the gateway cannot call or access the micro-service under the condition of no authentication token, so that the gateway is a second path of protection barrier for improving network security.
S104: when the login request passes identity authentication, the unified authentication and authorization center sends an authentication token to the gateway so that the gateway forwards the authentication token to the client.
After the unified authentication authorization center performs identity authentication on the login request, an authentication token is issued to the client, the authentication token is forwarded by the gateway and then sent to the client, and after the authentication token is received by the client, the client can pass through the verification of the gateway so as to perform the subsequent step of calling the micro service.
In the flow shown in fig. 1, authentication and authorization of the client are realized through the unified authentication and authorization center, so that potential network security risks caused by authentication and authorization by adopting the gateway are avoided, the service of authentication and authorization is further decoupled by adopting a protection mode of two network protection barriers, and the client crossing the gateway cannot access the micro service under the condition that the gateway is separated from the protection of the network, thereby improving the network security.
Referring to fig. 2: in the prior art, because the micro-service can be accessed by a client that bypasses the gateway, network security is also endangered. To further improve network security, the present application adds, on the basis of the flow shown in fig. 1, a step in which the micro-service decrypts and parses the authentication token, which specifically includes the following steps:
S201: the micro-service receives the login request and decodes the authentication token to obtain the user account of the client.
The login request can be understood as the client's request to call the micro-service. In the embodiment of the application, after receiving the login request from the client, the micro-service does not let the client call it directly; instead the authentication token is decrypted and parsed to determine whether the client has the authority to call the micro-service, which further improves network security and constitutes a third protection barrier.
The purpose of decoding the authentication token is to extract the user account of the client from it; the decoding may use Base64 decoding or another decoding technique without affecting the implementation of the embodiment of the application.
S202: the micro-service looks up, in the local cache, the public key corresponding to the user account of the client.
The local cache, set aside by the authentication and authorization system in local physical memory, buffers the data produced during decryption and parsing and reduces the network load on the authentication and authorization system; the public key is a key that may be published and is used to verify the signature of an authentication token.
S203: the micro-service generates a signature from the public key and the authentication token and verifies that signature to produce a verification result.
After the public key corresponding to the user account of the client has been obtained, a signature of the authentication token may be generated according to the public key. Verifying it may also be called signature checking; the result after signature verification may be pass or fail, and describing the result in some other way does not affect the implementation of the embodiment of the application.
S204: when the signature verification result is pass, the micro-service looks up, in the local cache and according to the user account, the first resource identifier corresponding to the user account of the client.
The resource identifier is also known as a Uniform Resource Identifier (URI), which may be used to uniquely identify a resource.
S205: the micro-service parses the second resource identifier from the login request.
The micro-service obtains the second resource identifier by parsing the login request; the second resource identifier serves as the object of comparison for the first resource identifier.
S206: the micro-service compares the first resource identifier with the second resource identifier and generates a comparison result.
In this step the comparison result serves as the basis for determining whether the client has permission to access the micro-service; when the comparison result is pass, the client has permission to access the first resource identifier.
S207: if the two are equal, the micro-service sends a login success message to the client.
In this step, when the first resource identifier equals the second resource identifier, the comparison result is pass and the micro-service sends a login success message to the client; the message tells the client that it has been allowed to access the micro-service.
In the flow shown in fig. 2, to further improve network security, a step in which the micro-service decrypts and parses the authentication token is added: the client must carry the authentication token in every login request, and the micro-service must decrypt and parse it to determine the user's login state. The micro-service thus serves as the third network protection barrier, further improving network security and ensuring the security and stability of the system.
Referring to fig. 3: to avoid the micro-service being unable to complete parsing of the authentication token because the public key corresponding to the user account of the client cannot be found in the local cache, the embodiment of the present application further adds a public key allocation step on the basis of the flow shown in fig. 2:
S301: the micro-service determines whether the local cache contains the public key corresponding to the user account of the client.
The purpose of this determination is to avoid the signature of the authentication token failing because of an error later in the flow.
S302: if the local cache does not contain the public key corresponding to the user account of the client, the micro-service sends a public key allocation request to the unified authentication and authorization center.
In the embodiment of the application, the unified authentication and authorization center has the function of allocating public keys: when the micro-service cannot find the public key corresponding to the user account in the local cache, the center, after receiving the public key allocation request sent by the micro-service, allocates a public key to the user account of the corresponding client.
S303: the unified authentication and authorization center receives the public key allocation request, allocates a public key to the user account of the client and sends the public key to the micro-service.
The public key is allocated to the user account of the client so that the micro-service can subsequently find the public key corresponding to that account in the local cache.
This step can be understood as the unified authentication and authorization center updating the public keys in the local cache. The cache may also hold public keys corresponding to the user accounts of other clients that have called the micro-service; these other public keys are temporarily unused, and updating the public keys in the local cache can further free up the local cache.
S304: the micro-service receives the public key and writes it into the local cache.
Writing the public key into the local cache avoids the situation in which the micro-service cannot find the public key corresponding to the user account of the client in the local cache and parsing therefore fails.
In the flow shown in fig. 3, after the micro-service determines that the local cache does not contain the public key corresponding to the user account of the client, it asks the unified authentication and authorization center to allocate a public key to that account, thereby avoiding the micro-service being unable to complete parsing of the authentication token.
Referring to fig. 4: to further avoid a client that does have permission to access the micro-service being unable to do so because the first resource identifier corresponding to its user account cannot be found in the local cache, the embodiment of the present application further adds a step of allocating the first resource identifier on the basis of the flow shown in fig. 2:
S401: the micro-service determines whether the local cache contains the first resource identifier corresponding to the user account of the client.
The first resource identifier may be the access resource identifier of the micro-service, through which the micro-service may be accessed; the purpose of this determination is to avoid the subsequent comparison step being impossible to perform on the first resource identifier because of an error later in the flow.
S402: if the local cache does not contain the first resource identifier corresponding to the user account of the client, the micro-service sends a resource identifier allocation request to the unified authentication and authorization center.
That the local cache does not contain the first resource identifier means that the micro-service cannot find the first resource identifier in the local cache.
In the embodiment of the application, the unified authentication and authorization center also has the function of allocating resource identifiers: when the local cache does not contain the first resource identifier, the center, after receiving the resource identifier allocation request sent by the micro-service, allocates a first resource identifier to the user account of the corresponding client.
S403: the unified authentication and authorization center receives the resource identifier allocation request, allocates a first resource identifier to the user account of the client, and sends the first resource identifier to the micro-service.
The first resource identifier is allocated to the user account of the client so that the micro-service can subsequently find the first resource identifier corresponding to that account in the local cache.
S404: the micro-service receives the first resource identifier and writes it into the local cache.
The first resource identifier is written into the local cache to avoid the situation in which a client that is authorized to access the micro-service cannot do so because the first resource identifier corresponding to its user account cannot be found in the local cache.
In the flow shown in fig. 4, after the micro-service determines that the local cache does not contain the first resource identifier corresponding to the user account of the client, it asks the unified authentication and authorization center to allocate a first resource identifier to that account, so that a client that does have permission to access the micro-service is not prevented from doing so.
Referring to fig. 5, in a specific application scenario, the specific implementation steps of the authentication and authorization system may include the following steps:
s501: receiving a login request of a client; step S502 is performed.
S502: it is determined whether or not the JWT in the login request is empty, and if the JWT is empty, step S512 is executed, and if the JWT is not empty, step S503 is executed.
This step is used to determine whether the logging request sent by the client carries a JWT.
S503: acquiring a user account number and a public key according to the JWT; step S504 is performed.
Specifically, a Base64 anti-coding is utilized to analyze a user account of a client from the JWT, and a corresponding public key is searched in a local cache according to the user account.
S504: judging whether the public key is empty, if so, executing step S505; if the public key is not empty, step S507 is performed.
This step determines whether a public key corresponding to the user account is absent from the local cache.
S505: the public key in the local cache is updated, and step S506 is performed.
The process of updating the public key in the local cache may be understood as a process in which a public key corresponding to the user account is generated and written into the local cache.
S506: whether the public key is empty is determined, if the public key is empty, step S512 is executed, and if the public key is not empty, step S507 is executed.
S507: judging whether the JWT passes the verification, if the JWT does not pass the verification, executing step S512; if the JWT passes the verification, step S508 is performed.
Specifically, the verification process may be that a signature of the JWT is generated using the public key corresponding to the user account, and the signature of the JWT is verified.
S508: judging whether the URI corresponding to the user account exists in the local cache, and executing step S509 if the URI corresponding to the user account does not exist; if there is a URI corresponding to the user account, step S511 is performed.
S509: updating the URI in the local cache, step S510 is performed.
In this step, the process of updating the URI in the local cache may be understood as a process of generating a corresponding URI according to the user account number and writing the URI into the local cache.
S510: judging whether the URI corresponding to the user account exists in the local cache, and if not, executing step S512; if so, step S511 is performed.
S511: the login request of the client is passed.
The client is the caller of the micro-service; once its login request has passed, the client can carry the JWT to access the micro-service.
S512: error information is sent to the client.
The error information may be a 401 error code.
Referring to fig. 6, an embodiment of the present application provides an authentication and authorization system including a gateway 601, a unified authentication and authorization center 602, and a micro service 603.
The gateway is used for receiving a login request sent by the client;
the gateway is also used for judging whether the login request carries an authentication token or not, and if the login request carries the authentication token, the gateway is used for sending the login request to the micro-service; if the login request does not carry the authentication token, the login request is sent to a unified authentication and authorization center;
the unified authentication authorization center is used for receiving a login request and carrying out identity authentication on the login request;
and the unified authentication and authorization center is also used for sending an authentication token to the gateway when the login request passes identity authentication so that the gateway can forward the authentication token to the client.
In some implementations of the embodiments of the present application, the microservice is configured to receive a login request, and decode the authentication token to obtain a user account of the client;
the micro service is also used for searching a public key corresponding to the user account of the client in the local cache;
the micro service is also used for generating a signature by utilizing the public key and the authentication token and checking the signature to generate a signature checking result.
In some implementations of the embodiments of the present application, the micro-service is further configured to, when the signature verification result is passed, search the local cache for a first resource identifier corresponding to the user account of the client according to the user account.
In some implementations of embodiments of the present application, the microservice is further configured to parse the second resource identifier from the login request;
the micro service is also used for comparing the first resource identifier with the second resource identifier and generating a comparison result;
the micro service is further configured to send a login success message to the client if the comparison results are equal.
In some implementations of the embodiments of the present application, the microservice is further configured to determine whether the local cache includes a public key corresponding to a user account of the client;
the micro-service is further used for sending a public key distribution request to the unified authentication and authorization center if the local cache does not contain the public key corresponding to the user account of the client;
the unified authentication authorization center is also used for receiving a public key distribution request, distributing a public key for a user account of the client and sending the public key to the micro-service;
the micro service is further configured to receive the public key and write the public key into the local cache.
In some implementations of the embodiments of the present application, the microservice is further configured to determine whether the local cache includes a first resource identifier corresponding to a user account of the client;
the micro-service is further used for sending a resource identifier allocation request to the unified authentication and authorization center if the local cache does not contain the first resource identifier corresponding to the user account of the client;
the unified authentication authorization center is also used for receiving a resource identifier allocation request, allocating a first resource identifier for a user account of the client and sending the first resource identifier to the micro service;
the micro service is further configured to receive the first resource identifier and write the first resource identifier into the local cache.
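The flow of fig. 5 (S501 to S512) and the three-party split of fig. 6 (gateway, unified authentication and authorization center, micro-service), as an added worked example; this is not code from the patent or its applicant. Because the page fixes none of these details, the example assumes an Ed25519 (EdDSA) key pair issued per user account, a JWT payload carrying the user account in a `sub` claim and the second resource identifier in a `uri` claim, in-memory maps for the local caches and the center's tables, a constructed credential `alice` / `s3cret` with the allocated URI `/orders`, and that the three parties are plain function calls rather than network hops.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"strings"
)
var enc = base64.RawURLEncoding // JWT segments are base64url without padding
// claims is the JWT payload: "sub" is the user account, "uri" the second resource identifier (names assumed).
type claims struct {
	Sub string `json:"sub"`
	URI string `json:"uri"`
}

// AuthCenter models the unified authentication and authorization center: one Ed25519 key pair per user
// account (assumed; the page fixes no algorithm), a constructed credential table and each account's URI.
type AuthCenter struct {
	priv  map[string]ed25519.PrivateKey
	pub   map[string]ed25519.PublicKey
	creds map[string]string
	uris  map[string]string
}

func NewAuthCenter() *AuthCenter {
	return &AuthCenter{priv: map[string]ed25519.PrivateKey{}, pub: map[string]ed25519.PublicKey{},
		creds: map[string]string{"alice": "s3cret"}, uris: map[string]string{"alice": "/orders"}} // constructed sample user
}
// Login performs identity authentication; on success it issues a JWT signed with the account's key.
func (a *AuthCenter) Login(user, password, uri string) (string, bool) {
	if pw, ok := a.creds[user]; !ok || pw != password {
		return "", false
	}
	if _, ok := a.priv[user]; !ok {
		a.pub[user], a.priv[user], _ = ed25519.GenerateKey(rand.Reader)
	}
	payload, _ := json.Marshal(claims{Sub: user, URI: uri})
	input := enc.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	return input + "." + enc.EncodeToString(ed25519.Sign(a.priv[user], []byte(input))), true
}
// PublicKey answers a public key distribution request (S505); URI a resource identifier allocation request (S509).
func (a *AuthCenter) PublicKey(user string) (ed25519.PublicKey, bool) { k, ok := a.pub[user]; return k, ok }
func (a *AuthCenter) URI(user string) (string, bool)                  { u, ok := a.uris[user]; return u, ok }

// MicroService keeps local caches and asks the center only on a cache miss.
type MicroService struct {
	center  *AuthCenter
	pubKeys map[string]ed25519.PublicKey
	uris    map[string]string
}
func NewMicroService(c *AuthCenter) *MicroService {
	return &MicroService{c, map[string]ed25519.PublicKey{}, map[string]string{}}
}
// Handle runs S502 to S512 on a token and returns 200 (S511) or 401 (S512).
func (m *MicroService) Handle(jwt string) int {
	parts, c := strings.Split(jwt, "."), claims{}
	if jwt == "" || len(parts) != 3 { // S502: empty (or malformed) JWT
		return 401
	}
	raw, err := enc.DecodeString(parts[1]) // S503: Base64 decode the user account
	if err != nil || json.Unmarshal(raw, &c) != nil || c.Sub == "" {
		return 401
	}
	pub, ok := m.pubKeys[c.Sub] // S504: public key in local cache?
	if !ok {
		if pub, ok = m.center.PublicKey(c.Sub); !ok { // S505, S506: refill or fail
			return 401
		}
		m.pubKeys[c.Sub] = pub
	}
	sig, err := enc.DecodeString(parts[2]) // S507: check the signature with that key
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return 401
	}
	uri, ok := m.uris[c.Sub] // S508: first resource identifier in local cache?
	if !ok {
		if uri, ok = m.center.URI(c.Sub); !ok { // S509, S510: refill or fail
			return 401
		}
		m.uris[c.Sub] = uri
	}
	if uri != c.URI { // the first resource identifier must equal the second
		return 401
	}
	return 200
}

// Route is the gateway: it looks only at whether a token is present, and returns the status plus,
// after a successful login at the center, the token that is forwarded to the client.
func Route(center *AuthCenter, svc *MicroService, user, password, uri, jwt string) (int, string) {
	if jwt != "" { // token present: straight to the micro-service
		return svc.Handle(jwt), ""
	}
	if tok, ok := center.Login(user, password, uri); ok { // no token: authenticate and issue one
		return 200, tok
	}
	return 401, ""
}
```

Two points of the design are worth noticing. The gateway never verifies anything; it only routes on the presence of a token, so the signature check and the resource identifier comparison happen in the micro-service, which is what keeps the gateway from being the single enforcement point the abstract worries about. And because the `uri` claim is covered by the signature, a client that rewrites the second resource identifier in its token fails S507 before the comparison is ever reached; a genuine token issued for a URI other than the one allocated to the account fails at the comparison instead, and both cases end in the 401 of S512.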
Referring to fig. 7, the present application also provides an electronic device 70, the electronic device 70 comprising at least one processor 701, at least one memory 702, and a bus 703 connected to the processor 701; the processor 701 and the memory 702 communicate with each other through the bus 703; the processor 701 is configured to invoke the program instructions in the memory 702 to implement the unified authentication and authorization method based on the micro-service architecture described with reference to fig. 1 to 4.
Finally, it should also be noted that in the embodiments of the present application, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A unified authentication and authorization method based on a micro-service architecture, wherein the method is applied to an authentication and authorization system, the authentication and authorization system comprises a gateway, a unified authentication and authorization center and a micro-service, and the method comprises the following steps:
the gateway receives a login request sent by a client;
the gateway judges whether the login request carries an authentication token or not, and if the login request carries the authentication token, the gateway sends the login request to the micro-service; if the login request does not carry the authentication token, the login request is sent to the unified authentication and authorization center;
the unified authentication and authorization center receives the login request and performs identity authentication on the login request;
and when the login request passes identity authentication, the unified authentication and authorization center sends the authentication token to the gateway so that the gateway forwards the authentication token to the client.
2. The method according to claim 1, wherein the method further comprises:
the micro service receives the login request and decodes the authentication token to obtain a user account of the client;
the micro-service searches a public key corresponding to the user account of the client in a local cache;
the micro service generates a signature using the public key and the authentication token and performs signature verification on the signature to generate a signature verification result.
3. The method according to claim 2, wherein the method further comprises:
and when the signature verification result is passed, the micro service searches a first resource identifier corresponding to the user account of the client in the local cache according to the user account.
4. A method according to claim 3, characterized in that the method further comprises:
the micro-service resolves a second resource identifier from the login request;
the micro service compares the first resource identifier with the second resource identifier and generates a comparison result;
and if the comparison results are equal, the micro-service sends a login success message to the client.
5. The method according to claim 2, wherein the method further comprises:
the micro service judges whether the local cache contains a public key corresponding to the user account of the client;
if the local cache does not contain the public key corresponding to the user account of the client, the micro service sends a public key distribution request to the unified authentication and authorization center;
the unified authentication and authorization center receives the public key distribution request, distributes the public key for the user account of the client, and sends the public key to the micro-service;
the micro service receives the public key and writes the public key into the local cache.
6. A method according to claim 3, characterized in that the method further comprises:
the micro service judges whether the local cache contains a first resource identifier corresponding to a user account of the client;
if the local cache does not contain the first resource identifier corresponding to the user account of the client, the micro service sends a resource identifier allocation request to the unified authentication and authorization center;
the unified authentication and authorization center receives the resource identifier allocation request, allocates the first resource identifier for the user account of the client, and sends the first resource identifier to the micro-service;
the micro service receives the first resource identifier and writes the first resource identifier into the local cache.
7. An authentication and authorization system is characterized by comprising a gateway, a unified authentication and authorization center and a micro-service;
the gateway is used for receiving a login request sent by the client;
the gateway is further configured to determine whether the login request carries an authentication token, if the login request carries the authentication token, send the login request to the micro-service, and if the login request does not carry the authentication token, send the login request to the unified authentication authorization center;
the unified authentication authorization center is used for receiving the login request and carrying out identity authentication on the login request;
the unified authentication and authorization center is further configured to send the authentication token to the gateway when the login request passes identity authentication, so that the gateway forwards the authentication token to the client.
8. The authentication and authorization system according to claim 7, wherein:
the micro service is used for receiving the login request and decoding the authentication token to obtain a user account of the client;
the micro service is further used for searching a public key corresponding to the user account of the client in a local cache;
the micro service is further used for generating a signature by utilizing the public key and the authentication token, and verifying the signature to generate a signature verification result.
9. The authentication authorization system according to claim 8, wherein:
and the micro service is further used for searching a first resource identifier corresponding to the user account of the client in the local cache according to the user account when the signature verification result is passed.
10. An electronic device comprising at least one processor, at least one memory, and a bus coupled to the processor; the processor and the memory communicate with each other through the bus; the processor is configured to invoke the program instructions in the memory to perform the unified authentication authorization method based on the micro-service architecture as recited in any one of claims 1 to 6.
CN202211733949.3A 2022-12-22 2022-12-22 Unified authentication and authorization method and device based on micro-service architecture Pending CN116032627A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211733949.3A CN116032627A (en) 2022-12-22 2022-12-22 Unified authentication and authorization method and device based on micro-service architecture

Publications (1)

Publication Number Publication Date
CN116032627A true CN116032627A (en) 2023-04-28

Family

ID=86090762

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211733949.3A Pending CN116032627A (en) 2022-12-22 2022-12-22 Unified authentication and authorization method and device based on micro-service architecture

Country Status (1)

Country Link
CN (1) CN116032627A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117811770A (en) * 2023-12-01 2024-04-02 北京海泰方圆科技股份有限公司 Login authentication method and device, electronic equipment and readable storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination