CN116089914A - Interface call authorization method, device, equipment and storage medium

Info

Publication number
CN116089914A
Authority
CN
China
Prior art keywords
authorization
interface
target application
signature
interface call
Legal status
Pending
Application number
CN202310138759.5A
Other languages
Chinese (zh)
Inventor
廖健男
邹远发
高杰
Current Assignee
Kingdee Deeking Cloud Computing Co ltd
Original Assignee
Kingdee Deeking Cloud Computing Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The application discloses an interface call authorization method, device, equipment and storage medium, and relates to the technical field of computers. The method comprises the following steps: sending corresponding authorization related information to a target application on a client according to a received authorization instruction of a service owner for the target application; receiving an interface call request sent by the target application that contains a signature, the signature being generated based on the authorization related information; and verifying the signature of the interface call request and deciding, according to the verification result, whether to execute the corresponding interface call operation. Application-level authorization is realized with the authorization related information, which allows finer-grained management, strengthens the service owner's control over permissions, reduces the risk of exposing the user's account password, and, after a single authorization, does not affect the service user's experience.

Description

Interface call authorization method, device, equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a storage medium for authorizing interface call.
Background
When a user initiates a request to a client, the client application redirects the user to an authorization server for authentication, which requires a client id and a callback address; after successful authentication the authorization server sends an authorization code to the client application; the client application then presents the authorization code, the client id and the client password to the authorization server to exchange them for a token; the authorization server verifies them and, if correct, sends the token to the client application, and the client application subsequently carries the token when calling interfaces.
However, this approach is designed for individual-user scenarios: after the individual authorizes, the user directly uses the services of the authorized application, and all of the individual's rights are exposed. In addition, in real enterprise multi-tenant service scenarios, especially multi-tenant SaaS (Software-as-a-Service) services, the owner of the service (the person who grants authorization) is often not the person who uses the service daily; the authorization and usage processes are separate and the rights of ownership and of use are not equivalent, which may force the service user to wait repeatedly for the service owner's authorization in order to keep using the authorized application's service. Handing the service owner's account and password to the users raises data security management problems and also defeats the original purpose of using the OAuth2.0 protocol.
Disclosure of Invention
In view of the above, the present invention aims to provide an interface call authorization method, device, equipment and medium, which can realize the fine management of the authority of the application and reduce the risk of exposing the user account password. The specific scheme is as follows:
in a first aspect, the present application discloses an interface call authorization method, applied to an authorization server, including:
transmitting corresponding authorization related information to a target application on a client according to a received authorization instruction of a service owner to the target application;
receiving an interface call request which is sent by the target application and contains a signature; the signature is generated based on the authorization-related information;
and checking the signature of the interface calling request, and judging whether to execute corresponding interface calling operation according to the signature checking result.
Optionally, the authorization related information includes an API interface authentication sequence number and an API interface key.
Optionally, the receiving the interface call request including the signature sent by the target application includes:
receiving an interface call request which is sent by the target application and contains a signature; the signature is generated by hashing the API interface verification sequence number with the API interface key using a hash algorithm.
Optionally, the sending corresponding authorization related information to the target application includes:
transmitting corresponding authorization related information to an authorization information receiving address corresponding to the target application; the authorization information receiving address is an address which is preconfigured by the target application and is used for receiving authorization related information.
Optionally, the verifying the signature of the interface call request and judging, according to the verification result, whether to execute the corresponding interface call operation includes:
judging whether the target application has the authority of the target interface corresponding to the interface call request or not by checking the signature in the interface call request;
if yes, executing the operation of calling the target interface for the target application;
if not, the operation of calling the target interface for the target application is not executed.
Optionally, the interface call authorization method further includes:
acquiring an authority modification instruction of the service owner to the target application;
and updating the authority configuration of the target application according to the authority modification instruction.
Optionally, the updating the permission configuration of the target application according to the permission modification instruction includes:
if the permission modification instruction is a permission disabling instruction, updating the permission configuration of the target application according to the permission disabling instruction, so that when an interface calling request containing a signature sent by the target application is received, the corresponding interface calling operation is not executed.
In a second aspect, the present application discloses an interface call authorization device, applied to an authorization server, including:
the information sending module is used for sending corresponding authorization related information to a target application on a client according to the received authorization instruction of the service owner for the target application;
the request receiving module is used for receiving an interface call request which is sent by the target application and contains a signature; the signature is generated based on the authorization-related information;
and the interface calling module is used for checking the signature of the interface calling request and judging whether to execute corresponding interface calling operation according to the signature checking result.
In a third aspect, the present application discloses an electronic device comprising:
a memory for storing a computer program;
and the processor is used for executing the computer program to realize the interface calling authorization method.
In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program; wherein the computer program when executed by the processor implements the interface call authorization method described above.
In a fifth aspect, the present application discloses a computer program product that, when run on a computer, enables the aforementioned interface call authorization method.
In the application, corresponding authorization related information is sent to a target application on a client according to a received authorization instruction of a service owner to the target application; receiving an interface call request which is sent by the target application and contains a signature; the signature is generated based on the authorization-related information; and checking the signature of the interface calling request, and judging whether to execute corresponding interface calling operation according to the signature checking result. It can be seen that by sending the authorization related information capable of representing the authority level to the target application, so that when the target application requests the interface call, the interface call request containing the authorization related information is sent, and the authorization server can judge whether the target application has the related authority according to the information in the interface call request, and then execute the corresponding interface call operation according to the judgment result. Therefore, aiming at the design of the service usage scene of the enterprise multi-tenant service, two processes of service data authorization and service data usage are distinguished, authorization of an application level is realized by utilizing authorization related information, the purpose of finer management can be achieved, management and control of the service owners on the authorities are enhanced, meanwhile, the risk of exposure of user account passwords can be reduced, and the service user usage experience is not affected as long as one-time authorization is performed.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of an interface call authorization method provided in the present application;
FIG. 2 is a timing diagram of a specific interface call authorization provided herein;
FIG. 3 is a specific authorization disable timing diagram provided herein;
FIG. 4 is a block diagram of a specific interface call authorization system provided herein;
fig. 5 is a schematic structural diagram of an interface call authorization device provided in the present application;
fig. 6 is a block diagram of an electronic device provided in the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the prior art, web applications use a single sign-on method based on the OAuth2.0 protocol for Web interface authorization: when a user initiates a request to a client, the client application redirects the user to an authorization server for authentication; after successful authentication the authorization server sends an authorization code to the client application; the client application returns to the authorization server to exchange it for a token; after verification succeeds the authorization server sends the token to the client application, and the client application subsequently carries the token when calling interfaces. However, this approach is designed for individual-user scenarios and exposes the individual's personal rights; moreover, in real enterprise multi-tenant service scenarios the service user may need to wait repeatedly for the service owner's authorization to keep using the authorized application's service. Handing the service owner's account and password to the users also raises data security management problems. To overcome these technical problems, the application provides an interface call authorization method that realizes fine-grained management of an application's permissions and reduces the risk of exposing the user's account password.
The embodiment of the application discloses an interface calling authorization method which is applied to an authorization server, and referring to fig. 1, the method can comprise the following steps:
step S11: and sending corresponding authorization related information to the target application according to the received authorization instruction of the service owner to the target application on the client.
In this embodiment, after receiving an authorization instruction of a service owner for a target application on a client, the authorization server sends corresponding authorization related information to the target application; the authorization-related information can characterize the authorization level of the target application, namely, the matched authorization-related information is sent to the target application according to the authorization of the service owner to the target application. The authorization server is a provider of enterprise SaaS service, and belongs to a called party of a business interface; the service owner, namely an administrator of the enterprise SaaS service, has the right to perform all operations on the enterprise SaaS service; the service user, i.e. the operating user in the enterprise SaaS service, has the operation authority of the business in the enterprise SaaS service, but does not have the authority of the operation of the service itself (such as deletion of the service).
For example, as shown in fig. 2, in this embodiment the authorization related information may include an API interface verification sequence number and an API interface key. The API interface verification sequence number (AppKey) is the authorization ID issued to the target application, which may be an ISV (Independent Software Vendor) application; it is the identity ID with which the application, once the service owner has authorized it, calls the API on behalf of a specific tenant for identity authentication. The API interface key (AppSecret) is the authorization secret issued to the ISV application; it is the identity secret with which the application calls the API for that specific tenant for identity authentication. By using the AppKey and AppSecret, the tenant's authorization of the SaaS service is assigned at the application level, so the user can authorize different product services to different ISV applications, which achieves finer-grained management, greatly strengthens the service owner's control over permissions, and does not affect the service user's experience after a single authorization. Using the AppKey and AppSecret also greatly reduces the use of user account passwords, lowers their exposure risk, and protects the security and privacy of user information.
In this embodiment, the sending corresponding authorization related information to the target application may include: sending corresponding authorization related information to an authorization information receiving address corresponding to the target application; the authorization information receiving address is an address preconfigured by the target application for receiving authorization related information. That is, the target application to be authorized is required in advance to configure a receiving address dedicated to receiving the authorization related information sent by the authorization server. In other words, for the service usage scenario of an enterprise multi-tenant service, the two flows of service data authorization and service data usage are separated: after an application has been authorized by the service owner, authorization related information such as the AppKey and AppSecret is pushed, based on the OAuth2.0 protocol, to the receiving address preconfigured by the application.
Step S12: receiving an interface call request which is sent by the target application and contains a signature; the signature is generated based on the authorization-related information.
In this embodiment, the authorization server receives an interface call request including a signature sent by a target application; the signature is generated based on the authorization-related information. The target application stores the received authorization related information, generates a signature based on the stored authorization related information when the interface needs to be called, and then sends an interface calling request containing the signature for the target interface to the authorization server.
In this embodiment, the receiving the interface call request including the signature sent by the target application may include: receiving an interface call request which is sent by the target application and contains a signature; the signature is generated by hashing the API interface verification sequence number with the API interface key using a hash algorithm. The hash algorithm may be SHA256, a secure hash algorithm that produces a 256-bit hash value; that is, when an authorized ISV application initiates a service request, it computes a SHA256-based keyed hash of the AppKey with the AppSecret to obtain a signature, and the client application then carries that signature when making the interface call.
Step S13: and checking the signature of the interface calling request, and judging whether to execute corresponding interface calling operation according to the signature checking result.
In this embodiment, after receiving an interface call request sent by a client application, the authorization server verifies the signature contained in the request and then decides, according to the verification result, whether to execute the corresponding interface call operation. That is, the authorization server receives the request and determines whether the call is valid according to the authorization that the verified signature corresponds to.
In this embodiment, the signing verifying the interface call request, and determining whether to execute the corresponding interface call operation according to the signing verifying result includes: judging whether the target application has the authority of the target interface corresponding to the interface call request or not by checking the signature in the interface call request; if yes, executing the operation of calling the target interface for the target application; if not, the operation of calling the target interface for the target application is not executed. If the target application is judged to have the calling authority of the target interface after authentication, the operation of calling the target interface for the target application is executed; and if the target application is judged to have no calling authority of the target interface after authentication, not executing the operation of calling the target interface for the target application.
In this embodiment, the interface call authorization method further includes:
s21: acquiring an authority modification instruction of the service owner to the target application;
s22: and updating the authority configuration of the target application according to the authority modification instruction.
In this embodiment, after the first authorization is completed, the client can still manage all authorizations, for example by modifying, enabling or disabling permissions. In this embodiment, the client can therefore not only keep requesting the interface service after a single authorization, but can also withdraw the authorization on its own, which increases controllability.
In this embodiment, the updating the permission configuration of the target application according to the permission modification instruction includes: if the permission modification instruction is a permission disabling instruction, updating the permission configuration of the target application according to the permission disabling instruction, so that when an interface calling request containing a signature sent by the target application is received, the corresponding interface calling operation is not executed.
For example, as shown in fig. 3, when the right modification instruction is a right disabling instruction, the authorization server updates the right configuration of the target application according to the right disabling instruction, and when receiving the signed interface call request sent by the target application after updating, it is determined that the interface call right does not exist in the target application, so that the corresponding interface call operation is not executed.
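To make steps S11 to S13 and the permission-disable flow of S21/S22 concrete, here is an added Python sketch that is not the patent's own code: an authorization server issues an AppKey/AppSecret pair to the application's preconfigured receiving address, the ISV application signs its call with them, and the server verifies the signature, the granted interfaces and the enable/disable state before executing the call. HMAC-SHA256 is assumed as the "SHA256-based" keyed hash of the AppKey with the AppSecret, and all names, addresses and interface identifiers are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AppRecord:
    """Authorization state the server keeps for one target application."""
    app_key: str
    app_secret: str
    tenant: str
    interfaces: set = field(default_factory=set)  # interfaces the owner granted
    enabled: bool = True                           # cleared by a disable instruction


def make_signature(app_key: str, app_secret: str) -> str:
    """Signature as the page describes it: the AppKey hashed with the AppSecret
    using SHA256.  A keyed hash (HMAC-SHA256) is assumed here for 'encrypting
    the AppKey with the AppSecret based on a hash algorithm'.  The signed input
    is the static AppKey, so the signature is identical for every request."""
    return hmac.new(app_secret.encode(), app_key.encode(), hashlib.sha256).hexdigest()


class AuthorizationServer:
    """SaaS provider side: issues authorization information and verifies calls."""

    def __init__(self):
        self.apps = {}               # AppKey -> AppRecord
        self.receive_addresses = {}  # application name -> preconfigured address
        self.pushed = []             # (address, AppKey, AppSecret), simulated delivery

    def register_receive_address(self, app_name, address):
        """The target application preconfigures where authorization info is sent."""
        self.receive_addresses[app_name] = address

    def authorize(self, tenant, app_name, interfaces):
        """S11: on the owner's authorization instruction, generate AppKey/AppSecret
        for this tenant and push them to the application's receiving address."""
        if app_name not in self.receive_addresses:
            raise ValueError("target application has no receiving address configured")
        app_key = "ak_" + secrets.token_hex(8)
        app_secret = secrets.token_urlsafe(32)
        self.apps[app_key] = AppRecord(app_key, app_secret, tenant, set(interfaces))
        self.pushed.append((self.receive_addresses[app_name], app_key, app_secret))
        return app_key

    def update_permissions(self, app_key, instruction):
        """S21/S22: apply the owner's permission modification instruction."""
        if instruction not in ("enable", "disable"):
            raise ValueError("unknown permission modification instruction")
        self.apps[app_key].enabled = instruction == "enable"

    def handle_call(self, app_key, signature, interface):
        """S13: verify the signature, then decide whether to execute the call."""
        rec = self.apps.get(app_key)
        if rec is None:
            return "rejected: unknown AppKey"
        expected = make_signature(rec.app_key, rec.app_secret)
        if not hmac.compare_digest(expected, signature):   # constant-time compare
            return "rejected: bad signature"
        if not rec.enabled:
            return "rejected: authorization disabled"
        if interface not in rec.interfaces:
            return "rejected: no permission for " + interface
        return "ok: " + interface + " executed for tenant " + rec.tenant


def isv_call(server, app_key, app_secret, interface):
    """S12: the target application signs with its stored info and sends the request."""
    return server.handle_call(app_key, make_signature(app_key, app_secret), interface)


def demo():
    """Authorization, a permitted call, a call to an ungranted interface, a call
    with a wrong secret, and a call after the owner's disable instruction."""
    server = AuthorizationServer()
    server.register_receive_address("isv-crm", "https://isv.example/authz/receive")  # constructed
    app_key = server.authorize("tenant-42", "isv-crm", ["order.query"])
    _address, key, secret = server.pushed[-1]   # the ISV application stores these
    results = [
        isv_call(server, key, secret, "order.query"),           # granted interface
        isv_call(server, key, secret, "order.delete"),          # interface never granted
        isv_call(server, key, "wrong-secret", "order.query"),   # signature mismatch
    ]
    server.update_permissions(app_key, "disable")
    results.append(isv_call(server, key, secret, "order.query"))  # after disable
    return results


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the page's signature covers only the static AppKey, the signature value is the same on every request; the example reproduces the scheme as described rather than binding per-request data into it.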
As can be seen from the above, in this embodiment, according to the received authorization instruction of the service owner to the target application on the client, corresponding authorization related information is sent to the target application; the authorization-related information can characterize the permission level of the target application; receiving an interface call request which is sent by the target application and contains a signature; the signature is generated based on the authorization-related information; and checking the signature of the interface calling request, and judging whether to execute corresponding interface calling operation according to the signature checking result. It can be seen that by sending the authorization related information capable of representing the authority level to the target application, so that when the target application requests the interface call, the interface call request containing the authorization related information is sent, and the authorization server can judge whether the target application has the related authority according to the information in the interface call request, and then execute the corresponding interface call operation according to the judgment result. Therefore, aiming at the design of the service usage scene of the enterprise multi-tenant service, two processes of service data authorization and service data usage are distinguished, authorization of an application level is realized by utilizing authorization related information, the purpose of finer management can be achieved, management and control of the service owners on the authorities are enhanced, meanwhile, the risk of exposure of user account passwords can be reduced, and the service user usage experience is not affected as long as one-time authorization is performed.
In the interface call authorization scheme of the present application, the system framework adopted may specifically be shown in fig. 4, and may specifically include: an authorization server and a number of clients establishing a communication connection with the authorization server. The server executes the step of interface calling authorization, which comprises the steps of sending corresponding authorization related information to a target application on a client according to a received authorization instruction of a service owner to the target application; the authorization-related information can characterize the permission level of the target application; receiving an interface call request which is sent by the target application and contains a signature; the signature is generated based on the authorization-related information; and checking the signature of the interface calling request, and judging whether to execute corresponding interface calling operation according to the signature checking result. By sending the authorization related information capable of representing the authority level to the target application, so that the target application sends an interface call request containing the authorization related information when requesting the interface call, the authorization server can judge whether the target application has the related authority according to the information in the interface call request, and then execute the corresponding interface call operation according to the judgment result. 
Therefore, aiming at the design of the service usage scene of the enterprise multi-tenant service, two processes of service data authorization and service data usage are distinguished, authorization of an application level is realized by utilizing authorization related information, the purpose of finer management can be achieved, management and control of the service owners on the authorities are enhanced, meanwhile, the risk of password exposure of user account numbers can be reduced, and the service user usage experience is not affected subsequently as long as one-time authorization is performed.
Correspondingly, the embodiment of the application also discloses an interface call authorization device, as shown in fig. 5, which comprises:
the information sending module 11 is configured to send corresponding authorization related information to a target application on a client according to a received authorization instruction of a service owner to the target application;
a request receiving module 12, configured to receive an interface call request including a signature sent by the target application; the signature is generated based on the authorization-related information;
and the interface calling module 13 is used for checking the signature of the interface calling request and judging whether to execute the corresponding interface calling operation according to the signature checking result.
As can be seen from the above, in this embodiment, according to the received authorization instruction of the service owner to the target application on the client, corresponding authorization related information is sent to the target application; receiving an interface call request which is sent by the target application and contains a signature; the signature is generated based on the authorization-related information; and checking the signature of the interface calling request, and judging whether to execute corresponding interface calling operation according to the signature checking result. It can be seen that by sending the authorization related information capable of representing the authority level to the target application, so that when the target application requests the interface call, the interface call request containing the authorization related information is sent, and the authorization server can judge whether the target application has the related authority according to the information in the interface call request, and then execute the corresponding interface call operation according to the judgment result. Therefore, aiming at the design of the service usage scene of the enterprise multi-tenant service, two processes of service data authorization and service data usage are distinguished, authorization of an application level is realized by utilizing authorization related information, the purpose of finer management can be achieved, management and control of the service owners on the authorities are enhanced, meanwhile, the risk of exposure of user account passwords can be reduced, and the service user usage experience is not affected as long as one-time authorization is performed.
In some embodiments, the authorization-related information includes an API interface authentication sequence number and an API interface key.
In some embodiments, the request receiving module 12 may specifically include:
an interface call request receiving unit, configured to receive an interface call request including a signature sent by the target application; the signature is generated by hashing the API interface verification sequence number with the API interface key using a hash algorithm.
In some specific embodiments, the information sending module 11 may specifically include:
an authorization related information sending unit, configured to send the corresponding authorization related information to the authorization information receiving address of the target application; the authorization information receiving address is an address preconfigured by the target application for receiving authorization related information.
In some specific embodiments, the interface calling module 13 may specifically include:
a signature verification unit, configured to judge, by verifying the signature in the interface call request, whether the target application holds the permission for the target interface corresponding to the interface call request;
an execution unit, configured to execute the operation of calling the target interface for the target application if the target application holds the permission for the target interface corresponding to the interface call request;
and a non-execution unit, configured not to execute the operation of calling the target interface for the target application if the target application does not hold the permission for the target interface corresponding to the interface call request.
In some specific embodiments, the interface call authorization device may further include:
a permission modification instruction acquisition unit, configured to acquire a permission modification instruction issued by the service owner for the target application;
and a permission updating unit, configured to update the permission configuration of the target application according to the permission modification instruction.
In some embodiments, the permission updating unit may specifically include:
a disabling unit, configured to update the permission configuration of the target application according to a permission disabling instruction if the permission modification instruction is a permission disabling instruction, so that when an interface call request carrying a signature is subsequently received from the target application, the corresponding interface call operation is not executed.
Further, an embodiment of the present application also discloses an electronic device; see Fig. 6, whose content should not be taken as limiting the scope of use of the application in any way.
Fig. 6 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. The memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement relevant steps in the interface call authorization method disclosed in any of the foregoing embodiments.
In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device of the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, following any communication protocol applicable to the technical solution of the present application, which is not specifically limited here; the input/output interface 25 is used for acquiring external input data or outputting data, and its specific interface type may be selected according to the application requirements, which is likewise not limited here.
The memory 22 may be any carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk; the resources stored on it include an operating system 221, a computer program 222, and data 223 including authorization instructions, and the storage may be temporary or permanent.
The operating system 221, which may be Windows Server, NetWare, Unix, Linux, etc., manages and controls the hardware devices of the electronic device 20 and the computer program 222, so that the processor 21 can operate on and process the mass data 223 in the memory 22. Besides the computer program that performs the interface call authorization method executed by the electronic device 20 as disclosed in any of the previous embodiments, the computer program 222 may further include computer programs for other specific tasks.
Further, the embodiment of the application also discloses a computer storage medium, wherein the computer storage medium stores computer executable instructions, and when the computer executable instructions are loaded and executed by a processor, the steps of the interface call authorization method disclosed in any one of the previous embodiments are realized.
In this specification, each embodiment is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments refer to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for relevant points, refer to the description of the method.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Further, the embodiment of the application also discloses a computer program product, which can realize the steps of the interface call authorization method disclosed in any of the previous embodiments when running on a computer.
Finally, it is further noted that relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between them. Moreover, the terms "comprises," "comprising," or any variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to it. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
The above detailed description of the interface call authorization method, device, equipment and medium provided by the invention uses specific examples to illustrate the principle and implementation of the invention; these examples serve only to help understand the method and core idea of the invention. Since those skilled in the art will vary the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the invention.

Claims (10)

1. An interface call authorization method, applied to an authorization server, comprising:
transmitting corresponding authorization related information to a target application on a client according to a received authorization instruction of a service owner to the target application;
receiving an interface call request which is sent by the target application and contains a signature; the signature is generated based on the authorization-related information;
and verifying the signature of the interface call request, and deciding whether to execute the corresponding interface call operation according to the signature verification result.
2. The interface call authorization method according to claim 1, wherein the authorization related information includes an API interface authentication sequence number and an API interface key.
3. The method of claim 2, wherein receiving the signed interface call request sent by the target application comprises:
receiving an interface call request carrying a signature from the target application; the signature is generated by encrypting the API interface authentication sequence number with the API interface key using a hash algorithm.
4. The interface call authorization method according to claim 1, wherein the sending corresponding authorization-related information to the target application includes:
transmitting corresponding authorization related information to an authorization information receiving address corresponding to the target application; the authorization information receiving address is an address which is preconfigured by the target application and is used for receiving authorization related information.
5. The method according to claim 1, wherein verifying the signature of the interface call request and deciding whether to execute the corresponding interface call operation according to the signature verification result includes:
judging, by verifying the signature in the interface call request, whether the target application holds the permission for the target interface corresponding to the interface call request;
if yes, executing the operation of calling the target interface for the target application;
if not, not executing the operation of calling the target interface for the target application.
6. The interface call authorization method according to any one of claims 1 to 5, further comprising:
acquiring an authority modification instruction of the service owner to the target application;
and updating the authority configuration of the target application according to the authority modification instruction.
7. The interface call authorization method according to claim 6, wherein the updating the permission configuration for the target application according to the permission modification instruction includes:
if the permission modification instruction is a permission disabling instruction, updating the permission configuration of the target application according to the permission disabling instruction, so that when an interface call request carrying a signature is subsequently received from the target application, the corresponding interface call operation is not executed.
8. An interface call authorization device, applied to an authorization server, comprising:
an information sending module, configured to send corresponding authorization related information to the target application according to a received authorization instruction issued by a service owner for the target application on a client;
a request receiving module, configured to receive an interface call request carrying a signature from the target application, the signature being generated based on the authorization related information;
and an interface calling module, configured to verify the signature of the interface call request and decide whether to execute the corresponding interface call operation according to the signature verification result.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the interface call authorization method according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program; wherein the computer program when executed by a processor implements the interface call authorization method according to any one of claims 1 to 7.
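The full flow of claims 1 to 7 (and of the module description above), as an added, self-contained example that is not part of the patent: the authorization server mints the API interface authentication sequence number and key on the owner's instruction, delivers them to the application's preconfigured receiving address, verifies the keyed hash on each interface call request, consults the permission configuration, and honours a disabling instruction without revoking the credentials. HMAC-SHA256, the dictionary shapes and the names of the two classes are assumptions; the patent names no concrete hash algorithm or message format.

```python
import hashlib
import hmac
import secrets


def sign(api_key: str, api_seq: str) -> str:
    """Signature over the API interface authentication sequence number under the
    API interface key. HMAC-SHA256 is an assumption; the patent names no algorithm."""
    return hmac.new(api_key.encode(), api_seq.encode(), hashlib.sha256).hexdigest()


class TargetApplication:
    # Client-side application; receive_authorization stands in for its
    # preconfigured authorization information receiving address.
    def __init__(self) -> None:
        self.api_seq = self.api_key = None

    def receive_authorization(self, info: dict) -> None:
        self.api_seq, self.api_key = info["api_seq"], info["api_key"]

    def build_request(self, interface: str) -> dict:
        # Interface call request carrying the signature (claims 1 and 3).
        return {"api_seq": self.api_seq, "interface": interface,
                "signature": sign(self.api_key, self.api_seq)}


class AuthorizationServer:
    def __init__(self) -> None:
        self.apps = {}    # app_id -> {"seq", "key", "allowed"}: permission configuration
        self.by_seq = {}  # api_seq -> app_id, to match a request to its application

    def authorize(self, app_id: str, app: TargetApplication, allowed: set) -> None:
        """Owner's authorization instruction: mint credentials, record permissions, deliver."""
        seq, key = secrets.token_hex(8), secrets.token_hex(32)
        self.apps[app_id] = {"seq": seq, "key": key, "allowed": set(allowed)}
        self.by_seq[seq] = app_id
        app.receive_authorization({"api_seq": seq, "api_key": key})

    def update_permission(self, app_id: str, allowed: set) -> None:
        """Owner's permission modification instruction; an empty set disables the app (claim 7)."""
        self.apps[app_id]["allowed"] = set(allowed)

    def handle_call(self, request: dict) -> tuple:
        """Verify the signature first, then check the target interface permission."""
        app_id = self.by_seq.get(request.get("api_seq"))
        if app_id is None:
            return False, "unknown sequence number"
        app = self.apps[app_id]
        expected = sign(app["key"], app["seq"])
        if not hmac.compare_digest(expected, str(request.get("signature", ""))):
            return False, "signature verification failed"
        if request.get("interface") not in app["allowed"]:
            return False, "interface not authorized"
        return True, "called %s for %s" % (request["interface"], app_id)
```

Because the signed message is only the sequence number, as the claims describe, a captured request would verify again later; binding a timestamp or nonce into the signed message is the usual hardening and is outside what the patent specifies.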

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310138759.5A CN116089914A (en) 2023-02-14 2023-02-14 Interface call authorization method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116089914A true CN116089914A (en) 2023-05-09

Family

ID=86213968

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination