
CN113760395B - Method, device, equipment and computer-readable medium for interface authentication - Google Patents


Info

Publication number: CN113760395B
Authority: CN (China)
Prior art keywords: interface, authentication, client, token, service
Legal status: Active
Application number: CN202010612703.5A
Other languages: Chinese (zh)
Other versions: CN113760395A (en)
Inventor: 初鹏飞
Current Assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd
Original Assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd
Events: application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Wodong Tianjun Information Technology Co Ltd; priority to CN202010612703.5A; publication of CN113760395A; application granted; publication of CN113760395B

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/448 Execution paradigms, e.g. implementations of programming paradigms
    • G06F9/4482 Procedural
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present invention discloses a method, device, equipment and computer-readable medium for interface authentication, relating to the field of computer technology. A specific implementation of the method includes: in a remote procedure call framework, a client that needs to call an interface sends a call request for calling a service interface to a server, where the call request includes a client token assigned to the client by an authentication server; the server obtains the authorized client token of the interface from the authentication server according to a configuration identifier; the server authenticates the call request based on the client token in the call request and the authorized client token, and feeds the authentication result back to the client. This implementation can distinguish different access terminals, thereby ensuring the security of the service.

Description

Method, apparatus, device and computer readable medium for interface authentication
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a computer readable medium for interface authentication.
Background
Several services for one product, such as a membership service, a coupon service, an order service and a personal information management service, live in a single application. Whenever any one of these services changes, the entire application has to be redeployed.
Microservices split the different services into independent applications. Each independent application can evolve on its own, its updates and deployments do not affect the others, it can be reused, and it can serve more clients.
In the course of realising the invention, the inventor found at least the following problem in the prior art: in microservices a client can call a service on the basis of a call request, but different clients cannot be distinguished, so any client can call the service and the security of the service is difficult to ensure.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, apparatus, device, and computer readable medium for interface authentication, which can distinguish between different access terminals, thereby guaranteeing service security.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a method for interface authentication, including:
In a remote procedure call framework, a client that needs to call an interface sends a call request for calling a service interface to a server, wherein the call request comprises a client token, and the client token is assigned to the client by an authentication server;
the server acquires an authorized client token of the interface from the authentication server according to a configuration identifier;
and the server authenticates the call request according to the client token in the call request and the authorized client token, and feeds back an authentication result to the client.
The server obtaining the authorized client token of the interface from the authentication server according to the configuration identifier comprises the following step:
the server obtains the authorized client token of the interface from the authentication server through an authentication server filter, based on the configuration identifier and the service token.
The authentication server filter is one of a plurality of sequentially executed filters.
The obtaining of the authorized client token of the interface from the authentication server comprises:
obtaining from the authentication server an authorized client token for a predefined method of the interface.
The service token is obtained after the service provider of the interface registers on the authentication server.
The method further comprises the steps of:
the service provider of the interface registers the interface service on the authentication server to obtain the configuration identifier;
the client applies to the service provider, through the authentication server, for permission to call the interface;
and after the service provider authorizes the client to call the interface, the authentication server assigns the client token to the client.
According to a second aspect of an embodiment of the present invention, there is provided an apparatus for interface authentication, including:
a sending module, configured so that, in a remote procedure call framework, a client that needs to call an interface sends a call request for calling a service interface to a server, wherein the call request comprises a client token, and the client token is assigned to the client by an authentication server;
an acquisition module, configured to control the server to acquire the authorized client token of the interface from the authentication server according to the configuration identifier;
and an authentication module, configured to control the server to authenticate the call request according to the client token in the call request and the authorized client token, and to feed back an authentication result to the client.
According to a third aspect of an embodiment of the present invention, there is provided a method for interface authentication, including:
receiving an authentication request sent by the server that performs interface authentication, wherein the authentication request comprises a configuration identifier and a service token;
and if the server that performs interface authentication passes authentication according to the service token, feeding back to that server the authorized client token of the interface corresponding to the configuration identifier.
The receiving of the authentication request sent by the server that performs interface authentication comprises the following step:
receiving the authentication request sent by the server that performs interface authentication through an authentication server filter.
The method further comprises the steps of:
receiving the registration of a service provider of an interface and sending the configuration identifier to the service provider of the interface;
and receiving a service application from the service provider of the interface, and sending the service token to the service provider of the interface.
The method further comprises the steps of:
Receiving a service application of a client needing to call an interface, and sending an approval message to a service provider of the interface;
And receiving an approval passing message sent by a service provider of the interface, and feeding back a client token of the interface corresponding to the configuration identifier to the client terminal needing to call the interface, wherein the client token belongs to the authorized client token.
According to a fourth aspect of an embodiment of the present invention, there is provided an apparatus for interface authentication, including:
a receiving module, configured to receive an authentication request sent by the server that performs interface authentication, wherein the authentication request comprises a configuration identifier and a service token;
and an authentication module, configured to determine that the server that performs interface authentication passes authentication according to the service token, and to feed back to that server the authorized client token of the interface corresponding to the configuration identifier.
According to a fifth aspect of an embodiment of the present invention, there is provided an electronic device for interface authentication, including:
one or more processors;
storage means for storing one or more programs,
The one or more programs, when executed by the one or more processors, cause the one or more processors to implement the methods as described above.
According to a sixth aspect of embodiments of the present invention, there is provided a computer readable medium having stored thereon a computer program which when executed by a processor implements a method as described above.
One embodiment of the invention has the following advantages. In a remote procedure call framework, a client that needs to call an interface sends a call request for calling a service interface to a server; the call request comprises a client token, which the authentication server assigned to the client. The server acquires the authorized client token of the interface from the authentication server according to a configuration identifier, authenticates the call request according to the client token in the call request and the authorized client token, and feeds the authentication result back to the client. Because different access terminals can be distinguished by their client tokens, the security of the service is guaranteed.
Further effects of the above-described non-conventional alternatives are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of the main flow of a method of interface authentication according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a remote procedure call framework according to an embodiment of the present invention;
FIG. 3 is an interaction schematic diagram of an authentication server according to an embodiment of the present invention;
FIG. 4 is a flow diagram of registration at an authentication server according to an embodiment of the present invention;
FIG. 5 is a flow diagram of acquiring an authorized client token of an interface according to an embodiment of the present invention;
FIG. 6 is a flow diagram of authenticating a call request according to an embodiment of the invention;
FIG. 7 is a flow diagram of another way of authenticating a call request according to an embodiment of the invention;
FIG. 8 is a flow chart of a server interacting with an authentication server according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of the main structure of an apparatus for interface authentication according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of the main flow of a method of interface authentication according to another embodiment of the present invention;
FIG. 11 is a schematic diagram of the main structure of an apparatus for interface authentication according to another embodiment of the present invention;
FIG. 12 is an exemplary system architecture diagram in which embodiments of the present invention may be applied;
FIG. 13 is a schematic diagram of a computer system suitable for use in implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Currently there are many forms of external authentication for microservice systems, most of them carried over the hypertext transfer protocol (HTTP), including OAuth, SAML, OpenID Connect and others. Some of these methods are mature, such as OAuth; others, such as SAML, are more complex.
In general, however, this is authentication by the internal system of external calls, where "external" includes a browser or an application programming interface (API); there are currently few general approaches to authenticating the internal interfaces of microservices that are based on remote procedure calls (Remote Procedure Call, RPC).
RPC, remote procedure call, is a protocol for requesting a service from a program on a remote computer over a network without needing to know the underlying network technology. RPC makes it easier to develop applications, including distributed multi-program applications on a network.
For example, small and medium enterprises assume by default that their internal network is secure, and no mutual authentication is needed between departments; a large enterprise with many institutions, however, has numerous business lines and requirements for system stability, security, monitoring and statistics, so authentication is needed between internal departments as well.
For authentication requirements in the above scenario, the current solutions mainly have the following ways:
Mode one, no authentication.
The framework used, whether the commercially popular dubbo or a service invocation framework developed in-house, is by default inside a secure network: the outer layer has a security boundary, and the services within the boundary trust each other and thus require no authentication.
Regarding mode one:
defaulting to being inside the security boundary and performing no verification has the following main drawbacks.
First, if an attacker breaks into the internal network from outside the boundary, all interfaces are exposed to the attacker, who can then perform any operation; this is a huge security risk.
Second, even inside the boundary, some important interfaces, such as those that modify financial data or passwords, need their scope or source of access controlled. Such important interfaces obviously cannot be opened to all internal applications either.
In addition, some scenarios require statistics on access sources, such as the access counts and frequencies of different sources, and this requires RPC clients to be distinguished and authenticated.
Mode two, setting a token.
A common token is agreed between the RPC server side and client side. If a new client wants to invoke this service, it must request the token from the server and then carry it as an implicit parameter when invoking the service.
After the RPC framework receives the call request, it checks the implicit parameters carried by the client, takes the token out of the implicit parameters, and compares it with the token of the called service. If the tokens are the same, the service is called; otherwise the call is refused and the related information is returned to the client.
Regarding mode two:
the RPC client and server use the same token. This achieves preliminary authentication, so that an external intruder who has entered the internal network still cannot call internal services. However, it has a great disadvantage: different clients cannot be distinguished, and because the token cannot be dynamically allocated one-to-one to different clients, misuse is possible and statistics cannot be broken down by client source.
Mode three, API key.
API keys have various implementations, and how they are used depends on the particular technical scheme of the system. They can not only identify the service caller but also impose various restrictions, including access to specific resources and rate limits on the interface. Many systems use a shared API key that is verified with a hash-based message authentication code (HMAC); some systems employ public/private key pairs.
Regarding mode three:
while it satisfies the requirement for secure calls, it brings the complexity of dynamically assigning and managing keys or certificates. Especially in a distributed scenario, where the client is itself a cluster and must invoke services from multiple parties, a complex set of management mechanisms is required. The same holds for management on the server side; moreover, RPC may be called at high frequency, and the frequent, computationally heavy encryption and decryption also burdens internal service performance, so this scheme is not suitable for calls within an RPC framework.
In microservices, the client can call a service on the basis of a call request; for internal calls within the RPC framework, however, the encryption and decryption process imposes a large computational load and thus affects internal service performance.
In summary, under the condition that internal service performance must not be affected, there is the technical problem that clients cannot be distinguished, so that any access terminal can call services and service security is difficult to guarantee.
In order to solve the technical problem that different clients cannot be distinguished, the following technical scheme in the embodiment of the present invention may be adopted.
Referring to fig. 1, fig. 1 is a schematic diagram of a main flow of an interface authentication method according to an embodiment of the present invention, where a server obtains an authorized client token, so that a call request can be authenticated. As shown in fig. 1, the method specifically comprises the following steps:
S101, in a remote procedure call framework, a client that needs to call an interface sends a call request for calling a service interface to a server, wherein the call request comprises a client token, and the client token is assigned to the client by an authentication server.
An RPC framework is an architecture that employs an RPC-related protocol. Referring to fig. 2, fig. 2 is a schematic diagram of a remote procedure call framework according to an embodiment of the present invention, and fig. 2 includes 3 servers, namely, server a, server B, and server C.
The server A is deployed with an application, and the server B and the server C respectively provide services which can be used by the application.
An application deployed on server a needs to call a service used by an application on server B or server C, and because the application cannot be directly called without being in the same memory space, the application needs to express the semantics of the call and convey the data of the call through a network. That is, the application in server a invokes the service used by the application on server B or server C through the RPC.
In an embodiment of the invention, interface authentication involves a client invoking an interface, a service provider of the interface, a server and an authentication server.
It is understood that a server is a device that provides multiple services in an application to a client.
The specific procedure for registering a service and assigning tokens is described below by way of example. The server side obtains the service token, and the client that calls the interface is assigned and obtains the client token.
Referring to fig. 3, fig. 3 is an interaction schematic diagram of an authentication server according to an embodiment of the present invention, which specifically includes:
S301, registering the service.
In one embodiment of the invention, the service provider of the interface registers for services. In particular, the service provider of the interface registers its own services on the authentication server.
It will be appreciated that one interface may provide one or more services. That is, in the case where the interface provides one service, the client calling the interface can call one service through the interface, and in the case where the interface provides a plurality of services, the client calling the interface can call a plurality of services through the interface.
S302, feeding back a configuration identifier.
The authentication server is used for verifying whether the server side has the right to acquire the authorized client token or not and verifying whether the client side has the right to call the interface or not.
In the embodiment of the invention, both the service provider of the interface and the client needing to call the interface need to register in the authentication server.
After the service provider of the interface sends a request to register the service to the authentication server, the authentication server applies for a configuration identifier for the interface, or configures the configuration identifier for the service application corresponding to the interface.
S303, applying for a service token.
The service provider of the interface sends a request for a service token to the authentication server.
S304, feeding back the service token.
The authentication server generates a service token, which serves as the basis for the server side to access the authentication server. The service provider of the interface can provide the configuration identifier and the service token to the server side, so that the server side can conveniently provide the interface-calling service to the client that calls the interface.
S301 to S304 above are the specific procedure by which the service provider of the interface registers with the authentication server and obtains the configuration identifier and the service token.
S305, applying for a client token.
Before the interface is called, the client that calls the interface needs to register with the authentication server to acquire the client token. The client that calls the interface applies through the authentication server for the authority to call the service.
S306, waiting for application.
The authentication server sends a message to be approved to a service provider of the interface, and the service provider of the interface determines whether the client is allowed to call the interface.
S307, approval passes.
If the service provider of the interface does not allow the client that calls the interface to call it, the feedback is that approval did not pass.
S308, feeding back the client token.
In case of approval passing, the authentication server assigns a client token to the client. In this way, the client is facilitated to invoke the interface described above.
S305 to S308 above are the specific procedure by which the client that calls the interface registers with the authentication server and obtains the client token.
It will be appreciated that the above-described registration steps of the server and the client invoking the interface may be summarized as follows.
Referring to fig. 4, fig. 4 is a schematic flow chart of registration at an authentication server according to an embodiment of the present invention, which specifically includes:
S401, the service provider of the interface registers the interface service in the authentication server to obtain the configuration identifier.
In the embodiment of the invention, the configuration identifier is a parameter for distinguishing different RPC services accessed to the authentication server, and when the service provider of the interface accesses the authentication server, various configuration data under the service are acquired by using the configuration identifier.
S402, the client applies for the calling of the interface through the authentication server.
The client applies for the invocation of the interface by sending a request for applying for a client token to the authentication server.
S403, after the service provider of the interface authorizes the client to call the interface, the authentication server distributes a client token for the client.
After being authorized by the service provider of the interface, the authentication server distributes a client token to the client.
It will be appreciated that the client corresponds to a client token and the service provider of the interface corresponds to a service token. The above-mentioned tokens are two different tokens. The client accesses the interface through the client token, and the server uses the service token as the basis for accessing the authentication system.
It will be appreciated that the service token is obtained after the service provider of the interface registers with the authentication server.
After both the service provider and the client of the interface are registered with the authentication server, the client may initiate interface authentication to invoke the interface.
It can be understood that the technical solution in the embodiment of the present invention is applicable to the RPC framework in fig. 2. The client requiring the RPC sends a call request to the server to invoke the service interface.
In one embodiment of the invention, upon a remote procedure call, the client is activated in the filter call chain and retrieves its assigned client token from the authentication server.
The filter call chain is a chain of several filters; each processes the request in turn and passes it to the next filter, and finally the request is dispatched to the control layer for business processing.
After the client token is obtained from the authentication server, a call request for calling the service interface can be sent to the server, and after the authentication is passed, the service interface can be called. Wherein the call request includes a client token. It will be appreciated that the client token is assigned to the client by the authentication server.
According to S305 to S308, the authentication server assigns a client token to each client that needs to invoke an interface. Because the clients are different, the client tokens for the clients are also different. That is, the client is in one-to-one correspondence with the client token, and the client can be known based on the client token.
S102, the server acquires the authorized client token of the interface from the authentication server according to the configuration identifier.
In the embodiment of the invention, a filter call chain is invoked before the RPC call on the server side. In addition to the standard general-purpose filters, the filter call chain adds an authentication server filter. The authentication server filter is essentially a client of the authentication server.
In an embodiment of the invention, the authentication server filter is one of a plurality of sequentially executed filters.
Referring to fig. 5, fig. 5 is a schematic flow chart of acquiring an authorized client token of an interface according to an embodiment of the present invention, specifically including:
S501, the server starts an authentication server filter in a filter call chain.
The filter call chain comprises a plurality of filters, and after the server receives the call request and acquires the client token in the call request, the authentication server filter in the filter call chain is started.
S502, the authentication server filter in the filter call chain obtains the authorized client token of the interface from the authentication server, based on the configuration identifier and the server token.
The authentication server filter connects the server and the authentication server and is the glue between the two large systems. To the authentication server, the authentication server filter is equivalent to a client: when the filter call chain reaches this node, the authentication server filter carries the server's configuration identifier and server token and uses a specific network protocol to obtain the interface's authorized client token from the authentication server. Illustratively, the authorized client token comprises the set of client tokens of the list of clients authorized for the interface.
The authorized client token of the interface is stored in the authentication server. An authorized client token is a client token that has applied for the interface or method and has been approved.
The server token of the server is pre-allocated to the server by the authentication server.
In one embodiment of the invention, the authorized client token of a predefined method of the interface is obtained from the authentication server. An interface may have many methods, and the authorized client token of the predefined method can be sent to the server. The predefined method may be one method or several methods.
S103, the server authenticates the call request according to the client token in the call request and the authorized client tokens, and feeds back the authentication result to the client.
The server may authenticate the invocation request based on the client token and the authorized client token in the invocation request.
Referring to fig. 6, fig. 6 is a schematic flow chart of an authentication call request according to an embodiment of the present invention, specifically including:
S601, the server judges that the client token in the call request belongs to the authorized client tokens, and the authentication of the call request succeeds.
Based on the client token and the authorized client token in the call request, the server judges that the client token in the call request belongs to the authorized client token, and the call request authentication is successful.
S602, feeding back authentication success to the client.
If the authentication of the call request succeeds, success is fed back to the client and the call proceeds to the next node of the filter call chain.
In the RPC framework, the client receives the feedback result and performs subsequent processing based on the filter call chain.
In the embodiment of fig. 6, the server authenticates based on the client token and the authorized client token and feeds back the authentication result, thereby determining that the service can be invoked.
Referring to fig. 7, fig. 7 is a schematic flow chart of another authentication call request according to an embodiment of the present invention, specifically including:
S701, the server judges that the client token in the call request does not belong to the authorized client token, and the call request fails to authenticate.
Based on the client token and the authorized client token in the call request, the server side judges that the client token in the call request does not belong to the authorized client token, and the authentication of the call request fails.
S702, feeding back a response of rejecting the service to the client.
And if the call request authentication fails, feeding back a response of rejecting the service to the client.
In the embodiment of fig. 7, the server authenticates based on the client token and the authorized client token and feeds back authentication failure, thereby determining that the service cannot be invoked.
In this embodiment, in a remote procedure call framework, a client that needs to call an interface sends a call request for the service interface to the server. The call request carries a client token that the authentication server allocated to the client. The server obtains the authorized client tokens of the interface from the authentication server according to the configuration identifier, authenticates the call request by checking the client token in the call request against the authorized client tokens, and feeds back the authentication result to the client. Because different callers can be distinguished by their client tokens, the security of the service is guaranteed.
Referring to fig. 8, fig. 8 is a schematic flow chart of interaction between a server and an authentication server according to an embodiment of the present invention, which specifically includes:
S801, acquiring an authorized client token according to the configuration identification.
And the server acquires the authorized client token from the authentication server according to the configuration identifier.
S802, feeding back an authorized client token.
The authentication server feeds back the authorized client token to the server.
S803, judging whether the client token belongs to an authorized client token.
If the server judges that the client token belongs to the authorized client tokens, authentication succeeds; if it judges that the client token does not belong to them, authentication fails.
S804, feeding back the authentication result.
The server feeds back the authentication result to the client.
In this embodiment, a client of the authentication server is fused into the filter call chain of the RPC server as the authentication server filter. Each time the RPC service is called, this filter is activated in the call chain, obtains from the authentication server the authorized client tokens corresponding to the server's configuration identifier, and authenticates the calling client's token against them. Because the authorized set is fetched on every call, a client whose authorization has been withdrawn at the authentication server is rejected on its next call.
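The filter call chain and the server-side check of figs. 5 to 8, written out as an added Python example; this is not code from the patent or from any RPC framework of the applicant. The class names (Filter, LoggingFilter, AuthServerFilter, CallRequest, Response), the AUTH_SERVER_DB dictionary that stands in for the authentication server's storage, the fetch_authorized_tokens function that stands in for the network call of S801/S802, and every token value are assumptions of this example. It goes slightly beyond the text in one respect: the authorized set is keyed by method as well as by configuration identifier, as the "predefined method" embodiment describes.

```python
"""Added example (not from the patent): an RPC server filter call chain with an
authentication-server filter.  All names and token values are assumptions."""
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the authentication server's stored data: the service
# token each server must present, and the authorized client tokens keyed by
# (configuration identifier, method).
AUTH_SERVER_DB = {
    "service_tokens": {"cfg-order-service": "svc-tok-7f3a"},
    "authorized": {
        ("cfg-order-service", "createOrder"): {"cli-tok-app", "cli-tok-web"},
        ("cfg-order-service", "refund"): {"cli-tok-app"},
    },
}


def fetch_authorized_tokens(config_id, service_token, method):
    """Stand-in for the network call to the authentication server (S801/S802).
    The authentication server checks the service token first (S1002) and only
    then releases the authorized client tokens for the configuration identifier."""
    expected = AUTH_SERVER_DB["service_tokens"].get(config_id, "")
    if not hmac.compare_digest(expected, service_token):
        raise PermissionError("service token rejected by authentication server")
    return frozenset(AUTH_SERVER_DB["authorized"].get((config_id, method), ()))


@dataclass
class CallRequest:
    method: str
    client_token: str
    args: dict = field(default_factory=dict)


@dataclass
class Response:
    ok: bool
    body: str


class Filter:
    def invoke(self, request, next_filter):
        raise NotImplementedError


class LoggingFilter(Filter):
    """A generic filter of the kind that normally sits in the chain."""
    def __init__(self):
        self.seen = []

    def invoke(self, request, next_filter):
        self.seen.append(request.method)
        return next_filter(request)


class AuthServerFilter(Filter):
    """The authentication server filter: a client of the authentication server
    fused into the RPC server's chain (S501/S502, then S601 or S701)."""
    def __init__(self, config_id, service_token):
        self.config_id = config_id
        self.service_token = service_token

    def invoke(self, request, next_filter):
        authorized = fetch_authorized_tokens(self.config_id, self.service_token,
                                             request.method)
        # Membership test with a constant-time comparison per token, so a
        # guessed token cannot be narrowed down through comparison timing.
        if any(hmac.compare_digest(t, request.client_token) for t in authorized):
            return next_filter(request)             # S602: continue down the chain
        return Response(False, "service rejected")  # S702: reject the call


def build_chain(filters, handler):
    """Compose the filters so each one calls the next; the last calls the service."""
    def compose(index):
        if index == len(filters):
            return handler
        return lambda req: filters[index].invoke(req, compose(index + 1))
    return compose(0)


def order_service(request):
    return Response(True, f"{request.method} done for {request.args}")


def serve(request, service_token="svc-tok-7f3a"):
    """Run one call through the chain as the RPC server would."""
    chain = build_chain(
        [LoggingFilter(), AuthServerFilter("cfg-order-service", service_token)],
        order_service,
    )
    return chain(request)
```

The authentication server filter sits after the generic filters and before the service itself, so an unauthorized token never reaches the service code. Because the client token is a bearer secret carried in every call request, the RPC transport between client and server must itself be protected, or anyone who can read the wire can replay the token.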
Referring to fig. 9, fig. 9 is a schematic diagram of a main structure of an interface authentication device according to an embodiment of the present invention, where the interface authentication device may implement an interface authentication method, as shown in fig. 9, where the interface authentication device specifically includes:
The sending module 901 is configured so that, in the remote procedure call framework, a client that needs to call an interface sends a call request for the service interface to the server, where the call request includes a client token allocated to the client by the authentication server.
The obtaining module 902 is configured to control the server to obtain the authorized client tokens of the interface from the authentication server according to the configuration identifier.
The authentication module 903 is configured to control the server to authenticate the call request according to the client token in the call request and the authorized client tokens, and to feed back the authentication result to the client.
In one embodiment of the present invention, the obtaining module 902 is specifically configured to control the server to obtain the authorized client tokens of the interface from the authentication server through the authentication server filter, based on the configuration identifier and the service token.
In one embodiment of the invention, the authentication server filter is one of a plurality of sequentially executed filters.
In one embodiment of the invention, the obtaining module 902 is specifically configured to obtain the authorized client tokens of a predefined method of the interface from the authentication server.
In one embodiment of the invention, the service token is obtained after the service provider of the interface registers with the authentication server.
In one embodiment of the present invention, the authentication module 903 is further configured to control the service provider of the interface to register the interface service on the authentication server and obtain the configuration identifier;
to control the client to apply, through the authentication server, to the service provider of the interface for permission to call the interface;
and, after the service provider of the interface authorizes the client to call the interface, to receive the client token that the authentication server allocates to the client.
Referring to fig. 10, fig. 10 is a schematic diagram of main flow of an interface authentication method according to another embodiment of the present invention, and an execution subject of the technical solution in fig. 10 is an authentication server, which specifically includes:
S1001, receiving an authentication request sent by the server that performs interface authentication, where the authentication request includes a configuration identifier and a service token.
In one embodiment of the invention, the service provider of the interface must register with the authentication server to obtain the configuration identifier and the service token.
Specifically, the authentication server receives the registration of the service provider of the interface and sends a configuration identifier to the service provider.
The authentication server receives a service application from the service provider of the interface and sends a service token to the service provider.
In one embodiment of the invention, a client that needs to call the interface must also apply through the authentication server to obtain a client token.
The authentication server receives the service application of the client that needs to call the interface and sends an approval message to the service provider of the interface;
when the authentication server receives the approval-passing message from the service provider of the interface, it feeds back to the client a client token for the interface corresponding to the configuration identifier; that client token then belongs to the authorized client tokens.
The authentication server receives the authentication request sent by the server performing interface authentication. The server sends this request to obtain the authorized client tokens of the interface corresponding to the configuration identifier, so that it can authenticate the call request sent by the client that needs to call the interface. The authentication request includes the configuration identifier and the service token.
In one embodiment of the invention, the authentication request sent by the server performing interface authentication is received through the authentication server filter.
The authentication server filter is one of a plurality of sequentially executed filters: the filter call chain adds the authentication server filter alongside the standard generic filters. The authentication server filter is essentially a client of the authentication server.
S1002, determining according to the service token that the server performing interface authentication passes authentication, and feeding back to that server the authorized client tokens of the interface corresponding to the configuration identifier.
The authentication server determines from the service token whether the server performing interface authentication passes authentication. As an example, the authentication server looks up the received service token among the stored authorized service tokens; if it is found, the server passes authentication. A request whose service token is not found does not pass, and no authorized client tokens are returned for it.
If the server passes authentication, the authentication server feeds back to it the authorized client tokens of the interface corresponding to the configuration identifier.
In the embodiment of fig. 10, the authentication server receives the authentication request sent by the server and feeds back the authorized client tokens of the interface. Because different callers can be distinguished by their client tokens, the security of the service is guaranteed.
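The authentication server side of fig. 10 (provider registration, service application, client application and approval, and the handling of an authentication request from the server) as an added Python example; this is not code from the patent. The AuthenticationServer class and its method names, the use of secrets.token_hex to mint identifiers and tokens, and the in-memory dictionaries are assumptions of this example. The revoke method is an addition the text does not describe, included to show that withdrawing a client's authorization is reflected in the next authentication request.

```python
"""Added example (not from the patent): an in-memory authentication server for
the flow of fig. 10.  Names, token formats and storage layout are assumptions."""
import hmac
import secrets


class AuthenticationServer:
    def __init__(self):
        self.providers = {}       # configuration identifier -> provider name
        self.service_tokens = {}  # configuration identifier -> service token
        self.pending = {}         # application id -> (client, configuration identifier)
        self.authorized = {}      # configuration identifier -> {client: client token}

    # Service provider side (the registration steps behind S1001).
    def register_provider(self, provider):
        """Provider registers the interface service and receives a configuration
        identifier."""
        config_id = "cfg-" + secrets.token_hex(4)
        self.providers[config_id] = provider
        self.authorized[config_id] = {}
        return config_id

    def apply_service(self, config_id):
        """Provider applies for the service and receives the service token that
        the server will present in every authentication request."""
        if config_id not in self.providers:
            raise KeyError("unknown configuration identifier")
        token = secrets.token_hex(16)
        self.service_tokens[config_id] = token
        return token

    # Client side.
    def client_apply(self, client, config_id):
        """Client applies to call the interface; the approval message sent to
        the provider is modelled here as a pending application id."""
        if config_id not in self.providers:
            raise KeyError("unknown configuration identifier")
        app_id = "app-" + secrets.token_hex(4)
        self.pending[app_id] = (client, config_id)
        return app_id

    def approve(self, app_id, approver):
        """Provider's approval-passing message.  Only the interface's own
        provider may approve; a client token is minted and joins the
        authorized set for that configuration identifier."""
        client, config_id = self.pending[app_id]
        if self.providers[config_id] != approver:
            raise PermissionError("only the interface's provider can approve")
        del self.pending[app_id]
        token = secrets.token_hex(16)
        self.authorized[config_id][client] = token
        return token

    def revoke(self, config_id, client):
        """Withdraw a client's authorization (assumed; not described in the text)."""
        self.authorized[config_id].pop(client, None)

    # Server side (S1001 / S1002).
    def handle_authentication_request(self, config_id, service_token):
        """Verify the service token for the configuration identifier, then feed
        back the authorized client tokens of that interface.  Returns None when
        the server does not pass authentication, so nothing is released for a
        bad or unknown service token."""
        expected = self.service_tokens.get(config_id)
        if expected is None or not hmac.compare_digest(expected, service_token):
            return None
        return frozenset(self.authorized[config_id].values())
```

The service token check comes before any lookup of authorized client tokens, which is the property S1002 relies on: a party that has only learned a configuration identifier gets nothing back. Binding approval to the registered provider of that configuration identifier closes the gap where a different provider could authorize clients for an interface it does not own.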
Referring to fig. 11, fig. 11 is a schematic diagram of the main structure of an interface authentication apparatus according to another embodiment of the present invention:
The receiving module 1101 is configured to receive an authentication request sent by the server performing interface authentication, where the authentication request includes a configuration identifier and a service token.
The authentication module 1102 is configured to determine, according to the service token, that the server performing interface authentication passes authentication, and to feed back to that server the authorized client tokens of the interface corresponding to the configuration identifier.
In one embodiment of the present invention, the receiving module 1101 is specifically configured to receive, through the authentication server filter, the authentication request sent by the server performing interface authentication.
In one embodiment of the present invention, the authentication module 1102 is further configured to receive the registration of the service provider of the interface and send the configuration identifier to the service provider;
and to receive the service application of the service provider of the interface and send the service token to the service provider.
In one embodiment of the present invention, the authentication module 1102 is further configured to receive the service application of a client that needs to call the interface and send an approval message to the service provider of the interface;
and, on receiving the approval-passing message from the service provider of the interface, to feed back to the client a client token for the interface corresponding to the configuration identifier, where that client token belongs to the authorized client tokens.
Fig. 12 illustrates an exemplary system architecture 1200 of a method of interface authentication or apparatus of interface authentication to which embodiments of the present invention may be applied.
As shown in fig. 12, the system architecture 1200 may include terminal devices 1201, 1202, 1203, a network 1204, and a server 1205. The network 1204 serves as a medium for providing communications links between the terminal devices 1201, 1202, 1203 and the server 1205. The network 1204 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the server 1205 through the network 1204 using the terminal devices 1201, 1202, 1203 to receive or transmit messages or the like. The terminal devices 1201, 1202, 1203 may have various communication client applications installed thereon, such as a shopping class application, a web browser application, a search class application, an instant messaging tool, a mailbox client, social server software, and the like (by way of example only).
The terminal devices 1201, 1202, 1203 may be various electronic devices having a display screen and supporting web browsing, including, but not limited to, smartphones, tablets, laptop and desktop computers, and the like.
The server 1205 may be a server providing various services, such as a background management server (by way of example only) that provides support for shopping-type websites browsed by users using terminal devices 1201, 1202, 1203. The background management server may analyze and process the received data such as the product information query request, and feedback the processing result (e.g., the target push information, the product information—only an example) to the terminal device.
It should be noted that, the method for interface authentication provided in the embodiment of the present invention is generally executed by the server 1205, and accordingly, the device for interface authentication is generally disposed in the server 1205.
It should be understood that the number of terminal devices, networks and servers in fig. 12 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 13, there is illustrated a schematic diagram of a computer system 1300 suitable for use in implementing an embodiment of the present invention. The terminal device shown in fig. 13 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 13, the computer system 1300 includes a Central Processing Unit (CPU) 1301, which can execute various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1302 or a program loaded from a storage section 1308 into a Random Access Memory (RAM) 1303. In the RAM 1303, various programs and data necessary for the operation of the system 1300 are also stored. The CPU 1301, ROM 1302, and RAM 1303 are connected to each other through a bus 1304. An input/output (I/O) interface 1305 is also connected to bus 1304.
Connected to the I/O interface 1305 are an input portion 1306 including a keyboard, a mouse, and the like, an output portion 1307 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like, a storage portion 1308 including a hard disk, and the like, and a communication portion 1309 including a network interface card such as a LAN card, a modem, and the like. The communication section 1309 performs a communication process via a network such as the internet. The drive 1310 is also connected to the I/O interface 1305 as needed. Removable media 1313, such as magnetic disks, optical disks, magneto-optical disks, semiconductor memory, and the like, is mounted on drive 1310 as needed so that a computer program read therefrom is mounted into storage portion 1308 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via the communication portion 1309 and/or installed from the removable medium 1313. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 1301.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of a computer-readable storage medium may include, but are not limited to, an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments of the present invention may be implemented in software or in hardware. The described modules may also be provided in a processor, which may be described as, for example, a processor comprising a sending unit, an obtaining unit, a determining unit and a first processing unit. The names of these units do not constitute a limitation on the unit itself in some cases, and for example, the transmitting unit may also be described as "a unit that transmits a picture acquisition request to a connected server".
As a further aspect, the invention also provides a computer readable medium which may be comprised in the device described in the above embodiments or may be present alone without being fitted into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to include:
in a remote procedure call framework, a client that needs to call an interface sends a call request for the service interface to the server, where the call request includes a client token allocated to the client by the authentication server;
the server obtains the authorized client tokens of the interface from the authentication server according to the configuration identifier;
and the server authenticates the call request according to the client token in the call request and the authorized client tokens, and feeds back the authentication result to the client.
According to the technical scheme of the embodiment of the invention, in a remote procedure call framework, a client that needs to call an interface sends a call request for the service interface to the server. The call request carries a client token that the authentication server allocated to the client. The server obtains the authorized client tokens of the interface from the authentication server according to the configuration identifier, authenticates the call request by checking the client token in the call request against the authorized client tokens, and feeds back the authentication result to the client. Because different callers can be distinguished by their client tokens, the security of the service is guaranteed.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (12)

1. A method of interface authentication, comprising:
In a remote procedure call framework, a client that needs to call an interface sends a call request for calling a service interface to a server, wherein the call request comprises a client token, and the client token is allocated to the client by an authentication server;
the server acquires an authorized client token of the interface from the authentication server according to the configuration identifier;
The server authenticates the call request according to the client token in the call request and the authorized client token, and feeds back an authentication result to the client;
The server obtains the authorized client token of the interface from the authentication server according to the configuration identifier, and the method comprises the following steps:
The server side obtains the authorized client token of the interface from the authentication server through an authentication server filter based on the configuration identification and the service token.
2. The method of interface authentication of claim 1, wherein the authentication server filter is one of a plurality of sequentially executed filters.
3. The method of interface authentication of claim 1, wherein said obtaining an authorized client token for the interface from the authentication server comprises:
an authorized client token for a predefined method of the interface is obtained from the authentication server.
4. The method of claim 1, wherein the service token is obtained after a service provider of an interface registers with the authentication server.
5. The method of interface authentication of claim 1, further comprising:
the service provider of the interface registers interface service on the authentication server to obtain the configuration identification;
The client applies for the call of the interface to the service provider through the authentication server;
and after the service provider authorizes the client to call the interface, the authentication server distributes the client token for the client.
6. An apparatus for interface authentication, comprising:
a sending module, configured so that, in a remote procedure call framework, a client that needs to call an interface sends a call request for calling a service interface to a server, wherein the call request comprises a client token, and the client token is allocated to the client by an authentication server;
The acquisition module is used for controlling the server to acquire the authorized client token of the interface from the authentication server according to the configuration identifier; specifically, the server side obtains an authorized client token of the interface from the authentication server through an authentication server filter based on the configuration identifier and the service token;
And the authentication module is used for controlling the server to authenticate the call request according to the client token in the call request and the authorized client token and feeding back an authentication result to the client.
7. A method of interface authentication, comprising:
receiving an authentication request sent by a server performing interface authentication, wherein the authentication request comprises a configuration identifier and a service token;
determining, according to the service token, that the server performing interface authentication passes authentication, and feeding back to the server performing interface authentication the authorized client token of the interface corresponding to the configuration identifier;
wherein receiving the authentication request sent by the server performing interface authentication comprises:
receiving, through an authentication server filter, the authentication request sent by the server performing interface authentication.
8. The method of interface authentication of claim 7, further comprising:
Receiving registration of a service provider of an interface and sending the configuration identification to the service provider of the interface;
And receiving a service application of a service provider of an interface, and sending the service token to the service provider of the interface.
9. The method of interface authentication of claim 7, further comprising:
Receiving a service application of a client needing to call an interface, and sending an approval message to a service provider of the interface;
And receiving an approval passing message sent by a service provider of the interface, and feeding back a client token of the interface corresponding to the configuration identifier to the client terminal needing to call the interface, wherein the client token belongs to the authorized client token.
10. An apparatus for interface authentication, comprising:
a receiving module, configured to receive an authentication request sent by a server performing interface authentication, wherein the authentication request comprises a configuration identifier and a service token;
and an authentication module, configured to determine, according to the service token, that the server performing interface authentication passes authentication, and to feed back to the server performing interface authentication the authorized client token of the interface corresponding to the configuration identifier.
11. An electronic device for interface authentication, comprising:
one or more processors;
storage means for storing one or more programs,
When executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-5 and 7-9.
12. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any of claims 1-5 and 7-9.
CN202010612703.5A 2020-06-30 2020-06-30 Method, device, equipment and computer-readable medium for interface authentication Active CN113760395B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010612703.5A CN113760395B (en) 2020-06-30 2020-06-30 Method, device, equipment and computer-readable medium for interface authentication

Publications (2)

Publication Number Publication Date
CN113760395A CN113760395A (en) 2021-12-07
CN113760395B true CN113760395B (en) 2025-02-21

Family

ID=78785420

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010612703.5A Active CN113760395B (en) 2020-06-30 2020-06-30 Method, device, equipment and computer-readable medium for interface authentication

Country Status (1)

Country Link
CN (1) CN113760395B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109756337A (en) * 2017-11-06 2019-05-14 北京京东尚科信息技术有限公司 A kind of safety access method and device of service interface

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6732171B2 (en) * 2002-05-31 2004-05-04 Lefthand Networks, Inc. Distributed network storage system with virtualization
CN102378170B (en) * 2010-08-27 2014-12-10 中国移动通信有限公司 Method, device and system of authentication and service calling
CN107689870B (en) * 2017-08-29 2021-02-02 杭州绿湾网络科技有限公司 Client authentication method and system
US10715564B2 (en) * 2018-01-29 2020-07-14 Oracle International Corporation Dynamic client registration for an identity cloud service
CN109462595A (en) * 2018-11-29 2019-03-12 甘肃万维信息科技有限责任公司 Data-interface secure exchange method based on RestFul

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant