
How to design interface authentication for third-party API docking?



1. Introduction

When integrating with third-party systems over an interface, the security of that interface usually has to be considered. This article shares several common authentication schemes for system-to-system interface integration.


2. Authentication schemes

Take an asynchronous scenario such as placing an order and then handing it to a logistics system through a delayed task. This is an interaction between one system and another, with no user operating anything; what is needed is therefore not a user's authentication credential but a system credential, which typically consists of an app_id and an app_secret.


The app_id and app_secret are issued by the interface provider.


2.1. Basic authentication

This is a relatively simple authentication method. The client sends the username and password to the server essentially in plain text (only Base64 encoded) for authentication.


Add an Authorization key to the request header whose value is Basic followed by the Base64 encoding of username:password. For example, if app_id and app_secret are both zlt, the string zlt:zlt is Base64 encoded and the header finally sent is:


Authorization: Basic emx0OnpsdA==


2.1.1. Advantages

Simple and widely supported.


2.1.2. Disadvantages

Security is low; it has to be combined with HTTPS to protect the information in transit.


Although the username and password are Base64 encoded, they can be decoded trivially.

It does not prevent replay attacks or man-in-the-middle attacks.

2.2. Token authentication

Token authentication is performed using the client credentials mode of OAuth 2.0; the flow is shown below:


(figure: OAuth 2.0 client credentials token authentication flow)


After obtaining the access_token with Basic authentication, the business interfaces are called with the token.


2.2.1. Advantages

Security is improved compared with Basic authentication: every interface call uses a temporarily issued access_token in place of the username and password, which reduces the chance of the credentials leaking.


2.2.2. Disadvantages

It still carries the security problems of Basic authentication, since the token itself is obtained that way.


2.3. Dynamic signature

The following parameters need to be transmitted every time the interface is called:


app_id: application id

time: current timestamp

nonce: random number

sign: signature

The sign is generated as follows: concatenate the parameters app_id + time + nonce, append app_secret at the end, compute the MD5 of the resulting string, and convert the hex digest to uppercase.


If the parameters also need to be protected against tampering, simply include all of the interface's request parameters as inputs when generating the signature.


2.3.1. Advantages

Highest security of the three schemes.


The server generates the signature with the same method and compares it with the one received, so app_secret never has to be transmitted over the network.

It can prevent man-in-the-middle attacks.

Using the time parameter, the server checks whether the request's timestamp falls within a reasonable window, which prevents replay attacks.

Using the nonce parameter, the server can perform idempotency checks.
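The following is an added example, not code from the original post: it implements the sign generation described above (MD5 of app_id + time + nonce + app_secret, uppercased) on the client side, and the server-side check that recomputes the signature, enforces a time window on the time parameter and rejects a reused nonce. The credentials, the 300-second window and the in-memory nonce set are constructed assumptions; time is taken to be a Unix timestamp in seconds.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials (assumption, not from the post).
APP_ID = "demo_app"
APP_SECRET = "demo_secret"


def make_sign(app_id: str, ts: int, nonce: str, app_secret: str) -> str:
    """sign = uppercase hex MD5 of app_id + time + nonce + app_secret."""
    raw = f"{app_id}{ts}{nonce}{app_secret}".encode("utf-8")
    return hashlib.md5(raw).hexdigest().upper()


def build_request(app_id: str, app_secret: str, ts: int) -> dict:
    """Client side: assemble the four parameters sent on every call."""
    nonce = secrets.token_hex(8)  # random, unpredictable nonce
    return {"app_id": app_id, "time": ts, "nonce": nonce,
            "sign": make_sign(app_id, ts, nonce, app_secret)}


class SignVerifier:
    """Server side: recompute the signature, check the time window, reject nonce reuse."""

    def __init__(self, secrets_by_app: dict, window_seconds: int = 300):
        self.secrets_by_app = secrets_by_app   # app_id -> app_secret (never sent on the wire)
        self.window = window_seconds
        self.seen_nonces = set()               # assumption: a TTL-backed store in production

    def verify(self, req: dict, now: int) -> tuple:
        secret = self.secrets_by_app.get(req.get("app_id"))
        if secret is None:
            return (False, "unknown app_id")
        # Replay protection: the timestamp must be close to server time.
        if abs(now - int(req["time"])) > self.window:
            return (False, "timestamp outside window")
        expected = make_sign(req["app_id"], int(req["time"]), req["nonce"], secret)
        # Constant-time comparison so the check leaks nothing via timing.
        if not hmac.compare_digest(expected, str(req["sign"])):
            return (False, "bad signature")
        # Idempotency / replay: a nonce may be accepted only once inside the window.
        if req["nonce"] in self.seen_nonces:
            return (False, "nonce already used")
        self.seen_nonces.add(req["nonce"])
        return (True, "ok")
```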

2.3.2. Disadvantages

Not suitable for front-end applications: the JS source code would expose both the signature method and app_secret.

