1. Introduction
When integrating with third-party systems it is usually necessary to consider the security of the interface. This article covers several common authentication schemes for system-to-system interface integration.
2. Authentication schemes
Take an asynchronous scenario such as a delayed task that pushes an order to the logistics system after the order has been placed. The interaction is between one system and another, with no user involved, so what is needed is not a user's credentials but system credentials, typically an app_id and an app_secret.
The app_id and app_secret are issued by the interface provider.
2.1. Basic authentication
This is a relatively simple authentication method. The client sends the user name and password to the server essentially in plain text (only Base64 encoded) for verification.
The client adds an Authorization header whose value is Basic followed by the Base64 encoding of username:password. For example, if both app_id and app_secret are zlt, the string zlt:zlt is Base64 encoded and the header sent is:
Authorization: Basic emx0OnpsdA==
2.1.1. Advantages
Simple and widely supported.
2.1.2. Disadvantages
Low security on its own; it must be combined with HTTPS so that the credentials are protected in transit.
Although the user name and password are Base64 encoded, anyone who captures the header can decode them trivially; Base64 is encoding, not encryption.
Does not prevent replay attacks or man-in-the-middle attacks: a captured header can be resent as-is.
2.2. Token authentication
Token authentication using the OAuth 2.0 client credentials grant proceeds as shown below:
(figure: token request using the client's credentials, followed by business calls carrying the token)
The client first obtains an access_token from the token endpoint using Basic authentication (app_id and app_secret), then calls the business interface with that token.
2.2.1. Advantages
Security is improved relative to Basic authentication: each business call carries a temporary access_token instead of the user name and password, so the long-lived credentials are sent far less often and have fewer chances to leak.
2.2.2. Disadvantages
The weaknesses of Basic authentication remain: the token request itself uses Basic credentials, and the bearer token, like them, travels in the clear and can be replayed unless HTTPS is used.
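The following Python is an added example (not code from the original article) showing both sides of sections 2.1 and 2.2: the client builds the Basic header, the token endpoint verifies it and issues a temporary access_token, and the business interface validates the token. It assumes an in-memory credential table holding the page's zlt/zlt pair, an in-memory token store keyed by the SHA-256 of the token, and a 3600-second token lifetime; all of these are illustrative choices. The decode_basic helper is there only to show how little effort an eavesdropper needs.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed credential store: app_id -> app_secret. The zlt/zlt pair is the
# page's own example; a real service would store a hash of the secret instead.
CLIENTS: Dict[str, str] = {"zlt": "zlt"}

TOKEN_TTL = 3600  # lifetime of an issued access_token in seconds (assumed value)

# In-memory token store, sha256(token) -> (app_id, expiry). Hypothetical; a real
# service would use a shared cache so that every instance can validate tokens.
_TOKENS: Dict[str, Tuple[str, float]] = {}


def basic_header(app_id: str, app_secret: str) -> str:
    """Client side: build the Authorization header for HTTP Basic authentication."""
    raw = f"{app_id}:{app_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header: str) -> str:
    """What an eavesdropper does with a captured header: Base64 is encoding, not encryption."""
    return base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")


def verify_basic(header: str) -> Optional[str]:
    """Server side: parse a Basic header; return the app_id if the secret matches, else None."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    app_id, sep, secret = decoded.partition(":")
    if not sep:
        return None
    expected = CLIENTS.get(app_id)
    if expected is None:
        return None
    # Constant-time comparison so response time does not leak how much of the secret matched.
    if not hmac.compare_digest(expected.encode("utf-8"), secret.encode("utf-8")):
        return None
    return app_id


def _token_key(token: str) -> str:
    # Store only a hash so that a leaked token table cannot be used directly.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(auth_header: str, now: Optional[float] = None) -> Optional[dict]:
    """Token endpoint (client credentials grant): Basic credentials in, temporary access_token out."""
    app_id = verify_basic(auth_header)
    if app_id is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    _TOKENS[_token_key(token)] = (app_id, now + TOKEN_TTL)
    return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def verify_bearer(auth_header: str, now: Optional[float] = None) -> Optional[str]:
    """Business interface: validate 'Authorization: Bearer <token>'; return the app_id, else None."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    key = _token_key(token)
    entry = _TOKENS.get(key)
    if entry is None:
        return None
    app_id, expiry = entry
    now = time.time() if now is None else now
    if now >= expiry:
        _TOKENS.pop(key, None)  # expired: drop it and reject the call
        return None
    return app_id


def client_flow(app_id: str, app_secret: str, now: Optional[float] = None) -> Optional[str]:
    """The whole exchange from the client's side: get a token, then call the business interface."""
    token_response = issue_token(basic_header(app_id, app_secret), now)
    if token_response is None:
        return None
    return verify_bearer(f"Bearer {token_response['access_token']}", now)
```

Note that nothing here protects the header or the token on the wire; both schemes rely on HTTPS for that, which is exactly the shared weakness the disadvantages above describe.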
2.3. Dynamic signature
The following parameters are sent on every interface call:
app_id: the application id
time: the current timestamp
nonce: a random number, unique per request
sign: the signature
The signature sign is produced by concatenating app_id + time + nonce, appending app_secret at the end, taking the MD5 of the resulting string, and converting the hex digest to uppercase.
To make the request parameters tamper-proof as well, include all of the interface's request parameters in the string that is signed.
2.3.1. Advantages
Highest security of the three schemes.
The server generates the signature with the same method and compares it with the one received; app_secret is never transmitted over the network.
A man in the middle cannot modify a signed request without invalidating the signature (it can still read the request, so HTTPS is still advisable when the payload is confidential).
The time parameter lets the server reject requests whose timestamp falls outside a reasonable window, which limits replay attacks.
The nonce parameter lets the server detect duplicates (an idempotency check), so a request captured within the time window cannot be replayed either.
2.3.2. Disadvantages
Not suitable for front-end applications: the JavaScript source would expose both the signing method and app_secret.
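The following Python is an added example (not code from the original article) of the dynamic signature scheme in section 2.3, with both the client's signing step and the server's verification: timestamp window, nonce replay cache, then signature comparison. It assumes the page's zlt/zlt credentials, a 300-second clock window, and, because the page does not fix a format for the business parameters, that they are joined as key=value pairs sorted by key; all three are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed credential store (the page's zlt/zlt example). The client holds a copy
# of its own app_secret; the secret itself is never sent on the wire.
CLIENTS: Dict[str, str] = {"zlt": "zlt"}
TIME_WINDOW = 300  # seconds a request's time may differ from server time (assumed value)
AUTH_FIELDS = ("app_id", "time", "nonce", "sign")


def canonical_params(params: Dict[str, str]) -> str:
    """Serialise the business parameters as key=value pairs sorted by key.
    The page does not fix this format; sorting is an assumed convention so that
    client and server build the same string whatever order the parameters arrive in."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params))


def make_sign(app_id: str, app_secret: str, ts: int, nonce: str, params: Dict[str, str]) -> str:
    """The page's scheme: MD5(app_id + time + nonce [+ all parameters] + app_secret), uppercase hex."""
    material = f"{app_id}{ts}{nonce}{canonical_params(params)}{app_secret}"
    return hashlib.md5(material.encode("utf-8")).hexdigest().upper()


def sign_request(app_id: str, app_secret: str, params: Dict[str, str],
                 now: Optional[float] = None) -> Dict[str, str]:
    """Client side: attach app_id, time, nonce and sign to the business parameters."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)  # 128-bit random nonce, fresh for every request
    signed = dict(params)
    signed.update(app_id=app_id, time=str(ts), nonce=nonce,
                  sign=make_sign(app_id, app_secret, ts, nonce, params))
    return signed


class SignatureVerifier:
    """Server side: timestamp window, nonce replay cache, then signature comparison."""

    def __init__(self, clients: Dict[str, str], window: int = TIME_WINDOW) -> None:
        self.clients = clients
        self.window = window
        self._seen: Dict[Tuple[str, str], float] = {}  # (app_id, nonce) -> last time it could be replayed

    def verify(self, request: Dict[str, str], now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            app_id, nonce, sign = request["app_id"], request["nonce"], request["sign"]
            ts = int(request["time"])
        except (KeyError, ValueError):
            return False, "missing or malformed auth parameter"
        secret = self.clients.get(app_id)
        if secret is None:
            return False, "unknown app_id"
        # 1. Clock window: an old capture cannot be replayed once the window has closed.
        if abs(now - ts) > self.window:
            return False, "time outside window"
        # 2. Nonce cache: inside the window each (app_id, nonce) is accepted exactly once.
        #    Entries live until ts + window, the last moment the timestamp check would pass.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}
        if (app_id, nonce) in self._seen:
            return False, "nonce replayed"
        # 3. Recompute over every business parameter so that any tampering breaks the signature.
        params = {k: v for k, v in request.items() if k not in AUTH_FIELDS}
        expected = make_sign(app_id, secret, ts, nonce, params)
        if not hmac.compare_digest(expected.encode("utf-8"), sign.encode("utf-8")):
            return False, "bad sign"
        self._seen[(app_id, nonce)] = ts + self.window
        return True, "ok"
```

Two points to notice. The nonce is only recorded after the signature checks out, so an attacker cannot burn a legitimate client's nonce with a forged request, and its expiry is tied to the request's own timestamp rather than to the server clock, which closes the gap that opens when a client's clock runs ahead. The MD5 construction is kept because it is what the page describes; for a new design, an HMAC with SHA-256 over the same inputs is the standard choice.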