
How to design interface authentication for third-party API integration?



1. Introduction

When integrating interfaces with third-party systems, the security of the interface usually has to be considered. This article shares several common authentication schemes for system-to-system interface integration.


2. Authentication schemes

Take, for example, an asynchronous scenario such as a delayed task pushing an order to a logistics system. This is an interaction between one system and another with no user operating, so what is needed is not a user's credentials but a system credential, typically consisting of an app_id and an app_secret.


app_id and app_secret are provided by the interface provider.


2.1. Basic authentication

This is a relatively simple authentication method. The client transmits the user name and password to the server essentially in plain text (only Base64 encoded) for authentication.


Add an Authorization key to the request header whose value is Basic followed by the Base64 encoding of username:password. For example, if app_id and app_secret are both zlt, the string zlt:zlt is Base64 encoded and the final header sent is:


Authorization: Basic emx0OnpsdA==

 

2.1.1. Advantages

Simple and widely supported.


2.1.2. Disadvantages

Security is low: it must be combined with HTTPS to protect the information in transit.


Although the username and password are Base64 encoded, Base64 is not encryption and they can be trivially decoded.

Does not prevent replay attacks or man-in-the-middle attacks.

 

2.2. Token authentication

The OAuth 2.0 client credentials mode is used to perform Token authentication; the procedure is shown below:


[Figure: OAuth 2.0 client credentials token flow]


After obtaining the access_token with Basic authentication against the token endpoint, the business interfaces are called with that token.
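The Basic header construction from 2.1 and the token step from 2.2, as an added Python example that is not code from the original article: the client builds Basic base64(app_id:app_secret) (for zlt/zlt this yields the emx0OnpsdA== shown above), the token endpoint verifies it and issues a random access_token, and the business interface then accepts only a known, unexpired Bearer token. The credential registry, the in-memory token store and the one-hour token lifetime are assumptions for the example.

```python
import base64
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample system credential, matching the zlt/zlt example above.
APP_ID = "zlt"
APP_SECRET = "zlt"
TOKEN_TTL_SECONDS = 3600  # assumed lifetime of an issued access_token

# Server-side state (assumed for the example): registered credentials and
# live tokens, token -> (app_id, expiry as epoch seconds).
_CREDENTIALS: Dict[str, str] = {APP_ID: APP_SECRET}
_TOKENS: Dict[str, Tuple[str, float]] = {}


def build_basic_header(app_id: str, app_secret: str) -> str:
    """Client side: Authorization value 'Basic base64(app_id:app_secret)'."""
    raw = f"{app_id}:{app_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def verify_basic_header(header: str) -> Optional[str]:
    """Server side: decode the header and return the app_id if the secret matches."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed Base64 or not UTF-8
    app_id, sep, app_secret = decoded.partition(":")
    expected = _CREDENTIALS.get(app_id)
    # compare_digest avoids leaking the secret through timing differences
    if not sep or expected is None or not hmac.compare_digest(expected, app_secret):
        return None
    return app_id


def issue_token(header: str, now: Optional[float] = None) -> Optional[str]:
    """Token endpoint: Basic credentials in, short-lived random access_token out."""
    app_id = verify_basic_header(header)
    if app_id is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, not derived from the secret
    _TOKENS[token] = (app_id, now + TOKEN_TTL_SECONDS)
    return token


def verify_bearer(header: str, now: Optional[float] = None) -> Optional[str]:
    """Business interface: accept 'Bearer <access_token>' only if known and unexpired."""
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer" or token not in _TOKENS:
        return None
    app_id, expiry = _TOKENS[token]
    now = time.time() if now is None else now
    if now >= expiry:
        del _TOKENS[token]  # expired tokens are forgotten, so they cannot be reused
        return None
    return app_id


if __name__ == "__main__":
    hdr = build_basic_header(APP_ID, APP_SECRET)
    print(hdr)  # Basic emx0OnpsdA==
    tok = issue_token(hdr)
    print("issued access_token:", tok)
    print("business call authenticated as:", verify_bearer(f"Bearer {tok}"))
```

The secret itself crosses the wire only once per token lifetime, which is the gain over plain Basic; the token endpoint still needs HTTPS, because anyone who can read that one request learns app_secret.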


2.2.1. Advantages

Security is improved relative to Basic authentication: each interface call uses a temporarily issued access_token instead of the username and password, which reduces the chance of the credentials leaking.


2.2.2. Disadvantages

The security problems of Basic authentication still apply, since the token is obtained with it.


2.3. Dynamic signature

The following parameters must be transmitted on every interface call:


app_id: application id

time: current timestamp

nonce: random number

sign: signature

 

The signature sign is generated as follows: concatenate app_id + time + nonce, append app_secret at the end, take the MD5 hash of the resulting string, and convert the result to uppercase.


If the parameters also need to be protected against tampering, simply include all request parameters of the interface among the inputs used to generate the signature.


2.3.1. Advantages

Highest security of the three schemes.


The server generates the signature with the same method and compares it to authenticate the request, so app_secret never has to be transmitted over the network.

Can prevent man-in-the-middle attacks.

Using the time parameter, the server checks whether the request's timestamp is within a reasonable range, which prevents replay attacks.

Using the nonce parameter, the server can make an idempotency check (reject a nonce it has already accepted).
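The dynamic signature scheme of 2.3 and the server-side checks listed above, as an added Python example that is not code from the original article: the client signs app_id + time + nonce + app_secret with uppercase MD5 as described, and the server recomputes the signature, enforces a time window, and rejects a nonce it has already accepted. The example goes slightly beyond the text by also appending the business parameters (as key=value, sorted by key) to the signed string, which is the tamper-proof variant mentioned above; with no business parameters the signed string is exactly app_id + time + nonce. The 300-second window, the nonce cache and the secret registry are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed sample credential issued by the interface provider (not a real one).
APP_ID = "zlt"
APP_SECRET = "zlt"
ALLOWED_SKEW_SECONDS = 300  # assumed "reasonable range" for the time check

# Server-side state (assumed): registered secrets, and nonces already accepted
# mapped to the moment they may be forgotten.
_SECRETS: Dict[str, str] = {APP_ID: APP_SECRET}
_SEEN_NONCES: Dict[str, float] = {}

PROTOCOL_KEYS = ("app_id", "time", "nonce", "sign")


def canonical_string(params: Dict[str, str]) -> str:
    """app_id + time + nonce, then every business parameter as key=value sorted by key."""
    base = params["app_id"] + params["time"] + params["nonce"]
    extras = "".join(f"{k}={params[k]}" for k in sorted(params) if k not in PROTOCOL_KEYS)
    return base + extras


def make_sign(params: Dict[str, str], app_secret: str) -> str:
    """sign = uppercase MD5 of canonical_string(params) + app_secret (article's rule)."""
    material = (canonical_string(params) + app_secret).encode("utf-8")
    return hashlib.md5(material).hexdigest().upper()


def sign_request(app_id: str, app_secret: str, business_params: Dict[str, str],
                 now: Optional[float] = None) -> Dict[str, str]:
    """Client side: attach app_id, time, nonce and sign to the business parameters."""
    params = dict(business_params)
    params["app_id"] = app_id
    params["time"] = str(int(time.time() if now is None else now))
    params["nonce"] = secrets.token_hex(16)
    params["sign"] = make_sign(params, app_secret)
    return params


def _forget_old_nonces(now: float) -> None:
    """Drop nonces whose requests the time check would reject anyway."""
    for nonce in [n for n, forget_at in _SEEN_NONCES.items() if forget_at <= now]:
        del _SEEN_NONCES[nonce]


def verify_request(params: Dict[str, str], now: Optional[float] = None) -> bool:
    """Server side: time window, nonce replay check, then signature comparison."""
    now = time.time() if now is None else now
    try:
        app_id, ts = params["app_id"], int(params["time"])
        nonce, sign = params["nonce"], params["sign"]
    except (KeyError, ValueError):
        return False
    secret = _SECRETS.get(app_id)
    if secret is None:
        return False
    # 1. time must be within the window: old captured requests are rejected
    if abs(now - ts) > ALLOWED_SKEW_SECONDS:
        return False
    # 2. nonce must not have been accepted before: replays inside the window are rejected
    _forget_old_nonces(now)
    if nonce in _SEEN_NONCES:
        return False
    # 3. recompute sign with the server's copy of the secret; constant-time compare
    if not hmac.compare_digest(make_sign(params, secret), sign):
        return False
    # record the nonce only after a valid signature, so unauthenticated callers
    # cannot fill the cache; keep it until the time check alone would reject it
    _SEEN_NONCES[nonce] = now + 2 * ALLOWED_SKEW_SECONDS
    return True


if __name__ == "__main__":
    req = sign_request(APP_ID, APP_SECRET, {"order_id": "A1001", "amount": "9.99"})
    print("request:", req)
    print("first delivery accepted:", verify_request(req))
    print("replayed delivery accepted:", verify_request(req))
```

MD5 is used here because that is what the article specifies; for a new design, a keyed hash such as HMAC-SHA256 over the same canonical string gives the same properties without relying on MD5, and the checks in verify_request stay identical.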

2.3.2. Disadvantages

Not suitable for front-end applications: the JavaScript source code would expose both the signing method and app_secret.

