How to design interface authentication for third-party API docking?

One, foreword

When doing interface docking with the third party system, it is often necessary to consider the security of the interface. This paper mainly shares the authentication scheme of several common systems when doing interface docking.

Second, certification scheme

For example, the asynchronous scenario of connecting the logistics system through delayed tasks after placing an order belongs to the interaction between systems without user operation. So authentication requires not user credentials but system credentials, usually including app_id and app_secrect.

The app_id and app_secrect are provided by the interface provider

2.1. Baic certification

This is a relatively simple form of authentication, in which the client transmits the user name and password to the server in clear text (Base64 encoded format) for authentication.

For example, app_id = ZLT and app_secrect = ZLT, then base64 encode the ZLT: ZLT character, and finally pass the value as:

Authorization: Basic emx0OnpsdA==

Advantages of 2.1.1.

Simple and widely supported.

2.1.2. Shortcomings

Low security, need to cooperate with HTTPS to ensure the security of information transmission

1. Although the user name and password are Base64 encoded, they are easy to decode.
2. Cannot prevent replay attacks and man-in-the-middle attacks.

2.2. Token authentication

The client mode in OAuth2.0 is used for Token authentication. The process is shown in the following figure:

After obtaining the access_token through BASIC authentication, the service interface is requested through the token

Advantages of 2.2.1.

The security is improved compared to BAIC authentication, and the access_token is temporarily issued in place of the user name and password every time the interface is called to reduce the chance of leakage of credentials.

2.2.2. Shortcomings

There are still security issues with BAIC certification.

2.3. Dynamic signature

The following parameters need to be passed on each interface call:

• App_id application id
• Time The current timestamp
• Nonce random number
• Sign the signature

The sign signature is generated by MD5 encryption using the string appended app_secrect in the parameter app__id + time + nonce, and converted to uppercase.

If you want to implement tamper-proof parameters, you can simply use all the request parameters of the interface as the signature generation parameters

Advantages of 2.3.1.

Highest safety

1. The server uses the same way to generate the signature for comparison authentication without having to transmit it over the networkapp_secrect.
2. Can prevent man-in-the-middle attacks.
3. throughtimeParameter determines whether the time difference of the request is within a reasonable range and can be preventedReplay attack.
4. throughnonceThe idempotency of parameters was judged.

2.3.2. Shortcomings

Not suitable for use in front-end applications, the JS source code will expose the signature way with APP_SECRECT

Scan code concern has surprise!