Definitions of terms
- Third-party application: the application requesting access; also called the client in this document.
- HTTP Service: the HTTP service provider.
- Resource Owner: the owner of the resource; in this document also called the login user.
- User Agent: the user agent, which here means the browser.
- Authorization Server: the server the service provider uses to process authentication.
- Resource Server: the server on which the service provider stores user-generated resources. It can be the same server as the authorization server or a different one.
Research and development background
As the number of enterprise application systems grows, information islands form easily when each system manages its own user data independently. This decentralized user management hinders the evolution of enterprise applications into platforms. Once an enterprise's Internet business reaches a certain scale, building a unified, standardized account management system becomes essential: it is an important piece of infrastructure that gives the enterprise's Internet cloud platform unified account management, identity authentication and user authorization, enables cross-system single sign-on (SSO) and third-party authorized login, and provides the necessary foundation for building an open platform and business ecosystem.
In a monolithic application system, the application is integrated as a whole. Permission checks are generally performed for every request by a permission interceptor; user information is cached in the session at login and read from that cache on subsequent accesses.
With the rise of RESTful APIs and microservices, token-based authentication has become common. A token differs from a session ID in that it is not merely a key: the token usually carries the user information itself, so identity can be verified by verifying the token.
Token-based authentication has the following advantages:
- Stateless server: the token mechanism does not need to store session information on the server, because the token itself contains all the user information.
- High performance: token verification does not need to query a database or a remote service for permission checks, which naturally improves performance.
- Support for mobile devices and cross-application calls: cookies cannot be used across domains, while tokens have no such restriction.
Research and development goal
Through a standard security authentication process, heterogeneous systems and cross-service calls can flexibly integrate specified functions or services under unified security authentication.
A typical token-based authentication process is as follows:
- The user enters the login information (or invokes the Token interface, passing in the user information) and sends it to the authentication service for authentication (the authentication service can be deployed together with or separately from the business server, depending on how the microservices are split).
- The authentication service verifies that the login information is correct and returns a Token (which generally contains basic user information, permission scope, validity period and similar information); the client stores the Token, for example in the Session or in a database.
- The client puts the Token in the HTTP request header and invokes the relevant API.
- The invoked microservice verifies the Token's permissions.
- The server returns the related resources and data.
Security authentication function point
- System authorization: the third-party application client obtains the Access Token (the resource access credential) from the authorization server using credential information such as the client code/security code and the resource owner's user name/password.
- Login authorization: the client uses the Access Token to access server resources. The resource server verifies the validity of the Token, the third-party application credentials, and the resource owner (User). It then reads the resource owner's identity (User) from the Token, loads the resource owner's permission items, and performs the login.
- Access authentication: a third-party application client accesses server resources. The system verifies the validity and permission information of the Access Token and that the Access Token is correct, after which the resource server returns the resource information.
- Credential renewal: when the Access Token (resource access credential) expires, its validity period is renewed.
Technical selection analysis
- System authorization adopts the password mode (resource owner password credentials) of the OAuth2 open authorization standard.
- Tokens use the JWT standard.
1. OAuth open authorization
Open Authorization (OAuth) defines a secure, open, and simple standard for user resource authorization: a third party can obtain authorized access to user resources without knowing the user's account and password.
There are four main ways of authorization:
- Authorization Code: the authorization code mode, used between client applications and server applications.
- Implicit (simplified) mode: used by mobile apps or web apps that run on the user's device, for example when WeChat is opened on the phone for authentication and authorization. Instead of going through the third-party application's server, the token is requested from the authentication server directly in the browser, skipping the "authorization code" step, hence the name. All steps are done in the browser, the token is visible to the user, and the client does not need to authenticate.
- Resource Owner Password Credentials: the password mode, used when applications are directly trusted (for example, all developed by the same company). In password mode, users provide their user name and password to the client, and the client uses this information to request authorization from the "service provider". In this mode the user must give their password to the client, but the client must not store the password.
- Client Credentials: the client credentials grant is used for application APIs in which the client authenticates to the service provider in its own name, not the user's. Strictly speaking, the client mode is not a problem the OAuth framework addresses: in this mode, users register directly with the client, and the client requests services from the "service provider" in its own name, so there is no authorization issue.
2. JSON Web Token (JWT)
JSON Web Token (JWT) is an open JSON-based standard (RFC 7519) for transferring claims between parties in a web application environment. The token is designed to be compact and secure, and is especially suited to single sign-on (SSO) scenarios across distributed sites. JWT claims are generally used to pass the authenticated user's identity between the identity provider and the service provider so that resources can be obtained from the resource server, and to carry additional claims required by other business logic. The token can also be used directly for authentication, or it can be encrypted.
Authentication process logic
1. System authorization
The third-party application client obtains the Access Token (the resource access credential) from the authorization server using credential information such as the client code/security code and the resource owner's user name/password.
System authorization grants Access Tokens to clients.
2. System authentication
The client uses the Access Token to access server resources. The resource server verifies the validity of the Token, the third-party application, and the resource owner (User). It then reads the resource owner's identity from the Token and loads the resource owner's permissions to perform the login.
The system verifies the validity and permission information of the Access Token and verifies that the Access Token is correct. The resource server then returns the resource information.
3. Credential renewal
When the Access Token (resource access credential) expires, the token's validity period must be renewed.
Interface design
1. Authorization credential
Obtain the authorization credential: verify the client identity and the resource owner identity, then issue the Token credential.
The client code/security code is generated after the third-party application has been registered and approved by the system.
2. Authorization credential renewal
Obtain the renewed authorization credential: verify the client identity information and the RefreshToken credential, then issue a new Token credential.
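An added worked example (not the document's own code) of the flow described in the JWT section and in the two interfaces above: the authorization server issues an HS256 JWT through the password grant, the resource server verifies signature and expiry, and the renewal interface consumes a single-use RefreshToken. The key, client code/security code, user, password salt and scope are constructed demo values.

```python
import base64, hashlib, hmac, json, secrets, time
def _pw_hash(pw: str) -> bytes:   # constructed fixed salt for the demo; use a per-user salt in practice
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"demo-salt", 100_000)
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

JWT_KEY = b"constructed-hmac-key-for-demo"   # constructed; load from a secret store in practice
CLIENTS = {"app1": "client-secret-1"}        # client code -> security code (constructed)
USERS = {"alice": _pw_hash("alice-pw")}      # user name -> password hash (constructed)
SCOPES = {"alice": ["order:read"]}           # permission items of each resource owner
REFRESH_STORE = {}                           # refresh token -> (client code, user name)

def jwt_sign(claims: dict) -> str:
    # HS256 JWT: base64url(header).base64url(payload).base64url(signature)
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def jwt_verify(token: str, now: float):
    # Resource-server check: three segments, signature recomputed and compared, exp in the future.
    if token.count(".") != 2:
        return None
    head, body, sig = token.split(".")
    want = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(want).encode(), sig.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims.get("exp", 0) > now else None

def _issue(client_id: str, user: str) -> dict:
    exp = int(time.time()) + 900   # 15-minute access token; permissions travel in "scope"
    access = jwt_sign({"sub": user, "aud": client_id, "scope": SCOPES.get(user, []), "exp": exp})
    refresh = secrets.token_urlsafe(32)
    REFRESH_STORE[refresh] = (client_id, user)
    return {"access_token": access, "refresh_token": refresh, "expires_in": 900}

def password_grant(client_id, client_secret, user, password):
    # Authorization credential interface: verify client code/security code, then user name/password.
    if (CLIENTS.get(client_id) != client_secret or user not in USERS
            or not hmac.compare_digest(USERS[user], _pw_hash(password))):
        return None
    return _issue(client_id, user)

def refresh_grant(client_id, client_secret, refresh_token):
    # Renewal interface: verify the client, consume the RefreshToken once, issue a fresh pair.
    owner = REFRESH_STORE.get(refresh_token)
    if CLIENTS.get(client_id) != client_secret or owner is None or owner[0] != client_id:
        return None
    return _issue(client_id, REFRESH_STORE.pop(refresh_token)[1])
```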