Recently I have been integrating with a lot of open platforms: Taobao, Jingdong, Kuaishou, Douyin and the other e-commerce platforms have basically all been connected. This is what a CRUD boy's work may look like!!

Although integrating with the major open platforms involves nothing technically deep, I still want to learn something from it so the work is not done in vain. After finishing these past few days, I have a rough routine for open platform interface design in mind, so I wrote it up as an article to make it easier to implement my own open platform interface when the need arises.

Open platform focuses on several points:

  • Ease of use: the interface design should be simple and request parameters should be self-explanatory, so that service providers can integrate quickly and provide services to users
  • Security: the open platform interface is exposed to the public network, so the security of user data must be ensured
  • Stability: the open platform interface is used by upstream service providers, so it must be stable enough to serve their applications

Service provider application

Open platforms can be divided into several parts:

  1. Access Guide: Help service providers access open platforms
  2. Interface documentation: Helps service provider developers implement business functions
  3. Application: Identity of service provider application on open platform

The first step for a service provider to access the open platform is to create an application. With the application, the open platform can identify the service provider, which makes rate limiting and permission control straightforward.

Basic attributes

Service provider applications generally have three basic attributes: AppID, AppSecret, and authorization callback address:

  • AppID: unique identifier of the service provider application
  • AppSecret: the service provider application's key, used for request signing and identity authentication
  • Authorization callback address: used during the authorization flow

Authorization and authentication

Authorization here does not mean the open platform authorizing the service provider application; it means the open platform's customers (users) authorizing the service provider application. Take an ERP application as an example: Taobao store merchants authorize the application so that it can obtain the store's orders and fulfil them.

So authorization requires three roles to complete:

  • Open platform
    • Provide an authorization page to guide customers to authorize service provider applications
    • After the customer completes authorization, redirect to the authorization callback address provided by the service provider, carrying the authorization information
  • Customer: Authorize service provider applications on the authorization page provided by the open platform
  • Service application: receives the authorization information called back by the open platform, completes the binding relationship between service application and customer, and saves authorization information

Of course, AppID + AppSecret can also be used directly to authenticate the service provider application. This suits the case where there is no third party: the data belongs to the open platform and has nothing to do with any customer, so customer authorization is not an issue.

OAuth2 authorization mechanism

OAuth2 is an authorization standard; nearly all authorization on the Internet today is built on it. GitHub login and WeChat official account authorization, for example, are both OAuth2 applications.

If you are not familiar with OAuth2, please refer to my previous articles:

OAuth2 protocol integration with Spring Security OAuth2

Request parameters

Request parameters fall into two categories: system parameters and service parameters:

  • System parameters: parameters that must be carried on every API call
  • Service parameters: parameters specific to each service provided by the open platform

Service parameters are determined by the service. System parameters generally include:

  • AppID: the unique id of the service provider application
  • AppSecret: the application key of the service provider
  • Timestamp: the request timestamp
  • Sign: the request signature

System parameters are passed as URL parameters.

Business parameters

Business parameters are the request parameters passed when a specific open platform interface is called. For example, an order query interface that supports querying by order status needs to receive a status parameter, look up the database and return the matching order data.

Business parameters are carried in the request body, e.g. as application/json or application/x-www-form-urlencoded.

Business parameters are passed as POST request parameters and also take part in the signature, which is described below.

Request signature

The purpose of the request signature is to prevent the data from being tampered with. Common digests such as MD5 or SHA can be used as the signature algorithm; in theory it only needs to be something both sides can generate and verify. Platforms with high security requirements, such as Alipay, use asymmetric cryptography: each side generates a key pair, then the two sides exchange public keys, which are used for verification.

The signature generation method is customized. Here is a common signature generation method:

Sign = AppSecret + APPID + TIMESTAMP + service parameter (sorted) + AppSecret

Pseudo code


import java.util.Map;
import java.util.TreeMap;
import com.alibaba.fastjson.JSON;                     // fastjson, as in the original JSON.toJSONString
import org.apache.commons.codec.digest.DigestUtils;  // commons-codec md5Hex

String appid = "abcd";
String appsecret = "12345";
long timestamp = 948758686L;
// TreeMap keeps entries ordered by key, so both sides serialize the same string
Map<String, Object> requestBody = new TreeMap<>();
requestBody.put("a", 1);
requestBody.put("b", 21);
requestBody.put("c", 2);
// Convert to a JSON string
String jsonBody = JSON.toJSONString(requestBody);
// sign = md5(AppSecret + AppID + timestamp + sorted business parameters + AppSecret)
String sign = DigestUtils.md5Hex(appsecret + appid + timestamp + jsonBody + appsecret);

Signature verification

The verification step mirrors signature generation; the pseudo code is as follows:


import java.util.Map;
import java.util.Objects;
import java.util.TreeMap;
import com.alibaba.fastjson.JSON;
import org.apache.commons.codec.digest.DigestUtils;

String appid = request.getParameter("appid");
String appsecret = request.getParameter("appsecret");
String timestamp = request.getParameter("timestamp");
// Read the POST body ("Post request Parameters" stands for the raw JSON body) and sort it into a TreeMap
Map<String, Object> requestBody = new TreeMap<>(JSON.parseObject("Post request Parameters"));
// Convert to a JSON string exactly as the client did
String jsonBody = JSON.toJSONString(requestBody);
String sign = DigestUtils.md5Hex(appsecret + appid + timestamp + jsonBody + appsecret);
String originSign = request.getParameter("sign");
if (Objects.equals(sign, originSign)) {
  // The signature was verified successfully
} else {
  // Failed to verify the signature
}
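The signing and verification steps above, written as one added example (not the article's code) using only the JDK. It swaps in an HMAC-SHA256 keyed with the AppSecret in place of the MD5 concatenation, and on the server side the secret is looked up by AppID rather than read from the request, a timestamp freshness window is enforced, and the comparison is constant-time; the class name, the in-memory secret store, the 300-second window and the sample credentials are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OpenApiSign {
    // Constructed sample credential; a real platform issues one AppSecret per application
    static final Map<String, String> SECRETS = Map.of("abcd", "12345");
    static final long MAX_SKEW_SECONDS = 300;   // assumed freshness window

    // Canonical string: appid, timestamp, then business params sorted by key (TreeMap order)
    static String canonical(String appid, long timestamp, Map<String, Object> body) {
        StringBuilder sb = new StringBuilder("appid=").append(appid)
                .append("&timestamp=").append(timestamp);
        new TreeMap<>(body).forEach((k, v) -> sb.append('&').append(k).append('=').append(v));
        return sb.toString();
    }

    // HMAC-SHA256 keyed with the AppSecret, swapped in for the article's MD5 concatenation
    static String sign(String appSecret, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(appSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(data.getBytes(StandardCharsets.UTF_8))) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Server side: the secret is looked up by appid and never read from the request;
    // stale timestamps are rejected and the signature comparison is constant-time
    static boolean verify(String appid, long timestamp, Map<String, Object> body,
                          String presentedSign, long nowSeconds) throws Exception {
        String appSecret = SECRETS.get(appid);
        if (appSecret == null) return false;                                   // unknown application
        if (Math.abs(nowSeconds - timestamp) > MAX_SKEW_SECONDS) return false; // outside freshness window
        String expected = sign(appSecret, canonical(appid, timestamp, body));
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presentedSign.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        Map<String, Object> body = new TreeMap<>();
        body.put("a", 1); body.put("b", 21); body.put("c", 2);
        String s = sign("12345", canonical("abcd", now, body));   // client side signs the request
        System.out.println("untouched request verifies: " + verify("abcd", now, body, s, now));
        body.put("a", 99);                                         // body modified after signing
        System.out.println("tampered request verifies:  " + verify("abcd", now, body, s, now));
    }
}
```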

Conclusion

The above are some thoughts on open platform interface design; really they are just the basic routines I collected while integrating with several open platforms, which I hope will come in useful some day.

Some platforms provide an SDK and some expose a REST API directly. Integrating with a platform that has an SDK is much more pleasant. Next time I will share the design of a complete platform SDK.

Under the stage name Jing Tianba Ge (Jing Tianba Bug), a Java programmer who likes making bugs, currently preparing to debut on the road… Please give me a thumbs up.