1. Introduction
When integrating interfaces with third-party systems, the security of the interface usually has to be considered. This article shares several common authentication schemes for system-to-system interface integration.
2. Authentication schemes
For example, after an order is placed, a delayed task notifies the logistics system. This is an asynchronous scenario: the interaction is between one system and another, with no user involved. What is required for authentication is therefore not a user credential but a system credential, usually consisting of an app_id and an app_secret.
app_id and app_secret are issued by the interface provider.
2.1. Basic authentication
This is a relatively simple authentication method. The client sends the username and password to the server in the clear (Base64 encoded, not encrypted) for authentication.
The credential is carried in the Authorization header. Its value is the word Basic followed by the Base64 encoding of username:password. For example, if app_id and app_secret are both zlt, the string to encode is zlt:zlt, and the final header is:
Authorization: Basic emx0OnpsdA==
2.1.1. Advantages
Simple and widely supported.
2.1.2. Disadvantages
Security is low; it must be combined with HTTPS to protect the credential in transit.
- Although the username and password are Base64 encoded, they are trivially decoded.
- Cannot prevent replay attacks or man-in-the-middle attacks.
2.2. Token authentication
Use the OAuth 2.0 client credentials grant to obtain a token; the flow is shown below:
After obtaining the access_token using Basic authentication, call the business interface with the token.
2.2.1. Advantages
More secure than Basic authentication. Each time the interface is called, a temporarily issued access_token is used instead of the username and password, which reduces the chance of credential leakage.
2.2.2. Disadvantages
The security issues of Basic authentication remain, since the token is still obtained with it.
2.3. Dynamic signature
The following parameters need to be transmitted every time the interface is called:
- app_id application id
- time current timestamp
- nonce random number
- sign signature
The sign signature is generated as follows: concatenate app_id + time + nonce, append app_secret at the end, compute the MD5 hash of the resulting string, and convert the hex digest to uppercase.
If the parameters also need to be protected against tampering, simply include all request parameters of the interface as inputs to the signature.
2.3.1. Advantages
Highest security
- The server generates the signature with the same method and compares it, so app_secret is never transmitted over the network.
- Can prevent man-in-the-middle attacks.
- Using the time parameter to check that the request's time difference is within a reasonable range prevents replay attacks; the nonce parameter provides idempotence.
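The dynamic signature scheme above, written out as an added example (not code from the original article): the client derives sign from app_id + time + nonce (plus any business parameters, sorted by name, for the anti-tampering variant) and app_secret, and the server re-derives it, enforces the time window and rejects a reused nonce. The credential values, the 300-second window and the in-memory nonce cache are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

SIGNED_ORDER = ("app_id", "time", "nonce")  # the article's concatenation order

def make_sign(params: dict, app_secret: str) -> str:
    """MD5(app_id + time + nonce [+ other params sorted by name] + app_secret),
    uppercase hex. Including the other params is the anti-tampering variant."""
    extra = sorted(k for k in params if k not in SIGNED_ORDER and k != "sign")
    payload = "".join(str(params[k]) for k in (*SIGNED_ORDER, *extra)) + app_secret
    return hashlib.md5(payload.encode()).hexdigest().upper()

def build_request(app_id, app_secret, body=None, now=None):
    """Client side: attach app_id, time, nonce and sign to the request."""
    params = {"app_id": app_id, "nonce": secrets.token_hex(8),
              "time": int(time.time() if now is None else now)}
    params.update(body or {})
    params["sign"] = make_sign(params, app_secret)
    return params

class SignVerifier:  # server side: same derivation plus time and nonce checks
    def __init__(self, secrets_by_app_id, max_skew=300):
        self.secrets = secrets_by_app_id  # app_id -> app_secret lookup
        self.max_skew = max_skew          # accepted clock difference, seconds
        self.seen = {}                    # nonce -> expiry, replay cache

    def verify(self, params, now=None):
        now = time.time() if now is None else now
        secret = self.secrets.get(params.get("app_id"))
        if secret is None:
            return False, "unknown app_id"
        try:
            ts = int(params["time"])
        except (KeyError, ValueError):
            return False, "bad time"
        if abs(now - ts) > self.max_skew:
            return False, "stale request"
        self.seen = {n: e for n, e in self.seen.items() if e > now}  # expire
        nonce = str(params.get("nonce", ""))
        if not nonce or nonce in self.seen:
            return False, "replayed nonce"
        expected = make_sign(params, secret)
        if not hmac.compare_digest(expected, str(params.get("sign", ""))):
            return False, "bad signature"
        self.seen[nonce] = now + self.max_skew  # record only after a valid sign
        return True, "ok"
```

The nonce is recorded only after the signature checks out, so an unsigned request cannot fill the replay cache with nonces a legitimate client has yet to use.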
2.3.2. Disadvantages
Not suitable for front-end applications, because the JavaScript source would expose both the signing method and app_secret.