
Recently I have been integrating with a lot of open platforms; the open platforms of e-commerce sites such as Taobao have basically each been integrated several times.

Although there is no real technical depth in integrating with the major open platforms, we still ought to learn something from it rather than integrate in vain! After several days of sorting things out, I have a rough routine for open platform interface design in my head, so I am writing it up as an article for the day I need to implement an open platform interface of my own.

Several points that open platforms care about most:

  • Ease of use: the interface design should be concise and the request parameters self-explanatory, so that a service provider can integrate quickly and start serving users
  • Security: the open platform interface is exposed to the public network, so the security of user data must be guaranteed
  • Stability: the open platform interface is consumed by upstream service providers, so it must serve their applications reliably
  • ...

Service Provider Application

The open platform can be divided into several parts:

  1. Access guide: helps service providers connect to the open platform
  2. Interface documentation: helps the service provider's developers implement business functions
  3. Application: the identity of the service provider's application on the open platform

The first step for a service provider to access an open platform is to create an application. Once the service provider has an application on the platform, the platform can identify the service provider, which makes rate limiting and permission control straightforward.

Basic attributes

Service provider applications generally have three basic attributes: appid, appsecret, and authorization callback address:

  • appid: the unique identifier of the service provider application
  • appsecret: used when signing requests and verifying the identity of the service provider's application
  • Authorization callback address: used during authorization

Authorized authentication

Authorization here is not the open platform authorizing the service provider's application, but the open platform's customer (user) authorizing the service provider's application, such as an ERP application; that is, a Taobao store merchant authorizes the application so that it can pull the store's orders and complete order fulfillment.

(Figure: Taobao authorization page)

So authorization requires three roles to complete:

  • Open platform

    • Provides an authorization page that guides the customer through authorizing the service provider application
    • After the customer completes the authorization, redirects to the authorization callback address registered by the service provider application, carrying the authorization information
  • Customer: completes the authorization of the service provider application on the authorization page provided by the open platform
  • Service provider application: receives the authorization information from the open platform's callback, establishes the binding between the service provider application and the customer, and saves the authorization information

Of course, you can also use appid + appsecret to authenticate the service provider's application directly. This suits the case where there is no third party: the data belongs to the open platform itself and is unrelated to any customer, so no customer authorization is needed.
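The three-role exchange above, written out as an added example (this is not code from the original post and not any real platform's API). It models the open platform and the service provider application as two in-memory classes: the platform issues a single-use authorization code after the customer approves, redirects only to the callback address it has on record for the appid, and hands out an access token only when the application proves its identity with appsecret; the application's callback handler exchanges the code and stores the binding between itself and the customer. The class names, the `code` query parameter name and the sample appid/appsecret/callback values are assumptions constructed for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

public class AuthorizationFlow {

    // What the platform hands back on a successful code exchange: the token plus the customer it is bound to.
    static class TokenResponse {
        final String accessToken, customerId;
        TokenResponse(String t, String c) { accessToken = t; customerId = c; }
    }

    // Open platform side: a hypothetical in-memory model of the authorization server.
    static class OpenPlatform {
        static class App { final String secret, callbackUrl; App(String s, String c) { secret = s; callbackUrl = c; } }
        static class Grant { final String appid, customerId; boolean used; Grant(String a, String c) { appid = a; customerId = c; } }

        final Map<String, App> apps = new HashMap<>();           // appid -> registered application
        final Map<String, Grant> pendingCodes = new HashMap<>(); // authorization code -> grant
        final SecureRandom rng = new SecureRandom();

        String randomToken() {
            byte[] b = new byte[24];
            rng.nextBytes(b);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        }

        // Step 1: the customer approves the application on the platform's authorization page.
        // The platform issues a single-use code and redirects to the callback address it has on
        // record for the app, never to an address supplied in the request.
        String customerApproves(String appid, String customerId) {
            App app = apps.get(appid);
            if (app == null) throw new IllegalArgumentException("unknown appid");
            String code = randomToken();
            pendingCodes.put(code, new Grant(appid, customerId));
            return app.callbackUrl + "?code=" + code;
        }

        // Step 2: the application's backend exchanges the code for a token, proving its
        // identity with appsecret. A code is accepted once, and only for the app it was issued to.
        TokenResponse exchangeCode(String appid, String appsecret, String code) {
            App app = apps.get(appid);
            Grant g = pendingCodes.get(code);
            if (app == null || g == null) return null;
            if (!Objects.equals(app.secret, appsecret)) return null;
            if (!g.appid.equals(appid) || g.used) return null;
            g.used = true;
            return new TokenResponse(randomToken(), g.customerId);
        }
    }

    // Service provider application side (for example an ERP).
    static class ServiceProviderApp {
        final String appid, appsecret, callbackUrl;
        final Map<String, String> bindings = new HashMap<>(); // customerId -> access token
        ServiceProviderApp(String appid, String appsecret, String callbackUrl) {
            this.appid = appid; this.appsecret = appsecret; this.callbackUrl = callbackUrl;
        }

        // Step 3: the callback handler takes the code out of the redirect, exchanges it,
        // and records the binding between this application and the customer.
        boolean handleCallback(OpenPlatform platform, String redirectUrl) {
            String prefix = callbackUrl + "?code=";
            if (!redirectUrl.startsWith(prefix)) return false;
            TokenResponse resp = platform.exchangeCode(appid, appsecret, redirectUrl.substring(prefix.length()));
            if (resp == null) return false;
            bindings.put(resp.customerId, resp.accessToken);
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: one registered application and one merchant.
        OpenPlatform platform = new OpenPlatform();
        String callback = "https://erp.example.com/oauth/callback";
        platform.apps.put("abcd", new OpenPlatform.App("12345", callback));
        ServiceProviderApp erp = new ServiceProviderApp("abcd", "12345", callback);

        String redirect = platform.customerApproves("abcd", "merchant-42");
        System.out.println("first callback : " + erp.handleCallback(platform, redirect));
        System.out.println("replayed code  : " + erp.handleCallback(platform, redirect));
        System.out.println("bound customer : " + erp.bindings.containsKey("merchant-42"));
    }
}
```

Running `main` shows the first callback succeeding and the second, which reuses the same code, being rejected. The two checks that matter for the platform are that the redirect target comes from the application's registered callback address rather than from the request, and that a code is bound to one appid and consumed exactly once; a real implementation would also expire codes after a short interval.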

OAuth2 authorization mechanism

OAuth2 is an authorization standard that the Internet now basically uses for authorization; for example, GitHub login and authorization are applications of OAuth2.

If you don't understand OAuth2, you can refer to my previous article:

Take you to understand the integration of the OAuth2 protocol and Spring Security OAuth2!

(Figure: Authorization flow)

Request parameter

Request parameters are divided into two categories: system parameters, business parameters:

  • System parameters: parameters that must be carried in every API call
  • Business parameters: parameters defined by the open platform for each specific service

The business parameters depend on the business. The system parameters generally include:

  • appid: the unique identifier of the service provider application
  • appsecret: the service provider application's secret
  • timestamp: the request timestamp
  • sign: the request signature

System parameters are passed as URL (query string) parameters.

Business parameters

Business parameters are the request parameters passed when an open platform interface is called. For example, for an order query interface, if you want to query orders by order status, the order query interface needs to receive a status parameter and return the order data after querying the database.

Common carriers for business parameters are content types such as application/json and application/x-www-form-urlencoded.

Business parameters are passed as POST request parameters, and they also take part in the signature; the signature is covered below.

Request signature

The purpose of signing the request is to prevent the data from being tampered with. Common digests such as MD5 and SHA can serve as the signature algorithm; in principle it is enough that both parties can generate and verify signatures. High-security applications such as Alipay use asymmetric cryptography: each party generates a private/public key pair and they exchange public keys for signature verification.

The method of generating signatures is defined by yourself. Here is a common way of generating signatures:

sign = appsecret + appid + timestamp + business parameters (after sorting) + appsecret

Pseudo code:

import java.util.Map;
import java.util.TreeMap;
import com.alibaba.fastjson.JSON;                    // fastjson, as used in the original snippet
import org.apache.commons.codec.digest.DigestUtils;  // commons-codec

String appid = "abcd";
String appsecret = "12345";
long timestamp = 948758686L;
// ordered map, sorted by key, so both sides serialize the business parameters in the same order
Map<String, Object> requestBody = new TreeMap<>();
requestBody.put("a", 1);
requestBody.put("b", 21);
requestBody.put("c", 2);
// convert to a JSON string
String jsonBody = JSON.toJSONString(requestBody);
// sign = md5(appsecret + appid + timestamp + sorted business parameters + appsecret)
String sign = DigestUtils.md5Hex(appsecret + appid + timestamp + jsonBody + appsecret);

Verification

The signature verification steps mirror those for generating the signature; the pseudo code is as follows:

import java.util.Map;
import java.util.Objects;
import java.util.TreeMap;
import java.util.stream.Collectors;
import com.alibaba.fastjson.JSON;
import org.apache.commons.codec.digest.DigestUtils;

String appid = request.getParameter("appid");
String appsecret = request.getParameter("appsecret");
long timestamp = Long.parseLong(request.getParameter("timestamp"));
// read the POST body and load the business parameters into a TreeMap so they are sorted by key
String postBody = request.getReader().lines().collect(Collectors.joining());
Map<String, Object> requestBody = new TreeMap<>(JSON.parseObject(postBody));
// convert to a JSON string
String jsonBody = JSON.toJSONString(requestBody);
String sign = DigestUtils.md5Hex(appsecret + appid + timestamp + jsonBody + appsecret);
String originSign = request.getParameter("sign");
if (Objects.equals(sign, originSign)) {
  // signature verified
} else {
  // signature verification failed
}
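The signing scheme from the two snippets above (sign = md5(appsecret + appid + timestamp + sorted business parameters + appsecret), with system parameters in the URL and business parameters in the body) as a single added example with both the client and server sides; this is my code, not the post's, and not any platform's SDK. It differs from the post's verification snippet in three ways that a reviewer would ask for: the server looks appsecret up by appid instead of reading it from the request (the secret should never travel over the wire, since anyone holding it can forge signatures), it rejects requests whose timestamp is outside a freshness window so a captured request cannot simply be resent later, and it compares digests in constant time. The canonical JSON serializer, the application registry, the 300-second window and the sample appid/appsecret/body values are assumptions constructed for the example; a real deployment must make sure client and server produce byte-identical canonical text, which is why fastjson is replaced here by a small serializer whose output is fully specified.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;

public class OpenApiSignature {

    // Replay window: a signed request is accepted only if its timestamp (seconds) is this close to server time.
    static final long MAX_SKEW_SECONDS = 300;

    // Hypothetical server-side registry of applications: appid -> appsecret.
    // On a real platform this is a database lookup; the secret is never sent in the request.
    static final Map<String, String> APP_SECRETS = new HashMap<>();
    static {
        APP_SECRETS.put("abcd", "12345"); // constructed sample application
    }

    // Canonical JSON for a flat map: keys sorted via TreeMap, numbers/booleans bare, everything else quoted.
    // Client and server must produce byte-identical text here, otherwise signatures never match.
    static String canonicalJson(Map<String, Object> body) {
        TreeMap<String, Object> sorted = new TreeMap<>(body);
        StringBuilder sb = new StringBuilder("{");
        boolean first = true;
        for (Map.Entry<String, Object> e : sorted.entrySet()) {
            if (!first) sb.append(',');
            first = false;
            sb.append('"').append(e.getKey()).append("\":");
            Object v = e.getValue();
            if (v instanceof Number || v instanceof Boolean) {
                sb.append(v);
            } else {
                String s = String.valueOf(v).replace("\\", "\\\\").replace("\"", "\\\"");
                sb.append('"').append(s).append('"');
            }
        }
        return sb.append('}').toString();
    }

    static String md5Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }

    // Client side: sign = md5(appsecret + appid + timestamp + sorted business parameters + appsecret).
    static String sign(String appid, String appsecret, long timestamp, Map<String, Object> body) {
        return md5Hex(appsecret + appid + timestamp + canonicalJson(body) + appsecret);
    }

    // Server side: recompute the signature from the received system and business parameters and compare.
    static boolean verify(String appid, long timestamp, Map<String, Object> body, String receivedSign, long now) {
        String appsecret = APP_SECRETS.get(appid);
        if (appsecret == null) return false;                           // unknown application
        if (Math.abs(now - timestamp) > MAX_SKEW_SECONDS) return false; // stale or future-dated request
        if (receivedSign == null) return false;
        String expected = sign(appid, appsecret, timestamp, body);
        // Constant-time comparison so response timing does not reveal how many leading characters matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     receivedSign.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample request: business parameters inserted out of order on purpose.
        Map<String, Object> body = new HashMap<>();
        body.put("c", 2);
        body.put("a", 1);
        body.put("b", 21);
        long now = System.currentTimeMillis() / 1000;
        String signature = sign("abcd", "12345", now, body);
        System.out.println("canonical body : " + canonicalJson(body));
        System.out.println("valid request  : " + verify("abcd", now, body, signature, now));
        body.put("b", 22); // business parameter altered in transit
        System.out.println("after tampering: " + verify("abcd", now, body, signature, now));
        System.out.println("replayed later : " + verify("abcd", now, body, signature, now + 600));
    }
}
```

The freshness window only bounds how long a captured request stays usable; to reject a replay inside the window as well, add a nonce system parameter and keep the nonces seen during the window in a cache. The post's scheme binds the secret into the hash by concatenation; if you are free to choose, HMAC over the same canonical string is the standard construction for a shared-secret signature.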

Summary

The above are some ideas for open platform interface design. In fact, I have integrated with even more open platforms; the basic routines for integrating with them have been sorted out here, and I hope they will be useful one day.

There are many problems when integrating with open platforms. Some platforms provide SDKs and some expose a REST API directly. Platforms with SDKs are much more pleasant to integrate with. I will cover the design of a whole platform SDK in the next issue.

Under the stage name Shocking Ba Ge (Shocking Bug), a Java programmer who likes to make bugs, currently preparing for his debut... Remember to give me a like to encourage me!
