I have integrated with a lot of open platforms recently; the open platforms of e-commerce sites such as Taobao have been integrated with many times over.
Although there is nothing technically deep about integrating with the major open platforms, we still have to learn something from it rather than integrate in vain! After several days of sorting it out, I have a rough routine for open platform interface design in mind, so I have organized it into an article, so that it is at hand whenever I need to implement my own open platform interface.
Several points that open platforms are more concerned about:
- Ease of use: the interface design should be concise and the request parameters self-explanatory, so that service providers can integrate quickly and provide services to users
- Security: the open platform interface is exposed to the public network, so the security of user data must be guaranteed
- Stability: the open platform interface is used by upstream service providers, so it must reliably keep serving service provider applications
- ...
Service Provider Application
The open platform can be divided into several parts:
- Access guide: helps service providers access the open platform
- Interface documentation: helps the service providers' developers implement business functions
- Application: the identity of the service provider's application on the open platform
The first step for a service provider to access an open platform is to create an application. With the service provider's application, the platform can identify the service provider, which makes rate limiting and permission control very convenient.
Basic attributes
Service provider applications generally have three basic attributes: appid, appsecret, and authorization callback address:
- appid: the unique identifier of the service provider application
- appsecret: used when signing requests and verifying the identity of the service provider's application
- Authorization callback address: used during authorization
Authorization and authentication
Authorization here does not mean the open platform authorizing the service provider's application; it means a customer (user) of the open platform authorizing the service provider's application, such as an ERP application. That is, a Taobao store merchant authorizes the application so that it can pull the store's orders and complete order fulfillment.
So authorization requires three roles to complete:
- Open platform: provides an authorization page that guides the customer through authorizing the service provider application; after the customer completes the authorization, redirects to the authorization callback address provided by the service provider application, carrying the authorization information
- Customer: completes the authorization of the service provider application on the authorization page provided by the open platform
- Service provider application: receives the authorization information callback from the open platform, establishes the binding between the service provider application and the customer, and saves the authorization information
Of course, you can also use appid + appsecret to authenticate the service provider's application directly. This is suitable when there is no third party: the data belongs to the open platform itself and has no relation to any customer, so customer authorization is not required.
OAuth2 authorization mechanism
OAuth2 is a set of authorization standards, and the Internet now basically uses it for authorization; for example, GitHub login and authorization are all built on OAuth2. If you don't understand OAuth2, you can refer to my previous article: takes you to understand the integration of OAuth2 protocol and Spring Security OAuth2!
Request parameters
Request parameters are divided into two categories: system parameters and business parameters:
- System parameters: parameters that must be carried in every API call
- Business parameters: parameters defined by the open platform for each individual service
Business parameters are determined by the business. System parameters generally include:
- appid: the unique identifier of the service provider application
- appsecret: service provider application secret
- timestamp: timestamp
- sign: request signature
System parameters are passed as URL parameters.
Business parameters
Business parameters are the request parameters passed when an open platform interface is called. For example, in an order query interface, if you want to query orders by order status, the order query interface needs to receive a status parameter, query the database, and then return the order data.
Common carriers of business parameters include application/json and application/x-www-form-urlencoded.
Business parameters are passed as POST request parameters, and they also participate in the signature; the signature is covered below.
Request signature
The purpose of signing the request is to prevent the data from being tampered with. Common digests such as md5 and sha can be used as the signature algorithm; in principle it is enough that both parties can generate and verify the signature. High-security applications such as Alipay use asymmetric cryptography: each party generates a private/public key pair, and the two parties exchange public keys for signature verification.
The method of generating signatures is up to you. Here is a common way of generating a signature:
sign = appsecret + appid + timestamp + business parameters (after sorting) + appsecret
Pseudo code (Java, using fastjson's JSON and commons-codec's DigestUtils):
import java.util.Map;
import java.util.TreeMap;
import com.alibaba.fastjson.JSON;
import org.apache.commons.codec.digest.DigestUtils;

String appid = "abcd";
String appsecret = "12345";
long timestamp = 948758686L;
// Sorted map: keys are ordered by their natural order, so both sides serialize identically
Map<String, Object> requestBody = new TreeMap<>();
requestBody.put("a", 1);
requestBody.put("b", 21);
requestBody.put("c", 2);
// Serialize to a JSON string
String jsonBody = JSON.toJSONString(requestBody);
String sign = DigestUtils.md5Hex(appsecret + appid + timestamp + jsonBody + appsecret);
Verification
The signature verification steps mirror signature generation; the pseudo code is as follows:
import java.util.Map;
import java.util.Objects;
import java.util.TreeMap;
import com.alibaba.fastjson.JSON;
import org.apache.commons.codec.digest.DigestUtils;

String appid = request.getParameter("appid");
String appsecret = request.getParameter("appsecret");
// getParameter returns a String; it is concatenated into the signed string as-is
String timestamp = request.getParameter("timestamp");
// Take the business parameters from the POST body (postBody: the raw JSON of the POST request)
// and copy them into a TreeMap so the keys are sorted the same way as on the caller's side
Map<String, Object> requestBody = new TreeMap<>(JSON.parseObject(postBody));
// Serialize to a JSON string
String jsonBody = JSON.toJSONString(requestBody);
String sign = DigestUtils.md5Hex(appsecret + appid + timestamp + jsonBody + appsecret);
String originSign = request.getParameter("sign");
if (Objects.equals(sign, originSign)) {
    // signature verified
} else {
    // signature verification failed
}
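The following is an added, self-contained example that puts the request parameter layout and the signature generation and verification described above into one runnable program. It is not the article's code. It uses only the JDK: the JSON serialization is a hand-rolled encoder for a flat map of strings (enough to make both sides produce byte-identical output), the platform keeps its own appid to appsecret table instead of reading the secret from the request, a timestamp window of 300 seconds is an assumed policy value, and the "order.query" call and the "abcd"/"12345" credentials are constructed sample data. It deliberately leaves appsecret out of the URL: the platform can look it up by appid, and the signature exists so that the secret never has to travel with the request. The comparison uses MessageDigest.isEqual so that the check takes the same time regardless of how many leading characters match, and a tampered body and a replayed request are both shown being rejected.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.TreeMap;

public class OpenApiSignature {

    // Clock skew tolerated between caller and platform, in seconds (assumed policy value).
    static final long TIMESTAMP_WINDOW_SECONDS = 300;

    // Platform-side registry of service provider applications (constructed sample data).
    static final Map<String, String> APP_SECRETS = Map.of("abcd", "12345");

    // Minimal JSON encoder for a flat map of strings. TreeMap orders the keys, so caller
    // and platform serialize the business parameters identically without a JSON library.
    static String canonicalJson(Map<String, String> business) {
        StringBuilder sb = new StringBuilder("{");
        for (Map.Entry<String, String> e : new TreeMap<>(business).entrySet()) {
            if (sb.length() > 1) sb.append(',');
            sb.append('"').append(e.getKey()).append("\":\"").append(e.getValue()).append('"');
        }
        return sb.append('}').toString();
    }

    static String md5Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Caller side: md5(appsecret + appid + timestamp + sorted business params + appsecret).
    static String sign(String appid, String appsecret, long timestamp, Map<String, String> business) {
        return md5Hex(appsecret + appid + timestamp + canonicalJson(business) + appsecret);
    }

    // Platform side: returns null when the request is acceptable, otherwise the reason.
    static String verify(String appid, long timestamp, String sign, Map<String, String> business, long now) {
        String appsecret = APP_SECRETS.get(appid);
        if (appsecret == null) return "unknown appid";
        if (Math.abs(now - timestamp) > TIMESTAMP_WINDOW_SECONDS) return "timestamp outside window";
        String expected = sign(appid, appsecret, timestamp, business);
        // Constant-time comparison: the check does not leak how many leading bytes matched.
        boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                           sign.getBytes(StandardCharsets.UTF_8));
        return ok ? null : "signature mismatch";
    }

    public static void main(String[] args) {
        long now = 948758686L;
        // Business parameters travel in the POST body; system parameters travel in the URL.
        Map<String, String> body = new TreeMap<>(Map.of("status", "PAID", "page", "1"));
        String sign = sign("abcd", "12345", now, body);
        System.out.println("POST /api/order.query?appid=abcd&timestamp=" + now + "&sign=" + sign);
        System.out.println("body: " + canonicalJson(body));

        System.out.println("valid request  -> " + verify("abcd", now, sign, body, now));
        Map<String, String> tampered = new TreeMap<>(body);
        tampered.put("status", "SHIPPED");
        System.out.println("tampered body  -> " + verify("abcd", now, sign, tampered, now));
        System.out.println("replayed later -> " + verify("abcd", now, sign, body, now + 3600));
    }
}
```

Compile and run with `javac OpenApiSignature.java && java OpenApiSignature` (Java 9 or later for Map.of). The first verify call prints null, the tampered body fails with "signature mismatch" because the sorted JSON no longer matches what was signed, and the replayed request fails on the timestamp window even though its signature is still valid.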
Summary
The above are some ideas for the design of open platform interfaces. In fact, I have integrated with many more open platforms; the basic routines for integrating with them are summarized here, and I hope they will come in handy one day.
There are many problems when integrating with open platforms. Some platforms provide an SDK and some expose a REST API directly; platforms with an SDK are much more pleasant to integrate with. I will cover the design of a complete platform SDK in the next issue.
Under the stage name Shocking Ba Ge (Shocking Bug), a Java programmer who likes to make bugs is currently preparing for his debut. . . Remember to give me a like and some encouragement!