1. Foreword

When integrating interfaces with third-party systems, interface security has to be considered. This article shares several authentication schemes for system-to-system interface calls.

2. Authentication schemes

Take, for example, the asynchronous case where an order is placed and the logistics system is then called through a delayed task: this is a system-to-system interaction with no user involved. Authentication therefore relies not on user credentials but on system credentials, usually an app_id and an app_secret.

The app_id and app_secret are issued by the interface provider.

2.1. Basic authentication

This is a simple authentication method: the client sends the user name and password to the server in plain text (Base64-encoded).

Add a header whose key is Authorization and whose value starts with Basic. For example, with app_id zlt and app_secret zlt, Base64-encode the string zlt:zlt:

Authorization: Basic emx0OnpsdA==

2.1.1. Advantages

Simple and widely supported.

2.1.2. Shortcomings

Security is low; HTTPS is required to protect the credentials in transit.

  1. Although the user name and password are Base64-encoded, they are trivially decoded.
  2. Replay attacks and man-in-the-middle attacks are not prevented.

2.2. Token authentication

Token authentication uses the client credentials mode of OAuth 2.0; the process is as follows:

After obtaining an access_token using Basic authentication, the client uses that token to call the service interface.

2.2.1. Advantages

Security is improved over Basic authentication: each interface call carries a temporary access_token instead of the user name and password, which reduces the chance of credential leakage.

2.2.2. Shortcomings

The security issues of Basic authentication still apply, since the token is obtained that way.

2.3. Dynamic signature

The following parameters must be passed on every interface call:

  • app_id: the application id
  • time: the current timestamp
  • nonce: a random number
  • sign: the signature

The sign value is generated as follows: concatenate app_id + time + nonce, append app_secret at the end, compute the MD5 hash of the result and convert it to uppercase.

If the parameters must be tamper-proof, all request parameters of the interface are included in the signature input as well.
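The scheme above, as an added example (not code from the original article): the client computes sign = MD5(app_id + time + nonce + app_secret) over the business parameters as well, and the server recomputes it, bounds the timestamp and rejects reused nonces. The 300-second window, the sorted key=value encoding of business parameters and the sample credentials are assumptions; MD5 is used only because that is what the article describes.

```python
import hashlib
import hmac
import time
import uuid

# Credentials issued by the interface provider (constructed sample values)
APP_ID = "zlt"
APP_SECRET = "zlt"
TIME_WINDOW_SECONDS = 300  # assumed tolerance for request age / clock skew


def make_sign(app_id, ts, nonce, app_secret, params=None):
    """sign = MD5(app_id + time + nonce [+ sorted business params] + app_secret), uppercased."""
    material = f"{app_id}{ts}{nonce}"
    if params:
        # Include every business parameter so that changing any of them breaks the signature
        material += "".join(f"{k}={params[k]}" for k in sorted(params))
    material += app_secret
    return hashlib.md5(material.encode()).hexdigest().upper()


def build_request(params):
    """Client side: attach app_id, time, nonce and sign to the outgoing request."""
    ts = int(time.time())
    nonce = uuid.uuid4().hex
    return {**params, "app_id": APP_ID, "time": ts, "nonce": nonce,
            "sign": make_sign(APP_ID, ts, nonce, APP_SECRET, params)}


class Verifier:
    """Server side: recompute the signature, bound the timestamp, reject reused nonces."""

    def __init__(self, secrets, now=time.time):
        self.secrets = secrets      # app_id -> app_secret lookup; app_secret never leaves the server
        self.seen_nonces = set()    # in production: a TTL cache shared by all server instances
        self.now = now              # injectable clock, so expiry can be tested deterministically

    def verify(self, request):
        try:
            app_id, ts = request["app_id"], int(request["time"])
            nonce, sign = request["nonce"], request["sign"]
        except (KeyError, ValueError):
            return False
        secret = self.secrets.get(app_id)
        if secret is None or abs(self.now() - ts) > TIME_WINDOW_SECONDS:
            return False            # unknown app or stale/future timestamp (replay window)
        if nonce in self.seen_nonces:
            return False            # same nonce seen before: replayed request
        params = {k: v for k, v in request.items() if k not in ("app_id", "time", "nonce", "sign")}
        expected = make_sign(app_id, ts, nonce, secret, params)
        if not hmac.compare_digest(expected, sign):
            return False            # tampered parameters or wrong secret
        self.seen_nonces.add(nonce)  # only remember nonces of requests that verified
        return True
```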

2.3.1. Advantages

Highest security of the three:

  1. The server generates the signature with the same method and compares it, so app_secret never needs to be transmitted over the network.
  2. Prevents man-in-the-middle tampering.
  3. The time parameter lets the server check that the request timestamp lies within a reasonable window, which prevents replay attacks.
  4. The nonce parameter lets the server enforce idempotency by rejecting a nonce it has already seen.

2.3.2. Shortcomings

Not suitable for front-end applications: the JS source code would expose the signing method together with app_secret.