Author: Yao Bo, Xianyu Technology

Background

A user identity and rights system (also called a membership rights system) is standard in almost every mature app. By granting users identities (memberships, levels) it gives different users different levels of product permissions, which makes it an important tool for user operation and commercialization. At the same time, an identity is an important mark that distinguishes key user attributes such as influence and quality (for example, the "Big V" accounts of Weibo), and it plays a key role in both e-commerce and social products. This article takes the user identity and rights system of the Xianyu app as an example and, from the perspective of technical implementation, introduces how to design an identity and rights system with good extensibility.

Problems and Challenges

• [Identity rights management] In common identity rights management scenarios a user can hold several identities at once; different identities may carry overlapping rights; the same right may differ in content (for example, in quantity) between identities; and repeated rights need to be merged. How to abstract the concepts of identity and right is the core problem the whole system has to solve.
• [Identity disclosure] Once a user has obtained an identity, both a Big-V badge and a membership level are expected to be displayed in the app so that the identity registers with other users. Different identities may share the same label (for example, regional Xianyu sellers and hobby experts both carry a V mark), and the same identity may carry different personalized content (example: …). How to manage the disclosure of user identity uniformly across the whole app link is another problem the identity rights system has to solve.
• [Identity conferment] Different products confer identities in different ways; common ones are paid purchase, points upgrade, certification and operator whitelisting. The conferment process often adds upgrade routes (a level system, etc.), and one product usually offers several ways at the same time. How to support multiple conferment methods, and how to support extending them to new identities, is also an important technical problem.

This article takes the Xianyu rights system as its example and gives a detailed introduction to the definition of identities and rights, the management of identity rights, and identity disclosure. At the same time, taking the Xianyu user certification process as an example, it introduces how to decouple identity management from identity granting, and how to keep the identity-granting process extensible.

Technical implementation

Concept definitions

• An identity is an identity token granted to a user once certain access conditions are met. Technically, an identity is a record or system label associated with the user.
• A right (equity) is the privilege a user obtains in an existing business by virtue of holding an identity. We represent a right as a key-value pair: the key identifies the right and the value is its content, which can be a number, a Boolean, a text with placeholders, and so on. The provider of the right delivers the concrete privilege according to that value.
• A display label (transparent label) is a displayable descriptor of a user, derived from an identity's disclosure right, which client and front-end pages render to make the identity visible. The description can be a text, an image URL, a set of elements the client recognizes, and so on; the client renders from the content of the label.
• Certification (authentication) is an application a user initiates in the hope of obtaining an identity; once it passes, the identity is granted. Technically, a certification is a certification record containing the certification status and the associated information (submitted forms, audit results, etc.).

Note: certification is one way to obtain an identity; this article uses the certification process as its example of an identity-granting process. Note also that in our design the disclosure of an identity is itself modelled as a right.

System decomposition

The corresponding system is split into three independent modules: the identity rights service, the user label service and the certification service (the certification service stands in for the identity-granting module). The functions and boundaries of the three systems are defined as follows:

• [Identity rights service]: manages users' identities and the relationship between identities and rights. Operators configure the rights corresponding to each identity through the system, and the system calculates and merges the rights a user holds.
• [User label service]: delivers users' display labels to the whole app link, based on their rights, personalized data and other external services. Every scene in the link can query, under its own rules, the labels it is able to render; the label system lets different rules be customized, so each scene subscribes and extends as it needs.
• [Certification service]: manages users' certification process. Users submit applications through the certification service; the system checks access conditions and the submitted forms, forwards the forms to operations for audit, and processes the audit results. After a successful certification the identity is written through the identity rights service interface. Points, whitelists and user rating systems can all be connected in the same way.

Based on this design, a user obtains an identity through the certification service; the party that provides a right queries the identity rights service for the user's corresponding rights; and the user label service, backed by those rights, renders the user's identity on the app side so that the identity becomes visible. Together the three modules cover the user's path from certification to display. The following describes how each system is implemented.

[Identity rights service] implementation

The identity rights service is built on the identity rights configuration and the user label system (the Group's user label service, UIC). We write the identity-to-rights configuration into an identity rights configuration table and, after editing, publish it through the configuration centre into the memory of every server. On the other side, the certification process, whitelists and similar services write identities into the UIC label system through the identity service interface. The label system is the user-label management system implemented by the Group; backed by a cache, it can quickly answer whether a user has a given label, so an identity is represented by a label (without a label system, a database plus cache serves the same purpose). When a rights provider queries a user's rights, we quickly read all of the user's identities from the label system, apply the in-memory identity-to-rights configuration through an identity-to-rights calculation function (input: the identities and the rights configuration schema; output: the rights), merge and de-duplicate the results (the merge rule depends on the right's configuration, for example logical OR, maximum value or string concatenation), and return the calculated rights to the provider.
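The identity-to-rights calculation and merge step described above, as an added example that is not Xianyu's code: the rights schema, the identity names and the per-identity values are constructed sample data, and the three merge rules are the ones the text names (logical OR, maximum, string concatenation).

```python
from enum import Enum
from typing import Any, Dict, Iterable

class Merge(Enum):  # how duplicates of one right across several identities are merged
    OR = "or"          # Boolean right: any identity granting it wins
    MAX = "max"        # numeric right: the largest value wins
    CONCAT = "concat"  # text right: distinct pieces are joined

# Rights configuration as an operator would edit it, pushed into every server's memory by
# the configuration centre. Constructed sample data, not Xianyu's real configuration.
RIGHT_SCHEMA: Dict[str, Merge] = {
    "free_shipping": Merge.OR,
    "daily_bump_quota": Merge.MAX,
    "badge_text": Merge.CONCAT,  # identity disclosure is itself a right (see the note above)
}
IDENTITY_RIGHTS: Dict[str, Dict[str, Any]] = {
    "regional_seller": {"free_shipping": True, "daily_bump_quota": 3, "badge_text": "V"},
    "gold_member": {"daily_bump_quota": 5, "badge_text": "Gold"},
    "certified_expert": {"free_shipping": False, "badge_text": "V"},
}

def calculate_rights(identities: Iterable[str],
                     identity_rights: Dict[str, Dict[str, Any]] = IDENTITY_RIGHTS,
                     schema: Dict[str, Merge] = RIGHT_SCHEMA) -> Dict[str, Any]:
    """Identity-to-rights calculation: input the user's identities (as read from the label
    system) and the configuration, output one merged, de-duplicated key-value rights map."""
    merged: Dict[str, Any] = {}
    for identity in identities:
        for key, value in identity_rights.get(identity, {}).items():
            rule = schema.get(key)
            if rule is None:
                continue  # not in the schema: never hand out an unconfigured privilege
            if key not in merged:
                merged[key] = value
            elif rule is Merge.OR:
                merged[key] = bool(merged[key]) or bool(value)
            elif rule is Merge.MAX:
                merged[key] = max(merged[key], value)
            elif rule is Merge.CONCAT and value not in merged[key].split("/"):
                merged[key] = f"{merged[key]}/{value}"  # identical text is kept only once
    return merged
```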

[User label service] implementation

The user label service implements label disclosure at the user level. It returns the labels a user should reveal, based on the identity rights service, the user's personalized data, external services and so on; a label description can be a picture URL, a text, a complex structure, etc. The service supports customization by rule id: the combination of labels to be disclosed is defined per rule id, and each scene subscribes to the rule ids that fit the labels it needs to display.
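The rule-id subscription model, as an added example rather than the service's own code: each rule combines label sources that read from the merged rights map, personalized profile data and pre-fetched external data, and scenes subscribe by rule id. The label shapes, source functions and rule ids are constructed for this example.

```python
from typing import Any, Callable, Dict, List

# A label is a displayable descriptor; the client renders it from its "type" field
# (text, image URL or a structured element set). Shapes are constructed for this example.
Label = Dict[str, Any]
LabelSource = Callable[[Dict[str, Any]], List[Label]]  # user context -> labels

def badge_from_rights(ctx: Dict[str, Any]) -> List[Label]:
    # identity disclosure is itself a right: "badge_text" comes from the merged rights map
    text = ctx["rights"].get("badge_text")
    return [{"type": "text", "key": "badge", "value": text}] if text else []

def frame_from_profile(ctx: Dict[str, Any]) -> List[Label]:
    url = ctx["profile"].get("avatar_frame_url")  # the user's personalized data
    return [{"type": "image", "key": "avatar_frame", "url": url}] if url else []

def credit_from_external(ctx: Dict[str, Any]) -> List[Label]:
    score = ctx["external"].get("credit_score")  # value fetched from an external service
    if score is None:
        return []
    level = "high" if score >= 700 else "normal"
    return [{"type": "struct", "key": "credit", "elements": {"score": score, "level": level}}]

class UserLabelService:
    def __init__(self) -> None:
        self.rules: Dict[str, List[LabelSource]] = {}
    def define_rule(self, rule_id: str, *sources: LabelSource) -> None:
        """A rule is a combination of label sources; scenes subscribe to it by rule id."""
        self.rules[rule_id] = list(sources)
    def labels_for(self, rule_id: str, ctx: Dict[str, Any]) -> List[Label]:
        labels: List[Label] = []
        for source in self.rules.get(rule_id, []):  # unknown rule id: nothing is rendered
            labels.extend(source(ctx))
        return labels

# Two constructed scene subscriptions; adding a scene never touches the label sources.
service = UserLabelService()
service.define_rule("item_detail_seller_card", badge_from_rights, credit_from_external)
service.define_rule("chat_header", badge_from_rights, frame_from_profile)
```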

[Certification service] implementation

The certification service defines a standard certification process so that certification status is managed in a unified way, while the services behind different certification processes plug in through extension interfaces; the process is standardized and its content stays extensible. The certification process is divided into three stages: certification query, form submission and audit result processing. Throughout the process the system maintains four states: uncertified, under audit, audit passed and audit rejected. Every certification process shares the same state flow, which the certification service drives uniformly. The differences are confined to three places: in the query stage, different processes have different access conditions; in form submission, different processes have different form fields and validation requirements; and in result processing, different processes handle audit results differently. The certification process therefore exposes three extension interfaces: the first decides the access conditions and drives form rendering, the second validates the user's form and generates the audit data form, and the third processes the audit result. Connecting a new certification process to our certification service only requires implementing these three interfaces.
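The unified state flow with the three extension interfaces, as an added example that is not Xianyu's implementation: the state names, the hypothetical `ExpertCert` process, its access rule and form fields, and the injected `grant` callable standing in for the identity rights service interface are all assumptions.

```python
from abc import ABC, abstractmethod
from enum import Enum
from typing import Dict, List, Tuple

class State(Enum):  # the four states the service keeps; the names are assumed
    UNCERTIFIED = "uncertified"
    UNDER_REVIEW = "under_review"
    PASSED = "passed"
    REJECTED = "rejected"
class CertProcess(ABC):  # the three extension interfaces a new certification type implements
    @abstractmethod
    def check_access(self, user: dict) -> Tuple[bool, List[str]]: ...  # 1: eligibility + form fields
    @abstractmethod
    def validate_form(self, form: dict) -> Tuple[List[str], dict]: ...  # 2: errors + audit data form
    @abstractmethod
    def on_audit_result(self, user: dict, passed: bool, grant) -> None: ...  # 3: consume the result
class ExpertCert(CertProcess):  # hypothetical process granting a "certified_expert" identity
    name = "certified_expert"
    def check_access(self, user):
        ok = user.get("completed_orders", 0) >= 10 and self.name not in user["identities"]
        return ok, ["real_name", "expertise"]
    def validate_form(self, form):
        errors = [f"missing {f}" for f in ("real_name", "expertise") if not form.get(f)]
        return errors, ({} if errors else {"applicant": form["real_name"], "domain": form["expertise"]})
    def on_audit_result(self, user, passed, grant):
        if passed: grant(user, self.name)  # write the identity through the identity rights service
class CertificationService:  # owns the unified state flow; specifics go through CertProcess
    def __init__(self, grant):
        self.records: Dict[Tuple[str, str], dict] = {}  # (user id, process name) -> record
        self.grant = grant  # callable(user, identity): the label-system write, injected
    def query(self, proc: CertProcess, user: dict):
        rec = self.records.get((user["id"], proc.name))
        allowed, fields = proc.check_access(user)
        return (rec["state"] if rec else State.UNCERTIFIED), allowed, fields
    def submit(self, proc: CertProcess, user: dict, form: dict):
        state, allowed, _ = self.query(proc, user)
        if not allowed or state in (State.UNDER_REVIEW, State.PASSED):
            return state, ["not eligible"]  # unified gate, enforced before any extension code runs
        errors, audit_form = proc.validate_form(form)
        if errors:
            return state, errors
        self.records[(user["id"], proc.name)] = {"state": State.UNDER_REVIEW, "audit": audit_form}
        return State.UNDER_REVIEW, []
    def audit(self, proc: CertProcess, user: dict, passed: bool) -> State:
        rec = self.records[(user["id"], proc.name)]  # KeyError if nothing was ever submitted
        if rec["state"] is State.UNDER_REVIEW:  # a result is only applied to a pending record
            rec["state"] = State.PASSED if passed else State.REJECTED
            proc.on_audit_result(user, passed, self.grant)
        return rec["state"]
```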

Conclusion

Taking the implementation of Xianyu's identity rights system as an example, this article has introduced the concept definitions, module decomposition and technical implementation of an identity rights system, and, using the Xianyu certification process as an example, how identities granted through different channels are connected. We hope it offers some reference for the design of identity rights systems.