CN111865984A - Stateless authentication method for micro-service system - Google Patents


Info

Publication number
CN111865984A
Authority
CN
China
Prior art keywords
token
micro
service
stateless
jwt
Legal status
Pending
Application number
CN202010702725.0A
Other languages
Chinese (zh)
Inventor
桑成刚
耿鹏
Current Assignee
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd
Priority date
2020-07-21
Filing date
2020-07-21
Publication date
2020-10-30

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a stateless authentication method for a micro-service system, in the technical field of data authentication. The method comprises the steps of: obtaining a token for user authentication; sending the token to the micro-service gateway; the micro-service gateway performing unified authentication of the token and obtaining the user information; the micro-service gateway packaging the user information into a stateless JWT token based on the JWT protocol and forwarding it to the target micro-service; and the target micro-service verifying and parsing the JWT token based on the JWT protocol to obtain the user information, performing its business logic, and feeding the result back to the user, thereby completing the stateless authentication.

Description

Stateless authentication method for micro-service system
Technical Field
The invention discloses a stateless authentication method in the technical field of data authentication, and in particular a stateless authentication method for a micro-service system.
Background
Authentication of applications and services in existing micro-service systems mostly relies on the OAuth2 protocol, the JWT protocol, sessions and similar mechanisms. Stateful schemes, such as server-side sessions or opaque OAuth2 access tokens that must be looked up on the server, depend heavily on the server because the user information is stored there: as the number of users grows, the stored user information grows with it and the load on the server rises continuously. By contrast, the JWT protocol is stateless: the user information is not stored on the server but carried in the token string itself, and on every request the server only has to verify and parse the token according to the JWT rules to obtain the user information, so the load on the server does not grow with the user count. However, because a JWT is a long string, carrying it on every request tends to reduce performance and consume a large amount of bandwidth.
Disclosure of Invention
To address these problems of the prior art, the invention provides a stateless authentication method for a micro-service system that makes the authentication of each service in the system simple, flexible, efficient and reliable.
The specific scheme provided by the invention is as follows:
a stateless authentication method for a micro-service system: a token for authenticating the user is obtained;
the token is sent to the micro-service gateway, which performs unified authentication with the token and obtains the user information;
the micro-service gateway packages the user information into a stateless JWT token based on the JWT protocol and forwards it to the target micro-service; the target micro-service verifies and parses the JWT token based on the JWT protocol to obtain the user information, performs its business logic, and feeds the result back to the user, completing the stateless authentication.
In the stateless authentication method for the micro-service system, the token is sent to the micro-service gateway in an HTTP request, and the gateway obtains the user's session information according to an agreed session-sharing scheme.
In the stateless authentication method for the micro-service system, the micro-service gateway packages the user information based on the JWT protocol, computes an HMAC signature using the symmetric key of the target micro-service, and thereby produces a self-verifiable JWT token that is forwarded to the target micro-service.
In the stateless authentication method for the micro-service system, the symmetric JWT keys corresponding to all target micro-services are persisted in a database, so that the micro-service gateway manages the symmetric keys of all target micro-services centrally.
A stateless authentication system for a micro-service system comprises an acquisition module, a transfer module and a verification and parsing module:
the acquisition module obtains a token for user authentication and sends it to the micro-service gateway, so that the gateway performs unified authentication with the token and obtains the user information;
the transfer module packages the user information into a stateless JWT token through the micro-service gateway based on the JWT protocol and forwards it to the target micro-service; the verification and parsing module verifies and parses the JWT token at the target micro-service based on the JWT protocol to obtain the user information, and after the target micro-service performs its business logic the result is fed back to the user, completing the stateless authentication.
In the stateless authentication system for the micro-service system, the acquisition module sends the token to the micro-service gateway in an HTTP request, so that the gateway obtains the user's session information according to an agreed session-sharing scheme.
In the stateless authentication system for the micro-service system, the transfer module packages the user information through the micro-service gateway based on the JWT protocol, computes an HMAC signature using the symmetric key of the target micro-service, and thereby produces a self-verifiable JWT token that is forwarded to the target micro-service.
The stateless authentication system for the micro-service system further comprises a storage module, which persists the symmetric JWT keys corresponding to all target micro-services in a database, so that the micro-service gateway manages the symmetric keys of all target micro-services centrally.
The invention has the advantages that:
the invention provides a stateless authentication method for a micro-service system in which a micro-service gateway implements unified authentication between applications and services and between services; service-to-service calls use the JWT protocol, and a request is completed with a single connection, which reduces the load on the authentication centre; the micro-service gateway intercepts and processes requests uniformly, which improves the reliability of the system, lowers the integration effort, and allows the service platform to run stably under high load.
Drawings
FIG. 1 is a schematic diagram of the application of the method of the present invention.
Detailed Description
OAuth is an open standard for authorization by which a third-party application can obtain specific resources held by a resource owner (the user) at a service provider (the party that provides services to the user). Under this standard the third-party application does not log in to the service provider directly; the resource owner only decides whether to grant authorization and for which resources, and according to that decision the third-party application receives a time-limited token with a defined authorization scope and uses it to obtain the specific resources from the service provider.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a self-contained JSON format for securely transferring claims between two parties. The transferred information can be verified and trusted because it is digitally signed: a JWT can be signed with a shared secret key (HMAC algorithms) or with a public/private key pair (for example RSA).
Redis is an open-source key-value database written in ANSI C that is accessed over the network, runs in memory with optional persistence to disk, and provides APIs for many languages.
The present invention is further described below in conjunction with the following figures and specific examples so that those skilled in the art may better understand the present invention and practice it, but the examples are not intended to limit the present invention.
The invention provides a stateless authentication method for a micro-service system that comprises the following steps: a token for authenticating the user is obtained;
the token is sent to the micro-service gateway, which performs unified authentication with the token and obtains the user information;
the micro-service gateway packages the user information into a stateless JWT token based on the JWT protocol and forwards it to the target micro-service; the target micro-service verifies and parses the JWT token based on the JWT protocol to obtain the user information, performs its business logic, and feeds the result back to the user, completing the stateless authentication.
The method of the invention implements unified authentication between applications and services and between services in the micro-service system; service-to-service calls use the JWT protocol, and a request is completed with a single connection, which reduces the load on the authentication centre; the micro-service gateway intercepts and processes requests uniformly, which improves the reliability of the system, lowers the integration effort, and allows the service platform to run stably under high load.
In a specific embodiment of the invention, the filter chain of the gateway is used to obtain the user information and to re-encapsulate the user information and the request, as follows:
the user obtains an authentication token from the authentication centre: the user applies to the authentication centre for a token according to the OAuth2 protocol using the username/password grant, and the token is AES-encrypted;
the token is sent to the micro-service gateway in an HTTP request, and the gateway obtains the user's session information according to the agreed session-sharing scheme;
the user information is read: the authentication centre caches the user information in Redis with a validity period, so that the gateway can conveniently look up the user information using the decrypted token;
the user information is passed to the filter of the requested micro-service: because a route predicate (path) is configured for each service, the gateway can quickly locate the filter of the service the user requested, and the user information is handed along the gateway's filter chain to the target filter;
in the target filter, once the filter holds the user information, it packages the information into a JWT token according to the JWT protocol, places the token in a request header, and forwards the request to the target micro-service. Each micro-service generates its own symmetric JWT key; all keys are stored in the database and cached in Redis, so that the gateway manages the keys of all micro-services centrally. Because the JWT only travels on internal calls between the gateway and the micro-services, the excessive bandwidth consumption described above does not arise;
after receiving the request from the gateway, the target micro-service verifies the HMAC signature of the JWT token with its own key and parses it to obtain the user information, performs its business logic, and feeds the result back to the user, completing one full authentication.
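The embodiment just described, as an added example that is not the patent's or Inspur's code: a gateway function resolves an opaque access token through the shared session store (a dict with an expiry stands in for the Redis cache; the AES encryption of the token is not reproduced), mints an HS256 JWT with the target micro-service's symmetric key, and a service-side function verifies the token with its own key. The service names, claim layout, key store and session data are assumptions of this example, which uses only the Python standard library. It goes one step beyond the text in that the verifier pins the algorithm and checks `aud` and `exp`, which a self-verifiable token needs in practice.

```python
"""Gateway-minted per-service HS256 JWTs: added example, not the patent's code.

An opaque OAuth2 access token reaches the gateway, the gateway resolves it through
the shared session store (a dict with expiry stands in for the Redis cache; AES
encryption of the token is not reproduced), wraps the user information in a JWT
signed with the symmetric key of the target micro-service, and the target
micro-service verifies the token with its own key. Service names, claim layout,
key store and session data are assumptions of this example.
"""
import base64
import hashlib
import hmac
import json
import time

# Stand-in for the database/Redis key store the gateway manages centrally: one
# independent symmetric key per target micro-service (assumed). In production use
# at least 32 random bytes per key (HS256 needs a 256-bit secret).
SERVICE_KEYS = {
    "order-service": b"order-service-key-0123456789abcdef",
    "inventory-service": b"inventory-service-key-0123456789abcd",
}

# Stand-in for the session cache the authentication centre fills with a validity
# period: opaque access token -> (user information, expiry). Constructed data.
SESSION_STORE = {
    "at-7f3c": ({"sub": "u1001", "name": "alice", "roles": ["buyer"]}, time.time() + 600),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def gateway_issue_jwt(access_token: str, target_service: str, ttl: int = 60, now=None) -> str:
    """Gateway side: check the opaque token against the shared session, then mint a
    short-lived HS256 JWT bound (aud) to the target service and signed with that
    service's key. Raises PermissionError for an unknown or expired access token."""
    now = int(time.time()) if now is None else now
    entry = SESSION_STORE.get(access_token)
    if entry is None or entry[1] <= now:
        raise PermissionError("unknown or expired access token")
    user, _ = entry
    key = SERVICE_KEYS[target_service]  # KeyError: no key registered for this service
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**user, "iss": "gateway", "aud": target_service, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    ).encode("ascii")
    return signing_input.decode("ascii") + "." + _b64url(_hs256(signing_input, key))


def service_verify_jwt(token: str, service_name: str, now=None) -> dict:
    """Target-service side: verify with *this* service's key only. The algorithm is
    pinned to HS256 (so an 'alg: none' or swapped-algorithm header is rejected), the
    MAC is compared in constant time, and aud/exp are checked before any claim is
    trusted. Raises PermissionError carrying the reason on failure."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token") from None
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = _hs256(f"{h64}.{p64}".encode("ascii"), SERVICE_KEYS[service_name])
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise PermissionError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("aud") != service_name:
        raise PermissionError("token not intended for this service")
    if payload.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return payload


def rejection_reason(token: str, service_name: str, now=None):
    """Return the reason the service rejects the token, or None if it accepts it."""
    try:
        service_verify_jwt(token, service_name, now)
    except PermissionError as exc:
        return str(exc)
    return None


def forge_alg_none(token: str) -> str:
    """The classic 'alg: none' forgery built from a valid token: same payload, empty
    signature. Shown only to demonstrate that the pinned verifier rejects it."""
    _, p64, _ = token.split(".")
    return _b64url(b'{"alg":"none","typ":"JWT"}') + "." + p64 + "."


if __name__ == "__main__":
    jwt = gateway_issue_jwt("at-7f3c", "order-service")
    print("accepted by order-service:", service_verify_jwt(jwt, "order-service")["sub"])
    print("inventory-service:", rejection_reason(jwt, "inventory-service"))
    print("alg none at order-service:", rejection_reason(forge_alg_none(jwt), "order-service"))
```

Because every service holds its own key, a token minted for order-service already fails signature verification at inventory-service; the `aud` check still matters wherever keys are shared between services. The symmetric design carries a caveat the patent does not spell out: any holder of a service's key (the gateway, the database and Redis cache of keys, and the service itself) can mint tokens for that service, so the key store is as sensitive as the tokens. Signing at the gateway with a private key and giving services only the public key (the RSA option mentioned above) lets services verify without being able to mint.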
The invention also provides a stateless authentication system for a micro-service system, comprising an acquisition module, a transfer module and a verification and parsing module:
the acquisition module obtains a token for user authentication and sends the encrypted token to the micro-service gateway, so that the gateway performs unified authentication with the token and obtains the user information;
the transfer module packages the user information into a stateless JWT token through the micro-service gateway based on the JWT protocol and forwards it to the target micro-service; the verification and parsing module verifies and parses the JWT token at the target micro-service based on the JWT protocol to obtain the user information, and after the target micro-service performs its business logic the result is fed back to the user, completing the stateless authentication.
The information interaction, execution process and other contents between the modules in the system are based on the same concept as the method embodiment of the present invention, and specific contents can be referred to the description in the method embodiment of the present invention, and are not described herein again.
The above-mentioned embodiments are merely preferred embodiments for fully illustrating the present invention, and the scope of the present invention is not limited thereto. The equivalent substitution or change made by the technical personnel in the technical field on the basis of the invention is all within the protection scope of the invention. The protection scope of the invention is subject to the claims.

Claims (8)

1. A stateless authentication method for a micro-service system, characterized in that a token for user authentication is obtained;
the token is sent to the micro-service gateway, which performs unified authentication with the token and obtains the user information;
the micro-service gateway packages the user information into a stateless JWT token based on the JWT protocol and forwards it to the target micro-service; the target micro-service verifies and parses the JWT token based on the JWT protocol to obtain the user information, performs its business logic, and feeds the result back to the user, completing the stateless authentication.
2. The stateless authentication method for the micro-service system according to claim 1, wherein the token is sent to the micro-service gateway in an HTTP request, and the micro-service gateway obtains the user information according to an agreed session-sharing scheme.
3. The stateless authentication method according to claim 1 or 2, wherein the user information is packaged by the micro-service gateway based on the JWT protocol, an HMAC signature is computed using the symmetric key of the target micro-service, and the resulting self-verifiable JWT token is forwarded to the target micro-service.
4. The stateless authentication method according to claim 3, wherein the symmetric JWT keys corresponding to all target micro-services are persisted in a database, so that the micro-service gateway manages the symmetric keys of the target micro-services centrally.
5. A stateless authentication system for a micro-service system, characterized in that it comprises an acquisition module, a transfer module and a verification and parsing module,
the acquisition module obtains a token for user authentication and sends it to the micro-service gateway, so that the gateway performs unified authentication with the token and obtains the user information,
the transfer module packages the user information into a stateless JWT token through the micro-service gateway based on the JWT protocol and forwards it to the target micro-service, and the verification and parsing module verifies and parses the JWT token at the target micro-service based on the JWT protocol to obtain the user information, and after the target micro-service performs its business logic the result is fed back to the user, completing the stateless authentication.
6. The stateless authentication system according to claim 5, wherein the acquisition module sends the token to the micro-service gateway in an HTTP request, so that the micro-service gateway obtains the user information according to an agreed session-sharing scheme.
7. The stateless authentication system according to claim 5 or 6, wherein the transfer module packages the user information through the micro-service gateway based on the JWT protocol, computes an HMAC signature using the symmetric key of the target micro-service, and forwards the resulting self-verifiable JWT token to the target micro-service.
8. The stateless authentication system according to claim 7, further comprising a storage module that persists the symmetric JWT keys corresponding to all target micro-services in a database, so that the micro-service gateway manages the symmetric keys of the target micro-services centrally.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010702725.0A CN111865984A (en) 2020-07-21 2020-07-21 Stateless authentication method for micro-service system

Publications (1)

Publication Number Publication Date
CN111865984A (en) 2020-10-30

Family

ID=73002297

Country Status (1)

Country Link
CN (1) CN111865984A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491895A (en) * 2020-11-30 2021-03-12 武汉海昌信息技术有限公司 Identity authentication method, storage medium and system based on micro-service
CN112653556A (en) * 2020-12-24 2021-04-13 光大兴陇信托有限责任公司 TOKEN-based micro-service security authentication method, device and storage medium
CN112671777A (en) * 2020-12-25 2021-04-16 中国农业银行股份有限公司 User identity authentication method, device and equipment
CN112738069A (en) * 2020-12-25 2021-04-30 神思旭辉医疗信息技术有限责任公司 Fusion method, system and server based on stateful authentication mechanism and stateless authentication mechanism
CN113158218A (en) * 2021-05-21 2021-07-23 上海幻电信息科技有限公司 Data encryption method and device and data decryption method and device
CN114338223A (en) * 2022-01-14 2022-04-12 百果园技术(新加坡)有限公司 User authentication method, system, device, equipment and storage medium
CN114928460A (en) * 2022-02-14 2022-08-19 上海大学 Multi-tenant application integration framework system based on micro-service architecture

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108901022A (en) * 2018-06-28 2018-11-27 深圳云之家网络有限公司 A kind of micro services universal retrieval method and gateway
CN109756448A (en) * 2017-11-02 2019-05-14 广东亿迅科技有限公司 API gateway method for managing security and its system based on micro services
US10331424B1 (en) * 2018-07-27 2019-06-25 Modo Labs, Inc. User interface development through web service data declarations



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2020-10-30