WO2023045970A1 - Method and apparatus for determining access token - Google Patents

Method and apparatus for determining access token Download PDF

Info

Publication number
WO2023045970A1
Authority
WO
WIPO (PCT)
Prior art keywords
access token
server
token
preset
request
Prior art date
Application number
PCT/CN2022/120217
Other languages
French (fr)
Chinese (zh)
Inventor
黄定朝
Original Assignee
深圳前海微众银行股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳前海微众银行股份有限公司
Publication of WO2023045970A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Definitions

  • Embodiments of the present invention relate to the field of financial technology (Fintech), and in particular to a method and device for determining an access token.
  • Fintech: financial technology
  • When authenticating an API interface, the API request client generally sends a request to obtain an access token, carrying user authentication information, to the server. After receiving the request, the server determines whether the user authentication information is correct; when it is, the server determines the access token (access_token) and returns it to the API request client.
  • each user authentication information corresponds to only one valid access_token within a period of time
  • the interface of the application server cannot be called.
  • the access_token needs to be cached in the cache server, and the access_token is periodically obtained from the interface open platform to update the access_token in the cache server.
  • When the access_token in the cache server expires and multiple application servers receive API requests at the same time, those application servers all need to update the access_token simultaneously; because obtaining the access_token from the interface open platform takes a certain time, the latest access_token is the same as the previous one.
  • The latest access_token and the previous one have a one-minute coexistence period, that is, all other access_tokens expire.
  • the present invention provides a method and device for determining an access token, which is used to solve the problem in the prior art that the effect of obtaining a valid access token is poor.
  • The present invention provides a method for determining an access token, applied to an application server, including: receiving a request for obtaining an access token sent by a first API interface client, the request carrying a user credential and a credential key; determining whether the access token corresponding to the user credential is obtained from the preset cache server; when the access token corresponding to the user credential is not obtained from the preset cache server, sending a request to acquire a distributed lock to the preset cache server, the distributed lock being used to control the application servers so that only one application server updates the access token at the same time; and, when receiving the target distributed lock fed back by the preset cache server, sending an access token request to the interface open platform server based on the user credential and the credential key, receiving the new access token fed back by the interface open platform server, and sending the new access token to the first API interface client.
  • The method further includes: when it is determined that the access token corresponding to the user credential is obtained from the preset cache server, verifying the valid duration of the corresponding access token; when it is determined that the valid duration of the corresponding access token passes verification, sending the corresponding access token to the first API interface client.
  • That is, when the access token corresponding to the user credential is obtained from the preset cache server, it is not fed back directly to the first API interface client; its valid duration is verified first. In this way, it is possible to ensure that the access token finally fed back to the first API interface client is valid.
  • Verifying the valid duration of the corresponding access token includes: determining the remaining valid duration of the corresponding access token; determining whether the remaining valid duration is greater than a preset duration, wherein the preset duration is determined based on the data refresh duration and guaranteed duration of the preset cache server; and when it is determined that the remaining valid duration is greater than the preset duration, determining that the valid duration verification of the corresponding access token is passed.
  • The method further includes: when it is determined that the remaining valid duration is not greater than the preset duration, sending a request to acquire a distributed lock to the preset cache server.
  • The method further includes: determining whether the first time interval, from the moment when the request to acquire the distributed lock is sent to the current moment, reaches a preset time interval; when it is determined that the first time interval reaches the preset time interval and the target distributed lock has not been received, sending a request for acquiring a distributed lock to the preset cache server.
  • requests for acquiring distributed locks can be regularly sent to the preset cache server, so as to ensure that the preset cache server can receive the request for acquiring distributed locks and respond to the request for distributed locks.
  • The method further includes: determining whether the cumulative number of requests for acquiring a distributed lock sent to the preset cache server for the first API interface client reaches a preset threshold; when it is determined that the cumulative number does not reach the preset threshold, sending a request to acquire a distributed lock to the preset cache server.
  • In this way the number of distributed lock acquisitions can be limited, extending the service life of the application server as much as possible while still meeting the requirement of acquiring the distributed lock.
  • the access token in the preset cache server is correspondingly updated based on the access token determined by the timed task in the timer corresponding to the preset cache server.
  • the access token in the preset cache server can be automatically updated based on the scheduled task, that is, to ensure that the final access token in the preset cache server is within the validity period as much as possible.
  • The present invention provides a device for determining an access token, applied to an application server, including: a receiving unit, configured to receive a request for obtaining an access token sent by a first API interface client, the request carrying a user credential and a credential key; an obtaining unit, configured to determine whether the access token corresponding to the user credential is obtained from the preset cache server; a sending unit, configured to send a request for obtaining a distributed lock to the preset cache server when the access token corresponding to the user credential is not obtained from the preset cache server, the distributed lock being used to control the application servers so that only one application server renews the access token at the same time; and a processing unit, configured to send an access token request to the interface open platform server based on the user credential and the credential key when receiving the target distributed lock fed back by the preset cache server, receive a new access token fed back by the interface open platform server, and send the new
  • The device further includes a verification unit, configured to: when it is determined that the access token corresponding to the user credential is obtained from the preset cache server, verify the valid duration of the corresponding access token; and when it is determined that the valid duration of the corresponding access token passes verification, send the corresponding access token to the first API interface client.
  • The verification unit is specifically configured to: determine the remaining valid duration of the corresponding access token; determine whether the remaining valid duration is greater than a preset duration, wherein the preset duration is determined based on the data refresh duration and guaranteed duration of the preset cache server; and when it is determined that the remaining valid duration is greater than the preset duration, determine that the valid duration verification of the corresponding access token is passed.
  • the verification unit is further configured to: send a request for acquiring a distributed lock to the preset cache server when it is determined that the remaining valid duration is not greater than the preset duration.
  • After the request for acquiring a distributed lock is sent to the preset cache server, the device further includes a judging unit, configured to: determine whether the first time interval, from the moment when the request for acquiring a distributed lock is sent to the current moment, reaches the preset time interval; and when it is determined that the first time interval reaches the preset time interval and the target distributed lock has not been received, send a request to acquire the distributed lock to the preset cache server.
  • The judging unit is further configured to: determine whether the cumulative number of requests for acquiring a distributed lock sent to the preset cache server for the first API interface client reaches a preset threshold; and when it is determined that the cumulative number does not reach the preset threshold, send a request to acquire a distributed lock to the preset cache server.
  • The present invention provides a computer device including a program or instruction which, when executed, performs the method of the above first aspect and each of its optional implementations.
  • The present invention provides a storage medium including a program or instruction which, when executed, performs the method of the above first aspect and each of its optional implementations.
  • FIG. 1 is a schematic diagram of a method for determining an access token provided by an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of the steps of a method for determining an access token provided by an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of other steps of a method for determining an access token provided by an embodiment of the present invention.
  • FIG. 4 is a signaling interaction diagram between an application server, a preset cache server and an interface open platform server provided by an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of an apparatus for determining an access token provided by an embodiment of the present invention.
  • access_token the access token, which is the globally unique interface calling credential of the server corresponding to the application access interface open platform.
  • the user credential which is the unique credential of the third-party user assigned to each third-party user by the server corresponding to the interface open platform;
  • the credential key which can also be called a private key, is the unique credential key of a third-party user assigned to each third-party user by the server corresponding to the interface open platform;
  • Redis (Remote Dictionary Server): an open source, network-enabled, memory-based, persistent log-type key-value database that provides APIs in multiple languages, that is, a high-performance key-value cache server;
  • Open interface platform: a software system that exposes its API (Application Programming Interface) or functions so that external programs can extend the functions of the software system or use its resources without changing the software system's source code; that is, a platform that provides an open API is called an open interface platform.
  • API: Application Programming Interface
  • When authenticating an API interface, the API request client generally sends a request for obtaining an access token, carrying user authentication information, to the server. After receiving the request, the server determines whether the user authentication information is correct; when it is confirmed correct, the access token (access_token) is determined and returned to the API request client.
  • That is, for each user authentication information, only one access_token is allowed to be valid for a period of time.
  • If an expired access_token is used to call the interface of the application server, an error is reported to the client that sent the API request.
  • the number of times the application server can obtain access_token is limited. For example, each application server can obtain access_token up to 8000 times a day, so the access_token needs to be cached in the cache server and refreshed regularly.
  • Because the access_token is only stored in the corresponding cache server, when the access_token in the system cache expires and multiple servers update the access_token at the same time, an expired access_token may be written to the cache server, causing some servers to get an expired access_token.
  • the application server receives the first API request and obtains the access_token from the cache server. When it finds that the access_token has expired, it needs to request a new access_token from the server corresponding to the interface open platform. Further, after the access_token is obtained, the access_token in the cache server is updated.
  • When the second API request is received, the access_token is still obtained from the cache server; because the new access_token for the first API request has not yet been returned, the access_token obtained from the cache server is still the expired old one. Therefore a new access_token is again requested from the interface open platform, and the access_token in the cache server is updated again once it is obtained.
  • Before the interface open platform returns the new access_token, all access_tokens obtained from the cache server by API requests during this period are old, expired access_tokens.
  • Each of these API requests therefore triggers an application to the interface open platform for an access_token. In this way, the interface open platform receives multiple requests for an access_token, returns the latest access_token, and the access_token in the cache server is updated at the same time.
  • The interface open platform treats only the latest access_token as valid; the latest access_token and the previous one have a one-minute coexistence period, and the rest are expired. As a result, of all the API requests made before the new access_token is returned, only two will succeed and the rest will fail because their access_token has expired.
  • For this reason, the embodiment of the present invention provides a method for determining the access token. Through a distributed lock, it is guaranteed that only one application server is updating the access_token while the other servers obtain the access_token from the cache server, thereby ensuring the uniqueness of the access_token and that call authentication for each API request succeeds normally.
  • The electronic device 101 communicates with the application server 102, and the application server 102 can also communicate with the preset cache server 103 and the server 104.
  • direct or indirect connection is performed through wired or wireless communication, which is not limited in the present invention.
  • the application server 102 includes an application server 102-1, an application server 102-2, . . . , and an application server 102-n, where n is a positive integer greater than 2.
  • The "server corresponding to the open interface platform" is referred to as the "open interface platform server" hereinafter.
  • an application system is correspondingly deployed on n application servers 102.
  • the access_token corresponds to only one appid in the interface open platform, that is, the access_token is consistent, and the appid and appsecret are obtained from the interface open platform.
  • the corresponding access_token is placed in the preset cache server 103, and when the api interface is called, the access_token is obtained from the preset cache server 103 to interact with the interface open platform.
  • Since the electronic device 101 that sends the request for obtaining the access token interacts with one application server 102 (for example, application server 102-1) each time, when application server 102-1 does not retrieve the access_token from the corresponding preset cache server 103, application server 102-1 sends a request for obtaining the access_token to the server 104 corresponding to the interface open platform, thereby determining the new access_token corresponding to the appid of the user credential, and updates and caches the new access_token in the preset cache server 103.
  • Which application server specifically interacts with the electronic device 101 may be determined by the application system based on the load conditions of the respective application servers, which is not limited in the present invention.
  • the preset cache server can be a redis server, and of course, it can also be other servers capable of caching data, which is not limited in the present invention.
  • the application server 102, the preset cache server 103, and the server 104 can be independent physical servers, or server clusters or distributed systems composed of multiple physical servers, or provide cloud services, cloud databases, cloud computing, Cloud servers for basic cloud computing services such as cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, CDN (Content Delivery Network, content distribution network), and big data and artificial intelligence platforms.
  • the electronic device 101 may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart TV, a smart wearable device, etc. or a server, but is not limited thereto.
  • Although the embodiments of the present invention provide the method operation steps shown in the following embodiments or drawings, the method may include more or fewer steps based on routine or non-creative effort. For steps that logically have no necessary causal relationship, the execution order is not limited to the order provided in the embodiment of the present invention.
  • the method can be executed sequentially or in parallel according to the methods shown in the embodiments or drawings during the actual processing process or when the device is executed (for example, a parallel processor or an application environment for multi-thread processing).
  • Step 201 Receive a request for obtaining an access token sent by the client of the first API interface, and the request for obtaining the access token carries a user credential and a credential key.
  • Step 202 Determine whether the access token corresponding to the user credential is obtained from the preset cache server.
  • The application server may receive the request for obtaining the access token sent by the first API interface client, the request carrying the user credential and credential key, and then determine whether the access token corresponding to the user credential is obtained from the preset cache server. Specifically, when the access token corresponding to the user credential is not obtained from the preset cache server, step 203 is executed.
  • When the access token corresponding to the user credential is obtained from the preset cache server, the valid duration verification of that access token is performed.
  • When the verification passes, the access token corresponding to the user credential is sent to the first API interface client.
  • the following steps can be used, but not limited to, to verify the valid duration of the access token corresponding to the user credential:
  • Step a Determine the remaining validity period of the access token corresponding to the user credential.
  • the application server may analyze the information of the access token corresponding to the user credential, and determine the remaining valid duration of the access token corresponding to the user credential. Specifically, the application server may determine the remaining valid duration of the access token corresponding to the user credential based on the expiration time and valid duration corresponding to the access token.
  • Step b Determine whether the remaining effective duration is greater than a preset duration, wherein the preset duration is determined based on the corresponding data refresh duration and guarantee duration of the preset cache server.
  • For example, the data refresh duration of the preset cache server may be 30 minutes and the guaranteed duration 10 minutes; the preset duration may then be 40 minutes.
  • the data refresh duration may be within 0-120 minutes, and may be determined based on actual implementation, which is not limited in this application.
  • the remaining valid duration can be compared with the preset duration. Specifically, when it is determined that the remaining valid duration is greater than the preset duration, step c is performed; when it is determined that the remaining effective duration is not greater than the preset duration, step d is performed.
  • Step c When it is determined that the remaining valid duration is greater than the preset duration, it is determined that the verification of the valid duration of the access token corresponding to the user credential is passed.
  • Step d When it is determined that the remaining effective duration is not greater than the preset duration, send a request to acquire the distributed lock to the preset cache server.
  • Step 203 When the access token corresponding to the user credential is not obtained from the preset cache server, send a request for acquiring a distributed lock to the preset cache server; the distributed lock is used to control the application servers so that only one application server updates the access token at a time.
  • After the request for acquiring a distributed lock is sent to the preset cache server, when the target distributed lock is not received, the application server determines whether the first time interval from the moment the request was sent to the current moment has reached the preset time interval; when the first time interval has reached the preset time interval and the target distributed lock still has not been received, it sends another request to acquire the distributed lock to the preset cache server.
  • That is, when the application server fails to grab the target distributed lock the first time, it may continue to send a request for acquiring the distributed lock to the preset cache server after a preset time interval.
  • The application server may also determine whether the cumulative number of requests to acquire the distributed lock sent to the preset cache server for the first API interface client reaches a preset threshold; when the accumulated number does not reach the preset threshold, it sends a request to the preset cache server to acquire the distributed lock.
  • That is, when the application server fails to acquire the target distributed lock the first time, it can try again at a preset time interval, and the number of retries should be less than the preset threshold. For example, the application server can try again every 100 milliseconds, at most 10 times, until the target distributed lock is acquired.
  • Step 204 When receiving the target distributed lock fed back by the preset cache server, send a request to obtain an access token to the interface open platform server based on the user credential and credential key, receive the new access token fed back by the interface open platform server, and send the new access token to the first API interface client.
  • When the application server receives the target distributed lock fed back by the preset cache server, it sends an access token request to the interface open platform server based on the user credential and credential key. The interface open platform server then determines whether the user credential and credential key conform to the corresponding preset format; when they do, the user credential and credential key are considered verified, and the interface open platform server feeds back a new token to the application server, so that the application server receives the new access token and sends it to the first API interface client.
  • the application server can also update the access token in the cache server based on the new access token, and release the target distributed lock, so that other application servers can acquire the target distributed lock and obtain a new access token .
  • the access token in the preset cache server is updated based on the access token determined by the timed task in the timer corresponding to the preset cache server.
  • The specific process of enabling a scheduled task that regularly updates the target access_token in the preset cache server every 30 minutes is as follows:
  • If the target access_token in the Redis server cache does not exist, or its remaining valid time is less than 40 minutes, apply for the latest access_token from the interface open platform server; if the access_token is obtained successfully from the open platform, update the latest access_token in the Redis cache, where the latest access_token includes the access_token value, expiration time and valid duration.
  • In this way the access token cached in the Redis server can be updated based on the timer in the Redis server, ensuring that the cached access token is also within its validity period. Because the access token obtained during the update is determined from the interface open platform server, all access tokens stored in the Redis server are generated by the interface open platform server and stored in association with user credentials, so subsequent application servers can obtain the corresponding access token from the Redis server based on the user credential.
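As an added example (not code from the patent or its assignee), the Python below models the prior-art failure described above, the flow of steps 201-204 with the validity check of steps a-d, and the refresh that the 30-minute timer task performs. The cache server, the interface open platform and the application servers are in-memory stand-ins constructed here; the key names "access_token:<appid>" and "lock:<appid>", the lock's own expiry, and the second cache check after winning the lock are assumptions, and all durations are in seconds rather than the page's minutes.

```python
import threading
import time
import uuid

class FakeCacheServer:
    # Stand-in for the preset cache server (Redis): per-key expiry plus an atomic set-if-absent.
    def __init__(self):
        self._data, self._mutex = {}, threading.RLock()

    def get(self, key):  # expired entries are dropped lazily, as Redis does
        with self._mutex:
            if key in self._data and self._data[key][1] <= time.monotonic():
                del self._data[key]
            return self._data.get(key, (None,))[0]

    def set(self, key, value, ttl):
        with self._mutex:
            self._data[key] = (value, time.monotonic() + ttl)

    def set_nx(self, key, value, ttl):  # SET key value NX EX ttl
        with self._mutex:
            if self.get(key) is not None:
                return False
            self.set(key, value, ttl)
            return True

    def delete_if_owner(self, key, owner):  # release only a lock we still hold
        with self._mutex:
            if self.get(key) == owner:
                del self._data[key]

class FakeOpenPlatform:
    # Stand-in for the open platform: only the newest token and its predecessor are valid.
    def __init__(self, valid_seconds, latency=0.0):
        self.valid_seconds, self.latency, self.issued, self._mutex = valid_seconds, latency, [], threading.Lock()

    def issue(self, appid, appsecret):
        time.sleep(self.latency)  # simulated issuance delay
        with self._mutex:
            self.issued.append(f"tok-{len(self.issued) + 1}")
            return {"access_token": self.issued[-1], "valid_seconds": self.valid_seconds,
                    "expires_at": time.monotonic() + self.valid_seconds}

def validity_check(token, preset_duration, now):
    # Steps a-c: pass only if more than preset_duration (refresh + guaranteed duration) remains.
    return token["expires_at"] - now > preset_duration

class ApplicationServer:
    LOCK_RETRY_INTERVAL, LOCK_MAX_RETRIES, LOCK_TTL = 0.1, 10, 5.0  # 100 ms and 10 retries per page; TTL assumed

    def __init__(self, cache, platform, preset_duration, use_lock=True):
        self.cache, self.platform = cache, platform
        self.preset_duration, self.use_lock = preset_duration, use_lock

    def _cached_valid(self, appid):  # step 202 plus steps a-c
        token = self.cache.get(f"access_token:{appid}")
        if token and validity_check(token, self.preset_duration, time.monotonic()):
            return token["access_token"]
        return None

    def _refresh(self, appid, appsecret):  # step 204; the 30-minute timer task does the same
        token = self.platform.issue(appid, appsecret)
        self.cache.set(f"access_token:{appid}", token, ttl=token["valid_seconds"])
        return token["access_token"]

    def _acquire_lock(self, appid):  # step 203 with the page's retry policy
        owner = uuid.uuid4().hex
        for _ in range(1 + self.LOCK_MAX_RETRIES):
            if self.cache.set_nx(f"lock:{appid}", owner, self.LOCK_TTL):
                return owner
            time.sleep(self.LOCK_RETRY_INTERVAL)
        return None

    def determine_access_token(self, appid, appsecret):
        value = self._cached_valid(appid)
        if value is not None:
            return value
        if not self.use_lock:  # prior-art behaviour: every server refreshes unguarded
            return self._refresh(appid, appsecret)
        owner = self._acquire_lock(appid)
        if owner is None:
            raise RuntimeError("distributed lock not acquired within the retry budget")
        try:  # re-check first: the previous holder may already have refreshed the cache
            return self._cached_valid(appid) or self._refresh(appid, appsecret)
        finally:
            self.cache.delete_if_owner(f"lock:{appid}", owner)

def simulate(n_servers, use_lock):
    # Constructed scenario: n servers hit an empty cache at once; returns (tokens issued, servers holding a valid token).
    cache, platform = FakeCacheServer(), FakeOpenPlatform(valid_seconds=600, latency=0.2)
    servers = [ApplicationServer(cache, platform, 240, use_lock) for _ in range(n_servers)]
    results, barrier = [None] * n_servers, threading.Barrier(n_servers)
    def run(i):
        barrier.wait()
        results[i] = servers[i].determine_access_token("appid-demo", "secret-demo")
    threads = [threading.Thread(target=run, args=(i,)) for i in range(n_servers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return len(platform.issued), sum(v in platform.issued[-2:] for v in results)
```

Calling `simulate(5, use_lock=False)` has every server fetch its own token, and because the platform keeps only the newest token and its predecessor valid, three of the five servers finish holding expired tokens; `simulate(5, use_lock=True)` makes one platform call and all five servers finish with the same valid token. The lock value is a random owner id and is only deleted by that owner, so a slow holder cannot release a lock that has since expired and been re-acquired by another server.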
  • FIG. 3 is a schematic diagram of determining an access token according to an embodiment of the present application.
  • Step 301 Receive a request for obtaining an access token sent by the client of the first API interface.
  • Step 302 Determine whether the preset cache server holds an access token corresponding to the user credential carried in the request for obtaining the access token. When it does, perform step 305; when it does not, go to step 303.
  • Step 303 Send a request for obtaining a new access token to the interface open platform server, so that the interface open platform server generates a new access token based on the user credential and the credential key through an encryption algorithm.
  • Step 304 Receive a new access token sent by the interface open platform server.
  • Step 305 Validate the access token corresponding to the user credential; when it is determined that the access token is not verified, execute step 306; when it is determined that the access token is valid, execute step 308.
  • Step 306 When it is determined that the access token has not been verified, send a request for obtaining a new access token to the interface opening platform server, so that the interface opening platform server generates a new access token based on the user certificate and certificate key through an encryption algorithm. token.
  • Step 307 Receive a new access token sent by the interface open platform server.
  • Step 308 Send the access token to the first API interface client.
  • The access_token is a unique access identifier obtained from the interface open platform using the appid and secret. It can be used for authentication only while it is within its validity period; otherwise access is denied.
  • FIG. 4 is a signaling interaction diagram of an application server, a preset cache server and an interface open platform server provided by an embodiment of the present invention.
  • Step 401: The application server sends a request to the redis server to acquire the target access_token corresponding to the appid.
  • Specifically, the application server receives the request for obtaining an access token sent by the client. Since that request carries the appid and app secret, the application server can send the redis server a request for the target access_token corresponding to the appid.
  • Step 402: The redis server judges whether the target access_token exists and, if so, feeds the target access_token back to the application server.
  • When the application server obtains the target access_token from the redis server, it must still judge whether the target access_token has passed its validity period. If it has, the application server still needs to obtain the latest access_token from the interface open platform server; if the target access_token is within its validity period, the client can use it to make API calls.
  • Step 403: The application server sends a request for acquiring the redis distributed lock to the redis server.
  • Step 404: The redis server returns the target distributed lock to the application server.
  • Step 405: Based on the appid and appsecret carried in the client's request for obtaining an access token, the application server sends a request for obtaining a new access_token corresponding to the appid to the interface open platform server.
  • Step 406: The interface open platform server returns a new access_token corresponding to the appid to the application server.
  • Step 407: The application server sends the new access_token corresponding to the appid to the redis server and releases the target distributed lock.
  • Consider a first client, a second client and a third client that each send a request for obtaining an access token carrying the same appid1 and appsecret1, in time order: the first client sends the first request, the second client sends the second request and the third client sends the third request, and application server 1, application server 2 and application server 3 receive the first, second and third API request for obtaining an access token respectively.
  • Application server 1 determines whether the access token corresponding to appid1 can be obtained from the redis server; when it cannot, it sends a request for acquiring a distributed lock to the redis server.
  • When application server 1 receives the target distributed lock fed back by the redis server, it sends a request for obtaining an access token carrying appid1 and appsecret1 to the interface open platform server. The interface open platform server determines whether appid1 and appsecret1 conform to the corresponding preset format; when they do, appid1 and appsecret1 are deemed to have passed verification, and a new access token is fed back to application server 1, which receives it.
  • Application server 1 sends the new access token to the first client and then sends it to the redis server, so that the redis server updates the access token corresponding to appid1; from this moment on, the latest access token corresponding to appid1 is cached in the redis server. The first client thus obtains a valid access token.
  • Application server 2 verifies appid1 and appsecret1 and, when they pass verification, determines whether the access token corresponding to appid1 can be obtained from the redis server. If the redis server already holds the access token updated by application server 1, application server 2 obtains the access token corresponding to appid1 and then verifies its valid duration.
  • When application server 2 determines that the valid duration of the access token passes verification, it sends the access token to the second client and then sends it to the redis server, so that the redis server updates the access token corresponding to appid1; from this moment on, that access token is cached in the redis server. The second client thus obtains a valid access token.
  • When application server 2 does not obtain the access token corresponding to appid1 from the redis server, it sends a request for acquiring a distributed lock to the redis server. When it receives the target distributed lock fed back by the redis server, it sends a request for obtaining an access token carrying appid1 and appsecret1 to the interface open platform server. The interface open platform server determines whether appid1 and appsecret1 conform to the corresponding preset format; when they do, appid1 and appsecret1 are deemed to have passed verification, and a new access token is fed back to application server 2.
  • Application server 2 receives the new access token fed back by the interface open platform server, sends it to the second client and then to the redis server, so that the redis server updates the access token corresponding to appid1; from this moment on, the latest access token corresponding to appid1 is cached in the redis server, and the second client obtains a valid access token.
  • Application server 3 likewise verifies appid1 and appsecret1 and, when they pass verification, determines whether the access token corresponding to appid1 can be obtained from the redis server. If the redis server holds the access token updated by application server 1 or application server 2, application server 3 obtains the access token corresponding to appid1 and then verifies its valid duration.
  • When application server 3 determines that the valid duration of the access token passes verification, it sends the access token to the third client and then sends it to the redis server, so that the redis server updates the access token corresponding to appid1; from this moment on, that access token is cached in the redis server. The third client thus obtains a valid access token.
  • When application server 3 does not obtain the access token corresponding to appid1 from the redis server, it sends a request for acquiring a distributed lock to the redis server. When it receives the target distributed lock fed back by the redis server, it sends a request for obtaining an access token carrying appid1 and appsecret1 to the interface open platform server. The interface open platform server determines whether appid1 and appsecret1 conform to the corresponding preset format; when they do, appid1 and appsecret1 are deemed to have passed verification, and a new access token is fed back to application server 3.
  • Application server 3 receives the new access token fed back by the interface open platform server, sends it to the third client and then to the redis server, so that the redis server updates the access token corresponding to appid1; from this moment on, the latest access token corresponding to appid1 is cached in the redis server, and the third client obtains a valid access token.
  • When the first client, the second client and the third client target different appids, each can be handled according to the procedure described for the first client above, so that each obtains a valid access token.
  • The present invention further provides a device for determining an access token, including: a receiving unit 501, configured to receive a request for obtaining an access token sent by a first API interface client, the request carrying a user credential and a credential key; an obtaining unit 502, configured to determine whether an access token corresponding to the user credential is obtained from the preset cache server; a sending unit 503, configured to send a request for acquiring a distributed lock to the preset cache server when the access token corresponding to the user credential is not obtained from the preset cache server, the distributed lock being used to control the application servers so that only one application server updates the access token at any one time; and a processing unit 504, configured to, when the target distributed lock fed back by the preset cache server is received, send a request for obtaining an access token to the interface open platform server based on the user credential and the credential key, receive the new access token fed back by the interface open platform server, and send the new access token to the first API interface client.
  • The device further includes a verification unit, configured to: when it is determined that the access token corresponding to the user credential is obtained from the preset cache server, verify the valid duration of the corresponding access token; and when the valid duration verification of the corresponding access token passes, send the corresponding access token to the first API interface client.
  • The verification unit is specifically configured to: determine the remaining valid duration of the corresponding access token; determine whether the remaining valid duration is greater than a preset duration, where the preset duration is determined from the data refresh duration and the guaranteed duration of the preset cache server; and when the remaining valid duration is greater than the preset duration, determine that the valid duration verification of the corresponding access token passes.
  • The verification unit is further configured to send a request for acquiring a distributed lock to the preset cache server when it is determined that the remaining valid duration is not greater than the preset duration.
  • After the request for acquiring a distributed lock is sent to the preset cache server, the device further includes a judging unit, configured to: determine whether a first time interval, from the moment the request for acquiring a distributed lock was sent to the current moment, has reached a preset time interval; and when the first time interval has reached the preset time interval and the target distributed lock has not been received, send the request for acquiring a distributed lock to the preset cache server again.
  • The judging unit is further configured to: determine, for the first API interface client, whether the cumulative number of requests for acquiring a distributed lock sent to the preset cache server has reached a preset count threshold; and when the cumulative number has not reached the preset count threshold, send the request for acquiring a distributed lock to the preset cache server.
  • The access token in the preset cache server is updated according to the access token determined by a timed task in the timer corresponding to the preset cache server.
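The cache-first lookup of steps 401 to 407, the three-client scenario above, and the verification and judging units (remaining valid duration compared with a preset duration; lock requests repeated at a preset interval up to a preset count threshold) fit together as one small program. The following Python is an added example written for this page, not code from the patent or from its applicant. It replaces the redis server and the interface open platform server with in-memory stand-ins, and every key name, credential format, duration and constant in it is an assumption chosen for illustration; the 40-minute threshold mirrors the "remaining valid time is less than 40 minutes" rule the timed task uses earlier on this page.

```python
"""Added example (not the patent's code): the FIG. 4 flow with in-memory stand-ins for
the redis server and the interface open platform server. All names, key layouts,
credential formats and durations are assumptions for illustration."""
import secrets

PRESET_DURATION = 30 * 60 + 10 * 60   # assumed refresh duration + guaranteed duration = 40 min
LOCK_TTL = 10.0                       # lock auto-expires if its holder crashes (seconds)
LOCK_RETRY_INTERVAL = 0.05            # "preset time interval" between lock requests
LOCK_MAX_ATTEMPTS = 3                 # "preset count threshold" of lock requests

class Clock:                          # fake clock so the scenario is reproducible
    now = 1_700_000_000.0

class FakeRedis:
    """Stand-in for the redis server: expiring keys, SET NX with TTL, compare-and-delete."""
    def __init__(self):
        self.store = {}
    def get(self, key):
        value, exp = self.store.get(key, (None, None))
        if value is not None and exp is not None and exp <= Clock.now:
            del self.store[key]                                # lazily expire the key
            return None
        return value
    def set(self, key, value, ttl=None):
        self.store[key] = (value, None if ttl is None else Clock.now + ttl)
    def set_nx(self, key, value, ttl):
        if self.get(key) is not None:
            return False
        self.set(key, value, ttl)
        return True
    def delete_if_equal(self, key, value):
        if self.get(key) != value:
            return False
        del self.store[key]
        return True

class FakeOpenPlatform:
    """Stand-in for the interface open platform: verify appid/appsecret, then issue a token."""
    def __init__(self, registry, valid_for=7200):
        self.registry, self.valid_for, self.issued = registry, valid_for, 0
    def new_token(self, appid, appsecret):
        # Assumed "preset format": appid prefixed "wx", 32-char secret, and a registry match.
        if not (appid.startswith("wx") and len(appsecret) == 32
                and self.registry.get(appid) == appsecret):
            raise PermissionError("appid/appsecret verification failed")
        self.issued += 1
        return {"access_token": secrets.token_hex(16), "expires_at": Clock.now + self.valid_for}

class AppServer:
    def __init__(self, name, redis, platform):
        self.name, self.redis, self.platform = name, redis, platform
    def _cached(self, appid):
        raw = self.redis.get(f"access_token:{appid}")          # stored as "value|expires_at"
        if raw is None:
            return None
        value, exp = raw.split("|")
        return {"access_token": value, "expires_at": float(exp)}
    def _still_good(self, token):
        return token is not None and token["expires_at"] - Clock.now > PRESET_DURATION
    def _acquire_lock(self, key, owner):
        for _ in range(LOCK_MAX_ATTEMPTS):
            if self.redis.set_nx(key, owner, LOCK_TTL):
                return True
            Clock.now += LOCK_RETRY_INTERVAL                    # wait the preset interval, retry
        return False                                            # preset count threshold reached
    def get_access_token(self, appid, appsecret):
        token = self._cached(appid)
        if self._still_good(token):
            return token                                        # steps 401-402: served from cache
        lock_key, owner = f"lock:access_token:{appid}", f"{self.name}:{secrets.token_hex(4)}"
        if not self._acquire_lock(lock_key, owner):             # steps 403-404
            raise TimeoutError("distributed lock not acquired within preset count threshold")
        try:
            token = self._cached(appid)                         # re-check: previous holder may have refreshed
            if self._still_good(token):
                return token
            token = self.platform.new_token(appid, appsecret)   # steps 405-406
            self.redis.set(f"access_token:{appid}", f"{token['access_token']}|{token['expires_at']}",
                           ttl=token["expires_at"] - Clock.now)  # step 407: update the cache
            return token
        finally:
            self.redis.delete_if_equal(lock_key, owner)         # step 407: only the holder releases

def run_scenario():
    """Three servers and one appid1; then a near-expiry refresh; then a lock held by a crashed server."""
    redis, appid, appsecret = FakeRedis(), "wxappid1", "a" * 32       # constructed credentials
    platform = FakeOpenPlatform({appid: appsecret})
    servers = [AppServer(f"app{i}", redis, platform) for i in (1, 2, 3)]
    first = [s.get_access_token(appid, appsecret) for s in servers]
    out = {"distinct_first_round": len({t["access_token"] for t in first}),
           "issued_after_first_round": platform.issued,
           "lock_released": redis.get(f"lock:access_token:{appid}") is None}
    Clock.now += 7200 - PRESET_DURATION + 60                          # 39 min left: below the threshold
    refreshed = servers[1].get_access_token(appid, appsecret)
    out["refreshed_is_new"] = refreshed["access_token"] != first[0]["access_token"]
    out["issued_after_refresh"] = platform.issued
    Clock.now += 7200                                                 # cached token fully expired
    redis.set(f"lock:access_token:{appid}", "crashed-holder", LOCK_TTL)
    try:
        servers[2].get_access_token(appid, appsecret)
        out["gave_up_on_held_lock"] = False
    except TimeoutError:
        out["gave_up_on_held_lock"] = True
    return {**out, "issued_at_end": platform.issued}
```

Three choices in the example go beyond what the patent text states and are the ones a reviewer would look for in a real deployment: the lock is taken with an expiry (SET NX with a TTL) so a crashed application server cannot block refreshes forever; release is a compare-and-delete keyed on an owner value (atomic here because the stand-in is single-threaded; against real Redis this is a Lua script), so a server whose lock already expired cannot remove a lock now held by another server; and the cache is re-read after the lock is acquired, so a waiter arriving just behind the refresher serves the fresh token instead of spending one of the open platform's limited token requests and invalidating the token the previous holder just cached. Running `run_scenario()` shows one platform call for the three initial clients, a second call only once the remaining duration drops below the 40-minute threshold, and a TimeoutError after three lock attempts while a stale lock is held.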
  • An embodiment of the present invention provides a computer device, including a program or an instruction.
  • When the program or instruction is executed, it performs the method for determining an access token and any of the optional methods provided in the embodiments of the present invention.
  • An embodiment of the present invention provides a storage medium, including a program or an instruction.
  • When the program or instruction is executed, it performs the method for determining an access token and any of the optional methods provided in the embodiments of the present invention.
  • The embodiments of the present invention may be provided as methods, systems or computer program products. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, optical storage, etc.) having computer-usable program code embodied therein.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instruction means realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Medical Informatics (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Disclosed in the present invention are a method and apparatus for determining an access token. The method comprises: receiving a request for acquiring an access token, wherein the request is sent by a first API client and carries a user credential and a credential key; determining whether an access token corresponding to the user credential is acquired from a preset cache server; when the access token corresponding to the user credential is not acquired from the preset cache server, sending, to the preset cache server, a request for acquiring a distributed lock; and when a target distributed lock that is fed back by the preset cache server is received, sending, on the basis of the user credential and the credential key and to an interface open platform server, the request for acquiring the access token, receiving a new access token that is fed back by the interface open platform server, and sending the new access token to the first API client. By means of the method, a valid and accurate access token can be acquired, thereby improving the efficiency of acquiring the access token.

Description

A method and device for determining an access token
Cross-reference to related applications
This application claims priority to Chinese patent application No. 202111124112.4, entitled "A method and device for determining an access token", filed with the China Patent Office on September 24, 2021, the entire contents of which are incorporated herein by reference.
Technical field
Embodiments of the present invention relate to the field of financial technology (Fintech), and in particular to a method and device for determining an access token.
Background
With the development of computer technology, more and more technologies are being applied in the financial field, and the traditional financial industry is gradually transforming into financial technology. However, the security and real-time requirements of the financial industry also place higher demands on the technology.
At present, in the design of open APIs (Application Programming Interfaces) for apps (applications), most interfaces involve users' personal information and sensitive product data, so these interfaces need to be authenticated in order to protect users' personal information.
When authenticating an interface, the API request client generally sends the server a request for obtaining an access token that carries user authentication information. After receiving the request, the server determines whether the user authentication information is correct; when it is, the server determines the access token (access_token) and returns the access_token to the API request client.
Specifically, since each set of user authentication information corresponds to only one valid access_token within a given period, the application server's interface cannot be called once the corresponding valid access_token has expired. Moreover, since the number of times the application server may obtain an access_token is limited, the access_token needs to be cached in a cache server and periodically re-obtained from the interface open platform so as to update the access_token in the cache server.
However, when the access_token in the cache server has expired and multiple application servers receive API requests at the same time, i.e. multiple application servers need to update the access_token simultaneously, obtaining an access_token from the interface open platform takes a certain amount of time, and only the latest access_token and the one immediately before it have a one-minute coexistence period; all other access_tokens expire.
As a result, of all the API requests made during the period before the new access_token is obtained and returned, only two succeed, and the rest fail because their access_token has expired. It can be seen that the prior art performs poorly at obtaining a valid access token.
Summary of the invention
The present invention provides a method and device for determining an access token, in order to solve the problem in the prior art that valid access tokens are obtained poorly.
In a first aspect, the present invention provides a method for determining an access token, applied to an application server, comprising: receiving a request for obtaining an access token sent by a first API interface client, the request carrying a user credential and a credential key; determining whether an access token corresponding to the user credential is obtained from a preset cache server; when the access token corresponding to the user credential is not obtained from the preset cache server, sending a request for acquiring a distributed lock to the preset cache server, the distributed lock being used to control the application servers so that only one application server updates the access token at any one time; and when the target distributed lock fed back by the preset cache server is received, sending a request for obtaining an access token to the interface open platform server based on the user credential and the credential key, receiving a new access token fed back by the interface open platform server, and sending the new access token to the first API interface client.
In the above method, when the preset cache server holds no access token corresponding to the user credential, a request for acquiring a distributed lock is sent to the preset cache server; once the target distributed lock fed back by the preset cache server is received, the lock guarantees that only this application server is updating the access token, which guarantees the uniqueness and validity of the newly obtained access token and avoids the situation in which an expired access token is obtained.
Optionally, after determining whether the access token corresponding to the user credential is obtained from the preset cache server, the method further comprises: when it is determined that the access token corresponding to the user credential is obtained from the preset cache server, verifying the valid duration of the corresponding access token; and when the valid duration verification of the corresponding access token passes, sending the corresponding access token to the first API interface client.
In the above method, when the access token corresponding to the user credential is obtained from the preset cache server, it is not returned directly to the first API interface client; instead its valid duration is verified first, so that the access token finally returned to the first API interface client is valid as far as possible.
Optionally, verifying the valid duration of the corresponding access token comprises: determining the remaining valid duration of the corresponding access token; determining whether the remaining valid duration is greater than a preset duration, the preset duration being determined from the data refresh duration and the guaranteed duration of the preset cache server; and when the remaining valid duration is greater than the preset duration, determining that the valid duration verification of the corresponding access token passes.
The above method provides a specific way of verifying the valid duration of the access token corresponding to the user credential, by which the verification can be carried out simply and efficiently.
Optionally, after determining whether the remaining valid duration is greater than the preset duration, the method further comprises: when the remaining valid duration is not greater than the preset duration, sending a request for acquiring a distributed lock to the preset cache server.
The above method provides a way of obtaining a new access token when an access token exists but is about to expire or has already expired, so that the application server can obtain a valid access token.
Optionally, after sending the request for acquiring a distributed lock to the preset cache server, the method further comprises: determining whether a first time interval, from the moment the request for acquiring the distributed lock was sent to the current moment, has reached a preset time interval; and when the first time interval has reached the preset time interval and the target distributed lock has not been received, sending the request for acquiring a distributed lock to the preset cache server again.
With the above method, requests for acquiring the distributed lock can be sent to the preset cache server at regular intervals, so as to ensure as far as possible that the preset cache server receives a request for the distributed lock and responds to it.
Optionally, after it is determined that the first time interval has reached the preset time interval and before the request for acquiring a distributed lock is sent to the preset cache server, the method further comprises: determining whether the cumulative number of requests for acquiring a distributed lock sent to the preset cache server for the first API interface client has reached a preset count threshold; and when the cumulative number has not reached the preset count threshold, sending the request for acquiring a distributed lock to the preset cache server.
With the above method, the number of attempts to acquire the distributed lock can be limited, extending the service life of the application server as far as possible while still meeting the need to acquire the lock.
Optionally, the access token in the preset cache server is updated according to the access token determined by a timed task in a timer corresponding to the preset cache server.
With the above method, the access token in the preset cache server is updated automatically by the timed task, ensuring as far as possible that the access token in the preset cache server remains within its validity period.
In a second aspect, the present invention provides a device for determining an access token, applied to an application server, comprising: a receiving unit, configured to receive a request for obtaining an access token sent by a first API interface client, the request carrying a user credential and a credential key; an obtaining unit, configured to determine whether an access token corresponding to the user credential is obtained from a preset cache server; a sending unit, configured to send a request for acquiring a distributed lock to the preset cache server when the access token corresponding to the user credential is not obtained from the preset cache server, the distributed lock being used to control the application servers so that only one application server updates the access token at any one time; and a processing unit, configured to, when the target distributed lock fed back by the preset cache server is received, send a request for obtaining an access token to the interface open platform server based on the user credential and the credential key, receive the new access token fed back by the interface open platform server, and send the new access token to the first API interface client.
Optionally, the device further comprises a verification unit, configured to: when it is determined that the access token corresponding to the user credential is obtained from the preset cache server, verify the valid duration of the corresponding access token; and when the valid duration verification of the corresponding access token passes, send the corresponding access token to the first API interface client.
Optionally, the verification unit is specifically configured to: determine the remaining valid duration of the corresponding access token; determine whether the remaining valid duration is greater than a preset duration, the preset duration being determined from the data refresh duration and the guaranteed duration of the preset cache server; and when the remaining valid duration is greater than the preset duration, determine that the valid duration verification of the corresponding access token passes.
Optionally, the verification unit is further configured to: when the remaining valid duration is not greater than the preset duration, send a request for acquiring a distributed lock to the preset cache server.
Optionally, after the request for acquiring a distributed lock is sent to the preset cache server, the device further comprises a judging unit, configured to: determine whether a first time interval, from the moment the request for acquiring the distributed lock was sent to the current moment, has reached a preset time interval; and when the first time interval has reached the preset time interval and the target distributed lock has not been received, send the request for acquiring a distributed lock to the preset cache server again.
可选的,在确定所述第一时间间隔达到所述预设时间间隔之后,向所述预设缓存服务器发送获取分布式锁的请求之前,所述判断单元还用于:针对所述第一API接口客户端,向所述预设缓存服务器发送获取分布式锁的请求的累积次数是否达到预设次数阈值;当确定所述累积次数未达到所述预设次数阈值时,向所述预设缓存服务器发送获取分布式锁的请求。Optionally, after determining that the first time interval reaches the preset time interval, before sending a request for acquiring a distributed lock to the preset cache server, the judging unit is further configured to: for the first time interval The API interface client sends to the preset cache server whether the cumulative number of requests for acquiring distributed locks reaches the preset threshold; when it is determined that the cumulative number of times does not reach the preset threshold, the preset The cache server sends a request to acquire a distributed lock.
可选的,所述预设缓存服务器中的访问令牌,基于所述预设缓存服务器对应的定时器中的定时任务确定的访问令牌对应更新。Optionally, the access token in the preset cache server is correspondingly updated based on the access token determined by the timed task in the timer corresponding to the preset cache server.
上述第二方面及第二方面各个可选装置的有益效果,可以参考上述第一方面及第一方面各个可选方法的有益效果,这里不再赘述。For the beneficial effects of the above-mentioned second aspect and each optional device of the second aspect, reference may be made to the beneficial effects of the above-mentioned first aspect and each optional method of the first aspect, which will not be repeated here.
第三方面,本发明提供一种计算机设备,包括程序或指令,当所述程序或指令被执行时,用以执行上述第一方面及第一方面各个可选的方法。In a third aspect, the present invention provides a computer device, including a program or an instruction, and when the program or instruction is executed, is used to execute the above-mentioned first aspect and each optional method of the first aspect.
第四方面,本发明提供一种存储介质,包括程序或指令,当所述程序或指令被执行时,用以执行上述第一方面及第一方面各个可选的方法。In a fourth aspect, the present invention provides a storage medium, including a program or an instruction, and when the program or instruction is executed, is used to execute the above-mentioned first aspect and each optional method of the first aspect.
Description of the drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below.
FIG. 1 is a schematic diagram of the method for determining an access token provided by an embodiment of the present invention;
FIG. 2 is a schematic flowchart of the steps of a method for determining an access token provided by an embodiment of the present invention;
FIG. 3 is a schematic flowchart of further steps of a method for determining an access token provided by an embodiment of the present invention;
FIG. 4 is a signalling interaction diagram between an application server, a preset cache server and an interface open platform server provided by an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an apparatus for determining an access token provided by an embodiment of the present invention.
Detailed description of the embodiments
For a better understanding of the above technical solution, it is described in detail below with reference to the accompanying drawings and specific implementations. It should be understood that the embodiments of the present invention and the specific features in them are a detailed explanation of the technical solution of the present invention and not a limitation of it; where there is no conflict, the embodiments and the technical features in them may be combined with one another.
It should be noted that the terms "first", "second" and the like in the specification and claims of the present invention are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that the objects so designated are interchangeable where appropriate, so that the embodiments of the invention described here can be practised in sequences other than those illustrated or described. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of apparatus and methods consistent with some aspects of the invention as detailed in the appended claims.
To facilitate understanding of the technical solutions provided by the embodiments of the present invention, some key terms used in the embodiments are explained first:
access_token: the access token, the globally unique interface-call credential with which an application accesses the server corresponding to the interface open platform.
appid: the user credential, the unique third-party user credential assigned to each third-party user by the server corresponding to the interface open platform;
appsecret: the credential key, also referred to as the secret key, the unique third-party user credential key assigned to each third-party user by the server corresponding to the interface open platform. It is a shared secret known to both the third party and the platform, which the platform checks when an access_token is requested, not the private half of an asymmetric key pair;
redis (Remote Dictionary Server): an open-source, network-capable key-value database that can run in memory or be persisted and keeps a log, with APIs in many languages; in other words, a high-performance key-value cache server;
Interface open platform: a software system that exposes its API (Application Programming Interface) or functions so that external programs can extend the system's functionality or use its resources without modifying its source code; the platform that provides the open API is itself called the interface open platform.
The design idea of the embodiments of the present invention is briefly introduced below:
At present, in the design of open APIs for APPs (applications), most interfaces involve users' personal information and sensitive product data, so calls to these interfaces must be authenticated in order to protect that information.
Specifically, interface authentication generally works as follows: the API request client sends the server a request for obtaining an access token that carries the user's authentication information; on receiving the request, the server checks whether the authentication information is correct and, if it is, determines the access token access_token and returns it to the API request client.
However, access_token has the following characteristics: for each set of user authentication information, only one access_token is allowed to be valid at a time; calling an interface of the application server with an access_token that has passed its validity period returns an error to the client that sent the API request; and the number of times an application server may obtain an access_token is limited, for example to at most 8000 times per day per application server. The access_token therefore has to be cached in a cache server and refreshed periodically.
However, because the access_token is only stored in the corresponding cache server, when the cached access_token expires and several servers update it at the same time, an access_token that has already been invalidated may be written back into the cache server, so that some servers end up with an expired access_token.
For example, the application server receives the first API request and fetches the access_token from the cache server. Finding that the access_token has passed its validity period, it has to request a new access_token from the server corresponding to the interface open platform and, once it has obtained one, updates the access_token in the cache server.
However, if a second API request arrives before the access_token requested for the first API request has been returned by the server corresponding to the interface open platform, that request also reads the access_token from the cache server. Because the new access_token for the first request has not yet been written back, the cached access_token is still the old, expired one, so the second request likewise applies to the interface open platform for a new access_token and, on receiving it, likewise updates the cache server.
Specifically, obtaining an access_token from the interface open platform takes some time, and until the new access_token has been returned every API request in that window reads the same expired access_token from the cache server and triggers its own application to the interface open platform for an access_token. The interface open platform thus receives many requests for an access_token, returns the latest access_token to each, and each caller in turn updates the access_token in the cache server.
In practice the interface open platform accepts only the latest access_token, with a one-minute coexistence period during which the immediately preceding access_token also remains valid; all earlier access_tokens are invalidated. Of all the API requests made in the window before the new access_token is returned, only two therefore succeed, and the rest fail because their access_token has been invalidated.
In view of this, the embodiments of the present invention provide a method for determining an access token in which a distributed lock ensures that only one application server at a time updates the access_token, while all other servers obtain the access_token from the cache server. This guarantees that the access_token is unique, so that call authentication for every API request works normally.
Having introduced the design idea of the embodiments of the present invention, the application scenarios to which the technical solution for determining an access token applies are briefly described next. It should be noted that the application scenarios described in the embodiments serve only to explain the technical solutions more clearly and do not limit them; those of ordinary skill in the art will appreciate that, as new application scenarios emerge, the technical solutions provided by the embodiments apply equally to similar technical problems.
In the embodiment of the present invention, reference is made to the application scenario shown in FIG. 1, which comprises an electronic device 101, application servers 102, a preset cache server 103 and a server 104 corresponding to the interface open platform. The electronic device 101 can communicate with the application servers 102, and the application servers 102 can communicate with the preset cache server 103 and the server 104, for example through direct or indirect wired or wireless connections; the present invention does not limit this. The application servers 102 comprise application server 102-1, application server 102-2, ..., application server 102-n, where n is a positive integer greater than 2. For ease of description, the "server corresponding to the interface open platform" is referred to hereafter as the "interface open platform server".
In this scenario, one application system is deployed on n application servers 102. To ensure that a single access_token corresponds to exactly one appid on the interface open platform, i.e. that the access_token is consistent across the servers, the access_token obtained from the interface open platform using the appid and appsecret is placed in the preset cache server 103; when an API interface is called, the access_token is fetched from the preset cache server 103 for the interaction with the interface open platform.
In this scenario, the electronic device 101 that sends the request for obtaining an access token interacts each time with one application server 102 (for example application server 102-1). When application server 102-1 cannot find, in the corresponding preset cache server 103, an access_token corresponding to the user credential appid carried in the request, it sends a request for obtaining an access_token to the server 104 corresponding to the interface open platform, thereby determines the new access_token corresponding to the user credential appid, and writes the new access_token into the preset cache server 103. It should be noted that which server the electronic device 101 actually interacts with may be determined by the application system according to the load of the individual application servers; the present invention does not limit this.
Specifically, the preset cache server may be a redis server, or any other server capable of caching data; the present invention does not limit this.
The application servers 102, the preset cache server 103 and the server 104 may each be an independent physical server, a server cluster or distributed system made up of several physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms. The electronic device 101 may be a smartphone, tablet computer, laptop computer, desktop computer, smart TV, smart wearable device or the like, or may itself be a server, but is not limited to these.
To further explain the method for determining an access token provided by the embodiments of the present invention, it is described in detail below with reference to the drawings and specific implementations. Although the embodiments provide the method operation steps shown in the following embodiments or drawings, the method may include more or fewer operation steps based on routine practice or without creative effort. For steps that have no necessary logical causal relationship, the order of execution is not limited to that given in the embodiments. In actual processing, or when executed by an apparatus, the method may be performed in the order shown in the embodiments or drawings, or in parallel (for example in a parallel-processor or multi-threaded environment).
The method for determining an access token in the embodiment of the present invention is described below with reference to the method flowchart shown in FIG. 2.
Step 201: receive a request for obtaining an access token sent by a first API interface client, the request carrying a user credential and a credential key.
Step 202: determine whether the access token corresponding to the user credential is obtained from a preset cache server.
In this embodiment of the application, the application server may receive the request for obtaining an access token sent by the first API interface client, the request carrying a user credential and a credential key, and then determine whether the access token corresponding to the user credential is obtained from the preset cache server. Specifically, when the access token corresponding to the user credential is not obtained from the preset cache server, step 203 is performed.
When the access token corresponding to the user credential can be obtained from the preset cache server, its validity duration is verified; when the validity duration verification of the access token corresponding to the user credential passes, that access token is sent to the first API interface client.
In the embodiment of the present invention, the validity duration of the access token corresponding to the user credential may be verified by, but not limited to, the following steps:
Step a: determine the remaining validity duration of the access token corresponding to the user credential.
In the embodiment of the present invention, the application server may parse the information of the access token corresponding to the user credential and determine its remaining validity duration. Specifically, the application server may determine the remaining validity duration from the expiry time and validity duration associated with the access token. Because this comparison is made against the application server's own clock, clock skew between the application servers and the server that set the expiry time directly shrinks or inflates the effective guard duration, so the servers' clocks should be kept synchronised.
Step b: determine whether the remaining validity duration is greater than a preset duration, the preset duration being determined from the data refresh period of the preset cache server and a guard duration.
In the embodiment of the present invention, if the data refresh period of the preset cache server is 30 minutes and the guard duration is 10 minutes, the preset duration may be 40 minutes. The data refresh period may be any duration within 0 to 120 minutes and is determined according to the actual implementation; this application does not limit it.
In the embodiment of the present invention, once the remaining validity duration and the preset duration have been determined, they are compared. Specifically, when the remaining validity duration is greater than the preset duration, step c is performed; when the remaining validity duration is not greater than the preset duration, step d is performed.
Step c: when the remaining validity duration is greater than the preset duration, determine that the validity duration verification of the access token corresponding to the user credential passes.
Step d: when the remaining validity duration is not greater than the preset duration, send a request for acquiring a distributed lock to the preset cache server.
This effectively prevents the situation in which the access_token has little remaining validity, for example 0 minutes, but the refresh time of the preset cache server has not yet arrived, so that the access_token has in fact already expired during that interval; in other words, it ensures that the access_token finally obtained is valid.
Step 203: when the access token corresponding to the user credential is not obtained from the preset cache server, send a request for acquiring a distributed lock to the preset cache server; the distributed lock is used to control the application servers so that only one application server updates the access token at any one time.
In the embodiment of the present invention, when the access token corresponding to the user credential is not obtained from the preset cache server, a request for acquiring a distributed lock is sent to the preset cache server. If the target distributed lock is not received, the application server may determine whether a first time interval, from the moment the request for acquiring the distributed lock was sent to the current moment, has reached a preset time interval; when the first time interval has reached the preset time interval and the target distributed lock still has not been received, another request for acquiring the distributed lock is sent to the preset cache server.
Thus, in the embodiment of the present invention, when the application server fails to obtain the target distributed lock on its first attempt, it may continue to send requests for acquiring the distributed lock to the preset cache server after the preset time interval.
In the embodiment of the present invention, after the application server has determined that the first time interval has reached the preset time interval and before it sends the request for acquiring the distributed lock to the preset cache server, it may further determine, for the first API interface client, whether the cumulative number of requests for acquiring the distributed lock sent to the preset cache server has reached a preset count threshold; when the cumulative number has not reached the preset count threshold, the request for acquiring the distributed lock is sent to the preset cache server.
Clearly, when the application server fails to obtain the target distributed lock the first time, it may try again after the preset interval, and the number of retries must remain below the preset count threshold; for example, the application server may retry every 100 milliseconds, at most 10 times, until it obtains the target distributed lock.
Step 204: on receiving the target distributed lock returned by the preset cache server, send a request for obtaining an access token to the interface open platform server based on the user credential and the credential key, receive the new access token returned by the interface open platform server, and send the new access token to the first API interface client.
In the embodiment of the present invention, when the application server receives the target distributed lock returned by the preset cache server, it sends a request for obtaining an access token to the interface open platform server based on the user credential and the credential key. The interface open platform server then checks whether the user credential and the credential key conform to the corresponding preset format; if they do, the user credential and the credential key are deemed verified, and the interface open platform server returns a new token to the application server. The application server thus receives the new access token returned by the interface open platform server and sends it to the first API interface client.
Further, the application server may also update the access token in the cache server with the new access token and release the target distributed lock, so that other application servers can acquire the target distributed lock and obtain a new access token.
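As an added illustration (example code written for this page, not code from the patent or from its applicant), the following Python program models the flow of steps 202 to 204 with the parameters given in the description: a 40-minute threshold derived from the 30-minute refresh period and the 10-minute guard duration, and lock retries every 100 milliseconds, at most 10 times. The same sequence, including the re-check of the cache after the lock has been obtained, is what the timed task described next runs on its 30-minute schedule, and the program also reproduces the race from the background discussion, in which several servers read the same stale access_token and each applies for a new one although the platform accepts only the latest token and, for one minute, its predecessor. The classes OpenPlatformServer, CacheServer and AppServer, the two-hour token lifetime, the 30-second lock expiry and the decision to give up after the tenth retry are assumptions of the example; the appid, appsecret and token values are constructed.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

REFRESH_PERIOD, GUARD_DURATION = 30 * 60, 10 * 60   # cache data refresh period and guard duration (seconds)
PRESET_DURATION = REFRESH_PERIOD + GUARD_DURATION   # 40 min: refresh when less than this remains
TOKEN_TTL = 2 * 3600          # assumed lifetime of a platform-issued token
COEXIST_WINDOW = 60           # the previous token stays valid one minute after its replacement
LOCK_TTL = 30                 # assumed lock expiry, so a crashed holder cannot block refreshes forever
LOCK_RETRY_INTERVAL, LOCK_MAX_RETRIES = 0.1, 10     # retry every 100 ms, at most 10 times


class OpenPlatformServer:   # constructed stand-in: only the newest token (and its predecessor for one minute) is accepted
    def __init__(self, credentials):
        self.credentials = credentials   # appid -> appsecret (a shared secret)
        self.issued = []                 # (token, issued_at), oldest first

    def get_access_token(self, appid, appsecret, now):
        if self.credentials.get(appid) != appsecret:
            raise PermissionError("appid/appsecret rejected")
        token = f"tok-{len(self.issued) + 1}"
        self.issued.append((token, now))
        return {"access_token": token, "expires_at": now + TOKEN_TTL, "expires_in": TOKEN_TTL}

    def is_valid(self, token, now):
        order = [t for t, _ in self.issued]
        if token not in order or now > dict(self.issued)[token] + TOKEN_TTL:
            return False
        i, last = order.index(token), len(order) - 1
        return i == last or (i == last - 1 and now <= self.issued[last][1] + COEXIST_WINDOW)


class CacheServer:          # constructed stand-in for redis: plain dict GET/SET plus a SET NX style lock with TTL
    def __init__(self):
        self._mu = threading.Lock()
        self.tokens, self.locks = {}, {}   # tokens: appid -> record; locks: key -> (owner, expires_at)

    def try_lock(self, key, owner, now):
        with self._mu:                     # check-and-set must be one atomic step, as SET key owner NX PX is
            held = self.locks.get(key)
            if held and held[1] > now:
                return False
            self.locks[key] = (owner, now + LOCK_TTL)
            return True

    def unlock(self, key, owner):
        with self._mu:
            if self.locks.get(key, (None, 0))[0] == owner:   # only the holder may release
                del self.locks[key]


def remaining_ok(record, now):   # steps b/c: pass only if more than PRESET_DURATION of validity remains
    return record is not None and record["expires_at"] - now > PRESET_DURATION


class AppServer:
    def __init__(self, name, cache, platform):
        self.name, self.cache, self.platform = name, cache, platform

    def refresh(self, appid, appsecret, now):
        record = self.platform.get_access_token(appid, appsecret, now)
        self.cache.tokens[appid] = record
        return record["access_token"]

    def get_access_token(self, appid, appsecret, now):
        record = self.cache.tokens.get(appid)                    # step 202
        if remaining_ok(record, now):
            return record["access_token"]
        key = f"lock:access_token:{appid}"
        for _ in range(LOCK_MAX_RETRIES + 1):                    # step 203, with retries
            if self.cache.try_lock(key, self.name, now):
                break
            time.sleep(LOCK_RETRY_INTERVAL)
        else:
            raise RuntimeError("distributed lock not acquired")  # assumed: give up after the retries
        try:
            record = self.cache.tokens.get(appid)                # re-check under the lock (timed task step d)
            return record["access_token"] if remaining_ok(record, now) else self.refresh(appid, appsecret, now)
        finally:
            self.cache.unlock(key, self.name)                    # step 204 done: let the other servers in


def simulate(n_servers, use_lock, now=1_000_000):
    """Returns (tokens issued by the platform, servers holding an accepted token, distinct tokens)."""
    platform, cache = OpenPlatformServer({"wx-app": "s3cret"}), CacheServer()
    servers = [AppServer(f"app-{i}", cache, platform) for i in range(n_servers)]
    if use_lock:                                                 # every server reaches step 202 at the same instant
        start = threading.Barrier(n_servers)

        def run(i):
            start.wait()
            return servers[i].get_access_token("wx-app", "s3cret", now)

        with ThreadPoolExecutor(max_workers=n_servers) as pool:
            tokens = list(pool.map(run, range(n_servers)))
    else:                                                        # the background race: every request reads the
        seen = [cache.tokens.get("wx-app") for _ in servers]     # stale cache before the first refresh returns
        tokens = [r["access_token"] if remaining_ok(r, now) else s.refresh("wx-app", "s3cret", now)
                  for s, r in zip(servers, seen)]
    return len(platform.issued), sum(platform.is_valid(t, now) for t in tokens), len(set(tokens))
```

simulate(5, use_lock=False) returns (5, 2, 5): five tokens issued, of which the platform accepts only two, and every server holds a different one; simulate(5, use_lock=True) returns (1, 5, 1). Two details matter in practice. The lock carries an expiry and is released only by its owner, so a crashed application server cannot block refreshes indefinitely and a slow one cannot release a lock that has since passed to another server. And the cache is read again after the lock has been obtained: without that re-check, the second server to win the lock would fetch a second token and invalidate the one the first server had just cached.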
Optionally, in the embodiment of the present invention, the access token in the preset cache server is updated according to the access token determined by a timed task in the timer corresponding to the preset cache server.
For example, with a timed task enabled that updates the target access_token in the preset cache server every 30 minutes, the specific procedure is as follows:
a): Enable the timed task of the timer in the redis server. Every 30 minutes, read the target access_token from the redis server cache and check whether it exists; if the target access_token does not exist, the application server needs to obtain the target access_token from the interface open platform server;
b): If the target access_token exists, check whether its remaining validity duration is greater than 40 minutes, 40 minutes being determined from the guard duration of 10 minutes and the scheduled refresh period of 30 minutes; if the remaining validity duration is less than 40 minutes, the application server needs to obtain a new access_token from the open platform;
c): Request the distributed lock from the redis server. If acquiring the target distributed lock fails, retry every 100 milliseconds, at most 10 times, until the distributed lock is acquired; if all 10 consecutive attempts to acquire the redis distributed lock fail, exit this run of the timed task;
d): When the target distributed lock has been acquired, read the target access_token from the redis server cache again and check whether it exists. If the remaining validity duration of the access_token read from the cache is greater than 40 minutes, the target access_token has already been updated by another application server's timer or API call, so exit this run of the timed task;
e): If the target access_token does not exist in the redis server cache, or its remaining validity duration is less than 40 minutes, apply to the interface open platform server for the latest access_token; if the access_token is obtained from the open platform successfully, write the latest access_token into the redis cache, the record comprising the access_token value, its expiry time and its validity duration;
f):释放redis分布式锁。f): Release the redis distributed lock.
可见,可以基于redis服务器中的定时器,对redis服务器中缓存的访问令牌进行更新, 从而尽量确保redis服务器中缓存的访问令牌也是处于有效期内,且由于更新时所获取的访问令牌是从接口开放平台服务器中对应确定,即redis服务器中保存的访问令牌均是接口开放平台服务器生成的,且访问令牌均与用户凭证关联存储,因而后续应用服务器,可以基于用户凭证从redis服务器中获取其对应的访问令牌。It can be seen that the access token cached in the redis server can be updated based on the timer in the redis server, so as to ensure that the access token cached in the redis server is also within the validity period, and because the access token obtained during the update is Correspondingly determined from the interface open platform server, that is, the access tokens stored in the redis server are all generated by the interface open platform server, and the access tokens are all stored in association with user credentials, so subsequent application servers can be accessed from the redis server based on user credentials Obtain its corresponding access token from .
Refer to FIG. 3, which is a schematic diagram of determining an access token according to an embodiment of the present application.
Step 301: Receive a request for obtaining an access token sent by the first API interface client;
Step 302: Determine whether the preset cache server holds an access token corresponding to the user credential carried in the request for obtaining the access token. If the preset cache server holds such an access token, perform step 305; if it does not, perform step 303.
Step 303: Send a request for obtaining a new access token to the interface open platform server, so that the interface open platform server generates a new access token from the user credential and credential key using an encryption algorithm.
Step 304: Receive the new access token sent by the interface open platform server.
Step 305: Validate the access token corresponding to the user credential; if the access token fails validation, perform step 306; if it is valid, perform step 308.
Step 306: When the access token fails validation, send a request for obtaining a new access token to the interface open platform server, so that the interface open platform server generates a new access token from the user credential and credential key using an encryption algorithm.
Step 307: Receive the new access token sent by the interface open platform server.
Step 308: Send the access token to the first API interface client.
It can be seen that when a client sends an API request, it needs to obtain an access_token from the interface open platform for authentication; only when authentication passes is it allowed to access the corresponding interface of the interface open platform. The access_token is a unique access identifier obtained from the interface open platform using the appid and secret; it can be used for authentication only while it is within its validity period, otherwise access is denied.
Refer to FIG. 4, a signaling interaction diagram of the application server, the preset cache server and the interface open platform server provided by an embodiment of the present invention.
Step 401: The application server sends a request to the redis server to obtain the target access_token corresponding to the appid.
In this embodiment of the invention, the application server may receive a request for obtaining an access token sent by the client; the request carries the appid and app secret, so the application server can send the redis server a request for the target access_token corresponding to the appid.
Step 402: The redis server determines whether the target access_token exists. If it exists, it feeds the target access_token back to the application server; if not, it returns a failure indication to the application server, and the application server performs step 403.
In this embodiment of the invention, when the application server obtains the target access_token from the redis server, it still needs to determine whether the target access_token has expired; if it has, the latest access_token still needs to be obtained from the interface open platform server. When the target access_token is within its validity period, the client can use it to make the API call.
In this embodiment of the invention, if a new API request has to be executed before the timer task has obtained the latest access_token corresponding to the appid from the interface open platform server, there is no access_token at that point, and so the target access_token does not yet exist in the redis server.
Step 403: The application server sends a request to the redis server to acquire the redis distributed lock.
Step 404: The redis server returns the target distributed lock to the application server.
Step 405: Based on the appid and appsecret carried in the client's request for obtaining an access token, the application server sends the interface open platform server a request for a new access_token corresponding to the appid.
Step 406: The interface open platform server returns the new access_token corresponding to the appid to the application server.
Step 407: The application server sends the new access_token corresponding to the appid to the redis server and releases the target distributed lock.
In this way, the redis distributed lock guarantees that only one server updates the access_token at a time while the other servers obtain it from the redis cache, which keeps the access_token unique and keeps API call authentication working normally.
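As an added example (not code from the patent or its applicant), the refresh procedure of steps a)-f), the request flow of steps 301-308 and the signaling of steps 401-407 are combined in one Python routine: cache lookup, the 40-minute remaining-validity check, lock acquisition with 10 retries at 100 ms, a re-read under the lock, the fetch from the open platform, and an owner-checked release. The redis server and the interface open platform server are replaced by in-memory stand-ins, and the lock TTL, the credential-format rule and the 7200 s token lifetime are assumptions the page does not state.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Timing constants from steps a)-b): refresh every 30 min with a 10 min guard,
# so a cached token is reused only while more than 40 min of validity remain.
REFRESH_INTERVAL_S = 30 * 60
GUARD_S = 10 * 60
PRESET_THRESHOLD_S = REFRESH_INTERVAL_S + GUARD_S
LOCK_RETRY_INTERVAL_S = 0.1   # step c): retry every 100 ms ...
LOCK_MAX_ATTEMPTS = 10        # ... for at most 10 attempts
LOCK_TTL_S = 10               # assumed lock expiry so a crashed holder cannot block forever


@dataclass
class CachedToken:
    """What step e) stores: the token value, its expiry time and its validity period."""
    value: str
    expires_at: float
    valid_for_s: int


class FakeCache:
    """In-memory stand-in for the redis server (constructed for this example)."""
    def __init__(self, clock: Callable[[], float]) -> None:
        self.clock = clock
        self.tokens = {}   # appid -> CachedToken
        self.locks = {}    # appid -> (owner, lock expiry)
    def get_token(self, appid: str) -> Optional[CachedToken]:
        return self.tokens.get(appid)
    def set_token(self, appid: str, tok: CachedToken) -> None:
        self.tokens[appid] = tok
    def try_lock(self, appid: str, owner: str) -> bool:
        """Mimics SET lock:<appid> <owner> NX PX <ttl>: succeeds only when no live lock exists."""
        now = self.clock()
        held = self.locks.get(appid)
        if held is None or held[1] <= now:
            self.locks[appid] = (owner, now + LOCK_TTL_S)
            return True
        return False
    def unlock(self, appid: str, owner: str) -> bool:
        """Release only if this owner still holds the lock, so a late release cannot drop another server's lock."""
        held = self.locks.get(appid)
        if held is not None and held[0] == owner:
            del self.locks[appid]
            return True
        return False


class FakeOpenPlatform:
    """Stand-in for the interface open platform server. The page only says the
    credentials must match a preset format; the rule used here is an assumption."""
    def __init__(self, clock: Callable[[], float], ttl_s: int = 7200) -> None:
        self.clock, self.ttl_s = clock, ttl_s
        self.issued = 0   # tokens generated so far, to show the lock's effect
    def get_access_token(self, appid: str, secret: str) -> Optional[CachedToken]:
        if not (appid.isalnum() and len(secret) >= 8):
            return None
        self.issued += 1
        return CachedToken(secrets.token_hex(16), self.clock() + self.ttl_s, self.ttl_s)


def remaining_ok(tok: Optional[CachedToken], now: float) -> bool:
    """Validity check of step b) and claim 3: more than the preset 40 min must remain."""
    return tok is not None and (tok.expires_at - now) > PRESET_THRESHOLD_S


def acquire_lock_with_retry(cache: FakeCache, appid: str, owner: str,
                            sleep: Callable[[float], None] = time.sleep) -> bool:
    """Step c) and claims 5-6: retry every 100 ms, give up after 10 attempts."""
    for _ in range(LOCK_MAX_ATTEMPTS):
        if cache.try_lock(appid, owner):
            return True
        sleep(LOCK_RETRY_INTERVAL_S)
    return False


def determine_access_token(cache: FakeCache, platform: FakeOpenPlatform, appid: str,
                           secret: str, owner: str,
                           sleep: Callable[[float], None] = time.sleep) -> Optional[CachedToken]:
    """One application server handling steps 301-308 / 401-407; the timer task of
    steps a)-f) runs the same body without a waiting client."""
    tok = cache.get_token(appid)
    if remaining_ok(tok, cache.clock()):          # steps 302 and 305 -> 308
        return tok
    if not acquire_lock_with_retry(cache, appid, owner, sleep):
        return None                                # lock never obtained: give up this request
    try:
        tok = cache.get_token(appid)               # step d): re-read under the lock
        if remaining_ok(tok, cache.clock()):
            return tok                             # another server already refreshed it
        new_tok = platform.get_access_token(appid, secret)   # steps 303/306, 405-406
        if new_tok is not None:
            cache.set_token(appid, new_tok)        # step e), 407
        return new_tok
    finally:
        cache.unlock(appid, owner)                 # step f)
```

With three servers calling `determine_access_token` for the same appid1/appsecret1 in sequence, the open platform issues exactly one token and all three clients receive it; a caller that cannot obtain the lock after 10 attempts returns nothing rather than issuing a competing token.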
To better illustrate the solution provided by the embodiments of the invention, a specific embodiment is described below.
Assume that the first, second and third clients each send a request for obtaining an access token carrying the same appid1 and appsecret1, and that in chronological order the first client sends the first request, the second client the second, and the third client the third; application server 1, application server 2 and application server 3 receive the first, second and third API requests for obtaining an access token respectively.
Specifically, application server 1 may determine whether it obtains the access token corresponding to appid1 from the redis server; if not, it sends the redis server a request to acquire the distributed lock. When it receives the target distributed lock fed back by the redis server, it sends an access-token acquisition request to the interface open platform server based on appid1 and appsecret1. The interface open platform server then determines whether appid1 and appsecret1 conform to their corresponding preset formats; if they do, appid1 and appsecret1 are deemed verified, and once they are verified a new access token can be fed back to application server 2, so that application server 1 can receive the new access token fed back by the interface open platform server.
Further, application server 1 may send the new access token to the first client and then send it to the redis server, so that the redis server updates the access token corresponding to appid1; from that moment on, the redis server caches the latest access token corresponding to appid1. It can be seen that the first client obtains a valid access token.
Specifically, application server 2 may verify appid1 and appsecret1; once they pass verification, it determines whether it obtains the access token corresponding to appid1 from the redis server. When the redis server holds the access token updated by application server 1, the access token corresponding to appid1 is obtained and its validity period is verified; for details see steps a)-d) above, which are not repeated here. When application server 2 determines that the access token passes validity-period verification, it may send that access token to the second client and then to the redis server, so that the redis server updates the access token corresponding to appid1; from that moment on, the redis server caches that access token. It can be seen that the second client obtains a valid access token.
In addition, when application server 2 does not obtain the access token corresponding to appid1 from the redis server, it sends the redis server a request to acquire the distributed lock. When it receives the target distributed lock fed back by the redis server, it sends an access-token acquisition request to the interface open platform server based on appid1 and appsecret1. The interface open platform server then determines whether appid1 and appsecret1 conform to their corresponding preset formats; if they do, appid1 and appsecret1 are deemed verified, and once they are verified a new access token can be fed back to application server 2.
Further, application server 2 may receive the new access token fed back by the interface open platform server, send it to the second client, and then send it to the redis server, so that the redis server updates the access token corresponding to appid1; from that moment on, the redis server caches the latest token corresponding to appid1, so the second client obtains a valid access token.
Specifically, application server 3 may verify appid1 and appsecret1; once they pass verification, it determines whether it obtains the access token corresponding to appid1 from the redis server. When the redis server holds the access token updated by application server 1 or application server 2, the access token corresponding to appid1 is obtained and its validity period is verified; for details see steps a)-d) above, which are not repeated here. When application server 3 determines that the access token passes validity-period verification, it may send that access token to the third client and then to the redis server, so that the redis server updates the access token corresponding to appid1; from that moment on, the redis server caches that access token. It can be seen that the third client obtains a valid access token.
In addition, when application server 3 does not obtain the access token corresponding to appid1 from the redis server, it sends the redis server a request to acquire the distributed lock. When it receives the target distributed lock fed back by the redis server, it sends an access-token acquisition request to the interface open platform server based on appid1 and appsecret1. The interface open platform server then determines whether appid1 and appsecret1 conform to their corresponding preset formats; if they do, appid1 and appsecret1 are deemed verified, and once they are verified a new access token can be fed back to application server 3.
Further, application server 3 may receive the new access token fed back by the interface open platform server, send it to the third client, and then send it to the redis server, so that the redis server updates the access token corresponding to appid1; from that moment on, the redis server caches the latest token corresponding to appid1, so the third client obtains a valid access token.
It should be noted that if the first, second and third clients target different appids, each can proceed as the first client does in the preceding example and thereby obtain a valid access token.
It can be seen that the method provided by the embodiments of the invention ensures as far as possible that the access token obtained by each client is valid.
As shown in FIG. 5, the present invention provides an apparatus for determining an access token, comprising: a receiving unit 501, configured to receive a request for obtaining an access token sent by a first API interface client, the request carrying a user credential and a credential key; an obtaining unit 502, configured to determine whether the access token corresponding to the user credential is obtained from a preset cache server; a sending unit 503, configured to send a request for acquiring a distributed lock to the preset cache server when the access token corresponding to the user credential is not obtained from the preset cache server, the distributed lock being used to control the application servers so that only one application server updates the access token at a time; and a processing unit 504, configured, upon receiving the target distributed lock fed back by the preset cache server, to send an access-token acquisition request to the interface open platform server based on the user credential and the credential key, receive the new access token fed back by the interface open platform server, and send the new access token to the first API interface client.
Optionally, the apparatus further comprises a verification unit configured to: when the access token corresponding to the user credential is determined to have been obtained from the preset cache server, verify the validity period of the corresponding access token; and when the corresponding access token passes validity-period verification, send the corresponding access token to the first API interface client.
Optionally, the verification unit is specifically configured to: determine the remaining validity period of the corresponding access token; determine whether the remaining validity period is greater than a preset period, the preset period being determined from the data refresh period and the guard period of the preset cache server; and when the remaining validity period is greater than the preset period, determine that the corresponding access token passes validity-period verification.
Optionally, the verification unit is further configured to send a request for acquiring a distributed lock to the preset cache server when the remaining validity period is determined not to be greater than the preset period.
Optionally, after the request for acquiring a distributed lock is sent to the preset cache server, the apparatus further comprises a judging unit configured to: determine whether a first time interval, from the moment the request for acquiring the distributed lock was sent to the current moment, has reached a preset time interval; and when the first time interval has reached the preset time interval and the target distributed lock has not been received, send a request for acquiring a distributed lock to the preset cache server.
Optionally, after determining that the first time interval has reached the preset time interval and before sending the request for acquiring a distributed lock to the preset cache server, the judging unit is further configured to: determine, for the first API interface client, whether the cumulative number of requests for acquiring a distributed lock sent to the preset cache server has reached a preset count threshold; and when the cumulative number has not reached the preset count threshold, send a request for acquiring a distributed lock to the preset cache server.
Optionally, the access token in the preset cache server is updated in line with the access token determined by the timed task in the timer corresponding to the preset cache server.
An embodiment of the present invention provides a computer device comprising a program or instructions which, when executed, perform the method for determining an access token provided by the embodiments of the present invention and any optional method thereof.
An embodiment of the present invention provides a storage medium comprising a program or instructions which, when executed, perform the method for determining an access token provided by the embodiments of the present invention and any optional method thereof.
Finally, it should be noted that those skilled in the art will understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, optical storage, etc.) having computer-usable program code embodied therein.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by that processor produce an apparatus for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include them as well.

Claims (10)

  1. A method for determining an access token, characterized in that it is applied to an application server and comprises:
    receiving a request for obtaining an access token sent by a first API interface client, the request for obtaining the access token carrying a user credential and a credential key;
    determining whether the access token corresponding to the user credential is obtained from a preset cache server;
    when the access token corresponding to the user credential is not obtained from the preset cache server, sending a request for acquiring a distributed lock to the preset cache server, the distributed lock being used to control the application servers so that only one application server updates the access token at a time;
    when the target distributed lock fed back by the preset cache server is received, sending an access-token acquisition request to an interface open platform server based on the user credential and the credential key, receiving a new access token fed back by the interface open platform server, and sending the new access token to the first API interface client.
  2. The method according to claim 1, characterized in that after determining whether the access token corresponding to the user credential is obtained from the preset cache server, the method further comprises:
    when it is determined that the access token corresponding to the user credential is obtained from the preset cache server, verifying the validity period of the corresponding access token;
    when it is determined that the corresponding access token passes validity-period verification, sending the corresponding access token to the first API interface client.
  3. The method according to claim 2, characterized in that verifying the validity period of the corresponding access token comprises:
    determining the remaining validity period of the corresponding access token;
    determining whether the remaining validity period is greater than a preset period, wherein the preset period is determined from the data refresh period and the guard period of the preset cache server;
    when it is determined that the remaining validity period is greater than the preset period, determining that the corresponding access token passes validity-period verification.
  4. The method according to claim 3, characterized in that after determining whether the remaining validity period is greater than the preset period, the method further comprises:
    when it is determined that the remaining validity period is not greater than the preset period, sending a request for acquiring a distributed lock to the preset cache server.
  5. The method according to claim 1, characterized in that after sending the request for acquiring a distributed lock to the preset cache server, the method further comprises:
    determining whether a first time interval, from the moment the request for acquiring the distributed lock was sent to the current moment, has reached a preset time interval;
    when it is determined that the first time interval has reached the preset time interval and the target distributed lock has not been received, sending a request for acquiring a distributed lock to the preset cache server.
  6. The method according to claim 5, characterized in that after determining that the first time interval has reached the preset time interval and before sending the request for acquiring a distributed lock to the preset cache server, the method further comprises:
    determining, for the first API interface client, whether the cumulative number of requests for acquiring a distributed lock sent to the preset cache server has reached a preset count threshold;
    when it is determined that the cumulative number has not reached the preset count threshold, sending a request for acquiring a distributed lock to the preset cache server.
  7. The method according to claim 1, characterized in that the access token in the preset cache server is updated in line with the access token determined by the timed task in the timer corresponding to the preset cache server.
  8. An apparatus for determining an access token, characterized in that it is applied to an application server and comprises:
    a receiving unit, configured to receive a request for obtaining an access token sent by a first API interface client, the request for obtaining the access token carrying a user credential and a credential key;
    an obtaining unit, configured to determine whether the access token corresponding to the user credential is obtained from a preset cache server;
    a sending unit, configured to send a request for acquiring a distributed lock to the preset cache server when the access token corresponding to the user credential is not obtained from the preset cache server, the distributed lock being used to control the application servers so that only one application server updates the access token at a time;
    a processing unit, configured, when the target distributed lock fed back by the preset cache server is received, to send an access-token acquisition request to an interface open platform server based on the user credential and the credential key, receive a new access token fed back by the interface open platform server, and send the new access token to the first API interface client.
  9. 一种计算机设备,其特征在于,包括程序或指令,当所述程序或指令被执行时,如权利要求1至7中任意一项所述的方法被执行。A computer device, characterized by including programs or instructions, when the programs or instructions are executed, the method according to any one of claims 1 to 7 is executed.
  10. 一种存储介质,其特征在于,包括程序或指令,当所述程序或指令被执行时,如权利要求1至7中任意一项所述的方法被执行。A storage medium is characterized by including programs or instructions, and when the programs or instructions are executed, the method according to any one of claims 1 to 7 is executed.
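The claimed flow (cache lookup, validity check against refresh duration plus guarantee duration, a distributed lock so that only one application server refreshes, bounded lock retries), as an added Python example that is not part of the patent or the applicant's code. The CacheServer class, the platform callable and all timings are constructed stand-ins, and the re-check of the cache between lock attempts goes beyond what the claims state.

```python
import threading
import time

class CacheServer:
    """Constructed stand-in for the preset cache server: a token store plus a
    set-if-absent style distributed lock (an assumption, not the patent's design)."""
    def __init__(self):
        self._mutex = threading.Lock()
        self.tokens = {}         # user credential -> (access token, expires_at)
        self.lock_holder = None  # application server currently holding the lock
    def get_token(self, credential):
        return self.tokens.get(credential)
    def set_token(self, credential, token, expires_at):
        self.tokens[credential] = (token, expires_at)
    def try_lock(self, holder):
        with self._mutex:        # only one application server can win the lock
            if self.lock_holder is None:
                self.lock_holder = holder
                return True
            return False
    def unlock(self, holder):
        with self._mutex:
            if self.lock_holder == holder:
                self.lock_holder = None

def determine_access_token(app_id, credential, key, cache, platform, now,
                           refresh_secs, guard_secs, retry_secs=0.0, max_attempts=3):
    """Return (token, source); source is 'cache', 'refreshed' or 'lock-unavailable'."""
    preset = refresh_secs + guard_secs   # claim 3: refresh duration + guarantee duration
    def fresh(entry):                    # claims 2-3: remaining validity must exceed preset
        return entry is not None and (entry[1] - now) > preset
    cached = cache.get_token(credential)
    if fresh(cached):
        return cached[0], "cache"
    for _ in range(max_attempts):        # claim 6: cumulative lock requests are capped
        if cache.try_lock(app_id):       # target distributed lock received
            try:
                token, ttl = platform(credential, key)   # interface open platform call
                cache.set_token(credential, token, now + ttl)
                return token, "refreshed"
            finally:
                cache.unlock(app_id)
        time.sleep(retry_secs)           # claim 5: wait the preset interval, then retry
        cached = cache.get_token(credential)   # beyond the claims: another server may
        if fresh(cached):                      # have refreshed while this one waited
            return cached[0], "cache"
    return None, "lock-unavailable"
```

A token with 80 s left and a preset of 90 s is treated as stale so that the cache refresh completes before any client holds an expired token; a lock that is never released yields 'lock-unavailable' after max_attempts rather than a refresh storm.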

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111124112.4 2021-09-24
CN202111124112.4A CN113852631A (en) 2021-09-24 2021-09-24 Method and device for determining access token

Publications (1)

Publication Number Publication Date
WO2023045970A1 true WO2023045970A1 (en) 2023-03-30

Family

ID=78979411

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/120217 WO2023045970A1 (en) 2021-09-24 2022-09-21 Method and apparatus for determining access token

Country Status (2)

Country Link
CN (1) CN113852631A (en)
WO (1) WO2023045970A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113852631A (en) * 2021-09-24 2021-12-28 深圳前海微众银行股份有限公司 Method and device for determining access token
CN114844636A (en) * 2022-05-19 2022-08-02 青岛海尔科技有限公司 Method and device for updating access token, storage medium and electronic device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110266703A (en) * 2019-06-25 2019-09-20 广州小鹏汽车科技有限公司 Token method for refreshing, device, storage medium and controlling terminal
CN112491778A (en) * 2019-09-11 2021-03-12 北京京东尚科信息技术有限公司 Authentication method, device, system and medium
CN112486696A (en) * 2020-12-11 2021-03-12 上海悦易网络信息技术有限公司 Method and equipment for acquiring distributed lock
US20210263784A1 (en) * 2020-02-24 2021-08-26 Microsoft Technology Licensing, Llc Efficient and scalable use of shared resources
CN113852631A (en) * 2021-09-24 2021-12-28 深圳前海微众银行股份有限公司 Method and device for determining access token

Also Published As

Publication number Publication date
CN113852631A (en) 2021-12-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 22872016; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)