Design and practice of unified security authentication for microservice architecture
2022-07-28 03:03:00 【Java misty rain】
As the number of enterprise application systems grows, each system managing its own user data separately easily produces information islands, and this decentralized user management model hinders the evolution of enterprise applications into a platform. Once an enterprise's Internet business reaches a certain scale, a unified and standardized account management system has to be built. It is an important part of the infrastructure of an enterprise Internet cloud platform: it gives the platform basic capabilities such as unified account management, identity authentication and user authorization, gives the enterprise basic capabilities such as cross-system single sign-on and third-party authorized login, and provides the necessary conditions for building an open platform and a business ecosystem.
— 1 —
Definition of terms
Third-party application: a third-party application, also called the "client".
HTTP service: the HTTP service provider, abbreviated in this article as "service provider".
Resource Owner: the resource owner, also called the "user"; the logged-in user.
User Agent: the user agent; in this article, the browser.
Authorization server: the authentication server, that is, the server the service provider uses to handle authentication.
Resource server: the resource server, where the service provider stores the resources generated by users. It and the authentication server can be the same server or different servers.
— 2 —
R & D background
In a monolithic application system the application is a single whole, and in general the permissions of every request are checked. Requests are usually checked by a permission interceptor, which caches the user information in the session; subsequent accesses get the user information from that cache.
With the rise of RESTful APIs and microservices, token-based authentication is becoming more and more common. A Token differs from a Session ID: it is not just a key. A Token usually contains information about the user, so verifying the Token verifies the identity.
The advantages of token-based authentication are as follows:
Server stateless: the Token mechanism does not need to store session information on the server, because the Token itself contains all the relevant user information.
Good performance: verifying a Token does not require accessing a database or a remote service to check permissions, which naturally improves performance considerably.
Support for mobile devices and cross-program calls: Cookies may not be accessed across domains, whereas a Token has no such problem.
— 3 —
R & D objectives
Through a standard security authentication process, heterogeneous systems or cross-service calls can flexibly integrate specified features or services under unified security authentication.
A typical token-based authentication process is as follows:
The user enters the login information (or calls the Token interface, passing in the user information), which is sent to the authentication service for verification (the identity authentication service can be co-located with the server or separated out; this depends on how the microservices are split).
The authentication service verifies that the login information is correct and returns a Token (it generally contains the user's basic information, scope of authority, validity period and other information); the client stores the Token, either in the Session or in a database.
The client puts the Token in the HTTP request header and initiates the related API call.
The called microservice verifies the permissions carried by the Token.
The server returns the relevant resources and data.
Security authentication function points:

Obtaining credentials: the third-party application client uses credential information such as its client code/security code and the resource owner's user name/password to obtain an Access Token (resource access credential) from the authorization server.
Login authorization: the client carries the Access Token credential to access server resources; the resource server validates the Token, the third-party application's credential information and the legitimacy of the resource owner (user), reads the resource owner's identity information (user) through the Token, and loads the resource owner's permission entries to perform the login.
Access authentication: when the third-party application client accesses server resources, the system validates the legitimacy and permission information of the visitor's Access Token; if the credential (Access Token) is correct, the resource server returns the resource information.
Credential renewal: when the Access Token access credential expires it must be renewed; the Refresh Token is used to renew the validity of the credential.
— 4 —
Technology selection analysis
The system uses the password mode of the OAuth2 open authorization standard for authorization.
Tokens use the JWT standard.
OAuth open authorization
OAuth (Open Authorization) defines a secure, open and simple standard for authorizing access to user resources: a third party can obtain the user's authorization without needing to know the user's account and password.
There are four main authorization modes:
Authorization code mode (authorization code): an authorization code is exchanged between the client and the server-side application.
Simplified mode (implicit): for mobile apps or web apps (these apps run on the user's device, for example calling up WeChat on the phone for authentication and authorization). It does not go through the third-party application's server: the token is requested directly from the authentication server in the browser, skipping the "authorization code" step, hence the name. All steps happen in the browser, the token is visible to the visitor, and the client does not need to authenticate.
Password mode (resource owner password credentials): for applications that are directly trusted (all developed by one company). In password mode the user provides their own user name and password to the client, and the client uses this information to request authorization from the "service provider". In this mode the user must give their password to the client, but the client must not store the password.
Client mode (client credentials): used for API access by applications. In client credentials mode (Client Credentials Grant) the client authenticates to the "service provider" in its own name rather than in the user's name. Strictly speaking, client mode is not a problem the OAuth framework sets out to solve: in this mode the user registers directly with the client, the client requests the "service provider" to provide services in its own name, and there is actually no authorization problem.
JSON Web Token (JWT)
JSON Web Token (JWT) is an open standard (RFC 7519) for implementing tokens based on JSON. The Token is designed to be compact and secure, and is especially suited to single sign-on (SSO) scenarios across distributed sites. JWT claims are generally used to pass authenticated user identity information between the identity provider and the service provider in order to obtain resources from the resource server; additional claim information required by other business logic can also be added. The Token can be used directly for authentication, and it can also be encrypted.
— 5 —
Authentication process logic
System authorization
The third-party application client uses credential information such as its client code/security code and the resource owner's user name/password to obtain an Access Token (resource access credential) from the authorization server.

System authorization issues the Access Token to the client application.

System authentication
The client carries the Access Token credential to access server resources; the resource server validates the Token, the third-party application and the legitimacy of the resource owner (user), reads the resource owner's identity information (user) through the Token, and loads the resource owner's permissions to perform the login.
The system validates the legitimacy and permission information of the visitor's Access Token; if the credential (Access Token) is correct, the resource server returns the resource information.
Credential renewal
When the Access Token access credential expires it must be renewed; the Refresh Token is used to renew the validity of the credential.

— 6 —
Interface design
Authorization credential
Get the authorization credential: verify the client identity information and the identity of the resource owner, then issue the Token credential.

The client code/security code must be applied for from the system by the third party, and is generated after the registration is approved.


Renewal of the authorization credential
Obtain the renewed authorization credential: verify the client identity information and check the RefreshToken credential, then issue the Token credential.
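The password-mode issuance, access check and credential renewal from the function points in section 3, the JWT format from section 4 and the two interfaces in this section, worked through as one added Python example (not the article's own code). The signing secret, client code/security code, user record and scope names are constructed; signing uses HS256 from the standard library rather than a JWT library; and the refresh token is an opaque, single-use value stored server side, which is an assumption the article does not state.

```python
import base64, hashlib, hmac, json, secrets, time
JWT_SECRET = b"constructed-demo-signing-key"         # constructed; load from a secret store in practice
CLIENTS = {"app-001": "constructed-client-secret"}    # client code -> security code (constructed)
USERS = {"alice": ("correct-horse", ["order:read"])}  # resource owner -> (password, scopes) (constructed)
REFRESH_STORE = {}                                    # refresh token -> user name, kept server side

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims: dict) -> str:
    """Mint an HS256 JWT (RFC 7519): base64url(header).base64url(payload).base64url(signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, required_scope=None, now=None):
    """Resource server check: return the claims only if signature, expiry and scope all pass."""
    if token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected).encode(), sig.encode()):  # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))  # after sig check
    if required_scope and required_scope not in claims.get("scope", []):
        return None
    return claims if claims.get("exp", 0) > (now or time.time()) else None

def _issue(username: str, scopes: list, now: float) -> dict:
    access = sign_jwt({"sub": username, "scope": scopes, "iat": now, "exp": now + 900})
    refresh = secrets.token_urlsafe(32)               # opaque refresh token, only stored server side
    REFRESH_STORE[refresh] = username
    return {"access_token": access, "refresh_token": refresh, "expires_in": 900}

def password_grant(client_id, client_secret, username, password, now=None):
    """OAuth2 password mode: check client code/security code and user name/password, then issue."""
    if not hmac.compare_digest(CLIENTS.get(client_id, ""), client_secret):
        return None
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[0], password):
        return None
    return _issue(username, record[1], now or time.time())

def refresh_grant(client_id, client_secret, refresh_token, now=None):
    """Credential renewal: check the client and the refresh token, rotate it, issue a new pair."""
    if not hmac.compare_digest(CLIENTS.get(client_id, ""), client_secret):
        return None
    username = REFRESH_STORE.pop(refresh_token, None)  # single use: the old refresh token is revoked
    return None if username is None else _issue(username, USERS[username][1], now or time.time())
```

The `now` parameter exists so expiry can be tested deterministically; the access token lifetime of 900 seconds is a constructed value.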