I have integrated a lot of open platforms recently. The open platforms of e-commerce sites such as Taobao, Tmall, JD.com, Pinduoduo, Kuaishou and Douyin have basically all been integrated. Maybe this is what it is to be a CRUD boy!!!
After these few days of sorting things out, I have a rough design routine for an open platform interface in my mind, so I have organized it into an article so that I can implement my own open platform interface when needed.
Several points of concern about open platforms:
- Ease of use: the interface design should be simple, and request parameters should be clearly identifiable by name, so that the service provider can integrate quickly and provide services to users.
- Security: the open platform interface is exposed to the public network, so the security of user data must be ensured.
- Stability: the open platform interface is used by upstream service providers, so it must provide a stable service to service provider applications.
- ...
Service provider application
The open platform can be divided into several parts:
- Access guide: helps service providers integrate with the open platform
- Interface documentation: helps the service provider's developers implement business functions
- Application: the identity of the service provider's application on the open platform
The first step for a service provider to integrate with the open platform is to create an application. With a service provider application, the open platform can identify the service provider internally, so that rate limiting and permission control can be performed easily.
Basic properties
Service provider applications generally have three basic attributes: appid, appsecret, and the authorization callback address:
- appid: the unique identifier of the service provider's application
- appsecret: the key used for request signing and identity verification of the service provider's application
- Authorization callback address: the address the open platform redirects to during authorization
Authorization and authentication
Authorization here does not mean the open platform authorizing the service provider's application; it means the customers (users) of the open platform authorizing the service provider's application. For example, with an ERP application, a Taobao store merchant authorizes the application so that it can pull the store's orders and complete order fulfillment.
[Figure: Taobao authorization page]
So authorization requires three roles to complete:
- Open platform:
  - Provides an authorization page that guides the customer through authorizing the service provider's application
  - After the customer completes the authorization, redirects to the authorization callback address provided by the service provider, carrying the authorization information
- Customer: completes the authorization for the service provider's application on the authorization page provided by the open platform
- Service provider application: receives the authorization information from the open platform's callback, completes the binding between the business application and the customer, and saves the authorization information
Of course, you can also use appid + appsecret to authenticate the service provider's application directly. This is suitable when there is no third party: the data belongs to the open platform and has nothing to do with any customer, so no customer authorization is needed.
OAuth2 authorization mechanism
OAuth2 is a set of authorization standards. Nowadays the Internet basically uses it for authorization; GitHub login and WeChat Official Account authorization, for example, are all applications based on OAuth2.
Authorization process
Request parameters
Request parameters are divided into two categories: system parameters and business parameters:
- System parameters: parameters that must be carried in every API call
- Business parameters: parameters defined by the open platform for each business
Business parameters are determined by the business. The system parameters generally include:
- appid: the unique identifier of the service provider application
- appsecret: the service provider application's key
- timestamp: the request timestamp
- sign: the request signature
System parameters are passed as URL query parameters.
Business parameters
Business parameters are the request parameters passed when calling an open platform interface, for example an order query interface. To query orders by order status, the order query interface needs to receive a status parameter, query the database, and then return the order data.
Common carriers for business parameters are application/json, application/x-www-form-urlencoded, and so on.
Business parameters are passed in the form of post request parameters, and they also need to participate in the signature. The signature will be mentioned later.
Request signature
The purpose of signing a request is to prevent the data from being tampered with. Common algorithms such as md5 and sha can be used as the signature algorithm; in theory it is only necessary that both parties can generate and verify signatures. High-security applications such as Alipay use asymmetric cryptography: each party generates a private/public key pair, and the parties exchange public keys for signature verification.
The method of generating signatures can be defined by yourself. Here is a common method of generating signatures:
sign = appsecret + appid + timestamp + business parameters (after sorting) + appsecret
pseudocode
// assumes fastjson for JSON and Apache Commons Codec for md5Hex
import java.util.Map;
import java.util.TreeMap;
import com.alibaba.fastjson.JSON;
import org.apache.commons.codec.digest.DigestUtils;

String appid = "abcd";
String appsecret = "12345";
Long timestamp = 948758686L;
// ordered map, sorted by key
Map<String, Object> requestBody = new TreeMap<>();
requestBody.put("a", 1);
requestBody.put("b", 21);
requestBody.put("c", 2);
// convert to a JSON string (keys keep their sorted order)
String jsonBody = JSON.toJSONString(requestBody);
// sign = md5(appsecret + appid + timestamp + sorted business parameters + appsecret)
String sign = DigestUtils.md5Hex(appsecret + appid + timestamp + jsonBody + appsecret);
Verification
The signature verification steps mirror the signature generation steps. The pseudocode is as follows:
import java.util.Map;
import java.util.Objects;
import java.util.TreeMap;
import com.alibaba.fastjson.JSON;
import org.apache.commons.codec.digest.DigestUtils;

String appid = request.getParameter("appid");
String appsecret = request.getParameter("appsecret");
Long timestamp = Long.parseLong(request.getParameter("timestamp"));
// take the business parameters from the POST body and convert them to a TreeMap
// (postBody is the raw POST request body string read from the request)
Map<String, Object> requestBody = new TreeMap<>(JSON.parseObject(postBody));
// convert to a JSON string
String jsonBody = JSON.toJSONString(requestBody);
// recompute the signature with the same rule as the caller
String sign = DigestUtils.md5Hex(appsecret + appid + timestamp + jsonBody + appsecret);
String originSign = request.getParameter("sign");
if (Objects.equals(sign, originSign)) {
    // signature verified
} else {
    // signature verification failed
}
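The signing rule and the verification step above, as an added example in Python that is not part of the original post: it builds the same canonical string (sorted-key compact JSON between two copies of appsecret, hashed with md5), and on the verifying side it looks the appsecret up by appid from a server-side store instead of reading it from the request, rejects stale timestamps, and compares digests in constant time. The APP_SECRETS store, the 300-second skew window and the sample values are assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample credentials (same values as the post's pseudocode).
APPID = "abcd"
APPSECRET = "12345"

# Assumed server-side registry: the verifier looks the secret up by appid
# instead of trusting an appsecret carried in the request.
APP_SECRETS = {APPID: APPSECRET}


def canonical_body(business_params: dict) -> str:
    """Sorted-key compact JSON, matching TreeMap + JSON.toJSONString."""
    return json.dumps(business_params, sort_keys=True,
                      separators=(",", ":"), ensure_ascii=False)


def make_sign(appid: str, appsecret: str, timestamp: int,
              business_params: dict) -> str:
    """sign = md5(appsecret + appid + timestamp + sorted body + appsecret)."""
    raw = f"{appsecret}{appid}{timestamp}{canonical_body(business_params)}{appsecret}"
    return hashlib.md5(raw.encode("utf-8")).hexdigest()


def verify_request(system_params: dict, business_params: dict,
                   now: Optional[int] = None, max_skew: int = 300) -> bool:
    """Server-side check of the URL system parameters against the POST body.

    Rejects unknown appids, unparsable or stale timestamps (assumed 5-minute
    window, which limits replay of a captured request) and bad signatures.
    """
    appsecret = APP_SECRETS.get(system_params.get("appid", ""))
    if appsecret is None:
        return False
    try:
        timestamp = int(system_params["timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > max_skew:
        return False
    expected = make_sign(system_params["appid"], appsecret, timestamp, business_params)
    # constant-time comparison so the check does not leak via timing
    return hmac.compare_digest(expected, str(system_params.get("sign", "")))
```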
Summary
The above are some ideas for the interface design of open platforms. In fact, there are more open platforms to integrate with, and I have compiled some basic routines for integrating with them. I hope they can be used one day.