Learning Online - Day 16 - Lecture - Spring Security OAuth2 JWT (Part 2)

2 User Authentication Solution
2.1 Single Sign-On Solution
To implement single sign-on, a distributed system usually extracts the authentication system into an independent service and stores user identity information in a separate storage medium such as MySQL or Redis. Given the performance requirements, it is usually stored in Redis, as shown in the figure below:
 
Single sign-on has the following characteristics:
1. The authentication system is a separate system.
2. Each subsystem communicates with the authentication system over HTTP or another protocol to complete user authentication.
3. User identity information is stored in a Redis cluster.
Java has many user-authentication frameworks that can implement single sign-on:
1. Apache Shiro
2. CAS
3. Spring Security CAS
2.2 OAuth2 Authentication
2.2.1 OAuth2 Authentication Process
The most important aspect of third-party authentication is a common, standard authentication protocol: because authentication crosses system boundaries, the systems involved must follow an agreed interface protocol.
The OAuth protocol provides a secure, open and simple standard for authorizing access to user resources. Any third party can use an OAuth-based authentication service, and any service provider can implement its own OAuth authentication service, so OAuth is open. The industry offers many OAuth implementations, with development packages in languages such as PHP, JavaScript, Java and Ruby, which saves programmers a great deal of time, so OAuth is simple. Many Internet services, such as Open API, and many large companies such as Google, Yahoo and Microsoft provide OAuth authentication services, which is enough to show that OAuth has become the open standard for authorization.
The OAuth protocol has evolved to version 2.0. Version 1.0 was too complicated, and version 2.0 is now widely used.
Reference: https://baike.baidu.com/item/oAuth/7153134?fr=aladdin 
Oauth protocol: https://tools.ietf.org/html/rfc6749 
Below we analyze an example of OAuth2 authentication: the Dark Horse Programmer website's login via WeChat.

1. The client requests authorization from the third party
The user opens the Dark Horse Programmer login page and clicks the WeChat icon to log in to the system with a WeChat account. The user is the owner of their own information resources held in WeChat.

 
 
2. The resource owner agrees to authorize the client
The resource owner scans the QR code, which indicates that the resource owner agrees to grant the client authorization. WeChat verifies the resource owner's identity; after verification, WeChat asks the user whether to authorize Dark Horse Programmer to access their WeChat data. The user clicks "Confirm Login" to express consent, and the WeChat authentication server issues an authorization code and redirects to the Dark Horse Programmer website.

 
3. The client obtains the authorization code, and the application server requests a token from the authentication server
This process is invisible to the user: the client application sends a request to the authentication server, carrying the authorization code.
4. The authentication server responds to the client with a token
The authentication server verifies the authorization code in the client's request; if it is legitimate, it issues a token to the client. The token is the client's permit to access resources.
This interaction is invisible to the user; once the client has obtained the token, the user sees that they have logged in to Dark Horse Programmer successfully.
5. The client requests resources from the resource server
The client carries the token when accessing the resource server's resources.
The Dark Horse Programmer website carries the token in its request to the WeChat server to obtain the user's basic information.
6. The resource server returns the protected resource
The resource server verifies the legitimacy of the token; if it is legitimate, it responds with the user's resource information.
Note: The resource server and the authentication server can be the same service or separate services. If they are separate, the resource server typically asks the authentication server to verify the legitimacy of the token.
The OAuth 2.0 authentication process is as follows:
Quoted from the OAuth 2.0 specification, RFC 6749: https://tools.ietf.org/html/rfc6749

 
OAuth2 includes the following roles:
1. Client
Does not store resources itself; it must obtain the resource owner's authorization to request resources from the resource server. Examples: the Learning Online Android client, the Learning Online web client (browser), the WeChat client.
2. Resource owner
Usually the user; an application may also be the owner of a resource.
3. Authorization server (also called the authentication server)
Authenticates the identity of the resource owner and grants authorization for access to resources. The client can only obtain access to the resources it needs after the resource owner grants that access through the authentication server.
4. Resource server
The server that stores resources. For example, the Learning Online user-management server stores Learning Online user information, the Learning Online learning server stores students' learning information, and the WeChat resource service stores WeChat user information. The client ultimately obtains resource information from the resource server.
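As an added illustration (not code from this lecture or from the Learning Online project), the following Python model walks the six-step authorization-code flow above with the four roles just listed: the authorization server issues a single-use, short-lived code bound to the client and redirect URI, exchanges it for a token only after checking the client secret, and validates tokens on behalf of a separate resource server, as the note on step 6 describes. The code and token lifetimes are illustrative choices, and the client ids, secrets, URIs and user profile used to exercise it are constructed sample values.

```python
import secrets
import time


class AuthorizationServer:  # steps 2 to 4, plus token validation for step 6
    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> (client_id, redirect_uri, user, expiry)
        self.tokens = {}   # access token -> (user, expiry)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, user):
        # Owner consented: issue a short-lived code bound to client and redirect URI.
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, time.time() + 60)  # 60 s is illustrative
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        entry = self.codes.pop(code, None)  # a code can be redeemed only once
        if entry is None:
            raise PermissionError("invalid, expired or already used code")
        bound_client, bound_uri, user, expiry = entry
        secret_ok = secrets.compare_digest(self.clients[bound_client][0], client_secret)
        if not (bound_client == client_id and bound_uri == redirect_uri
                and time.time() <= expiry and secret_ok):
            raise PermissionError("client or code verification failed")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (user, time.time() + 3600)  # 1 h lifetime is illustrative
        return access_token

    def introspect(self, access_token):
        entry = self.tokens.get(access_token)
        return None if entry is None or time.time() > entry[1] else entry[0]


class ResourceServer:  # steps 5 and 6
    def __init__(self, auth_server, profiles):
        self.auth_server, self.profiles = auth_server, profiles  # profiles: user -> data

    def get_profile(self, access_token):
        # A separate resource server asks the authorization server to validate the token.
        user = self.auth_server.introspect(access_token)
        if user is None:
            raise PermissionError("token rejected by the authorization server")
        return self.profiles[user]
```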
2.2.2 Application of OAuth2 in this project
OAuth2 is an open authorization protocol standard, and applications can use OAuth2 according to their own requirements. This project uses OAuth2 to achieve the following goals:
1. Learning Online accesses the resources of third-party systems.
2. External systems access Learning Online resources.
3. The Learning Online front end (the clients) accesses the resources of the Learning Online microservices.
4. Learning Online microservices access each other's resources, for example microservice A accesses microservice B's resources and B accesses A's resources.

Source: blog.csdn.net/qq_40208605/article/details/104207396