CN117955698B - Swagger-based call request authentication method and swagger-based call request authentication device - Google Patents

Info

Publication number: CN117955698B
Authority: CN (China)
Prior art keywords: interface, authentication, channel, authentication channel, information
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202311836584.1A
Other languages: Chinese (zh)
Other versions: CN117955698A (en)
Inventors: 徐志彬, 王军, 张丁一, 刘嘉蕾, 张琦, 柴晨, 喻文强
Current Assignee: China Securities Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: China Securities Co Ltd
Application filed by China Securities Co Ltd
Priority to CN202311836584.1A
Publication of CN117955698A
Application granted
Publication of CN117955698B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/133: Protocols for remote procedure calls [RPC]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Embodiments of the invention provide a swagger-based call request authentication method and device, relating to the technical field of data processing. The specific implementation is as follows: receiving a call request for an interface, the request carrying a channel identifier and request verification information; determining, among the existing authentication channels, a first authentication channel corresponding to the channel identifier, wherein an authentication channel corresponds to a service provided by an online business platform, and the interfaces for accessing that service are bound to the authentication channel; judging whether the first verification information corresponding to the first authentication channel matches the request verification information; and, if they match, determining that the interfaces bound to the first authentication channel are the interfaces that the call request is authorized to call. The scheme provided by the embodiments can make it more convenient to configure an authentication scheme for interface call requests when the interfaces that need authentication change.

Description

A swagger-based call request authentication method and device

Technical Field

The present invention relates to the technical field of data processing, and in particular to a call request authentication method and device based on swagger (an interface parsing framework).

Background Art

With the development of network technology, online business platforms provide various services to users through their callable interfaces. However, the services provided through these interfaces may involve sensitive data or sensitive operations, so after receiving an interface call request, the online business platform needs to authenticate the call request.

In the prior art, the interface call request that a user sends from a client to the online business platform generally carries the route of the interface to be called, and the online business platform performs interface authentication based on the interface routes recorded in its local code and the route carried in the call request. As can be seen, for interface authentication to succeed, the online business platform has to record the routes of the interfaces that need authentication at the code layer. Interface authentication therefore depends on hard coding: once the range of interfaces that need authentication changes, the local code of the online business platform has to be adjusted, which is inconvenient.

Summary of the Invention

The purpose of the embodiments of the present invention is to provide a swagger-based call request authentication method and device that make it more convenient to configure an authentication scheme for interface call requests when the interfaces that need authentication change. The specific technical solution is as follows:

According to one aspect of the embodiments of the present invention, a swagger-based call request authentication method is provided, applied to an online business platform built on swagger. The method includes:

receiving a call request for an interface, the request carrying a channel identifier and request verification information;

determining, among the existing authentication channels, a first authentication channel corresponding to the channel identifier, wherein the authentication channel corresponds to a service provided by the online business platform, and the authentication channel is bound to the interfaces for accessing the service corresponding to the authentication channel;

judging whether the first verification information corresponding to the first authentication channel matches the request verification information;

if they match, determining that the interfaces bound to the first authentication channel are the interfaces that the call request is authorized to call.

In one embodiment of the present invention, the online business platform binds interfaces to the authentication channel in the following manner:

obtaining the interface description information recorded in the local code of the online business platform;

determining, based on the obtained interface description information, the interface information of the externally accessible interfaces of the services provided by the online business platform;

displaying the determined interface information in a user interface;

creating the authentication channel, and displaying the information of the authentication channel in the user interface;

determining the target interface, of the corresponding service, that the user selects for the authentication channel based on the displayed interface information;

establishing a binding relationship between the authentication channel and the target interface, and storing the binding relationship.

In one embodiment of the present invention, after creating the authentication channel, the method further includes:

issuing a secret key for the authentication channel.

Judging whether the first verification information corresponding to the first authentication channel matches the request verification information includes:

generating the first verification information based on the secret key corresponding to the first authentication channel;

judging whether the first verification information matches the request verification information.
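
The flow described above (binding interfaces taken from a swagger description to a channel, issuing a channel key, then checking a call request) can be sketched as follows; this is an added example, not code from the patent. The header names, the sample Swagger document, the class and function names, and the HMAC-SHA256 construction of the verification information are assumptions, since the text only says the verification information is generated from the channel's secret key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed Swagger 2.0 fragment standing in for the platform's interface descriptions.
SWAGGER_DOC = {
    "swagger": "2.0",
    "paths": {
        "/device/attributes": {"get": {"summary": "Query device attributes", "tags": ["device-ops"]}},
        "/device/config": {"put": {"summary": "Modify device configuration", "tags": ["device-ops"]}},
        "/trade/orders": {"post": {"summary": "Place an order", "tags": ["trading"]}},
    },
}
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
ID_HEADER = "X-Channel-Id"      # hypothetical header names (the "preset fields")
SIGN_HEADER = "X-Channel-Sign"


def list_interfaces(doc):
    """Derive interface information (method, path, description, service type) from the document."""
    found = {}
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:  # skip non-operation keys such as "parameters"
                tags = op.get("tags") or [""]
                found[(method.upper(), path)] = {
                    "summary": op.get("summary", ""),
                    "service_type": tags[0],
                }
    return found


def verification_info(secret_key, channel_id, method, path):
    """Assumed construction: HMAC-SHA256 over channel id, method and path, keyed by the channel key."""
    message = "\n".join((channel_id, method.upper(), path)).encode()
    return hmac.new(secret_key, message, hashlib.sha256).hexdigest()


@dataclass
class Channel:
    channel_id: str
    name: str
    secret_key: bytes
    bound: set = field(default_factory=set)  # {(METHOD, path)} binding relationships


class ChannelRegistry:
    def __init__(self, doc):
        self.interfaces = list_interfaces(doc)
        self.channels = {}

    def create_channel(self, channel_id, name):
        if channel_id in self.channels:
            raise ValueError("channel identifier must be unique")
        channel = Channel(channel_id, name, secrets.token_bytes(32))  # issue the channel key
        self.channels[channel_id] = channel
        return channel

    def bind(self, channel_id, method, path):
        """Store a binding; only interfaces present in the parsed description can be bound."""
        key = (method.upper(), path)
        if key not in self.interfaces:
            raise KeyError(f"unknown interface: {key}")
        self.channels[channel_id].bound.add(key)

    def authorize(self, method, path, headers):
        """Look up the channel, compare verification information, then check the binding."""
        channel = self.channels.get(headers.get(ID_HEADER, ""))
        if channel is None:
            return False  # fail closed on an unknown or missing channel identifier
        expected = verification_info(channel.secret_key, channel.channel_id, method, path)
        supplied = headers.get(SIGN_HEADER, "")
        if not hmac.compare_digest(expected.encode(), supplied.encode()):  # constant-time compare
            return False
        return (method.upper(), path) in channel.bound


def signed_headers(channel, method, path):
    """Client side: build the two headers for a call made through `channel`."""
    return {
        ID_HEADER: channel.channel_id,
        SIGN_HEADER: verification_info(channel.secret_key, channel.channel_id, method, path),
    }


def demo():
    registry = ChannelRegistry(SWAGGER_DOC)
    ops = registry.create_channel("ops-01", "Device O&M")
    registry.bind("ops-01", "GET", "/device/attributes")
    before = registry.authorize("PUT", "/device/config", signed_headers(ops, "PUT", "/device/config"))
    registry.bind("ops-01", "PUT", "/device/config")  # scope change: a new binding, no code edit
    after = registry.authorize("PUT", "/device/config", signed_headers(ops, "PUT", "/device/config"))
    cross = registry.authorize("POST", "/trade/orders", signed_headers(ops, "POST", "/trade/orders"))
    return before, after, cross


if __name__ == "__main__":
    print(demo())
```

The request for `/trade/orders` carries valid verification information for the `ops-01` channel and is still refused, because the decision rests on the stored binding rather than on the credential alone.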

In one embodiment of the present invention, the interface information includes at least one of the following:

the full name of the interface class, the interface class access path, the interface class description information, the interface method name, the interface method access path, the interface method description information, the interface request type, and the interface service type.

In one embodiment of the present invention, the information of the authentication channel includes at least one of the following:

the channel identifier, the channel name, the channel secret key, the channel description information, and the interface information of the interfaces bound to the authentication channel.

In one embodiment of the present invention, after obtaining the interface description information recorded in the local code of the online business platform, the method further includes:

determining, according to the obtained interface description information, the interface service type of the interface corresponding to each piece of interface description information;

determining, among the existing authentication channels, a second authentication channel that matches the determined interface service type, and sending an interface binding reminder to the client used by the administrator of the second authentication channel.

In one embodiment of the present invention, the method further includes:

if an interface change occurs on the online business platform, obtaining the interface status of the changed interface;

if the interface status indicates that the changed interface is not a deprecated interface, sending an interface change reminder to the client used by the administrator of the authentication channel.

In one embodiment of the present invention, after determining the target interface, of the corresponding service, that the user selects for the authentication channel based on the displayed interface information, the method further includes:

triggering a binding review process for the target interface;

if the review is passed, executing the step of establishing a binding relationship between the authentication channel and the target interface.

According to another aspect of the embodiments of the present invention, a swagger-based call request authentication device is provided, applied to an online business platform built on swagger. The device includes:

a call request receiving module, used to receive a call request for an interface, the request carrying a channel identifier and request verification information;

an authentication channel determination module, used to determine, among the existing authentication channels, a first authentication channel corresponding to the channel identifier, wherein the authentication channel corresponds to a service provided by the online business platform, and the authentication channel is bound to the interfaces for accessing the service corresponding to the authentication channel;

a verification information matching module, used to judge whether the first verification information corresponding to the first authentication channel matches the request verification information and, if they match, to trigger the interface determination module;

the interface determination module, used to determine that the interfaces bound to the first authentication channel are the interfaces that the call request is authorized to call.

In one embodiment of the present invention, the online business platform binds interfaces to the authentication channel in the following manner:

obtaining the interface description information recorded in the local code of the online business platform;

determining, based on the obtained interface description information, the interface information of the externally accessible interfaces of the services provided by the online business platform;

displaying the determined interface information in a user interface;

creating the authentication channel, and displaying the information of the authentication channel in the user interface;

determining the target interface, of the corresponding service, that the user selects for the authentication channel based on the displayed interface information;

establishing a binding relationship between the authentication channel and the target interface, and storing the binding relationship.

In one embodiment of the present invention, after creating the authentication channel, the method further includes:

issuing a secret key for the authentication channel.

Judging whether the first verification information corresponding to the first authentication channel matches the request verification information includes:

generating the first verification information based on the secret key corresponding to the first authentication channel;

judging whether the first verification information matches the request verification information.

In one embodiment of the present invention, the interface information includes at least one of the following:

the full name of the interface class, the interface class access path, the interface class description information, the interface device name, the interface device access path, the interface device description information, the interface request type, and the interface service type.

In one embodiment of the present invention, the information of the authentication channel includes at least one of the following:

the channel identifier, the channel name, the channel secret key, the channel description information, and the interface information of the interfaces bound to the authentication channel.

In one embodiment of the present invention, after obtaining the interface description information recorded in the local code of the online business platform, the method further includes:

determining, according to the obtained interface description information, the interface service type of the interface corresponding to each piece of interface description information;

determining, among the existing authentication channels, a second authentication channel that matches the determined interface service type, and sending an interface binding reminder to the client used by the administrator of the second authentication channel.

In one embodiment of the present invention, in the process of binding interfaces to the authentication channel, the online business platform further performs the following:

if an interface change occurs on the online business platform, obtaining the interface status of the changed interface;

if the interface status indicates that the changed interface is not a deprecated interface, sending an interface change reminder to the client used by the administrator of the authentication channel.

In one embodiment of the present invention, after determining the target interface, of the corresponding service, that the user selects for the authentication channel based on the displayed interface information, the method further includes:

triggering a binding review process for the target interface;

if the review is passed, executing the step of establishing a binding relationship between the authentication channel and the target interface.

According to a further aspect of the embodiments of the present invention, an electronic device is provided, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other via the communication bus;

the memory is used to store a computer program;

the processor is used to implement any of the above swagger-based call request authentication methods when executing the program stored in the memory.

According to yet another aspect of the embodiments of the present invention, a computer-readable storage medium is provided, in which a computer program is stored. When the computer program is executed by a processor, any of the above swagger-based call request authentication methods is implemented.

According to yet another aspect of the embodiments of the present invention, a computer program product comprising instructions is provided which, when run on a computer, causes the computer to execute any of the above swagger-based call request authentication methods.

Beneficial effects of the embodiments of the present invention:

As can be seen from the above, in the scheme provided by the embodiments of the present invention, the first authentication channel is determined from the channel identifier carried in the call request, and whether the call request can access the interfaces bound to the first authentication channel is determined by whether the verification information of the first authentication channel matches the request verification information. When the interfaces that need authentication change, the online business platform, being based on swagger, can modify and adjust interfaces while it is running, so the interfaces bound to an authentication channel can be changed. Because an interface is authenticated through the verification information of its authentication channel, modifying the binding relationship between a changed interface and the authentication channel is enough to modify how that interface is authenticated. There is no need to hard-code changes to the route of each changed interface, nor to modify interception rules in the code layer of the online business platform; it is only necessary to bind the changed interface that needs authentication to the authentication channel of the service to which the interface belongs. It can be seen that applying the scheme provided by the embodiments of the present invention can make it more convenient to configure an authentication scheme for interface call requests.

Of course, implementing any product or method of the present invention does not necessarily require achieving all of the advantages described above at the same time.

Brief Description of the Drawings

In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other embodiments from these drawings.

FIG. 1 is a schematic flow chart of a call request authentication method provided by an embodiment of the present invention;

FIG. 2 is a schematic flow chart of an interface binding method provided by an embodiment of the present invention;

FIG. 3 is a schematic diagram of a user interface displaying interface information, provided by an embodiment of the present invention;

FIG. 4 is a schematic diagram of a user interface displaying the information of authentication channels, provided by an embodiment of the present invention;

FIG. 5 is a schematic structural diagram of a call request authentication device provided by an embodiment of the present invention;

FIG. 6 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention fall within the scope of protection of the present invention.

The prior art relevant to the embodiments of the present invention is described below.

In the prior art, the interface call request that a user sends from a client to the online business platform generally carries the route of the interface to be called, and the online business platform performs interface authentication based on the interface routes recorded in its local code and the route carried in the call request. The online business platform can record the routes of the interfaces that need authentication in the code layer; then, when the range of interfaces that need authentication changes, the user has to adjust the recorded interface routes in the code layer of the online business platform. Alternatively, interception rules can be written in the code layer of the online business platform for each interface that needs authentication; then, when the range of interfaces that need authentication changes, the user has to adjust the interception rules, the code logic and so on in that code layer. In addition, the user has to modify the interception rules and adjust the code logic one by one for each piece of changed code, which increases the complexity and workload of maintenance. Especially on large online business platforms, when the interfaces that need authentication change frequently or are numerous, this manual modification of the code layer is very cumbersome, error-prone and inconvenient.

In order to make it more convenient to configure an authentication scheme for interface call requests when the interfaces that need authentication change, the embodiments of the present invention provide a swagger-based call request authentication method and device.

The concepts involved in the embodiments of the present invention are described below.

1. Authentication Channel

An authentication channel is a channel, corresponding to a service provided by the online business platform, that is used to authenticate call requests. For example, if the services provided by the online business platform include a device operation and maintenance management service, the online business platform can be provided with an authentication channel corresponding to that service. If the services provided by the online business platform include an online transaction service, the online business platform can be provided with an authentication channel corresponding to the online transaction service.

An authentication channel is bound to the interfaces for accessing the service corresponding to that channel. Taking the authentication channel corresponding to the device operation and maintenance management service as an example, the interfaces that should be bound to it are the interfaces for accessing the device operation and maintenance management service: for example, the interface for querying device attribute information, the interface for obtaining device operation control information, and the interface for modifying device configuration information.

Similarly, the authentication channel corresponding to the online transaction service should be bound to the interfaces for accessing the online transaction service.

2. Channel Identifier

A channel identifier is the unique identifier of an existing authentication channel on the online business platform. Specifically, the channel identifier of each authentication channel can be set by the user when the channel is created, or the online business platform can generate a unique identifier for the authentication channel.

3. Swagger

Swagger is an interface parsing framework that can be used to develop, manage and document interfaces. Based on swagger, the online business platform can parse its interfaces while the platform is running. For example, the online business platform can detect changes to its interfaces by parsing the documents generated by swagger.

The call request authentication method provided by the embodiments of the present invention is described in detail below with reference to FIG. 1.

In one embodiment of the present invention, referring to the schematic flow chart of a call request authentication method in FIG. 1, the method is applied to an online business platform built on swagger and includes the following steps S101-S104.

Step S101: Receive a call request for an interface, the request carrying a channel identifier and request verification information.

In one implementation, the channel identifier and the request verification information can be added to preset fields of the call request. After receiving the call request, the online business platform reads the data in these preset fields to obtain the channel identifier and the request verification information.

For example, the call request may be sent over the HyperText Transfer Protocol (HTTP), with the channel identifier and the request verification information set in the request header. After receiving the call request, the online business platform can read the data in the request header and thereby obtain the channel identifier and the request verification information.

Step S102: Determine, among the existing authentication channels, a first authentication channel corresponding to the channel identifier.

An authentication channel corresponds to a service provided by the online business platform, and the interfaces for accessing that service are bound to the authentication channel.

In one implementation, after obtaining the channel identifier, the online business platform determines, among the existing authentication channels, the authentication channel whose channel identifier is the same as the one carried in the call request, and takes it as the first authentication channel. In addition, if the call request carries two or more channel identifiers, the online business platform may determine the authentication channels corresponding to each of those channel identifiers as first authentication channels, and then perform steps S103-S104 for each first authentication channel.

Step S103: Determine whether the first verification information corresponding to the first authentication channel matches the request verification information.

Verification information can be set for each authentication channel, and the online business platform records the correspondence between each authentication channel and its verification information. The verification information differs from one authentication channel to another. The verification information of an authentication channel is matched against the request verification information in order to verify whether the call request received by the online business platform can call the interfaces bound to that authentication channel. For example, the verification information of an authentication channel may be a preset string of digits and/or letters. The called party can communicate with the requester that needs to access the interfaces of the service corresponding to the authentication channel and inform the requester of the verification information corresponding to that channel. The requester can then set, in the call request it sends, request verification information that matches the verification information of the authentication channel.

In one implementation, after determining the first authentication channel, the online business platform looks up the first verification information corresponding to the first authentication channel in the recorded correspondence between authentication channels and verification information, and then determines whether the first verification information is the same as the request verification information. If they are the same, the first verification information matches the request verification information; otherwise it does not.

In another implementation, the verification information corresponding to an authentication channel can be generated from the secret key corresponding to that channel. Specifically, the online business platform can generate the first verification information based on the secret key corresponding to the first verification information. The called party can communicate with the requester that needs to access the interfaces of the service corresponding to the first authentication channel and inform the requester of the secret key corresponding to the first verification information and of the way the first verification information is generated from the secret key. The requester can then generate the request verification information in the same way as the first verification information is generated and add it to the call request. The online business platform then determines whether the generated first verification information is the same as the request verification information carried in the call request. If they are the same, the first verification information matches the request verification information; otherwise it does not.

In addition, the way of generating the first verification information and the secret key can be negotiated between the requester and the called party. Specific ways of generating the first verification information are described in the embodiments below and are not detailed here.

Step S104: If they match, determine that the interfaces bound to the first authentication channel are the interfaces the call request is authorized to call.

Specifically, when the first verification information matches the request verification information, the online business platform allows the call request to call the interfaces bound to the first authentication channel.

As can be seen from the above, in the scheme provided by the embodiment of the present invention, the first authentication channel corresponding to the channel identifier is determined from the channel identifier carried in the call request, and whether the call request may access the interfaces bound to the first authentication channel is determined by whether the verification information of the first authentication channel matches the request verification information. When the interfaces that need authentication change, the online business platform, being based on swagger, can modify and adjust interfaces while running, so the interfaces bound to an authentication channel can be changed. Because an interface is authenticated through the verification information of its authentication channel, modifying the binding between the changed interface and the authentication channel is enough to modify how the changed interface is authenticated. There is no need to hard-code changes to the route of each changed interface, nor to modify interception rules in the code layer of the online business platform; it is only necessary to bind the changed interface that needs authentication to the authentication channel of the service the interface belongs to. Applying the scheme provided by the embodiment of the present invention therefore makes it more convenient to configure an authentication scheme for call requests to interfaces.

In addition, since each authentication channel can be configured with its own verification information, or with its own way of generating verification information, different encryption and decryption methods and different authentication schemes can be used to generate verification information. The scheme provided by the embodiment of the present invention can therefore support a variety of encryption and decryption methods and authentication schemes, which also reduces the operation and maintenance complexity of the online business platform.

In one embodiment of the present invention, FIG. 2 provides a schematic flow chart of an interface binding method. The online business platform binds interfaces to an authentication channel according to the following steps S201-S206.

Step S201: Obtain the interface description information recorded in the local code of the online business platform.

Specifically, when developers write the local code for each interface, they can add annotations to the interface methods. The online business platform can then obtain the interface description information of each interface from the annotations on its methods. For example, the online business platform can traverse the local code, read the annotations on the interface methods, and obtain the interface description information of each interface.

For example, annotations can be added to the interface methods in the local code of the business platform based on swagger. When the online business platform obtains the interface description information, it can then determine that information by scanning the local code for the markers used when the annotations were added, such as @Api (interface annotation), @ApiOperation (interface method annotation) and @ApiImplicitParams (interface parameter annotation).

Further, after the interface description information is determined, it can be parsed with Springfox (an open source framework for generating interface documents) to generate an interface document. The interface document is more intuitive and lets users view the description of each interface more directly.

Step S202: Based on the obtained interface description information, determine the interface information of the external access interfaces of the services provided by the online business platform.

Specifically, based on the obtained interface description information, the online business platform can determine the interface information of the interfaces whose annotations mark them as external access interfaces. For example, the annotation of an external access interface of a service provided by the online business platform can indicate that the interface is an external access interface. The online business platform can traverse the local code of the interfaces to determine the external access interfaces, and determine their interface information from the interface description information obtained in step S201.

Step S203: Display the determined interface information on the user interface.

The interface information includes at least one of the following: the full name of the interface class, the interface class access path, the interface class description information, the interface method name, the interface method access path, the interface method description information, the interface request type, and the interface business type. For example, see the schematic diagram of an interface for displaying interface information provided in FIG. 3. FIG. 3 is only an example of a user interface displaying interface information; the text in the figure does not limit the embodiments of the present invention and need not be attended to.

The full name of the interface class uniquely identifies an interface class. The interface class access path specifies the location of the interface class. The interface class description information describes the function, purpose, parameters and so on of the interface class so that users can understand it. The interface method name uniquely identifies an interface method. The interface method access path indicates the location of the interface method. The interface method description information describes the function, purpose, parameters and so on of the interface method so that users can understand it. The interface request type indicates the request type of the interface method, such as GET (get a resource), POST (submit data), PUT (update a resource) and DELETE (delete a resource). The interface business type indicates the business field to which the interface method belongs, such as operation and maintenance management, transaction management, user management and order management.

Displaying interface information to users in as much detail as possible improves the user experience and lets users understand each interface more intuitively. Clearly displayed interface information also reduces user errors.

Step S204: Create an authentication channel and display the information of the authentication channel on the user interface.

In one implementation, after receiving an authentication channel creation instruction sent by a user through a client, the online business platform creates the authentication channel and, based on information carried in the creation instruction such as the channel name and channel description, can display the created authentication channel on the user interface. The online business platform can also obtain the information of the existing authentication channels recorded in the platform and display it on the user interface.

Further, after receiving the authentication channel creation instruction sent by the user through the client, the online business platform can trigger an authentication channel creation review process and send a creation review reminder to the reviewer preset for that process. Only if the creation review passes is the authentication channel created and its information recorded.

The information of the authentication channel includes at least one of the following:

The channel identifier, the channel name, the channel secret key, the channel description information, and the interface information of the interfaces bound to the authentication channel. For example, see the schematic diagram of an interface for displaying authentication channel information provided in FIG. 4. FIG. 4 is only an example of a user interface displaying authentication channel information; the text in the figure does not limit the embodiments of the present invention and need not be attended to.

The channel identifier uniquely identifies an authentication channel. The channel name is the name of the authentication channel. The channel description information describes the channel's business, purpose, parameters, attributes and so on so that users can understand it. The interface information of the interfaces bound to the authentication channel indicates how many interfaces are bound to the channel and gives the interface information of each bound interface.

Displaying authentication channel information to users in as much detail as possible improves the user experience and lets users understand each authentication channel more intuitively. Clearly displayed authentication channel information reduces user errors and lets users configure authentication schemes for interface call requests more intuitively and conveniently.

Step S205: Determine the target interface of the corresponding service that the user selects for the authentication channel based on the displayed interface information.

Specifically, a binding button can be provided in the user interface for the displayed interface information, and the user can click it to select the target interface of the corresponding service for the authentication channel. After the online business platform receives the binding instruction for the target interface and the authentication channel sent by the client the user is using, it determines the target interface that the user selected for the authentication channel based on the displayed interface information.

Step S206: Establish a binding relationship between the authentication channel and the target interface, and store the binding relationship.

Specifically, the online business platform can store the binding relationship between the authentication channel and the target interface in a database.

As can be seen from the above, the online business platform displays the interface information of the determined external access interfaces in the user interface according to the obtained interface description information, so users can view the interface information directly, which improves the user experience. Users can understand the details of each interface intuitively, and clearly displayed interface information also reduces user errors. After creating an authentication channel, the online business platform displays its information in the user interface, so users can see both the authentication channel information and the interface information, can view and determine the binding between interfaces and authentication channels visually, and can therefore decide intuitively which target interface to select for an authentication channel. After determining the target interface the user selected for the authentication channel based on the displayed interface information, the online business platform establishes and stores the binding relationship between the authentication channel and the target interface. Users can thus configure the authentication scheme of the target interface by binding it to an authentication channel, without relying on hard coding or configuration files, which further improves the convenience of configuring authentication schemes for interface call requests.

In one embodiment of the present invention, step S204 further includes, after the authentication channel is created: issuing a secret key for the authentication channel.

In one implementation, the online business platform can randomly generate the secret key and record the correspondence between the secret key and the authentication channel. The secret key may be a string of 16 letters.

In another implementation, the secret key may be a preset value.

In this case, determining in step S103 whether the first verification information matches the request verification information can be implemented as follows: generate the first verification information based on the secret key corresponding to the first authentication channel; determine whether the first verification information matches the request verification information.

For example, the first verification information may be generated in the following manner:

If the call request carries no other parameters, the online business platform can assemble the secret key and the current date into a string and encrypt the string. The encryption method may be md5 (an encryption method), and the current date may be an 8-digit number, such as 20231023. The string may be: secret=<secret key corresponding to the first authentication channel>&date=<current date>.

If the call request carries request body parameters, the online business platform can assemble the secret key, the request body parameters and the current date into a string and encrypt the string. The request body parameters may be a data string formatted as json (a lightweight data exchange format) with null values removed. The string may be: secret=<secret key corresponding to the first authentication channel>&param=<request body parameters>&date=<current date>.

If the call request carries resource location parameters, the online business platform can assemble the secret key, the resource location parameters and the current date into a string and encrypt the string. The resource location parameters may be the URL (Uniform Resource Locator) parameters carried in the call request, and may also be a data string formatted as json with null values removed. The string may be: secret=<secret key corresponding to the first authentication channel>&param=<params parameters>&date=<current date>.

If the call request carries both request body parameters and resource location parameters, the online business platform can assemble the secret key, the request body parameters and the current date into a string and encrypt the string. The string may be: secret=<secret key corresponding to the first authentication channel>&param=<request body parameters>&date=<current date>.

The above ways of generating the first verification information are only examples; the embodiments of the present invention do not limit the specific way in which the first verification information is generated.

The online business platform can then determine whether the first verification information is the same as the request verification information. If they are the same, the first verification information matches the request verification information. If they are not the same, the first verification information does not match the request verification information.
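The following Python sketch is an added example, not code from the patent. It walks steps S101-S104 together with the key-based generation just described: it builds the string for the four parameter cases, hashes it with MD5, and authorizes only interfaces bound to the matched channel. The header names X-Channel-Id and X-Channel-Sign, the comma-separated list of channel identifiers, the sorted-key compact JSON canonical form, and all channel ids, secrets and paths are assumptions or constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed channel records: channel id -> secret key and bound interfaces.
# Ids, secrets and paths are sample values, not taken from the patent.
CHANNELS = {
    "trade": {"secret": "abcdefghijklmnop",
              "interfaces": {("POST", "/trade/order"), ("GET", "/trade/order")}},
    "ops": {"secret": "qrstuvwxyzabcdef",
            "interfaces": {("GET", "/ops/health")}},
}


def canonical_params(params):
    """JSON-format the parameters with null values removed.

    Assumption: keys are sorted and separators are compact so that the
    requester and the platform produce byte-identical strings.
    """
    cleaned = {k: v for k, v in params.items() if v is not None}
    return json.dumps(cleaned, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)


def build_string(secret, date, body=None, query=None):
    """Assemble the string for the four cases described in the text.

    When both body and URL parameters are present, only the body
    parameters are used, as in the fourth case.
    """
    params = body if body else query
    if params:
        return f"secret={secret}&param={canonical_params(params)}&date={date}"
    return f"secret={secret}&date={date}"


def make_verification(secret, date, body=None, query=None):
    """MD5 hex digest of the assembled string (32 hex characters)."""
    text = build_string(secret, date, body, query)
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def authorize(request, today):
    """Return the id of the channel that authorizes the call, or None."""
    headers = request["headers"]
    # S101: read channel identifier(s) and request verification information.
    ids = [c.strip() for c in headers.get("X-Channel-Id", "").split(",") if c.strip()]
    presented = headers.get("X-Channel-Sign", "")
    target = (request["method"], request["path"])
    for channel_id in ids:
        channel = CHANNELS.get(channel_id)      # S102: first authentication channel
        if channel is None:
            continue
        expected = make_verification(channel["secret"], today,
                                     request.get("body"), request.get("query"))
        # S103: constant-time comparison of the two values.
        matched = hmac.compare_digest(expected.encode(), presented.encode())
        # S104: only interfaces bound to the matched channel may be called.
        if matched and target in channel["interfaces"]:
            return channel_id
    return None
```

Because the date is the only time-varying input, a verification value computed for a request stays valid until the date changes. The comparison uses hmac.compare_digest so that its timing does not depend on how many characters match.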

As can be seen from the above, since each authentication channel can be configured with its own way of generating verification information, different encryption and decryption methods and different authentication schemes can be used to generate verification information, and the scheme provided by the embodiment of the present invention can support a variety of them. Users can therefore bind interfaces to authentication channels according to the authentication requirements, encryption and decryption requirements, and authentication schemes of different interfaces, which further improves the convenience of configuring authentication schemes for interface call requests.

In one embodiment of the present invention, the following steps A and B are further included after step S201. Steps A and B remind an administrator to bind the interfaces that match the business of the authentication channel the administrator is responsible for.

Step A: Based on the obtained interface description information, determine the interface business type of the interface corresponding to each piece of interface description information.

As in the above embodiment, the interface business type indicates the business field to which the interface method belongs, such as operation and maintenance management, transaction management, user management and order management.

In one case, the interface description information can be obtained after the online business platform starts, and the interface business type recorded in the description information of each interface is determined.

In another case, after the online business platform determines that an interface change has occurred, it obtains the description information of each changed interface and determines the interface business type recorded in that description information.

Step B: Determine, among the existing authentication channels, a second authentication channel that matches the determined interface business type, and send an interface binding reminder to the client used by the administrator of the second authentication channel.

Specifically, since authentication channels correspond to the services provided by the online business platform, the platform can record the service corresponding to each authentication channel. The online business platform then takes the authentication channel whose corresponding service is the same as the interface business type as the second authentication channel. It then determines the administrator of the second authentication channel from the information of that channel recorded in the platform, and sends an interface binding reminder to the client used by that administrator. In this way the administrator is notified promptly to bind the interfaces that may relate to the authentication channel the administrator is responsible for, which reduces the chance that users forget to bind interfaces and reduces erroneous or late operations.

In one embodiment of the present invention, based on the embodiment provided in FIG. 2 above, the method further includes: if an interface change occurs on the online business platform, obtaining the interface status of the changed interface; if the interface status indicates that the changed interface is not a deprecated interface, sending an interface change reminder to the client used by the administrator of the authentication channel.

The following describes how the changed interface is determined.

When an interface of the online business platform changes, the online business platform built on the swagger framework can read the annotations of the interface's methods to obtain the interface description information. The online business platform can then parse the interface description information and generate an interface document. The interface document may be a swagger document generated by the swagger framework. After the interface changes, the online business platform can read the interface document from before the change and the interface document from after the change, compare the two documents to find the interfaces that differ, and thereby determine the changed interface.

The following describes how the interface status of the changed interface is obtained.

Specifically, after the online business platform determines that an interface change has occurred, it traverses the local code for the method of the changed interface, reads the annotation of that method, obtains the interface description information of the changed interface, and then obtains the interface status of the changed interface from that description information. When developers write the local code for each interface, they can add annotations to the interface's methods and mark the interface status in the annotations.

If the interface status indicates that the changed interface is a deprecated interface, the requester will no longer call the interface. If the interface status indicates that the changed interface is not a deprecated interface, for example, the interface status is newly added interface or changed interface, the online business platform sends an interface change reminder to the client used by the administrator of the authentication channel. In this way, the administrator of the authentication channel can be reminded in time to bind or unbind the interfaces bound to the authentication channel, reducing errors caused by untimely user operations.
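The document comparison and deprecation check described above, as an added example that is not code from the patent: it diffs two swagger documents operation by operation and builds reminders only for changes that are not deprecations. Reading the status from the standard `deprecated` field, reporting a deleted operation as `removed`, and routing reminders by matching operation tags to a channel's `service` are assumptions, as are all names and the constructed sample data.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}


def operations(doc):
    """Map (METHOD, path) -> operation object for every operation in a swagger document."""
    ops = {}
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                # Fold path-level parameters in so a change there is also detected.
                ops[(method.upper(), path)] = dict(
                    op, _path_parameters=item.get("parameters", []))
    return ops


def diff_interfaces(before, after):
    """Return the interfaces that differ between two swagger documents, with a status."""
    old, new = operations(before), operations(after)
    changes = []
    for key in sorted(set(old) | set(new)):
        previous, current = old.get(key), new.get(key)
        if (previous is not None and current is not None and
                json.dumps(previous, sort_keys=True) == json.dumps(current, sort_keys=True)):
            continue  # identical in both documents: not a changed interface
        if current is None:
            status = "removed"      # assumption: a stale binding is worth flagging
        elif current.get("deprecated") is True:
            status = "deprecated"
        elif previous is None:
            status = "added"
        else:
            status = "changed"
        tags = (current or previous).get("tags", [])
        changes.append({"method": key[0], "path": key[1], "status": status, "tags": tags})
    return changes


def reminders(changes, channels):
    """Build (admin, method, path, status) reminders for non-deprecated changes."""
    out = []
    for change in changes:
        if change["status"] == "deprecated":
            continue  # requesters stop calling it; no binding action is prompted
        for _, channel in sorted(channels.items()):
            if channel["service"] in change["tags"]:  # assumption: route by service tag
                out.append((channel["admin"], change["method"],
                            change["path"], change["status"]))
    return out


# Constructed sample documents (before and after a release) and channels.
BEFORE = {"swagger": "2.0", "paths": {
    "/orders": {"get": {"tags": ["trade"], "summary": "List orders"}},
    "/orders/{id}": {"delete": {"tags": ["trade"], "summary": "Cancel order"}},
    "/quotes": {"get": {"tags": ["market"], "summary": "Quotes"}},
}}
AFTER = {"swagger": "2.0", "paths": {
    "/orders": {"get": {"tags": ["trade"], "summary": "List orders",
                        "parameters": [{"name": "status", "in": "query", "type": "string"}]}},
    "/orders/{id}": {"delete": {"tags": ["trade"], "summary": "Cancel order",
                                "deprecated": True}},
    "/quotes": {"get": {"tags": ["market"], "summary": "Quotes"}},
    "/accounts": {"post": {"tags": ["account"], "summary": "Open account"}},
}}
CHANNELS = {
    "ch-trade": {"service": "trade", "admin": "trade-admin@example.invalid"},
    "ch-account": {"service": "account", "admin": "account-admin@example.invalid"},
}

if __name__ == "__main__":
    for reminder in reminders(diff_interfaces(BEFORE, AFTER), CHANNELS):
        print(reminder)
```
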

In one embodiment of the present invention, based on the embodiment provided in FIG. 2 above, after step S205, the interface binding method further includes: triggering a binding review process for the target interface; if the review is passed, executing step S206.

After receiving the interface binding instruction for the authentication channel and the target interface that the user sends from the client, the online business platform can trigger the binding review process for the target interface and send a binding review reminder to the reviewer preset for that process. It can also show the reviewer the information of the authentication channel and the interface information of the target interface involved in the binding instruction. If the binding review process is passed, step S206 is executed.

In this way, the authentication and authorization processes can be combined in the online business platform, and the review process improves the security of calls to the interfaces bound to the authentication channel.

Corresponding to the above swagger-based call request authentication method, an embodiment of the present invention also provides a swagger-based call request authentication device.

Referring to the schematic structural diagram of a call request authentication device provided in FIG. 5, the device is applied to an online business platform built based on swagger, and the device includes:

a call request receiving module 501, used to receive a call request for an interface carrying a channel identifier and request verification information;

an authentication channel determination module 502, used to determine a first authentication channel corresponding to the channel identifier among the existing authentication channels, wherein the authentication channel corresponds to a service provided by the online business platform, and the authentication channel is bound with an interface for accessing the service corresponding to the authentication channel;

a verification information matching module 503, used to determine whether the first verification information corresponding to the first authentication channel matches the request verification information, and if they match, to trigger the interface determination module 504;

an interface determination module 504, used to determine that the interface bound to the first authentication channel is the interface that the call request is authorized to call.

As can be seen from the above, in the scheme provided by the embodiment of the present invention, the first authentication channel corresponding to the channel identifier is determined based on the channel identifier carried by the call request, and whether the call request can access the interface bound to the first authentication channel is determined by whether the verification information of the first authentication channel matches the request verification information. When an interface that needs authentication changes, the online business platform can, based on swagger, modify and adjust the interface while running, so the interfaces bound to an authentication channel can be changed. Because an interface is authenticated through the verification information corresponding to its authentication channel, modifying the binding relationship between the changed interface and the authentication channel modifies the authentication method of that interface. There is no need to use hard coding to modify the route of each changed interface, nor to modify the interception rules in the code layer of the online business platform. It is only necessary to bind the changed interface that needs authentication to the authentication channel of the business to which the interface belongs. It can be seen that the scheme provided by the embodiment of the present invention can improve the convenience of configuring the authentication scheme for call requests to an interface.

In one embodiment of the present invention, the online business platform binds interfaces to the authentication channel in the following manner:

obtaining the interface description information recorded in the local code of the online business platform;

based on the obtained interface description information, determining the interface information of the external access interfaces of the services provided by the online business platform;

displaying the determined interface information on the user interface;

creating an authentication channel and displaying the information of the authentication channel on the user interface;

determining the target interface of the corresponding service that the user selects for the authentication channel based on the displayed interface information;

establishing a binding relationship between the authentication channel and the target interface, and storing the binding relationship.

As can be seen from the above, the online business platform displays the interface information of the determined external access interfaces in the user interface according to the obtained interface description information, so that the user can view the interface information intuitively, which improves the user experience. The user can intuitively understand the details of each interface, and a clear display of interface information also reduces erroneous user operations. After creating the authentication channel, the online business platform displays the information of the authentication channel in the user interface, so that the user can see both the authentication channel information and the interface information and can visually view and determine the binding relationship between interfaces and authentication channels. The user can therefore intuitively determine the target interface selected for the authentication channel. After determining that the user has selected the target interface for the authentication channel based on the displayed interface information, the online business platform establishes a binding relationship between the authentication channel and the target interface and stores it. The user thus configures the authentication scheme for the target interface by binding the authentication channel to the target interface, without relying on hard coding or configuration files, which further improves the convenience of configuring the authentication scheme for call requests to an interface.

In one embodiment of the present invention, after the authentication channel is created, the method further includes:

issuing a secret key for the authentication channel;

determining whether the first verification information corresponding to the first authentication channel matches the request verification information includes:

generating the first verification information based on the secret key corresponding to the first authentication channel;

determining whether the first verification information matches the request verification information.

As can be seen from the above, since each authentication channel can be configured with its own way of generating verification information, different encryption and decryption methods and different authentication schemes can be used to generate the verification information. The scheme provided by the embodiment of the present invention can therefore support a variety of encryption and decryption methods and authentication schemes. In this way, users can bind interfaces to authentication channels according to the different authentication requirements, encryption and decryption requirements, and authentication schemes of the interfaces, which further improves the convenience of configuring the authentication scheme for call requests to an interface.
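The channel flow described above (create a channel, issue its key, bind reviewed interfaces, then authenticate a call by channel identifier and verification information), as an added example that is not code from the patent. The patent leaves the generation method open; using HMAC-SHA256 over channel, method, path and timestamp, the freshness window, and every name here are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_SKEW_SECONDS = 300  # assumption: replay window, not specified on the page


class Platform:
    """In-memory stand-in for the stored channels and binding relationships."""

    def __init__(self):
        self.channels = {}  # channel_id -> {"name", "key", "bound"}

    def create_channel(self, channel_id, name):
        key = secrets.token_bytes(32)  # the key issued for this channel
        self.channels[channel_id] = {"name": name, "key": key, "bound": set()}
        return key

    def bind(self, channel_id, method, path, review_passed):
        """Store the binding only when the binding review was passed."""
        channel = self.channels.get(channel_id)
        if channel is None or not review_passed:
            return False
        channel["bound"].add((method.upper(), path))
        return True


def verification_info(key, channel_id, method, path, timestamp):
    """Assumed generation method: HMAC-SHA256 over the request's identifying fields."""
    message = "\n".join([channel_id, method.upper(), path, str(timestamp)]).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_request(key, channel_id, method, path, timestamp):
    """Caller side: attach the channel identifier and the request verification information."""
    return {"channel_id": channel_id, "method": method, "path": path,
            "timestamp": timestamp,
            "verification": verification_info(key, channel_id, method, path, timestamp)}


def authorize(platform, request, now):
    """Return (allowed, reason) for a call request."""
    channel_id = str(request.get("channel_id", ""))
    method = str(request.get("method", ""))
    path = str(request.get("path", ""))
    channel = platform.channels.get(channel_id)
    if channel is None:
        return False, "unknown channel"
    timestamp = request.get("timestamp")
    if not isinstance(timestamp, int) or abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale request"
    # First verification information, generated from the channel's own key.
    expected = verification_info(channel["key"], channel_id, method, path, timestamp)
    supplied = str(request.get("verification", ""))
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "verification mismatch"
    # A valid key only grants the interfaces bound to that channel.
    if (method.upper(), path) not in channel["bound"]:
        return False, "interface not bound to channel"
    return True, "ok"


if __name__ == "__main__":
    platform = Platform()
    key = platform.create_channel("trade", "Trading APIs")  # constructed sample channel
    platform.bind("trade", "GET", "/orders", review_passed=True)
    now = 1_700_000_000
    print(authorize(platform, build_request(key, "trade", "GET", "/orders", now), now))
    print(authorize(platform, build_request(key, "trade", "GET", "/quotes", now), now))
```
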

In one embodiment of the present invention, the interface information includes at least one of the following:

the full name of the interface class, the interface class access path, the interface class description information, the interface device name, the interface device access path, the interface device description information, the interface request type, and the interface service type.

It can be seen that displaying interface information to users in as much detail as possible improves the user experience and lets users understand the details of each interface more intuitively. A clear display of interface information also reduces erroneous user operations.

In one embodiment of the present invention, the information of the authentication channel includes at least one of the following:

the channel identifier, the channel name, the channel key, the channel description information, and the interface information of the interfaces bound to the authentication channel.

It can be seen that displaying authentication channel information to users in as much detail as possible improves the user experience and lets users understand the details of each authentication channel more intuitively. A clear display of authentication channel information reduces erroneous user operations and lets users configure the authentication scheme for call requests to an interface more intuitively, improving convenience.

In one embodiment of the present invention, after obtaining the interface description information recorded in the local code of the online business platform, the method further includes:

determining, according to the obtained interface description information, the interface service type of the interface corresponding to each piece of interface description information;

determining a second authentication channel, among the existing authentication channels, that matches the determined interface service type, and sending an interface binding reminder to the client used by the administrator of the second authentication channel.

In this way, administrators can be notified in time to bind interfaces that may be related to the authentication channels they are responsible for, which reduces the chance that a user forgets to bind an interface and reduces erroneous or untimely user operations.

In one embodiment of the present invention, the process by which the online business platform binds interfaces to the authentication channel further includes:

if an interface change occurs on the online business platform, obtaining the interface status of the changed interface;

if the interface status indicates that the changed interface is not a deprecated interface, sending an interface change reminder to the client used by the administrator of the authentication channel.

In this way, the administrator of the authentication channel can be reminded in time to bind or unbind the interfaces bound to the authentication channel, reducing errors caused by untimely user operations.

In one embodiment of the present invention, after determining the target interface of the corresponding service that the user selects for the authentication channel based on the displayed interface information, the method further includes:

triggering the binding review process for the target interface;

if the review is passed, executing the step of establishing a binding relationship between the authentication channel and the target interface.

In this way, the authentication and authorization processes can be combined in the online business platform, and the review process improves the security of calls to the interfaces bound to the authentication channel.

An embodiment of the present invention further provides an electronic device, as shown in FIG. 6, including a processor 601, a communication interface 602, a memory 603 and a communication bus 604, wherein the processor 601, the communication interface 602 and the memory 603 communicate with each other through the communication bus 604.

The memory 603 is used to store computer programs;

the processor 601 is used to implement any of the above swagger-based call request authentication methods when executing the program stored in the memory 603.

The communication bus mentioned for the above electronic device can be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in the figure, but this does not mean that there is only one bus or one type of bus.

The communication interface is used for communication between the above electronic device and other devices.

The memory may include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located away from the aforementioned processor.

The above processor can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and so on; it can also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.

In another embodiment provided by the present invention, a computer-readable storage medium is also provided, in which a computer program is stored. When the computer program is executed by a processor, any of the above swagger-based call request authentication methods is implemented.

In another embodiment provided by the present invention, a computer program product comprising instructions is also provided, which, when run on a computer, causes the computer to execute any of the above swagger-based call request authentication methods.

The above embodiments can be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they can be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are generated in whole or in part. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions can be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium can be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a solid state disk (SSD)).

It should be noted that, in this document, relational terms such as first and second are only used to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements, but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device including that element.

The embodiments in this specification are described in a related manner; the same or similar parts of the embodiments can be referred to each other, and each embodiment focuses on its differences from the others. In particular, the device, electronic device, computer storage medium and computer program product embodiments are described relatively briefly because they are basically similar to the method embodiments, and the relevant parts can be found in the description of the method embodiments.

The above description is only a preferred embodiment of the present invention and is not intended to limit the protection scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention is included in the protection scope of the present invention.

Claims (10)

1. A swagger-based call request authentication method, characterized in that it is applied to an online business platform built based on swagger, and the method includes:
receiving a call request for an interface carrying a channel identifier and request verification information;
determining a first authentication channel corresponding to the channel identifier among the existing authentication channels, wherein the authentication channel corresponds to a service provided by the online business platform, and the authentication channel is bound with an interface for accessing the service corresponding to the authentication channel;
determining whether the first verification information corresponding to the first authentication channel matches the request verification information;
if they match, determining that the interface bound to the first authentication channel is the interface that the call request is authorized to call;
the online business platform binds an interface to the authentication channel in the following manner:
obtaining interface description information recorded in the local code of the online business platform;
based on the obtained interface description information, determining the interface information of the external access interface of the service provided by the online business platform;
displaying the determined interface information on the user interface;
creating the authentication channel, and displaying information of the authentication channel on the user interface;
determining a target interface of the corresponding service selected by the user for the authentication channel based on the displayed interface information;
establishing a binding relationship between the authentication channel and the target interface, and storing the binding relationship.

2. The method according to claim 1, characterized in that after the creation of the authentication channel, it also includes:
issuing a secret key for the authentication channel;
the determining whether the first verification information corresponding to the first authentication channel matches the request verification information includes:
generating first verification information based on the secret key corresponding to the first authentication channel;
determining whether the first verification information matches the request verification information.

3. The method according to claim 1 or 2, characterized in that the interface information includes at least one of the following information:
the full name of the interface class, the interface class access path, the interface class description information, the interface method name, the interface method access path, the interface method description information, the interface request type, and the interface service type.

4. The method according to claim 1 or 2, characterized in that the information of the authentication channel includes at least one of the following information:
channel identifier, channel name, channel key, channel description information and interface information of the interface bound to the authentication channel.

5. The method according to claim 1 or 2, characterized in that after obtaining the interface description information recorded in the local code of the online business platform, it also includes:
determining the interface service type of the interface corresponding to each interface description information according to the obtained interface description information;
determining a second authentication channel that matches the determined interface service type among the existing authentication channels, and sending an interface binding reminder to a client used by an administrator of the second authentication channel.

6. The method according to claim 1 or 2, characterized in that the method further comprises:
if an interface change occurs on the online business platform, obtaining the interface status of the changed interface;
if the interface status indicates that the changed interface is not a deprecated interface, sending an interface change reminder to a client used by the administrator of the authentication channel.

7. The method according to claim 1 or 2, characterized in that after determining the target interface of the corresponding service selected by the user for the authentication channel based on the displayed interface information, it also includes:
triggering a binding review process for the target interface;
if the review is passed, executing the step of establishing a binding relationship between the authentication channel and the target interface.

8. A swagger-based call request authentication device, characterized in that it is applied to an online business platform built based on swagger, and the device includes:
a call request receiving module, used to receive a call request for an interface carrying a channel identifier and request verification information;
an authentication channel determination module, used to determine a first authentication channel corresponding to the channel identifier among existing authentication channels, wherein the authentication channel corresponds to a service provided by the online business platform, and the authentication channel is bound with an interface for accessing the service corresponding to the authentication channel;
a verification information matching module, used to determine whether the first verification information corresponding to the first authentication channel matches the request verification information, and if they match, to trigger the interface determination module;
the interface determination module, used to determine that the interface bound to the first authentication channel is the interface that the call request is authorized to call;
the online business platform binds an interface to the authentication channel in the following manner:
obtaining interface description information recorded in the local code of the online business platform;
based on the obtained interface description information, determining the interface information of the external access interface of the service provided by the online business platform;
displaying the determined interface information on the user interface;
creating the authentication channel, and displaying information of the authentication channel on the user interface;
determining a target interface of the corresponding service selected by the user for the authentication channel based on the displayed interface information;
establishing a binding relationship between the authentication channel and the target interface, and storing the binding relationship.

9. An electronic device, characterized in that it comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other via the communication bus;
the memory is used to store computer programs;
the processor is used to implement the method steps described in any one of claims 1 to 7 when executing a program stored in the memory.

10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the method steps described in any one of claims 1 to 7 are implemented.
CN202311836584.1A 2023-12-28 2023-12-28 Swagger-based call request authentication method and swagger-based call request authentication device Active CN117955698B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311836584.1A CN117955698B (en) 2023-12-28 2023-12-28 Swagger-based call request authentication method and swagger-based call request authentication device

Publications (2)

Publication Number Publication Date
CN117955698A CN117955698A (en) 2024-04-30
CN117955698B true CN117955698B (en) 2024-09-13

Family

ID=90795278

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311836584.1A Active CN117955698B (en) 2023-12-28 2023-12-28 Swagger-based call request authentication method and swagger-based call request authentication device

Country Status (1)

Country Link
CN (1) CN117955698B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114219480A (en) * 2021-12-09 2022-03-22 杭州每刻科技有限公司 Multi-channel fee-control quick payment method and system
CN117201163A (en) * 2023-09-28 2023-12-08 兴业消费金融股份公司 Multi-dimensional interface authentication method, device, computer equipment and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108052615B (en) * 2017-12-15 2021-12-21 泰康保险集团股份有限公司 Access request processing method, device, medium and electronic equipment
CN110149328B (en) * 2019-05-22 2023-01-31 平安科技(深圳)有限公司 Interface authentication method, device, equipment and computer readable storage medium
CN112995166B (en) * 2021-02-10 2023-05-05 北京金山云网络技术有限公司 Authentication method and device for resource access, storage medium and electronic equipment
CN116319993A (en) * 2022-09-09 2023-06-23 中信建投证券股份有限公司 Security business service request access system, method, device and equipment

Also Published As

Publication number Publication date
CN117955698A (en) 2024-04-30

Similar Documents

Publication Publication Date Title
US10999063B2 (en) Methods and apparatus for verifying a user transaction
US8104075B2 (en) Trust management systems and methods
US20250343692A1 (en) Dynamic implementation and management of hash-based consent and permissioning protocols
CN111767095B (en) Micro-service generation method, device, terminal equipment and storage medium
US8117459B2 (en) Personal identification information schemas
US20230421399A1 (en) Cross chain access granting to applications
US20100011409A1 (en) Non-interactive information card token generation
CN101331509A (en) A security token that includes a displayable claim
WO2020253401A1 (en) File management method, apparatus, system and device, and computer-readable storage medium
WO2020182005A1 (en) Method for information processing in digital asset certificate inheritance transfer, and related device
CN108259438A (en) A kind of method and apparatus of the certification based on block chain technology
WO2012055175A1 (en) Method, apparatus and system for processing the configuration files
WO2023005838A1 (en) Data sharing method and electronic device
TW201729121A (en) Cloud service server and method for managing cloud service server
WO2023098769A1 (en) Identity authentication method, electronic device and computer-readable storage medium
CN111709752A (en) Virtual resource processing method, apparatus, computer readable medium and electronic device
JP7190477B2 (en) Electronic document management device and electronic document management program
JP2014096101A (en) User authentication device and user authentication program
JP5991143B2 (en) Information processing apparatus, system, and information registration method
CN117955698B (en) Swagger-based call request authentication method and swagger-based call request authentication device
CN107729345B (en) Website data processing method and device, website data processing platform and storage medium
JP6378727B2 (en) Message transmission method, message transmission program, and message transmission apparatus
WO2025025432A1 (en) Data management method, apparatus and system
CN117216061A (en) Processing method, device, equipment and medium for idempotent problem of Web page
CN116980136A (en) Interface processing method, device, equipment, storage medium and product of intelligent contract

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant