[0036] Example
[0037] As shown in Figure 1 and Figure 2, the third-party secure access method in the form of an H5 application of the service provider involves the third-party backend, the service provider's H5 end, the service provider's gateway server, the service provider's authentication end, and the service provider's backend. It includes the following steps:
[0038] A. A user of the third-party client clicks an entry to request the service application provided by the service provider, and the third-party client notifies the third-party backend of this message;
[0039] B. The third-party backend initiates, through the service provider's gateway server, a request to the service provider to generate an access key AT (Access Token, AT for short); the service provider generates the access key AT and returns it to the third-party backend through the gateway server;
[0040] C. After the third-party backend receives the encrypted AT, it decrypts the AT and reverses it to obtain AK (AppKey, AK for short); AK is the asymmetric-encryption public key of the service provider's gateway server. The third-party webView opens the URL of the service provider's H5 end, and the H5 end temporarily stores AT and AK in the sessionStorage of the browser embedded in the third-party app;
[0041] D. The service provider's H5 end sends, through the gateway server, a request to the service provider to generate a visit key VT (Visit Token, VT for short). The request parameters include the access key AT, and the AT is encrypted using a random number as the key;
[0042] E. After receiving the VT generation request of step D, the service provider's authentication end first decrypts the request, then decrypts the AT and verifies its authenticity. When the AT is genuine, it generates the visit key VT, returns it to the service provider's H5 end through the gateway server, and invalidates the AT so that it can no longer serve as an access key;
[0043] F. The service provider's H5 end decrypts the VT with the random number, opens and renders the H5 product page, and provides the various external services of the H5 product;
[0044] G. The service provider's H5 end initiates a service message request to the service provider's backend through the gateway server. The request parameters of the service message request are first encrypted with a random number, then encrypted with VT, and then encrypted with AK;
[0045] H. After receiving the service message request initiated by the H5 end, the service provider's authentication end decrypts the request to recover the original service message parameters, uses these parameters to initiate a business request to the service provider's backend, and obtains the requested data; the returned message is encrypted with VT and sent back to the service provider's H5 end;
[0046] I. The service provider's H5 end receives the returned message, decrypts it with VT, and renders the returned data.
[0047] In step B, the third-party backend initiates, through the service provider's gateway server, a request to the service provider to generate the access key AT; the parameters passed in the request include the third party's registered account siteId at the service provider, the account appId of the service provider's H5 end, and the third-party account userId of the third party's customer.
[0048] In step B, the service provider generates the access key AT for the third party's registered account siteId and the account appId of the service provider's H5 end, and sends the encrypted access key AT back to the third-party backend through the gateway server. The access key AT is reversible.
[0049] The access key AT of step B contains the asymmetric-encryption public key AK of the service provider's gateway server, and the service provider's authentication end holds the corresponding asymmetric-encryption private key SK (SecretKey, SK for short).
[0050] In step D, the service provider's H5 end initiates, through the gateway server, a request to the service provider to generate the visit key VT; the request parameters include the gateway server's asymmetric-encryption public key AK and the access key AT. The AT in the request parameters is encrypted with a random number as the key, and the request as a whole is then encrypted with the gateway server's public key AK.
[0051] In step E, the specific process by which the service provider's authentication end decrypts the VT generation request is: after receiving the request of step D, the authentication end uses the private key SK corresponding to the gateway server's public key AK to decrypt the request, and then uses the decrypted random number as the key to decrypt the AT.
[0052] In step E, the service provider's authentication end stores the generated visit key VT together with the third party's registered account siteId at the service provider, the account appId of the service provider's H5 end, and the third-party account userId of the third party's customer that were supplied when the AT was generated.
[0053] The service message request of step G also includes the parameter AK, the third party's registered account siteId at the service provider, the account appId of the service provider's H5 end, and the third-party account userId of the third party's customer.
[0054] In step H, the specific process by which the service provider's authentication end decrypts the service message request is: it first uses the private key SK corresponding to the gateway server's public key AK to decrypt the service message request, then looks up the corresponding VT according to the third party's registered account siteId, the account appId of the service provider's H5 end, and the third-party account userId of the third party's customer and decrypts with that VT, and finally uses the decrypted random number to decrypt the original service message parameters.
[0055] The present invention overcomes the defects of the prior art described above, namely data leakage when the service provider is accessed by a third party, uncontrollable use of data, increased third-party app size, long access cycles, complex processes, and high development cost. The entire H5 application is developed by the service provider. The third party only needs to initiate a request from its backend to obtain a key for the service provider's H5 home page; the rest of the process has nothing to do with the third party, and no data is leaked to any third party. Because it is an H5 application, there is no problem of increasing the size of the third-party app or of needing to republish a version; it only requires configuring a jump in the third-party backend, and the overall development cost is controllable. One set of H5 code can be developed for access from iOS, Android and H5 terminals; every modification is synchronized to all access parties at the same time, with no update perceptible to the user, fast release, strong reusability, and flow control, and requesters can be classified and rate-limited or rejected according to their key.
[0056] In terms of security, the method refers to the OAuth 2.0 mechanism: first there is the access key AT, and then the visit key VT. Random numbers, hashes, the AES encryption algorithm, and public/private key encryption and decryption are added to increase complexity; each request is encrypted and signed, and the decryption key is not carried in the request, so capturing packets is useless and does not yield the VT. An attacker would need to crack the reinforced and shelled third-party app and extract the webView activity of the third-party Android app, and under iOS could only reverse-compile the entire app and rewrite all modules. The JS files of the service provider's H5 end are compressed and obfuscated, the front and back ends are separated, and at the network level HTTPS encryption and CSRF protection are used, so the whole method is very expensive to crack.
[0057] In the present invention, the AT is consumed once and becomes invalid after the VT is generated; all data that the service provider's H5 end caches in the sessionStorage of the third-party app's webView is encrypted with the AT as the key before being cached. The service provider's services are deployed with front-end and back-end separation, isolating the front end from the back end; the front-end products are delivered as a SPA, and the separate server uses PM2 for per-core load balancing to achieve high responsiveness and fast rendering. Frequently changing and public static resources are deployed on a CDN, making the user experience faster and smoother.
[0058] Compared with the prior art, with the present invention the entire H5 application is developed by the service provider, no data is leaked to any third party, and there is no problem of increasing the size of the third-party app or of needing to republish it. The third-party backend can be configured with a single jump, and the overall development cost is controllable. The present invention synchronizes every modification to all access parties together, with no update perceptible to the user, fast release, strong reusability, flow control, and rate limiting and rejection of requesting parties classified by key. The present invention has first the access key and then the visit key, and adds random numbers, hashes, the AES encryption algorithm, and public/private key encryption and decryption to increase complexity; the cost of cracking the whole method is very high, and the security of the encryption is improved.