aksk

<p class="shortdesc">The aksk plugin quickly adds AccessKey/SecretKey authentication to an API.</p>
<section class="section" id="aksk__section_yr4_r5c_fsb"><h2 class="doc-tairway">Integration steps</h2>
<ol class="ol" id="aksk__ol_r3m_v5c_fsb">
<li class="li">Define the list of parameters to be verified (three parameter types: query, header and body).</li>
<li class="li">Define the AccessKey (used to look up the SecretKey) and the SecretKey (stored by both the client and Kong, used as the HS256 key). The client and Kong must hold the same values.</li>
<li class="li">Develop the API and configure the plugin.</li>
<li class="li">Implement the calling logic on the client (the PAFA-Cloud framework provides a quick integration option).</li>
</ol>
</section>
<section class="section" id="aksk__section_l4r_x5c_fsb"><h2 class="doc-tairway">Verification flow</h2>
<ol class="ol" id="aksk__ol_y14_y5c_fsb">
<li class="li"><strong class="ph b">Verify that the request is legitimate</strong><p class="p">Input parameters</p><table class="table" id="aksk__table_xwh_z5c_fsb"><caption></caption><colgroup><col style="width:252"><col style="width:159"><col style="width:922"></colgroup><thead class="thead">
<tr class="row">
<th class="entry align-left" id="aksk__table_xwh_z5c_fsb__entry__1">Parameter</th>
<th class="entry align-left" id="aksk__table_xwh_z5c_fsb__entry__2">Type</th>
<th class="entry align-left" id="aksk__table_xwh_z5c_fsb__entry__3">Description</th>
</tr>
</thead><tbody class="tbody">
<tr class="row">
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__1 ">X-PAFA-OPENAPI-SIGN</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__2 ">header</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__3 ">Signature computed by the client</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__1 ">X-PAFA-OPENAPI-AK</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__2 ">header</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__3 ">The AccessKey of the AKSK key pair, used to look up the matching SecretKey. The AKSK key pair must be identical on the client and on Kong.</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__1 ">x-pafa-openapi-timestamp</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__2 ">header</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__3 ">Required for replay protection. Timestamp in seconds, used to check whether the request has expired.</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__1 ">x-pafa-openapi-nonce</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__2 ">header</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__3 ">Required for replay protection. Random value (length &lt;= 32), used to check whether the request has already been processed. <strong class="ph b">To avoid replay-check problems under high concurrency, make sure this value stays unique under high concurrency. Consider timestamp + UUID.</strong></td>
</tr>
</tbody></table><p class="p">Note: if body parameters are configured, Content-Type must be application/json and the body data must be in JSON format.</p></li>
<li class="li"><strong class="ph b">Replay protection check</strong><p class="p">The x-pafa-openapi-timestamp and x-pafa-openapi-nonce parameters listed above must be sent.</p><ol class="ol" type="a" id="aksk__ol_kdf_cvc_fsb">
<li class="li">The nonce must differ on every request; a repeated nonce marks the request as already processed.</li>
<li class="li">If the timestamp differs from the current time by more than 60 seconds, the request is treated as already processed.</li>
</ol></li>
<li class="li">
<p class="p">The plugin reads the parameters named in the query/header/body configuration, sorts them by parameter name in ascending order (the two replay-protection headers are included in the sort), assembles the data to verify, and signs it with HS256 (HMAC-SHA256) to produce the verification signature. This is compared with the X-PAFA-OPENAPI-SIGN header value; if they are equal, the request is accepted.</p>
<ul class="ul" id="aksk__ul_sbh_hvc_fsb">
<li class="li">Headers that must be sent with the request (not included in the signed data).</li>
<li class="li">X-PAFA-OPENAPI-SIGN: the signature computed by the client.</li>
<li class="li">X-PAFA-OPENAPI-AK: the AKSK key pair, used to look up the SK. The AKSK key pair must be identical on the client and on Kong.</li>
</ul>
<div class="p">Example: suppose the parameters obtained are<pre class="pre codeblock" id="aksk__codeblock_ovn_lvc_fsb"><code>query1=abcde
QUERY2=abcde
header1=abcde
HEADER2=abcde
body1=abcde
BODY2=abcde</code></pre></div>
<p class="p">Field names are lowercased and sorted in ascending order, with fields separated by semicolons (;). The resulting raw data to be signed is: <code class="ph codeph">body1=abcde;body2=abcde;header1=abcde;header2=abcde;query1=abcde;query2=abcde;x-pafa-openapi-nonce=5f152f4e335df05b243e22614c805b05;x-pafa-openapi-timestamp=1589347682;</code></p>
<p class="p">Signing this data with the SecretKey using HS256 produces: <code class="ph codeph">16ad29f72ad76488f217bd4753fa947fda513c409b82907c4beaf9bac9207973</code></p>
</li>
</ol>
</section>
<section class="section" id="aksk__section_cjx_pvc_fsb"><h2 class="doc-tairway">Configuration parameters</h2>
<div class="p">
<table class="table" id="aksk__table_qnd_rvc_fsb"><caption></caption><colgroup><col><col><col><col><col></colgroup><thead class="thead">
<tr class="row">
<th class="entry align-left" id="aksk__table_qnd_rvc_fsb__entry__1">Parameter</th>
<th class="entry align-left" id="aksk__table_qnd_rvc_fsb__entry__2">Type</th>
<th class="entry align-left" id="aksk__table_qnd_rvc_fsb__entry__3">Required</th>
<th class="entry align-left" id="aksk__table_qnd_rvc_fsb__entry__4">Default</th>
<th class="entry align-left" id="aksk__table_qnd_rvc_fsb__entry__5">Description</th>
</tr>
</thead><tbody class="tbody">
<tr class="row">
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__1 ">aksk_info</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__2 ">string</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__3 ">Y</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__4 ">{}</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__5 ">Key pairs; must be identical on the client and on Kong</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__1 ">query</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__2 ">boolean</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__3 ">N</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__4 ">[]</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__5 ">Parameter names in the URL</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__1 ">header</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__2 ">boolean</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__3 ">N</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__4 ">[]</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__5 ">Parameter names in the header</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__1 ">body</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__2 ">boolean</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__3 ">N</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__4 ">[]</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__5 ">Parameter names in the body. The body must be in JSON format and the Content-Type must include application/json</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__1 ">norepeat</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__2 ">boolean</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__3 ">Y</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__4 ">true</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__5 ">Whether replay protection is enabled</td>
</tr>
</tbody></table>
</div>
</section>
<section class="section" id="aksk__section_unp_rvc_fsb"><h2 class="doc-tairway">Configuration example</h2>
<p class="p"><img class="image" id="aksk__image_yxz_bwc_fsb" src="https://obs-cn-shanghai.fincloud.pinganyun.com/pacloud/20220910180811-1b683974955a.png" width="800"></p>
</section>
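<p class="p">The verification flow described above (canonical string, HS256 signature, 60-second timestamp window, nonce check), sketched in Python as an added example; it is not the plugin's code. Assumptions: the key pair is a constructed placeholder, keys and data are UTF-8 encoded, the signature is hex encoded as in the page's sample, and seen nonces are kept in an in-memory dictionary.</p>

```python
import hashlib
import hmac
import time

# Constructed sample key pair (placeholder values, not from the page).
AKSK_INFO = {"demo-access-key": "demo-secret-key"}
MAX_SKEW_SECONDS = 60   # replay window stated on the page
_seen_nonces = {}       # nonce -> expiry time (in-memory store is an assumption)

def canonical_string(params):
    """Lowercase the names, sort ascending, emit name=value; for each field."""
    lowered = {name.lower(): value for name, value in params.items()}
    return "".join(f"{name}={lowered[name]};" for name in sorted(lowered))

def sign(secret_key, params):
    """HS256 (HMAC-SHA256) over the canonical string, hex encoded."""
    msg = canonical_string(params).encode("utf-8")
    return hmac.new(secret_key.encode("utf-8"), msg, hashlib.sha256).hexdigest()

def verify(headers, params, now=None):
    """Return (ok, reason); params holds the configured query/header/body values."""
    now = int(time.time()) if now is None else now
    headers = {k.lower(): v for k, v in headers.items()}
    secret_key = AKSK_INFO.get(headers.get("x-pafa-openapi-ak", ""))
    if secret_key is None:
        return False, "unknown access key"
    nonce = headers.get("x-pafa-openapi-nonce", "")
    timestamp = headers.get("x-pafa-openapi-timestamp", "")
    if not nonce or len(nonce) > 32:
        return False, "bad nonce"
    if not (timestamp.isdecimal() and len(timestamp) <= 12):
        return False, "bad timestamp"
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False, "timestamp expired"
    # The two replay-protection headers are part of the signed data.
    signed = {**params, "x-pafa-openapi-nonce": nonce,
              "x-pafa-openapi-timestamp": timestamp}
    expected = sign(secret_key, signed).encode("utf-8")
    provided = headers.get("x-pafa-openapi-sign", "").encode("utf-8")
    # Constant-time comparison avoids leaking how much of the value matched.
    if not hmac.compare_digest(expected, provided):
        return False, "signature mismatch"
    # Record nonces only for authenticated requests, and drop expired entries.
    for old in [n for n, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[old]
    if nonce in _seen_nonces:
        return False, "nonce replayed"
    _seen_nonces[nonce] = int(timestamp) + MAX_SKEW_SECONDS
    return True, "ok"
```

<p class="p">In a multi-node gateway the nonce store has to be shared between nodes, otherwise the same request can be accepted once per node within the 60-second window.</p>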