aksk
<p class="shortdesc">The aksk plugin quickly adds AccessKey/SecretKey (AK/SK) authentication to an API.</p>
<section class="section" id="aksk__section_yr4_r5c_fsb"><h2 class="doc-tairway">Integration steps</h2>
<ol class="ol" id="aksk__ol_r3m_v5c_fsb">
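<li class="li">Define the list of parameters to be verified (there are three parameter types: query, header and body).</li>
<li class="li">Define the AccessKey (used to look up the SecretKey) and the SecretKey (stored separately by the client and by Kong, and used for HS256, that is HMAC-SHA256, signing). The client and Kong must hold the same values.</li>
<li class="li">Develop the API and configure the plugin.</li>
<li class="li">Implement the calling logic on the client (the PAFA-Cloud framework provides a quick integration option).</li>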
</ol>
</section>
<section class="section" id="aksk__section_l4r_x5c_fsb"><h2 class="doc-tairway">Verification flow</h2>
<ol class="ol" id="aksk__ol_y14_y5c_fsb">
<li class="li"><strong class="ph b">Verify that the request is legitimate</strong><p class="p">Input parameters</p><table class="table" id="aksk__table_xwh_z5c_fsb"><caption></caption><colgroup><col style="width:252"><col style="width:159"><col style="width:922"></colgroup><thead class="thead">
<tr class="row">
<th class="entry align-left" id="aksk__table_xwh_z5c_fsb__entry__1">Parameter name</th>
<th class="entry align-left" id="aksk__table_xwh_z5c_fsb__entry__2">Type</th>
<th class="entry align-left" id="aksk__table_xwh_z5c_fsb__entry__3">Description</th>
</tr>
</thead><tbody class="tbody">
<tr class="row">
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__1 ">X-PAFA-OPENAPI-SIGN</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__2 ">header</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__3 ">The signature data produced by the client</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__1 ">X-PAFA-OPENAPI-AK</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__2 ">header</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__3 ">The AccessKey of the AK/SK key pair, used to look up the matching SecretKey. The AK/SK key pair must be identical on the client and on Kong.</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__1 ">x-pafa-openapi-timestamp</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__2 ">header</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__3 ">Required for replay protection. Timestamp in seconds, used to check whether the request has expired.</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__1 ">x-pafa-openapi-nonce</td>
<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__2 ">header</td>
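<td class="entry align-left" headers="aksk__table_xwh_z5c_fsb__entry__3 ">Required for replay protection. Random value (length &lt;= 32), used to check whether the request has already been processed. <strong class="ph b">To avoid replay-check problems under high concurrency, make sure this value stays unique under high concurrency. Consider timestamp + UUID.</strong></td>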
</tr>
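</tbody></table><p class="p">Note: if body parameters are configured, Content-Type must be application/json and the body must be in JSON format.</p></li>
<li class="li"><strong class="ph b">Replay protection</strong><p class="p">The x-pafa-openapi-timestamp and x-pafa-openapi-nonce headers listed above must be sent.</p><ol class="ol" type="a" id="aksk__ol_kdf_cvc_fsb">
<li class="li">The nonce must differ on every request; a repeated nonce is treated as an already-processed request.</li>
<li class="li">If the timestamp differs from the current time by more than 60 s, the request is treated as an already-processed request.</li>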
</ol></li>
<li class="li">
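<p class="p">The plugin reads the parameters named in the query/header/body configuration, sorts them by parameter name in ascending order (the two replay-protection headers are included in the sort), assembles them into the data to verify, and signs that data with HS256 to produce the expected signature. The result is compared with the X-PAFA-OPENAPI-SIGN header value; if they match, the request passes.</p>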
<ul class="ul" id="aksk__ul_sbh_hvc_fsb">
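<li class="li">Headers that must be sent with the request (they are not part of the signed data):</li>
<li class="li">X-PAFA-OPENAPI-SIGN: the data signed by the client.</li>
<li class="li">X-PAFA-OPENAPI-AK: the AccessKey of the AK/SK key pair, used to look up the SK. The AK/SK key pair must be identical on the client and on Kong.</li>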
</ul>
<div class="p">Example: if the parameters obtained are<pre class="pre codeblock" id="aksk__codeblock_ovn_lvc_fsb"><code>query1=abcde
QUERY2=abcde
header1=abcde
HEADER2=abcde
body1=abcde
BODY2=abcde</code></pre></div>
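<p class="p">Field names are lowercased and sorted in ascending order, with the fields separated by a semicolon (;); as the example shows, the last field also ends with one. The resulting raw data to be signed is: <code class="ph codeph">body1=abcde;body2=abcde;header1=abcde;header2=abcde;query1=abcde;query2=abcde;x-pafa-openapi-nonce=5f152f4e335df05b243e22614c805b05;x-pafa-openapi-timestamp=1589347682;</code></p>
<p class="p">Signing this data with the SecretKey using HS256 gives the final signature: <code class="ph codeph">16ad29f72ad76488f217bd4753fa947fda513c409b82907c4beaf9bac9207973</code></p>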
</li>
</ol>
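<p class="p">The three verification steps above as an added Python sketch; it is not the plugin's own code. Assumptions: the signature is the lowercase hex HMAC-SHA256 digest of the UTF-8 canonical string, the 60 s check applies to clock skew in either direction, and the names <code class="ph codeph">canonical_string</code>, <code class="ph codeph">sign</code> and <code class="ph codeph">Verifier</code> plus the in-memory nonce store are hypothetical.</p>

```python
import hashlib
import hmac
import time

WINDOW_SECONDS = 60   # page: a timestamp more than 60 s from now is rejected
MAX_NONCE_LEN = 32    # page: nonce length <= 32
TS, NONCE = "x-pafa-openapi-timestamp", "x-pafa-openapi-nonce"

def canonical_string(params):
    """Lowercase the names, sort ascending, emit each pair as name=value;"""
    lowered = {name.lower(): value for name, value in params.items()}
    return "".join(f"{name}={lowered[name]};" for name in sorted(lowered))

def sign(secret_key, params):
    """HMAC-SHA256 (HS256) over the canonical string; hex output is assumed."""
    data = canonical_string(params).encode("utf-8")
    return hmac.new(secret_key.encode("utf-8"), data, hashlib.sha256).hexdigest()

class Verifier:
    def __init__(self, aksk_info, clock=time.time):
        self.aksk_info = aksk_info  # AccessKey -> SecretKey
        self.clock = clock          # injectable so the checks can be tested
        self.seen = {}              # nonce -> arrival time (single node, in memory)

    def verify(self, headers, signed_params):
        h = {k.lower(): v for k, v in headers.items()}
        secret = self.aksk_info.get(h.get("x-pafa-openapi-ak", ""))
        if secret is None:
            return "unknown-ak"
        ts, nonce = h.get(TS, ""), h.get(NONCE, "")
        if not (ts.isascii() and ts.isdigit()) or not 0 < len(nonce) <= MAX_NONCE_LEN:
            return "bad-replay-headers"
        now = self.clock()
        if abs(now - int(ts)) > WINDOW_SECONDS:
            return "expired"
        # Verify the signature before touching the nonce store, so unsigned
        # requests cannot fill it or burn a legitimate client's nonce.
        expected = sign(secret, {**signed_params, TS: ts, NONCE: nonce})
        supplied = h.get("x-pafa-openapi-sign", "")
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "bad-signature"
        # Keep nonces for twice the window: a timestamp 60 s ahead of the
        # server clock stays acceptable for 120 s after first arrival.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= 2 * WINDOW_SECONDS}
        if nonce in self.seen:
            return "replayed"
        self.seen[nonce] = now
        return "ok"
```

<p class="p">The canonical string applies no escaping, so a value containing <code class="ph codeph">;</code> or <code class="ph codeph">=</code> can make two different parameter sets produce the same signed data; reject or encode such values where they can occur. Only the configured parameters are covered by the signature, so anything left out of the query/header/body lists is not integrity-protected.</p>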
</section>
<section class="section" id="aksk__section_cjx_pvc_fsb"><h2 class="doc-tairway">Configuration parameters</h2>
<div class="p">
<table class="table" id="aksk__table_qnd_rvc_fsb"><caption></caption><colgroup><col><col><col><col><col></colgroup><thead class="thead">
<tr class="row">
<th class="entry align-left" id="aksk__table_qnd_rvc_fsb__entry__1">Parameter name</th>
<th class="entry align-left" id="aksk__table_qnd_rvc_fsb__entry__2">Parameter type</th>
<th class="entry align-left" id="aksk__table_qnd_rvc_fsb__entry__3">Required</th>
<th class="entry align-left" id="aksk__table_qnd_rvc_fsb__entry__4">Default</th>
<th class="entry align-left" id="aksk__table_qnd_rvc_fsb__entry__5">Description</th>
</tr>
</thead><tbody class="tbody">
<tr class="row">
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__1 ">aksk_info</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__2 ">string</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__3 ">Y</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__4 ">{}</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__5 ">Key pairs; must be identical on the client and on Kong</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__1 ">query</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__2 ">boolean</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__3 ">N</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__4 ">[]</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__5 ">Parameter names in the URL</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__1 ">header</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__2 ">boolean</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__3 ">N</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__4 ">[]</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__5 ">Parameter names in the headers</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__1 ">body</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__2 ">boolean</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__3 ">N</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__4 ">[]</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__5 ">Parameter names in the body; the body must be in JSON format and Content-Type must include application/json</td>
</tr>
<tr class="row">
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__1 ">norepeat</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__2 ">boolean</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__3 ">Y</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__4 ">true</td>
<td class="entry align-left" headers="aksk__table_qnd_rvc_fsb__entry__5 ">Whether replay protection is enabled</td>
</tr>
</tbody></table>
</div>
</section>
<section class="section" id="aksk__section_unp_rvc_fsb"><h2 class="doc-tairway">Configuration example</h2>
<p class="p"><img class="image" id="aksk__image_yxz_bwc_fsb" src="https://obs-cn-shanghai.fincloud.pinganyun.com/pacloud/20220910180811-1b683974955a.png" width="800"></p>
</section>