
Notes:
GO offers two API authentication and authorization mechanisms (choose one): access tokens and JWT authentication.
① The default mechanism is access tokens; see the article: Access Token.
② The optional mechanism is JWT authentication, described below. For more information, contact your account manager or GO Help.

Introduction

Derby GO API authentication is designed on the basis of OAuth 2.0 and its extension protocol OpenID Connect. It authenticates the interface interactions between a channel and Derby GO, ensuring the security of API calls and data access on both sides.


Basic flow

1. The channel calls the Derby service and obtains the public key set

2. The channel caches the public key set locally

3. Derby sends business requests, carrying a token, to the channel's server

4. The channel parses the request and verifies that the token it carries was issued by Derby

5. If verification succeeds, the channel responds to the business request; if it fails, the request is ignored



How the channel obtains the public key

1. The channel logs in to GO Console and obtains the JWK URL

2. The channel sends a request to the JWK URL and obtains the public key set

Example request:

GET https://xxxxxx/id/84A26B2FA77BCD1FF5130636F04C30C5/keys HTTP/1.1  
Content-Type: application/json;charset=utf-8


Example success response:

{
    "keys": [
        {
            "alg": "RS256",
            "e": "AQAB",
            "kid": "1d9ead9856fa33d753eaa9d97e0cdb0e02c5694e",
            "kty": "RSA",
            "n": "hNIFX5GQDCpFOty1EnrCk-iA8czIjG7pGSxgKrE-saYt8HORPLquoQqv55cBZjEj2GSMnimEpRHckyNn-oUrLOyrpsvWIdanSE4hGBSe5bensc0RpoCOi0rbzkBiE6Yg28ANwrnJnShv236muIKmpyoMW_ZfkPojsJUm0KURR7JQ1-HsIdWXQN_-c-wDmsAPRHnqY33QVotlhALyQSNSpTj_snDkkz8_-y7bZHSJKgmhXFzKhb5ls7gRYTkKmMl3LoVmTacC-mT4bHtQ0xiztO-Fit1ag1EXWLXF3Z-jvow4vaFwhAibtMc7sAES0okqUCtR_RFZBHHb65hmvVyC7w",
            "use": "sig"
        },
        {
            "alg": "RS256",
            "e": "AQAB",
            "kid": "4033a0101d68472defe88f625833eb93384842b5",
            "kty": "RSA",
            "n": "0n6355e8v8-PUAgyMZO63uJbtddfh509Z31qJU_iVMJRLTYnD7E3j29hh6twE4nYXludf2cAwUX79BnXKl-XK4zkn_tUOvdbBJPT2LmKs_5ZCN8vJFH4QAoqIXWWGK9S42Q-KsFB3ADKP3I7YnPyXC8_j03dk0irPS2B21Eqjr4p6lBydGzyn2wmA_ZZnMYWiA-aFzdBj6h2_V2lru21PGDtpa9HQZn7a2jPwHLmdLatAbxS9x5oGzlFJ_oq4mNsePe4R78RZhu3LW94v68KWlIWW8eCo9O5OT7wt310pXtQx2PnW9-77FeL_DTVVNFs9j77FLpI9TitoNFi3qbo2Q",
            "use": "sig"
        }
    ]
}


Example failure response:

HTTP/1.1 404 Not Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz


Derby accesses the channel system with the token

Example token (JWT):

eyJraWQiOiIzOTRiNTZjM2VhNTI0ZWU1OTAxNWY5YTdlODg2NjMxMiIsImFsZyI6IlJTMjU2In0.eyJpc3MiOiJodHRwczovL2lkLzg0QTI2QjJGQTc3QkNEMUZGNTEzMDYzNkYwNEMzMEM1Ly53ZWxsLWtub3duL29wZW5pZC1jb25maWd1cmF0aW9uIiwiYXVkIjoiWktUIiwiZXhwIjoxNzAzNTYwMDkwLCJqdGkiOiJRWGNxem5ldVZCYlJQbjE5NGtzOUFRIiwiaWF0IjoxNzAzNTU5NzkwLCJuYmYiOjE3MDM1NTk2NzAsInN1YiI6ImRzLWdvLW1vZHVsZSJ9.mNmpBZMm1lPFMvea75PSY1tn64l2XjeN5Y21KkaHyY9HHNzh5JUaG-XCn97WQwPgw7uTKs8zn5zWGgng9mZ8mie312qY0DILxCebZ2c_7Qt3drssa7EnRJf5kbFRHIay9S6lmuG9BE9o9lkAlnfFqOa7qHpzEFt35yKRS8ummlH3k_RjrBRBke7wb5VePRDryPb9LTd0hfu7e7guWOSEkR21rS6drHrd89dHHKwB28-SCs4KYeWPaUZFbBHG9vVaYn99ELoKs7cAKfBS_SX9-Ag9Z7e_wLoD-mgG9Bi8e8Mf0bfV4YdfusLTScxKnHeZwjGZkDDZN70aWZKVIaqimQ


The channel system decodes the token and verifies the signature

After the channel base64 (URL-safe) decodes the token:

HEADER:
{
  "kid": "394b56c3ea524ee59015f9a7e8866312",
  "alg": "RS256"
}

PAYLOAD:
{
  "iss": "https://id/84A26B2FA77BCD1FF5130636F04C30C5/.well-known/openid-configuration",
  "aud": "xxx",           // intended audience of the token
  "exp": 1703560090,      // expiry time of the token
  "jti": "QXcqzneuVBbRPn194ks9AQ",
  "iat": 1703559790,      // time the token was issued
  "nbf": 1703559670,
  "sub": "ds-go-module"   // issuing subject of the token
}

SIGNATURE:
xxxxxx // signature


The channel locates the corresponding public key in the public key set and verifies the JWT signature with it:

{
    "alg": "RS256",
    "e": "AQAB",
    "kid": "1",
    "kty": "RSA",
    "n": "rJzRIhtaVCJDg13QJearCXgiYQjXExd6xC8oD6hjRlyc-rACKIEedLTEkWskYMPEyK5ev7uSdQ8VLHVvrwL4GI_9NKex0MndePewaLL06LPHIK4enMGtMNUczWJ7HHT1_kYXiy259eh0xqOjDKkypGkU3Kq--M7qdIOfjMSXFHR-aBXz80qABbP7nUPJpLLHoNonr_VLDhYszQHL8k71pWsKYQO2Io4P3jT-pGdADp5OHAboizPwsZsasiGEw4UFq1A47R1XNKjeWqUwBqqVzhryWSQ606iPWEAle2cGBz7coiLWG59uhT39aDlUB6gRgi0vGxJn92sWGUmfnk698w"
}


The channel verifies that the token is valid, that its issuer is Derby, and that its intended audience is the channel itself.

If verification succeeds, a success response is returned; if verification fails, the request content is ignored.
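As an added example (not part of the Derby GO documentation), the following Python implements steps 4 and 5 of the flow above on the channel side using only the standard library: pin the algorithm to RS256, pick the JWK by kid from the cached key set, verify the RSASSA-PKCS1-v1_5 signature, and only then check iss, aud, exp and nbf. The function and parameter names are assumptions; rs256_sign shows the issuing side so the verifier can be exercised offline with a constructed key.

```python
import base64, hashlib, json, time
# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # JWT segments drop '=' padding

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def pkcs1_v15_encode(signing_input: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(signing_input), padded to the k-byte modulus length."""
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input: bytes, n: int, d: int) -> bytes:
    """Issuer side (Derby): RSASSA-PKCS1-v1_5 signature with private exponent d."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_v15_encode(signing_input, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    """Channel side: recover the encoded message with the JWK's public (n, e) and compare."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == pkcs1_v15_encode(signing_input, k)

def verify_token(token: str, jwks: dict, issuer: str, audience: str, now=None, leeway: int = 60) -> dict:
    """Return the claims if `token` is an RS256 JWT signed by a cached JWKS key and addressed to this channel; else raise ValueError."""
    h64, p64, s64 = token.split(".")  # ValueError unless the token is header.payload.signature
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token pick it (rejects "none")
        raise ValueError("unexpected alg")
    keys = [k for k in jwks["keys"] if k.get("kid") == header.get("kid")
            and k.get("kty") == "RSA" and k.get("use", "sig") == "sig"]
    if len(keys) != 1 or not rs256_verify(keys[0], f"{h64}.{p64}".encode(), b64url_decode(s64)):
        raise ValueError("signature does not verify against the cached key set")
    claims = json.loads(b64url_decode(p64))  # trust the payload only after the signature checks out
    if claims.get("iss") != issuer:
        raise ValueError("token not issued by Derby")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not addressed to this channel")
    now = time.time() if now is None else now
    if now > claims.get("exp", 0) + leeway or now < claims.get("nbf", 0) - leeway:
        raise ValueError("token outside its exp/nbf validity window")
    return claims
```

A token whose kid is missing from the cached set should be rejected, and the channel should refetch the JWK URL only when its cache is stale, not on every unknown kid.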