1. HTTP Basic authentication
This is an early method, used in more than one form, that relies mainly on the user name and password for each interaction. Because the user name and password are exposed to third parties on every exchange, it is not advisable; the risk is very large, so this authentication method never spread widely.
2. OAuth (OAuth2)
This is the open-platform concept: just as you can log in to a third-party website or app with your QQ account or a similar login, after which the third party can access your personal information. This is the idea of open authorization, and it is realized through a token.
With this token you can limit the time and the information that the third party is allowed to obtain to what you specify, thus achieving a secure authentication effect.
3. Cookies
This is a more common approach, used by many small sites: after the user logs in, the generated user information is stored in a cookie, which the server matches against the session. Typically the cookie is invalidated when the browser is closed.
4. Token mechanism
When a user logs in, the user information is written to the session or Redis, and a cookie is generated and saved in the browser (on a phone it is stored in another medium). The token's lifetime is kept consistent with the session (the session here may be a single-application session or a distributed session). If the user logs in from another client, the token should be overwritten so that only one login is active at a time. Note that the token is carried in the headers of each interaction and must be verified in a server-side interceptor. This approach works across domains, whereas cookies cannot cross domains, so cookies can only be used on some small sites.
5. JSON Web Token (JWT)
The mechanism of JWT is similar to the previous one, except that it encapsulates much more, and security has been improved somewhat.
The user initiates a RESTful login request; the server creates an encrypted JWT and returns it to the client as the token. In subsequent requests the client puts the JWT in the headers, and the server decrypts and verifies the user information: success means the request is authenticated, while a decryption failure indicates that the token is invalid or has expired.
JWT is the safest of these authentication types and can protect against certain attacks, so it is the more recommended option.
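The login and interceptor steps described above, as an added example that is not part of the original post. It uses the HMAC-SHA256 signature form of JWT (HS256); the signature check plays the role the post calls decryption, and both the secret and the Bearer header name are assumptions.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret"  # placeholder; a real key comes from configuration

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def create_jwt(user_id: str, secret: bytes, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Login step on the server: build header.payload.signature, signed with HS256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}  # exp = expiry time
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Server-side check: returns the claims on success, None if invalid or expired."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # only accept the algorithm we issue tokens with
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # signature mismatch: token was tampered with or wrongly keyed
        claims = json.loads(_b64url_decode(p))
        if claims.get("exp", 0) <= now:
            return None  # token has expired
        return claims
    except ValueError:  # malformed base64 or JSON, wrong number of segments
        return None

def interceptor(headers: dict, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Interceptor in front of every request: read the token from the headers and verify it."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_jwt(auth[len("Bearer "):], secret, now)
```

The `now` parameter exists only so the expiry behaviour can be exercised deterministically; in a real service it is left unset.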
Several security authentication mechanisms between app and background interaction