OSS-based app development

Last Updated: Dec 07, 2017

Development architecture

The following are the four components in typical OSS-based app development:

  • OSS: Provides functions such as upload, download, and upload callback.

  • Developer’s mobile client (app or webpage application), called the client for short: Indirectly accesses OSS through the service provided by the developer.

  • Application server: This server is used for the developer’s service and it also interacts with the client.

  • Alibaba Cloud STS: Issues temporary credentials.

Service development process

Note: The client cannot store the developer’s AccessKey. It can only obtain a signed URL or the temporary credentials issued by STS (the STS AccessKey and token) from the application server.

Temporary credential upload authorization

The following procedure is used for temporary credential upload authorization:

  1. The client sends a request to the application server asking to upload an object to OSS.

  2. The application server must send a request to the STS server to obtain temporary credentials.

  3. The application server replies to the client, returning the temporary credentials.

  4. The client obtains authorization to upload to OSS (the STS AccessKey and token) and calls the mobile client SDK provided by OSS to upload data.

  5. The client successfully uploads data to OSS. If no callback is set, the process is complete. If a callback function is set, OSS calls the relevant interface.

Note:

  • The client does not have to request authorization from the application server for each upload. After initial authorization, the client caches temporary credentials returned by the STS until they expire.
  • STS provides powerful access control functions that can restrict client access permission at the object level. This completely isolates the objects uploaded to OSS by different clients. This greatly enhances application security.

For more information, see Authorized third-party upload.

Signed URL authorization for uploads and form uploads

  1. The client sends a request to the application server asking to upload an object to OSS.

  2. The application server replies to the client, returning credentials (signed URL or form).

  3. The client obtains authorization to upload to OSS (the signed URL or form) and calls the mobile client SDK provided by OSS to upload data or directly uploads a form.

  4. The client successfully uploads data to OSS. If no callback is set, the process is complete. If a callback function is set, OSS calls the relevant interface.

For more information, see Authorized third-party upload.

Temporary credential download authorization

This process is similar to temporary credential upload authorization:

  1. The client sends a request to the application server to download the object from OSS.

  2. The application server must send a request to the STS server to obtain temporary credentials.

  3. The application server replies to the client, returning the temporary credentials.

  4. The client obtains authorization to download from OSS (the STS AccessKey and token) and calls the mobile client SDK provided by OSS to download data.

  5. The client successfully downloads the object from OSS.

Note:

  • As with uploads, the client caches temporary credentials to increase access speed.
  • In addition to upload permission control, STS offers precise permission control for object downloads. This helps to isolate the OSS storage space of each mobile client.
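
The object-level isolation described in the upload and download notes depends on the application server scoping each set of temporary credentials to one client's objects. The following is an added example, not part of the original page and not Alibaba Cloud's own code: it builds the policy document that the application server would pass as the Policy parameter of the STS AssumeRole request. The `clients/<client_id>/` key layout, the bucket name, and the function names `build_session_policy` and `allows` are assumptions made for illustration.

```python
import json
import re

# Assumption: client IDs are short identifiers assigned by the application
# server. Anything else is rejected so a client-supplied value can never
# smuggle "*", "?" or "/" into the Resource pattern and widen the grant.
_CLIENT_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
# One OSS action per operation: an upload token cannot read, and vice versa.
_ACTIONS = {"upload": ["oss:PutObject"], "download": ["oss:GetObject"]}


def build_session_policy(bucket, client_id, operation):
    """Return the policy JSON to send as the Policy parameter of AssumeRole."""
    if not _CLIENT_ID.fullmatch(client_id):
        raise ValueError("invalid client id")
    if operation not in _ACTIONS:
        raise ValueError("unknown operation")
    policy = {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": _ACTIONS[operation],
            # Hypothetical layout: every client owns the prefix clients/<id>/.
            "Resource": [f"acs:oss:*:*:{bucket}/clients/{client_id}/*"],
        }],
    }
    return json.dumps(policy, separators=(",", ":"))


def allows(policy_json, action, bucket, key):
    """Local trailing-* prefix check for unit tests; not the RAM evaluator."""
    resource = f"acs:oss:*:*:{bucket}/{key}"
    for st in json.loads(policy_json)["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        for pattern in st["Resource"]:
            if pattern.endswith("*") and resource.startswith(pattern[:-1]):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    print(build_session_policy("example-bucket", "alice", "upload"))
```

The trailing slash before `*` in the Resource pattern matters: without it, a token for `alice` would also match keys under `alice2/`.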

Signed URL authorization for downloads

The following process is similar to the signed URL authorization for uploads:

  1. The client sends a request to the application server to download an object from OSS.

  2. The application server replies to the client, returning the signed URL.

  3. The client obtains authorization to download from OSS (the signed URL) and calls the mobile client SDK provided by OSS to download the data.

  4. The client successfully downloads the object from OSS.
