OSS-based app development

Last Updated: May 16, 2017

Development architecture

There are four components in typical OSS-based app development:

  • OSS: Provides functions such as upload, download, and upload callback.
  • Developer’s mobile client (app or webpage application), called the client for short: Indirectly accesses the OSS through the service provided by the developer.
  • Application server: The server that interacts with the client. This is also the server for the developer’s service.
  • Alibaba Cloud STS: Issues temporary credentials.

Service development process

Temporary credential upload authorization

  1. The client sends a request to the application server asking to upload an object to OSS.
  2. The application server must send a request to the STS server to obtain temporary credentials.
  3. The application server replies to the client, returning the temporary credentials.
  4. The client obtains authorization to upload to OSS (the STS AccessKey and token) and calls the mobile client SDK provided by OSS to upload data.
  5. The client successfully uploads data to the OSS. If callback is not set, the process is complete. If the callback function is set, the OSS will call the relevant interface.

Here are several key points:

  • The client does not have to request authorization from the application server for each upload. After the first authorization, the client will cache the temporary credentials returned by the STS until they expire.
  • STS provides powerful access control functions that can restrict client access permission at the object level. This completely isolates the objects uploaded to the OSS by different clients, greatly enhancing the security of applications.

For more information, refer to Authorized Third-Party Uploads.

Signed URL authorization for uploads and form uploads

  1. The client sends a request to the application server asking to upload an object to OSS.
  2. The application server replies to the client, returning credentials (signed URL or form).
  3. The client obtains authorization to upload to OSS (the signed URL or form) and calls the mobile client SDK provided by OSS to upload data or directly uploads a form.
  4. The client successfully uploads data to the OSS. If callback is not set, the process is complete. If the callback function is set, the OSS will call the relevant interface.

For more information, refer to Authorized Third-Party Uploads.

Temporary credential download authorization

The process is similar to temporary credential upload authorization:

  1. The client sends a request to the application server for downloading an object from OSS.
  2. The application server must send a request to the STS server to obtain temporary credentials.
  3. The application server replies to the client, returning the temporary credentials.
  4. The client obtains authorization to download from OSS (the STS AccessKey and token) and calls the mobile client SDK provided by OSS to download data.
  5. The client successfully downloads an object from OSS.

Here are several key points:

  • Just as for uploads, the client will cache the temporary credentials to increase access speed.
  • The STS likewise provides precise object download permission control, which, together with upload permission control, serves to completely isolate the OSS storage space of each mobile client.
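
The object-level isolation described in the key points for uploads and downloads depends on the policy the application server attaches when it requests temporary credentials from STS. The following is an added example, not code from the original page or from Alibaba Cloud: it builds a per-user policy in the RAM policy format and checks it with a simplified local matcher. The bucket name, the user/<id>/ key layout, and the function names are assumptions, and the matcher is not the evaluator STS itself uses.

```python
import json
import re

BUCKET = "example-bucket"                      # constructed sample bucket name
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")   # no '/', '*' or '?' in user ids
ARN_PREFIX = "acs:oss:*:*:"


def build_session_policy(user_id, bucket=BUCKET):
    """Return the policy JSON the application server attaches to the STS request."""
    if not SAFE_ID.fullmatch(user_id):
        # A '*' or '/' in the id would widen the prefix past this user.
        raise ValueError("unsafe user id: %r" % user_id)
    policy = {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oss:PutObject", "oss:GetObject"],
            # The '/' before '*' keeps 'alice' from also matching 'alice2'.
            "Resource": [f"{ARN_PREFIX}{bucket}/user/{user_id}/*"],
        }],
    }
    return json.dumps(policy)


def is_allowed(policy_json, action, bucket, key):
    """Simplified local check: Allow statements and the '*' wildcard only."""
    target = f"{bucket}/{key}"
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        for resource in stmt["Resource"]:
            if not resource.startswith(ARN_PREFIX):
                continue
            pattern = resource[len(ARN_PREFIX):]
            regex = ".*".join(re.escape(part) for part in pattern.split("*"))
            if re.fullmatch(regex, target, flags=re.DOTALL):
                return True
    return False


if __name__ == "__main__":
    p = build_session_policy("alice")
    for key in ("user/alice/a.jpg", "user/alice2/a.jpg", "user/bob/a.jpg"):
        print(key, is_allowed(p, "oss:PutObject", BUCKET, key))
```

Running a check like this in the application server's test suite catches a policy template that would let one client's credentials reach another client's objects before those credentials are ever issued.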

Signed URL authorization for downloads

This is similar to signed URL authorization for uploads:

  1. The client sends a request to the application server for downloading an object from OSS.
  2. The application server replies to the client, returning the signed URL.
  3. The client obtains authorization to download from OSS (the signed URL) and calls the mobile client SDK provided by OSS to download data.
  4. The client successfully downloads an object from OSS.

Special note

The client must not store the developer’s AccessKey. It may only obtain a signed URL or the temporary credentials issued by the STS (the STS AccessKey and token) from the application server.

Reference for using the function