CN106330813A - Method, device and system for processing authorization - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/104—Grouping of entities
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
Abstract
The invention provides a method, a device and a system for processing authorization. The method comprises the following steps: an authorization request sent by a first user through a first client is received, wherein the authorization request comprises the user identity (ID) of the first user and the identifier of the resource requested to be accessed; according to the user ID of the first user, information about the group to which the first user belongs is determined; according to a saved authorization record, it is determined that the group has already obtained authorization from the resource owner corresponding to the resource identifier; and a first access token is generated and sent to the first client. The method effectively solves the technical problem that, when multiple users access a resource, the resource owner has to grant authorization multiple times.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method, apparatus and system for processing authorization.
Background
With the rapid development of the Internet, concepts such as "one nationwide network" and "one global network" have spread rapidly. The situation in which each province and each base of an operator acts on its own can no longer meet user needs, and various capability centers have emerged in response. For example, the China Mobile customer center manages all user information in a unified way, and other applications that need user information obtain it through the interface the customer center provides. This centralizes the management of user information and, by concentrating user resources, makes better use of the value of the operator's big data. After a capability center has centralized the resource data related to its capability, it also needs to open that data for access by third-party clients (hereinafter: clients). In open access, data security is critical. OAuth 2.0, as a simple, secure and open authentication and authorization protocol, can be adopted by a capability center to address the security problem of opening data.
The resources of a capability center are generally all protected. In the OAuth protocol, the client does not access a protected resource directly with the resource owner's private credentials. Instead it obtains an access token: a string that represents a specific scope of authority, a lifetime and other attributes. The access token is generated by the authentication server with the approval of the resource owner and issued to the client. The client uses the access token to access the protected resource hosted by the resource server.
Specifically, when a user accesses a resource through a client, the flow is as follows:
1. The client requests authorization from the authentication server;
2. The authentication server directs the client's request to the resource owner and asks the resource owner to authorize it;
3. After reviewing the request message, the resource owner agrees to authorize;
4. After receiving the resource owner's message agreeing to authorize, the authentication server generates an access token and issues it to the client;
5. The client presents the access token to the resource server and requests the resource information;
6. The resource server returns the resource information to the client.
As can be seen, every time a user requests access to a resource, the request must, for security, be directed to the resource owner for authorization, which greatly increases the resource owner's authorization workload.
Summary of the invention
The invention provides a method, apparatus and system for processing authorization, to solve the technical problem that, when multiple users access resource information, the resource owner of that resource information has to grant authorization multiple times.
In a first aspect, the present invention provides an authorization method, comprising: receiving an authorization request sent by a first user through a first client, the authorization request including the user identity (ID) of the first user and the identifier of the resource requested to be accessed; determining, according to the user ID of the first user, group information of the group to which the first user belongs; determining, according to a saved authorization record, that the group has obtained authorization from the resource owner corresponding to the resource identifier; and generating a first access token and sending the first access token to the first client.
With reference to the first aspect, in a first possible implementation of the first aspect, determining the group information of the group to which the first user belongs according to the user ID of the first user specifically comprises: sending to a group server a group query message containing the user ID of the first user; and receiving a group confirmation message returned by the group server, the group confirmation message including the group information of the first user, wherein the group information includes the group identifier of the group to which the first user belongs.
With reference to the first aspect, in a second possible implementation of the first aspect, determining the group information of the group to which the first user belongs according to the user ID of the first user specifically comprises: querying a locally saved group database, the group database including group identifiers and the correspondingly saved group member information; and determining, according to the user ID of the first user, the group identifier of the group to which the first user belongs.
With reference to the first aspect, or the first or second possible implementation of the first aspect, in a third possible implementation of the first aspect, before receiving the authorization request sent by the first user through the first client, the method further comprises: receiving an authorization request sent by a second user through a second client, the authorization request including the user ID of the second user and the identifier of the resource; determining, according to the user ID of the second user, that the second user belongs to the group; determining that the group has not obtained authorization from the resource owner; sending an authentication request to the resource owner, the authentication request including the group information; receiving an authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group; saving an authorization record stating that the group has obtained access rights to the resource corresponding to the resource identifier; and generating a second access token and sending the second access token to the second client.
With reference to the first aspect or any of the first to third possible implementations of the first aspect, in a fourth possible implementation of the first aspect, before determining the group information of the group to which the first user belongs according to the user ID of the first user, the method further comprises: determining that the resource owner has not authorized the first user.
In a second aspect, an authentication server is provided, comprising: a receiving module, configured to receive an authorization request sent by a first user through a first client, the authorization request including the user identity (ID) of the first user and the identifier of the resource requested to be accessed; a determining module, configured to determine, according to the user ID of the first user received by the receiving module, group information of the group to which the first user belongs, and to determine, according to a saved authorization record, that the group has obtained authorization from the resource owner corresponding to the resource identifier; and a sending module, configured to generate a first access token and send the first access token to the first client.
With reference to the second aspect, in a first possible implementation of the second aspect, the determining module being configured to determine the group information of the group to which the first user belongs according to the user ID of the first user specifically comprises: sending to a group server a group query message containing the user ID of the first user; and receiving a group confirmation message returned by the group server, the group confirmation message including the group information of the first user, wherein the group information includes the group identifier of the group to which the first user belongs.
With reference to the second aspect, in a second possible implementation of the second aspect, the determining module being configured to determine the group information of the group to which the first user belongs according to the user ID of the first user specifically comprises: querying a locally saved group database, the group database including group identifiers and the correspondingly saved group member information; and determining, according to the user ID of the first user, the group identifier of the group to which the first user belongs.
With reference to the second aspect, or the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect: the receiving module is further configured to receive an authorization request sent by a second user through a second client, the authorization request including the user ID of the second user and the identifier of the resource; the determining module is further configured to determine, according to the user ID of the second user received by the receiving module, that the second user belongs to the group, and to determine that the group has not obtained authorization from the resource owner; the sending module is further configured to send an authentication request to the resource owner, the authentication request including the group information; the receiving module is further configured to receive an authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group; a saving module is configured to save an authorization record stating that the group has obtained access rights to the resource corresponding to the resource identifier; and the sending module is further configured to generate a second access token and send the second access token to the second client.
With reference to the second aspect or any of the first to third possible implementations of the second aspect, in a fourth possible implementation of the second aspect, before the determining module determines the group information of the group to which the first user belongs according to the user ID of the first user, the determining module is further configured to determine that the resource owner has not authorized the first user.
In a third aspect, a system for processing authorization is also provided, comprising: a first client, configured to send an authorization request to an authentication server, the authorization request including the user identity (ID) of a first user and the identifier of the resource requested to be accessed; and the authentication server, configured to receive the authorization request sent by the first user through the first client, the authorization request including the user ID of the first user and the identifier of the resource requested to be accessed; to determine, according to the user ID of the first user, group information of the group to which the first user belongs; to determine, according to a saved authorization record, that the group has obtained authorization from the resource owner corresponding to the resource identifier; and to generate a first access token and send the first access token to the first client.
With reference to the third aspect, in a first possible implementation of the third aspect, the system further comprises: a second client, configured to send an authorization request to the authentication server, the authorization request including the user ID of a second user and the identifier of the resource. The authentication server is further configured to receive the authorization request sent by the second user through the second client, the authorization request including the user ID of the second user and the identifier of the resource; to determine, according to the user ID of the second user, that the second user belongs to the group; to determine that the group has not obtained authorization from the resource owner; to send an authentication request to the resource owner, the authentication request including the group information; to receive an authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group; to save an authorization record stating that the group has obtained access rights to the resource corresponding to the resource identifier; and to generate a second access token and send the second access token to the second client.
According to the technical solution provided by the present invention, because the resource owner has authorized the group and the authentication server has saved the authorization record for the group and the resource, when other members of the group request authorization for the resource, the authentication server no longer needs to apply to the resource owner for permission. It generates an access token directly from the corresponding authorization record and returns it to the client, which effectively reduces the resource owner's authorization burden.
Brief description of the drawings
Fig. 1 is a block diagram of a system for processing authorization according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for processing authorization according to an embodiment of the present invention;
Fig. 3 is an exemplary signaling diagram of a method for processing authorization according to an embodiment of the present invention;
Fig. 4 is an exemplary signaling diagram of another method for processing authorization according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an authentication server according to an embodiment of the present invention;
Fig. 6 is another schematic structural diagram of an authentication server according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a system for processing authorization according to an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, specific embodiments of the present invention are described in further detail below with reference to the drawings. To provide a thorough understanding of the present invention, numerous specific details are mentioned in the following detailed description. Those skilled in the art will understand that the present invention may be practiced without these specific details. In other instances, well-known methods, processes, components and circuits are not described in detail, so as not to obscure the embodiments unnecessarily. Obviously, the embodiments described below are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that the functions of the authentication server, group server and resource server described in the embodiments of the present invention may be implemented by different functional modules of the same device or by separate devices; the present invention does not limit this.
In addition, some of the flows described below contain multiple operations that appear in a particular order, but it should be clearly understood that these operations may be performed out of the order in which they appear herein, or in parallel. Operation numbers such as 101 and 102 are used only to distinguish the operations from one another and do not themselves represent any execution order. The flows may also include more or fewer operations, and these operations may be performed sequentially or in parallel. Note that terms such as "first" and "second" herein are used to distinguish different messages, devices, modules and so on; they do not represent an order, nor do they require that the "first" and the "second" be of different types.
Fig. 1 is a block diagram of a system for processing authorization according to an embodiment of the present invention. The system comprises multiple communication devices that communicate with each other over a wired or wireless communication network, wherein:
Client 102: generally an application provided to the user for obtaining authorization and accessing resource information on the resource server.
Resource server 104: a server that stores resource information (such as pictures, videos, consumption information) and provides access to it. When a user requests access to resource information on the resource server through a client, the client must present an access token issued by an authentication server that has a trust relationship with the resource server; after the resource server verifies the token, it returns the requested resource information to the user.
Authentication server 106: a server that the service provider uses specifically to handle user authentication and to issue access tokens to clients. It may be co-located with the resource server or deployed separately.
Group server 108: stores the relationships between users and groups. Specifically, the relationships between users and groups may be set by a system administrator, a resource owner, or another user with permission to access the group server. For example, user A logs in to the group server and sets up group X, which includes user A, user B and user C; the group server then stores the relationships between user A, user B, user C and group X. Once a group has been created, its creator can authorize other users to manage it. Note that the present invention does not limit the specific way in which groups are created and managed.
Resource owner 110: the owner of the resource information (such as pictures, videos, consumption information). When other users access resource information stored on the resource server, they must first obtain the resource owner's permission; only if the resource owner agrees to authorize does the authentication server generate an access token for the client according to the resource owner's permission information.
The implementation of the authorization method, apparatus and system of this application is described in detail below with reference to the drawings.
Fig. 2 is a flowchart of an authorization method provided by the present invention. This embodiment provides the authorization process by which a user accesses resource information on the resource server through a client. In a specific implementation, the method for processing authorization may be performed by the authentication server. The authentication server issues an access token to the client where the resource owner permits it, and the client accesses the protected resource by presenting the access token to the resource server. The authentication server may be co-located with the resource server or exist as a separate device. After the authentication server receives the authorization request sent by the client, it first determines, according to the user ID in the authorization request, the group to which the user belongs. If the group has already obtained authorization, the authentication server sends an access token directly to the user without applying to the resource owner for permission again. If the group has not yet obtained the resource owner's permission, the authentication server first applies to the resource owner for permission for the group; if the resource owner agrees to authorize the group, the authentication server saves the authorization record for the group and the requested resource, generates an access token, and returns it to the client. Specifically, the method comprises:
Step 202: Receive an authorization request sent by a first user through a first client, the authorization request including the user identity (ID) of the first user and the identifier of the resource requested to be accessed.
Specifically, the client may be application software developed by a third party or a browser plug-in. The user sends an authorization request to the authentication server through the client, and the authorization request carries the user ID and the identifier of the resource requested to be accessed, where that identifier may be the Uniform Resource Identifier (URI) corresponding to the resource. From the identifier of the requested resource in the authorization request, the authentication server can determine the resource owner corresponding to the resource. When the user corresponding to the user ID has not yet obtained access rights to the resource corresponding to the requested resource identifier, the authentication server applies to the resource owner for authorization. Only when the resource owner agrees to authorize the user does the authentication server generate an access token and send it to the client; otherwise the user's authorization request is rejected and the user cannot access the desired resource.
Step 204: Determine, according to the user ID of the first user, the group information of the group to which the first user belongs.
Optionally, a group database is saved on the authentication server. The group database records group information, which includes the group name and the information of the group members that the group contains. The group member information may specifically be group member identifiers or other information describing group member characteristics. Determining the group information of the group to which the first user belongs according to the user ID of the first user then specifically comprises: querying the group database to obtain the group information whose group members include the user ID of the first user.
Optionally, a separate group server is deployed in the authorization system, and the group server records the group information. Determining the group information of the group to which the first user belongs according to the user ID of the first user then specifically comprises: sending to the group server a group query message containing the user ID of the first user; and receiving a group confirmation message returned by the group server, the group confirmation message including the group information of the first user. Note that, in a specific implementation, the group information that the group server returns to the authentication server may include only the group identifier of the group to which the first user belongs, or may further include the group member identifiers of that group. Optionally, when the received group information includes the group identifier and group member identifiers, the authentication server may save the received group information to a local database. The next time the authentication server receives an authorization request and needs to look up the group information for a user ID, it queries the local database first and sends a group query message to the group server only if the local database has no record.
Optionally, before step 204, the authorization method further comprises: the authentication server determines that the resource owner corresponding to the requested resource has not authorized the first user. In the solution provided by the present invention, when the authentication server receives an authorization request sent by a user through a client, it may first judge whether the resource owner has already authorized this user. If the resource owner has authorized this user to access the resource, step 214 is performed directly. If the resource owner has not authorized this user to access the resource, it is further determined whether the resource owner has authorized a group that includes this user. When the resource owner has authorized group X to access the resource, a member of group X accessing the resource does not need to apply for the resource owner's authorization again.
The method by which the authentication server determines whether the resource owner corresponding to the requested resource has already authorized the user belongs to the prior art and is not described further here.
Step 206: Determine, according to the saved authorization record, that the group has obtained authorization from the resource owner corresponding to the resource identifier.
The authorization record of the access rights that groups have obtained is saved locally on the authentication server or in a remote database. The authorization record may take the form of the following mapping table or any other form; the present invention does not limit the specific form of the authorization record.
Group name | Access resource |
Group A | Resource 1 |
Group B | Resource 2 |
After the authentication server determines the group to which the first user belongs, it queries the authorization record. When the authorization record contains an authorization relationship between the group to which the first user belongs and the requested resource, it is determined that the resource owner corresponding to the resource requested by the first user has authorized the group to which the first user belongs.
Step 208: Generate a first access token and send the first access token to the first client.
Specifically, after determining that the group to which the first user belongs has obtained the resource owner's authorization, the authentication server can generate an access token directly and return it to the first client, so that the first user can access the resource through the first client.
Optionally, where, before the authentication server receives the authorization request sent by the first user through the first client, another member of the first user's group, such as a second user, has also requested access to the resource, the authorization method further comprises: receiving an authorization request sent by the second user through a second client, the authorization request including the user ID of the second user and the identifier of the requested resource; determining, according to the user ID of the second user, that the second user belongs to the group; determining, according to the saved authorization record, that the group has not obtained authorization from the resource owner; sending an authentication request to the resource owner, the authentication request including the group information; receiving an authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group; saving an authorization record stating that the group has obtained access rights to the resource corresponding to the resource identifier; and generating a second access token and sending the second access token to the second client. Note that the first client and the second client may be the same client or different clients; the present invention does not limit this. Specifically, when it is determined that the group has not obtained the resource owner's authorization, the authentication server sends an authentication request to the resource owner, asking the resource owner to authorize the group to which the first user belongs. To make it easier for the resource owner to determine the scope of the authorization, the group information in the authentication request may include, in addition to the group name, the group member identifiers.
When the authentication response message contains instruction information indicating that the owner of the resource does not agree to authorize the group, the authorization request is rejected by the authorization device and the authorization flow ends. When the certificate server receives instruction information, returned by the Resource Owner, agreeing to authorize the group, the certificate server saves an authority record indicating that the group has obtained access rights to the resource. In a specific implementation, the form of the mapping table in step 206 can be used.
In the authorization method provided by this embodiment, the Resource Owner authorizes the group and the certificate server saves the authority record between the group and the resource. When other group members in the group request authorization for this resource, the certificate server therefore no longer needs to apply to the Resource Owner for permission; it directly generates an access token according to the corresponding authority record and returns it to the client, which effectively reduces the authorization burden on the Resource Owner.
Fig. 3 is an exemplary signaling diagram of a method for processing authorization provided by an embodiment of the present invention. In this embodiment, a user accesses a resource stored on the Resource Server through a client. The client can authenticate the identity of the user through at least one of account and password, biometric authentication, or another identity authentication mode. The client maintains the authentication information of each user, and each user has a unique user ID.
When multiple users access a resource on the Resource Server, in order to reduce the authorization burden on the Resource Owner, in embodiments of the present invention a system manager can set up a group for the multiple users on the cluster server. The Resource Owner only needs to authorize the group once, and the members of the group obtain the right to access the resource. For example, in a project team, a group member X uploads project data to the server, so group member X is the Resource Owner. The system manager can set up a group for this project team on the cluster server, with the group members including all members of the project team. Assume the group has three members A, B and C. It should be noted that the group members of this group may or may not include the Resource Owner X; the present invention does not limit this. The method includes:
Step 301: User A sends an authorization request to the certificate server through the client, the authorization request including the uniform resource identifier (URI) of the resource that user A wants to access and the user ID A;
Step 302: The certificate server sends a group relation inquiry request to the cluster server, the group relation inquiry request including the user ID A;
Step 303: The cluster server returns a group relation inquiry response to the certificate server, the group relation inquiry response including the group information of the group to which user A belongs;
Specifically, the cluster server determines the group to which the user belongs according to the user ID. In one possible implementation, the cluster server stores the correspondence between group names and group member lists. According to the received user ID, the cluster server traverses the correspondence and determines the group member list to which the user ID belongs and the corresponding group name. The group information includes the group name; optionally, the group information further includes the group member list corresponding to the group name.
Step 304: The certificate server determines that the group to which user A belongs has no authority record yet;
Specifically, the certificate server can query the locally saved mapping table of authorization relations between groups and the resources requested for access. The authorization relation mapping table records the correspondence between groups that have obtained authorization and the resources requested for access. When the certificate server determines that the group to which the user belongs has no authority record yet, this shows that the user is the first user in the group to apply for access to this resource. In this case, before providing a token for this user, the certificate server first needs to obtain the authorization of the Resource Owner.
Step 305: The certificate server sends a certification request to the Resource Owner, the certification request including the group information;
Step 306-Step 307: The Resource Owner determines the scope of authorization according to the group information and returns an authentication response to the certificate server;
Specifically, the Resource Owner determines, according to the group information, that it agrees to the authorization, and returns an authentication response to the certificate server, the authentication response including the authentication information and the authorization information of the Resource Owner.
Optionally, if the group information also includes the group member list, the Resource Owner can learn which members the group includes and, after determining that the members included in the group are all trustworthy, agree to authorize the group.
Step 308: The certificate server saves the group authority record and generates an access token;
Specifically, the certificate server determines, according to the authentication information contained in the authentication response returned by the Resource Owner, that the identity of the Resource Owner is legitimate, and determines, according to the authorization information, that the Resource Owner agrees to authorize this group; it then saves the group authority record and generates an access token.
Step 309: The certificate server returns the access token to the client;
Step 310-Step 311: The client obtains the resource information by sending a resource request message carrying the access token to the Resource Server.
Specifically, user A sends a resource request carrying the access token to the Resource Server through the client. After the Resource Server verifies that the access token is legitimate, it can return the resource requested by the user to the client, and the requested resource is presented to user A through the client.
Further, Fig. 4 is an exemplary signaling diagram of a method for processing authorization provided by an embodiment of the present invention. When user B or C in the group of the embodiment described in Fig. 3 also accesses the resource on the Resource Server, the certificate server determines the group to which user B or C belongs and determines that the Resource Owner has already authorized this group, so the certificate server directly generates an access token and sends the generated access token to the client. Specifically,
Step 401-Step 403 are identical to Step 301-Step 303; for related content, refer to the description of the embodiment in Fig. 3, which is not repeated here.
Step 404: Determine that this group already has an authority record.
Specifically, the certificate server can query the authority records, saved locally or remotely, of groups that have obtained access rights; the authority record can take the form of the mapping table described in step 206. When the certificate server determines that the group to which the user belongs has no authority record yet, this shows that the user is the first user in the group to apply for access to this resource; in this case, before providing a token for this user, the certificate server first needs to obtain the authorization of the Resource Owner. In the embodiment described in Fig. 3, user A in the group has already applied for access to this resource, so the group has obtained the authorization of the resource owner and the certificate server has saved the authority record of the group.
Step 405: Generate an access token;
Step 406-Step 408 are identical to Step 309-Step 311; for related content, refer to the description of the embodiment in Fig. 3, which is not repeated here.
In embodiments of the present invention, the certificate server saves, locally or remotely, the authority records of groups that have obtained access rights. When an authorization relation between group G and resource S exists in the authority records, this shows that the Resource Owner has authorized group G. When a member of group G applies for an access token for resource S, the certificate server directly generates the access token without applying again for the authorization of the Resource Owner. Based on this authorization method, the Resource Owner only needs to authorize once to allow multiple users to access the resource, which greatly reduces the authorization burden on the Resource Owner.
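The flow of Fig. 3 and Fig. 4 can be sketched as follows. This is an added example, not code from the patent: the class and function names, the `ask_owner` callback that stands in for the certification request and authentication response, the refusal of users who belong to no group, and the sample URIs are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple


class AuthorizationDenied(Exception):
    """The authorization flow ended without a token being issued."""


@dataclass
class GroupServer:
    """Plays the cluster server: group name -> group member list."""
    groups: Dict[str, Set[str]]

    def lookup(self, user_id: str) -> Optional[Tuple[str, FrozenSet[str]]]:
        # Steps 302-303: traverse the correspondence; return the group name
        # and member list so the owner can see who the consent would cover.
        for name, members in self.groups.items():
            if user_id in members:
                return name, frozenset(members)
        return None


@dataclass
class AuthServer:
    group_server: GroupServer
    # Hypothetical callback standing in for the certification request and
    # authentication response (steps 305-307): returns True if owner agrees.
    ask_owner: Callable[[str, FrozenSet[str], str], bool]
    # Mapping table of steps 304/404, keyed on (group, resource URI) so that
    # consent given for one resource never covers another.
    records: Set[Tuple[str, str]] = field(default_factory=set)

    def authorize(self, user_id: str, resource_uri: str) -> str:
        # Membership is resolved on every request (steps 301-303, 401-403),
        # so a user removed from the group stops receiving tokens.
        found = self.group_server.lookup(user_id)
        if found is None:
            # Assumption of this sketch: a user in no group is refused.
            raise AuthorizationDenied(f"{user_id} belongs to no group")
        group, members = found
        key = (group, resource_uri)
        if key not in self.records:
            if not self.ask_owner(group, members, resource_uri):
                # Refusal ends the flow and leaves no record behind.
                raise AuthorizationDenied(f"owner refused group {group}")
            self.records.add(key)  # step 308
        return secrets.token_urlsafe(32)  # steps 309/405: opaque token


def is_refused(server: AuthServer, user_id: str, resource_uri: str) -> bool:
    try:
        server.authorize(user_id, resource_uri)
        return False
    except AuthorizationDenied:
        return True


def run_demo() -> dict:
    """Constructed scenario: project team A, B, C and two resource URIs."""
    prompts = []

    def owner(group, members, uri):
        prompts.append((group, uri))
        return uri.endswith("/project-data")  # owner agrees to this one only

    groups = GroupServer({"project-team": {"A", "B", "C"}})
    server = AuthServer(groups, owner)
    data = "https://rs.example/project-data"
    other = "https://rs.example/payroll"

    token_a = server.authorize("A", data)  # first member: owner is asked
    token_b = server.authorize("B", data)  # record exists: owner not asked
    other_refused = is_refused(server, "C", other)  # new resource: asked again
    groups.groups["project-team"].discard("B")      # B leaves the team
    removed_refused = is_refused(server, "B", data)
    return {
        "prompts": prompts,
        "distinct_tokens": token_a != token_b,
        "other_refused": other_refused,
        "removed_refused": removed_refused,
        "records": sorted(server.records),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, "=", value)
```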
It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of action combinations, but those skilled in the art should know that the present invention is not limited by the described order of actions, because according to the present invention some steps can be performed in other orders or simultaneously. Those skilled in the art should also know that the embodiments described in this specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
The following describes the device and system provided by embodiments of the present invention.
Fig. 5 is a structural schematic diagram of a certificate server provided by an embodiment of the present invention. As shown in Fig. 5, the authorization device includes a receiver module 502, a determine module 504 and a sending module 506.
The receiver module 502 is configured to receive the authorization request sent by the first user through the first client, the authorization request including the user ID of the first user and the identifier of the resource requested for access.
The determine module 504 is configured to determine, according to the user ID of the first user received by the receiver module 502, the group information of the group to which the first user belongs; and to determine, according to the saved authority record, that the group has obtained the authorization of the Resource Owner corresponding to the identifier of the resource;
Wherein, the determine module 504 determining, according to the user ID of the first user, the group information of the group to which the first user belongs is specifically: sending to the cluster server a group query message containing the user ID of the first user, and receiving a group confirmation message returned by the cluster server, the group confirmation message including the group information of the group to which the first user belongs, wherein the group information includes the group identifier of the group to which the first user belongs; or, querying a locally saved group database, the group database including saved group identifiers and the corresponding group member information, and determining, according to the user ID of the first user, the group identifier of the group to which the first user belongs.
In implementation, the determine module 504 is specifically configured to implement the method described in Step 204-Step 206 of the embodiment in Fig. 2; for related content, refer to the description of the embodiment in Fig. 2, which is not repeated here.
The sending module 506 is configured to generate the first access token and send the first access token to the first client.
In a specific implementation, before the receiver module 502 receives the authorization request sent by the first user through the first client, another group member in the group corresponding to the first user, such as a second user, may also request access to this resource. In that case the receiver module 502 is further configured to receive an authorization request sent by the second user through a second client, the authorization request including the user ID of the second user and the identifier of the resource requested for access; the determine module 504 is further configured to determine, according to the user ID of the second user received by the receiver module 502, that the second user belongs to the group, and to determine that the group has not obtained the authorization of the Resource Owner; the sending module 506 is further configured to send a certification request to the Resource Owner, the certification request including the group information; the receiver module 502 is further configured to receive an authentication response returned by the Resource Owner, the authentication response including instruction information indicating that the Resource Owner agrees to authorize the group; the certificate server further includes a preserve module 508, configured to save an authority record indicating that the group has obtained access rights to the resource corresponding to the identifier of the resource; and the sending module is further configured to generate a second access token and send the second access token to the second client. It should be noted that the first client and the second client may be the same client or different clients; the present invention does not limit this. Specifically, when it determines that the group has not obtained the authorization of the Resource Owner, the certificate server sends a certification request to the Resource Owner, requesting the Resource Owner to authorize the group to which the first user belongs. To make it easier for the Resource Owner to determine the scope of the authorization object, the group information in the certification request may include, in addition to the group name, the group member identifiers.
When the authentication response message received by the receiver module 502 contains instruction information indicating that the owner of the resource does not agree to authorize the group, the authorization request is rejected by the authorization device and the authorization flow ends. When the receiver module 502 receives instruction information, returned by the Resource Owner, agreeing to authorize the group, the preserve module 508 saves the authority record indicating that the group has obtained access rights to the resource. In a specific implementation, the form of the mapping table in step 206 can be used.
In the authorization method provided by this embodiment, the Resource Owner authorizes the group and the certificate server saves the authority record between the group and the resource. When other group members in the group request authorization for this resource, the certificate server therefore no longer needs to apply to the Resource Owner for permission; it directly generates an access token according to the corresponding authority record and returns it to the client, which effectively reduces the authorization burden on the Resource Owner.
Fig. 6 shows another structural schematic diagram of a certificate server provided by an embodiment of the present invention. It uses a general-purpose computer system structure; the program code that executes the solution of the present invention is stored in the memory, and its execution is controlled by the processor. The device for processing authorization includes a bus, a processor (602), a memory (604) and a communication interface (606).
The bus can include a path that transmits information between the components of the computer.
The processor 602 can be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the program of the solution of the present invention. The one or more memories included in the computer system can be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or a disk memory. These memories are connected to the processor through the bus.
The communication interface 606 can use any transceiver-type device to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN), a wireless local area network (WLAN), etc.
The memory 604, such as RAM, stores the operating system and the program that executes the solution of the present invention. The operating system is a program that controls the operation of other programs and manages system resources. The program code that executes the solution of the present invention is stored in the memory, and its execution is controlled by the processor.
The program stored in the memory 604 instructs the processor to perform an authorization method, including: receiving the authorization request sent by the first user through the first client, the authorization request including the user ID of the first user and the identifier of the resource requested for access; determining, according to the user ID of the first user, the group information of the group to which the first user belongs; determining, according to the saved authority record, that the group has obtained the authorization of the Resource Owner corresponding to the identifier of the resource; and generating a first access token and sending the first access token to the first client.
It can be understood that the device for processing authorization of this embodiment can be used to implement all functions in the method embodiment described in Fig. 2; for its specific implementation process, refer to the related description of the method embodiment above, which is not repeated here.
Fig. 7 is a structural schematic diagram of a system for processing authorization provided by an embodiment of the present invention. As shown in Fig. 6, this system includes a first client 702 and a certificate server 704.
The first client 702 is configured to send an authorization request to the certificate server, the authorization request including the user ID of the first user and the identifier of the resource requested for access;
The certificate server 704 is configured to receive the authorization request sent by the first user through the first client, the authorization request including the user ID of the first user and the identifier of the resource requested for access; determine, according to the user ID of the first user, the group information of the group to which the first user belongs; determine, according to the saved authority record, that the group has obtained the authorization of the Resource Owner corresponding to the identifier of the resource; and generate a first access token and send the first access token to the first client.
Optionally, the system further includes: a second client 706, configured to send an authorization request to the certificate server, the authorization request including the user ID of the second user and the identifier of the resource;
The certificate server 704 is further configured to receive the authorization request sent by the second user through the second client, the authorization request including the user ID of the second user and the identifier of the resource; determine, according to the user ID of the second user, that the second user belongs to the group; determine that the group has not obtained the authorization of the Resource Owner; send a certification request to the Resource Owner, the certification request including the group information; receive an authentication response returned by the Resource Owner, the authentication response including instruction information indicating that the Resource Owner agrees to authorize the group; save an authority record indicating that the group has obtained access rights to the resource corresponding to the identifier of the resource; and generate a second access token and send the second access token to the second client.
It should be noted that the first client 702 and the second client 706 may be the same client or different clients; the present invention does not limit this.
For a more detailed description of the certificate server 704, refer to the description of the certificate server shown in Fig. 5; the related content is not repeated here.
For content such as the information exchange and execution processes between the modules in the above device and system, since they are based on the same concept as the method embodiments of the present invention, refer to the description in the method embodiments of the present invention; details are not repeated here.
A person of ordinary skill in the art will appreciate that all or part of the flows of the above method embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the flows of the above method embodiments. The storage medium can be a magnetic disk, an optical disc, a read-only memory (ROM: Read-Only Memory) or a random access memory (RAM: Random Access Memory), etc.
Specific examples are used herein to explain the principle and embodiments of the present invention; the description of the above embodiments is only intended to help in understanding the method of the present invention and its idea. Meanwhile, for a person of ordinary skill in the art, changes will be made according to the idea of the present invention. In summary, the content of this specification should not be construed as a limitation of the present invention.
Claims (12)
1. An authorization method, characterized by comprising:
receiving an authorization request sent by a first user through a first client, the authorization request including the user ID of the first user and the identifier of the resource requested for access;
determining, according to the user ID of the first user, the group information of the group to which the first user belongs;
determining, according to a saved authority record, that the group has obtained the authorization of the Resource Owner corresponding to the identifier of the resource;
generating a first access token, and sending the first access token to the first client.
2. The method according to claim 1, characterized in that the determining, according to the user ID of the first user, the group information of the group to which the first user belongs is specifically:
sending to a cluster server a group query message containing the user ID of the first user;
receiving a group confirmation message returned by the cluster server, the group confirmation message including the group information of the group to which the first user belongs, wherein the group information includes the group identifier of the group to which the first user belongs.
3. The method according to claim 1, characterized in that the determining, according to the user ID of the first user, the group information of the group to which the first user belongs is specifically:
querying a locally saved group database, the group database including saved group identifiers and the corresponding group member information;
determining, according to the user ID of the first user, the group identifier of the group to which the first user belongs.
4. The method according to any one of claims 1-3, characterized in that, before the receiving of the authorization request sent by the first user through the first client, the method further comprises:
receiving an authorization request sent by a second user through a second client, the authorization request including the user ID of the second user and the identifier of the resource;
determining, according to the user ID of the second user, that the second user belongs to the group;
determining that the group has not obtained the authorization of the Resource Owner;
sending a certification request to the Resource Owner, the certification request including the group information;
receiving an authentication response returned by the Resource Owner, the authentication response including instruction information indicating that the Resource Owner agrees to authorize the group;
saving an authority record indicating that the group has obtained access rights to the resource corresponding to the identifier of the resource;
generating a second access token, and sending the second access token to the second client.
5. The method according to any one of claims 1-4, characterized in that, before the determining, according to the user ID of the first user, the group information of the group to which the first user belongs, the method further comprises:
determining that the Resource Owner has not authorized the first user.
6. A certificate server, for authorizing a user to access a resource through a client, characterized by comprising:
a receiver module, configured to receive an authorization request sent by a first user through a first client, the authorization request including the user ID of the first user and the identifier of the resource requested for access;
a determine module, configured to determine, according to the user ID of the first user received by the receiver module, the group information of the group to which the first user belongs; and to determine, according to a saved authority record, that the group has obtained the authorization of the Resource Owner corresponding to the identifier of the resource;
a sending module, configured to generate a first access token and send the first access token to the first client.
7. The certificate server according to claim 6, characterized in that the determine module being configured to determine, according to the user ID of the first user, the group information of the group to which the first user belongs is specifically:
sending to a cluster server a group query message containing the user ID of the first user;
receiving a group confirmation message returned by the cluster server, the group confirmation message including the group information of the group to which the first user belongs, wherein the group information includes the group identifier of the group to which the first user belongs.
8. The certificate server according to claim 6, characterized in that the determine module being configured to determine, according to the user ID of the first user, the group information of the group to which the first user belongs is specifically:
querying a locally saved group database, the group database including saved group identifiers and the corresponding group member information;
determining, according to the user ID of the first user, the group identifier of the group to which the first user belongs.
9. The certificate server according to any one of claims 6-8, characterized in that the certificate server further comprises:
the receiver module, further configured to receive an authorization request sent by a second user through a second client, the authorization request including the user ID of the second user and the identifier of the resource;
the determine module, further configured to determine, according to the user ID of the second user received by the receiver module, that the second user belongs to the group; and to determine that the group has not obtained the authorization of the Resource Owner;
the sending module, further configured to send a certification request to the Resource Owner, the certification request including the group information;
the receiver module, further configured to receive an authentication response returned by the Resource Owner, the authentication response including instruction information indicating that the Resource Owner agrees to authorize the group;
a preserve module, configured to save an authority record indicating that the group has obtained access rights to the resource corresponding to the identifier of the resource;
the sending module, further configured to generate a second access token and send the second access token to the second client.
10. The certificate server according to any one of claims 6-9, characterized in that, before the determine module determines, according to the user ID of the first user, the group information of the group to which the first user belongs, the determine module is further configured to determine that the Resource Owner has not authorized the first user.
11. A system for processing authorization, characterized by comprising:
a first client, configured to send an authorization request to a certificate server, the authorization request including the user ID of a first user and the identifier of the resource requested for access;
the certificate server, configured to receive the authorization request sent by the first user through the first client, the authorization request including the user ID of the first user and the identifier of the resource requested for access; determine, according to the user ID of the first user, the group information of the group to which the first user belongs; determine, according to a saved authority record, that the group has obtained the authorization of the Resource Owner corresponding to the identifier of the resource; and generate a first access token and send the first access token to the first client.
12. The system according to claim 11, characterized in that the system further comprises:
a second client, configured to send an authorization request to the certificate server, the authorization request including the user ID of a second user and the identifier of the resource;
the certificate server, further configured to receive the authorization request sent by the second user through the second client, the authorization request including the user ID of the second user and the identifier of the resource; determine, according to the user ID of the second user, that the second user belongs to the group; determine that the group has not obtained the authorization of the Resource Owner; send a certification request to the Resource Owner, the certification request including the group information; receive an authentication response returned by the Resource Owner, the authentication response including instruction information indicating that the Resource Owner agrees to authorize the group; save an authority record indicating that the group has obtained access rights to the resource corresponding to the identifier of the resource; and generate a second access token and send the second access token to the second client.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510333657.4A CN106330813A (en) | 2015-06-16 | 2015-06-16 | Method, device and system for processing authorization |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510333657.4A CN106330813A (en) | 2015-06-16 | 2015-06-16 | Method, device and system for processing authorization |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106330813A true CN106330813A (en) | 2017-01-11 |
Family
ID=57732341
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510333657.4A Pending CN106330813A (en) | 2015-06-16 | 2015-06-16 | Method, device and system for processing authorization |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106330813A (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107911352A (en) * | 2017-11-06 | 2018-04-13 | 湖南红手指信息技术有限公司 | A kind of authorization method of cloud mobile phone |
WO2018129699A1 (en) * | 2017-01-13 | 2018-07-19 | Qualcomm Incorporated | Logical channel prioritization and mapping to different numerologies |
CN109150815A (en) * | 2017-06-28 | 2019-01-04 | 阿里巴巴集团控股有限公司 | Method for processing resource, device and machine readable media |
CN110197075A (en) * | 2018-04-11 | 2019-09-03 | 腾讯科技(深圳)有限公司 | Resource access method, calculates equipment and storage medium at device |
CN110222495A (en) * | 2019-06-10 | 2019-09-10 | 苏州随身玩信息技术有限公司 | Identity-based identification carries out the method for explanation triggering, explanation purview certification method |
CN110430202A (en) * | 2019-08-09 | 2019-11-08 | 百度在线网络技术(北京)有限公司 | Authentication method and device |
CN110710178A (en) * | 2017-06-01 | 2020-01-17 | 诺基亚通信公司 | User authentication in a wireless access network |
WO2020042791A1 (en) * | 2018-08-31 | 2020-03-05 | 阿里巴巴集团控股有限公司 | Method and device for acquiring and feeding back user resource, and electronic apparatus |
CN111784263A (en) * | 2020-07-28 | 2020-10-16 | 支付宝(杭州)信息技术有限公司 | Authorization processing method and device and logistics object processing method and device |
CN112688910A (en) * | 2019-10-17 | 2021-04-20 | 富士通株式会社 | Communication program, authorization apparatus, and communication system |
CN115277273A (en) * | 2022-07-25 | 2022-11-01 | 维沃移动通信有限公司 | Resource sharing method and resource sharing device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101771677A (en) * | 2008-12-31 | 2010-07-07 | 华为技术有限公司 | Method for providing resource for access user, server and system thereof |
CN102405630A (en) * | 2009-04-20 | 2012-04-04 | 交互数字专利控股公司 | System of multiple domains and domain ownership |
CN103716326A (en) * | 2013-12-31 | 2014-04-09 | 华为技术有限公司 | Resource access method and URG |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018129699A1 (en) * | 2017-01-13 | 2018-07-19 | Qualcomm Incorporated | Logical channel prioritization and mapping to different numerologies |
US11696331B2 (en) | 2017-01-13 | 2023-07-04 | Qualcomm Incorporated | Logical channel prioritization and mapping to different numerologies |
CN110710178A (en) * | 2017-06-01 | 2020-01-17 | 诺基亚通信公司 | User authentication in a wireless access network |
CN110710178B (en) * | 2017-06-01 | 2021-07-06 | 诺基亚通信公司 | User authentication in a wireless access network |
CN109150815A (en) * | 2017-06-28 | 2019-01-04 | 阿里巴巴集团控股有限公司 | Method for processing resource, device and machine readable media |
CN107911352A (en) * | 2017-11-06 | 2018-04-13 | 湖南红手指信息技术有限公司 | A kind of authorization method of cloud mobile phone |
CN110197075A (en) * | 2018-04-11 | 2019-09-03 | 腾讯科技(深圳)有限公司 | Resource access method, calculates equipment and storage medium at device |
WO2020042791A1 (en) * | 2018-08-31 | 2020-03-05 | 阿里巴巴集团控股有限公司 | Method and device for acquiring and feeding back user resource, and electronic apparatus |
CN110222495A (en) * | 2019-06-10 | 2019-09-10 | 苏州随身玩信息技术有限公司 | Identity-based identification carries out the method for explanation triggering, explanation purview certification method |
CN110430202A (en) * | 2019-08-09 | 2019-11-08 | 百度在线网络技术(北京)有限公司 | Authentication method and device |
CN112688910A (en) * | 2019-10-17 | 2021-04-20 | 富士通株式会社 | Communication program, authorization apparatus, and communication system |
CN111784263A (en) * | 2020-07-28 | 2020-10-16 | 支付宝(杭州)信息技术有限公司 | Authorization processing method and device and logistics object processing method and device |
CN111784263B (en) * | 2020-07-28 | 2024-05-24 | 支付宝(杭州)信息技术有限公司 | Authorization processing method and device and logistics object processing method and device |
CN115277273A (en) * | 2022-07-25 | 2022-11-01 | 维沃移动通信有限公司 | Resource sharing method and resource sharing device |
CN115277273B (en) * | 2022-07-25 | 2024-03-22 | 维沃移动通信有限公司 | Resource sharing method and resource sharing device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106330813A (en) | Method, device and system for processing authorization | |
CN105074685B (en) | The multi-tenant that the social business of enterprise is calculated supports method, computer-readable medium and system | |
CN111556006B (en) | Third-party application system login method, device, terminal and SSO service platform | |
CN103051631B (en) | Unified security authentication method for PaaS (Platform as a Service) platform and SaaS (Software as a Service) application system | |
CN102761549B (en) | Processing method and system of resource sharing and service platforms | |
CN105763514B (en) | A kind of method, apparatus and system of processing authorization | |
CN107948203A (en) | A kind of container login method, application server, system and storage medium | |
CN107948201A (en) | The purview certification method and system in Docker mirror images warehouse | |
CN106096343A (en) | Message access control method and equipment | |
CN105812350B (en) | Cross-platform single sign-on system | |
US9332433B1 (en) | Distributing access and identification tokens in a mobile environment | |
CN107172054A (en) | A kind of purview certification method based on CAS, apparatus and system | |
CN102422298A (en) | Access control of distributed computing resources system and method | |
CN103384237A (en) | Method for sharing IaaS cloud account, shared platform and network device | |
CN106936772A (en) | A kind of access method, the apparatus and system of cloud platform resource | |
CN105871914A (en) | Customer-relationship-management-system access control method | |
CN107846414A (en) | A kind of single-point logging method and system, Centralized Authentication System | |
CN106127888B (en) | Intelligent lock operation method and smart lock operating system | |
US20210042748A1 (en) | Blockchain-based secure resource management | |
CN106067119A (en) | Client relation management method based on privately owned cloud | |
CN105612731B (en) | It may have access to application state across accredited and untrusted platform roaming internet | |
CN106559389A (en) | A kind of Service Source issue, call method, device, system and cloud service platform | |
CN109150800A (en) | Login access method, system and storage medium | |
CN106096976A (en) | Small business's client relation management method | |
CN110636057A (en) | Application access method and device and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170111 |