CN110881047A - Safe and reliable third party authentication scheme - Google Patents

Safe and reliable third party authentication scheme

Info

Publication number: CN110881047A
Authority: CN (China)
Application number: CN201911266524.4A
Priority date: 2019-12-11
Filing date: 2019-12-11
Publication date: 2020-03-13
Legal status: Pending at the time of this snapshot (see Legal Events below for the later rejection after publication)
Other languages: Chinese (zh)
Inventor: 刘英吉
Current assignee: Unicloud Nanjing Digital Technology Co Ltd
Original assignee: Unicloud Nanjing Digital Technology Co Ltd
Prior art keywords: party application, application server, party, request, server

Classifications

    • H  Electricity
    • H04  Electric communication technique
    • H04L  Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  ... for authentication of entities
    • H04L 63/083  ... for authentication of entities using passwords
    • H04L 63/0876  ... for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/10  ... for controlling access to devices or network resources
    • H04L 63/101  Access control lists [ACL]
    • H04L 63/105  Multiple levels of security
    • H04L 67/00  Network arrangements or protocols for supporting network services or applications
    • H04L 67/01  Protocols
    • H04L 67/02  Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G  Physics
    • G06  Computing; calculating or counting
    • G06F  Electric digital data processing
    • G06F 21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60  Protecting data
    • G06F 21/62  Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218  ... to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6245  Protecting personal data, e.g. for financial or medical purposes
    • G06F 21/6263  ... during internet communication, e.g. revealing personal data from cookies

Abstract

The invention discloses a safe and reliable third-party authentication scheme that checks the uniqueness and security of a third-party application server, compensates for the limitations of token-only authentication, and combines several authentication methods into one comprehensive check in order to protect the network and prevent illegal operations. The scheme substantially improves security by subjecting the third party to multiple checks without affecting data interaction with it, so that communication is secure and reliable.

Description

Safe and reliable third party authentication scheme
Technical Field
The invention relates to the field of internet security, in particular to a safe and reliable third party authentication scheme.
Background
With the arrival of the mobile internet era, communication links have become indispensable in the information age, and mobile communication applications have been developed to provide them. Every field has its own specialty, so an application often needs to integrate other third-party applications to make up for gaps in its own functions. Integrating a third-party application inevitably requires data interaction with that third party, and to keep that communication secure the third party must be authenticated before any data is exchanged.
In the prior art, token-based authentication is generally used, with the following general flow: the client requests login with a user name and password, and the server receives the request and verifies them. On success the server issues a token and sends it to the client, which stores it. Whenever the client requests a resource from the server it carries the token issued by the server; the server receives the request, verifies the token carried in it, and returns the requested data if verification succeeds.
In general, once a client has logged in, the server recognises only the token on subsequent HTTP requests: it intercepts every request, checks that a token is present, verifies the token's legitimacy, lets the request through if the token is legitimate, and returns an authentication failure otherwise.
However, when only a token is used to authenticate the third party, the token is the sole authentication identifier, and each third-party request needs nothing more than a legitimate token. Such a request can easily be copied by an unauthorised party and replayed to log in, so the security of third-party requests cannot be guaranteed.
Disclosure of Invention
Purpose of the invention: in view of these shortcomings, the invention provides a safe and reliable third-party authentication scheme that checks the uniqueness and security of a third-party application server, compensates for the limitations of token-only authentication, and combines several authentication methods into one comprehensive check in order to protect the network and prevent illegal operations.
The technical scheme is as follows:
a secure and reliable third-party authentication scheme comprising the steps of:
(1) the background server calls the third party's API or integrates the SDK provided by the third party in order to connect to the third-party application server; the IP addresses of all connected third-party application servers are added to a background whitelist; and each connected third party is assigned a unique third-party application identifier ApAccess and a key secret;
(2) the mobile terminal initiates a communication request to the third-party application server, which forwards it to the background server; the background server compares the IP address of the third-party application server requesting communication with the IP addresses in the background whitelist, and if the whitelist contains that address proceeds to step (3); otherwise the address is regarded as illegal and the request is filtered out directly;
(3) the third-party application server obtains a token from the background server through the front-end bridging file of the mobile terminal; the mobile terminal registers with this token and its user information is stored in the database of the background server;
(4) the third-party application server initiates a data request to the background server carrying the token; the background server verifies the token on behalf of the third-party application server and also verifies the third-party application identifier ApAccess and the key secret of that server.
In step (4), once the background server has verified the third-party application identifier ApAccess and the key secret of the third-party application server, the background server communicates with the third-party application server, which presents the data to the H5 application over an encrypted data transfer.
In step (4) the token is verified using the session-cookie authentication mode, with the following specific flow:
(41) when the third-party application server receives the first access from the mobile terminal, it creates and stores a session on the third-party application server side and generates a unique identification string (the sid) for that session;
(42) the identification string generated in step (41) is set in a response header of the response to the mobile terminal's request;
(43) on receiving the response, the mobile terminal parses the response header and stores the sid in a local cookie; the browser then carries the cookie for that domain in the request header of its next HTTP request;
(44) when the third-party application server receives a request from the mobile terminal, it parses the sid out of the cookie in the request header, looks up the mobile terminal's session stored on the third-party application server by that sid, and judges from the session whether the request is legitimate.
Advantageous effects: the invention substantially improves security by subjecting the third party to multiple checks without affecting data interaction with it, so that communication is secure and reliable.
Drawings
FIG. 1 is an architectural diagram of the present invention.
Detailed Description
The invention is further elucidated with reference to the drawings and the embodiments.
FIG. 1 is an architectural diagram of the present invention. As shown in fig. 1, the third party authentication scheme of the present invention comprises the following steps:
(1) the background server calls the third party's API or integrates the SDK provided by the third party in order to connect to the third-party application server; the IP addresses of all connected third-party application servers are added to a background whitelist; each connected third party is assigned a unique third-party application identifier ApAccess and a key secret, against which its identity is verified; the identifier and key are used for identity authentication during data interaction with the third party and restrict access to the designated application; the background whitelist is used to verify whether the IP address of a third-party server is authorised and restricts access to the designated third-party servers;
(2) the mobile terminal initiates a communication request to the third-party application server, which forwards it to the background server; the background server compares the IP address of the third-party application server requesting communication with the IP addresses in the background whitelist, and if the whitelist contains that address proceeds to step (3); otherwise the address is regarded as illegal and the request is filtered out directly, which restricts communication to the designated third-party server and so enforces its uniqueness;
(3) the third-party application server obtains a token from the background server through the front-end bridging file of the mobile terminal, thereby gaining the qualification to communicate with the interface; the token is also a mandatory parameter for obtaining the mobile terminal's user information; the mobile terminal registers with the token and its user information is stored in the database of the background server;
(4) the third-party application server initiates a data request to the background server carrying the token; the background server verifies the third-party application identifier ApAccess and the key secret of the third-party application server and, if they pass, performs the corresponding logic according to the other parameters (at its simplest, create, delete, update and query operations) and returns the result; the third-party application server presents the data to the H5 application over an encrypted data transfer.
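The background-server side of steps (1) to (4), as an added worked example; it is not code from the patent or from the applicant. The patent names an IP whitelist, an ApAccess identifier, a key secret and a token, but does not say how the secret is verified. Sending the secret itself on every request would make it just as copyable as the bare token criticised in the background section, so this example assumes the secret is used as an HMAC key to sign each request (ApAccess, token, timestamp, nonce and body), and adds a timestamp window and nonce set against replay; those choices, the store layouts and all names below are assumptions, and the whitelist entries, secret and user id are constructed sample data.

```python
"""Background-server checks for the third-party flow (added example, assumptions noted inline)."""
import hashlib
import hmac
import secrets
import time

# Step (1): registry populated when a third party is onboarded (constructed data).
IP_WHITELIST = {"203.0.113.10", "203.0.113.11"}
THIRD_PARTIES = {"ap_demo": b"k3y-issued-at-onboarding"}   # ApAccess -> secret

# Step (3): tokens issued to the third-party server via the front-end bridge.
# Assumed store: token -> user id. Nonces are remembered to refuse replays.
ISSUED_TOKENS = {}
SEEN_NONCES = set()


def issue_token(user_id):
    """Issue a fresh, unguessable token for a registered mobile user."""
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = user_id
    return token


def sign(secret, ap_access, token, ts, nonce, body):
    """HMAC-SHA256 over the request fields; the secret never leaves either side."""
    msg = "|".join([ap_access, token, str(ts), nonce, body]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_request(ap_access, secret, token, body, src_ip, ts=None, nonce=None):
    """Third-party application server side of step (4): a signed data request.

    src_ip stands for the peer address the background server observes on the
    connection; it is carried in the dict only so the example runs offline.
    """
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    return {"src_ip": src_ip, "ap_access": ap_access, "token": token,
            "ts": ts, "nonce": nonce, "body": body,
            "sig": sign(secret, ap_access, token, ts, nonce, body)}


def verify_request(req, now=None, skew=300):
    """Background-server side of steps (2) and (4). Returns (ok, user_or_reason)."""
    now = int(time.time()) if now is None else now
    # Step (2): the requesting server's IP must be on the whitelist.
    if req["src_ip"] not in IP_WHITELIST:
        return False, "ip not whitelisted"
    # Step (4): ApAccess must belong to an onboarded third party.
    secret = THIRD_PARTIES.get(req["ap_access"])
    if secret is None:
        return False, "unknown ApAccess"
    # Assumed replay protection: bounded clock skew plus single-use nonce.
    if abs(now - req["ts"]) > skew:
        return False, "stale timestamp"
    if req["nonce"] in SEEN_NONCES:
        return False, "replayed nonce"
    # Step (4): proof of possession of the secret, compared in constant time.
    expected = sign(secret, req["ap_access"], req["token"], req["ts"], req["nonce"], req["body"])
    if not hmac.compare_digest(expected, req["sig"]):
        return False, "bad signature"
    # Step (4): the token must be one the background server issued.
    user = ISSUED_TOKENS.get(req["token"])
    if user is None:
        return False, "invalid token"
    SEEN_NONCES.add(req["nonce"])
    return True, user
```

The checks are ordered so that the cheapest one (the whitelist) rejects off-list hosts before any cryptography runs. Two caveats matter in practice: the whitelist must be applied to the address the background server itself observes on the connection, not to a client-supplied header such as X-Forwarded-For, and a token copied by an attacker is useless here without the secret, which is the gap in token-only authentication that the patent sets out to close.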
For token verification, a session-cookie authentication mode can be used, with the following flow:
When the third-party application server receives the first access from the mobile terminal, it creates and stores a session on its own side, generates a unique identification string for the session, and sets that string in a response header of the response to the mobile terminal's communication request. On receiving the response, the mobile terminal parses the response header and stores the sid in a local cookie, and the browser carries the cookie for that domain in the request header of its next HTTP request. When the server receives the client's request, it parses the sid out of the cookie in the request header, finds the client's session stored on the server by that sid, and judges whether the request is legitimate.
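The session-cookie exchange of steps (41) to (44), as an added example with both sides of the exchange; it is not code from the patent or from the applicant. Requests and responses are modelled as dicts with a headers map so the exchange runs offline; the cookie name sid follows the text, while the ThirdPartyServer and MobileClient classes, the per-session hit counter and the HttpOnly, Secure and SameSite cookie attributes are assumptions the patent does not specify.

```python
"""Session-cookie flow between mobile terminal and third-party server (added example)."""
import secrets
from http.cookies import SimpleCookie


class ThirdPartyServer:
    """Server side: creates sessions on first access and looks them up by sid."""

    def __init__(self):
        self.sessions = {}      # sid -> session data (assumed in-memory store)

    def handle(self, request):
        # Step (44): parse the sid out of the Cookie request header, if present.
        cookie = SimpleCookie(request["headers"].get("Cookie", ""))
        sid = cookie["sid"].value if "sid" in cookie else None
        if sid in self.sessions:
            session = self.sessions[sid]
            session["hits"] += 1
            return {"status": 200, "headers": {},
                    "body": f"welcome back, {session['hits']} hits"}
        if sid is not None:
            # A presented sid that matches no stored session is not legitimate.
            return {"status": 401, "headers": {}, "body": "invalid session"}
        # Step (41): first access, so create a session with a fresh unique id.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"hits": 1}
        # Step (42): set the id in the response header (attributes are assumed).
        out = SimpleCookie()
        out["sid"] = sid
        out["sid"]["httponly"] = True     # not readable by page script
        out["sid"]["secure"] = True       # only sent over HTTPS
        out["sid"]["samesite"] = "Lax"
        out["sid"]["path"] = "/"
        header = out.output(header="").strip()
        return {"status": 200, "headers": {"Set-Cookie": header}, "body": "session created"}


class MobileClient:
    """Client side: stores the cookie from the response and sends it back."""

    def __init__(self):
        self.jar = SimpleCookie()

    def request(self, server, path="/"):
        headers = {}
        if "sid" in self.jar:
            # Browser behaviour: cookies for the domain ride in the Cookie header.
            headers["Cookie"] = self.jar.output(attrs=[], header="").strip()
        resp = server.handle({"path": path, "headers": headers})
        # Step (43): parse Set-Cookie from the response and store the sid locally.
        if "Set-Cookie" in resp["headers"]:
            self.jar.load(resp["headers"]["Set-Cookie"])
        return resp
```

Because the session state lives on the server and the sid is only a lookup key, a client that fabricates a sid gets a 401 rather than a session, which is the check step (44) describes; what the sid does not prove is which mobile user is behind it, which is why the scheme still pairs it with the token, ApAccess and secret checks on the background server.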
The invention checks the uniqueness and security of the third-party application server, compensates for the limitations of token verification, and combines several authentication methods into one comprehensive check in order to protect the network and prevent illegal operations; it substantially improves security by subjecting the third party to multiple checks without affecting data interaction with it, so that communication is secure and reliable.
Although the preferred embodiments of the invention have been described in detail, the invention is not limited to the details of the foregoing embodiments; various equivalent changes (for example in number, shape or position) may be made to the technical solution within the technical spirit of the invention, and such equivalents are protected by the invention.

Claims (3)

1. A secure and reliable third-party authentication scheme, characterized in that the method comprises the following steps:
(1) the background server calls the third party's API or integrates the SDK provided by the third party in order to connect to the third-party application server; the IP addresses of all connected third-party application servers are added to a background whitelist; and each connected third party is assigned a unique third-party application identifier ApAccess and a key secret;
(2) the mobile terminal initiates a communication request to the third-party application server, which forwards it to the background server; the background server compares the IP address of the third-party application server requesting communication with the IP addresses in the background whitelist, and if the whitelist contains that address proceeds to step (3); otherwise the address is regarded as illegal and the request is filtered out directly;
(3) the third-party application server obtains a token from the background server through the front-end bridging file of the mobile terminal; the mobile terminal registers with this token and its user information is stored in the database of the background server;
(4) the third-party application server initiates a data request to the background server carrying the token; the background server verifies the token on behalf of the third-party application server and also verifies the third-party application identifier ApAccess and the key secret of that server.
2. The third-party authentication scheme according to claim 1, characterized in that: in step (4), once the background server has verified the third-party application identifier ApAccess and the key secret of the third-party application server, the background server communicates with the third-party application server, which presents the data to the H5 application over an encrypted data transfer.
3. The third-party authentication scheme according to claim 1, characterized in that: in step (4) the token is verified using the session-cookie authentication mode, with the following specific flow:
(41) when the third-party application server receives the first access from the mobile terminal, it creates and stores a session on the third-party application server side and generates a unique identification string (the sid) for that session;
(42) the identification string generated in step (41) is set in a response header of the response to the mobile terminal's request;
(43) on receiving the response, the mobile terminal parses the response header and stores the sid in a local cookie; the browser then carries the cookie for that domain in the request header of its next HTTP request;
(44) when the third-party application server receives a request from the mobile terminal, it parses the sid out of the cookie in the request header, looks up the mobile terminal's session stored on the third-party application server by that sid, and judges from the session whether the request is legitimate.

Bibliographic data

Priority application: CN201911266524.4A, priority date 2019-12-11, filing date 2019-12-11, "Safe and reliable third party authentication scheme"
Publication: CN110881047A, published 2020-03-13 (status at snapshot: Pending)
Family ID: 69731383 (one family application, country CN only)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101990183A * | 2009-07-31 | 2011-03-23 | International Business Machines Corporation (国际商业机器公司) | Method, device and system for protecting user information
CN102724204A * | 2012-06-28 | 2012-10-10 | University of Electronic Science and Technology of China (电子科技大学) | Secure and trusted capability opening platform
CN102801694A * | 2011-05-27 | 2012-11-28 | Alcatel-Lucent (阿尔卡特朗讯公司) | Method and system for implementing third-party authentication based on grey list
CN103067381A * | 2012-12-26 | 2013-04-24 | Baidu Online Network Technology (Beijing) Co., Ltd. (百度在线网络技术(北京)有限公司) | Third-party service login method, login system and login device by means of platform-party account
US20140075188A1 * | 2012-09-11 | 2014-03-13 | Verizon Patent And Licensing Inc. | Trusted third party client authentication
CN104283841A * | 2013-07-02 | 2015-01-14 | Alibaba Group Holding Ltd. (阿里巴巴集团控股有限公司) | Method, device and system for carrying out service access control on third-party application
KR101581663B1 * | 2014-12-05 | 2016-01-04 | Silix Co., Ltd. (유한회사 실릭스) | Authentication and non-repudiation method and system using trusted third party
CN106357699A * | 2016-11-18 | 2017-01-25 | Shanghai Eisoo Information Technology Co., Ltd. (上海爱数信息技术股份有限公司) | Network system, service platform, and login method and system for the service platform
CN107786571A * | 2017-11-07 | 2018-03-09 | Kunshan Yunjing Business Service Co., Ltd. (昆山云景商务服务有限公司) | Method for unified user authentication
CN109408250A * | 2018-09-27 | 2019-03-01 | Tianjin ByteDance Technology Co., Ltd. (天津字节跳动科技有限公司) | Method, device and electronic equipment for calling an application programming interface (API)


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
PRAJAKTA SOLAPURKAR *: "Building secure healthcare services using OAuth 2.0 and JSON web token in IOT cloud scenario", 2016 2nd International Conference on Contemporary Computing and Informatics (IC3I)
刘大红 et al. *: "Research on OAuth authentication interconnection between third-party applications and open platforms" (第三方应用与开放平台OAuth认证互连技术研究), Computer Knowledge and Technology (电脑知识与技术)
祝金伟 et al. *: "Research and practice of a third-party development platform for industry application software" (行业应用软件第三方开发平台的研究与实践), Computer Engineering and Design (计算机工程与设计)


Legal Events

Date | Code | Title
2020-03-13 | PB01 | Publication (application publication date: 20200313)
(date not given) | SE01 | Entry into force of request for substantive examination
(date not given) | RJ01 | Rejection of invention patent application after publication