CN111949959A - Authorization authentication method and device in Oauth protocol - Google Patents

Info

Publication number: CN111949959A
Application number: CN202010817992.2A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN111949959B (en)
Legal status: Granted; active
Inventors: 冯宇东, 马思雨, 李伟仁, 李瑾
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Application filed by Industrial and Commercial Bank of China Ltd (ICBC); priority to CN202010817992.2A; published as CN111949959A; granted and published as CN111949959B.

Classifications

    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G06F21/44 Program or device authentication
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F2221/2115 Third party
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides an authorization authentication method and device in an Oauth protocol, wherein the method comprises the following steps: performing identity authentication on the current third-party server according to the server information of the third-party server initiating the access request; when the identity authentication is passed, returning pre-authorization signature information to the third-party server; and receiving an authorization authentication request with pre-authorization signature information initiated by a third-party server, and performing authorization authentication processing in the Oauth protocol. The authorization authentication method and the authorization authentication device in the Oauth protocol can be used in the field of information security and can also be used in the information security technology in the financial field.

Description

Authorization authentication method and device in Oauth protocol
Technical Field
The invention relates to the technical field of information security, in particular to an authorization authentication method and device in an Oauth protocol.
Background
The unified pass has a very large user base and wide access channels, which makes it well suited as an authentication platform connecting third-party applications with the bank head office user system. On the other hand, the bank's API open platform is mature and cooperates with many institutions and merchants, so the unified pass uses the API open platform, following the OAuth2.0 protocol standard, to interface and communicate with third-party applications, establishing the bank's OAuth authorization authentication platform for third-party applications.
The current industry reference protocol for authorized login is the OAuth2.0 protocol. The bank has also designed an authorized login system suited to the bank on the basis of this protocol. For a third-party APP, the bank's API open platform serves as the unified access point for authorization and data access in the OAuth protocol, while the unified pass provides the specific processes and mechanisms for user login and authentication and supplies protected user information to the third-party application.
The prior-art authorized login system does not fully consider security and reliability during the transmission of authorization information, and may be attacked by hackers during the authorization login process.
Disclosure of Invention
In order to solve the security problem existing in the authorization login in the Oauth2.0 protocol in the prior art and improve the security in the authorization authentication process, the invention provides an authorization authentication method in the Oauth protocol, which comprises the following steps:
performing identity authentication on the current third-party server according to the server information of the third-party server initiating the access request;
if the identity authentication is passed, returning pre-authorization signature information to the third-party server;
and receiving an authorization authentication request with the pre-authorization signature information, which is initiated by the third-party server, and performing authorization authentication processing in the Oauth protocol.
In the embodiment of the present invention, the performing identity verification on the current third-party server according to the server information of the third-party server initiating the access request includes:
receiving an access request initiated by a third-party server by using an API gateway and acquiring server information of the third-party server;
and performing identity authentication on the current third-party server according to the acquired server information of the third-party server.
In the embodiment of the present invention, the performing identity verification on the current third-party server according to the server information of the third-party server initiating the access request includes:
pre-storing information of a third-party server allowing access;
and performing identity verification on the current third-party server according to the stored information of the third-party server allowing access and the server information of the third-party server initiating the access request.
In this embodiment of the present invention, the receiving an authorization and authentication request with the pre-authorization signature information, which is initiated by the third-party server, and performing authorization and authentication processing in the Oauth protocol includes:
receiving an authorization authentication request with the pre-authorization signature information, which is initiated by the third-party server;
and performing signature verification on the pre-authorization signature information; if the signature verification passes, performing authorization authentication processing in the Oauth protocol.
Meanwhile, the invention also provides an authorization authentication device in the Oauth protocol, which comprises:
the server information verification module is used for carrying out identity verification on the current third-party server according to the server information of the third-party server initiating the access request;
the pre-authorization signature module is used for returning pre-authorization signature information to the third-party server when the identity authentication passes;
and the authentication module is used for receiving an authorization authentication request which is initiated by the third-party server and has the pre-authorization signature information, and performing authorization authentication processing in the Oauth protocol.
In the embodiment of the present invention, the server information checking module includes:
the server information acquisition unit is used for receiving an access request initiated by a third-party server by utilizing the API gateway and acquiring the server information of the third-party server;
and the verification unit is used for verifying the identity of the current third-party server according to the acquired server information of the third-party server.
In this embodiment of the present invention, the server information checking module further includes:
a storage unit for storing in advance third-party server information permitted to access;
and the verification unit verifies the identity of the current third-party server according to the stored information of the third-party server allowing access and the server information of the third-party server initiating the access request.
In the embodiment of the present invention, the authentication module includes:
a request receiving unit, configured to receive an authorization authentication request with the pre-authorization signature information, which is initiated by the third-party server;
and the signature verification unit is used for performing signature verification on the pre-authorization signature information and, if the signature verification passes, performing authorization authentication processing in the Oauth protocol.
Meanwhile, the invention also provides computer equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the method when executing the computer program.
Meanwhile, the invention also provides a computer readable storage medium, and a computer program for executing the method is stored in the computer readable storage medium.
By addressing the security problem in current authorized login systems and introducing a pre-authorization signature mechanism, the invention further ensures the legality and reliability of the third-party APP and guarantees the security of the information transmission link before the user's information authentication, thereby effectively rejecting tampering attacks by hackers.
In order to make the aforementioned and other objects, features and advantages of the invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart of an authorization authentication method in the Oauth protocol according to the present invention;
FIG. 2 is a detailed flowchart of the operation of the authorization code mode according to the embodiment of the present invention;
FIG. 3 is a schematic diagram of an authentication platform interaction architecture for third-party applications in accordance with an embodiment of the present invention;
FIG. 4 is a block diagram of an authorization and authentication device in the Oauth protocol provided by the present invention;
FIG. 5 is a schematic diagram of an electronic device provided in an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, the present invention provides an authorization authentication method in Oauth protocol, including:
step S101, performing identity authentication on the current third-party server according to the server information of the third-party server initiating the access request;
step S102, when the identity authentication is passed, pre-authorization signature information is returned to the third-party server;
step S103, receiving an authorization authentication request with the pre-authorization signature information initiated by the third-party server, and performing authorization authentication processing in the Oauth protocol.
Before authorization authentication, the method uses the server information of the third-party server initiating the access request to verify that server's identity, so as to judge whether the current third-party server is one that is allowed access. If it is judged not to be allowed access, the illegal third-party server is directly refused access to the authorization authentication server. If it is determined to be allowed access to the authorization authentication server, pre-authorization signature information is returned to the third-party server, and the authorization authentication request subsequently initiated by the third-party server is signed with that pre-authorization signature information. In other words, by introducing a pre-authorization signature mechanism, the validity and reliability of terminals such as the third-party server and APP are further ensured, the security of the information transmission link is guaranteed before the user performs information authorization authentication, and tampering attacks by hackers can be effectively rejected.
In the embodiment of the invention, an API gateway is used to receive the access request initiated by the third-party server and obtain the server information of the third-party server, and identity authentication of the current third-party server is performed according to the acquired server information. Pre-authorization of the third-party server is performed by the API gateway: the third-party server accesses the API gateway to obtain a pre-authorization signature, and the API gateway returns the pre-authorization signature after checking that the basic information of the third-party server is legal. Performing pre-authorization at the API gateway prevents a third-party server that has not been authorized from accessing the authorization authentication server directly, further prevents hacker attacks, and thereby further improves the security of the authorization authentication server.
Performing identity authentication on the current third-party server according to the server information of the third-party server initiating the access request comprises the following steps:
pre-storing information of a third-party server allowing access;
and performing identity verification on the current third-party server according to the stored information of the third-party server allowing access and the server information of the third-party server initiating the access request.
In an embodiment of the present invention, server information allowing access is pre-stored; after the server information of the current server initiating the access request is received, it is determined whether the pre-stored server information includes the current third-party server's information. If so, the current third-party server is determined to be a server allowing access, and the subsequent authorization authentication operation in the Oauth protocol is allowed to proceed.
In one embodiment of the present invention, receiving the authorization authentication request with the pre-authorization signature information initiated by the third-party server and performing authorization authentication processing in the Oauth protocol includes:
receiving the authorization authentication request with the pre-authorization signature information, which is initiated by the third-party server;
and performing signature verification on the pre-authorization signature information; if the signature verification passes, performing authorization authentication processing in the Oauth protocol.
In the embodiment of the invention, the third-party application transmits the pre-authorization signature to the pass authentication server, and the pass authentication server verifies the signature string. If the signature string verifies successfully, this shows that the pre-authorization signature was not tampered with while being transferred from the third-party server application to the pass authentication server, and that the network link from the third-party application to the pass authentication server is safe and reliable.
The technical solution of the present invention is further described in detail with reference to the following specific examples, wherein the terms related to the examples of the present invention are explained as follows:
The OAuth2.0 protocol: the second generation Open Authorization (OAuth) protocol. The protocol allows a user to let a third-party application access the user's own private resources (e.g., photos, videos, contacts and similar information) stored on a certain website without providing the third-party application with the username and password.
Resource owner (resource owner): an entity, which may be a person (called an end user), that can authorize access to the protected resource;
Resource server (resource server): stores the protected resources; the client requests the resources using an authorization token (Access Token), and the resource server responds to the client with the protected resources;
Authentication server (authorization server): after successfully verifying the resource owner and obtaining authorization, issues an authorization token (Access Token) to the client.
Client (client): a third-party application such as the Sina microblog client or the Jingdong app; it does not itself store the resource, but uses the authorization token to access the protected resource after the resource owner's authorization has passed, and then displays or submits the corresponding data to the server.
Personal pass (epass): the bank's personal electronic bank unified pass (hereinafter referred to as "unified pass").
Authorization Code: the authorization code parameter in the authorization code mode of the Oauth2.0 protocol; it is the most important parameter in the authorization and authentication process.
In the embodiment of the invention, the OAuth2.0 authorization protocol has 4 authorization modes:
authorization code mode, implicit mode, resource owner password mode, and client password mode. The authorization code mode is currently the mode with the most complete functionality and the strictest flow in OAuth2.0, and is widely used. The authorization mode adopted in this embodiment is also the authorization code (Authorization code) mode. The specific workflow of the authorization code mode is shown in fig. 2 and proceeds as follows:
(A) The user accesses the client, which directs the user to the authentication server.
(B) The user decides to grant the client authorization.
(C) The authentication server directs the user to the redirect URL specified by the client, attaching an Authorization Code (Authcode for short).
(D) The client receives the authorization code and, attaching the redirect URL, applies for a token (Access Token) from the authentication server. This operation is completed in the client's background server and is transparent to the user.
(E) After the authentication server checks the authorization code and confirms it is correct, it issues or updates a token to the client and transmits the user identifier.
In the prior-art oauth2.0 protocol, the most important information exchanged end to end is the authorization code. In the authorization code mode, the authorization code is the Authcode that the personal pass application server obtains from the API open platform. This Authcode is associated with the user's identity information; specifically, the Authcode is data obtained by encrypting and transforming the user's ID, and is important information that can identify the user.
Addressing the security problem in the prior-art OAuth2.0 protocol authorization login system, the invention further ensures the legality and reliability of the third-party APP by introducing a pre-authorization signature mechanism, guarantees the security of the information transmission link before the user's information authentication, and effectively rejects tampering attacks by hackers.
The improved system architecture in the embodiment of the present invention is shown in fig. 3, and is an OAuth authorization and authentication platform architecture oriented to third-party applications.
The specific implementation of this embodiment is divided into the following two parts:
First part: end-to-end interfacing to complete acquisition of the authorization code. The specific steps are as follows:
1. The third-party back end (third-party server, APP) acquires a pre-authorization signature:
the third-party server accesses the API gateway to obtain the pre-authorization signature, and the API gateway returns the pre-authorization signature after checking that the basic information of the third-party server is legal.
2. Call the authorization authentication server carrying the pre-authorization signature:
the third-party APP carries the pre-authorization signature and transmits it to the unified pass authentication server.
3. Decrypt and verify the pre-authorization signature: after the unified pass authentication server verifies the pre-authorization signature, it displays the login page and verifies whether the user name and password are correct.
4. User authorization: after the user name and password are verified, the authorization page is invoked, the related information of the third-party application is displayed, and the user's operation on the authorization page is awaited.
5. Return the authorization code: once the user confirms authorization, the unified pass authentication server obtains the authorization code from the API platform and returns it to the third-party application via the redirect URL.
Second part: the third-party application requests the user information it is permitted to obtain within the authorization scope. The specific steps are as follows:
6. Apply for a token using the authorization code: the background server of the third-party application requests the token from the API gateway using the authorization code, and decides whether to call the API interface to refresh the token according to the token's validity period.
7. The third-party application requests the user information from the API gateway using the token.
8. Call the API (application program interface) to obtain user data: the OAuth management cluster of the API gateway checks the legality of the uploaded parameters and, if the check finds no errors, returns the current user information. The third-party application thus obtains the user information exposed through the API gateway.
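As an added example (not code from the patent or from ICBC), the following Python sketch models steps 1 to 3 of the first part together with the gateway allowlist check described earlier: the API gateway compares the caller's server information with pre-stored allowed servers and issues a pre-authorization signature, the third-party server carries it on its authorization request, and the pass authentication server verifies the signature string and rejects any request whose signed fields were altered in transit. The HMAC-SHA256 scheme, the key shared between gateway and authentication server, the client_id/redirect_uri/source IP fields, the 300-second lifetime and every sample value are assumptions; the patent does not specify them.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed allowlist standing in for the "pre-stored information of third-party
# servers allowing access" held by the API gateway. Values are made up for this example.
ALLOWED_SERVERS = {
    "app_1001": {"source_ip": "203.0.113.10", "redirect_uri": "https://app1001.example/cb"},
}

# Assumption: the API gateway and the pass authentication server share this signing key.
# The patent does not state the signature scheme; HMAC-SHA256 is used here for illustration.
GATEWAY_SIGNING_KEY = b"constructed-demo-key-not-for-production"
PRE_AUTH_TTL_SECONDS = 300  # assumed lifetime of a pre-authorization signature


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(payload: dict) -> bytes:
    # Deterministic encoding so gateway and authentication server sign/verify identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def gateway_issue_pre_auth(client_id, source_ip, redirect_uri, now=None):
    """Step 1: the API gateway checks the caller's server information against the
    allowlist and, only if it matches, returns a pre-authorization signature."""
    entry = ALLOWED_SERVERS.get(client_id)
    if entry is None or entry["source_ip"] != source_ip or entry["redirect_uri"] != redirect_uri:
        return None  # not an allowed third-party server: refuse directly
    payload = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "iat": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(8),
    }
    body = _canonical(payload)
    mac = hmac.new(GATEWAY_SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def client_build_auth_request(client_id, redirect_uri, pre_auth_sig, state):
    """Step 2: the third-party server carries the pre-authorization signature on
    its authorization request to the pass authentication server."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "pre_auth_sig": pre_auth_sig,
    }


def authserver_verify_pre_auth(request, now=None):
    """Step 3: the pass authentication server verifies the signature string and
    checks that the request's fields match the signed fields, so a request whose
    client_id or redirect_uri was altered in transit is rejected before the login
    page is shown. Returns (ok, reason)."""
    sig = request.get("pre_auth_sig", "")
    if "." not in sig:
        return False, "missing or malformed pre-authorization signature"
    body_b64, mac_b64 = sig.split(".", 1)
    try:
        body, mac = _unb64(body_b64), _unb64(mac_b64)
        payload = json.loads(body)
    except (ValueError, TypeError):
        return False, "undecodable pre-authorization signature"
    if not isinstance(payload, dict):
        return False, "unexpected signature payload"
    expected = hmac.new(GATEWAY_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "signature check failed (tampered or not issued by the gateway)"
    current = int(time.time() if now is None else now)
    if current - int(payload.get("iat", 0)) > PRE_AUTH_TTL_SECONDS:
        return False, "pre-authorization signature expired"
    if (payload.get("client_id") != request.get("client_id")
            or payload.get("redirect_uri") != request.get("redirect_uri")):
        return False, "request fields do not match the signed fields"
    return True, "ok: proceed to login page and user authorization"


if __name__ == "__main__":
    sig = gateway_issue_pre_auth("app_1001", "203.0.113.10", "https://app1001.example/cb")
    req = client_build_auth_request("app_1001", "https://app1001.example/cb", sig, "s1")
    print(authserver_verify_pre_auth(req))
    print(authserver_verify_pre_auth(dict(req, redirect_uri="https://evil.example/cb")))
```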
Meanwhile, as shown in fig. 4, the present invention further provides an authorization authentication apparatus in the Oauth protocol, including:
the server information verification module 401 is configured to perform identity verification on a current third-party server according to server information of the third-party server initiating the access request;
a pre-authorization signature module 402, configured to return pre-authorization signature information to the third-party server when the identity authentication passes;
an authentication module 403, configured to receive an authorization authentication request with the pre-authorization signature information, which is initiated by the third-party server, and perform authorization authentication processing in the Oauth protocol.
In the embodiment of the present invention, the server information checking module includes:
the server information acquisition unit is used for receiving an access request initiated by a third-party server by utilizing the API gateway and acquiring the server information of the third-party server;
and the verification unit is used for verifying the identity of the current third-party server according to the acquired server information of the third-party server.
In this embodiment of the present invention, the server information checking module further includes:
a storage unit for storing in advance third-party server information permitted to access;
and the verification unit verifies the identity of the current third-party server according to the stored information of the third-party server allowing access and the server information of the third-party server initiating the access request.
In the embodiment of the present invention, the authentication module includes:
a request receiving unit, configured to receive an authorization authentication request with the pre-authorization signature information, which is initiated by the third-party server;
and the signature verification unit is used for performing signature verification on the pre-authorization signature information and, if the signature verification passes, performing authorization authentication processing in the Oauth protocol.
Through the foregoing description of the embodiments, the implementation of the authorization and authentication apparatus in the Oauth protocol of the present application is clear to those skilled in the art and is not described again here.
It should be noted that the authorization authentication method and apparatus in the Oauth protocol disclosed in the present application can be used in the information security field, can also be used in the information security technology in the financial field, and can also be used in any field other than the financial field.
During transmission of the authorization code in the Oauth2.0 protocol, if the authorization code is not signed, mechanisms such as face recognition and SMS verification can be added to the user identity verification process, and specific security checks can be added for different authorizing parties. However, as those skilled in the art will appreciate, this increases the number and difficulty of the user's operations, which does not help improve the user experience. The invention effectively improves the security and reliability of the authorization authentication process by introducing a pre-authorization signature mechanism.
First, before the third-party server or application interacts with the personal pass authentication server, a pre-authorization signature must be obtained from the API open platform. If the pre-authorization signature can be successfully acquired, this proves that the third-party application has passed the basic information verification of the API gateway and has the capability to call the API platform interface.
Secondly, the third-party server or application transmits the pre-authorization signature to the pass authentication server, and the pass authentication server verifies the signature string. If the signature string verifies successfully, this indicates that the pre-authorization signature was not tampered with while being transferred from the third-party application to the pass authentication server, and that the network link from the third-party application to the pass authentication server is safe and reliable.
The present embodiment also provides an electronic device, which may be a desktop computer, a tablet computer, a mobile terminal, and the like, but is not limited thereto. In this embodiment, the electronic device may refer to the embodiments of the method and the apparatus, and the contents thereof are incorporated herein, and repeated descriptions are omitted.
Fig. 5 is a schematic block diagram of a system configuration of an electronic apparatus 600 according to an embodiment of the present invention. As shown in fig. 5, the electronic device 600 may include a central processor 100 and a memory 140; the memory 140 is coupled to the central processor 100. Notably, this diagram is exemplary; other types of structures may also be used in addition to or in place of the structure to implement telecommunications or other functions.
In one embodiment, the authorization authentication method function in the Oauth protocol may be integrated into the central processor 100. The central processor 100 may be configured to control as follows:
performing identity authentication on the current third-party server according to the server information of the third-party server initiating the access request;
if the identity authentication is passed, returning pre-authorization signature information to the third-party server;
and receiving an authorization authentication request with the pre-authorization signature information, which is initiated by the third-party server, and performing authorization authentication processing in the Oauth protocol.
In the embodiment of the present invention, the performing identity verification on the current third-party server according to the server information of the third-party server initiating the access request includes:
receiving an access request initiated by a third-party server by using an API gateway and acquiring server information of the third-party server;
and performing identity authentication on the current third-party server according to the acquired server information of the third-party server.
In the embodiment of the present invention, the performing identity verification on the current third-party server according to the server information of the third-party server initiating the access request includes:
pre-storing information of a third-party server allowing access;
and performing identity verification on the current third-party server according to the stored information of the third-party server allowing access and the server information of the third-party server initiating the access request.
In this embodiment of the present invention, the receiving an authorization and authentication request with the pre-authorization signature information, which is initiated by the third-party server, and performing authorization and authentication processing in the Oauth protocol includes:
receiving an authorization authentication request with the pre-authorization signature information, which is initiated by the third-party server;
and carrying out signature verification processing on the pre-authorization signature information, and if the signature verification passes, performing authorization authentication processing in the Oauth protocol.
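The two-stage flow described above (API gateway checks the third-party server against pre-stored information and issues a pre-authorization signature; the pass authentication server verifies that signature before any Oauth authorization work) as an added, self-contained example. This is not code from the patent or from ICBC; the allow-list, the shared HMAC-SHA256 signing key, the 300-second validity window and all identifiers are assumptions, since the patent fixes no algorithm or format.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed allow-list: the server information the gateway pre-stores for
# third-party servers that are permitted to access the API platform.
ALLOWED_SERVERS = {
    "app-123": {"name": "Example Partner", "source_ip": "203.0.113.10"},
}
# Assumed: the API gateway and the pass authentication server share this key.
# HMAC-SHA256 is chosen here for illustration; the patent fixes no algorithm.
SIGNING_KEY = b"constructed-shared-key-do-not-reuse"
SIGNATURE_TTL = 300  # assumed lifetime of a pre-authorization signature, seconds


def _canonical(payload):
    # Deterministic serialisation so both sides sign/verify identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def gateway_issue_pre_authorization(client_id, source_ip, now=None):
    """Step 1 (API gateway): verify the requesting server's identity against the
    pre-stored information. Returns (payload, signature) on success, None on failure."""
    entry = ALLOWED_SERVERS.get(client_id)
    if entry is None or entry["source_ip"] != source_ip:
        return None
    payload = {
        "client_id": client_id,
        "issued_at": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(8),  # makes each signature unique
    }
    sig = hmac.new(SIGNING_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    return payload, sig


def auth_server_verify(payload, sig, now=None):
    """Step 2 (pass authentication server): verify the signature string before
    doing any Oauth processing. Returns a short result code."""
    expected = hmac.new(SIGNING_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "signature_invalid"  # tampered in transit, or never issued by the gateway
    current = now if now is not None else time.time()
    if current - payload["issued_at"] > SIGNATURE_TTL:
        return "signature_expired"
    if payload["client_id"] not in ALLOWED_SERVERS:
        return "unknown_client"
    return "ok"


def handle_authorization_request(request, now=None):
    """Full flow: only a request carrying a valid pre-authorization signature
    proceeds to Oauth authorization code issuance (code value is constructed)."""
    result = auth_server_verify(request["pre_auth"], request["pre_auth_sig"], now)
    if result != "ok":
        return {"error": "invalid_request", "reason": result}
    return {
        "code": "AUTHCODE-" + secrets.token_hex(6),
        "client_id": request["pre_auth"]["client_id"],
    }
```

A request whose pre-authorization signature fails verification is rejected before the authorization code step, so a tampered or forged signature never reaches the Oauth flow.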
In another embodiment, the authorization authentication device in the Oauth protocol may be configured separately from the central processor 100, for example, the authorization authentication device in the Oauth protocol may be configured as a chip connected to the central processor 100, and the authorization authentication function in the Oauth protocol is implemented by the control of the central processor.
As shown in fig. 5, the electronic device 600 may further include: communication module 110, input unit 120, audio processing unit 130, display 160, power supply 170. It is noted that the electronic device 600 does not necessarily include all of the components shown in fig. 5; furthermore, the electronic device 600 may also comprise components not shown in fig. 5, which may be referred to in the prior art.
As shown in fig. 5, the central processor 100, sometimes referred to as a controller or operational control, may include a microprocessor or other processor device and/or logic device, the central processor 100 receiving input and controlling the operation of the various components of the electronic device 600.
The memory 140 may be, for example, one or more of a buffer, a flash memory, a hard drive, a removable medium, a volatile memory, a non-volatile memory, or other suitable device. Information relating to failures may be stored in it, as well as the program that processes that information, and the central processing unit 100 may execute the program stored in the memory 140 to realize information storage or processing.
The input unit 120 provides input to the central processor 100. The input unit 120 is, for example, a key or a touch input device. The power supply 170 is used to provide power to the electronic device 600. The display 160 is used to display an object to be displayed, such as an image or a character. The display may be, for example, an LCD display, but is not limited thereto.
The memory 140 may be a solid state memory such as Read Only Memory (ROM), Random Access Memory (RAM), a SIM card, or the like. It may also be a memory that retains information even when power is off, can be selectively erased and reprogrammed with new data, an example of which is sometimes called an EPROM. The memory 140 may also be some other type of device. Memory 140 includes buffer memory 141 (sometimes referred to as a buffer). The memory 140 may include an application/function storage section 142, which is used to store the application programs and function programs, or the flow, by which the central processing unit 100 executes the operation of the electronic device 600.
The memory 140 may also include a data store 143, the data store 143 for storing data, such as contacts, digital data, pictures, sounds, and/or any other data used by the electronic device. The driver storage portion 144 of the memory 140 may include various drivers of the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging application, address book application, etc.).
The communication module 110 is a transmitter/receiver 110 that transmits and receives signals via an antenna 111. The communication module (transmitter/receiver) 110 is coupled to the central processor 100 to provide an input signal and receive an output signal, which may be the same as in the case of a conventional mobile communication terminal.
Based on different communication technologies, a plurality of communication modules 110, such as a cellular network module, a Bluetooth module, and/or a wireless local area network module, may be provided in the same electronic device. The communication module (transmitter/receiver) 110 is also coupled to a speaker 131 and a microphone 132 via an audio processor 130 to provide audio output via the speaker 131 and receive audio input from the microphone 132, so as to implement general telecommunications functions. The audio processor 130 may include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 130 is also coupled to the central processor 100, so that local recording can be performed through the microphone 132 and locally stored sound can be played through the speaker 131.
An embodiment of the present invention further provides a computer-readable program, where when the program is executed in an electronic device, the program causes a computer to execute, in the electronic device, the authorization authentication method in the Oauth protocol as described in the above embodiment.
An embodiment of the present invention further provides a storage medium storing a computer-readable program, where the computer-readable program enables a computer to execute, in an electronic device, the authorization authentication method in the Oauth protocol described in the above embodiment.
The preferred embodiments of the present invention have been described above with reference to the accompanying drawings. The many features and advantages of the embodiments are apparent from the detailed specification, and thus, it is intended by the appended claims to cover all such features and advantages of the embodiments that fall within the true spirit and scope thereof. Further, since numerous modifications and changes will readily occur to those skilled in the art, it is not desired to limit the embodiments of the invention to the exact construction and operation illustrated and described, and accordingly, all suitable modifications and equivalents may be resorted to, falling within the scope thereof.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and implementation of the invention have been explained above by means of specific embodiments, and the description of the embodiments is only intended to help understand the method and core idea of the invention; at the same time, a person skilled in the art may, following the idea of the present invention, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (10)

1. An authorization authentication method in an Oauth protocol, the method comprising:
performing identity authentication on the current third-party server according to the server information of the third-party server initiating the access request;
when the identity authentication passes, returning pre-authorization signature information to the third-party server;
and receiving an authorization authentication request with the pre-authorization signature information, which is initiated by the third-party server, and performing authorization authentication processing in the Oauth protocol.
2. The authorization authentication method in the Oauth protocol according to claim 1, wherein the authentication of the current third-party server according to the server information of the third-party server that initiated the access request comprises:
receiving an access request initiated by a third-party server by using an API gateway and acquiring server information of the third-party server;
and performing identity authentication on the current third-party server according to the acquired server information of the third-party server.
3. The authorization authentication method in the Oauth protocol according to claim 2, wherein the authentication of the current third-party server according to the server information of the third-party server that initiated the access request comprises:
pre-storing information of a third-party server allowing access;
and performing identity verification on the current third-party server according to the stored information of the third-party server allowing access and the server information of the third-party server initiating the access request.
4. The authorization authentication method in Oauth protocol according to claim 1, wherein the receiving of the authorization authentication request with the pre-authorization signature information initiated by the third-party server, performing authorization authentication processing in Oauth protocol includes:
receiving an authorization authentication request with the pre-authorization signature information, which is initiated by the third-party server;
and carrying out signature verification processing on the pre-authorization signature information, and if the signature verification passes, performing authorization authentication processing in the Oauth protocol.
5. An authorization authentication device in the Oauth protocol, the device comprising:
the server information verification module is used for carrying out identity verification on the current third-party server according to the server information of the third-party server initiating the access request;
the pre-authorization signature module is used for returning pre-authorization signature information to the third-party server when the identity authentication passes;
and the authentication module is used for receiving an authorization authentication request which is initiated by the third-party server and has the pre-authorization signature information, and performing authorization authentication processing in the Oauth protocol.
6. The apparatus of claim 5, wherein the server information checking module comprises:
the server information acquisition unit is used for receiving an access request initiated by a third-party server by utilizing the API gateway and acquiring the server information of the third-party server;
and the verification unit is used for verifying the identity of the current third-party server according to the acquired server information of the third-party server.
7. The apparatus for authorization authentication in Oauth protocol according to claim 6, wherein said server information checking module further comprises:
a storage unit for storing in advance third-party server information permitted to access;
and the verification unit verifies the identity of the current third-party server according to the stored information of the third-party server allowing access and the server information of the third-party server initiating the access request.
8. An authorization and authentication device in the Oauth protocol according to claim 5, wherein said authentication module comprises:
a request receiving unit, configured to receive an authorization authentication request with the pre-authorization signature information, which is initiated by the third-party server;
and the signature verification unit is used for verifying the signature of the pre-authorization signature information, and, if the signature verification passes, performing authorization authentication processing in the Oauth protocol.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 4 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any one of claims 1 to 4.
CN202010817992.2A 2020-08-14 2020-08-14 Authorization authentication method and device in Oauth protocol Active CN111949959B (en)

Publications (2)

Publication Number Publication Date
CN111949959A true CN111949959A (en) 2020-11-17
CN111949959B CN111949959B (en) 2023-09-15

Family

ID=73343755
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant