CN112235285B - Method and system for user authentication mode and service based on non-session - Google Patents

Abstract

The invention discloses a method and a system for a non-session-based user authentication mode and service, which belong to the technical field of user authentication, and solve the technical problem of how to realize an authentication system supporting a multi-client mode and a micro-service mode, and adopt the technical scheme that: the method provides Java SDK through a unified authentication center, provides a Restful API interface at the same time, ensures the diversity and cross-programming language of butt joint, realizes the authentication and authorization process based on a Java Web filter in the Java SDK, and butt joint with the service of the authentication center; the unified user authentication service is realized by java based on OAuth2.0 protocol standard, and adopts Json Web Token type to package and integrate user, role and menu authority functions, thereby realizing external user authentication and authorization functions. The invention also provides a system for the non-session-based user authentication mode and service.

Description

Method and system for user authentication mode and service based on non-session

Technical Field

The invention relates to the technical field of user authentication, in particular to a method and a system for a non-session-based user authentication mode and service.

Background

In the era of big data and cloud computing, technical middleboxes, business middleboxes and large and small application systems are developed, a large website is really composed of split individual services or application systems behind, in order to improve user experience, the requirement that the whole website service can be accessed only by logging in once is provided, and therefore the technical concept of single sign-on is also provided.

Meanwhile, if each system in a large enterprise develops a set of user authentication service, huge repetitive labor and time waste can be caused, a large number of complicated application systems are not convenient for the management of a user system, and huge maintenance cost is caused for operators.

With the progress of technology, clients such as a mobile terminal and a browser terminal become more and more complicated, and it is necessary to unify authentication modes for different clients. The CAS mode based on conversation in the prior art is increasingly incapable of supporting fine-grained, clustered and distributed micro-service background modes. Therefore, how to implement an authentication system supporting a multi-client mode and a micro-service mode is a technical problem to be solved urgently at present.

Disclosure of Invention

The technical task of the invention is to provide a method and a system for a non-session-based user authentication mode and service, so as to solve the problem of how to realize an authentication system supporting a multi-client mode and a micro-service mode.

The technical task of the invention is realized according to the following mode, a method based on user authentication mode and service of non-conversation, said method provides Java SDK through unifying the authentication center, provide Restful API interface at the same time, guarantee the diversity and cross programming language nature of the butt joint, realize the course of authentication, authentication on the basis of Java Web filter in Java SDK, and butt joint with the service of the authentication center;

the unified user authentication service is realized by java based on OAuth2.0 protocol standard, and adopts Json Web Token type to package and integrate user, role and menu authority functions, thereby realizing external user authentication and authorization functions.

Preferably, the OAuth2.0 protocol standard is based on the realization of a plurality of token obtaining modes of the OAuth2.0 protocol by a unified authentication center, and meanwhile, the expansion mode of obtaining the token through a short message verification code of a mobile phone is realized by connecting a short message platform.

Preferably, when the expansion mode for obtaining the token is applied in the development process, the expansion mode is selected according to the scene of the expansion mode, and the specific steps are as follows:

using a default login page, enabling the front end and the rear end not to be separated, and enabling the rear end to acquire a scene of a token;

secondly, a default login page is used, the front end and the back end are separated, and the front end acquires a scene of the token;

thirdly, customizing a login page and acquiring a scene of the token through a background;

and (IV) acquiring a token scene by the short message verification code.

Preferably, the default login page is used, the front end and the back end are not separated, and the process of the back end acquiring the scene of the token is as follows:

(1) the application client requests the authentication server to acquire the code according to the client _ id and the redirect _ url;

(2) the authentication server is redirected to the client _ url and carries the code to the application client;

(3) the application client exchanges token for the authentication server according to the code;

(4) and the authentication server responds to the application client token.

Preferably, the default login page is used, the front end and the back end are separated, and the process of the front end acquiring the scene of the token is as follows:

(1) the application client calls an interface of the hidden acquisition token: http:// ip: port/oauth/authorize? response _ type = token & client _ id = xxxxxx & scope = all & redirect _ uri = CALLBACK _ URL, the page will automatically jump to the login page provided by the authentication server;

(2) after the user inputs the account password to log in, the page automatically jumps to CALLBACK _ URL, and carries the # access _ token authentication server to redirect _ URL, and the anchor access _ token is sent to the application client; the CALLBACK _ URL is an address of the application client front end, the application client front end needs to acquire an access _ token, and the requests carry the token;

(3) and the application client background needs to add a filter, and checks the token transmitted by the application client front end (token check interface).

Preferably, the process of customizing the login page and obtaining the scene of the token through the background specifically comprises the following steps:

(1) the application client calls an interface of a password type acquisition token to acquire an access _ token according to a user name and a password of a user in a background of the application client through a user-defined login page;

(2) writing the obtained token into a cookie at the front end of the application client, and carrying out access on the application client background by the obtained token;

preferably, the process of obtaining the scene of the token by the short message verification code is as follows:

(1) the application client requests the authentication server to acquire a verification code according to the mobile phone number;

(2) the application client acquires a token from the authentication server according to the short message verification code;

(3) the authentication server responds to the application client token.

Preferably, the Token type of the Json Web Token is jwt, wherein jwt is a Token in Json format, and payload carries non-sensitive information and information of Token timeout time and signature verification, so that a non-session and stateless Token form is realized.

A system for non-session based user authentication patterns and services, the system comprising,

the browser is used for accessing the resources of the resource server and redirecting the accessed resources, and is also used for logging in and authorizing the authentication server;

the resource server is used for verifying the token and carrying the token authentication SDK, and is also used for responding resources to the browser;

the authentication SDK is used for redirecting an authentication center login page to a browser, writing the token into a set-cookie, redirecting the token to a target resource, allowing the resource of the resource server to be accessed, checking the token, acquiring the token according to the code and carrying token authentication;

and the authentication server is used for calling back the code of the authentication SDK and responding to token.

Preferably, the working process of the system is as follows:

s1, a browser accesses resources of a resource server;

s2, verifying a token of the resource server by the authentication SDK;

s3, the authentication server verifies the token of the authentication SDK;

s4, when the verification fails, the authentication SDK is redirected to an authentication center login page of the browser;

s5, the browser logs in and authorizes the authentication server;

s6, the authentication server calls back the code to the authentication SDK;

s7, the authentication SDK acquires a token from the authentication server according to the code;

s8, authenticating a corresponding token of the server;

s9, the authentication SDK writes the token into the set-cookie and redirects the token to the target resource of the browser;

s10, the browser redirects to access resources of the resource server;

s11, the resource server carries token to authenticate to an authentication SDK;

s12, carrying token authentication to an authentication server by the authentication SDK;

s13, the authentication server successfully authenticates and feeds back the authentication result to the authentication SDK;

s14, authenticating the SDK to allow the resource of the resource server to be accessed;

and S15, the resource server responds to the resources of the browser.

The method and the system for the non-session-based user authentication mode and service have the following advantages:

the invention is researched and developed based on the Oauth2.0 standard, the framework is relatively mature and stable, and the development difficulty is also reduced;

secondly, the developed service supports various databases in a plug-in mode, hot plug of the service is realized, and the risk of restarting is reduced;

the invention provides support for a plurality of development language systems, and the application is more flexible;

the client side realizes a non-session and stateless token through JWT, and the server side does not need to store, so that the space utilization rate is greatly improved;

the invention supports authentication, authorization and the like, has strong and flexible functions, and simultaneously realizes the unified management of a user system, the unified management of user authority and the unified management of tenant information; the method also provides tenant allocation, isolation modes of users under the tenant, role-authority control based on RBAC, an interface for obtaining a menu tree data structure, and authentication interfaces for obtaining various tokens such as an authorization code formula, a hidden type, a password formula and the like;

the invention encapsulates and integrates the functions of user, role and menu authority, thus realizing the unified user authentication center of external user authentication function.

Drawings

The invention is further described below with reference to the accompanying drawings.

FIG. 1 is a block diagram of a service project;

FIG. 2 is an interaction flow diagram of a system based on non-session based user authentication patterns and services;

FIG. 3 is a flow chart of a scenario in which a default login page is used, the front end and the back end are not separated, and the back end acquires a token;

FIG. 4 is a flow chart of a scenario in which a default login page is used, the front end and the back end are separated, and the front end acquires a token;

FIG. 5 is a flow diagram of a scenario in which a user-defined login page is obtained through a background;

FIG. 6 is a flow chart of a scenario in which a token is obtained from a short message authentication code;

fig. 7 is a schematic diagram of a business application interfacing to a unified authentication cloud service;

figure 8 is a schematic diagram of a tenant hierarchy.

Detailed Description

The non-session based user authentication mode and service method and system of the present invention will be described in detail below with reference to the accompanying drawings and specific embodiments.

Example 1:

the invention relates to a method for user authentication mode and service based on non-conversation, which provides Java SDK through a unified authentication center and provides a Restful API interface at the same time, ensures the diversity and cross-programming language of butt joint, realizes the authentication and authentication process based on a JavaWeb filter in the Java SDK and butt joint with the service of the authentication center;

the unified user authentication service is realized by java, based on OAuth2.0 protocol standard, and adopts Json Web Token type to package and integrate user, role and menu authority functions, thereby realizing external user authentication and authorization functions.

The invention realizes the unified management of the user system, the unified management of the user authority and the unified management of the tenant information; meanwhile, the system also provides interfaces for tenant allocation, isolation modes of users under the tenants, role-authority control based on RBAC (role-based access control) and acquisition of a menu tree data structure, and provides authentication and authorization interfaces for various acquisition tokens such as an authorization code type, a hidden type and a password type, as shown in figure 1.

The OAuth2.0 protocol standard is based on the realization of various token obtaining modes of the OAuth2.0 protocol by a unified authentication center, and meanwhile, the expansion mode of obtaining the token through a short message verification code of a mobile phone is realized by connecting a short message platform. When the expansion mode for obtaining the token is applied to the development process, the selection is carried out according to the scene of the token, and the specific steps are as follows:

using a default login page, enabling the front end and the rear end not to be separated, and enabling the rear end to acquire a scene of a token; as shown in fig. 3, the following is detailed:

(1) the application client requests the authentication server to acquire the code according to the client _ id and the redirect _ url;

(2) the authentication server redirects to the client _ url and carries the code to the application client;

(3) the application client exchanges token for the authentication server according to the code;

(4) and the authentication server responds to the application client token.

Secondly, a default login page is used, the front end and the back end are separated, and the front end acquires a scene of the token; as shown in fig. 4, the following is detailed:

(1) the application client calls an interface of the hidden acquisition token: http:// ip: port/oauth/authorize? response _ type = token & client _ id = xxxxxx & scope = all & redirect _ uri = CALLBACK _ URL, the page will automatically jump to the login page provided by the authentication server;

(2) after the user inputs the account password to log in, the page automatically jumps to CALLBACK _ URL, and carries the # access _ token authentication server to redirect _ URL, and the anchor access _ token is sent to the application client; the CALLBACK _ URL is an address of the application client front end, the application client front end needs to acquire an access _ token, and the requests carry the token;

(3) and the application client background needs to add a filter, and checks the token transmitted by the application client front end (token check interface).

Thirdly, customizing a login page and acquiring a scene of the token through a background; as shown in fig. 5, the following is detailed:

(1) the application client calls an interface of the password type token acquisition to acquire access _ token according to the user name and the password of the user in the background of the application client through the user-defined login page;

(2) writing the obtained token into a cookie at the front end of the application client, and carrying out access on the application client background by the obtained token;

(IV) a scene of obtaining the token by the short message verification code is shown in the attached figure 6, and the scene is as follows:

(1) the application client requests the authentication server to acquire a verification code according to the mobile phone number;

(2) the application client acquires a token from the authentication server according to the short message verification code;

(3) the authentication server responds to the application client token.

The Token type of the Json Web Token is described as follows:

the http protocol is a stateless protocol, and this means that if a user provides a user name and a password to our application for user authentication, the user needs to perform user authentication again when making a next request, because it is unknown which user makes the request according to the http protocol, in order to make the application recognize which user makes the request, only one piece of user login information can be stored in the server, and this login information is transferred to the browser in response to tell it to be stored as a cookie, so that the application can recognize which user the request comes from when making the next request, which is the traditional session-based authentication. Jwt is a token in json format, carries non-sensitive information and token timeout time information in payload, and also carries signature verification, so that a non-session and stateless token form is realized.

The role-right control based on RBAC is explained as follows:

in RBAC, permissions are associated with roles, and users gain the permissions of the appropriate roles by becoming members of those roles. This greatly simplifies the management of rights. Therefore, management is hierarchical and interdependent, the authority is given to the role, and the role is given to the user, so that the authority design is clear and management is convenient.

The multi-tenant cloud model is illustrated as follows:

and providing a cloud tenant mode, opening a tenant application API interface, and butting the business application to the unified authentication cloud service by applying for the tenant, as shown in fig. 7.

A completely isolated tenant environment is provided, and the tenant manages users, roles, menus, organizations and the like under its own system, as shown in fig. 8.

Example 2:

the invention relates to a system based on non-session user authentication mode and service, which comprises,

the browser is used for accessing the resources of the resource server, redirecting the accessed resources and logging in and authorizing the authentication server;

the resource server is used for verifying the token and carrying the token authentication and certification SDK, and is also used for responding the resource to the browser;

the authentication SDK is used for redirecting an authentication center login page to the browser, writing the token into a set _ cookie, redirecting the token to a target resource, allowing the resource of the resource server to be accessed, checking the token, acquiring the token according to the code and carrying token authentication;

and the authentication server is used for calling back the code of the authentication SDK and responding to token.

As shown in fig. 2, the working process of the system is as follows:

s1, a browser accesses resources of a resource server;

s2, verifying a token of the resource server by the authentication SDK;

s3, the authentication server verifies the token of the authentication SDK;

s4, when the verification fails, the authentication SDK is redirected to an authentication center login page of the browser;

s5, the browser logs in and authorizes the authentication server;

s6, the authentication server calls back the code to the authentication SDK;

s7, the authentication SDK acquires a token from the authentication server according to the code;

s8, authenticating a corresponding token of the server;

s9, writing the token into the set-cookie by the authentication SDK, and redirecting to a target resource of the browser;

s10, the browser redirects to access resources of the resource server;

s11, the resource server carries token to authenticate to the authentication SDK;

s12, carrying token authentication to an authentication server by the authentication SDK;

s13, the authentication server successfully authenticates and feeds back the authentication result to the authentication SDK;

s14, authenticating the SDK to allow the resource of the resource server to be accessed;

and S15, the resource server responds to the resources of the browser.

Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and these modifications or substitutions do not depart from the spirit of the corresponding technical solutions of the embodiments of the present invention.

Claims (3)

1. A method based on user authentication mode and service of non-conversation, characterized by that, this method provides Java SDK through the unified authentication center, provide Restful API interface at the same time, guarantee diversity and cross programming language nature of the butt joint, realize the course of authenticating, authorizing in Java SDK on the basis of the filter of JavaWeb, and butt joint with the service of the authentication center;

the unified user authentication service is realized by java based on OAuth2.0 protocol standard, and adopts Json Web Token type to package and integrate user, role and menu authority functions, thereby realizing external user authentication and authorization functions; the Json Web Token is in a Token type of jwt, wherein jwt is a Token in a Json format, and carries non-sensitive information and Token timeout time information in payload and signature verification, so that a non-session and stateless Token form is realized;

when the expansion mode for obtaining the token is applied to the development process, the expansion mode is selected according to the scene of the expansion mode, and the expansion mode is specifically as follows:

using a default login page, enabling the front end and the rear end not to be separated, and enabling the rear end to acquire a scene of a token; the method comprises the following specific steps:

(1) the application client requests the authentication server to acquire the code according to the client _ id and the redirect _ url;

(2) the authentication server is redirected to the client _ url and carries the code to the application client;

(3) the application client exchanges the token for the authentication server according to the code;

(4) the authentication server responds to the application client token;

secondly, a default login page is used, the front end and the back end are separated, and the front end acquires the scene of the token; the method comprises the following specific steps:

(1) the application client calls an interface for obtaining the hidden token: http:// ip: port/oauth/aut horize? response _ type = token & client _ id = xxxxxx & scope = all & redirect _ uri = CALLBACK _ URL, the page will automatically jump to the login page provided by the authentication server;

(2) after the user inputs the account password to log in, the page automatically jumps to CALLBACK _ URL, and carries the # access _ token authentication server to redirect _ URL, and the anchor access _ token is sent to the application client; the CALLBACK _ URL is an address of the application client front end, the application client front end needs to acquire an access _ token, and the requests carry the token;

(3) the application client background needs to add a filter, and the token transmitted by the application client front end is verified;

thirdly, customizing a login page and acquiring a scene of the token through a background; the method comprises the following specific steps:

(1) the application client calls an interface of a password type acquisition token to acquire an access _ token according to a user name and a password of a user in a background of the application client through a user-defined login page;

(2) writing the obtained token into a cookie at the front end of the application client, and carrying out access on the application client background by the obtained token;

fourthly, obtaining a scene of the token by the short message verification code; the method comprises the following specific steps:

(1) the application client requests the authentication server to acquire a verification code according to the mobile phone number;

(2) the application client acquires a token from the authentication server according to the short message verification code;

(3) the authentication server responds to the application client token.

2. The method of claim 1, wherein the oauth2.0 protocol standard is based on that a unified authentication center implements a plurality of token acquisition modes of oauth2.0 protocol, and meanwhile, a short message platform is connected to implement a development mode of acquiring tokens through a mobile phone short message verification code.

3. A system for non-session based user authentication mode and services, the system comprising,

the browser is used for accessing the resources of the resource server and redirecting the accessed resources, and is also used for logging in and authorizing the authentication server;

the resource server is used for verifying the token and carrying the token authentication SDK, and is also used for responding resources to the browser;

the authentication SDK is used for redirecting an authentication center login page to the browser, writing the token into a set _ cookie, redirecting the token to a target resource, allowing the resource of the resource server to be accessed, checking the token, acquiring the token according to the code and carrying token authentication;

the authentication server is used for calling back the code of the authentication SDK and responding to token;

the working process of the system is as follows:

s1, a browser accesses resources of a resource server;

s2, verifying a token of the resource server by the authentication SDK;

s3, the authentication server verifies the token of the authentication SDK;

s4, when the verification fails, the authentication SDK is redirected to an authentication center login page of the browser;

s5, the browser logs in and authorizes the authentication server;

s6, the authentication server calls back the code to the authentication SDK;

s7, the authentication SDK acquires a token from the authentication server according to the code;

s8, authenticating a corresponding token of the server;

s9, writing the token into the set-cookie by the authentication SDK, and redirecting to a target resource of the browser;

s10, the browser redirects to access resources of the resource server;

s11, the resource server carries token to authenticate to an authentication SDK;

s12, carrying token authentication to an authentication server by the authentication SDK;

s13, the authentication server successfully authenticates and feeds back the authentication result to the authentication SDK;

s14, authenticating the SDK to allow the resource of the resource server to be accessed;

and S15, the resource server responds to the resources of the browser.

Images