CN116346486A - Combined login method, device, equipment and storage medium - Google Patents


Info

Publication number: CN116346486A
Authority: CN (China)
Prior art keywords: application program, information, target user, key factor, application
Legal status: Pending
Application number: CN202310370873.0A
Other languages: Chinese (zh)
Inventors: 骆衍华, 林立志, 黄思创, 李冠彬
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Application filed by: Industrial and Commercial Bank of China Ltd (ICBC)
Priority to: CN202310370873.0A
Publication of: CN116346486A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The disclosure provides a joint login method, device, equipment and storage medium, which can be applied to the technical fields of computer communication and finance. The method comprises the following steps: acquiring identity token information of a first application program; encrypting the identity token information with the private key of a second application program to obtain digital signature information; when the server side of the first application program has verified the digital signature information, receiving the encrypted key factor data sent by the server side of the first application program and decrypting it with the private key of the second application program to obtain a key factor; decrypting the encrypted attribute information of the target user with the key factor to obtain the decrypted attribute information of the target user; and, when the target user has access rights to the second application program, displaying the access page of the second application program.

Description

Combined login method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of computer communication technology and the field of financial technology, and in particular, to a joint login method, apparatus, device, medium, and program product.
Background
With the spread of Internet technology, enterprises' information-digitization needs keep growing and the number of business systems in use increases; however, accessing different business systems requires repeated logins, and it is difficult to achieve access to the other business systems after a single login.
In the related art, joint login is generally realized by connecting to a third-party system, and this approach requires integrating the various login schemes of the business systems of different companies.
Disclosure of Invention
In view of the foregoing, the present disclosure provides federated login methods, apparatus, devices, media, and program products.
According to a first aspect of the present disclosure, there is provided a joint login method, applied to a server of a second application program, including:
acquiring identity token information of the first application program, where the identity token information is obtained by the server side of the first application program encrypting the login information with which a target user logged in to the first application program, in response to a selection operation performed on a page of the first application program on an identifier of the access page of the second application program; encrypting the identity token information with the private key of the second application program to obtain digital signature information; when the server side of the first application program has verified the digital signature information, receiving the encrypted key factor data sent by the server side of the first application program and decrypting it with the private key of the second application program to obtain the key factor; decrypting the encrypted attribute information of the target user with the key factor to obtain the decrypted attribute information of the target user; and, when the target user has access rights to the second application program, displaying the access page of the second application program.
According to an embodiment of the present disclosure, encrypting the identity token information by using a private key of the second application program to obtain digital signature information includes:
decrypting the identity token information to obtain the domain name information of the first application program, the identification information of the first application program and the timestamp information of the target user's login to the first application program; and encrypting the domain name information, the identification information and the timestamp information with the private key of the second application program to obtain the digital signature information.
According to an embodiment of the present disclosure, decrypting the encrypted attribute information of the target user using the key factor to obtain the decrypted attribute information of the target user includes:
verifying the encrypted attribute information of the target user with the public key of the first application program to obtain a verification result; and, when the verification result is that verification passed, decrypting the encrypted attribute information of the target user with the key factor to obtain the attribute information of the target user.
According to an embodiment of the present disclosure, verifying the encrypted attribute information of the target user with the public key of the first application program to obtain a verification result includes:
decrypting the encrypted attribute information of the target user with the public key of the first application program to obtain the attribute information of the target user and the timestamp information of the target user's login to the first application program; determining a first information interaction duration from the timestamp information and the current time information; and, when the first information interaction duration meets a preset threshold and the attribute information of the target user is verified, determining that the verification result is that verification passed.
According to an embodiment of the present disclosure, the above method further includes:
decrypting the encrypted key factor data with the private key of the second application program to obtain the key factor and a random number; storing the random number and the key factor in association with each other; and, on receiving the random number sent by the server of the first application program, determining the key factor from the random number.
According to a second aspect of the present disclosure, there is provided a joint login method, applied to a server of a first application program, including:
in response to a selection operation performed on a page of the first application program on an identifier of the access page of the second application program, encrypting the login information with which the target user logged in to the first application program to obtain identity token information, and sending the identity token information to the server side of the second application program; receiving the digital signature information that the server of the second application program obtained by encrypting the identity token information with the private key of the second application program, and verifying the digital signature information with the public key of the second application program to obtain a verification result; when the verification result is that verification passed, encrypting a randomly generated key factor with the public key of the second application program to obtain encrypted key factor data, and sending the encrypted key factor data to the server side of the second application program; and encrypting the attribute information of the target user with the key factor to generate the encrypted attribute information of the target user, and sending the encrypted attribute information of the target user to the server side of the second application program.
According to an embodiment of the present disclosure, verifying the digital signature information by using the public key of the second application program, to obtain a verification result, includes:
decrypting the digital signature information with the public key of the second application program to obtain the identity token information and the timestamp information of the target user's login to the first application program; determining a second information interaction duration from the timestamp information and the current time information; and, when the second information interaction duration meets a preset threshold and the identity token information is verified, determining that the verification result is that verification passed.
According to an embodiment of the present disclosure, the above method further includes:
when the verification result is that verification passed, randomly generating a random number and a key factor, and encrypting the key factor with the public key of the second application program to obtain encrypted key factor data; and sending the encrypted key factor data and the random number to the server of the second application program.
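The exchange described in the first and second aspects above, played out between both servers as an added example in Go (this is not code from the patent or from ICBC). It assumes RSA-PSS for what the patent calls encrypting with the private key, RSA-OAEP for transporting the key factor, AES-256-GCM for the attribute information, a 60-second freshness threshold, and constructed token fields, attribute values and access list:

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

const maxAge = 60 * time.Second // the "preset threshold" for the interaction duration (assumed value, not from the patent)

// Signed is a payload plus the sender's timestamp, bound together by an RSA-PSS signature over both.
type Signed struct {
	Payload []byte
	TS      int64
	Sig     []byte
}

func newKey() *rsa.PrivateKey { // fresh 2048-bit pair for one server
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// sign is what the patent calls "encrypting with the private key": a signature over payload and timestamp.
func sign(priv *rsa.PrivateKey, payload []byte, now time.Time) Signed {
	d := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", payload, now.Unix())))
	sig, _ := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
	return Signed{payload, now.Unix(), sig}
}

// verify fails if the timestamp is outside the threshold or the peer's signature does not check out.
func verify(pub *rsa.PublicKey, m Signed, now time.Time) error {
	if age := now.Sub(time.Unix(m.TS, 0)); age < 0 || age > maxAge {
		return errors.New("information interaction duration exceeds threshold")
	}
	d := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", m.Payload, m.TS)))
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], m.Sig, nil)
}

// FederatedLogin plays both servers: app1/app2 are their private keys (each side verifies with the other's public key), allowed is App2's access list (constructed), skew delays App2's final freshness check.
func FederatedLogin(app1, app2 *rsa.PrivateKey, allowed map[string]bool, user string, skew time.Duration) (map[string]string, error) {
	now := time.Now()
	// App1 -> App2: identity token carrying domain name, app identifier and login timestamp (constructed values).
	token, _ := json.Marshal(map[string]any{"domain": "app1.example", "app_id": "APP1", "login_ts": now.Unix()})
	// App2 -> App1: the token signed with App2's private key; App1 verifies it with App2's public key.
	if err := verify(&app2.PublicKey, sign(app2, token, now), now); err != nil {
		return nil, fmt.Errorf("app1 rejects app2's signature: %w", err)
	}
	// App1: random key factor and random number; the factor is encrypted to App2's public key (RSA-OAEP).
	factor, nonce := make([]byte, 32), make([]byte, 16)
	rand.Read(factor)
	rand.Read(nonce)
	encFactor, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &app2.PublicKey, factor, nil)
	// App2: decrypt the factor with its private key and store it in association with the random number.
	stored, err := rsa.DecryptOAEP(sha256.New(), nil, app2, encFactor, nil)
	if err != nil {
		return nil, err
	}
	store := map[string][]byte{string(nonce): stored}
	// App1 -> App2: attributes encrypted under the key factor (AES-256-GCM; the patent names no cipher), then signed with App1's private key.
	attrJSON, _ := json.Marshal(map[string]string{"user": user, "dept": "retail"})
	block, _ := aes.NewCipher(factor)
	g, _ := cipher.NewGCM(block)
	iv := make([]byte, g.NonceSize())
	rand.Read(iv)
	m := sign(app1, g.Seal(iv, iv, attrJSON, nil), now)
	// App2: verify App1's signature and freshness, look the factor up by random number, decrypt, and show the access page (returned here) only for a user with access rights.
	if err := verify(&app1.PublicKey, m, now.Add(skew)); err != nil {
		return nil, fmt.Errorf("app2 rejects attribute message: %w", err)
	}
	block2, err := aes.NewCipher(store[string(nonce)]) // nil key when the random number is unknown
	if err != nil {
		return nil, errors.New("unknown random number")
	}
	g2, _ := cipher.NewGCM(block2)
	if len(m.Payload) < g2.NonceSize() {
		return nil, errors.New("malformed ciphertext")
	}
	plain, err := g2.Open(nil, m.Payload[:g2.NonceSize()], m.Payload[g2.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	var attrs map[string]string
	if json.Unmarshal(plain, &attrs) != nil || !allowed[attrs["user"]] {
		return nil, errors.New("target user has no access rights to the second application")
	}
	return attrs, nil
}

func main() {
	app1, app2 := newKey(), newKey()
	fmt.Println(FederatedLogin(app1, app2, map[string]bool{"alice": true}, "alice", 0))
}
```

FederatedLogin returns an error instead of attributes for a user outside the access list, for a tampered or wrongly keyed signature, and when App2's final check runs more than maxAge after App1 signed.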
A third aspect of the present disclosure provides a federated login device applied to a server of a second application, comprising an acquisition module, a first encryption module, a first decryption module, a second decryption module and a display module.
The acquisition module acquires the identity token information of the first application program, where the identity token information is obtained by the server side of the first application program encrypting the login information with which a target user logged in to the first application program, in response to a selection operation performed on a page of the first application program on an identifier of the access page of the second application program. The first encryption module encrypts the identity token information with the private key of the second application program to obtain digital signature information. The first decryption module, when the server of the first application program has verified the digital signature information, receives the encrypted key factor data sent by that server and decrypts it with the private key of the second application program to obtain the key factor. The second decryption module decrypts the encrypted attribute information of the target user with the key factor to obtain the decrypted attribute information of the target user. The display module displays the access page of the second application program when the target user has access rights to the second application program.
According to an embodiment of the present disclosure, the first encryption module includes a first decryption unit and an encryption unit. The first decryption unit decrypts the identity token information to obtain the domain name information of the first application program, the identification information of the first application program and the timestamp information of the target user's login to the first application program. The encryption unit encrypts the domain name information, the identification information and the timestamp information with the private key of the second application program to obtain the digital signature information.
According to an embodiment of the present disclosure, the second decryption module includes a first verification unit and a second decryption unit. The first verification unit verifies the encrypted attribute information of the target user with the public key of the first application program to obtain a verification result. The second decryption unit, when the verification result is that verification passed, decrypts the encrypted attribute information of the target user with the key factor to obtain the attribute information of the target user.
According to an embodiment of the present disclosure, the first verification unit comprises a decryption subunit, a first determination subunit and a second determination subunit. The decryption subunit decrypts the encrypted attribute information of the target user with the public key of the first application program to obtain the attribute information of the target user and the timestamp information of the target user's login to the first application program. The first determination subunit determines the first information interaction duration from the timestamp information and the current time information. The second determination subunit determines that the verification result is that verification passed when the first information interaction duration meets a preset threshold and the attribute information of the target user is verified.
According to an embodiment of the present disclosure, the above apparatus further includes a third decryption module, an association storage module and a determination module. The third decryption module decrypts the encrypted key factor data with the private key of the second application program to obtain the key factor and the random number. The association storage module stores the random number and the key factor in association with each other. The determination module receives the random number sent by the server of the first application program and determines the key factor from the random number.
A fourth aspect of the present disclosure provides a federated login device applied to a server of a first application, comprising a second encryption module, a third encryption module, a fourth encryption module and a fifth encryption module.
The second encryption module, in response to a selection operation performed on a page of the first application program on an identifier of the access page of the second application program, encrypts the login information with which a target user logged in to the first application program to obtain identity token information, and sends the identity token information to the server side of the second application program. The third encryption module receives the digital signature information that the server of the second application program obtained by encrypting the identity token information with the private key of the second application program, and verifies the digital signature information with the public key of the second application program to obtain a verification result. The fourth encryption module, when the verification result is that verification passed, encrypts the randomly generated key factor with the public key of the second application program to obtain encrypted key factor data and sends it to the server side of the second application program. The fifth encryption module encrypts the attribute information of the target user with the key factor to generate the encrypted attribute information of the target user, and sends it to the server side of the second application program.
According to an embodiment of the present disclosure, the third encryption module includes a third decryption unit, a first determination unit and a second determination unit. The third decryption unit decrypts the digital signature information with the public key of the second application program to obtain the identity token information and the timestamp information of the target user's login to the first application program. The first determination unit determines the second information interaction duration from the timestamp information and the current time information. The second determination unit determines that the verification result is that verification passed when the second information interaction duration meets a preset threshold and the identity token information is verified.
According to an embodiment of the present disclosure, the above apparatus further includes a sixth encryption module and a sending module.
The sixth encryption module, when the verification result is that verification passed, randomly generates a random number and a key factor, and encrypts the key factor with the public key of the second application program to obtain encrypted key factor data;
and the sending module sends the encrypted key factor data and the random number to the server side of the second application program.
A fifth aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described method.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above method.
According to the joint login method, device, equipment, medium and program product, the second application system acquires the identity token information of the first application program and encrypts it with the private key of the second application program to obtain digital signature information. When the server side of the first application program has verified the digital signature information, the second application system receives the encrypted key factor data sent by that server and decrypts it with the private key of the second application program to obtain the key factor. It then decrypts the encrypted attribute information of the target user with the key factor to obtain the decrypted attribute information, and finally, when the target user has access rights to the second application program, displays the access page of the second application program. Because the information exchanged between the first application program and the second application program is protected with a public key encryption algorithm, the second application program can obtain the attribute information of the target user from the first application program and determine whether the target user is authorized to log in to the second application program. The original login authentication flow of the second application program need not be modified, joint login between the first and second application programs is realized, the security between the jointly logged-in systems is improved, and the data processing load on the server is reduced.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of a federated login method, apparatus, device, medium, and program product in accordance with an embodiment of the present disclosure;
FIG. 2 schematically illustrates a server-side flowchart of a federated login method applied to a second application in accordance with an embodiment of the present disclosure;
FIG. 3 schematically illustrates a server-side flowchart of a federated login method applied to a first application in accordance with an embodiment of the present disclosure;
FIG. 4 schematically illustrates a schematic diagram of a federated login method, in accordance with an embodiment of the present disclosure;
FIG. 5 schematically illustrates a block diagram of a federated login device applied to the server of a second application in accordance with an embodiment of the present disclosure;
FIG. 6 schematically illustrates a block diagram of a federated login device applied to the server of a first application in accordance with an embodiment of the present disclosure; and
FIG. 7 schematically illustrates a block diagram of an electronic device adapted to implement a federated login method, in accordance with an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, they should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
In the technical solution of the present disclosure, the collection, storage, use, processing, transmission, provision, disclosure and application of the relevant data (including but not limited to personal information of users) all comply with the provisions of the relevant laws and regulations, necessary security measures are adopted, and public order and good morals are not violated.
The traditional approach to logging in to a third-party system adopts a unified login authentication scheme, which realizes unified authentication and login management for enterprise users by modifying modules such as user registration, authority management and login authentication. This scheme discards the original login flow, so that the unified authentication login system integrates all business systems to a high degree. It requires deep secondary development of each business system, and the enterprise's private system must be deployed, operated and maintained independently. As enterprises require more and more business systems and new business demands keep arising, the unified login authentication scheme leads to difficult development, maintenance and operation, a heavy workload on the server, congestion on the channel that receives verification information, low security and efficiency, and a poor user experience.
In view of this, an embodiment of the present disclosure provides a joint login method, which is applied to a server of a second application program and includes: acquiring identity token information of a first application program, where the identity token information is obtained by the server side of the first application program encrypting the login information with which a target user logged in to the first application program, in response to a selection operation performed on a page of the first application program on an identifier of the access page of the second application program; encrypting the identity token information with the private key of the second application program to obtain digital signature information; when the server side of the first application program has verified the digital signature information, receiving the encrypted key factor data sent by the server side of the first application program and decrypting it with the private key of the second application program to obtain the key factor; decrypting the encrypted attribute information of the target user with the key factor to obtain the decrypted attribute information of the target user; and, when the target user has access rights to the second application program, displaying the access page of the second application program.
Fig. 1 schematically illustrates an application scenario diagram of a federated login method, apparatus, device, medium, and program product according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a first application server 103, a first application database 104, a second application server 105, and a second application database 106.
The first application server 103 is configured to provide functional services such as user login, login authentication key distribution, login authentication callback, and second application portal.
The first application database 104 is configured to store information such as first application user information and a key.
The second application server 105 is configured to provide a function service such as a joint login access service, joint login authentication, user search, login success page, and the like.
The second application database 106 is used for storing second application user information, keys, and the like.
The user may access the first application server 103 using the first terminal device 101 or the second terminal device 102, and then access the second application server 105 through the joint login method provided by the embodiment of the present disclosure. The encrypted information generated by the interaction between the first application server 103 and the second application server 105 is stored in the first application database 104 and the second application database 106.
Various communication client applications may be installed on the first terminal device 101, the second terminal device 102, such as a knowledge reading class application, a web browser application, a search class application, an instant messaging tool, a mailbox client and/or social platform software, to name a few.
The first terminal device 101, the second terminal device 102 may be various electronic devices having a display screen and supporting web browsing, including but not limited to tablet computers, laptop computers, desktop computers, smartphones, and the like. The first application server 103 and the second application server 105 may be servers providing various services, such as a background management server (for example only) providing support for content browsed by the user using the first terminal device 101 and the second terminal device 102. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the joint login method provided in the embodiments of the present disclosure may generally be performed by the first application server 103 and the second application server 105. Accordingly, the joint login apparatus provided by the embodiments of the present disclosure may generally be located in the first application server 103 and the second application server 105. The joint login method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the first application server 103 and the second application server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, and/or the first application server 103 and the second application server 105. Accordingly, the joint login apparatus provided by the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the first application server 103 and the second application server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, and/or the first application server 103 and the second application server 105.
For example, when a user logs in to the first application, the first terminal device 101 and the second terminal device 102 may access the first application server 103, then access the second application server 105 carrying the information of the first application, and the second application server 105 processes the information content. The encrypted information of the interaction process between the first application server 103 and the second application server 105 is saved in the first application database and the second application database.
It should be understood that the number of first terminal devices, second terminal devices, servers and databases in fig. 1 is merely illustrative. There may be any number of terminal devices, databases and servers as practical.
The joint login method of the disclosed embodiment will be described in detail below with reference to fig. 2 to 6 based on the scenario described in fig. 1.
Fig. 2 schematically illustrates a flowchart of a federated login method applied to a server of a second application in accordance with an embodiment of the present disclosure.
As shown in fig. 2, the joint login method of this embodiment is applied to the server side of the second application program, and includes operations S210 to S250.
In operation S210, identity token information of a first application is acquired.
In operation S220, the identity token information is encrypted using the private key of the second application program, to obtain digital signature information.
In operation S230, in the case that the digital signature information is verified by the server of the first application, the encryption key factor data sent by the server of the first application is received, and the encryption key factor data is decrypted by using the private key of the second application, so as to obtain the key factor.
In operation S240, the encrypted attribute information of the target user is decrypted using the key factor, to obtain the decrypted attribute information of the target user.
In operation S250, in case that the target user has access right to the second application, an access page of the second application is presented.
According to the embodiment of the disclosure, the identity token information is obtained by the server side of the first application program encrypting the login information with which the target user logged in to the first application program, in response to a selection operation performed, on a page of the first application program, on an identifier of the access page of the second application program.
According to an embodiment of the present disclosure, the digital signature information refers to digital signature data generated by the second application signing, with its private key, data such as the domain name of the first application, the identification of the first application, a timestamp, and the like.
According to an embodiment of the present disclosure, the encrypted key factor data refers to the key factor encrypted with the public key of the second application.
According to an embodiment of the present disclosure, the attribute information of the target user includes a user identification, a certificate type, a certificate number, and the like. For example: the user identification may be an enterprise a, the credential type may be a work card, and the credential number may be 9301.
According to an embodiment of the present disclosure, the first application and the second application both generate asymmetric keys, and both exchange public keys.
For example: the first application generates an asymmetric key pair of public key 1 and private key 1, and the second application generates an asymmetric key pair of public key 2 and private key 2. The two parties exchange public keys, namely public key 1 is handed to the second application server for storage, private key 1 is stored by the first application server, public key 2 is handed to the first application server for storage, and private key 2 is stored by the second application server. According to an embodiment of the present disclosure, the first application may exchange a public key not only with the second application but also with the third application or the fourth application, etc. I.e. multiple applications can be logged in jointly by the first application.
According to the embodiment of the disclosure, after the second application server obtains the identity token information of the first application, it encrypts the contents of the identity token information (the domain name of the first application, the first application identifier, the timestamp, and the like) with private key 2 of the second application to generate the digital signature information.
According to the embodiment of the disclosure, in the case that the server side of the first application program passes verification of the digital signature information, the encrypted key factor data sent by the server side of the first application program, which was encrypted with public key 2, is received, and the second application server decrypts the encrypted key factor data with private key 2 to obtain the key factor.
According to the embodiment of the disclosure, the random number sent by the first application server is used to query the database for the corresponding key factor, and the key factor is used to decrypt the encrypted attribute information of the target user, obtaining the decrypted attribute information of the target user.
According to the joint login method, device, equipment, medium and program product provided by the disclosure, the second application system acquires the identity token information of the first application program and encrypts it with the private key of the second application program to obtain digital signature information. In the case that the server side of the first application program passes verification of the digital signature information, it receives the encrypted key factor data sent by the server side of the first application program and decrypts it with the private key of the second application program to obtain the key factor. It then decrypts the encrypted attribute information of the target user with the key factor to obtain the decrypted attribute information of the target user. Finally, in the case that the target user has access rights to the second application program, it displays the access page of the second application program. Because the information interaction between the first application program and the second application program is carried out through a public key encryption algorithm, the second application program can obtain the attribute information of the target user from the first application program and determine whether the target user has the authority to log in to the second application program. The original login authentication flow of the second application program does not need to be modified, joint login of the first application program and the second application program is realized, the security between the jointly logged-in systems is improved, and the data processing load of the server is reduced.
According to an embodiment of the present disclosure, encrypting the identity token information by using a private key of the second application program to obtain digital signature information includes:
decrypting the identity token information to obtain domain name information of the first application program, identification information of the first application program, and timestamp information of the target user logging in to the first application program; and encrypting the domain name information of the first application program, the identification information of the first application program, and the timestamp information of the target user logging in to the first application program with the private key of the second application program to obtain digital signature information.
According to the embodiment of the disclosure, the second application server decrypts the identity token information of the first application to obtain the domain name of the first application, the first application identifier, and the timestamp information of the target user logging in to the first application. For example: the identity token of the first application is encrypted with private key 1 of the first application, so the second application server decrypts it with public key 1 of the first application. The domain name information of the first application program, the identification information of the first application program, and the timestamp information of the target user logging in to the first application program are then encrypted with private key 2 of the second application program to obtain the digital signature information. According to the embodiment of the disclosure, because the first application program and the second application program have exchanged asymmetric keys, the interaction between the application programs is more convenient and more secure.
According to an embodiment of the present disclosure, decrypting the encrypted attribute information of the target user using the key factor to obtain the decrypted attribute information of the target user includes:
verifying the encrypted attribute information of the target user with the public key of the first application program to obtain a verification result; and, in the case that the verification result is that verification is passed, decrypting the encrypted attribute information of the target user with the key factor to obtain the attribute information of the target user.
According to an embodiment of the present disclosure, the second application server verifies the signature data using public key 1 of the first application. For example: the verification condition is that the first information interaction duration between the first application program and the second application program is within a 5-minute validity period. If the first information interaction duration between the first application program and the second application program is within the 5-minute validity period, verification passes, the random number is used to query the database for the key factor, and the key factor is used to decrypt the encrypted attribute information of the target user to obtain the attribute information of the target user.
According to the embodiment of the disclosure, because the attribute information of the user is encrypted with the key factor, it is not leaked when logging in to the second application program.
According to an embodiment of the present disclosure, verifying, with a public key of a first application, attribute information of an encrypted target user to obtain a verification result includes:
decrypting the encrypted attribute information of the target user with the public key of the first application program to obtain the attribute information of the target user and the timestamp information of the target user logging in to the first application program; determining the first information interaction duration according to the timestamp information and the current time information; and, in the case that the first information interaction duration meets a preset threshold and the attribute information of the target user is verified, determining that the verification result is that verification is passed.
According to the embodiment of the disclosure, the second application server uses public key 1 of the first application to decrypt the encrypted attribute information of the target user, obtaining the attribute information of the target user and the timestamp information of the target user logging in to the first application. For example: the timestamp information is Beijing time 8:35 and the current time is Beijing time 8:40, so the first information interaction duration is 1 minute. Since 1 minute satisfies the preset threshold of 5 minutes, verification passes and the verification result is determined as verification passed. Otherwise, when the duration does not meet the 5-minute preset threshold, the verification result is determined as verification not passed. According to the embodiment of the disclosure, information interaction between the first application program and the second application program is performed through a public key encryption algorithm, and verification is performed using the first information interaction duration between the programs, so that joint login of the first application program and the second application program is realized and the timeliness of the joint login can be improved.
According to an embodiment of the present disclosure, the above method further includes:
decrypting the encrypted key factor data with the private key of the second application program to obtain the key factor and the random number; storing the random number and the key factor in association with each other; and receiving the random number sent by the server of the first application program and determining the key factor according to the random number.
According to the embodiment of the disclosure, the encryption key factor data is decrypted by using the private key 2 of the second application program to obtain the key factor and the random number. For example: the key factor is a key factor a and the random number is a random number a1. The random number a1 and the key factor a are stored in association.
For example: the association relationship may be a mapping relationship. Then the mapping of the random number a1 is the key factor a. The subsequent second application server receives the random number a1 sent by the server of the first application, and determines that the key factor is the key factor a according to the fact that the mapping of the random number a1 is the key factor a.
According to the embodiment of the disclosure, the second application program can query the key factor according to the random number by storing the random number and the key factor in an associated mode, so that the security of data transmission is improved.
Fig. 3 schematically illustrates a flowchart of a federated login method applied to a server of a first application in accordance with an embodiment of the present disclosure.
As shown in fig. 3, the joint login method of the embodiment is applied to a server side of a first application program, and includes operations S310 to S340.
In operation S310, in response to a selection operation performed on the page of the first application program for identifying the access page of the second application program, the login information of the target user for logging in the first application program is encrypted to obtain identity token information, and the identity token information is sent to the server side of the second application program.
In operation S320, the digital signature information obtained by the server of the second application program by encrypting the identity token information with the private key of the second application program is received, and the digital signature information is verified with the public key of the second application program, so as to obtain a verification result.
In operation S330, if the verification result is that the verification is passed, the randomly generated key factor is encrypted by using the public key of the second application program to obtain encrypted key factor data, and the encrypted key factor data is sent to the server of the second application program.
In operation S340, the attribute information of the target user is encrypted by using the key factor, and the encrypted attribute information of the target user is generated; and sending the encrypted attribute information of the target user to the server side of the second application program.
According to an embodiment of the present disclosure, login information when the target user logs in to the first application program includes login time, IP address, browsing information, and the like. The first application program server side encrypts login information by using a private key 1 of the first application program to obtain an identity token, and sends the identity token information to the second application program server side.
According to the embodiment of the disclosure, the first application server receives digital signature information obtained by encrypting the identity token information by the server of the second application by using the private key 2 of the second application. And then the first application program server verifies the digital signature information by using the public key 2 of the second application program to obtain a verification result.
According to the embodiment of the disclosure, under the condition that verification is passed, the first application server encrypts the randomly generated key factor by using the public key 2 of the second application to obtain encrypted key factor data, and then the first application server sends the encrypted key factor data to the second application server.
According to the embodiment of the disclosure, the first application program server encrypts the attribute information of the target user, in JSON format, with the key factor to generate the encrypted attribute information of the target user. The user data is in JSON format and can be customized according to the requirements of the second application program. The server side of the first application program then sends the encrypted attribute information of the target user to the server side of the second application program.
According to the embodiment of the disclosure, since information interaction is performed between the first application program and the second application program through the public key encryption algorithm, the second application program can obtain the attribute information of the target user from the first application program so as to determine whether the target user has the authority to log in the second application program. The original login authentication flow of the second application program is not required to be modified, the joint login of the first application program and the second application program can be realized, the safety between joint login systems is improved, and the data processing capacity of the server is reduced.
According to an embodiment of the present disclosure, verifying the digital signature information by using the public key of the second application program, to obtain a verification result, includes:
decrypting the digital signature information with the public key of the second application program to obtain the identity token information and the timestamp information of the target user logging in to the first application program; determining a second information interaction duration according to the timestamp information and the current time information; and, in the case that the second information interaction duration meets a preset threshold and the identity token information is verified, determining that the verification result is that verification is passed.
According to the embodiment of the disclosure, the first application server decrypts the digital signature information by using the public key 2 of the second application to obtain the identity token information and the timestamp information of the target user logging in the first application.
For example: the preset threshold duration is 5 minutes, and verification passes when the second information interaction duration is less than 5 minutes. If the timestamp information of the target user logging in to the first application program is Beijing time 10:00 and the current time is Beijing time 10:03, the second information interaction duration is 3 minutes, which is less than 5 minutes, and the verification result is that verification is passed.
According to the embodiment of the disclosure, when verifying the digital signature information, the time stamp verification process is added, so that timeliness of information transmission can be ensured.
According to an embodiment of the present disclosure, the above method further includes:
in the case that the verification result is that verification is passed, randomly generating a random number and a key factor, and encrypting the randomly generated key factor with the public key of the second application program to obtain encrypted key factor data; and sending the encrypted key factor data and the random number to the server of the second application program.
According to the embodiment of the disclosure, the first application server randomly generates a key factor and a random number when the digital signature information is verified by using the public key 2 of the second application. The first application program server side encrypts the key factor by using the public key 2 of the second application program to obtain encrypted key factor data. And then the first application program server side sends the encryption key factor data and the random number to the second application program server side.
According to the embodiment of the disclosure, the random number is added in the data transmission process, so that the security of the data transmission can be improved.
Fig. 4 schematically illustrates a schematic diagram of a federated login method, in accordance with an embodiment of the present disclosure.
As shown in fig. 4, the schematic diagram of the joint login method of this embodiment includes steps S401 to S415.
In step 401, a user logs in to the first application program with elements such as a user name and a password; when accessing the second application program, the user accesses the access address of the second application program carrying the identity token information of the first application program.
In step 402, the data "first application domain name|first application identifier|timestamp" is signed with the second application private key to generate the digital signature information.
In step 403, the second application calls back the login authentication key distribution address of the first application, with upload parameters including: the first application identification, the digital signature information, the timestamp, and the identity token.
At step 404, the first application verifies the digital signature information using the second application public key, verifies the identity token, and verifies whether the timestamp is within 5 minutes of validity.
In step 405, after verification passes, a random number and a key factor are generated, and the key factor is encrypted using the second application public key.
At step 406, the random number, the encrypted key factor data, the identity token are returned to the second application.
In step 407, the second application decrypts the encrypted key factor data using the second application private key to obtain the key factor. And storing the random number and the key factor into a database of the second application program.
In step 408, the second application initiates a request to the first application login authentication callback address, uploading parameters: a first application identification, digital signature information, a timestamp, an identity token, a random number, a second application redirection address.
At step 409, the digital signature information is verified using the second application public key, verifying the identity token, verifying whether the timestamp is within 5 minutes of validity.
In step 410, after verification passes, the first application uses the key factor to encrypt the JSON-formatted user data (the user identification, the certificate type, the certificate number, and the like) to obtain the encrypted attribute information of the target user.
In step 411, the attribute information of the target user is signed using the first application private key, generating digital signature information.
In step 412, the first application calls back the redirection address of the second application, with upload parameters including: the attribute information of the target user, the digital signature information, the timestamp, and the random number.
In step 413, the second application verifies the digital signature information using the first application public key, verifying if the timestamp is within 5 minutes of validity.
In step 414, after verification passes, the key factor is obtained by querying the database with the random number, and the attribute information of the target user is decrypted with the key factor to obtain the user information.
In step 415, the user information is looked up and redirected to the second application login success page.
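The exchange of Fig. 4, from the signed "domain|identifier|timestamp" message of step 402 through the key factor delivery of steps 405 to 407 and the decryption of the user data in step 414, written out as an added Go example that is not part of the patent. Each application holds its own RSA key pair and the peer's exchanged public key, every signed message is rejected outside the 5-minute window, the key factor travels RSA-OAEP-encrypted and is kept in a random-number-to-key-factor table, and the user data is encrypted with it under AES-256-GCM; the concrete algorithms (RSA-2048 with PKCS#1 v1.5 signatures, OAEP, GCM) and all names are assumptions, since the patent specifies none.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
	"time"
)

// MaxSkew is the 5-minute validity period the patent applies to every timestamped message.
const MaxSkew = 5 * time.Minute

// App is one application server (first or second) after the public-key exchange.
type App struct {
	priv    *rsa.PrivateKey
	PeerPub *rsa.PublicKey    // the other application's public key, exchanged beforehand
	factors map[string][]byte // second app only: random number -> key factor (step 407)
}

// check unwraps (value, error) pairs whose failure would be a programming or entropy error.
func check[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand aborts the process instead of returning an error
	return b
}

// Pair creates both applications and performs the public-key exchange described in the text.
func Pair() (first, second *App) {
	k1, k2 := check(rsa.GenerateKey(rand.Reader, 2048)), check(rsa.GenerateKey(rand.Reader, 2048))
	return &App{k1, &k2.PublicKey, nil}, &App{k2, &k1.PublicKey, map[string][]byte{}}
}

// digest hashes "field1|field2|...|timestamp", the layout of the signed data in step 402.
func digest(ts time.Time, fields []string) []byte {
	h := sha256.Sum256([]byte(strings.Join(append(fields[:len(fields):len(fields)], ts.UTC().Format(time.RFC3339)), "|")))
	return h[:]
}

// Sign produces the digital signature information with this app's private key (steps 402, 411).
func (a *App) Sign(ts time.Time, fields ...string) []byte {
	return check(rsa.SignPKCS1v15(rand.Reader, a.priv, crypto.SHA256, digest(ts, fields)))
}

// Verify checks the peer's signature and rejects timestamps outside the window (steps 404, 409, 413).
func (a *App) Verify(sig []byte, ts, now time.Time, fields ...string) error {
	if d := now.Sub(ts); d < 0 || d > MaxSkew {
		return errors.New("timestamp outside the 5-minute validity period")
	}
	return rsa.VerifyPKCS1v15(a.PeerPub, crypto.SHA256, digest(ts, fields), sig)
}

// IssueKeyFactor (first app, step 405) generates the random number and the key factor and
// encrypts the factor for the second application with RSA-OAEP under its public key.
func (a *App) IssueKeyFactor() (nonce string, factor, encFactor []byte) {
	nonce, factor = hex.EncodeToString(randBytes(16)), randBytes(32)
	return nonce, factor, check(rsa.EncryptOAEP(sha256.New(), rand.Reader, a.PeerPub, factor, nil))
}

// StoreKeyFactor (second app, step 407) decrypts the key factor and maps it to the random number.
func (a *App) StoreKeyFactor(nonce string, encFactor []byte) error {
	factor, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, encFactor, nil)
	if err == nil {
		a.factors[nonce] = factor
	}
	return err
}

func aead(factor []byte) cipher.AEAD {
	return check(cipher.NewGCM(check(aes.NewCipher(factor))))
}

// Seal (first app, step 410) encrypts the JSON user data with the key factor using AES-256-GCM.
func Seal(factor, userData []byte) []byte {
	g := aead(factor)
	iv := randBytes(g.NonceSize())
	return g.Seal(iv, iv, userData, nil)
}

// Open (second app, step 414) looks up the key factor by the random number and decrypts.
func (a *App) Open(nonce string, ct []byte) ([]byte, error) {
	factor, ok := a.factors[nonce]
	if !ok || len(ct) < 12 {
		return nil, errors.New("unknown random number or malformed ciphertext")
	}
	g := aead(factor)
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
```

A full run calls `Pair`, then `Sign`/`Verify` for steps 402 to 404, `IssueKeyFactor` followed by `StoreKeyFactor`, `Seal`, `Sign`/`Verify` over the hex ciphertext and the random number (steps 411 to 413), and finally `Open`; a stale timestamp, an altered field, an unknown random number and a modified ciphertext are all rejected.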
According to an embodiment of the present disclosure, the json format is a form of data in pure strings that does not itself provide any means for transmission in a network.
Based on the joint login method, the disclosure also provides a joint login device. The device will be described in detail below in connection with fig. 5 and 6.
Fig. 5 schematically illustrates a block diagram of the structure of the server device of the second application to which the federated login method is applied, according to an embodiment of the present disclosure.
As shown in fig. 5, the server device 500 of the embodiment of the joint login method applied to the second application program includes an acquisition module 510, a first encryption module 520, a first decryption module 530, a second decryption module 540, and a presentation module 550.
The obtaining module 510 is configured to obtain identity token information of the first application program. The identity token information is obtained by the server side of the first application program encrypting the login information with which the target user logged in to the first application program, in response to a selection operation performed, on a page of the first application program, on an identifier of the access page of the second application program. In an embodiment, the obtaining module 510 may be configured to perform the operation S210 described above, which is not described herein.
The first encryption module 520 is configured to encrypt the identity token information by using the private key of the second application program, so as to obtain digital signature information. In an embodiment, the first encryption module 520 may be used to perform the operation S220 described above, which is not described herein.
The first decryption module 530 is configured to receive the encryption key factor data sent by the server of the first application program when the server of the first application program verifies the digital signature information, and decrypt the encryption key factor data by using the private key of the second application program to obtain a key factor. In an embodiment, the first decryption module 530 may be used to perform the operation S230 described above, which is not described herein.
The second decryption module 540 is configured to decrypt the encrypted attribute information of the target user by using the key factor, to obtain the decrypted attribute information of the target user. In an embodiment, the second decryption module 540 may be used to perform the operation S240 described above, which is not described herein.
The presentation module 550 is configured to present the access page of the second application program if the target user has access rights to the second application program. In an embodiment, the presentation module 550 may be configured to perform the operation S250 described above, which is not described herein.
According to an embodiment of the present disclosure, the first encryption module includes a first decryption unit and an encryption unit. The first decryption unit is used for decrypting the identity token information to obtain domain name information of the first application program, identification information of the first application program and timestamp information of a target user logging in the first application program. The encryption unit is used for encrypting the domain name information of the first application program, the identification information of the first application program and the timestamp information of the target user logging in the first application program by utilizing the private key of the second application program to obtain digital signature information.
According to an embodiment of the present disclosure, the first verification unit comprises a decryption subunit, a first determination subunit, and a second determination subunit. And the decryption subunit decrypts the encrypted attribute information of the target user by using the public key of the first application program to obtain the attribute information of the target user and the timestamp information of the target user logging in the first application program. And the first determining subunit is used for determining the first information interaction duration according to the timestamp information and the current time information. And the second determining subunit is used for determining that the verification result is verification passing under the condition that the first information interaction duration meets a preset threshold value and the attribute information of the target user is verified.
According to an embodiment of the present disclosure, the above apparatus further includes a third decryption module, an association storage module and a determination module. The third decryption module is used for decrypting the encrypted key factor data by using the private key of the second application program to obtain the key factor and the random number. The association storage module is used for storing the random number and the key factor in association with each other. The determination module is used for receiving the random number sent by the server of the first application program and determining the key factor according to that random number.
Fig. 6 schematically illustrates a block diagram of a structure of a server device to which a federated login method according to an embodiment of the present disclosure is applied to a first application.
As shown in fig. 6, the server device 600 of the embodiment of the joint login method applied to the first application program includes a second encryption module 610, a third encryption module 620, a fourth encryption module 630, and a fifth encryption module 640.
The second encryption module 610 is configured to perform encryption processing on login information of the target user for logging in the first application program to obtain identity token information in response to a selection operation performed on the page of the first application program and on the identifier of the access page of the second application program, and send the identity token information to the server side of the second application program. In an embodiment, the second encryption module 610 may be used to perform the operation S310 described above, which is not described herein.
The third encryption module 620 is configured to receive digital signature information obtained by encrypting the identity token information by using a private key of the second application program, and verify the digital signature information by using a public key of the second application program, so as to obtain a verification result. In an embodiment, the third encryption module 620 may be used to perform the operation S320 described above, which is not described herein.
The fourth encryption module 630 is configured to encrypt the randomly generated key factor with the public key of the second application program to obtain encrypted key factor data, and to send the encrypted key factor data to the server of the second application program when the verification result is that verification has passed. In an embodiment, the fourth encryption module 630 may be used to perform operation S330 described above, which is not repeated here.
The fifth encryption module 640 is configured to encrypt the attribute information of the target user using the key factor to generate encrypted attribute information of the target user, and to send the encrypted attribute information of the target user to the server side of the second application program. In an embodiment, the fifth encryption module 640 may be used to perform operation S340 described above, which is not repeated here.
According to an embodiment of the present disclosure, the third encryption module includes a third decryption unit, a first determination unit, and a second determination unit. The third decryption unit is used for decrypting the digital signature information by using the public key of the second application program to obtain the identity token information and the timestamp information of the target user logging in the first application program. The first determination unit is used for determining the second information interaction duration according to the timestamp information and the current time information. The second determination unit is used for determining that the verification result is that verification has passed when the second information interaction duration meets a preset threshold value and the identity token information is verified.
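As an added illustration of the units described above for the first encryption module (second application side) and the third encryption module (first application side), the following Go program models the identity token exchange; it is example code, not the patent's own implementation. The patent's "encrypt with the private key" step is realised as an RSA-PSS signature, the token is carried to the second application's server under RSA-OAEP, and the "preset threshold" on the information interaction duration is an assumed five minutes; the key-factor and attribute stages are left out here, and the domain, application identifier and key size are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// maxSkew stands in for the "preset threshold" on the information interaction
// duration; five minutes is an assumed value, not one the patent gives.
const maxSkew = 5 * time.Minute

// Token is what the identity token decrypts to under claim 2.
type Token struct {
	Domain string `json:"domain"`
	AppID  string `json:"app_id"`
	TS     int64  `json:"ts"` // when the target user logged in to app1 (Unix seconds)
}

// Signed is a payload plus an RSA-PSS signature over it: the patent's
// "encrypt with the private key to obtain digital signature information".
type Signed struct{ Payload, Sig []byte }

// NewKeyPair generates one party's key pair (RSA-2048 is an assumed parameter).
func NewKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// fresh is the interaction-duration check: the embedded timestamp must lie
// within maxSkew of the verifier's clock, in either direction.
func fresh(ts int64, now time.Time) bool {
	d := now.Sub(time.Unix(ts, 0))
	return d >= -maxSkew && d <= maxSkew
}

// App1IssueToken (operation S310): app1 wraps the login information into a
// token that only app2's private key can open (RSA-OAEP).
func App1IssueToken(app2 *rsa.PublicKey, t Token) ([]byte, error) {
	pt, _ := json.Marshal(t)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, app2, pt, nil)
}

// App2SignToken (claim 2): app2 decrypts the token and signs its contents.
func App2SignToken(app2 *rsa.PrivateKey, tokCT []byte) (Signed, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, app2, tokCT, nil)
	if err != nil {
		return Signed{}, err
	}
	h := sha256.Sum256(pt)
	sig, err := rsa.SignPSS(rand.Reader, app2, crypto.SHA256, h[:], nil)
	return Signed{pt, sig}, err
}

// App1Verify (claim 7): app1 checks app2's signature, that the signed token is
// exactly the one it issued, and that the interaction duration is within the
// threshold. Only when all three hold does app1 go on to send the key factor.
func App1Verify(app2 *rsa.PublicKey, s Signed, issued Token, now time.Time) error {
	h := sha256.Sum256(s.Payload)
	if rsa.VerifyPSS(app2, crypto.SHA256, h[:], s.Sig, nil) != nil {
		return errors.New("app1: bad signature on identity token")
	}
	var echo Token
	if json.Unmarshal(s.Payload, &echo) != nil || echo != issued {
		return errors.New("app1: signed token does not match the one issued")
	}
	if !fresh(echo.TS, now) {
		return errors.New("app1: interaction duration exceeds threshold")
	}
	return nil
}

func main() {
	app2 := NewKeyPair() // app2's key pair; app1 holds only the public half
	now := time.Now()
	issued := Token{Domain: "app1.example", AppID: "app1", TS: now.Unix()}
	ct, _ := App1IssueToken(&app2.PublicKey, issued)
	signed, _ := App2SignToken(app2, ct)
	fmt.Println("live:  ", App1Verify(&app2.PublicKey, signed, issued, now))
	fmt.Println("replay:", App1Verify(&app2.PublicKey, signed, issued, now.Add(time.Hour)))
}
```

The second verification call replays the same signed message an hour later and is rejected by the duration check alone, which is the replay protection the timestamp provides.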
According to an embodiment of the present disclosure, the above apparatus further includes a sixth encryption module and a sending module. The sixth encryption module is used for randomly generating a random number and a key factor when the verification result is that verification has passed, and for encrypting the key factor by using the public key of the second application program to obtain encrypted key factor data. The sending module is used for sending the encrypted key factor data and the random number to the server side of the second application program.
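As an added example (not code from the patent) of the sixth encryption module and sending module above, together with the third decryption module, association storage module and determination module on the second application side, this Go code shows the key factor being generated alongside a random number, carried under RSA-OAEP, stored by the second application's server against the random number, and later looked up by that random number to decrypt AES-GCM-protected attributes. The 16-byte random number, 32-byte key factor and RSA-2048 key size are assumed parameters.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// App2 holds the second application's private key and its random-number to key-factor table.
type App2 struct {
	Key   *rsa.PrivateKey
	Store map[string][]byte
}

// NewApp2 generates app2's key pair (RSA-2048 is an assumed parameter).
func NewApp2() *App2 {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &App2{Key: k, Store: map[string][]byte{}}
}

// App1NewKeyFactor (sixth encryption module, claim 8): app1 draws a random number and a
// key factor, encrypts the key factor to app2's public key (RSA-OAEP) and returns the key
// factor it keeps plus the two values it sends: the random number in the clear (it names
// the key factor, it does not protect it) and the ciphertext.
func App1NewKeyFactor(app2 *rsa.PublicKey) ([]byte, string, []byte, error) {
	buf := make([]byte, 48) // 16-byte random number || 32-byte key factor
	if _, err := rand.Read(buf); err != nil {
		return nil, "", nil, err
	}
	encKF, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, app2, buf[16:], nil)
	return buf[16:], hex.EncodeToString(buf[:16]), encKF, err
}

// Receive (third decryption and association storage modules): recover the key factor
// with app2's private key and file it under the random number; a number that is already
// bound is refused rather than silently overwritten.
func (a *App2) Receive(rn string, encKF []byte) error {
	kf, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.Key, encKF, nil)
	if err != nil {
		return err
	}
	if _, dup := a.Store[rn]; dup {
		return errors.New("app2: random number already bound to a key factor")
	}
	a.Store[rn] = kf
	return nil
}

// EncryptAttrs (fifth encryption module): AES-GCM under the key factor, nonce prefixed.
func EncryptAttrs(kf, attrs []byte) ([]byte, error) {
	aead, err := newGCM(kf)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, attrs, nil), nil
}

// DecryptAttrs (determination and second decryption modules): app2 looks the key factor
// up by the random number sent with the message, then opens the ciphertext; the GCM tag
// rejects any tampering with it.
func (a *App2) DecryptAttrs(rn string, ct []byte) ([]byte, error) {
	kf, ok := a.Store[rn]
	if !ok {
		return nil, errors.New("app2: unknown random number")
	}
	aead, err := newGCM(kf)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(ct) >= n {
		return aead.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("app2: ciphertext too short")
}

func newGCM(kf []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(kf)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}
```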
Fig. 7 schematically illustrates a block diagram of an electronic device adapted to implement a federated login method, in accordance with an embodiment of the present disclosure.
As shown in fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing different actions of the method flows according to embodiments of the disclosure.
In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other through a bus 704. The processor 701 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. Note that the program may be stored in one or more memories other than the ROM 702 and the RAM 703. The processor 701 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 700 may further include an input/output (I/O) interface 705, which is also connected to the bus 704. The electronic device 700 may also include one or more of the following components connected to the input/output (I/O) interface 705: an input section 706 including a keyboard, a mouse, and the like; an output section 707 including a cathode ray tube (CRT), a liquid crystal display (LCD), a speaker, and the like; a storage section 708 including a hard disk or the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the Internet. A drive 710 is also connected to the input/output (I/O) interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read from it is installed into the storage section 708 as necessary.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 702 and/or RAM 703 and/or one or more memories other than ROM 702 and RAM 703 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to implement the item recommendation method provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 701. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed over a network medium in the form of signals, downloaded and installed via the communication section 709, and/or installed from the removable medium 711. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 709, and/or installed from the removable medium 711. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 701. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations, even if such combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined without departing from the spirit and teachings of the present disclosure. All such combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (13)

1. A joint login method, applied to a server side of a second application program, comprising:
acquiring identity token information of the first application program, wherein the identity token information is obtained by performing encryption processing on login information of a target user for logging in the first application program by utilizing a server side of the first application program in response to a selection operation performed on an identification of an access page of a second application program on a page of the first application program;
encrypting the identity token information by using a private key of a second application program to obtain digital signature information;
under the condition that the server side of the first application program verifies the digital signature information, receiving encryption key factor data sent by the server side of the first application program, and decrypting the encryption key factor data by utilizing a private key of the second application program to obtain a key factor;
decrypting the encrypted attribute information of the target user by using the key factor to obtain the decrypted attribute information of the target user;
and under the condition that the target user has access rights to the second application program, displaying an access page of the second application program.
2. The method of claim 1, wherein the encrypting the identity token information with the private key of the second application to obtain digital signature information comprises:
decrypting the identity token information to obtain domain name information of the first application program, identification information of the first application program and timestamp information of the target user logging in the first application program;
and encrypting domain name information of the first application program, identification information of the first application program and timestamp information of the target user logging in the first application program by using a private key of the second application program to obtain the digital signature information.
3. The method of claim 1, wherein the decrypting the encrypted attribute information of the target user using the key factor to obtain the decrypted attribute information of the target user includes:
verifying the encrypted attribute information of the target user by using a public key of the first application program to obtain a verification result;
and under the condition that the verification result is that verification is passed, decrypting the encrypted attribute information of the target user by using the key factor to obtain the attribute information of the target user.
4. The method of claim 3, wherein verifying the encrypted attribute information of the target user with the public key of the first application to obtain the verification result includes:
decrypting the encrypted attribute information of the target user by using the public key of the first application program to obtain the attribute information of the target user and the timestamp information of the target user logging in the first application program;
determining a first information interaction duration according to the timestamp information and the current time information;
and under the condition that the first information interaction duration meets a preset threshold value and the attribute information of the target user is verified, determining that the verification result is verification passing.
5. The method of claim 1, further comprising:
decrypting the encrypted key factor data by using the private key of the second application program to obtain the key factor and a random number;
storing the random number and the key factor in an associated manner;
and receiving a random number sent by the server of the first application program, and determining the key factor according to the random number.
6. A joint login method, applied to a server side of a first application program, comprising:
in response to a selection operation, performed on a page of the first application program, on an identification of an access page of a second application program, encrypting login information of a target user for logging in the first application program to obtain identity token information, and sending the identity token information to a server side of the second application program;
receiving digital signature information obtained by encrypting the identity token information by a server of the second application program by using a private key of the second application program, and verifying the digital signature information by using a public key of the second application program to obtain a verification result;
when the verification result is that verification is passed, the public key of the second application program is utilized to encrypt the randomly generated key factor, so as to obtain encrypted key factor data, and the encrypted key factor data is sent to the server side of the second application program;
encrypting the attribute information of the target user by using the key factor to generate the encrypted attribute information of the target user; and sending the encrypted attribute information of the target user to the server side of the second application program.
7. The method of claim 6, wherein verifying the digital signature information using the public key of the second application to obtain a verification result comprises:
decrypting the digital signature information by using the public key of the second application program to obtain the identity token information and the timestamp information of the target user logging in the first application program;
determining a second information interaction duration according to the timestamp information and the current time information;
and under the condition that the second information interaction time length meets a preset threshold value and the identity token information is verified, determining that the verification result is verification passing.
8. The method of claim 1, further comprising:
under the condition that the verification result is that verification is passed, randomly generating a random number and a key factor, and encrypting the key factor by using a public key of the second application program to obtain encrypted key factor data;
and sending the encrypted key factor data and the random number to the server side of the second application program.
9. A federated login device for a server of a second application, comprising:
an acquisition module, used for acquiring identity token information of the first application program, wherein the identity token information is obtained by performing encryption processing on login information of a target user for logging in the first application program by a server side of the first application program in response to a selection operation, performed on a page of the first application program, on an identification of an access page of the second application program;
the first encryption module is used for encrypting the identity token information by using a private key of the second application program to obtain digital signature information;
the first decryption module is used for receiving the encryption key factor data sent by the server of the first application program and decrypting the encryption key factor data by utilizing the private key of the second application program under the condition that the server of the first application program verifies the digital signature information, so as to obtain a key factor;
the second decryption module is used for decrypting the encrypted attribute information of the target user by utilizing the key factor to obtain the decrypted attribute information of the target user;
and a display module, used for displaying the access page of the second application program under the condition that the target user has the access right to the second application program.
10. A federated login device applied to a server of a first application, comprising:
the second encryption module is used for, in response to a selection operation performed on the page of the first application program on an identification of the access page of the second application program, performing encryption processing on login information of a target user for logging in the first application program to obtain identity token information, and sending the identity token information to a server side of the second application program;
the third encryption module is used for receiving digital signature information obtained by encrypting the identity token information by the server side of the second application program by utilizing the private key of the second application program, and verifying the digital signature information by utilizing the public key of the second application program to obtain a verification result;
the fourth encryption module is used for encrypting the randomly generated key factor by using the public key of the second application program to obtain encrypted key factor data, and sending the encrypted key factor data to the server side of the second application program when the verification result is that verification has passed;
a fifth encryption module, configured to encrypt attribute information of the target user using the key factor to generate encrypted attribute information of the target user, and to send the encrypted attribute information of the target user to the server side of the second application program.
11. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-5 or 6-8.
12. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-5 or 6-8.
13. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 5 or 6 to 8.
Application Number Priority Date Filing Date Title Status Publication
CN202310370873.0A 2023-04-07 2023-04-07 Combined login method, device, equipment and storage medium Pending CN116346486A (en)

Publications (1)

Publication Number Publication Date
CN116346486A true CN116346486A (en) 2023-06-27

Family

ID=86882270



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination