CN116582298A - Cross-domain login method, server and readable storage medium - Google Patents


Info

Publication number
CN116582298A
Authority
CN
China
Prior art keywords
domain name
name service
login
user
service
Legal status
Pending
Application number
CN202310380294.4A
Other languages
Chinese (zh)
Inventor
张建禹
冯时
黄诗强
沈鹏
Current Assignee
Beijing Shuidi Technology Group Co ltd
Original Assignee
Beijing Shuidi Technology Group Co ltd
Events
Application filed by Beijing Shuidi Technology Group Co ltd
Priority to CN202310380294.4A
Publication of CN116582298A

Classifications

    • H04L63/0815: Network architectures or network communication protocols for network security, for authentication of entities, providing single-sign-on or federations
    • H04L61/4511: Network directories; name-to-address mapping using standardised directories or standardised directory access protocols, using the domain name system [DNS]
    • H04L63/0807: Network architectures or network communication protocols for network security, for authentication of entities, using tickets, e.g. Kerberos
    • H04L63/0876: Network architectures or network communication protocols for network security, for authentication of entities, based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application provides a cross-domain login method, a server and a readable storage medium, and relates to the technical field of communication. The method comprises the following steps: acquiring a jump request from a first domain name service to a second domain name service, wherein the user is logged in to the first domain name service; in response to the jump request, generating credential information according to a login token and a first device identifier corresponding to the first domain name service, wherein the login token was generated when the user logged in to the first domain name service; transmitting the credential information to the first domain name service so that the first domain name service can pass the credential information to the second domain name service when jumping to the second domain name service; acquiring the credential information from the second domain name service, parsing the credential information to obtain the first device identifier, and comparing the first device identifier with a second device identifier corresponding to the second domain name service; and if the first device identifier is consistent with the second device identifier, sending the login token and the user identity information of the user to the second domain name service so as to log the user in to the second domain name service.

Description

Cross-domain login method, server and readable storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a cross-domain login method, a server, and a readable storage medium.
Background
Currently, when a user accesses different domain name services, cookies cannot be set across domains because of the browser's same-origin policy, so each domain name service requires its own login operation.
In the related art, this is addressed as follows: when the domain name A service jumps to a domain name B service on a different domain, a login token or user information is carried as a query parameter of the URL (Uniform Resource Locator) to the server for verification; after the verification succeeds, the user information is returned, and the domain name B service obtains the user identity to complete the login.
However, in this method the login token carried in the URL is effectively exposed in plaintext. When the user forwards the link or a crawler accesses it, the login token is easily leaked and cracked, which is a serious security risk.
Disclosure of Invention
In view of the above, the present application provides a cross-domain login method, a server and a readable storage medium, which solve the problem of low security of cross-domain login in the related art.
In a first aspect, an embodiment of the present application provides a cross-domain login method, which is applied to a server, and the method includes:
obtaining a jump request from a first domain name service to a second domain name service, wherein the first domain name service is logged in by a user;
responding to the jump request, generating credential information according to a login token and a first equipment identifier corresponding to a first domain name service, wherein the login token is generated when a user logs in the first domain name service;
transmitting the credential information to a first domain name service for the first domain name service to transmit the credential information to a second domain name service when jumping to the second domain name service;
acquiring credential information from a second domain name service, analyzing the credential information to obtain a first equipment identifier, and comparing the first equipment identifier with a second equipment identifier corresponding to the second domain name service;
and if the first equipment identifier is consistent with the second equipment identifier, sending the login token and the user identity information of the user to the second domain name service so as to realize the login of the user to the second domain name service.
The method according to the embodiment of the application can also have the following additional technical characteristics:
in the above technical solution, optionally, before acquiring the jump request from the first domain name service to the second domain name service, the method further includes: acquiring a login request from a first domain name service, wherein the login request carries user identity information of a user; responding to the login request, and generating a login token according to the user identity information; and sending the login token to the first domain name service to realize the login of the user to the first domain name service.
In any of the above solutions, optionally, analyzing the credential information to obtain the first device identifier includes: and analyzing the credential information according to the user identity information and the service type of the first domain name service to obtain a first equipment identifier.
In any of the above solutions, optionally, the method further includes: determining a service type of the first domain name service and/or determining a service type of the second domain name service.
In any of the above solutions, optionally, the method further includes: and acquiring a first equipment identifier corresponding to the first domain name service and a second equipment identifier corresponding to the second domain name service through a preset interface.
In any of the above technical solutions, optionally, the server includes a middle platform module and a processing module; the middle platform module is used for acquiring the jump request and, in response to the jump request, sending the login token and the first device identifier corresponding to the first domain name service to the processing module; the processing module is used for generating the credential information according to the login token and the first device identifier; the middle platform module is also used for sending the credential information to the first domain name service, acquiring the credential information from the second domain name service, and sending the credential information and the second device identifier of the second domain name service to the processing module; the processing module is also used for parsing the credential information to obtain the first device identifier, comparing the first device identifier with the second device identifier corresponding to the second domain name service, and, if the first device identifier is consistent with the second device identifier, transmitting the login token and the user identity information of the user to the middle platform module; the middle platform module is also used for sending the login token and the user identity information of the user to the second domain name service so as to log the user in to the second domain name service.
In any of the above technical solutions, optionally, the middle platform module is further configured to obtain a login request from the first domain name service, where the login request carries user identity information of a user, and send the user identity information to the processing module in response to the login request; the processing module is also used for generating a login token according to the user identity information; the middle platform module is also used for sending the login token to the first domain name service so as to realize the login of the user to the first domain name service.
In any of the above solutions, optionally, the first device identifier and/or the second device identifier are generated according to device information, where the device information includes at least one of the following: client name, client model, client screen parameters, client operating system type, client operating system version.
In a second aspect, an embodiment of the present application provides a server, where the server includes a middle platform module and a processing module;
the middle platform module is used for acquiring a jump request from a first domain name service to a second domain name service and, in response to the jump request, sending a login token and a first device identifier corresponding to the first domain name service to the processing module, wherein the user is logged in to the first domain name service and the login token is generated when the user logs in to the first domain name service;
the processing module is used for generating credential information according to the login token and the first device identifier;
the middle platform module is also used for sending the credential information to the first domain name service, so that the first domain name service can send the credential information to the second domain name service when jumping to the second domain name service, acquiring the credential information from the second domain name service, and sending the credential information and a second device identifier of the second domain name service to the processing module;
the processing module is also used for parsing the credential information to obtain the first device identifier, comparing the first device identifier with the second device identifier, and, if the first device identifier is consistent with the second device identifier, transmitting the login token and the user identity information of the user to the middle platform module;
the middle platform module is also used for sending the login token and the user identity information of the user to the second domain name service so as to log the user in to the second domain name service.
In a third aspect, embodiments of the present application provide a readable storage medium having stored thereon a program or instructions which when executed by a processor perform the steps of the method as in the first aspect.
According to the embodiment of the application, on the one hand, the user can access services across domains without logging in again, that is, seamless cross-domain access without a second login, so the user's login operations are reduced. On the other hand, the login token is encrypted with the device identifier of the user's client; even if the access link is shared with or intercepted by another client, that client cannot decrypt the login token encrypted with the user client's device identifier because its own device identifier is different, so the risk of the login token being leaked and cracked is reduced and security is improved. In still another aspect, by comparing the first device identifier corresponding to the first domain name service with the second device identifier corresponding to the second domain name service, it can be determined whether the second domain name service and the first domain name service are logged in on the same client, which further improves the security of the login.
The foregoing description is only an overview of the present application, and is intended to be implemented in accordance with the teachings of the present application in order that the same may be more clearly understood and to make the same and other objects, features and advantages of the present application more readily apparent.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 shows one of the flow diagrams of a cross-domain login method according to an embodiment of the present application;
FIG. 2 shows an interactive schematic of an embodiment of the present application;
FIG. 3 shows a block diagram of a server according to an embodiment of the application;
FIG. 4 shows a schematic structural diagram of a cross-domain login system according to an embodiment of the present application.
Detailed Description
The technical solutions of the embodiments of the present application will be clearly described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which are obtained by a person skilled in the art based on the embodiments of the present application, fall within the scope of protection of the present application.
The terms first, second and the like in the description and in the claims, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged, as appropriate, such that embodiments of the present application may be implemented in sequences other than those illustrated or described herein, and that the objects identified by "first," "second," etc. are generally of a type, and are not limited to the number of objects, such as the first object may be one or more. Furthermore, in the description and claims, "and/or" means at least one of the connected objects, and the character "/", generally means that the associated object is an "or" relationship.
The cross-domain login method, the server and the readable storage medium provided by the embodiment of the application are described in detail below through specific embodiments and application scenes thereof with reference to the accompanying drawings.
The embodiment of the application provides a cross-domain login method which is applied to a server, wherein the server is in communication connection with a client, the client is provided with a first domain name service and a second domain name service, and the business types of the first domain name service and the second domain name service comprise insurance service, real estate service, automobile service, course service, payment service and the like.
It should be noted that the first domain name service and the second domain name service may be different services in the same company, for example, the first domain name service is insurance service of company a, and the second domain name service is property service of company a; the first domain name service and the second domain name service may also be services between different companies, for example, the first domain name service is a browser of company B and the second domain name service is a shopping website of company C.
As shown in fig. 1, the method includes:
step 101, obtaining a jump request from a first domain name service to a second domain name service, wherein the first domain name service is logged in by a user;
step 102, responding to a jump request, and generating credential information according to a login token and a first device identifier corresponding to a first domain name service, wherein the login token is generated when a user logs in the first domain name service;
step 103, sending the credential information to the first domain name service, so that the first domain name service can send the credential information to the second domain name service when jumping to the second domain name service;
step 104, acquiring the credential information from the second domain name service, parsing the credential information to obtain the first device identifier, and comparing the first device identifier with a second device identifier corresponding to the second domain name service;
and step 105, if the first equipment identifier is consistent with the second equipment identifier, the login token and the user identity information of the user are sent to the second domain name service so as to realize the login of the user to the second domain name service.
In this embodiment, the client has already logged the user in to the first domain name service through a request to the server. After the user has logged in to the first domain name service, a need arises to jump from the first domain name service to the second domain name service, and the client then sends a jump request to the server.
After receiving the jump request from the first domain name service to the second domain name service, the server acquires the first device identifier corresponding to the first domain name service and generates temporary credential information from the login token (generated when the user logged in to the first domain name service) and that first device identifier; that is, it encrypts the login token with the first device identifier corresponding to the first domain name service, and then sends the credential information to the first domain name service.
It should be noted that the generated credential information is a temporary credential: it is time-limited and becomes invalid once a preset time is exceeded, which improves security.
On the client, the first domain name service jumps to the second domain name service; the second domain name service obtains the credential information from the first domain name service and sends it to the server. After receiving the credential information, the server parses it, that is, decrypts it, and recovers the first device identifier. It also obtains the second device identifier corresponding to the second domain name service and compares the decrypted first device identifier with the second device identifier. If the two are the same, the login to the first domain name service and the login to the second domain name service are on the same client, and the server sends the login token and the user identity information of the user to the second domain name service so as to log the user in to the second domain name service automatically.
It should be noted that, the above device identifier (the first device identifier or the second device identifier) is an identity identifier of the client, where the device identifier is generated by using device information, and each client has its own device information, and the device information includes, but is not limited to, a client name, a client model, a client screen parameter, a client operating system type, a client operating system version, and the like.
In the embodiment of the application, on the one hand, the user can access services across domains without logging in again, that is, seamless cross-domain access without a second login, so the user's login operations are reduced. On the other hand, the login token is encrypted with the device identifier of the user's client; even if the access link is shared with or intercepted by another client, that client cannot decrypt the login token encrypted with the user client's device identifier because its own device identifier is different, so the risk of the login token being leaked and cracked is reduced and security is improved. In still another aspect, by comparing the first device identifier corresponding to the first domain name service with the second device identifier corresponding to the second domain name service, it can be determined whether the second domain name service and the first domain name service are logged in on the same client, which further improves the security of the login.
In one embodiment of the present application, before acquiring the jump request from the first domain name service to the second domain name service, the method further comprises: acquiring a login request from a first domain name service, wherein the login request carries user identity information of a user; responding to the login request, and generating a login token according to the user identity information; and sending the login token to the first domain name service to realize the login of the user to the first domain name service.
In this embodiment, the user must be logged in to the first domain name service before the first domain name service jumps to the second domain name service. Specifically, the server receives a login request from the first domain name service, where the login request carries the user identity information of the user, generates a login token according to the user identity information, and sends the login token to the first domain name service so that the user is logged in to the first domain name service.
In this way, a single login request logs the user in to the first domain name service, and the user identity information obtained at that login and the generated login token are stored, providing the basis for the subsequent automatic login to the second domain name service.
In one embodiment of the present application, parsing the credential information to obtain the first device identifier includes: parsing the credential information according to the user identity information and the service type of the first domain name service to obtain the first device identifier.
In this embodiment, after the credential information sent by the second domain name service is received, it is decrypted. Specifically, if it is determined from the service type of the first domain name service that a service of that type is allowed to jump to other domain name services, the credential information is decrypted according to the user identity information. For example, if the service type of the first domain name service is a payment service, jumping from the first domain name service to other domain name services is not allowed in order to protect its payment information, whereas if the service type of the first domain name service is an automobile service, jumping from the first domain name service to other domain name services is allowed.
The security of jump login is further ensured through the mode.
In one embodiment of the application, the method further comprises: determining a service type of the first domain name service and/or determining a service type of the second domain name service.
In this embodiment, the server assigns a service type to each domain name service so that each domain name service has an explicit service type, which provides the basis for its login authentication.
In one embodiment of the application, the method further comprises: and acquiring a first equipment identifier corresponding to the first domain name service and a second equipment identifier corresponding to the second domain name service through a preset interface.
In this embodiment, the server calls the pre-packaged device identifier through a preset interface, i.e. an API (Application Programming Interface).
When the credential information needs to be generated, the first device identifier is obtained through the preset interface, the login token is encrypted with the first device identifier, and the temporary credential information is generated. Compared with a scheme that merely generates a single temporary credential from the login token to avoid exposing the login token directly, this increases the encryption complexity of the login token, reduces the probability that user information is revealed through cracking of the login token, and improves security.
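Steps 101 to 105 above, the device identifier derived from client device information, the service-type rule (a payment service may not jump out) and the time-limited temporary credential can be modelled end to end in one server. The following Python is an added illustration written for this page, not the patent's or the assignee's code; it assumes a single server holding a server secret and the session table, uses an HMAC-SHA256 keystream with encrypt-then-MAC as a stand-in for a real AEAD such as AES-GCM, and additionally makes each temporary credential single-use, which goes beyond what the page states.

```python
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

SERVER_SECRET = b"constructed-server-secret"   # constructed sample value, not from the page
CREDENTIAL_TTL = 60                            # preset validity of a temporary credential (assumed, seconds)
NO_JUMP_SERVICE_TYPES = {"payment"}            # page: a payment service may not jump to other services


def device_identifier(info: dict) -> str:
    """Device identifier derived from client device information (name, model,
    screen parameters, OS type, OS version); the page leaves the exact method open."""
    canon = json.dumps(info, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def _derive_key(user_id: str, service_type: str, device_id: str) -> bytes:
    # Key bound to the user identity, the first service's type and the device identifier:
    # a different client (different device id) cannot unwrap the credential.
    ctx = f"{user_id}|{service_type}|{device_id}".encode()
    return hmac.new(SERVER_SECRET, ctx, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(n // 32 + 1):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> Optional[bytes]:
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None                    # wrong device id, wrong user/service, or tampered
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class LoginServer:
    def __init__(self) -> None:
        self.sessions = {}   # login token -> (user_id, service type of the first service)
        self.pending = {}    # credential id -> (user_id, service_type, expiry time)

    def login(self, user_id: str, service_type: str) -> str:
        """Login request from the first domain name service: issue the login token."""
        token = secrets.token_hex(16)
        self.sessions[token] = (user_id, service_type)
        return token

    def jump_request(self, token: str, first_device_id: str) -> Optional[str]:
        """Steps 101-103: wrap the login token into a temporary credential bound to
        the first device identifier. Returns None if the jump is not allowed."""
        if token not in self.sessions:
            return None
        user_id, service_type = self.sessions[token]
        if service_type in NO_JUMP_SERVICE_TYPES:
            return None                # this service type is not allowed to jump out
        cred_id = secrets.token_hex(8)
        key = _derive_key(user_id, service_type, first_device_id)
        body = json.dumps({"token": token, "dev": first_device_id}).encode()
        self.pending[cred_id] = (user_id, service_type, time.time() + CREDENTIAL_TTL)
        return cred_id + ":" + _seal(key, body).hex()

    def verify_jump(self, credential: str, second_device_id: str,
                    now: Optional[float] = None) -> Optional[dict]:
        """Steps 104-105: credential forwarded by the second domain name service plus
        that service's device identifier -> login token and user identity, or None."""
        now = time.time() if now is None else now
        cred_id, _, blob_hex = credential.partition(":")
        entry = self.pending.pop(cred_id, None)        # single use (assumption)
        if entry is None:
            return None
        user_id, service_type, expiry = entry
        if now > expiry:
            return None                # temporary credential has expired
        try:
            blob = bytes.fromhex(blob_hex)
        except ValueError:
            return None
        body = _open(_derive_key(user_id, service_type, second_device_id), blob)
        if body is None:
            return None
        data = json.loads(body)
        if not hmac.compare_digest(data["dev"], second_device_id):
            return None                # not the same client: refuse the login
        return {"token": data["token"], "user_id": user_id}
```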
In one embodiment of the application, the server comprises a middle platform module and a processing module; the middle platform module is used for acquiring the jump request and, in response to the jump request, sending the login token and the first device identifier corresponding to the first domain name service to the processing module; the processing module is used for generating the credential information according to the login token and the first device identifier; the middle platform module is also used for sending the credential information to the first domain name service, acquiring the credential information from the second domain name service, and sending the credential information and the second device identifier of the second domain name service to the processing module; the processing module is also used for parsing the credential information to obtain the first device identifier, comparing the first device identifier with the second device identifier corresponding to the second domain name service, and, if the first device identifier is consistent with the second device identifier, transmitting the login token and the user identity information of the user to the middle platform module; the middle platform module is also used for sending the login token and the user identity information of the user to the second domain name service so as to log the user in to the second domain name service.
In one embodiment, the middle platform module is further configured to obtain a login request from the first domain name service, where the login request carries user identity information of a user, and send the user identity information to the processing module in response to the login request; the processing module is also used for generating a login token according to the user identity information; the middle platform module is also used for sending the login token to the first domain name service so as to realize the login of the user to the first domain name service.
In one embodiment, the processing module is further configured to parse the credential information according to the user identity information and the service type of the first domain name service to obtain the first device identifier.
In an embodiment, the processing module is further configured to determine a traffic type of the first domain name service and/or determine a traffic type of the second domain name service.
In one embodiment, the middle station module is further configured to obtain, through a preset interface, a first device identifier corresponding to the first domain name service and a second device identifier corresponding to the second domain name service.
In the real-time, the server is provided with a middle platform module, and the middle platform module provides SDK (Software Development Kit ) capability, so that information transfer can be realized, information transmission is more efficient, and domain name service access is more convenient and quick.
Compared with the scheme of performing interface conversion, encryption and decryption among a plurality of servers so as to perform skip login among different domain name services, the embodiment of the application forms a platform-level solution by arranging the middle platform module, is convenient for each service in a company to use, has higher reusability, can realize unified management, reduces development cost, and truly forms a system solution for opening a box.
In a specific embodiment of the present application, fig. 2 shows an interaction diagram of an embodiment of the present application. As shown in fig. 2, the method comprises:
1001. The domain name A service calls the login SDK capability provided by the middle-platform module and passes in the user identity information of the user who is currently logging in;
1002. The middle-platform module passes the user identity information to the processing module, and the processing module generates a token (that is, the login token);
1003. The processing module returns the token to the middle-platform module;
1004. After the middle-platform module obtains the token, it sends the token and the user identity information to the domain name A service; the user has now successfully logged in to the domain name A service, which is the first login;
1005. The business logic of the domain name A service triggers a jump to the domain name B service;
1006. Before the jump, the domain name A service calls the SDK capability provided by the middle-platform module for obtaining the device identifier, that is, the capability of calling the device-identifier API;
1007. The middle-platform module obtains the device identifier of the domain name A service, fingerprint A, by calling the API, and passes the token and fingerprint A to the processing module, which generates a ticket (the credential information);
1008. The processing module returns the ticket to the middle-platform module;
1009. The middle-platform module returns the ticket to the domain name A service;
1010. The domain name A service jumps to the domain name B service and carries the ticket in the URL;
1011. The domain name B service passes the ticket to the middle-platform module;
1012. The middle-platform module passes the ticket and fingerprint B (the device identifier obtained for the domain name B service) to the processing module;
1013. The processing module parses the ticket, recovers fingerprint A and compares it with fingerprint B; if fingerprint A is consistent with fingerprint B, it returns the token to the middle-platform module;
1014. The middle-platform module sends the token and the user identity information to the domain name B service;
1015. The domain name B service performs its business access and stores the user identity information, the token and other settings in cookies.
According to the embodiment of the application, when a user accesses different domain name services within the company, the user obtains transparent cross-site access without a second login, which improves the user experience. At the same time, login-free access between services under different domain names improves business conversion, so the technology directly enables the business.
The security risk is addressed through device identification and comparison, login processing is reused across services through the middle platform, and the problem of non-uniform management is solved.
The embodiment of the application also provides a server. As shown in fig. 3, the server 300 comprises a middle-platform module 301 and a processing module 302.
The middle-platform module 301 is configured to obtain a jump request from a first domain name service to a second domain name service and, in response to the jump request, send a login token and a first device identifier corresponding to the first domain name service to the processing module 302, where the user has already logged in to the first domain name service and the login token was generated when the user logged in to the first domain name service;
the processing module 302 is configured to generate credential information from the login token and the first device identifier;
the middle-platform module 301 is further configured to send the credential information to the first domain name service, so that the first domain name service passes the credential information to the second domain name service when jumping to it, to obtain the credential information from the second domain name service, and to send the credential information and the second device identifier of the second domain name service to the processing module 302;
the processing module 302 is further configured to parse the credential information to obtain the first device identifier, compare the first device identifier with the second device identifier and, if they are consistent, send the login token and the user identity information of the user to the middle-platform module 301;
the middle-platform module 301 is further configured to send the login token and the user identity information of the user to the second domain name service, so that the user is logged in to the second domain name service.
In this embodiment, the user has already logged in to the first domain name service through a request sent from the client to the server. After the user has logged in to the first domain name service, a need arises to jump from the first domain name service to the second domain name service, and the client sends a jump request to the server.
After receiving the jump request from the first domain name service to the second domain name service, the server obtains the first device identifier corresponding to the first domain name service and generates temporary credential information from the login token that was generated when the user logged in to the first domain name service and from that first device identifier; that is, it encrypts the login token using the first device identifier corresponding to the first domain name service, and then sends the credential information to the first domain name service.
On the client, the first domain name service jumps to the second domain name service; the second domain name service obtains the credential information from the first domain name service and sends it to the server. After receiving the credential information, the server parses it, that is, decrypts it, and recovers the first device identifier. It also obtains the second device identifier corresponding to the second domain name service and compares the decrypted first device identifier with the second device identifier. If the two are the same, the login to the first domain name service and the login to the second domain name service come from the same client, and the server sends the login token and the user identity information of the user to the second domain name service, so that the user is logged in to the second domain name service automatically.
In the embodiment of the application, on the one hand, the user gains cross-domain service access without logging in again, that is, transparent cross-domain access without a second login, which reduces the login operations the user must perform. On the other hand, the login token is encrypted using the device identifier of the user's client, so even if the access link is shared with or intercepted by another client, that client has a different device identifier and cannot decrypt the login token; the risk of the login token being leaked or cracked is reduced and security is improved. In a further aspect, comparing the first device identifier corresponding to the first domain name service with the second device identifier corresponding to the second domain name service determines whether the second domain name service and the first domain name service are being logged in to from the same client, which further improves login security.
In one embodiment, the middle-platform module 301 is further configured to obtain a login request from the first domain name service, the login request carrying user identity information of a user, and to send the user identity information to the processing module 302 in response to the login request; the processing module 302 is further configured to generate the login token from the user identity information; and the middle-platform module 301 is further configured to send the login token to the first domain name service, so that the user is logged in to the first domain name service.
In one embodiment, the processing module 302 is further configured to parse the credential information according to the user identity information and the service type of the first domain name service in order to obtain the first device identifier.
In one embodiment, the processing module 302 is further configured to determine the service type of the first domain name service and/or the service type of the second domain name service.
In one embodiment, the middle-platform module 301 is further configured to obtain, through a preset interface, the first device identifier corresponding to the first domain name service and the second device identifier corresponding to the second domain name service.
In one embodiment, the first device identifier and/or the second device identifier are generated from device information comprising at least one of: client name, client model, client screen parameters, client operating system type, client operating system version.
The embodiment of the application also provides a cross-domain login system. As shown in fig. 4, it comprises a client, a middle-platform module, a processing module and a storage layer. The client is the view layer, hosts the first domain name service and the second domain name service, and can be implemented with technologies such as Vue and React; the middle-platform module is the intermediate layer and can serve as an information relay module implemented with technologies such as Node.js and JavaScript; the processing module is the business layer, which processes the information and can be implemented with Java, PHP and similar technologies; the storage layer stores the information and can be implemented with MySQL and similar technologies.
The specific working logic of the client, the middle-platform module and the processing module is as described in the above embodiments and achieves the same technical effects; it is not repeated here.
The embodiment of the application also provides a readable storage medium that stores a program or instructions which, when executed by a processor, implement each process of the above embodiment of the cross-domain login method and achieve the same technical effects; they are not repeated here.
It should be noted that, in this document, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element. Furthermore, the scope of the methods and apparatus in the embodiments of the present application is not limited to performing the functions in the order shown or discussed; the functions may also be performed substantially simultaneously or in the opposite order, depending on the functions involved. For example, the described methods may be performed in an order different from that described, and steps may be added, omitted or combined. Additionally, features described with reference to certain examples may be combined in other examples.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the above-described embodiments, which are merely illustrative and not restrictive. Many further forms may be made by those of ordinary skill in the art without departing from the spirit of the present application and the scope of the claims, and these also fall under the protection of the present application.

Claims (10)

1. A cross-domain login method, applied to a server, comprising:
obtaining a jump request from a first domain name service to a second domain name service, wherein a user has logged in to the first domain name service;
in response to the jump request, generating credential information from a login token and a first device identifier corresponding to the first domain name service, wherein the login token was generated when the user logged in to the first domain name service;
sending the credential information to the first domain name service, so that the first domain name service passes the credential information to the second domain name service when jumping to the second domain name service;
obtaining the credential information from the second domain name service, parsing the credential information to obtain the first device identifier, and comparing the first device identifier with a second device identifier corresponding to the second domain name service; and
if the first device identifier is consistent with the second device identifier, sending the login token and user identity information of the user to the second domain name service, so that the user is logged in to the second domain name service.
2. The method of claim 1, further comprising, before obtaining the jump request from the first domain name service to the second domain name service:
obtaining a login request from the first domain name service, wherein the login request carries user identity information of the user;
in response to the login request, generating the login token from the user identity information; and
sending the login token to the first domain name service, so that the user is logged in to the first domain name service.
3. The method of claim 1, wherein parsing the credential information to obtain the first device identifier comprises:
parsing the credential information according to the user identity information and the service type of the first domain name service to obtain the first device identifier.
4. The method of claim 3, further comprising:
determining the service type of the first domain name service and/or determining the service type of the second domain name service.
5. The method of claim 1, further comprising:
obtaining, through a preset interface, the first device identifier corresponding to the first domain name service and the second device identifier corresponding to the second domain name service.
6. The method of claim 2, wherein the server comprises a middle-platform module and a processing module;
the middle-platform module is configured to obtain the jump request and, in response to the jump request, send the login token and the first device identifier corresponding to the first domain name service to the processing module;
the processing module is configured to generate the credential information from the login token and the first device identifier;
the middle-platform module is further configured to send the credential information to the first domain name service, obtain the credential information from the second domain name service, and send the credential information and the second device identifier of the second domain name service to the processing module;
the processing module is further configured to parse the credential information to obtain the first device identifier, compare the first device identifier with the second device identifier corresponding to the second domain name service and, if the first device identifier is consistent with the second device identifier, send the login token and the user identity information of the user to the middle-platform module;
the middle-platform module is further configured to send the login token and the user identity information of the user to the second domain name service, so that the user is logged in to the second domain name service.
7. The method of claim 6, wherein
the middle-platform module is further configured to obtain the login request from the first domain name service, wherein the login request carries the user identity information of the user, and to send the user identity information to the processing module in response to the login request;
the processing module is further configured to generate the login token from the user identity information;
the middle-platform module is further configured to send the login token to the first domain name service, so that the user is logged in to the first domain name service.
8. The method according to any one of claims 1 to 7, wherein
the first device identifier and/or the second device identifier are generated from device information, wherein the device information comprises at least one of the following: client name, client model, client screen parameters, client operating system type, client operating system version.
9. A server, comprising a middle-platform module and a processing module;
the middle-platform module is configured to obtain a jump request from a first domain name service to a second domain name service and, in response to the jump request, send a login token and a first device identifier corresponding to the first domain name service to the processing module, wherein a user has logged in to the first domain name service and the login token was generated when the user logged in to the first domain name service;
the processing module is configured to generate credential information from the login token and the first device identifier;
the middle-platform module is further configured to send the credential information to the first domain name service, so that the first domain name service passes the credential information to the second domain name service when jumping to the second domain name service, to obtain the credential information from the second domain name service, and to send the credential information and a second device identifier of the second domain name service to the processing module;
the processing module is further configured to parse the credential information to obtain the first device identifier, compare the first device identifier with the second device identifier and, if the first device identifier is consistent with the second device identifier, send the login token and the user identity information of the user to the middle-platform module;
the middle-platform module is further configured to send the login token and the user identity information of the user to the second domain name service, so that the user is logged in to the second domain name service.
10. A readable storage medium having stored thereon a program or instructions which, when executed by a processor, implement the steps of the cross-domain login method according to any one of claims 1 to 8.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310380294.4A 2023-04-11 2023-04-11 Cross-domain login method, server and readable storage medium

Publications (1)

Publication Number Publication Date
CN116582298A 2023-08-11

Family ID 87534885; one family application (CN202310380294.4A, pending); country status: CN.
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination