CN117411660A - Resource authorization method and device, storage medium and electronic equipment - Google Patents

Publication number: CN117411660A
Authority: CN (China)
Prior art keywords: authorization, party, client, credential, code
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202310516682.0A
Other languages: Chinese (zh)
Inventor: 潘蓓
Current Assignee: Shenzhen TCL New Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Shenzhen TCL New Technology Co Ltd
Application filed by: Shenzhen TCL New Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281: Proxies
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a resource authorization method and device, a storage medium and electronic equipment, relating to the technical field of computers. An authorizer client can: play authorization prompt information in response to a preset resource authorization operation; according to an authorization instruction, send to an authorization server a proxy authorization request carrying third party information and authorizer information, the proxy authorization request also including a user login state credential corresponding to the authorizer client; receive an authorization code sent by the authorization server, the authorization code being generated and sent after the authorization server verifies the authorization relationship based on the third party information and the authorizer information and confirms that the user in the user login state credential exists; and transmit the authorization code to the third party client by carrying the authorized access credential of the third party client, so that the third party client uses the authorization code to request a resource access credential from the authorization server. This effectively improves the convenience of resource authorization and the user experience.

Description

Resource authorization method and device, storage medium and electronic equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and apparatus for resource authorization, a storage medium, and an electronic device.
Background
When information needs to be shared with a third party platform, a user-level resource access credential (access token) is usually issued to the third party client to grant it certain resource permissions. One of the most widely used approaches at present is user authorization through the authorization code mode of the OAuth 2.0 protocol. The user is usually required to log in to the authorizer client and to the third party client and perform authorization operations in each; in particular, the user must perform the authorization operation in the third party client every time.
In one current approach, each authorization in the third party client requires the user to enter an account password or verification code; in another, the user's account is displayed directly in the third party client and the user confirms the authorization. The first approach is cumbersome for the user. The second places a requirement on the authorizer, which must obtain the user login state of the authorizer application on the current user device, so the processing is complex.
Therefore, in current resource authorization schemes the user has to go to the third party client to perform the authorization operation every time, which is very inconvenient and results in poor resource authorization convenience and poor user experience.
Disclosure of Invention
The embodiment of the application provides a scheme, which can effectively improve the convenience of resource authorization and improve the user experience.
The embodiment of the application provides the following technical scheme:
according to one embodiment of the application, a resource authorization method is applied to an authorizer client, and the method comprises the following steps: responding to a preset resource authorization operation, and playing authorization prompt information, wherein the authorization prompt information is used for inquiring whether to authorize a third party client; according to an authorization instruction, a proxy authorization request carrying third party information and authorization party information is sent to an authorization server, wherein the authorization instruction is generated in response to an agreeing operation corresponding to the authorization prompt information, and the proxy authorization request also comprises a user login state credential corresponding to the authorization party client; receiving an authorization code sent by the authorization server, wherein the authorization code is generated and sent after the authorization server verifies an authorization relationship based on the third party information and the authorization party information and confirms the existence of a user in the user login state credential; transmitting the authorization code to the third party client through carrying the authorization access credential of the third party client, so that the third party client uses the authorization code to request the resource access credential from the authorization server.
In some embodiments of the present application, the proxy authorization request further includes a first callback address, the authorization server further verifies whether the first callback address is consistent with a second callback address before generating the authorization code, the authorization server generates the authorization code after verifying that the first callback address is consistent with the second callback address, and the second callback address is the callback address when the third party client registers.
In some embodiments of the present application, the proxy authorization request further includes an authorization scope of the third party client, and the resource access credential generated by the authorization server includes the authorization scope.
In some embodiments of the present application, the authorization code has a predetermined validity period, and transmitting the authorization code to the third party client by carrying the authorized access credential of the third party client includes: detecting whether the predetermined validity period of the authorization code has been reached, to obtain a detection result; and, according to the detection result, transmitting the authorization code to the third party client by carrying the authorized access credential of the third party client.
According to one embodiment of the present application, a resource authorization device is applied to an authorizer client, the device includes: the prompt module is used for responding to the preset resource authorization operation and playing authorization prompt information, wherein the authorization prompt information is used for inquiring whether the third party client is authorized or not; the proxy module is used for sending a proxy authorization request carrying third party information and authority information to an authorization server according to an authorization instruction, wherein the authorization instruction is generated in response to an agreement operation corresponding to the authorization prompt information, and the proxy authorization request also comprises a user login state credential corresponding to the authority client; the receiving module is used for receiving an authorization code sent by the authorization server, wherein the authorization code is generated and sent after the authorization server verifies the authorization relation and verifies the existence of the user in the user login state credential based on the third party information and the authorization party information; and the transmission module is used for transmitting the authorization code to the third party client through carrying the authorization access credential of the third party client, so that the third party client uses the authorization code to request the resource access credential from the authorization server.
In some embodiments of the present application, the proxy authorization request further includes a first callback address, the authorization server further verifies whether the first callback address is consistent with a second callback address before generating the authorization code, the authorization server generates the authorization code after verifying that the first callback address is consistent with the second callback address, and the second callback address is the callback address when the third party client registers.
In some embodiments of the present application, the proxy authorization request further includes an authorization scope of the third party client, and the resource access credential generated by the authorization server includes the authorization scope.
In some embodiments of the present application, the authorization code has a predetermined validity period, and the transmission module is configured to: detect whether the predetermined validity period of the authorization code has been reached, to obtain a detection result; and, according to the detection result, transmit the authorization code to the third party client by carrying the authorized access credential of the third party client.
According to one embodiment of the application, a resource authorization method is applied to a third party client, and the method comprises the following steps: receiving an authorization code sent by an authorizer client, wherein the authorization code is sent by the authorizer client according to the method in any one of the embodiment of fig. 1 and other embodiments in the embodiment of fig. 1; sending a credential acquisition request to the authorization server, the credential acquisition request carrying the authorization code; and receiving the resource access credential sent by the authorization server, wherein the resource access credential is generated and sent after the authorization server verifies the authorization code.
In some embodiments of the present application, the credential obtaining request further carries a client key corresponding to the third party client, the authorization server verifies an identity of the third party client according to the client key before generating the resource access credential, and the authorization server generates the resource access credential after verifying that the identity passes.
In some embodiments of the present application, the credential obtaining request further carries a third callback address corresponding to the third party client, the proxy authorization request further includes a first callback address, the authorization server further verifies whether the third callback address is identical to the first callback address before generating the resource access credential, and the authorization server generates the resource access credential after verifying that the third callback address is identical to the first callback address.
According to one embodiment of the application, a resource authorization device is applied to a third party client, and the device comprises: the code obtaining module is used for receiving an authorization code sent by the client of the authorizer, wherein the authorization code is sent by the client of the authorizer according to the method in any one of the embodiment of fig. 1 and other embodiments in the embodiment of fig. 1; the request module is used for sending a credential acquisition request to the authorization server, wherein the credential acquisition request carries the authorization code; and the certification module is used for receiving the resource access certificate sent by the authorization server, and the resource access certificate is generated and sent after the authorization server verifies the authorization code.
In some embodiments of the present application, the credential obtaining request further carries a client key corresponding to the third party client, the authorization server verifies an identity of the third party client according to the client key before generating the resource access credential, and the authorization server generates the resource access credential after verifying that the identity passes.
In some embodiments of the present application, the credential obtaining request further carries a third callback address corresponding to the third party client, the proxy authorization request further includes a first callback address, the authorization server further verifies whether the third callback address is identical to the first callback address before generating the resource access credential, and the authorization server generates the resource access credential after verifying that the third callback address is identical to the first callback address.
According to another embodiment of the present application, a storage medium has stored thereon a computer program which, when executed by a processor of a computer, causes the computer to perform the method described in the embodiments of the present application.
According to another embodiment of the present application, an electronic device may include: a memory storing a computer program; and the processor reads the computer program stored in the memory to execute the method according to the embodiment of the application.
According to another embodiment of the present application, a computer program product or computer program includes computer instructions stored in a computer readable storage medium. The computer instructions are read from the computer-readable storage medium by a processor of a computer device, and executed by the processor, cause the computer device to perform the methods provided in the various alternative implementations described in the embodiments of the present application.
In this embodiment of the present application, the client of the authorizer may: responding to a preset resource authorization operation, and playing authorization prompt information, wherein the authorization prompt information is used for inquiring whether to authorize a third party client; according to an authorization instruction, a proxy authorization request carrying third party information and authorization party information is sent to an authorization server, wherein the authorization instruction is generated in response to an agreeing operation corresponding to the authorization prompt information, and the proxy authorization request also comprises a user login state credential corresponding to the authorization party client; receiving an authorization code sent by the authorization server, wherein the authorization code is generated and sent after the authorization server verifies an authorization relationship based on the third party information and the authorization party information and confirms the existence of a user in the user login state credential; transmitting the authorization code to the third party client through carrying the authorization access credential of the third party client, so that the third party client uses the authorization code to request the resource access credential from the authorization server.
In this way, proxy authorization for the third party is actively initiated in the authorizer client, and the user does not need to authorize in the third party client every time. After the user agrees to the proxy authorization through the agreeing operation, the authorizer client can conveniently obtain the third party information, the authorizer information and the user login state credential and send them to the authorization server in the proxy authorization request. The authorization code is thereby obtained simply and conveniently for the third party client to use when applying for the resource access credential, the user no longer has to operate and enter input in multiple clients to grant authorization, the convenience of resource authorization is effectively improved, and the user experience is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 shows a flow chart of a resource authorization method according to one embodiment of the present application.
Fig. 2 shows a flow chart of a resource authorization method according to another embodiment of the present application.
Fig. 3 shows a block diagram of a resource authorization device according to one embodiment of the present application.
Fig. 4 shows a block diagram of a resource authorization device according to another embodiment of the present application.
Fig. 5 shows a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
Fig. 1 schematically shows a flow chart of a resource authorization method according to one embodiment of the present application. The resource authorization method can be executed by any device with processing capability, such as a television, a computer, a mobile phone, a smart watch or a household appliance, and the authorizer client can run on the device that executes the method.
As shown in fig. 1, the authorizer client may perform a resource authorization method, which may include steps S110 to S140:
Step S110: in response to a preset resource authorization operation, playing authorization prompt information, wherein the authorization prompt information is used for inquiring whether to authorize a third party client.
Step S120: according to an authorization instruction, sending to an authorization server a proxy authorization request carrying third party information and authorizer information, wherein the authorization instruction is generated in response to an agreeing operation corresponding to the authorization prompt information, and the proxy authorization request also includes a user login state credential corresponding to the authorizer client.
Step S130: receiving an authorization code sent by the authorization server, wherein the authorization code is generated and sent after the authorization server verifies the authorization relationship based on the third party information and the authorizer information and confirms that the user in the user login state credential exists.
Step S140: transmitting the authorization code to the third party client by carrying the authorized access credential of the third party client, so that the third party client uses the authorization code to request the resource access credential from the authorization server.
The relevant user can perform a predetermined resource authorization operation in the authorizer client. The predetermined resource authorization operation may be any operation that triggers the playing of the authorization prompt information, for example selecting a third party client and clicking a preset authorization button.
The authorization prompt information may be played by displaying information such as images and/or text in a client interface, and in some implementations voice information may be played while the information is displayed. The authorization prompt information is used for inquiring whether to authorize the third party client. The user can then perform an agreeing operation, such as clicking an agree control or responding by voice, which triggers generation of the authorization instruction.
When the authorizer client detects the authorization instruction, it can obtain the third party information, the authorizer information and the user login state credential corresponding to the authorizer client. The third party information may be the unique identifier (client_id) of the third party client; the authorizer information may be the unique identifier (client_id) of the authorizer client; the user login state credential (an SSO (Single Sign-On) token) is a credential that lets a user access mutually trusted subsystems after logging in only once, and it can be used for trusted access to the authorization server. The authorizer client then sends a proxy authorization request to the authorization server, and the proxy authorization request carries the third party information, the authorizer information and the user login state credential corresponding to the authorizer client.
After receiving the proxy authorization request, the authorization server can verify the authorization relationship against a relationship table that stores the authorizer clients and third party clients between which proxy authorization may be performed; if the relationship table contains an association between the third party information and the authorizer information, the authorization relationship is verified. The authorization server may then confirm whether the user in the user login state credential exists and, if so, generate an authorization code (code).
The authorization server sends the authorization code to the authorizer client, and the authorizer client transmits the authorization code to the third party client by carrying the authorized access credential of the third party client. The third party client can then use the authorization code directly to legitimately request the resource access credential from the authorization server. The resource access credential can be used for accessing resources in the resource server, and the resource server can be the authorization server or another server.
In this way, based on steps S110 to S140, proxy authorization for the third party is actively initiated in the authorizer client, and the user does not need to authorize in the third party client every time. After the user agrees to the proxy authorization through the agreeing operation, the authorizer client can conveniently obtain the third party information, the authorizer information and the user login state credential and send them to the authorization server in the proxy authorization request. The authorization code is thereby obtained simply and conveniently for the third party client to use when applying for the resource access credential, the user no longer has to operate and enter input in multiple clients to grant authorization, the convenience of resource authorization is effectively improved, and the user experience is improved.
Further alternative embodiments of the steps performed when resource authorization is performed under the embodiment of fig. 1 are described below.
In one embodiment, the proxy authorization request further includes a first callback address, the authorization server verifies whether the first callback address is consistent with a second callback address before generating the authorization code, the authorization server generates the authorization code after verifying that the first callback address is consistent with the second callback address, and the second callback address is the callback address when the third party client registers.
The proxy authorization request also includes a first callback address, which may be a callback address (redirect_uri) of the third party client obtained by the authorizer client. The third party client previously registered with the authorization server, which can store the corresponding callback address (redirect_uri), namely the second callback address. Before generating the authorization code, the authorization server further verifies whether the first callback address is consistent with the second callback address, and it generates the authorization code only after verifying that they are consistent, which further improves the reliability of proxy authorization.
In one embodiment, the proxy authorization request further includes an authorization scope of the third party client, and the resource access credential generated by the authorization server includes the authorization scope. The authorization scope (scope) may be set by the relevant user in the authorizer client, or set automatically by the authorizer client according to the type or source of the third party client. The authorization server includes the authorization scope in the resource access credential when generating it, and the third party client can access only the resources within the authorization scope based on that resource access credential.
In some embodiments, the resource access credential generated by the authorization server includes an authorization validity period, and the resource access credential is valid only within the authorization validity period; further, in some embodiments, the resource access credential includes both an authorization validity period and an authorization scope (scope).
In one embodiment, the authorization code has a predetermined validity period, and transmitting the authorization code to the third party client by carrying the authorized access credential of the third party client includes: detecting whether the predetermined validity period of the authorization code has been reached, to obtain a detection result; and, according to the detection result, transmitting the authorization code to the third party client by carrying the authorized access credential of the third party client.
The authorization code issued by the authorization server may have a predetermined validity period (for example, 10 minutes). The authorizer client may detect whether the predetermined validity period of the authorization code has been reached, and if the detection result is that it has not been reached, the authorization code is transmitted to the third party client by carrying the authorized access credential of the third party client, which avoids invalid transmissions. Specifically, the authorizer client can process the authorization code and the authorized access credential (access_token) granted by the third party using an encryption and signing scheme agreed with the third party client, and then transmit them to the third party client.
Referring to fig. 2, the resource authorization scheme of the present application is further described below from the perspective of a third party client.
Specifically, the resource authorization method is applied to a third party client, and the third party client can execute:
Step S210: receiving an authorization code sent by an authorizer client, where the authorization code is sent by the authorizer client according to the method of the embodiment of fig. 1 or any of the further embodiments under the embodiment of fig. 1.
Step S220: sending a credential acquisition request to the authorization server, where the credential acquisition request carries the authorization code.
Step S230: receiving the resource access credential sent by the authorization server, where the resource access credential is generated and sent after the authorization server verifies the authorization code.
After the third party client receives the authorization code sent by the authorizer client, it can send a credential acquisition request carrying the authorization code to the authorization server corresponding to the authorizer client. After the authorization server obtains the authorization code from the credential acquisition request, if the authorization code was previously issued and is within its validity period, the authorization server can generate the resource access credential and send it to the third party client.
In a further embodiment, the credential obtaining request further carries a client key corresponding to the third party client, the authorization server verifies an identity of the third party client according to the client key before generating the resource access credential, and the authorization server generates the resource access credential after verifying that the identity passes.
The client key (client secret) may be generated by the third party client when it registers its application with the authorization server, and only the third party client and the authorization server hold the key information. Before generating the resource access credential, the authorization server may also verify the identity of the third party client by comparing the client key in the credential acquisition request with the client key stored in the authorization server; if they are consistent, the identity verification passes. In this embodiment, the authorization server generates the resource access credential after verifying the authorization code and further verifying the identity.
Further, in an embodiment, the credential obtaining request further carries a third callback address corresponding to the third party client, the proxy authorization request further includes a first callback address, the authorization server verifies whether the third callback address is identical to the first callback address before generating the resource access credential, and the authorization server generates the resource access credential after verifying that the third callback address is identical to the first callback address.
The proxy authorization request also includes a first callback address, which may be a callback address (redirect_uri) of a third party client obtained by the authorizer client. The certificate acquisition request also carries a third callback address corresponding to the third party client, and the third callback address is a callback address (redirect_uri) of the third party client acquired by the third party client.
In this embodiment, the authorization server further verifies whether the third callback address is identical to the first callback address before generating the resource access credential, and the authorization server generates the resource access credential after verifying that the third callback address is identical to the first callback address. For example, after the authorization server verifies that the authorization code passes, and further verifies that the identity passes, and then verifies that the third callback address is the same as the first callback address, the resource access credential is generated; for another example, the authorization server verifies that the third callback address is the same as the first callback address after the authorization code passes, and then generates the resource access credential.
Further, the resource access credential in the foregoing embodiments of the present application may be an access token. The access token is an authorization credential issued by the authorization server to the client with the user's authorization, and can be expressed as "the user grants the APP access to the related services within a certain time range". The access token can therefore be controlled in two dimensions, the time range and the authority range. In addition, the access token is opaque to the client: it appears as a character string, and the client cannot learn the user information behind the string, so there is no need to worry about leakage of the user login credential.
Further, in some aspects, the resource access credential may further include a refresh token (refresh token) based on the access token. The refresh token serves to renew the access token. The validity period of the access token can be short, but frequently calling the authorization interface also puts pressure on the authorization server, so a refresh token can be issued at the same time as the access token. The validity period of the refresh token can be significantly longer than that of the access token, and when the access token expires, the refresh token can be used to obtain a new access token from the authorization server.
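The server-side checks described in the preceding paragraphs (authorization code validity, client key comparison, callback address match, then issuing an access token and a refresh token) are sketched below. This is an added example, not code from the application. The class and method names, the token lifetimes, storing only a hash of the client key, and rotating the refresh token are assumptions; single use of the code follows RFC 6749 rather than the page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL = 600            # authorization-code validity in seconds (page's example: 10 minutes)
ACCESS_TTL = 3600         # assumed access-token lifetime
REFRESH_TTL = 30 * 86400  # assumed refresh-token lifetime, much longer than ACCESS_TTL


@dataclass
class CodeRecord:
    client_id: str
    first_callback: str   # callback address carried in the proxy authorization request
    scope: str
    issued_at: float
    used: bool = False


class AuthorizationServer:
    def __init__(self):
        self.secret_hashes = {}   # client_id -> SHA-256 of the client key (assumed hardening)
        self.codes = {}           # authorization code -> CodeRecord
        self.access_tokens = {}   # opaque access token -> (client_id, scope, expiry)
        self.refresh_tokens = {}  # opaque refresh token -> (client_id, scope, expiry)

    def register_client(self, client_id, client_secret):
        """Registration: keep only a hash of the client key on the server."""
        self.secret_hashes[client_id] = hashlib.sha256(client_secret.encode()).digest()

    def grant_code(self, client_id, first_callback, scope, now):
        code = secrets.token_urlsafe(24)
        self.codes[code] = CodeRecord(client_id, first_callback, scope, now)
        return code

    def _client_ok(self, client_id, client_secret):
        stored = self.secret_hashes.get(client_id)
        presented = hashlib.sha256(client_secret.encode()).digest()
        # Constant-time comparison of the presented key with the stored one.
        return stored is not None and hmac.compare_digest(stored, presented)

    def _issue(self, client_id, scope, now):
        # Tokens are random strings; their meaning lives only in server-side tables.
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = (client_id, scope, now + ACCESS_TTL)
        self.refresh_tokens[refresh] = (client_id, scope, now + REFRESH_TTL)
        return {"access_token": access, "expires_in": ACCESS_TTL,
                "scope": scope, "refresh_token": refresh}

    def redeem_code(self, code, client_id, client_secret, third_callback, now):
        """Credential acquisition request: check code, client key, then callback address."""
        rec = self.codes.get(code)
        if rec is None or rec.client_id != client_id:
            return {"error": "unknown_code"}
        if rec.used:
            return {"error": "code_already_used"}   # single use, per RFC 6749
        if now - rec.issued_at >= CODE_TTL:
            return {"error": "code_expired"}
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        if third_callback != rec.first_callback:    # exact match, no prefix matching
            return {"error": "callback_mismatch"}
        rec.used = True
        return self._issue(client_id, rec.scope, now)

    def refresh(self, refresh_token, client_id, client_secret, now):
        """Exchange a refresh token for a new access token (rotation is an assumption)."""
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None or entry[0] != client_id or now >= entry[2]:
            return {"error": "invalid_refresh_token"}
        del self.refresh_tokens[refresh_token]      # old refresh token stops working
        return self._issue(client_id, entry[1], now)
```

A failed attempt (wrong client key or callback address) does not consume the code here; a stricter server could instead revoke the code on the first failed redemption.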
In order to facilitate better implementation of the resource authorization method provided by the embodiment of the application, the embodiment of the application also provides a resource authorization device based on the resource authorization method. Where the meaning of a noun is the same as in the resource authorization method described above, specific implementation details may be referred to the description in the method embodiment. Fig. 3 shows a block diagram of a resource authorization device according to one embodiment of the present application. Fig. 4 shows a block diagram of a resource authorization device according to another embodiment of the present application.
As shown in fig. 3, the resource authorization device 300 is applied to an authorizer client, and the resource authorization device 300 may include: a prompt module 310, which may be configured to play, in response to a predetermined resource authorization operation, authorization prompt information for querying whether to authorize a third party client; a proxy module 320, which may be configured to send a proxy authorization request carrying third party information and authorization party information to an authorization server according to an authorization instruction, where the authorization instruction is generated in response to an agreeing operation corresponding to the authorization prompt information, and the proxy authorization request further includes a user login state credential corresponding to the authorizer client; a receiving module 330, which may be configured to receive an authorization code sent by the authorization server, where the authorization code is generated and sent by the authorization server after verifying an authorization relationship based on the third party information and the authorization party information and verifying that the user in the user login state credential exists; and a transmission module 340, which may be configured to transmit the authorization code to the third party client in a message carrying the authorized access credential of the third party client, so that the third party client uses the authorization code to request a resource access credential from the authorization server.
In some embodiments of the present application, the proxy authorization request further includes a first callback address, the authorization server further verifies whether the first callback address is consistent with a second callback address before generating the authorization code, the authorization server generates the authorization code after verifying that the first callback address is consistent with the second callback address, and the second callback address is the callback address when the third party client registers.
In some embodiments of the present application, the proxy authorization request further includes an authorization scope of the third party client, and the resource access credential generated by the authorization server includes the authorization scope.
In some embodiments of the present application, the authorization code has a predetermined time period, and the transmission module is configured to: detect whether the predetermined time period of the authorization code has been reached, to obtain a detection result; and, according to the detection result, transmit the authorization code to the third party client in a message carrying the authorized access credential of the third party client.
Further, as shown in fig. 4, the resource authorization device 400 is applied to a third party client, and the resource authorization device 400 includes: the code obtaining module 410 may be configured to receive an authorization code sent by an authorizer client, where the authorization code is sent by the authorizer client according to the method in any one of the embodiments of fig. 1 and other embodiments of the embodiment of fig. 1; the request module 420 may be configured to send a credential acquisition request to the authorization server, where the credential acquisition request carries the authorization code; the certification module 430 may be configured to receive the resource access credential sent by the authorization server, where the resource access credential is generated and sent after the authorization server verifies the authorization code.
In some embodiments of the present application, the credential obtaining request further carries a client key corresponding to the third party client, the authorization server verifies an identity of the third party client according to the client key before generating the resource access credential, and the authorization server generates the resource access credential after verifying that the identity passes.
In some embodiments of the present application, the credential obtaining request further carries a third callback address corresponding to the third party client, the proxy authorization request further includes a first callback address, the authorization server further verifies whether the third callback address is identical to the first callback address before generating the resource access credential, and the authorization server generates the resource access credential after verifying that the third callback address is identical to the first callback address.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules or units described above may be embodied in one module or unit, in accordance with embodiments of the present application. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
In addition, the embodiment of the application further provides an electronic device, which may be a terminal or a server, as shown in fig. 5, which shows a schematic structural diagram of the electronic device according to the embodiment of the application, specifically:
the electronic device may include components such as a processor 501 with one or more processing cores, a memory 502 with one or more computer-readable storage media, a power supply 503, and an input unit 504. It will be appreciated by those skilled in the art that the electronic device structure shown in fig. 5 does not limit the electronic device, which may include more or fewer components than shown, combine certain components, or use a different arrangement of components.
Wherein:
the processor 501 is a control center of the electronic device, and connects various parts of the entire computer device using various interfaces and lines, and performs various functions of the computer device and processes data by running or executing software programs and/or modules stored in the memory 502, and calling data stored in the memory 502, thereby performing overall monitoring of the electronic device. Optionally, processor 501 may include one or more processing cores; preferably, the processor 501 may integrate an application processor and a modem processor, wherein the application processor primarily handles operating systems, user pages, applications, etc., and the modem processor primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 501.
The memory 502 may be used to store software programs and modules, and the processor 501 executes various functional applications and data processing by executing the software programs and modules stored in the memory 502. The memory 502 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program (such as a sound playing function, an image playing function, etc.) required for at least one function, and the like; the storage data area may store data created according to the use of the computer device, etc. In addition, memory 502 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory 502 may also include a memory controller to provide access to the memory 502 by the processor 501.
The electronic device further comprises a power supply 503 for powering the various components, preferably the power supply 503 is logically connected to the processor 501 via a power management system, whereby the functions of managing charging, discharging, and power consumption are performed by the power management system. The power supply 503 may also include one or more of any of a direct current or alternating current power supply, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
The electronic device may further comprise an input unit 504, which input unit 504 may be used for receiving input digital or character information and for generating keyboard, mouse, joystick, optical or trackball signal inputs in connection with user settings and function control.
Although not shown, the electronic device may further include a display unit or the like, which is not described herein. In particular, in this embodiment, the processor 501 in the electronic device loads executable files corresponding to the processes of one or more computer programs into the memory 502 according to the following instructions, and the processor 501 executes the computer programs stored in the memory 502, so as to implement the functions in the foregoing embodiments of the present application.
The processor 501 may perform the following steps: responding to a preset resource authorization operation, and playing authorization prompt information, wherein the authorization prompt information is used for inquiring whether to authorize a third party client; according to an authorization instruction, a proxy authorization request carrying third party information and authorization party information is sent to an authorization server, wherein the authorization instruction is generated in response to an agreeing operation corresponding to the authorization prompt information, and the proxy authorization request also comprises a user login state credential corresponding to the authorization party client; receiving an authorization code sent by the authorization server, wherein the authorization code is generated and sent after the authorization server verifies an authorization relationship based on the third party information and the authorization party information and confirms the existence of a user in the user login state credential; transmitting the authorization code to the third party client through carrying the authorization access credential of the third party client, so that the third party client uses the authorization code to request the resource access credential from the authorization server.
As another example, the processor 501 may perform the following steps: receiving an authorization code sent by an authorizer client, wherein the authorization code is sent by the authorizer client according to the method in any one of the embodiment of fig. 1 and other embodiments in the embodiment of fig. 1; sending a credential acquisition request to the authorization server, the credential acquisition request carrying the authorization code; and receiving the resource access credential sent by the authorization server, wherein the resource access credential is generated and sent after the authorization server verifies the authorization code.
It will be appreciated by those of ordinary skill in the art that all or part of the steps of the various methods of the above embodiments may be performed by a computer program, or by computer program control related hardware, which may be stored in a computer readable storage medium and loaded and executed by a processor.
To this end, the present embodiments also provide a storage medium having stored therein a computer program that can be loaded by a processor to perform the steps of any of the methods provided by the embodiments of the present application.
The storage medium may include: Read-Only Memory (ROM), Random Access Memory (RAM), a magnetic disk or an optical disk, and the like.
Since the computer program stored in the storage medium may perform any of the steps in the method provided in the embodiment of the present application, the beneficial effects that can be achieved by the method provided in the embodiment of the present application may be achieved, which are detailed in the previous embodiments and are not described herein.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the embodiments disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains.
It will be understood that the present application is not limited to the embodiments that have been described above and shown in the drawings, but that various modifications and changes can be made without departing from the scope thereof.

Claims (10)

1. A method for authorizing a resource, applied to an authorizer client, the method comprising:
responding to a preset resource authorization operation, and playing authorization prompt information, wherein the authorization prompt information is used for inquiring whether to authorize a third party client;
according to an authorization instruction, a proxy authorization request carrying third party information and authorization party information is sent to an authorization server, wherein the authorization instruction is generated in response to an agreeing operation corresponding to the authorization prompt information, and the proxy authorization request also comprises a user login state credential corresponding to the authorization party client;
receiving an authorization code sent by the authorization server, wherein the authorization code is generated and sent after the authorization server verifies an authorization relationship and verifies the existence of a user in the user login state credential based on the third party information and the authorization party information;
transmitting the authorization code to the third party client through carrying the authorization access credential of the third party client, so that the third party client uses the authorization code to request the resource access credential from the authorization server.
2. The method of claim 1, wherein the proxy authorization request further comprises a first callback address, wherein the authorization server further verifies whether the first callback address is consistent with a second callback address before generating the authorization code, wherein the authorization server generates the authorization code after verifying that the first callback address is consistent with the second callback address, and wherein the second callback address is the callback address when the third party client is registered.
3. The method of claim 1, wherein the proxy authorization request further includes an authorization scope for the third party client, the resource access credential generated by the authorization server including the authorization scope.
4. The method of claim 1, wherein the authorization code has a predetermined time period, and wherein the transmitting the authorization code to the third party client by carrying an authorized access credential for the third party client comprises:
detecting whether the preset time of the authorization code is reached or not to obtain a detection result;
and transmitting the authorization code to the third party client through carrying the authorization access certificate of the third party client according to the detection result.
5. A method for authorizing resources, applied to a third party client, the method comprising:
receiving an authorization code sent by an authorizer client, wherein the authorization code is sent by the authorizer client according to the method of any one of claims 1 to 4;
sending a credential acquisition request to the authorization server, the credential acquisition request carrying the authorization code;
and receiving the resource access credential sent by the authorization server, wherein the resource access credential is generated and sent after the authorization server verifies the authorization code.
6. The method of claim 5, wherein the credential acquisition request further carries a client key corresponding to the third party client, the authorization server further verifies an identity of the third party client based on the client key before generating the resource access credential, and the authorization server generates the resource access credential after verifying the identity.
7. The method of claim 5 or 6, wherein the credential acquisition request further carries a third callback address corresponding to the third party client, wherein the proxy authorization request further comprises a first callback address, wherein the authorization server further verifies whether the third callback address is identical to the first callback address before generating the resource access credential, and wherein the authorization server generates the resource access credential after verifying that the third callback address is identical to the first callback address.
8. A resource authorization device for application to an authorizer client, the device comprising:
the prompt module is used for responding to the preset resource authorization operation and playing authorization prompt information, wherein the authorization prompt information is used for inquiring whether the third party client is authorized or not;
the request module is used for sending a proxy authorization request carrying third party information and authority information to an authorization server according to an authorization instruction, wherein the authorization instruction is generated in response to an agreement operation corresponding to the authorization prompt information, and the proxy authorization request also comprises a user login state credential corresponding to the authority client;
the receiving module is used for receiving an authorization code sent by the authorization server, wherein the authorization code is generated and sent after the authorization server verifies the authorization relation and verifies the existence of the user in the user login state credential based on the third party information and the authorization party information;
and the transmission module is used for transmitting the authorization code to the third party client through carrying the authorization access credential of the third party client, so that the third party client uses the authorization code to request the resource access credential from the authorization server.
9. A storage medium having stored thereon a computer program which, when executed by a processor of a computer, causes the computer to perform the method of any of claims 1 to 7.
10. An electronic device, comprising: a memory storing a computer program; a processor reading a computer program stored in a memory to perform the method of any one of claims 1 to 7.
CN202310516682.0A 2023-05-09 2023-05-09 Resource authorization method and device, storage medium and electronic equipment Pending CN117411660A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310516682.0A CN117411660A (en) 2023-05-09 2023-05-09 Resource authorization method and device, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN117411660A true CN117411660A (en) 2024-01-16

Family

ID=89495045

Country Status (1)

Country Link
CN (1) CN117411660A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination