KR101746745B1 - User agent, client and method for authorization to support single sing-on - Google Patents


Info

Publication number
KR101746745B1
Authority
KR
South Korea
Application number
KR1020160001250A
Other languages
Korean (ko)
Inventor
홍성일
강대진
이형찬
Original Assignee
(주)유비앤티스랩

Classifications

    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, using a predetermined code, e.g. password, passphrase or PIN
    • H04L63/0815 Network architectures or network communication protocols for network security, for authentication of entities, providing single-sign-on or federations
    • H04L63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L2209/80 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L9/00): Wireless

Abstract

A user agent, a client, and an authorization method supporting single sign-on are disclosed. In the single sign-on authorization method according to the present invention, the user agent requests the authorization server to issue an authorization code corresponding to the client and to authenticate the user, receives the authorization code, and transmits it to the client; the client transmits the authorization code and the return URI value to the authorization server to request generation of an access token and receives the access token; the client transmits the access token to a resource server to inquire the user identification value; and, when the user identification value is stored in the resource server, the client receives the protected resource from the resource server using the access token.

Description

{USER AGENT, CLIENT AND METHOD FOR AUTHORIZATION TO SUPPORT SINGLE SING-ON}

The present invention relates to a single sign-on technology for electronic services, and more particularly to a single sign-on technology for electronic services operating in a web browser or app in a mobile environment.

Single sign-on (SSO) is a technique that allows a plurality of web services or application programs running on a user's PC or portable terminal to be accessed through a single authentication process, without a separate login for each. Single sign-on reduces the password fatigue caused by managing different combinations of identities and passwords, and saves the time spent re-entering a password each time the same identity is used.

The OAuth 2.0 protocol is a typical technique used to implement single sign-on. In the OAuth 2.0 protocol, the resource server is the server that hosts user-owned information protected by OAuth. The user is the owner of the individual user data hosted on the resource server and is the party who grants access to it.

The client is an application program or electronic service that uses user information; it requests operations on the protected resource through the API provided by the resource server. The authorization server issues an access token to the client, after obtaining the user's consent, so that the client can access the protected resource at the resource server. The user agent is generally a web browser or an application program with an equivalent function, and the client uses it as the medium for obtaining consent from the user.

The OAuth 2.0 protocol is roughly divided into the process in which the client obtains an authorization code from the authorization server, the process in which an access token is issued, and the process in which the user's protected data is received from the resource server.

In a mobile environment, the OAuth 2.0 protocol is divided into a browser method and a web view method according to how the user agent is implemented. The browser method uses the browser installed on the mobile device as the user agent. In the web view method, a separate application program to be used as the user agent is installed on the mobile terminal, and a web view with the same function as a web browser is run inside it and used as the user agent.

Many apps use a web view as the user agent, and the OAuth 2.0 protocol is mainly used for the single sign-on process between one app and another. For example, when a client application is authorized through the web view of a user agent application, the application that communicates with the authorization server over the network (e.g., a portal application) corresponds to the user agent, and the application being authorized (e.g., a mail application) corresponds to the client.

When the user launches the mail app and attempts to log in, the portal app is provided with the client information and the return URI value. The portal app then creates a web view to perform the user authentication process; once authentication is complete, it receives the authorization code from the authorization server and transfers the authorization code to the mail app. The mail app obtains the access token from the authorization server using the authorization code received from the portal app, and receives the user's protected resource from the resource server using the access token.

In this case the client application requests authorization from the user agent application; in a practical environment, a portal application in which the user has already authenticated can grant the mail application permission. With the OAuth 2.0 protocol, the portal app calls the mail app, and the mail app calls the portal app back to request issuance of the authorization code. The portal app acquires the authorization code and sends it to the mail app. The mail app obtains an access token from the received authorization code and reads the user's mail using that access token.

However, when the OAuth 2.0 protocol runs in a mobile environment, screen transitions occur between the client and the user agent on the user's mobile terminal. For example, granting permission to the mail app from a portal app involves three transitions.

Likewise, when a web-view-based client app is called from a web browser, that is, when the mobile device's web browser (user agent) is used to log in to a web service supporting the OAuth 2.0 protocol, a screen transition occurs from the web browser to the app. The launched app then performs the authorization code acquisition process through its web view, so even though the user is already logged in in the web browser, the user has to log in again in the web view.

As described above, the conventional OAuth 2.0 protocol has low usability in a mobile environment because the screen is switched several times and re-login is required. There is therefore an urgent need for a technique that supports single sign-on while eliminating the screen switching and re-login operations.

Korean Patent Laid-Open No. 10-2010-0071752, June 29, 2010 (Name: Service linking device for single login and logout and method thereof)

It is an object of the present invention to solve the problem of repeated screen switching that occurs when the OAuth 2.0 protocol is used in a mobile environment, so that a user can use a single sign-on service quickly and conveniently.

It is also an object of the present invention to solve the problem of re-login that occurs when the conventional OAuth 2.0 protocol is used, thereby increasing the usability of a single sign-on service.

It is another object of the present invention to provide a single sign-on service that runs in parallel with an existing authorization protocol while defending against Cross-Site Request Forgery (CSRF), a hacking threat.

According to an aspect of the present invention, there is provided an authorization method for single sign-on performed by a user terminal including a user agent and a client, the method comprising: the user agent requesting the authorization server to issue an authorization code corresponding to the client and to authenticate the user; the user agent receiving the authorization code from the authorization server and transferring it to the client; the client transmitting the authorization code and the return URI value to the authorization server to request generation of an access token; the client receiving the access token from the authorization server; the client transmitting the access token to the resource server to inquire the user identification value; and, when the user identification value is stored in the resource server, the client receiving the protected resource from the resource server using the access token.

In this case, the step in which the user agent requests the authorization server to issue the authorization code and authenticate the user may include inquiring the authorization code reception history, selecting the transmission module corresponding to the reception module that most recently received an authorization code as the valid transmission module, and requesting issuance of the authorization code from the authorization server using the valid transmission module.

In this case, when no authorization code reception history exists, that step may include determining whether a designated application agent exists and requesting issuance of the authorization code from the authorization server using the transmission module that corresponds to whether the designated application agent exists.

The method may further include the client determining whether the received authorization code is the authorization code it requested, using the state value and the return URI value received together with the authorization code.

If the authorization code is not the authorization code requested by the client, the method may further include determining whether the user identification value is stored and, if the user identification value is not stored, performing a client-based authorization code request.

The client includes an authorization code receiving unit for receiving an authorization code from the authorization server through the user agent, an access token issuing unit for receiving an access token from the authorization server using the authorization code, an inquiry and authentication unit for transmitting the access token to the resource server and inquiring the user identification value, and a resource receiving unit for receiving the protected resource from the resource server using the access token when the user identification value is stored in the resource server.

In this case, the inquiry and authentication unit may determine whether the received authorization code is the authorization code requested by the client, and may store the user identification value if it is.

At this time, the inquiry and authentication unit may determine whether the received authorization code is the authorization code requested by the client using the state value and the return URI value received together with the authorization code.

In this case, if the authorization code is not the authorization code requested by the client, the inquiry and authentication unit may determine whether the user identification value has already been stored, and thereby determine whether it is safe from a security threat.

At this time, if the user identification value is not stored, a client-based authorization code request can be performed.

The user agent may include a transmitting unit for transmitting the identifier of the client and the return URI value to the authorization server to request issuance of the authorization code and for transmitting the information received from the user to the authorization server to perform user authentication, a receiving unit for receiving the authorization code from the authorization server, and a communication unit for transmitting the received authorization code to the client. The transmitting unit includes a browser transmission module for requesting issuance of the authorization code from the authorization server using a browser, a web view transmission module for requesting issuance of the authorization code from the authorization server using a web view, and a transmission module selection unit for setting which of the browser transmission module and the web view transmission module is used to request issuance of the authorization code.

At this time, as a result of inquiring the authorization code reception history, the transmitting unit selects the transmission module corresponding to the reception module that most recently received an authorization code as the valid transmission module, and requests issuance of the authorization code from the authorization server using it.

In this case, when no authorization code reception history exists, the transmitting unit determines whether a designated application agent corresponding to the running application exists and, if the designated application agent exists, requests issuance of the authorization code from the authorization server.

If the designated application agent does not exist, the transmitting unit determines whether the user has logged in and, if the user is in the logged-in state, requests issuance of the authorization code from the authorization server using the web view transmission module.

In this case, if the user has not logged in, the transmitting unit may first perform user authentication using the web view transmission module and then request issuance of the authorization code from the authorization server using the web view transmission module.

According to the present invention, the problem of repeated screen switching that occurs when the OAuth 2.0 protocol is used in a mobile environment is solved, so that a user can use a single sign-on service quickly and conveniently.

In addition, according to the present invention, the problem of re-login that occurs when the conventional OAuth 2.0 protocol is used is solved, and the usability of a single sign-on service is increased.

Also, according to the present invention, a single sign-on service can be used in parallel with the existing authorization protocol while defending against Cross-Site Request Forgery (CSRF), a hacking threat.

FIG. 1 is a diagram illustrating the configuration of a single sign-on system using the OAuth 2.0 protocol according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating the configuration of a user agent supporting single sign-on according to an exemplary embodiment of the present invention.
FIG. 3 is a block diagram illustrating the configuration of a client supporting single sign-on according to an exemplary embodiment of the present invention.
FIG. 4 is a flowchart illustrating an authorization method supporting single sign-on according to an embodiment of the present invention.
FIG. 5 is a view for explaining a single sign-on system according to an embodiment of the present invention.
FIG. 6 is a diagram illustrating a user agent application SSO module according to an embodiment of the present invention.
FIG. 7 is a diagram illustrating a client application SSO module according to an embodiment of the present invention.

The present invention will now be described in detail with reference to the accompanying drawings. Hereinafter, a repeated description, a known function that may obscure the gist of the present invention, and a detailed description of the configuration will be omitted. Embodiments of the present invention are provided to more fully describe the present invention to those skilled in the art. Accordingly, the shapes and sizes of the elements in the drawings and the like can be exaggerated for clarity.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a diagram illustrating the configuration of a single sign-on system using the OAuth 2.0 protocol according to an embodiment of the present invention.

Referring to FIG. 1, a single sign-on system includes a user terminal 100, an authorization server 400, and a resource server 500, and the user terminal 100 includes a user agent 200 and a client 300. Here, the web browser of the user terminal 100 corresponds to the user agent 200, and an application installed in the user terminal 100 corresponds to the client 300.

The user agent 200 requests issuance of the authorization code to the authorization server 400 and transmits the authorization code received from the authorization server 400 to the client 300.

The client 300 transmits the authorization code received from the user agent 200 to the authorization server 400, requests issuance of the access token, and receives the access token from the authorization server 400. The client 300 also inquires the user identification value from the resource server 500 using the access token, and receives the protected resource from the resource server 500.

Next, the authorization server 400 issues an authorization code when receiving an authorization code issuance request from the user agent 200, and generates an access token using the authorization code received from the client 300.

Finally, the resource server 500 looks up the user identification value using the access token received from the client 300 and, when a user identification value corresponding to the access token exists, transmits the protected resource to the client 300.

FIG. 2 is a block diagram illustrating the configuration of a user agent supporting single sign-on according to an exemplary embodiment of the present invention.

Referring to FIG. 2, the user agent 200 includes a transmitting unit 210, a receiving unit 220, and a communication unit 230.

First, the transmitting unit 210 transmits the identifier of the client and the return URI value to the authorization server to request issuance of the authorization code, and transmits the information received from the user to the authorization server to perform user authentication.

The transmitting unit 210 includes a browser transmission module for requesting issuance of an authorization code from the authorization server using a browser, a web view transmission module for requesting issuance of an authorization code from the authorization server using a web view, and a transmission module selection unit for setting which of the browser transmission module and the web view transmission module is used to request issuance of the authorization code.

As a result of inquiring the authorization code reception history, the transmitting unit 210 selects the transmission module corresponding to the reception module that most recently received an authorization code as the valid transmission module, and requests issuance of the authorization code through it.

When there is no authorization code reception history, the transmitting unit 210 determines whether a designated application agent corresponding to the running application exists. If the designated application agent exists, the transmitting unit 210 requests issuance of the authorization code from the authorization server.

If the designated application agent does not exist, the transmitting unit 210 determines whether the user has logged in and, if the user is in the logged-in state, requests issuance of the authorization code from the authorization server using the web view transmission module.

If the user has not logged in, the transmitting unit 210 first performs user authentication using the web view transmission module, and then requests issuance of the authorization code from the authorization server using the web view transmission module.

Next, the receiving unit 220 receives an authorization code from the authorization server.

Finally, the communication unit 230 transmits the received authorization code to the client.

FIG. 3 is a block diagram illustrating the configuration of a client supporting single sign-on according to an exemplary embodiment of the present invention.

Referring to FIG. 3, the client 300 includes an authorization code receiving unit 310, an access token issuing unit 320, an inquiry and authentication unit 330, and a resource receiving unit 340.

First, the authorization code receiving unit 310 receives the authorization code from the authorization server through the user agent.

The access token issuing unit 320 receives the access token from the authorization server using the authorization code.

Next, the inquiry and authentication unit 330 transmits the access token to the resource server, and inquires the user identification value.

In addition, the inquiry and authentication unit 330 determines whether the received authorization code is the authorization code requested by the client, and stores the user identification value if it is.

The inquiry and authentication unit 330 determines whether the received authorization code is the authorization code requested by the client by checking whether the state value and the return URI value received together with the authorization code were stored in advance.

If the authorization code is not the authorization code requested by the client, the inquiry and authentication unit 330 determines whether the inquired user identification value has previously been stored, and thereby determines whether it is safe from the security threat. If the user identification value is not stored, the inquiry and authentication unit 330 performs a client-based authorization code request.

Finally, when the user identification value is stored in the resource server, the resource receiver 340 receives the protected resource from the resource server using the access token.

Hereinafter, an authorization method for single sign-on performed by a user terminal including a user agent and a client according to an embodiment of the present invention will be described in detail with reference to FIG. 4.

FIG. 4 is a flowchart illustrating an authorization method supporting single sign-on according to an embodiment of the present invention.

First, the user agent 200 requests the authorization server 400 to issue an authorization code and authenticate a user (S410).

Unlike the conventional technique, in which the client requests issuance of the authorization code, in the authorization method supporting single sign-on according to an embodiment of the present invention it is the user agent 200 that requests issuance of the authorization code.

The user agent 200 transmits the identifier of the client and the return URI value to the authorization server 400 in accordance with the standard document RFC 6749. The user agent 200 then performs the user authentication process with the authorization server 400 using the information input by the user, and when user authentication succeeds, a session is established between the user agent 200 and the authorization server 400.

The return URI value is the URI of the client that receives the authorization code. The return URI value is paired with the client at the authorization server 400.

Next, the authorization server 400 transmits an authorization code to the user agent 200 (S420).

Here, the authorization code is a secret value used temporarily before the access token is issued; it identifies the user and allows the access token to be issued securely and directly to the client 300.

The authorization server 400 authorizes the client 300 to access the resource server 500 and issues an authorization code. The authorization server 400 then transmits the return URI value together with the authorization code to the user agent 200.

At this time, the user agent 200 can check the destination of the received authorization code. The user agent 200 determines whether the return URI value received with the authorization code is the same as the return URI value assigned to the user agent 200. If the received return URI value equals the return URI value assigned to the user agent 200, the user agent 200 requests issuance of an access token using the received authorization code. Otherwise, the user agent 200 performs step S430 described below.

The user agent 200 having received the authorization code transfers the authorization code to the client 300 (S430).

At this time, the user agent 200 delivers the authorization code to the client 300 corresponding to the return URI value received in step S420.

Here, as the communication method between the client and the user agent, on Google's Android operating system, inter-process communication (IPC) technologies including the Custom URI Scheme and the Intent can be used; on Apple's iOS, the Custom URI Scheme and XPC IPC technologies can be used. The communication method is not limited to these.

The client 300 having received the authorization code requests the authorization server 400 to issue an access token (S440).

The client 300 transmits the authorization code and the return URI value received from the user agent 200 in step S430 to the authorization server 400, and requests the access token. Here, the access token is the value required when the client 300 requests the user's protected resource from the resource server 500.

Then, the authorization server 400 issues an access token to the client 300 (S450).

At this time, the authorization server 400 verifies the authorization code and return URI value received from the client 300, issues an access token, and transmits the access token to the client 300.

Next, the client 300 receiving the access token inquires the resource server 500 for the user identification value (S460).

The client 300 transmits the access token to the resource server 500 and inquires the user identification value. The client 300 also checks whether the received authorization code is the authorization code that the client 300 itself requested.

To check whether the received authorization code is the one it requested, the client 300 determines whether the received state value and return URI value pair is stored together with the authorization code. If the state value and return URI value pair is stored, the client 300 judges that the received authorization code is the one it requested, stores the inquired user identification value, and ends the access token issuance process.

Here, the state value is a random number value included in the authorization code issuance request; when the client 300 receives an authorization code, the state value is used to check whether that authorization code is the one the client 300 itself requested.

On the other hand, when the received authorization code is not the authorization code requested by the client 300, the client 300 determines whether the user identification value inquired in step S460 has been stored. If the corresponding user identification value is stored, the client 300 determines that it is safe from a CSRF attack.

If the user identification value is not stored, the client 300 performs a client-based authorization code request. Here, a client-based authorization code request means the process in which the client 300 requests the authorization code through the user agent 200, as in the conventional OAuth 2.0 protocol.

Finally, the resource server 500 transmits the protected resource to the client 300 (S470).

FIG. 5 is a view for explaining a single sign-on system according to an embodiment of the present invention.

As shown in FIG. 5, a single sign-on system can be represented by the communication protocol between the resource server, the user, the client, the authorization server, and the user agent, which are the components of OAuth 2.0.

First, the user agent sends the identifier of the client and the return URI value to the authorization server to request issuance of the authorization code (A). Thus, the authorization code issuance process is initiated at the user agent, where the user agent knows the identifier of the client and the return URI value.

However, when the authorization code issuance process starts from the user agent as shown in (A), the clients can not trust the status value included in the authorization code issuance request. As a result, a malicious attacker may log in as a client by CSRF attack.

Accordingly, the client determines whether the authorization code received in step (G) to be described later is generated by the CSRF attack. If it is determined that the authorization code is vulnerable to the CSRF attack, the client performs the client-based authorization code request.

Also, the user agent transmits the information received from the user to the authorization server to perform user authentication (B).

The authorization server that has performed the user authentication issues an authorization code to the user agent and transmits it. At this time, the user agent transmits the authorization code received from the authorization server to the client (C).

Next, the client sends the authorization code and the return URI value to the authorization server to request the access token (D), and the authorization server issues the access token to the client (E).

The client having received the access token transmits the access token to the resource server (F), inquires the user identification value (G), transmits the access token to the resource server (H), and receives the protected resource from the resource server (I).

(G), the client regards the received authorization code as an authorization code generated by an attacker who is potentially malicious due to a CSRF attack, and discards the authorization code if the user identification value is a value that has not been received previously do. The client then returns to the OAuth 2.0 client-based authorization request process.

On the other hand, if the user identification value is a value that has been previously received, the client determines that the authorization code is a normal authorization code and performs step (H).

That is, as shown in FIG. 5, in order to issue an authorization code, a single login system according to an embodiment of the present invention requests a user agent, not a client, to issue an authorization code. In order to compensate for the vulnerability of the CSRF attack, it is necessary to verify the authorization code by querying the user identification value.
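The client-side check described in the S640 paragraphs above and in steps (C) through (I) of FIG. 5, written out as an added example (this is not the patent's code). The authorization server and resource server are in-memory stand-ins constructed for the example, and the names SsoClient, handle_code, begin_client_based_request and the return strings are assumptions. The decision order is the one the description gives: a (state, return URI) pair the client stored itself means the code is the client's own request; otherwise the client cannot trust the state it did not generate, so it falls back to the user identification value, and discards the code when that value was never received before.

```python
"""Client-side verification of an authorization code whose issuance was
started by the user agent (added example, not the patent's code).

  1. (state, return URI) pair stored by this client -> own request; accept
     and remember the user identification value.
  2. otherwise exchange the code, ask the resource server for the user
     identification value; if it was received before, accept.
  3. otherwise discard the code (possible CSRF) and start the conventional
     client-based OAuth 2.0 authorization code request.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class FakeAuthorizationServer:
    """Constructed stand-in: authorization code -> (user id, return URI)."""
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def issue_code(self, user_id: str, return_uri: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user_id, return_uri)
        return code

    def exchange(self, code: str, return_uri: str):
        """Steps (D)/(E): single-use code plus return URI -> access token, or None."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[1] != return_uri:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = entry[0]
        return token


@dataclass
class FakeResourceServer:
    """Constructed stand-in answering step (G) from the token table."""
    auth: FakeAuthorizationServer

    def user_identity(self, token: str):
        return self.auth.tokens.get(token)


@dataclass
class SsoClient:
    return_uri: str
    auth: FakeAuthorizationServer
    resource: FakeResourceServer
    pending: dict = field(default_factory=dict)    # state -> return URI of own requests
    known_users: set = field(default_factory=set)  # user identification values seen
    client_based_requests: int = 0                 # fallbacks taken, for inspection

    def begin_client_based_request(self) -> str:
        """Conventional OAuth 2.0: the client generates and stores its own state."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = self.return_uri
        self.client_based_requests += 1
        return state

    def handle_code(self, code: str, state: str, return_uri: str) -> str:
        """Process one delivered authorization code (steps (C) to (I))."""
        token = self.auth.exchange(code, return_uri)           # (D)/(E)
        if token is None:
            raise ValueError("authorization server rejected the code")
        user_id = self.resource.user_identity(token)            # (F)/(G)

        own_request = self.pending.pop(state, None) == return_uri
        if own_request:
            self.known_users.add(user_id)
            return "accepted:own-request"
        if user_id in self.known_users:
            return "accepted:known-user"                        # continue to (H)/(I)

        # Unknown identity on a request this client never made: treat the
        # code as possibly injected by a CSRF attack, drop it, start over.
        self.begin_client_based_request()
        return "discarded"
```

The fallback in step 2 only rejects identities this client instance has never seen; as the description says, it compensates for the state value being untrusted, it does not replace the state check for requests the client makes itself.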

Hereinafter, the functions of the user agent application SSO module and the client application SSO module are described in more detail with reference to FIGS. 6 and 7.

FIG. 6 is a diagram illustrating a user agent application SSO module according to an embodiment of the present invention.

The user agent 200 may be a user agent application that includes a web view, or a web browser. If the user agent 200 is an app that includes a web view, it may include a user agent application SSO module as shown in FIG. 6.

As shown in FIG. 6, the user agent application SSO module includes a user agent transmitting unit, a user agent receiving unit, a control information repository, a client transmitting unit, a client receiving unit, and an access token issuing unit.

First, the user agent transmitting unit is an abstract module for requesting issuance of an authorization code from the authorization server using a web view or a browser. It includes a browser transmission module for requesting issuance of an authorization code using a browser, and a web view transmission module for requesting issuance using a web view. The user agent transmitting unit may further include a transmission module selection unit that selects which of the browser transmission module and the web view transmission module to use when an authorization code issuance request arises. The transmitter of FIG. 2 may be implemented as the user agent transmitting unit of FIG. 6.

Next, the user agent receiving unit is an abstract module that receives the authorization code issued by the authorization server. It includes a browser receiving module that receives the authorization code using the browser, a web view receiving module that receives it using the web view, and a reception module selection unit that determines whether the destination of the received data is the user agent application or a client application. The browser receiving module may be defined as a Custom URL Scheme. The receiver of FIG. 2 may be implemented as the user agent receiving unit of FIG. 6.

The control information repository stores the receiving module information used when receiving the authorization code, the state value used when requesting issuance of the authorization code, the return URI value, the user identification value, and the identifier of the client. The user agent transmitting unit and the user agent receiving unit operate by referring to the control information repository.

The client transmitting unit is used when transmitting data to the web view transmitting module and is responsible for communication with the client app. The client receiving unit receives data sent from the client application SSO module and is mainly used in the client-based authorization code issuance request process of conventional OAuth 2.0. The communication unit of FIG. 2 may be implemented separately as the client transmitting unit and the client receiving unit of FIG. 6.

The access token issuing unit issues the access token using the authorization code.

In FIG. 6, the transmission module selection unit inquires the control information repository for the most recent authorization code reception history. Among receptions after the application was most recently started, it inquires the reception history of the browser receiving module, the web view receiving module, and the application receiving module, and selects as the valid transmission module the transmission module corresponding to the receiving module that received an authorization code most recently. The transmission module selection unit then requests issuance of an authorization code from the authorization server using the valid transmission module.

If the inquiry of the recent authorization code reception history yields no valid reception history, the transmission module selection unit checks whether a designated application agent corresponding to the running application exists. The existence of the application agent can be confirmed by inquiring the return URI value registered in the operating system or by searching for the name of the application program.

The presence of a designated app agent means that the running app is a client app, so the transmission module selection unit requests issuance of the authorization code using the application transmission module. The absence of a designated app agent means that the user started the app directly. In that case the transmission module selection unit checks whether the current user is logged in; if so, it requests issuance of the authorization code from the authorization server using the web view transmission module.

If the user is not logged in, the transmission module selection unit may first request user authentication using the web view transmission module, and then request issuance of the authorization code from the authorization server using the web view transmission module.
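The selection rule of the transmission module selection unit in FIG. 6, from the reception-history lookup down to the login-state check, as an added example (not the patent's code). The ControlInfoStore fields, the sequence numbers used to mean "since the app was most recently started", the use of the OS return URI registration as the app-agent lookup, and the returned step names are assumptions; in this example the receiving and transmitting module of one channel share a name, so "the transmission module corresponding to the receiving module" is the same constant.

```python
"""Transmission module selection of the user agent application SSO module
(added example; module names and inputs are assumptions from the text)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROWSER, WEBVIEW, APP = "browser", "webview", "app"


@dataclass
class ControlInfoStore:
    """Subset of the control information repository the selector reads.
    reception_history: (sequence number, receiving module), oldest first.
    os_return_uris: return URI -> app name, as registered with the OS."""
    reception_history: List[Tuple[int, str]] = field(default_factory=list)
    os_return_uris: Dict[str, str] = field(default_factory=dict)
    logged_in: bool = False


def app_agent_exists(store: ControlInfoStore, running_app: str) -> bool:
    """Designated app agent present: the running app has a return URI
    registered with the operating system (first lookup method in the text)."""
    return running_app in store.os_return_uris.values()


def select_transmission_module(store: ControlInfoStore, running_app: str,
                               app_start_seq: int) -> Tuple[str, Tuple[str, ...]]:
    """Return (transmission module, ordered steps to perform).

    1. a code was received since the app last started -> same channel as the
       receiving module that got it most recently
    2. no such history, designated app agent present -> app transmission module
    3. no app agent, user logged in -> web view transmission module
    4. no app agent, not logged in -> web view, authenticate the user first
    """
    since_start = [mod for seq, mod in store.reception_history
                   if seq >= app_start_seq]
    if since_start:
        return since_start[-1], ("request_code",)
    if app_agent_exists(store, running_app):
        return APP, ("request_code",)
    if store.logged_in:
        return WEBVIEW, ("request_code",)
    return WEBVIEW, ("authenticate_user", "request_code")
```

The sequence numbers stand in for whatever ordering the repository keeps; the only property used is that entries at or after the app's most recent start count as valid history.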

FIG. 7 is a diagram illustrating a client application SSO module according to an embodiment of the present invention.

As shown in FIG. 7, the client application SSO module includes a user agent transmitting unit, a user agent receiving unit, a control information repository, and an access token issuing unit.

First, the user agent transmitting unit is an abstract module for requesting issuance of an authorization code from the authorization server using any one of a web view, a browser, and a user agent application. It includes a browser transmission module for requesting issuance of an authorization code through a browser, a web view transmission module for requesting issuance through a web view, an application transmission module for requesting issuance through a user agent application, and a transmission module selection unit for selecting the transmission module to be used when issuance of an authorization code is requested.

The user agent receiving unit is an abstract module for receiving the authorization code issued by the authorization server. It includes a browser receiving module for receiving the authorization code using a browser, a web view receiving module for receiving it using a web view, and an application receiving module for receiving it from the user agent application.

Next, the access token issuing unit may perform the same function as the access token issuing unit of FIG. 6.

As described above, the user agent, client, and authorization method for supporting a single login authorize a user's access to the user's protected resource without changing or adding to the standard protocol on the authorization server and resource server side; authorization is performed by improving the protocol on the client side. To handle both the transition from a web browser to an application and the transition from one application to another, a module for branch processing has been added to the user agent and to the client, respectively.

The configuration and method of the embodiments described above are not applied in a limited manner to the user agent, client, and authorization method for supporting a single login according to the present invention; all or some of the embodiments may be selectively combined.

100: User terminal
200: User agent
300: Client
400: authorization server
500: Resource server
210:
220:
230:
310:
320: Access token issuing unit
330: inquiry and authentication unit
340: resource receiver

Claims (15)

1. A method of authorization for supporting a single login, performed by a user terminal comprising a user agent and a client, the method comprising:
the user agent requesting, from an authorization server, issuance of an authorization code corresponding to the client and user authentication;
the user agent receiving the authorization code from the authorization server and transferring it to the client;
the client transmitting the authorization code and the return URI value to the authorization server to request generation of an access token;
the client receiving the access token from the authorization server;
the client sending the access token to the resource server and querying the user identification value; and
the client receiving the protected resource from the resource server using the access token if the user identification value is stored,
wherein requesting issuance of the authorization code and user authentication comprises the user agent inquiring the authorization code reception history, selecting as the valid transmission module the transmission module corresponding to the reception module that most recently received an authorization code, and requesting issuance of the authorization code from the authorization server using the valid transmission module.
2. (deleted)
3. The method according to claim 1, wherein, in requesting issuance of the authorization code and user authentication corresponding to the client from the authorization server, the user agent determines whether a designated application agent corresponding to the running application exists, and if the application agent is not present, requests issuance of the authorization code from the authorization server.
4. (deleted)
5. The method according to claim 1, further comprising: the client determining, using the received state value and the return URI value, whether the received authorization code is the authorization code requested by the client; if it is not the requested authorization code, determining whether the user identification value is stored; and if the user identification value is not previously stored, performing a client-based authorization code request.
6. A client comprising:
an authorization code receiving unit for receiving an authorization code from an authorization server through a user agent;
an access token issuing unit for receiving an access token from the authorization server using the authorization code;
an inquiry and authentication unit for transmitting the access token to a resource server and inquiring a user identification value; and
a resource receiving unit for receiving the protected resource if the user identification value is stored,
wherein the inquiry and authentication unit determines whether the received authorization code is the authorization code requested by the client by checking whether the received state value and return URI value are stored in advance, and stores the user identification value.
7. (deleted)
8. (deleted)
9. The client according to claim 6, wherein the inquiry and authentication unit determines whether the inquired user identification value is stored if the authorization code is not the authorization code requested by the client, thereby determining whether it is secure from a security threat.
10. The client according to claim 9, wherein, if the user identification value is not previously stored, a client-based authorization code request is performed.
11. A user agent comprising:
a transmitting unit for transmitting the identifier of the client and the return URI value to the authorization server to request issuance of the authorization code, and for transmitting the information input from the user to the authorization server;
a receiving unit for receiving the authorization code from the authorization server; and
a communication unit for transmitting the received authorization code to the client,
wherein the transmitting unit comprises:
a browser transmission module for requesting issuance of the authorization code from the authorization server using a browser;
a web view transmission module for requesting issuance of the authorization code from the authorization server using a web view; and
a transmission module selection unit for setting, among the browser transmission module and the web view transmission module, the valid transmission module for requesting issuance of the authorization code from the authorization server,
wherein the transmission module selection unit selects, as a result of inquiring the authorization code reception history, the transmission module corresponding to the reception module that most recently received the authorization code as the valid transmission module.
12. (deleted)
13. The user agent according to claim 11, wherein the transmitting unit further comprises an application transmission module for requesting issuance of the authorization code through a user agent application, and when there is no authorization code reception history and it is determined that no designated application agent corresponding to the running application exists, issuance of the authorization code is requested from the authorization server using the module.
14. The user agent according to claim 13, wherein, if the designated application agent does not exist, it is determined whether the user has logged in, and if the user is in the logged-in state, the web browser module requests issuance of the authorization code from the authorization server.
15. The user agent according to claim 14, wherein, when the login has not been performed, user authentication is requested using the web view transmission module and then issuance of the authorization code is requested from the authorization server using the web view transmission module.
KR1020160001250A 2016-01-05 2016-01-05 User agent, client and method for authorization to support single sing-on KR101746745B1 (en)

Publications (1)

Publication Number Publication Date
KR101746745B1 true KR101746745B1 (en) 2017-06-14

Family

ID=59217874

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015053069A (en) 2014-10-30 2015-03-19 株式会社 ディー・エヌ・エー Authentication method, authentication system, service provision server and authentication server
JP2015104022A (en) * 2013-11-26 2015-06-04 キヤノン株式会社 Information processing apparatus, control method of the same, and program

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102062851B1 (en) 2018-03-30 2020-01-06 (주)이스톰 Single sign on service authentication method and system using token management demon
WO2021025322A1 (en) * 2019-08-06 2021-02-11 삼성전자 주식회사 Electronic device for activating application through key account, and system including same
KR20220129245A (en) * 2021-03-16 2022-09-23 포항공과대학교 산학협력단 Method and Apparatus of A Blockchain-based Decentralized Authorization Protocol
KR102651448B1 (en) 2021-03-16 2024-03-25 포항공과대학교 산학협력단 Method and Apparatus of A Blockchain-based Decentralized Authorization Protocol
CN114338078A (en) * 2021-11-19 2022-04-12 奇安信科技集团股份有限公司 CS client login method and device
CN114338078B (en) * 2021-11-19 2024-03-22 奇安信科技集团股份有限公司 CS client login method and device

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant