WO2014206316A1 - Service authentication method and system - Google Patents

Info

Publication number
WO2014206316A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
user token
terminal
server
authentication
Application number
PCT/CN2014/080852
Other languages
French (fr)
Chinese (zh)
Inventor
查敏
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892: Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Definitions

  • AAA: Authentication, Authorization, and Accounting
  • in the AAA authentication process, the user generally needs to input a user name and a password; after the authentication is passed, the user can use the network service provided by the operator.
  • when the user accesses a third-party service, the user name and password registered by the user with the third-party service provider are also required, and each third-party service provider generally needs a separate user name and password, so a user accessing the network may need to remember multiple user names and passwords; this is not only easy to forget but also requires frequent input of user information, which is inconvenient for the user.
  • the technical problem to be solved by embodiments of the present invention is to provide a service authentication method and system for facilitating users in using third party services.
  • the embodiment of the invention provides a service authentication method, including:
  • the AAA server generates a user token and saves it, and sends the user token to the BNG;
  • the AAA server receives the service request information sent by the server of the third-party service;
  • the service request information includes an Internet Protocol (IP) address of the terminal, a Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port number, and the user token received by the server of the third-party service;
  • the AAA server determines whether the user token it receives is equal to the user token it has saved; if they are equal, the terminal passes the third-party service authentication.
  • the embodiment of the present invention further provides a service authentication method, where the method includes: receiving, by the terminal, an instruction to invoke the shared user information to perform third-party service authentication, where the shared user information is the user information used by the user when performing authentication, authorization, and accounting (AAA) authentication; sending, by the terminal, a request message for acquiring a user token (token) to the security server, where the request message for acquiring the user token carries the user token type;
  • the security server generates an authentication confirmation webpage, and stores authentication confirmation information related to the authentication confirmation webpage;
  • the terminal displays the authentication confirmation webpage, receives authentication confirmation information input by the user, and sends the authentication confirmation information input by the user to the security server;
  • the security server determines whether the received authentication confirmation information input by the user is consistent with the previously saved authentication confirmation information, and if yes, sends a request message for acquiring the user token to the AAA server;
  • the AAA server generates a user token and saves the user token and the user token type
  • the service request information includes an IP address of the terminal, a TCP/UDP port number, and the user token received by the server of the third-party service;
  • the AAA server determines whether the user token it receives is equal to the user token it holds, and whether the user token type it receives matches the user token type it holds; if the received user token equals the held user token and the received user token type matches the held user token type, the terminal passes the third-party service authentication.
  • the embodiment of the present invention further provides a service authentication system, where the system includes: a terminal, a broadband network gateway (BNG), and an AAA server, where
  • the terminal is configured to receive an instruction sent by the user to invoke the shared user information to perform third-party service authentication;
  • the shared user information is user information used by the user in performing authentication, authorization, and accounting AAA authentication;
  • the terminal is further configured to send a request message for acquiring a user token (token) to the broadband network gateway (BNG);
  • the BNG is configured to send the request message for acquiring a user token to an AAA server;
  • the AAA server is configured to generate a user token and save it;
  • the AAA server is further configured to send the user token to the BNG;
  • the BNG is further configured to send the user token to the terminal;
  • the terminal is further configured to send the user token to a server of a third-party service;
  • the AAA server is further configured to receive service request information sent by a server of the third-party service;
  • the service request information includes an Internet Protocol (IP) address of the terminal, a Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port number, and a user token received by a server of the third-party service;
  • the AAA server is further configured to determine whether the user token it receives is equal to the user token it has saved; if they are equal, the terminal passes the third-party service authentication.
  • the embodiment of the present invention further provides a service authentication system, where the system includes: a terminal, an AAA server, and a security server;
  • the terminal is configured to receive an instruction sent by the user to invoke the shared user information to perform third-party service authentication;
  • the shared user information is user information used by the user in performing authentication, authorization, and accounting AAA authentication;
  • the terminal is further configured to send a request message for acquiring a user token (token) to the security server; the request message for acquiring the user token carries a user token type;
  • the security server is configured to generate an authentication confirmation webpage, save authentication confirmation information related to the authentication confirmation webpage, and send the authentication confirmation webpage to the terminal;
  • the terminal is further configured to display the authentication confirmation webpage, and receive authentication confirmation information input by the user, where the terminal is further configured to send the authentication confirmation information input by the user to the security server;
  • the security server is further configured to determine whether the received authentication confirmation information input by the user is consistent with the previously stored authentication confirmation information, and if yes, send a request message for acquiring a user token to the AAA server;
  • the AAA server is further configured to generate a user token and save the user token and the user token type;
  • the AAA server is further configured to send the user token to the security server;
  • the security server is further configured to send the user token to the terminal;
  • the terminal is further configured to send the user token to a server of a third-party service;
  • the AAA server is further configured to receive service request information sent by a server of the third-party service; the service request information includes an IP address of the terminal, a TCP/UDP port number, and a user token received by the server of the third-party service;
  • the AAA server is further configured to determine whether the user token it receives is equal to the user token it holds, and whether the type of the user token it receives matches the type of the user token it holds; if the received user token equals the held user token and the received user token type matches the held user token type, the terminal passes the third-party service authentication.
  • the service authentication method and system provided by the embodiment of the present invention allow a user to use a third-party service without inputting a user name and a password, thereby facilitating use and improving the user experience.
  • the user token assigned by the AAA server needs to be verified, which can improve the security of the authentication.
  • FIG. 1 is a schematic flowchart of a service authentication method according to Embodiment 1 of the present invention.
  • FIG. 2 is a schematic flowchart of a service authentication method according to Embodiment 2 of the present invention.
  • FIG. 3 is a schematic diagram of an interface of an authentication confirmation webpage in an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a service authentication system according to Embodiment 3 of the present invention.
  • FIG. 5 is a schematic structural diagram of a service authentication system according to Embodiment 4 of the present invention.
  • a service authentication method and system are provided in the embodiments of the present invention, which are respectively described in detail below.
  • Embodiment 1:
  • the present invention provides a service authentication method, and the network architecture involved in the method includes: a terminal, a BNG, and an AAA server. As shown in FIG. 1, the method includes:
  • the terminal receives an instruction sent by the user to invoke the shared user information to perform third-party service authentication.
  • the shared user information is user information used by the user when performing AAA (Authentication, Authorization, and Accounting) authentication;
  • the shared user information may be the account name and password that the user enters to access the network service provided by the network operator, for example the account name and password entered when the user dials up using ADSL (Asymmetric Digital Subscriber Line);
  • ADSL: Asymmetric Digital Subscriber Line
  • the web page or interface of the third-party service may provide a "one-click authentication" function button, which invokes an application programming interface for sharing user information provided by the network operator; after the user clicks the function button, the terminal receives the instruction sent by the user to invoke the shared user information for third-party service authentication;
  • the terminal sends a request message for acquiring a user token (token) to a BNG (Broadband Network Gateway);
  • BNG: Broadband Network Gateway
  • the foregoing BNG sends the foregoing request message for acquiring a user token to the AAA server.
  • the BNG forwards or transparently transmits the request message for obtaining the user token to the AAA server;
  • the foregoing AAA server generates a user token and saves the user token.
  • after receiving the request message, the AAA server generates a user token and saves it for subsequent verification;
  • the foregoing AAA server sends the user token to the BNG.
  • the foregoing BNG sends the user token to the terminal.
  • BNG forwards or transparently transmits the user token to the terminal
  • the foregoing terminal sends the user token to a server of a third-party service
  • the AAA server receives the service request information sent by the server of the third-party service, where the service request information includes an IP (Internet Protocol) address of the terminal, a TCP (Transmission Control Protocol)/UDP (User Datagram Protocol) port number, and the user token received by the server of the third-party service;
  • IP: Internet Protocol
  • TCP: Transmission Control Protocol
  • UDP: User Datagram Protocol
  • when the terminal accesses the server of the third-party service, the server of the third-party service can obtain the IP address of the terminal and the TCP/UDP port number; after the server of the third-party service receives the user token sent by the terminal, it carries the IP address of the terminal, the TCP/UDP port number, and the received user token in the service request information and sends it to the AAA server.
  • the AAA server determines whether the user token received by the AAA server is equal to the saved user token, and if yes, step 110 is performed; otherwise, step 111 is performed;
  • the AAA server passes the foregoing third-party service authentication of the terminal, and the process ends; preferably, in this embodiment, after the third-party service authentication passes, the AAA server can delete the previously saved user token, so that each user token is used for only one service authentication, which improves security;
  • the AAA server may return corresponding confirmation information to the server of the third-party service, and the server of the third-party service may accordingly send an appropriate confirmation message to the terminal,
  • so that the user is informed that the service authentication has passed;
  • 111. the foregoing AAA server determines that the third-party service authentication fails.
  • the AAA server may return a corresponding prompt message to the server of the third-party service, and the server of the third-party service may correspondingly send an appropriate prompt message to the terminal to enable the user to learn that the service authentication fails.
  • the service authentication method provided in this embodiment provides a scheme for using the shared user information for authentication, so that the user does not need to input a user name and password when using the third-party service, thereby facilitating the user's use and improving the user experience;
  • the user token assigned by the AAA server needs to be verified to improve the security of the authentication.
  • after step 104, the method may further include:
  • the above AAA server starts a timer; the timer duration may be preset, for example, but not limited to, 1 minute;
  • when the timer expires, the AAA server deletes the user token generated and saved in step 104.
  • the service request information of the server from the third party service received by the AAA server in step 108 may include at least one of the following request information:
  • the method may further include: the AAA server charging the fee generated by the terminal in the process of using the third-party service according to the IP address and the TCP/UDP port number.
  • the user can use the account provided by the network operator to consume the third-party service, which facilitates unified billing management.
  • Embodiment 2:
  • the invention also provides a service authentication method, and the network architecture involved in the method includes: a terminal, a security server, and an AAA server. As shown in FIG. 2, the method includes:
  • the terminal receives an instruction sent by the user to invoke the shared user information to perform third-party service authentication.
  • the shared user information is user information used by the user when performing AAA authentication.
  • the shared user information may be the account name and password that the user enters to access the network service provided by the network operator, for example the account name and password entered when the user dials up using China Telecom ADSL (Asymmetric Digital Subscriber Line);
  • the web page or interface of the third-party service may provide a "one-click authentication" function button, which invokes an application programming interface for sharing user information provided by the network operator;
  • after the user clicks the function button, the terminal receives an instruction sent by the user to invoke the shared user information for third-party service authentication;
  • the terminal sends a request message for obtaining a user token to the security server.
  • the request message for acquiring the user token carries the user token type, where the user token type may be at least one of the following types: authentication, accounting, information acquisition, and QoS control;
  • the request message or other message that the terminal sends to the security server to obtain the user token may be sent to the BNG first and then forwarded by the BNG or transparently transmitted to the security server, and details are not described herein;
  • the security server generates an authentication confirmation webpage, and stores authentication confirmation information related to the authentication confirmation webpage.
  • the security server sends the authentication confirmation webpage to the terminal.
  • the authentication confirmation webpage or other message sent by the security server to the terminal may be sent to the BNG first and then forwarded to the terminal by the BNG or transparently transmitted to the terminal, and details are not described herein;
  • the terminal displays the authentication confirmation webpage, and receives the authentication confirmation information input by the user.
  • the authentication confirmation webpage may be an interface as shown in FIG. 3, which prompts the user to input a verification code; the verification code may be text, numbers, or another suitable format and is not specifically limited herein;
  • the terminal sends the authentication confirmation information input by the user to the security server.
  • the security server determines whether the received authentication confirmation information input by the user is consistent with the previously stored authentication confirmation information, if yes, step 208 is performed, otherwise step 209 is performed;
  • the security server sends a request message for acquiring the user token to the AAA server, and step 210 is performed;
  • the security server returns a prompt message to the terminal, and returns to step 203;
  • specifically, the security server may return a prompt message indicating that the verification failed, and return to step 203 to continue the verification;
  • the AAA server generates a user token and saves the user token and the user token type. Specifically, the AAA server may generate a user token matching the user token type according to the received user token type.
  • the foregoing AAA server sends the user token to the security server.
  • the foregoing security server sends the user token to the terminal.
  • the terminal sends the user token to a server of a third-party service.
  • the foregoing AAA server receives the service request information sent by the server of the third-party service, where the service request information includes an Internet Protocol IP address of the terminal, a Transmission Control Protocol TCP/User Datagram Protocol UDP port number, and a received user token.
  • when the terminal accesses the server of the third-party service, the server of the third-party service can obtain the IP address of the terminal and the TCP/UDP port number; after receiving the user token sent by the terminal, the server of the third-party service carries the IP address of the terminal, the TCP/UDP port number, and the received user token in the service request information and sends it to the AAA server;
  • the AAA server determines whether the user token it receives is equal to the saved user token, and whether the type of the user token it receives matches the type of the user token it holds; if the received user token equals the saved user token and the received user token type matches the held user token type, step 216 is performed, otherwise step 217 is performed;
  • the AAA server passes the foregoing third-party service authentication of the terminal, and the process ends; after the third-party service authentication passes, the AAA server may delete the previously saved user token, so that each user token is used for only one service authentication, which improves security;
  • the AAA server may also return corresponding confirmation information to the server of the third-party service;
  • the AAA server determines that the third-party service authentication of the terminal fails. After determining that the third-party service authentication fails, the AAA server may return the corresponding prompt information to the server of the third-party service.
  • the service authentication method provided in this embodiment provides a scheme for using the shared user information for authentication, so that the user does not need to input the user name and password when using the third-party service, thereby facilitating the use of the user and improving the user experience.
  • the security server can provide security verification when the shared user information is invoked for third-party service authentication, preventing misoperation by the user or malicious operation by illegal programs; this further improves the security of the service authentication method and prevents loss of the user's interests.
  • the method may further include:
  • the above AAA server starts a timer; the timing of the timer may be preset, for example, but not limited to 1 minute;
  • when the timer expires, the AAA server deletes the user token generated and saved in step 210.
  • the service request information of the server from the third party service received by the AAA server in step 214 may include at least one of the following request information:
  • the method may further include: the AAA server charging the fee generated by the terminal in the process of using the third-party service according to the IP address and the TCP/UDP port number.
  • the user can use the account provided by the network operator to consume the third-party service, which facilitates unified billing management.
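  • As an added illustration of the token flows of Embodiment 1 (terminal, BNG, AAA server) and Embodiment 2 (terminal, security server, AAA server), the following Python simulation is example code written for this page; it is not code from the patent or from any Huawei product. It models each party as an in-process object, treats the BNG relay as a direct call, drives the 1-minute timer from an injected clock, assumes that the third-party server's service request names the token type it needs in a `request_type` field, and all class, function and field names are assumptions of this example.

```python
"""Added example, not code from the patent: an in-memory model of the user-token
flow of Embodiments 1 and 2. Names, message fields and the injected clock are
assumptions made for this illustration; the BNG relay is modelled as a direct call."""
import secrets
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 60  # the timer value the patent gives as an example (1 minute)


@dataclass
class AAAServer:
    """Issues user tokens and verifies the service request sent by a third-party server."""
    now: float = 0.0                              # injected clock, in seconds
    tokens: dict = field(default_factory=dict)    # saved token -> (token type, expiry time)

    def issue_token(self, token_type="authentication"):
        """Step 104 / 210: generate an unguessable token and save it with its type."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (token_type, self.now + TOKEN_TTL_SECONDS)
        return token

    def tick(self, seconds):
        """Advance the clock; tokens whose timer has expired are deleted."""
        self.now += seconds
        self.tokens = {t: v for t, v in self.tokens.items() if v[1] > self.now}

    def verify_service_request(self, request):
        """Steps 108-111 / 214-217: the received token must equal a saved one and,
        when the request names a type (Embodiment 2), the saved type must match it.
        A token that passes is deleted so it can be used for one authentication only."""
        saved = self.tokens.get(request["user_token"])
        if saved is None:
            return False                          # unknown, expired or already used token
        saved_type, _expiry = saved
        wanted = request.get("request_type")      # assumption: the type travels in the request
        if wanted is not None and saved_type != wanted:
            return False
        del self.tokens[request["user_token"]]
        # request["terminal_ip"] and request["terminal_port"] identify the session for billing
        return True


@dataclass
class SecurityServer:
    """Embodiment 2: confirms the user's intent before asking the AAA server for a token."""
    aaa: AAAServer
    pending: dict = field(default_factory=dict)   # terminal id -> (verification code, token type)

    def confirmation_page(self, terminal_id, token_type):
        """Steps 203-204: generate a verification code, save it, and show it on the page."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[terminal_id] = (code, token_type)
        return {"prompt": "Please enter the verification code", "code": code}

    def confirm(self, terminal_id, entered_code):
        """Steps 207-210: compare the entered code with the saved one; only on a match
        is a token of the requested type obtained from the AAA server."""
        saved = self.pending.pop(terminal_id, None)
        if saved is None or not secrets.compare_digest(saved[0].encode(), entered_code.encode()):
            return None                           # verification failed: back to step 203
        return self.aaa.issue_token(saved[1])


def embodiment_1_flow(aaa, terminal_ip, terminal_port, delay=0):
    """Terminal -> (BNG) -> AAA: get a token; terminal -> third-party server -> AAA: verify it."""
    token = aaa.issue_token()
    aaa.tick(delay)                               # time passing before the token is presented
    request = {"terminal_ip": terminal_ip, "terminal_port": terminal_port, "user_token": token}
    return aaa.verify_service_request(request)


def embodiment_2_flow(aaa, sec, terminal_id, user_enters, token_type, request_type):
    """Terminal -> security server (verification code) -> AAA: get a typed token;
    the third-party server then requests a service of request_type with it."""
    page = sec.confirmation_page(terminal_id, token_type)
    token = sec.confirm(terminal_id, user_enters(page["code"]))
    if token is None:
        return False
    request = {"terminal_ip": "198.51.100.7", "terminal_port": 50321,   # constructed values
               "user_token": token, "request_type": request_type}
    return aaa.verify_service_request(request)


if __name__ == "__main__":
    aaa = AAAServer()
    print("embodiment 1, fresh token:", embodiment_1_flow(aaa, "198.51.100.7", 50321))
    print("embodiment 1, token older than the timer:",
          embodiment_1_flow(aaa, "198.51.100.7", 50321, delay=61))
    sec = SecurityServer(aaa)
    print("embodiment 2, correct code, matching type:",
          embodiment_2_flow(aaa, sec, "terminal-1", lambda code: code, "accounting", "accounting"))
    print("embodiment 2, correct code, wrong type:",
          embodiment_2_flow(aaa, sec, "terminal-1", lambda code: code, "authentication", "accounting"))
```

  • The patent only requires that the received token equal the saved one; the unguessable `token_urlsafe` value, the constant-time code comparison and the deletion of a token after its first successful use are choices of this example that give the timer and one-time-use behaviour described in the embodiments something concrete to check.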
  • Embodiment 3:
  • the present invention also provides a service authentication system.
  • the system may include: a terminal 100, a BNG 200, and an AAA server 300, where
  • the terminal 100 may be configured to receive an instruction sent by the user to invoke the shared user information to perform third-party service authentication.
  • the shared user information is user information used by the user when performing authentication, authorization, and accounting (AAA) authentication; for example, the shared user information may be the account name and password that the user enters to access the network service provided by the network operator, such as the account name and password entered when the user dials up using ADSL (Asymmetric Digital Subscriber Line).
  • ADSL: Asymmetric Digital Subscriber Line
  • the third-party service web page or interface displayed by the terminal may provide a "one-click authentication" function button, which invokes an application programming interface for sharing user information provided by the network operator; after the user clicks the function button, the terminal receives an instruction sent by the user to invoke the shared user information for third-party service authentication;
  • the terminal 100 is further configured to send a request message for acquiring a user token to the BNG 200.
  • the BNG 200 can be configured to send the foregoing request message for acquiring a user token to the AAA server 300;
  • the AAA server 300 can be configured to generate a user token and save it; after receiving the request message, the AAA server 300 generates a user token and saves it for subsequent verification;
  • the AAA server 300 can also be configured to send the user token to the BNG 200;
  • the BNG 200 can also be used to send the user token to the terminal 100;
  • the terminal 100 can also be used to send the user token to the server of the third party service;
  • the AAA server 300 is further configured to receive service request information sent by the server of the third-party service, where the service request information includes an Internet Protocol (IP) address of the terminal, a Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port number, and the user token received by the server of the third-party service.
  • in this embodiment, when the terminal accesses the server of the third-party service, the server of the third-party service can obtain the IP address of the terminal and the TCP/UDP port number; after the server of the third-party service receives the user token sent by the terminal, it carries the IP address of the terminal, the TCP/UDP port number, and the received user token in the service request information and sends it to the AAA server.
  • the AAA server 300 can also be configured to determine whether the user token it receives is equal to the user token it has saved; if they are equal, the terminal passes the third-party service authentication, otherwise the third-party service authentication fails.
  • the AAA server may delete the previously saved user token, so that each user token can be used only for one service authentication, thereby improving security.
  • the AAA server can also return the corresponding confirmation information to the server of the third-party service.
  • the AAA server may also return corresponding prompt information to the server of the third-party service.
  • the service authentication system provided by the embodiment provides a scheme for using the shared user information for authentication, so that the user does not need to input the user name and password when using the third-party service, thereby facilitating the user's use and improving the user experience;
  • the user token assigned by the AAA server needs to be verified to improve the security of the authentication.
  • the AAA server may further start a timer after the user token is generated and saved, where the timer duration may be preset, such as but not limited to 1 minute; when the timer expires, the AAA server deletes the saved user token.
  • the service request message of the server from the third-party service received by the AAA server may include at least one of the following request information:
  • the AAA server may be further configured to: charge the fee generated by the terminal in the process of using the third party service according to the IP address and the TCP/UDP port number. In this way, the user can use the account provided by the network operator to consume the third-party service, which facilitates unified billing management.
  • Embodiment 4:
  • the present invention further provides a service authentication system.
  • the system may include: a terminal 100, an AAA server 300, and a security server 400, where
  • the terminal 100 is configured to receive an instruction that is sent by the user to invoke the shared user information to perform third-party service authentication.
  • the shared user information is user information used by the user when performing AAA authentication.
  • the shared user information may be the account name and password that the user enters to access the network service provided by the network operator, for example, the account name and password entered by the user when dialing up using ADSL (Asymmetric Digital Subscriber Line);
  • the third-party service provides the function of using the shared user information for third-party service authentication.
  • the third-party service web page or interface displayed by the terminal can provide a "one-click authentication" function button, which calls the application programming interface for sharing user information provided by the network operator; after the user clicks the function button, the terminal receives an instruction sent by the user to invoke the shared user information for third-party service authentication;
  • the terminal 100 is further configured to send a request message for acquiring a user token to the security server; the request message for acquiring the user token carries a user token type;
  • the security server 400 is configured to generate an authentication confirmation webpage, save the authentication confirmation information related to the authentication confirmation webpage, and send the authentication confirmation webpage to the terminal;
  • the terminal 100 is further configured to display the authentication confirmation webpage, and receive the authentication confirmation information input by the user, and send the authentication confirmation information input by the user to the security server.
  • the authentication confirmation webpage may be an interface as shown in FIG. 3, prompting the user to enter a verification code; the verification code may be text, numbers, or another suitable format and is not specifically limited herein;
  • the security server 400 is further configured to determine whether the received authentication confirmation information input by the user is consistent with the previously saved authentication confirmation information; if they are consistent, the request message for acquiring the user token may be sent to the AAA server, otherwise prompt information may be returned to the BNG, and the BNG forwards the prompt message to the terminal to prompt the user to re-authenticate;
  • the AAA server 300 is configured to generate a user token and save the user token and the user token type; specifically, the user token generated by the AAA server matches the user token type;
  • the AAA server 300 is further configured to send the user token to the terminal 100;
  • the terminal 100 is further configured to send the user token to a server of a third-party service
  • the AAA server 300 is further configured to receive service request information sent by the server of the third-party service, where the service request information includes an Internet Protocol (IP) address of the terminal, a Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port number, and the user token received by the server of the third-party service.
  • when the terminal accesses the server of the third-party service, the server of the third-party service can obtain the IP address of the terminal and the TCP/UDP port number; after the server of the third-party service receives the user token sent by the terminal, it carries the IP address of the terminal, the TCP/UDP port number, and the received user token in the service request information and sends it to the AAA server.
  • the AAA server 300 is further configured to determine whether the user token it receives is equal to the saved user token, and whether the type of the user token it receives matches the type of the user token it holds; if the received user token equals the saved user token and the received user token type matches the saved user token type, the terminal passes the third-party service authentication, otherwise the third-party service authentication fails.
  • after the third-party service authentication passes, the AAA server 300 can delete the previously saved user token, so that each user token can be used for only one service authentication, thereby improving security; afterwards, the AAA server 300 can also return corresponding confirmation information to the server of the third-party service;
  • the AAA server 300 may return the corresponding prompt information to the server of the third-party service.
  • the system may further include a BNG, and the BNG may serve as a information relay between the terminal and the security server, that is, the received message from the terminal may be forwarded or transparently transmitted to the terminal.
  • the secure server can also forward or transparently receive the received message from the secure server to Terminal.
  • the service authentication system provided in this embodiment offers a scheme for authenticating with shared user information, so that the user does not need to enter a user name and password when using a third-party service, which is convenient for the user and improves the user experience;
  • the security server provides a security check on the use of shared user information for third-party service authentication, preventing user misoperation or malicious operation by illegitimate programs, which further improves the security of the service authentication method and protects the user's interests;
  • the AAA server may further start a timer after the user token is generated and saved; the timer duration may be preset, for example but not limited to 1 minute; when the timer expires, the AAA server deletes the saved user token;
  • the service request information the AAA server receives from the server of the third-party service may include at least one of the following: authentication request information, accounting request information, information acquisition request information, and QoS control request information;
  • the AAA server may be further configured to charge, according to the IP address and the TCP/UDP port number, the fees the terminal incurs while using the third-party service; in this way the user can pay for third-party services with the account provided by the network operator, which facilitates unified accounting management;
  • the program may be stored in a computer-readable storage medium, which may include a flash disk, read-only memory (ROM), random access memory (RAM) or a compact disc (CD).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiments of the present invention relate to the technical field of communications. Disclosed are a service authentication method and system. The method comprises: a terminal receiving an instruction about invoking shared user information to conduct third party service authentication which is sent by a user; the terminal sending a request message of acquiring a user token to a BNG; the BNG sending the request message of acquiring the user token to an AAA server; the AAA server generating and saving the user token; the AAA server sending the user token to the BNG; the BNG sending the user token to the terminal; the terminal sending the user token to a server of the third party service; the AAA server receiving service request information sent by the server of the third party service; and the AAA server judging whether the user token received thereby is equal to the user token saved thereby or not, and if so, passing the third party authentication. By implementing the embodiments of the present invention, the user experience can be improved.

Description

Service authentication method and system

This application claims priority to Chinese Patent Application No. CN 201310259633.X, entitled "Service authentication method and system" and filed with the Chinese Patent Office on 26 June 2013, the entire contents of which are incorporated herein by reference. Technical field: The present invention relates to the field of communications technologies, and in particular to a service authentication method and system.

Background: At present, a network user accessing a network generally has to be authenticated first by an AAA (Authentication, Authorization, Accounting) server. During authentication the user generally has to enter a user name and password; once authentication has passed, the user can use the network services provided by the operator.

While using network services, the user must additionally enter, for certain third-party services, the user name and password registered in advance with that third-party service provider, and each third-party service provider generally requires its own separate user name and password. A user accessing the network may therefore need to remember several user names and passwords, which are easily forgotten and must be entered frequently, which is inconvenient for the user.

Summary of the invention: The technical problem addressed by the embodiments of the present invention is to provide a service authentication method and system that make it convenient for a user to use third-party services.
An embodiment of the present invention provides a service authentication method, comprising:

a terminal receiving an instruction sent by a user to invoke shared user information for third-party service authentication, the shared user information being the user information the user uses for authentication, authorization and accounting (AAA) authentication; the terminal sending a request message for acquiring a user token to a broadband network gateway (BNG);

the BNG sending the request message for acquiring the user token to an AAA server;

the AAA server generating and saving a user token; the AAA server sending the user token to the BNG;

the BNG sending the user token to the terminal;

the terminal sending the user token to a server of a third-party service;

the AAA server receiving service request information sent by the server of the third-party service, the service request information comprising the Internet Protocol (IP) address of the terminal, the Transmission Control Protocol (TCP) / User Datagram Protocol (UDP) port number, and the user token received by the server of the third-party service;

the AAA server determining whether the user token it received is equal to the user token it saved and, if so, passing the third-party service authentication of the terminal.
Correspondingly, an embodiment of the present invention further provides a service authentication method, comprising: a terminal receiving an instruction sent by a user to invoke shared user information for third-party service authentication, the shared user information being the user information the user uses for authentication, authorization and accounting (AAA) authentication; the terminal sending a request message for acquiring a user token to a security server, the request message carrying a user token type;

the security server generating an authentication confirmation webpage and saving authentication confirmation information associated with that webpage;

the security server sending the authentication confirmation webpage to the terminal;

the terminal displaying the authentication confirmation webpage, receiving authentication confirmation information entered by the user, and sending the authentication confirmation information entered by the user to the security server;

the security server determining whether the received authentication confirmation information entered by the user matches the previously saved authentication confirmation information and, if so, sending a request message for acquiring a user token to an AAA server;

the AAA server generating a user token and saving the user token and the user token type;

the AAA server sending the user token to the security server;

the security server sending the user token to the terminal;

the terminal sending the user token to a server of a third-party service;

the AAA server receiving service request information sent by the server of the third-party service, the service request information comprising the IP address of the terminal, the TCP/UDP port number, and the user token received by the third-party service server;

the AAA server determining whether the user token it received is equal to the user token it saved and whether the received user token type matches the saved user token type, and, if the tokens are equal and the types match, passing the third-party service authentication of the terminal.
Correspondingly, an embodiment of the present invention further provides a service authentication system, comprising a terminal, a broadband network gateway (BNG) and an AAA server, where:

the terminal is configured to receive an instruction sent by a user to invoke shared user information for third-party service authentication, the shared user information being the user information the user uses for authentication, authorization and accounting (AAA) authentication;

the terminal is further configured to send a request message for acquiring a user token to the BNG;

the BNG is configured to send the request message for acquiring the user token to the AAA server; the AAA server is configured to generate and save a user token;

the AAA server is further configured to send the user token to the BNG;

the BNG is further configured to send the user token to the terminal;

the terminal is further configured to send the user token to a server of a third-party service;

the AAA server is further configured to receive service request information sent by the server of the third-party service, the service request information comprising the Internet Protocol (IP) address of the terminal, the Transmission Control Protocol (TCP) / User Datagram Protocol (UDP) port number, and the user token received by the server of the third-party service;

the AAA server is further configured to determine whether the user token it received is equal to the user token it saved and, if so, to pass the third-party service authentication of the terminal.
Correspondingly, an embodiment of the present invention further provides a service authentication system, comprising a terminal, an AAA server and a security server, where:

the terminal is configured to receive an instruction sent by a user to invoke shared user information for third-party service authentication, the shared user information being the user information the user uses for authentication, authorization and accounting (AAA) authentication;

the terminal is further configured to send a request message for acquiring a user token to the security server, the request message carrying a user token type; the security server is configured to generate an authentication confirmation webpage, save authentication confirmation information associated with that webpage, and send the authentication confirmation webpage to the terminal;

the terminal is further configured to display the authentication confirmation webpage and receive authentication confirmation information entered by the user, and to send the authentication confirmation information entered by the user to the security server;

the security server is further configured to determine whether the received authentication confirmation information entered by the user matches the previously saved authentication confirmation information and, if so, to send a request message for acquiring a user token to the AAA server;

the AAA server is further configured to generate a user token and save the user token and the user token type;

the AAA server is further configured to send the user token to the security server; the security server is further configured to send the user token to the terminal;

the terminal is further configured to send the user token to a server of a third-party service;

the AAA server is further configured to receive service request information sent by the server of the third-party service, the service request information comprising the IP address of the terminal, the TCP/UDP port number, and the user token received by the server of the third-party service;

the AAA server is further configured to determine whether the user token it received is equal to the user token it saved and whether the received user token type matches the saved user token type and, if the tokens are equal and the types match, to pass the third-party service authentication of the terminal.

The service authentication method and system provided by the embodiments of the present invention offer a scheme for authenticating with shared user information, so that the user does not need to enter a user name and password when using a third-party service, which is convenient for the user and improves the user experience; at the same time, the third-party service authentication process requires verification of the user token allocated by the AAA server, which improves the security of the authentication.
Brief description of the drawings: To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of the service authentication method provided in Embodiment 1 of the present invention;

FIG. 2 is a schematic flowchart of the service authentication method provided in Embodiment 2 of the present invention;

FIG. 3 is a schematic diagram of the interface of the authentication confirmation webpage in an embodiment of the present invention;

FIG. 4 is a schematic structural diagram of the service authentication system provided in Embodiment 3 of the present invention;

FIG. 5 is a schematic structural diagram of the service authentication system provided in Embodiment 4 of the present invention.

Detailed description: The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

The embodiments of the present invention provide a service authentication method and system, each described in detail below.
Embodiment 1:

The present invention provides a service authentication method. The network architecture involved comprises a terminal, a BNG and an AAA server. As shown in FIG. 1, the method comprises:

101. The terminal receives an instruction sent by the user to invoke shared user information for third-party service authentication; the shared user information is the user information the user uses for AAA (Authentication, Authorization, Accounting) authentication.

For example, the shared user information may be the account name and password the user enters when accessing the network to use the network service provided by the network operator, such as the account name and password entered when dialling up over China Telecom ADSL (Asymmetric Digital Subscriber Line).

In this embodiment, if the third-party service offers the function of authenticating with shared user information, the web page or interface of the third-party service displayed on the terminal may provide a "one-click authentication" button that calls the application programming interface for shared user information provided by the network operator. Once the user clicks that button, the terminal has received the user's instruction to invoke shared user information for third-party service authentication.

102. The terminal sends a request message for acquiring a user token to the BNG (Broadband Network Gateway).

103. The BNG sends the request message for acquiring the user token to the AAA server; that is, the BNG forwards or transparently transmits the request message to the AAA server.

104. The AAA server generates a user token and saves it. After receiving the request message, the AAA server generates the user token and saves it for later verification.

105. The AAA server sends the user token to the BNG.

106. The BNG sends the user token to the terminal; that is, the BNG forwards or transparently transmits the user token to the terminal.

107. The terminal sends the user token to the server of the third-party service.

108. The AAA server receives service request information sent by the server of the third-party service. The service request information includes the IP (Internet Protocol) address of the terminal, the TCP (Transmission Control Protocol) / UDP (User Datagram Protocol) port number, and the user token received by the server of the third-party service.

In this embodiment, when the terminal accesses the server of the third-party service, that server can learn the terminal's IP address and TCP/UDP port number; after receiving the user token sent by the terminal, it may carry the terminal's IP address, the TCP/UDP port number and the received user token in the service request information sent to the AAA server.

109. The AAA server determines whether the user token it received is equal to the user token it saved; if so, step 110 is performed, otherwise step 111 is performed.

110. The AAA server passes the third-party service authentication of the terminal, and the procedure ends.

Preferably, in this embodiment, after the third-party service authentication has passed, the AAA server may delete the previously saved user token, which ensures that each user token is used for only one service authentication and improves security.

Preferably, in this embodiment, after the third-party service authentication has passed, the AAA server may return corresponding confirmation information to the server of the third-party service, which may in turn send an appropriate confirmation message to the terminal so that the user learns that service authentication has passed.

111. The AAA server determines that the third-party service authentication has failed.

After determining that the third-party service authentication has failed, the AAA server may return corresponding prompt information to the server of the third-party service, which may in turn send an appropriate prompt message to the terminal so that the user learns that service authentication has failed.

The service authentication method provided in this embodiment offers a scheme for authenticating with shared user information, so that the user does not need to enter a user name and password when using a third-party service, which is convenient for the user and improves the user experience; at the same time, the third-party service authentication process requires verification of the user token allocated by the AAA server, which improves the security of the authentication.

Further, after step 104, the method may also comprise:

the AAA server starting a timer; the timer duration may be preset, for example but not limited to 1 minute;

if the timer expires, the AAA server deleting the user token generated and saved in step 104.

Further, the service request information the AAA server receives in step 108 from the server of the third-party service may include at least one of the following kinds of request information:

authentication request information;

accounting request information;

information acquisition request information;

QoS (Quality of Service) control request information.

Further, if the service request information includes accounting request information, the method may also comprise: the AAA server charging, according to the IP address and the TCP/UDP port number, the fees the terminal incurs while using the third-party service. In this way the user can pay for third-party services with the account provided by the network operator, which facilitates unified accounting management.
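The token lifecycle of steps 101 to 111 together with the expiry timer, and the confirmation-code and token-type checks of the security-server variant (the system with security server 400 described above and steps 203 to 214 of Embodiment 2), simulated in Python as an added example. This is not code from the patent or from Huawei. The token format (a 256-bit random URL-safe string), the six-digit confirmation code, the session identifier, the injectable clock and the terminal address are assumptions, since the text leaves them open; the BNG is omitted because the text describes it only as a relay.

```python
import secrets
import string
import time
from hmac import compare_digest

# Token types named in the text: authentication, accounting, information acquisition, QoS control.
TOKEN_TYPES = ("auth", "accounting", "info", "qos")


class AAAServer:
    """Issues single-use, short-lived user tokens and verifies them for third-party services."""

    def __init__(self, ttl_seconds=60.0, clock=time.monotonic):
        self._tokens = {}            # token -> (token type, expiry time)
        self._ttl = ttl_seconds      # the text gives 1 minute as an example timer value
        self._clock = clock          # injectable clock (assumption, for deterministic tests)
        self.billing_sessions = []   # (terminal IP, port) of passed requests, for accounting

    def issue_token(self, token_type="auth"):
        """Steps 104/210: generate a token, save it with its type and start the expiry timer."""
        if token_type not in TOKEN_TYPES:
            raise ValueError("unknown token type: %r" % (token_type,))
        token = secrets.token_urlsafe(32)    # 256 random bits; the text leaves the format open
        self._tokens[token] = (token_type, self._clock() + self._ttl)
        return token

    def _purge_expired(self):
        """Timer expiry: a saved token that was never used is deleted."""
        now = self._clock()
        for tok, (_, expiry) in list(self._tokens.items()):
            if expiry <= now:
                del self._tokens[tok]

    def verify_service_request(self, terminal_ip, terminal_port, token, token_type="auth"):
        """Steps 108-111: pass only if the presented token equals a saved one of the same type."""
        self._purge_expired()
        saved = self._tokens.get(token)
        if saved is None or saved[0] != token_type:
            return False
        del self._tokens[token]    # one-time use: the token authenticates exactly one request
        self.billing_sessions.append((terminal_ip, terminal_port))
        return True


class SecurityServer:
    """Embodiment 2: gates token issuance behind a confirmation code the user types back."""

    def __init__(self, aaa, code_length=6):
        self._aaa = aaa
        self._pending = {}          # session id -> (code, requested token type)
        self._code_length = code_length

    def confirmation_page(self, session_id, token_type="auth"):
        """Steps 203/204: create the verification code shown on the confirmation page."""
        code = "".join(secrets.choice(string.digits) for _ in range(self._code_length))
        self._pending[session_id] = (code, token_type)
        return code

    def confirm(self, session_id, user_input):
        """Steps 207-212: on a match, obtain a token from the AAA server, else the user retries."""
        entry = self._pending.pop(session_id, None)   # each code is good for one attempt
        if entry is None:
            return None
        code, token_type = entry
        if not compare_digest(code.encode(), user_input.encode()):
            return None            # step 209: prompt the user; a new page/code is made on retry
        return self._aaa.issue_token(token_type)


def third_party_login(aaa, terminal_ip, terminal_port, token, token_type="auth"):
    """Steps 107/108: the third-party server forwards the terminal's IP, port and token to AAA."""
    return aaa.verify_service_request(terminal_ip, terminal_port, token, token_type)


def run_flows():
    """Walk both flows with constructed data and return every outcome for inspection."""
    ticks = [0.0]                                  # constructed clock, advanced by hand
    aaa = AAAServer(ttl_seconds=60.0, clock=lambda: ticks[0])
    ip, port = "192.0.2.10", 51234                 # constructed terminal address (TEST-NET-1)
    results = {}

    # Embodiment 1: terminal -> BNG -> AAA; the BNG only relays, so it is not modelled.
    tok = aaa.issue_token("auth")
    results["first_use"] = third_party_login(aaa, ip, port, tok)
    results["replay"] = third_party_login(aaa, ip, port, tok)       # same token a second time

    # A token not used before the timer fires is discarded.
    stale = aaa.issue_token("auth")
    ticks[0] = 61.0
    results["expired"] = third_party_login(aaa, ip, port, stale)

    # Embodiment 2: confirmation code first, then a typed token that must match the request.
    sec = SecurityServer(aaa)
    code = sec.confirmation_page("session-1", "accounting")
    wrong = "000000" if code != "000000" else "111111"
    results["wrong_code"] = sec.confirm("session-1", wrong)
    code = sec.confirmation_page("session-1", "accounting")         # fresh page after failure
    acct_tok = sec.confirm("session-1", code)
    results["type_mismatch"] = third_party_login(aaa, ip, port, acct_tok, "auth")
    results["type_match"] = third_party_login(aaa, ip, port, acct_tok, "accounting")
    results["billing"] = list(aaa.billing_sessions)
    return results


if __name__ == "__main__":
    for name, outcome in run_flows().items():
        print("%-14s %r" % (name, outcome))
```

Note what the check in step 109 does and does not cover: the AAA server compares the token for equality (and, in the security-server variant, its type) but the text never binds the token to the terminal IP address and port it also receives in step 108, so anyone who obtains the token inside its lifetime can present it through any third-party server. The single use in step 110 and the timer after step 104 are the only mitigations the text provides, and the example implements exactly those.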
实施例二:  Embodiment 2:
本发明还提供一种业务认证方法, 该方法涉及的网络架构包括: 终端、 安全服务器和 AAA服务器, 如图 2所示, 该方法包括:  The invention also provides a service authentication method, and the network architecture involved in the method includes: a terminal, a security server, and an AAA server. As shown in FIG. 2, the method includes:
201、 终端接收用户发送的调用共享用户信息进行第三方业务认证的指 令; 上述共享用户信息为用户在进行 AAA认证时使用的用户信息;  201. The terminal receives an instruction sent by the user to invoke the shared user information to perform third-party service authentication. The shared user information is user information used by the user when performing AAA authentication.
举例来说, 共享用户信息可以是用户接入网络时输入的网络运营商提供 的网络服务时使用的账户名和密码, 例如用户使用中国电信 ADSL ( Asymmetric Digital Subscriber Line, 非对称数字用户环路)拨号上网时输入 的账户名和密码; For example, the shared user information may be an account name and a password used when the network service provided by the network operator is input when the user accesses the network, for example, the user uses China Telecom ADSL. (Asymmetric Digital Subscriber Line, Asymmetric Digital Subscriber Line) Enter the account name and password when dialing up;
In this embodiment, if the third-party service offers the function of authenticating with shared user information, the third-party service's web page or interface displayed on the terminal may provide a "one-click authentication" button. That button may call the application programming interface for shared user information provided by the network operator; after the user clicks it, the terminal has received the user's instruction to invoke the shared user information for third-party service authentication;
202. The terminal sends a request message for obtaining a user token to the security server; the request message carries the user token type, where the user token type may be at least one of the following: authentication, accounting, information acquisition, QoS control;
The request message for obtaining the user token, and any other message the terminal sends to the security server, may first be sent to the BNG and then forwarded or transparently passed by the BNG to the security server; this is not repeated below;
203. The security server generates an authentication confirmation web page and stores the authentication confirmation information associated with that page;
204. The security server sends the authentication confirmation web page to the terminal;
The authentication confirmation web page, and any other message the security server sends to the terminal, may likewise first be sent to the BNG and then forwarded or transparently passed by the BNG to the terminal; this is not repeated below;
205. The terminal displays the authentication confirmation web page and receives the authentication confirmation information entered by the user. In this embodiment the authentication confirmation web page may be an interface such as the one shown in FIG. 3, which prompts the user to enter a verification code; the verification code may be text, digits or any other suitable format and is not specifically limited here;
206. The terminal sends the authentication confirmation information entered by the user to the security server;
207. The security server judges whether the authentication confirmation information entered by the user, as received, is consistent with the authentication confirmation information stored earlier; if consistent, step 208 is performed, otherwise step 209 is performed;
208. The security server sends a request message for obtaining a user token to the AAA server; step 210 is then performed;
That is, if the verification passes, the security server sends the request message for obtaining a user token to the AAA server;
209. The security server returns prompt information to the terminal and returns to step 203;
That is, if the verification fails, the security server may return a prompt message stating that verification failed, and returns to step 203 so that verification continues;
210. The AAA server generates a user token and stores the user token together with the user token type; specifically, the AAA server may generate a user token that matches the user token type it received;
211. The AAA server sends the user token to the security server;
212. The security server sends the user token to the terminal;
213. The terminal sends the user token to the server of the third-party service;
214. The AAA server receives the service request information sent by the server of the third-party service; the service request information includes the Internet Protocol (IP) address of the terminal, the Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port number, and the user token that the third-party server received;
When the terminal accesses the server of the third-party service, that server can obtain the terminal's IP address and TCP/UDP port number; after receiving the user token sent by the terminal, the third-party server may carry the terminal's IP address, TCP/UDP port number and the received user token in the service request information and send it to the AAA server;
215. The AAA server judges whether the user token it received is equal to the user token it stored, and whether the user token type it received matches the user token type it stored; if the received user token equals the stored user token and the received user token type matches the stored user token type, step 216 is performed, otherwise step 217 is performed;
216. The AAA server passes the third-party service authentication of the terminal, and the process ends. After the third-party service authentication has passed, the AAA server may delete the user token it stored earlier; this guarantees that each user token is used for only one service authentication and improves security;
After the third-party service authentication has passed, the AAA server may also return corresponding confirmation information to the server of the third-party service;
217. The AAA server determines that the third-party service authentication of the terminal has failed; after determining this, the AAA server may return corresponding prompt information to the server of the third-party service.
The service authentication method provided in this embodiment, by offering a scheme that authenticates with shared user information, lets the user use a third-party service without entering a user name and password, which is convenient for the user and improves the user experience. Unlike Embodiment 1, in this embodiment the security server can provide a security check for invoking shared user information for third-party service authentication, guarding against user mistakes and against malicious operations by certain illegitimate programs; this further improves the security of the service authentication method and protects the user's interests from loss.
Further, after step 210, the method may also include:
the AAA server starts a timer; the timer period may be preset, for example but not limited to 1 minute;
if the timer expires, the AAA server deletes the user token generated and stored in step 210.
Further, the service request information from the third-party server that the AAA server receives in step 214 may include at least one of the following kinds of request information:
authentication request information;
accounting request information;
information acquisition request information;
QoS (Quality of Service) control request information.
Further, if the service request information includes accounting request information, the method may also include: the AAA server charging, according to the IP address and the TCP/UDP port number, the fees incurred by the terminal while using the third-party service. In this way the user can pay for third-party services with the account provided by the network operator, which allows unified accounting management.
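The AAA server side of this exchange (steps 208 to 217 together with the optional timer) is the part that carries the security properties: a token is bound to the type requested in step 202, is compared on both value and type in step 215, is deleted on first successful use in step 216, and is discarded unused once the timer fires. The following Python model is an added example and is not code from the patent or from its applicant; it applies equally to the token handling described in Embodiments 3 and 4 and in claims 1 to 9. The token length, the clock abstraction, the `ServiceRequest` field names and the sample IP address and port are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# The four user token types listed in steps 202 and 214.
TOKEN_TYPES = frozenset({"authentication", "accounting", "information", "qos"})
# The timer value the text gives as an example: a token not consumed within 1 minute is deleted.
TOKEN_TTL_SECONDS = 60.0


@dataclass
class TokenRecord:
    token_type: str
    issued_at: float


@dataclass
class ServiceRequest:
    """Step 214: what the third-party server forwards to the AAA server (field names assumed)."""
    client_ip: str       # terminal IP address as seen by the third-party server
    client_port: int     # terminal TCP/UDP port as seen by the third-party server
    token: str           # user token the terminal presented
    request_type: str    # which kind of request this is (one of TOKEN_TYPES)


class AAAServer:
    """Models the AAA server side of steps 208 to 217 plus the optional timer."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._tokens: Dict[str, TokenRecord] = {}
        self.accounting_log: List[Tuple[str, int]] = []

    def issue_token(self, token_type: str) -> str:
        """Step 210: generate a token matching the requested type and store both."""
        if token_type not in TOKEN_TYPES:
            raise ValueError(f"unknown user token type: {token_type!r}")
        token = secrets.token_urlsafe(32)  # assumption: 256 bits from the OS CSPRNG
        self._tokens[token] = TokenRecord(token_type, self._clock())
        return token

    def _purge_expired(self) -> None:
        """The timer after step 210: a token older than the TTL is deleted unused."""
        now = self._clock()
        stale = [t for t, r in self._tokens.items() if now - r.issued_at > TOKEN_TTL_SECONDS]
        for t in stale:
            del self._tokens[t]

    def authenticate(self, req: ServiceRequest) -> bool:
        """Steps 215 to 217: the token must be stored and its type must match the request."""
        self._purge_expired()
        rec = self._tokens.get(req.token)
        if rec is None or rec.token_type != req.request_type:
            return False  # step 217: unknown, expired, already used or mistyped token
        # Step 216: consume the token before answering so a second use of it fails
        del self._tokens[req.token]
        if req.request_type == "accounting":
            # Charging is keyed on the (IP, port) pair the third-party server observed
            self.accounting_log.append((req.client_ip, req.client_port))
        return True


class FakeClock:
    """Manually advanced clock so the timer can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def run_demo() -> Dict[str, bool]:
    """Walks through the checks the AAA server makes, with constructed sample values."""
    clock = FakeClock()
    aaa = AAAServer(clock)
    ip, port = "198.51.100.7", 51234  # constructed sample values from a documentation range

    tok = aaa.issue_token("authentication")
    first = aaa.authenticate(ServiceRequest(ip, port, tok, "authentication"))
    replay = aaa.authenticate(ServiceRequest(ip, port, tok, "authentication"))

    tok2 = aaa.issue_token("accounting")
    wrong_type = aaa.authenticate(ServiceRequest(ip, port, tok2, "qos"))

    tok3 = aaa.issue_token("qos")
    clock.now += TOKEN_TTL_SECONDS + 1  # the timer fires before the third party asks
    expired = aaa.authenticate(ServiceRequest(ip, port, tok3, "qos"))

    forged = aaa.authenticate(ServiceRequest(ip, port, "not-a-token-we-issued", "authentication"))
    return {"first": first, "replay": replay, "wrong_type": wrong_type,
            "expired": expired, "forged": forged}


if __name__ == "__main__":
    print(run_demo())
```

Note that the IP address and port are carried exactly as the text describes, for accounting; the comparison in step 215 is on token value and token type only, so this model, like the text, does not bind a token to the terminal's address.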
Embodiment 3:
The present invention further provides a service authentication system. As shown in FIG. 4, the system may include a terminal 100, a BNG 200 and an AAA server 300, where:
the terminal 100 may be configured to receive an instruction sent by the user to invoke shared user information for third-party service authentication; the shared user information is the user information the user uses when performing authentication, authorization and accounting (AAA) authentication. For example, the shared user information may be the account name and password used for the network service provided by the network operator, entered when the user accesses the network, such as the account name and password the user enters when dialling up over China Telecom ADSL (Asymmetric Digital Subscriber Line). In this embodiment, if the third-party service offers the function of authenticating with shared user information, the third-party service's web page or interface displayed on the terminal may provide a "one-click authentication" button; that button may call the application programming interface for shared user information provided by the network operator, and after the user clicks it the terminal has received the user's instruction to invoke the shared user information for third-party service authentication. The terminal 100 may further be configured to send a request message for obtaining a user token to the BNG 200;
the BNG 200 may be configured to send the request message for obtaining a user token to the AAA server 300;
the AAA server 300 may be configured to generate a user token and store it; after receiving the request message, the AAA server 300 generates a user token and stores it for later verification;
the AAA server 300 may further be configured to send the user token to the BNG 200;
the BNG 200 may further be configured to send the user token to the terminal 100;
the terminal 100 may further be configured to send the user token to the server of the third-party service;
the AAA server 300 may further be configured to receive the service request information sent by the server of the third-party service; the service request information includes the Internet Protocol (IP) address of the terminal, the Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port number, and the user token that the third-party server received. In this embodiment, when the terminal accesses the server of the third-party service, that server can obtain the terminal's IP address and TCP/UDP port number; after receiving the user token sent by the terminal, the third-party server may carry the terminal's IP address, TCP/UDP port number and the received user token in the service request information and send it to the AAA server;
the AAA server 300 may further be configured to judge whether the user token it received is equal to the user token it stored; if equal, it passes the third-party service authentication of the terminal, otherwise it determines that the third-party service authentication has failed.
Preferably, in this embodiment, after the AAA server has passed the third-party service authentication of the terminal, the AAA server may delete the user token it stored earlier, which guarantees that each user token is used for only one service authentication and improves security; after the third-party service authentication has passed, the AAA server may also return corresponding confirmation information to the server of the third-party service.
Preferably, in this embodiment, after the AAA server determines that the third-party service authentication has failed, the AAA server may also return corresponding prompt information to the server of the third-party service.
The service authentication system provided in this embodiment, by offering a scheme that authenticates with shared user information, lets the user use a third-party service without entering a user name and password, which is convenient for the user and improves the user experience; at the same time, the third-party service authentication requires verifying the user token allocated by the AAA server, which improves the security of the authentication.
Further, the AAA server may start a timer after generating and storing the user token; the timer period may be preset, for example but not limited to 1 minute. The AAA server may further be configured to delete the stored user token when the timer expires. Further, the service request message from the third-party server that the AAA server receives may include at least one of the following kinds of request information:
authentication request information;
accounting request information;
information acquisition request information;
QoS (Quality of Service) control request information.
Further, if the service request information includes accounting request information, the AAA server may further be configured to charge, according to the IP address and the TCP/UDP port number, the fees incurred by the terminal while using the third-party service. In this way the user can pay for third-party services with the account provided by the network operator, which allows unified accounting management.
Embodiment 4:
The present invention further provides a service authentication system. As shown in FIG. 5, the system may include a terminal 100, an AAA server 300 and a security server 400, where:
the terminal 100 is configured to receive an instruction sent by the user to invoke shared user information for third-party service authentication; the shared user information is the user information the user uses when performing AAA authentication. For example, the shared user information may be the account name and password used for the network service provided by the network operator, entered when the user accesses the network, such as the account name and password the user enters when dialling up over China Telecom ADSL (Asymmetric Digital Subscriber Line). In this embodiment, if the third-party service offers the function of authenticating with shared user information, the third-party service's web page or interface displayed on the terminal may provide a "one-click authentication" button; that button may call the application programming interface for shared user information provided by the network operator, and after the user clicks it the terminal has received the user's instruction to invoke the shared user information for third-party service authentication;
the terminal 100 is further configured to send a request message for obtaining a user token to the security server; the request message for obtaining a user token carries the user token type;
the security server 400 is configured to generate an authentication confirmation web page, store the authentication confirmation information associated with that page, and send the authentication confirmation web page to the terminal;
the terminal 100 is further configured to display the authentication confirmation web page, receive the authentication confirmation information entered by the user, and send the authentication confirmation information entered by the user to the security server. In this embodiment the authentication confirmation web page may be an interface such as the one shown in FIG. 3, which prompts the user to enter a verification code; the verification code may be text, digits or any other suitable format and is not specifically limited here;
the security server 400 is further configured to judge whether the authentication confirmation information entered by the user, as received, is consistent with the authentication confirmation information stored earlier; if consistent, it may send a request message for obtaining a user token to the AAA server, otherwise it may return prompt information to the BNG so that the BNG forwards the prompt message to the terminal and the user is prompted to verify again; the user token type; specifically, the user token generated by the AAA server matches the user token type;
the AAA server 300 is further configured to send the user token to the terminal 100;
the terminal 100 is further configured to send the user token to the server of the third-party service;
the AAA server 300 is further configured to receive the service request information sent by the server of the third-party service; the service request information includes the Internet Protocol (IP) address of the terminal, the Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port number, and the user token that the third-party server received. When the terminal accesses the server of the third-party service, that server can obtain the terminal's IP address and TCP/UDP port number; after receiving the user token sent by the terminal, the third-party server may carry the terminal's IP address, TCP/UDP port number and the received user token in the service request information and send it to the AAA server;
the AAA server 300 is further configured to judge whether the user token it received is equal to the user token it stored, and whether the user token type it received matches the user token type it stored; if the received user token equals the stored user token and the received user token type matches the stored user token type, it passes the third-party service authentication of the terminal, otherwise it determines that the third-party service authentication has failed.
In this embodiment, after the third-party service authentication has passed, the AAA server 300 may delete the user token it stored earlier, which guarantees that each user token is used for only one service authentication and improves security; after the third-party service authentication has passed, the AAA server 300 may also return corresponding confirmation information to the server of the third-party service;
in this embodiment, after determining that the third-party service authentication has failed, the AAA server 300 may return corresponding prompt information to the server of the third-party service.
It should be noted that in this embodiment the system may further include a BNG. The BNG may act as a message relay between the terminal and the security server: it may forward or transparently pass messages received from the terminal to the security server, and may forward or transparently pass messages received from the security server to the terminal.
The service authentication system provided in this embodiment, by offering a scheme that authenticates with shared user information, lets the user use a third-party service without entering a user name and password, which is convenient for the user and improves the user experience. Unlike Embodiment 3, in this embodiment the security server can provide a security check for invoking shared user information for third-party service authentication, guarding against user mistakes and against malicious operations by certain illegitimate programs; this further improves the security of the service authentication method and protects the user's interests from loss.
Further, the AAA server may start a timer after generating and storing the user token; the timer period may be preset, for example but not limited to 1 minute. The AAA server may further be configured to delete the stored user token when the timer expires. Further, the service request message from the third-party server that the AAA server receives may include at least one of the following kinds of request information:
authentication request information;
accounting request information;
information acquisition request information;
QoS (Quality of Service) control request information.
Further, if the service request information includes accounting request information, the AAA server may further be configured to charge, according to the IP address and the TCP/UDP port number, the fees incurred by the terminal while using the third-party service. In this way the user can pay for third-party services with the account provided by the network operator, which allows unified accounting management.
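The security server's confirmation step (steps 203 to 209 of Embodiment 2, and security server 400 in Embodiment 4) is what stands between a "one-click authentication" request and the AAA server issuing a token. The model below is an added example, not code from the patent or its applicant. It shows the three properties a practitioner would want from that step: the stored confirmation information is compared in constant time, every answer consumes the stored code so a failure leads back to step 203 with a fresh code rather than a second try at the same one, and the number of retries is bounded. The code alphabet and length, the attempt limit, the session identifier, the `aaa_issue` callback standing in for steps 208 and 210, and the sample session names are all assumptions; the text fixes none of them.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumption: characters that are hard to confuse
CODE_LENGTH = 6       # assumption; the text does not fix the code's format
MAX_ATTEMPTS = 3      # assumption; the text only says step 209 returns to step 203


@dataclass
class PendingConfirmation:
    code: str            # the authentication confirmation information stored in step 203
    token_type: str      # carried by the terminal's request in step 202
    attempts_left: int


class SecurityServer:
    """Models steps 203 to 209: confirm with the user before asking the AAA server for a token."""

    def __init__(self, aaa_issue: Callable[[str], str]) -> None:
        # aaa_issue stands in for steps 208 and 210: the AAA server returning a token for a type
        self._aaa_issue = aaa_issue
        self._pending: Dict[str, PendingConfirmation] = {}

    def start(self, session_id: str, token_type: str) -> str:
        """Steps 203 and 204: create a fresh code, remember it, return what the page shows."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[session_id] = PendingConfirmation(code, token_type, MAX_ATTEMPTS)
        return code

    def confirm(self, session_id: str, user_input: str) -> Tuple[str, Optional[str]]:
        """Step 207: compare the user's answer with the stored code.
        Returns ("ok", token) for step 208, ("retry", new_code) for step 209,
        ("locked", None) once the attempt budget is spent, ("error", None) if nothing is pending."""
        pend = self._pending.pop(session_id, None)   # every answer consumes the stored code
        if pend is None:
            return ("error", None)
        answer = user_input.strip().upper().encode()
        if hmac.compare_digest(pend.code.encode(), answer):   # constant-time comparison
            return ("ok", self._aaa_issue(pend.token_type))    # step 208
        if pend.attempts_left <= 1:
            return ("locked", None)
        new_code = self.start(session_id, pend.token_type)     # step 209: back to step 203
        self._pending[session_id].attempts_left = pend.attempts_left - 1
        return ("retry", new_code)


def run_demo() -> Dict[str, object]:
    """Exercises a wrong answer, a stale code, a correct answer and the lockout, on constructed sessions."""
    issued: List[Tuple[str, str]] = []

    def fake_aaa_issue(token_type: str) -> str:  # constructed stand-in for the AAA server
        tok = f"tok-{len(issued)}"
        issued.append((tok, token_type))
        return tok

    sec = SecurityServer(fake_aaa_issue)
    code1 = sec.start("sess-1", "authentication")
    wrong_input = ("B" if code1[0] == "A" else "A") + code1[1:]  # differs in the first character
    first_wrong, code2 = sec.confirm("sess-1", wrong_input)
    stale, code3 = sec.confirm("sess-1", code1)             # the first page's code is no longer valid
    accepted, token = sec.confirm("sess-1", code3.lower())  # case-insensitive, last allowed attempt

    sec.start("sess-2", "accounting")
    statuses = [sec.confirm("sess-2", "******")[0] for _ in range(3)]  # '*' is never in a code
    return {"first_wrong": first_wrong, "stale_rejected": stale, "accepted": accepted,
            "token": token, "lockout": statuses, "issued": issued}


if __name__ == "__main__":
    print(run_demo())
```

Popping the pending record before comparing is the detail that matters: whether the answer is right or wrong, the code that was shown can never be tried twice, which is the behaviour the text implies by returning to step 203 rather than to step 205.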
The above embodiments are all based on the same inventive concept; each embodiment's description has its own emphasis, and where the description in one embodiment is not exhaustive, reference may be made to the descriptions in the other embodiments.
A person of ordinary skill in the art will understand that all or part of the steps of the various methods in the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and the storage medium may include a flash disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The service authentication method and system provided by the embodiments of the present invention have been described in detail above. The description is only intended to help in understanding the method of the present invention and its core idea; at the same time, a person of ordinary skill in the art, following the idea of the present invention, may make changes in the specific implementation and in the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims

1. A service authentication method, characterized in that it comprises:
a terminal receiving an instruction sent by a user to invoke shared user information for third-party service authentication, where the shared user information is the user information the user uses when performing authentication, authorization and accounting (AAA) authentication; the terminal sending a request message for obtaining a user token to a broadband network gateway (BNG);
the BNG sending the request message for obtaining a user token to an AAA server;
the AAA server generating a user token and storing it;
the AAA server sending the user token to the BNG;
the BNG sending the user token to the terminal;
the terminal sending the user token to a server of a third-party service;
the AAA server receiving service request information sent by the server of the third-party service, where the service request information includes an Internet Protocol (IP) address of the terminal, a Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port number, and the user token received by the server of the third-party service;
the AAA server judging whether the user token it received is equal to the user token it stored and, if equal, passing the third-party service authentication of the terminal.
2. The method according to claim 1, characterized in that, after the AAA server generates the user token and stores the user token, the method further comprises:
the AAA server starting a timer;
and the method further comprises:
if the timer expires, the AAA server deleting the user token it stored.
3. The method according to claim 1 or 2, characterized in that the method further comprises: the AAA server charging, according to the IP address and the TCP/UDP port number, the fees incurred by the terminal while using the third-party service.
4. A service authentication method, characterized in that the method comprises:
a terminal receiving an instruction sent by a user to invoke shared user information for third-party service authentication, where the shared user information is the user information the user uses when performing authentication, authorization and accounting (AAA) authentication; the terminal sending a request message for obtaining a user token to a security server, where the request message for obtaining a user token carries a user token type;
the security server generating an authentication confirmation web page and storing authentication confirmation information associated with the authentication confirmation web page;
the security server sending the authentication confirmation web page to the terminal;
the terminal displaying the authentication confirmation web page, receiving authentication confirmation information entered by the user, and sending the authentication confirmation information entered by the user to the security server;
the security server judging whether the received authentication confirmation information entered by the user is consistent with the previously stored authentication confirmation information and, if consistent, sending a request message for obtaining a user token to an AAA server;
the AAA server generating a user token and storing the user token and the user token type;
the AAA server sending the user token to the security server;
the security server sending the user token to the terminal;
the terminal sending the user token to a server of a third-party service;
the AAA server receiving service request information sent by the server of the third-party service, where the service request information includes the IP address of the terminal, a Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port number, and the user token received by the server of the third-party service;
the AAA server judging whether the user token it received is equal to the user token it stored and whether the user token type it received matches the user token type it stored and, if the received user token equals the stored user token and the received user token type matches the stored user token type, passing the third-party service authentication of the terminal.
5. The method according to claim 4, characterized in that, after the AAA server generates the user token and stores the user token and the user token type, the method further comprises: the AAA server starting a timer;
and the method further comprises:
if the timer expires, the AAA server deleting the user token and the user token type it stored.
6. The method according to claim 4 or 5, characterized in that the method further comprises: the AAA server charging, according to the IP address and the TCP/UDP port number, the fees incurred by the terminal while using the third-party service.
7. A service authentication system, characterized in that the system comprises a terminal, a broadband service gateway (BNG) and an AAA server, where:
the terminal is configured to receive an instruction sent by a user to invoke shared user information for third-party service authentication, where the shared user information is the user information the user uses when performing authentication, authorization and accounting (AAA) authentication;
the terminal is further configured to send a request message for obtaining a user token to the broadband network gateway (BNG);
the BNG is configured to send the request message for obtaining a user token to the AAA server; the AAA server is configured to generate a user token and store it;
the AAA server is further configured to send the user token to the BNG;
the BNG is further configured to send the user token to the terminal;
the terminal is further configured to send the user token to a server of a third-party service;
the AAA server is further configured to receive service request information sent by the server of the third-party service, where the service request information includes an Internet Protocol (IP) address of the terminal, a Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port number, and the user token received by the server of the third-party service;
the AAA server is further configured to judge whether the user token it received is equal to the user token it stored and, if equal, to pass the third-party service authentication of the terminal.
8. The system according to claim 7, characterized in that the AAA server is further configured to start a timer after generating and storing the user token, and to delete the stored user token when the timer expires.
9. The system according to claim 7 or 8, characterized in that the AAA server is further configured to charge, according to the IP address and the TCP/UDP port number, the fees incurred by the terminal while using the third-party service.
10、 一种业务认证系统, 其特征在于, 所述系统包括: 终端、 AAA服务器以及安全服务器; 其中, 所述终端用于接收用户发送的调用共享用户信息进行第三方业务认证的 指令; 所述共享用户信息为用户在进行认证、 授权、 计费 AAA认证时使用的 用户信息; 10. A service authentication system, characterized in that the system includes: a terminal, an AAA server and a security server; wherein the terminal is used to receive an instruction sent by a user to invoke shared user information for third-party service authentication; Shared user information is the user information used by users for authentication, authorization, and accounting AAA authentication;
所述终端还用于发送获取用户令牌 token的请求消息至安全服务器; 所述 获取用户 token的请求消息中携带有用户 token类型; The terminal is also used to send a request message to obtain a user token to the security server; the request message to obtain a user token carries a user token type;
所述安全服务器用于生成认证确认网页, 保存与所述认证确认网页相关 的认证确认信息, 并将所述认证确认网页发送至所述终端; 所述终端还用于显示所述认证确认网页, 接收用户输入的认证确认信息 , 所述终端还用于将所述用户输入的认证确认信息发送至所述安全服务 器; The security server is configured to generate an authentication confirmation web page, save authentication confirmation information related to the authentication confirmation web page, and send the authentication confirmation web page to the terminal; The terminal is also used to display the authentication confirmation web page, receive the authentication confirmation information input by the user, and the terminal is also used to send the authentication confirmation information input by the user to the security server;
所述安全服务器还用于判断接收的所述用户输入的认证确认信息与之前 保存的认证确认信息是否一致, 如果一致, 发送获取用户 token的请求消息至 AAA服务器; The security server is also used to determine whether the received authentication confirmation information input by the user is consistent with the previously saved authentication confirmation information. If they are consistent, send a request message to obtain the user token to the AAA server;
所述 AAA服务器还用于生成用户 token并保存所述用户 token和所述用户 token类型; The AAA server is also used to generate a user token and save the user token and the user token type;
所述 AAA服务器还用于将所述用户 token发送至所述安全服务器; 所述安全服务器还用于将所述用户 token发送至所述终端; The AAA server is also used to send the user token to the security server; the security server is also used to send the user token to the terminal;
所述终端还用于将所述用户 token发送至第三方业务的服务器; The terminal is also used to send the user token to a server of a third-party service;
所述 AAA服务器还用于接收所述第三方业务的服务器发送的业务请求信 息; 所述业务请求信息包括终端的 IP地址、 TCP/ UDP端口号以及所述第三方 业务的服务器接收到的用户 token; The AAA server is also used to receive service request information sent by the server of the third-party service; the service request information includes the IP address of the terminal, the TCP/UDP port number, and the user token received by the server of the third-party service. ;
所述 AAA服务器还用于判断其接收到的用户 token与其保存的所述用户 token是否相等,以及判断其接收到的用户 token类型与其保存的用户 token类型 是否匹配, 如果其接收到的用户 token与其保存的所述用户 token相等且其接收 到的用户 token类型与其保存的用户 token类型匹配, 通过所述终端的所述第三 方业务认证。 The AAA server is also used to determine whether the user token it receives is equal to the user token it saves, and to determine whether the user token type it receives matches the user token type it saves. If the user token it receives matches its saved user token type, If the saved user tokens are equal and the received user token type matches the saved user token type, the third-party service authentication of the terminal is passed.
11、 根据权利要求 10所述的系统, 其特征在于, 所述 AAA服务器还用于 在生成用户 token并保存之后启动定时器; 以及用于当所述定时器超时, 删除 保存的所述用户 token。 11. The system according to claim 10, wherein the AAA server is further configured to start a timer after generating and saving a user token; and to delete the saved user token when the timer times out. .
12、 根据权利要求 10或 11所述的系统, 其特征在于, 所述 AAA服务器还 用于依据所述 IP地址和所述 TCP/UDP端口号对所述终端在使用第三方业务过 程中产生的费用进行计费。 12. The system according to claim 10 or 11, characterized in that, the AAA server is also used to analyze the data generated by the terminal during the use of third-party services based on the IP address and the TCP/UDP port number. Fees are billed.
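A runnable model of the AAA-server side of claims 4 to 12 (token generation saved with its type and a timer, equality and type check on the third-party server's request, charging keyed by the terminal's IP and port), written for this page as an added example; it is not the patent's own code. The terminal, BNG and security server are not modelled; indexing saved tokens by their value, the token-type labels and the injectable clock (so that timer expiry can be exercised) are assumptions.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class StoredToken:
    token_type: str    # constructed labels, e.g. "security-server" or "bng"
    expires_at: float  # claims 5/8/11: the token is deleted once its timer expires


class AAAServer:
    """AAA-server side of claims 4 to 12 (added model, not the patent's code)."""

    def __init__(self, ttl_seconds: float, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so timer expiry can be tested deterministically
        # Assumption: saved tokens are indexed by their value.
        self.tokens: dict[str, StoredToken] = {}
        # (IP address, TCP/UDP port) of an authenticated terminal -> accrued charges
        self.sessions: dict[tuple[str, int], float] = {}

    def issue_token(self, token_type: str) -> str:
        # Claims 4/10: generate the user token and save it with its type; then start the timer.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = StoredToken(token_type, self.clock() + self.ttl)
        return token

    def _purge_expired(self) -> None:
        # Timer expiry: drop every saved token whose lifetime has elapsed.
        now = self.clock()
        for tok in [t for t, s in self.tokens.items() if s.expires_at <= now]:
            del self.tokens[tok]

    def authenticate(self, ip: str, port: int, token: str, token_type: str) -> bool:
        """Service request from the third-party server: IP, TCP/UDP port, received token.
        Passes only if the token equals a saved one and its type matches (claim 10)."""
        self._purge_expired()
        stored = self.tokens.get(token)
        if stored is None or stored.token_type != token_type:
            return False
        self.sessions.setdefault((ip, port), 0.0)
        return True

    def charge(self, ip: str, port: int, amount: float) -> float:
        # Claims 6/9/12: bill third-party usage against the terminal's IP and port.
        key = (ip, port)
        if key not in self.sessions:
            raise KeyError("no authenticated session for %s:%d" % key)
        self.sessions[key] += amount
        return self.sessions[key]
```

The BNG path of claims 7 to 9 is the same flow without the token-type comparison.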
PCT/CN2014/080852 2013-06-26 2014-06-26 Service authentication method and system WO2014206316A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310259633.X 2013-06-26
CN201310259633.XA CN104253787A (en) 2013-06-26 2013-06-26 Service authentication method and system

Publications (1)

Publication Number Publication Date
WO2014206316A1 true WO2014206316A1 (en) 2014-12-31

Family

ID=52141092

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/080852 WO2014206316A1 (en) 2013-06-26 2014-06-26 Service authentication method and system

Country Status (2)

Country Link
CN (1) CN104253787A (en)
WO (1) WO2014206316A1 (en)

Also Published As

Publication number Publication date
CN104253787A (en) 2014-12-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14818502

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14818502

Country of ref document: EP

Kind code of ref document: A1