WO2016154813A1 - User authentication method, apparatus and system - Google Patents

User authentication method, apparatus and system

Publication number
WO2016154813A1
WO2016154813A1 PCT/CN2015/075279 CN2015075279W WO2016154813A1 WO 2016154813 A1 WO2016154813 A1 WO 2016154813A1 CN 2015075279 W CN2015075279 W CN 2015075279W WO 2016154813 A1 WO2016154813 A1 WO 2016154813A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
virtual machine
account
user
further configured
Prior art date
Application number
PCT/CN2015/075279
Other languages
French (fr)
Chinese (zh)
Inventor
桂亦慧
饶超
张晟
田春长
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to PCT/CN2015/075279 (WO2016154813A1)
Priority to CN201580050981.3A (CN107079008B)
Publication of WO2016154813A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols

Definitions

  • The embodiments of the present invention relate to communication technologies, and in particular, to a user authentication method, apparatus, and system.
  • Authentication refers to verifying that a user has the right to access the system.
  • Traditional authentication is performed by verifying a password.
  • The premise of this method is that each user who has obtained the password has been authorized.
  • When the user registers, the user is assigned a username and password; the user logs in with the username and password, and the system completes user authentication by verifying that the username and password are valid.
  • The Open Mobile Platform (OMP) is China Mobile's comprehensive, standards-based platform for meeting the development needs of mobile Internet services.
  • OMP integrates the basic capabilities of the Internet and telecommunications; it can provide application programming interfaces (Application Programming Interface, API for short) and can also be used as an operation management platform.
  • OMP provides unified authentication services for applications published on the platform; these applications are used as part of the OMP service.
  • The authentication center manages user information in a unified manner. When a user uses an application on the OMP, the user enters the corresponding user name and password, the authentication center authenticates them, and a user who passes the authentication can use the application.
  • However, the OMP platform authentication mechanism can only authenticate applications published on the platform.
  • It requires the application to be part of the OMP service, which has certain limitations, and user information is managed per application, resulting in a large amount of redundant user information, which increases the management load and affects the efficiency of system authentication.
  • The embodiments of the present invention provide a user authentication method, device and system, which can solve the limitation of platform application management, reduce user information redundancy, reduce management load, and improve system authentication efficiency.
  • an embodiment of the present invention provides a user authentication method, including:
  • the method before the receiving the application registration request sent by the user equipment UE, the method further includes:
  • after the acquiring the application account from the core network device to use the application account as the authentication identifier with which the UE subsequently logs in to the first application, and returning an application registration response to the UE, the method further includes:
  • the UE logs in to an application account of the second application, the method further includes:
  • the account acquisition request is sent to the core network device, where the account acquisition request includes the service identifier and the user identifier, and the application account is obtained from the core network device.
  • in a fourth possible implementation of the first aspect, after the querying, according to the application login request, the application account with which the UE logs in to the second application, the method further includes:
  • if two or more application accounts are found, the two or more application accounts are sent to the UE, and the application account that the UE selects to log in to the second application is received from the UE.
  • the method before the receiving the application registration request sent by the user equipment UE, the method further includes:
  • the virtual machine allocation response stores the username and password of the UE and returns a virtual machine registration response to the UE.
  • the virtual machine registration request includes a user name, a password, and a temporary identifier.
  • the virtual machine registration request includes using user information of the UE
  • the method further includes: assigning a virtual machine to the UE according to the user identifier,
  • the username and password are randomly generated for the UE.
  • after the assigning a virtual machine to the UE according to the user identifier and returning the virtual machine allocation response to the core network device, the method further includes:
  • sending the user name and password of the UE to the core network device, so that the core network device authenticates the UE according to the user name and password of the UE and returns an authentication response, where the authentication response includes a user identifier of the UE;
  • the method further includes:
  • an embodiment of the present invention provides a user authentication method, including:
  • the account registration request includes a service identifier of the first application requested by the user equipment UE and a user identifier of the UE;
  • the method before the receiving the account registration request sent by the mobile virtualization device, the method further includes:
  • after the sending the application account to the mobile virtualization device and the application server, the method further includes:
  • the method before the receiving the account registration request sent by the mobile virtualization device, the method further includes:
  • the user name and password of the UE are stored, and a virtual machine registration response is returned to the UE.
  • the virtual machine registration request includes a user name, a password, and a temporary identification code; or,
  • the virtual machine registration request includes user information using the UE.
  • after the user name and password of the UE are stored and the virtual machine registration response is returned to the UE, the method further includes:
  • after the user name and password of the UE are stored and the virtual machine registration response is returned to the UE, the method further includes:
  • the virtual machine removal request including the user identifier, to cause the mobile virtualization device to remove the virtual machine allocated to the UE according to the virtual machine removal request and delete the configuration information corresponding to the user identifier;
  • the configuration information corresponding to the user identifier is deleted, and the virtual machine logout response is returned to the UE.
  • an embodiment of the present invention provides a user authentication method, including:
  • the user equipment UE requests the application account allocated when registering the first application.
  • the method further includes:
  • an embodiment of the present invention provides a mobile virtual device, including:
  • a receiving module configured to receive an application registration request sent by the user equipment UE, where the application registration request includes information about the first application that the UE requests to register;
  • a processing module configured to query, according to the application registration request, a service identifier of the first application and a user identifier of the UE;
  • a sending module configured to send an account registration request to the core network device, where the account registration request includes the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application and sends the application account to an application server of the first application;
  • the receiving module is further configured to acquire the application account from the core network device to use the application account as an authentication identifier of the UE to log in to the first application, and return an application registration response to the UE.
  • the receiving module is further configured to obtain, from the core network device, a service identifier that is allocated by the core network device to a pre-registered application.
  • the receiving module is further configured to receive an application login request sent by the UE, where the application login request includes information of the second application that the UE requests to log in to;
  • the processing module is further configured to query, according to the application login request, the application account of the UE to log in to the second application;
  • the sending module is further configured to send the application account to the application server of the second application, so that the application server authenticates the application account and returns an authentication response;
  • the receiving module is further configured to receive the authentication response from the application server, and feed back the login result to the UE according to the authentication response.
  • the sending module is further configured to: if no application account is found by the query, send an account acquisition request to the core network device, where the account acquisition request includes the service identifier and the user identifier;
  • the receiving module is further configured to acquire the application account from the core network device.
  • the sending module is further configured to: if two or more application accounts are found by the query, send the two or more application accounts to the UE;
  • the receiving module is further configured to receive an application account that is sent by the UE and is selected to log in to the second application.
  • the receiving module is further configured to receive, by the core network device, a user identifier that is allocated to the UE according to a virtual machine registration request sent by the UE;
  • the processing module is further configured to allocate a virtual machine to the UE according to the user identifier
  • the sending module is further configured to return a virtual machine allocation response to the core network device, where the virtual machine allocation response includes a username and a password of the UE, so that the core network device stores the username and password of the UE according to the virtual machine allocation response and returns a virtual machine registration response to the UE.
  • the virtual machine registration request includes a user name, a password, and a temporary identifier.
  • the virtual machine registration request includes using user information of the UE
  • the processing module is further configured to randomly generate the user name and password for the UE while allocating a virtual machine to the UE according to the user identifier.
  • the receiving module is further configured to receive a virtual machine login request of the UE
  • the virtual machine login request includes a username and a password of the UE
  • the sending module is further configured to send the username and password of the UE to the core network device, so that the core network device authenticates the UE according to the username and password of the UE and returns an authentication response, where the authentication response includes a user identifier of the UE;
  • the processing module is further configured to start, according to the user identifier, the virtual machine allocated for the UE;
  • the sending module is further configured to return a virtual machine login response to the UE.
  • the receiving module is further configured to receive a virtual machine removal request that the core network device sends after authenticating the UE according to a virtual machine logout request sent by the UE and querying the user identifier of the UE, where the virtual machine removal request includes a user identifier of the UE;
  • the processing module is further configured to remove the virtual machine allocated to the UE according to the virtual machine removal request, and delete configuration information corresponding to the user identifier of the UE.
  • an embodiment of the present invention provides a core network device, including:
  • a receiving module configured to receive an account registration request sent by the mobile virtualization device, where the account registration request includes a service identifier of the first application that the user equipment UE requests to register, and a user identifier of the UE;
  • a processing module configured to allocate, according to the account registration request, an application account that is used to log in to the first application
  • a sending module configured to send the application account to the mobile virtualization device and the application server of the first application.
  • the processing module is further configured to allocate a service identifier to the pre-registered application
  • the sending module is further configured to send the service identifier to the mobile virtualization device.
  • the receiving module is further configured to receive an account acquisition request that the mobile virtualization device sends after failing to find the application account with which the UE logs in to the second application, where the account acquisition request includes the service identifier of the second application and the user identifier of the UE;
  • the sending module is further configured to return the application account to the mobile virtualization device according to the account acquisition request.
  • the receiving module is further configured to receive a virtual machine registration request sent by the UE;
  • the processing module is further configured to allocate a user identifier to the UE according to the virtual machine registration request;
  • the sending module is further configured to send the user identifier to the mobile virtualization device, so that the mobile virtualization device allocates a virtual machine to the UE according to the user identifier;
  • the receiving module is further configured to receive a virtual machine allocation response sent by the mobile virtualization device, where the virtual machine allocation response includes a username and a password of the UE;
  • the processing module is further configured to store a username and a password of the UE;
  • the sending module is further configured to return a virtual machine registration response to the UE.
  • the virtual machine registration request includes a user name, a password, and a temporary identification code; or,
  • the virtual machine registration request includes user information using the UE.
  • the receiving module is further configured to receive the username and password of the UE that the mobile virtualization device sends according to the virtual machine login request of the UE, where the virtual machine login request includes a username and a password of the UE;
  • the processing module is further configured to perform authentication on the UE according to the username and password of the UE;
  • the sending module is further configured to return an authentication response, where the authentication response includes a user identifier of the UE, so that the mobile virtualization device starts the virtual machine allocated to the UE according to the user identifier and returns a virtual machine login response to the UE.
  • the receiving module is further configured to receive a virtual machine logout request sent by the UE, where the virtual machine logout request includes a username and a password of the UE;
  • the processing module is further configured to perform authentication on the UE according to the virtual machine logout request, and query a user identifier of the UE;
  • the sending module is further configured to send a virtual machine removal request to the mobile virtualization device, where the virtual machine removal request includes the user identifier, so that the mobile virtualization device removes the virtual machine allocated to the UE according to the virtual machine removal request and deletes the configuration information corresponding to the user identifier;
  • the processing module is further configured to delete configuration information corresponding to the user identifier
  • the sending module is further configured to return a virtual machine logout response to the UE.
  • an application server including:
  • the receiving module is configured to receive an application account that is sent by the core network device, where the application account is the application account that the core network device allocates when the user equipment UE requests to register the first application.
  • the application server further includes: a processing module and a sending module;
  • the receiving module is further configured to receive an application account that is sent by the mobile virtualization device, where the application account is the application account with which the mobile virtualization device requests login to the second application according to the application login request sent by the UE;
  • the processing module is configured to authenticate the application account
  • the sending module is configured to return an authentication response to the mobile virtualization device.
  • a seventh aspect of the present invention provides a mobile virtual device, including:
  • a receiver configured to receive an application registration request sent by the user equipment UE, where the application registration request includes information about the first application that the UE requests to register;
  • a processor configured to query, according to the application registration request, a service identifier of the first application and a user identifier of the UE;
  • a transmitter configured to send an account registration request to the core network device, where the account registration request includes the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application and sends the application account to an application server of the first application;
  • the receiver is further configured to acquire the application account from the core network device to use the application account as an authentication identifier of the UE to log in to the first application, and return an application registration response to the UE.
  • the receiver is further configured to obtain, from the core network device, a service identifier that is allocated by the core network device to a pre-registered application.
  • the receiver is further configured to receive an application login request sent by the UE,
  • the application login request includes information of a second application that the UE requests to log in;
  • the processor is further configured to query, according to the application login request, the application account of the UE to log in to the second application;
  • the transmitter is further configured to send the application account to an application server of the second application, so that the application server authenticates the application account and returns an authentication response;
  • the receiver is further configured to receive the authentication response from the application server, and feed back a login result to the UE according to the authentication response.
  • the transmitter is further configured to: if no application account is found by the query, send an account acquisition request to the core network device, where the account acquisition request includes the service identifier and the user identifier;
  • the receiver is further configured to acquire the application account from the core network device.
  • the transmitter is further configured to: if two or more application accounts are found by the query, send the two or more application accounts to the UE;
  • the receiver is further configured to receive an application account that is sent by the UE and is selected to log in to the second application.
  • the receiver is further configured to receive, by the core network device, a user identifier that is allocated to the UE according to a virtual machine registration request sent by the UE;
  • the processor is further configured to allocate a virtual machine to the UE according to the user identifier
  • the transmitter is further configured to return a virtual machine allocation response to the core network device, where the virtual machine allocation response includes a username and a password of the UE, so that the core network device stores the username and password of the UE according to the virtual machine allocation response and returns a virtual machine registration response to the UE.
  • the virtual machine registration request includes a user name, a password, and a temporary identifier.
  • the virtual machine registration request includes using user information of the UE
  • the processor is further configured to randomly generate the username and password for the UE while allocating a virtual machine to the UE according to the user identifier.
  • the receiver is further configured to receive a virtual machine login request of the UE
  • the virtual machine login request includes a username and a password of the UE
  • the transmitter is further configured to send the user name and password of the UE to the core network device, so that the core network device authenticates the UE according to the user name and password of the UE and returns an authentication response, where the authentication response includes a user identifier of the UE;
  • the processor is further configured to start, according to the user identifier, the virtual machine allocated for the UE;
  • the transmitter is further configured to return a virtual machine login response to the UE.
  • the receiver is further configured to receive a virtual machine removal request that the core network device sends after authenticating the UE according to a virtual machine logout request sent by the UE and querying the user identifier of the UE, where the virtual machine removal request includes a user identifier of the UE;
  • the processor is further configured to remove the virtual machine allocated to the UE according to the virtual machine removal request, and delete configuration information corresponding to the user identifier of the UE.
  • the eighth aspect of the present invention provides a core network device, including:
  • a receiver configured to receive an account registration request sent by the mobile virtualization device, where the account registration request includes a service identifier of the first application that the user equipment UE requests to register, and a user identifier of the UE;
  • a processor configured to allocate, according to the account registration request, an application account that is used to log in to the first application
  • a transmitter configured to send the application account to the mobile virtualization device and the application server of the first application.
  • the processor is further configured to allocate a service identifier to the pre-registered application
  • the transmitter is further configured to send the service identifier to the mobile virtualization device.
  • the receiver is further configured to receive an account acquisition request that the mobile virtualization device sends after failing to find the application account with which the UE logs in to the second application, where the account acquisition request includes the service identifier of the second application and the user identifier of the UE;
  • the transmitter is further configured to return the application account to the mobile virtualization device according to the account acquisition request.
  • the receiver is further configured to receive a virtual machine registration request sent by the UE;
  • the processor is further configured to allocate a user identifier to the UE according to the virtual machine registration request;
  • the transmitter is further configured to send the user identifier to the mobile virtualization device, so that the mobile virtualization device allocates a virtual machine to the UE according to the user identifier;
  • the receiver is further configured to receive a virtual machine allocation response sent by the mobile virtualization device, where the virtual machine allocation response includes a username and a password of the UE;
  • the processor is further configured to store a username and a password of the UE;
  • the transmitter is further configured to return a virtual machine registration response to the UE.
  • the virtual machine registration request includes a user name, a password, and a temporary identification code; or,
  • the virtual machine registration request includes user information using the UE.
  • the receiver is further configured to receive the username and password of the UE that the mobile virtualization device sends according to the virtual machine login request of the UE, where the virtual machine login request includes a username and a password of the UE;
  • the processor is further configured to perform authentication on the UE according to the username and password of the UE;
  • the transmitter is further configured to return an authentication response, where the authentication response includes a user identifier of the UE, so that the mobile virtualization device starts the virtual machine allocated to the UE according to the user identifier and returns a virtual machine login response to the UE.
  • the receiver is further configured to receive a virtual machine logout request sent by the UE, where the virtual machine logout request includes a username and a password of the UE;
  • the processor is further configured to perform authentication on the UE according to the virtual machine logout request, and query a user identifier of the UE;
  • the transmitter is further configured to send a virtual machine removal request to the mobile virtualization device, where the virtual machine removal request includes the user identifier, so that the mobile virtualization device removes the virtual machine allocated to the UE according to the virtual machine removal request and deletes the configuration information corresponding to the user identifier;
  • the processor is further configured to delete configuration information corresponding to the user identifier
  • the transmitter is further configured to return a virtual machine logout response to the UE.
  • an application server including:
  • the receiver is configured to receive an application account that is sent by the core network device, where the application account is the application account that the core network device allocates when the user equipment UE requests to register the first application.
  • the application server further includes: a processor and a transmitter;
  • the receiver is further configured to receive an application account that is sent by the mobile virtualization device, where the application account is the application account with which the mobile virtualization device requests login to the second application according to the application login request sent by the UE;
  • the processor is configured to authenticate the application account
  • the transmitter is configured to return an authentication response to the mobile virtualization device.
  • an embodiment of the present invention provides an authentication system, including: a mobile virtualization device, a core network device, an application server, and a user equipment UE; wherein the mobile virtualization device is the mobile virtualization device according to the fourth aspect or any one of the first to the ninth possible implementations of the fourth aspect; the core network device is the core network device according to the fifth aspect or any one of the first to the sixth possible implementations of the fifth aspect; and the application server is the application server described in the sixth aspect or the first possible implementation manner of the sixth aspect.
  • an embodiment of the present invention provides an authentication system, including: a mobile virtualization device, a core network device, an application server, and a user equipment UE; wherein the mobile virtualization device is the mobile virtualization device according to the seventh aspect or any one of the first to the ninth possible implementation manners of the seventh aspect; the core network device is the core network device according to the eighth aspect or any one of the first to the sixth possible implementation manners of the eighth aspect; and the application server is the application server of the ninth aspect or the first possible implementation manner of the ninth aspect.
  • With the user authentication method, device, and system of the embodiments of the present invention, the mobile virtualization device acts as a proxy of the UE and performs registration and login of applications in place of the UE. This eliminates the complicated operation of manually setting a user name and password when the UE registers with each application, solves the limitations of platform application management, reduces user information redundancy, reduces management load, and improves system authentication efficiency.
  • FIG. 1 is a schematic structural diagram of an embodiment of an authentication system according to the present invention.
  • FIG. 2 is a flowchart of an embodiment of a user authentication method according to the present invention.
  • FIG. 3 is a flow chart of another embodiment of a user authentication method according to the present invention.
  • FIG. 4 is a flowchart of still another embodiment of a user authentication method according to the present invention.
  • FIG. 5 is a flowchart of a fourth embodiment of a user authentication method according to the present invention.
  • FIG. 6 is a flowchart of a fifth embodiment of a user authentication method according to the present invention.
  • FIG. 7 is a flowchart of a sixth embodiment of a user authentication method according to the present invention.
  • FIG. 8 is a flowchart of a seventh embodiment of a user authentication method according to the present invention.
  • FIG. 9 is a flowchart of an eighth embodiment of a user authentication method according to the present invention.
  • FIG. 10 is a schematic structural diagram of an embodiment of a mobile virtual device according to the present invention.
  • FIG. 11 is a schematic structural diagram of an embodiment of an application server according to the present invention.
  • FIG. 12 is a schematic structural diagram of another embodiment of a mobile virtual device according to the present invention.
  • FIG. 13 is a schematic structural diagram of still another embodiment of an application server according to the present invention.
  • FIG. 14 is a block diagram showing another embodiment of the authentication system of the present invention.
  • the authentication system of the embodiment may include: a mobile virtualization device 11, a core network device 12, an application server 13, and a user equipment (User Equipment, UE for short) 14. Further, the mobile virtualization device 11 may include a virtual user module 111 and a lightweight application server 112. The virtual user module 111 provides a virtual machine service for the UE 14.
  • the lightweight application server 112 can be regarded as an implementation, in the mobile virtualization device 11, of some functions of multiple application servers, and can also be an application server deployed by an application developer on the authentication system to provide complete application services.
  • the user wirelessly connects to the virtual user module 111 in the mobile virtualization device 11 by using the UE 14, thereby using the virtual machine service, with the virtual user module 111 acting as a proxy for the UE 14.
  • the virtual user module 111 interacts with the lightweight application server 112.
  • the core network device 12 may include a Mobility Management Entity (MME) and a Home Subscriber Server (HSS), each storing certain user data to authenticate the user.
  • the application server 13 is a corresponding server of a plurality of applications in the authentication system, which stores user information of the user using the application, for example, login information, game progress, recorded data, and the like.
  • the user logs in to the mobile virtualization device 11 through the UE 14, and inputs a user name and password.
  • the mobile virtualization device 11 After the mobile virtualization device 11 authenticates the user, the mobile virtualization device 11 implements registration, login, and the like operations of the user by using the application as a proxy of the user.
  • the user does not have to register once for each application, the mobile virtualization device 11 can interact with the application server 13 of each application instead of the user, and the mobile virtualization device 11 can replace the application account generated by the user, or even
  • the user needs to be fed back to the user, and the application does not need to belong to a fixed management platform.
  • the lightweight application server 112 is deployed on the mobile virtualization device 11, unified authentication and authentication can be implemented, and user information redundancy can be reduced. Improve the efficiency of authentication.
  • FIG. 2 is a flowchart of an embodiment of a user authentication method according to the present invention. As shown in FIG. 2, this embodiment is a process in which a UE requests to register an application, and the method may include:
  • Step 101 Receive an application registration request sent by the user equipment UE, where the application registration request includes information about the first application that the UE requests to register;
  • the execution body of this embodiment may be the mobile virtualization device in the structural diagram shown in FIG. 1.
  • the user initiates an application registration request to the mobile virtualization device through the UE.
  • for example, to register WeChat or a mobile game, the user can click the icon of WeChat or the mobile game on the UE and select registration, and the application registration request for WeChat or the mobile game is then sent through the UE.
  • the application registration request includes information related to the first application (such as WeChat or a mobile game) that the user requests to register, and may include an application name, an application ID, a corresponding application server ID, and so on.
  • Step 102 Query, according to the application registration request, a service identifier of the first application and a user identifier of the UE.
  • After receiving the application registration request, the mobile virtualization device acquires the service identifier (Service Identity) of the first application according to the information of the first application that the UE requests to register. Specifically, the virtual user module in the mobile virtualization device receives the application registration request, and then obtains the service identifier of the first application from the lightweight application server of the first application in the mobile virtualization device according to the first application information in the application registration request.
  • the UE needs to be registered before using the authentication system. Therefore, the mobile virtualization device can also obtain, through the application registration request, the user identity (User Identity, User ID) of the UE that sent the request.
  • Step 103 Send an account registration request to the core network device, where the account registration request includes the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application.
  • the mobile virtualization device packages the service identifier of the first application and the user identifier of the UE into an account registration request and sends it to the core network device.
  • the core network device may be an HSS, and the HSS allocates an application account according to the service identifier and the user identifier, where the application account is the account that identifies the user when the UE subsequently logs in to the application corresponding to the service identifier.
  • the HSS sends the application account to the application server of the first application at the same time, so that the application server can also perform authentication according to the application account at subsequent logins. This step is maximally compatible with the authentication mechanism in the existing communication network.
  • the mobile virtualization device interacts with each application server according to the current standard, and the core network device regards the mobile virtualization device as the UE and assigns an application account to it. Regardless of which application is used, as long as it is a trusted application that is recognized and supported in the system, the application account can be obtained by the method of this embodiment.
  • Step 104 Obtain the application account from the core network device to use the application account as an authentication identifier for the UE to log in to the first application, and return an application registration response to the UE.
  • the mobile virtualization device After receiving the application account allocated by the core network device, the mobile virtualization device records the application account and feeds back the application registration response to the UE.
  • the application registration response may include a result indicating whether the registration is successful, and the UE, on receiving the response, may inform the user in the form of a pop-up window.
  • the mobile virtualization device may store the application account information in the format of Table 1. Each record includes a user identifier, a service identifier, and an application account.
  • the mobile virtualization device may not feed the application account back to the UE, but only store it locally. In this way, when the UE logs in to the application, it only needs to send an application login request, and the mobile virtualization device obtains the application account locally, and then interacts with the application server through the application account to complete authentication and login.
  • with the mobile virtualization device acting as the proxy of the UE and implementing the registration and login of the application in place of the UE, the complicated operation of manually setting the user name and password in the registration process of the application is eliminated, and the limitation of the platform application management is solved, which reduces user information redundancy, reduces management load, and improves system authentication efficiency.
  • the method may further include: acquiring, from the core network device, a service identifier that is allocated by the core network device to a pre-registered application.
  • the mobile virtualization device can implement some functions of multiple application servers, and the functions implemented by the application include a configuration file of a pre-registered application.
  • for example, when a third party develops a mobile game, if the mobile game supports the authentication mechanism of the present invention, it can first register with the core network device. As long as the core network device authenticates the mobile game and considers it to be a trusted application, it can assign a service identifier to the mobile game and send the service identifier to the mobile virtualization device, specifically to the lightweight application server in the mobile virtualization device.
  • FIG. 3 is a flowchart of another embodiment of a user authentication method according to the present invention. As shown in FIG. 3, this embodiment is also a process in which a UE requests to register an application, and the method may include:
  • Step 201 Receive an account registration request sent by the mobile virtualization device, where the account registration request includes a service identifier of the first application that the user equipment UE requests to register, and a user identifier of the UE.
  • the execution body of this embodiment may be the core network device in the schematic diagram of the structure shown in FIG. 1.
  • the method in this embodiment corresponds to the method embodiment shown in FIG. 2, and is a method performed by a core network device in a process in which a UE requests to register an application.
  • Step 202 Assign, to the UE, an application account for logging in to the first application according to the account registration request.
  • Step 203 Send the application account to the mobile virtualization device and the application server of the first application.
  • the core network device regards the mobile virtualization device as the UE requesting to register the application, and allocates an application account for it.
  • with the mobile virtualization device acting as the proxy of the UE and implementing application registration and login in place of the UE, the UE is exempted from the complicated operation of manually setting a user name and password during the registration process for each application, which solves the limitations of platform application management, reduces user information redundancy, reduces management load, and improves system authentication efficiency.
  • FIG. 4 is a flowchart of still another embodiment of a user authentication method according to the present invention. As shown in FIG. 4, this embodiment is also a process for a UE to request to register an application, and the method may include:
  • Step 301 Receive an application account that is sent by the core network device, where the application account is an application account that the core network device allocates when the user equipment UE requests to register the first application.
  • the execution body of this embodiment may be an application server in the schematic diagram of the structure shown in FIG. 1.
  • the method in this embodiment corresponds to the method embodiment shown in FIG. 2 and FIG. 3, and is a method performed by the application server in the process of requesting registration of the application by the UE.
  • the application server regards the mobile virtualization device as the UE requesting to register the application and records the application account. With the mobile virtualization device acting as the proxy of the UE and implementing application registration and login in place of the UE, the UE is exempted from the complicated operation of manually setting a user name and password during the registration process of the application, which solves the limitations of platform application management, reduces user information redundancy, reduces management load, and improves system authentication efficiency.
  • the foregoing method embodiment is an implementation process of the mobile virtualization device, the core network device, and the application server in the process of requesting the registration of the application by the UE.
  • the method in this embodiment further includes the UE requesting the login application, the UE requesting to register the mobile virtualization device, and the UE.
  • the mobile virtualization device includes a virtual user module and a lightweight application server.
  • the virtual user module and the lightweight application server are respectively the execution entities of some of the steps, so that the interaction process inside the mobile virtualization device is described; the core network device also includes the MME and the HSS.
  • FIG. 5 is a flowchart of a fourth embodiment of a user authentication method according to the present invention. As shown in FIG. 5, this embodiment is also a process in which a UE requests to register an application, and the method may include:
  • the core network device allocates a service identifier to the pre-registered application, and sends the service identifier to the lightweight application server.
  • the core network device may be an HSS.
  • the virtual user module receives an application registration request sent by the UE to request to register the first application.
  • the virtual user module sends a query request to the lightweight application server according to the application registration request.
  • In s401, the service identifier of each application is recorded in the lightweight application server.
  • the lightweight application server returns a service identifier of the first application to the virtual user module.
  • the virtual user module sends an account registration request to the core network device according to the service identifier of the first application and the user identifier of the UE.
  • the virtual user module can obtain the user identifier of the UE, and the service identifier of the first application corresponding to the UE is also recorded in Table 1.
  • the core network device allocates, according to the account registration request, an application account that is used to log in to the first application.
  • the application account is generated at the first registration, and the mobile virtualization device can store it locally without notification, so that when the UE subsequently logs in to the first application, the application account can be obtained directly and submitted to the application server for authentication.
  • the application account that is allocated by the core network device may be a user name and password as used in the conventional manner, or may be a string in a pre-agreed format, as long as it can be used as a credential for logging in to the application; it is not specifically limited herein.
  • the core network device sends the application account to the virtual user module and the application server of the first application.
  • the virtual user module stores the application account.
  • the virtual user module informs the UE that the registration is completed.
  • FIG. 6 is a flowchart of a fifth embodiment of a user authentication method according to the present invention. As shown in FIG. 6 , this embodiment is also a process in which a UE requests to log in to an application, and the method may include:
  • the virtual user module receives an application login request that is sent by the UE to request to log in to the second application.
  • the virtual user module queries an application account of the second application according to the application login request.
  • the mobile virtualization device records the mapping relationship between the user identifier, the service identifier, and the application account in the locally saved table 1.
  • the virtual user module can obtain, according to the request, the user identifier of the UE and the service identifier of the second application that the UE requests to log in to, and query Table 1 to obtain the application account with which the UE logs in to the second application.
  • the virtual user module sends an account acquisition request to the core network device.
  • if the virtual user module does not find the application account locally, the account acquisition request is sent to the core network device, and the application account of the second application is re-acquired from the core network device.
  • the core network device in this embodiment may be an HSS.
  • the core network device returns an application account of the second application to the virtual user module.
  • S503 and s504 are optional steps, which need to be performed only if the virtual user module does not find the application account locally.
  • the virtual user module sends two or more application accounts of the second application to the UE.
  • the virtual user module may find two or more application accounts, in which case all the application accounts are sent to the UE, and the user selects the account to log in with.
  • the UE selects an application account used for login.
  • the virtual user module receives an account selection response sent by the UE.
  • S505 to s507 are optional steps, which need to be performed only if multiple application accounts are found.
  • the virtual user module sends a login request to the lightweight application server according to the application account.
  • the lightweight application server forwards the login request to an application server of the second application.
  • the application server authenticates the application account.
  • the application server returns an authentication response to the lightweight application server.
  • the lightweight application server forwards the authentication response to the virtual user module.
  • the virtual user module feeds back the login result to the UE according to the authentication response.
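  • The registration flow of FIG. 5 and the login flow of FIG. 6, including the two optional branches (re-acquiring the account from the core network device, and account selection by the UE), can be traced in the following added example, which is not code from the patent. The class names, the `svc-N` identifier format, the random opaque account string and the constant-time comparison at the application server are assumptions made for illustration.

```python
import hmac
import secrets


class ApplicationServer:
    """Application server 13: records accounts pushed by the core network."""

    def __init__(self):
        self.accounts = set()

    def record_account(self, account):
        self.accounts.add(account)

    def authenticate(self, account):
        # Assumption: each stored account is compared in constant time.
        return any(hmac.compare_digest(account, known) for known in self.accounts)


class LightweightAppServer:
    """Lightweight application server 112: service identifiers plus forwarding."""

    def __init__(self):
        self.service_ids = {}  # application name -> service identifier
        self.upstream = {}     # service identifier -> ApplicationServer

    def record(self, app_name, service_id, server):
        self.service_ids[app_name] = service_id
        self.upstream[service_id] = server

    def query_service_id(self, app_name):
        return self.service_ids[app_name]

    def forward_login(self, service_id, account):
        return self.upstream[service_id].authenticate(account)


class CoreNetwork:
    """Core network device 12 (HSS role): allocates identifiers and accounts."""

    def __init__(self):
        self.app_servers = {}  # service identifier -> ApplicationServer
        self.accounts = {}     # (user id, service id) -> [application account]

    def pre_register(self, app_name, lightweight):
        service_id = f"svc-{len(self.app_servers) + 1}"  # constructed format
        server = ApplicationServer()
        self.app_servers[service_id] = server
        lightweight.record(app_name, service_id, server)
        return server

    def register_account(self, user_id, service_id):
        if service_id not in self.app_servers:
            raise PermissionError("unknown service identifier")
        account = secrets.token_urlsafe(16)  # assumption: random opaque string
        self.accounts.setdefault((user_id, service_id), []).append(account)
        self.app_servers[service_id].record_account(account)
        return account

    def get_accounts(self, user_id, service_id):
        return list(self.accounts.get((user_id, service_id), []))


class VirtualUserModule:
    """Virtual user module 111: proxy of the UE, keeper of Table 1."""

    def __init__(self, core, lightweight):
        self.core = core
        self.lightweight = lightweight
        self.table1 = {}  # (user id, service id) -> [application account]

    def register_app(self, user_id, app_name):
        service_id = self.lightweight.query_service_id(app_name)
        account = self.core.register_account(user_id, service_id)
        self.table1.setdefault((user_id, service_id), []).append(account)
        return {"registered": True}  # the account itself stays in the proxy

    def login_app(self, user_id, app_name, select=None):
        service_id = self.lightweight.query_service_id(app_name)
        key = (user_id, service_id)
        accounts = self.table1.get(key)
        if not accounts:  # optional steps: re-acquire from the core network
            accounts = self.core.get_accounts(user_id, service_id)
            if not accounts:
                return {"logged_in": False, "reason": "not registered"}
            self.table1[key] = accounts
        if len(accounts) > 1:  # optional steps: the UE picks one account
            if select is None:
                raise ValueError("several accounts found; a selection is needed")
            account = select(accounts)
        else:
            account = accounts[0]
        return {"logged_in": self.lightweight.forward_login(service_id, account)}


if __name__ == "__main__":
    core, lightweight = CoreNetwork(), LightweightAppServer()
    proxy = VirtualUserModule(core, lightweight)
    core.pre_register("mobile-game", lightweight)
    print(proxy.register_app("user-1", "mobile-game"))
    print(proxy.login_app("user-1", "mobile-game"))
```

  • In this model the registration response carries only the result, so the credential that matters for logging in to the application lives in Table 1 and in the core network device rather than on the UE.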
  • FIG. 7 is a flowchart of a sixth embodiment of a user authentication method according to the present invention. As shown in FIG. 7, the embodiment is also a process for a UE to request to register a mobile virtualization device, and the method may include:
  • the MME receives a virtual machine registration request sent by the UE.
  • the virtual machine registration request includes a username and a password set by the UE, and a temporary identifier of the UE.
  • the virtual machine registration request may also include user information of the UE.
  • the MME forwards the virtual machine registration request to the HSS;
  • the MME queries and obtains an International Mobile Subscriber Identification Number (IMSI) of the UE, and the IMSI is carried when the virtual machine registration request is forwarded. If the user information of the UE is included in the virtual machine registration request, the information is directly forwarded to the HSS, and its validity is verified by the HSS.
  • the HSS allocates a user identifier to the UE according to the virtual machine registration request.
  • the HSS can assign a unique user identifier to the UE according to a preset algorithm.
  • the HSS returns the user identifier to the MME.
  • the MME sends the user identifier to the mobile virtualization device.
  • the mobile virtualization device allocates a virtual machine to the UE according to the user identifier.
  • the mobile virtualization device also randomly generates a username and a password for the UE, that is, the user name and password of the UE are not set by the user, but are randomly generated for it by the mobile virtualization device.
  • the mobile virtualization device returns a virtual machine allocation response to the MME.
  • the virtual machine allocation response includes a user identifier, a username, and a password of the UE.
  • the MME stores a username and a password of the UE according to the virtual machine allocation response.
  • the MME can store the mapping relationship between the user identifier and the mobile virtualization device identifier in the form of Table 2, which is used to destroy the virtual machine data of the UE and to synchronize user data during virtual machine migration.
  • the MME can query the virtual used by the UE through Table 2.
  • the MME can store the mapping relationship between the user identifier, the username, and the password of the UE in the form of Table 3.
  • the MME authenticates the user identity.
  • the MME returns a virtual machine registration response to the UE.
  • FIG. 8 is a flowchart of a seventh embodiment of a user authentication method according to the present invention. As shown in FIG. 8, this embodiment is also a process for a UE to log in to a mobile virtualization device, and the method may include:
  • the mobile virtualization device receives a virtual machine login request of the UE.
  • the virtual machine login request includes a username and password of the UE.
  • S702 The mobile virtualization device sends the username and password to the MME.
  • the MME performs authentication on the UE according to the username and password.
  • the MME returns an authentication response to the mobile virtualization device.
  • the authentication response includes a user identification of the UE.
  • the mobile virtualization device starts a virtual machine allocated to the UE according to the user identifier.
  • S706 The mobile virtualization device and the MME perform virtual machine synchronization according to the user identifier.
  • This step is an optional step.
  • the mobile virtualization device returns a virtual machine login response to the UE.
  • the UE establishes a connection with the mobile virtualization device and performs data interaction.
  • FIG. 9 is a flowchart of an eighth embodiment of a user authentication method according to the present invention. As shown in FIG. 9, this embodiment is also a process for a UE to request to log off a mobile virtualization device, and the method may include:
  • the MME receives a virtual machine logout request sent by the UE.
  • the virtual machine logout request includes a username and password of the UE.
  • the MME performs authentication on the UE according to the virtual machine logout request, and queries the user identifier of the UE.
  • the MME sends a virtual machine removal request to the mobile virtualization device.
  • the virtual machine removal request includes the user identification.
  • the mobile virtualization device removes the virtual machine allocated to the UE according to the virtual machine removal request, and deletes configuration information corresponding to the user identifier.
  • the mobile virtualization device returns a virtual machine removal response to the MME.
  • the MME sends a user identity deletion request to the HSS.
  • the user identity deletion request includes the user identity.
  • the HSS deletes the user identifier according to the user identifier deletion request, and configuration information corresponding to the user identifier;
  • the MME deletes configuration information corresponding to the user identifier.
  • the MME returns a virtual machine logout response to the UE.
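  • The virtual machine lifecycle of FIG. 7 to FIG. 9 (registration, login, logout) touches state in three places: the HSS, the MME (Tables 2 and 3) and the mobile virtualization device. The following added example, which is not code from the patent, models that lifecycle and checks that logout leaves no residual record in any of them. The class names, the identifier formats, the `device_id` argument and the salted PBKDF2 hash kept in place of the stored password are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _hash(password, salt):
    # Assumption: the MME keeps a salted hash rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class HSS:
    """Allocates and deletes user identifiers."""

    def __init__(self):
        self.user_ids = {}  # user identifier -> IMSI

    def allocate_user_id(self, imsi):
        user_id = "uid-" + secrets.token_hex(4)  # constructed format
        self.user_ids[user_id] = imsi
        return user_id

    def delete_user_id(self, user_id):
        self.user_ids.pop(user_id, None)


class MME:
    """Holds Table 2 (user id -> device id) and Table 3 (login credentials)."""

    def __init__(self, hss):
        self.hss = hss
        self.devices = {}  # device id -> MobileVirtualizationDevice
        self.table2 = {}   # user identifier -> mobile virtualization device id
        self.table3 = {}   # username -> (user identifier, salt, password hash)

    def register_vm(self, username, password, imsi, device_id):
        if username in self.table3:
            return False
        user_id = self.hss.allocate_user_id(imsi)
        self.table2[user_id] = self.devices[device_id].allocate_vm(user_id)
        salt = secrets.token_bytes(16)
        self.table3[username] = (user_id, salt, _hash(password, salt))
        return True

    def authenticate(self, username, password):
        record = self.table3.get(username)
        if record is None:
            return None
        user_id, salt, stored = record
        ok = hmac.compare_digest(stored, _hash(password, salt))
        return user_id if ok else None

    def logout_vm(self, username, password):
        user_id = self.authenticate(username, password)
        if user_id is None:
            return False
        # Teardown order follows FIG. 9: device first, then HSS, then MME.
        self.devices[self.table2[user_id]].remove_vm(user_id)
        self.hss.delete_user_id(user_id)
        del self.table2[user_id]
        del self.table3[username]
        return True


class MobileVirtualizationDevice:
    """Allocates, starts and removes the per-user virtual machine."""

    def __init__(self, device_id, mme):
        self.device_id = device_id
        self.mme = mme
        self.vms = {}  # user identifier -> "stopped" or "running"
        mme.devices[device_id] = self

    def allocate_vm(self, user_id):
        self.vms[user_id] = "stopped"
        return self.device_id

    def login(self, username, password):
        # The device does not verify the password itself; the MME does.
        user_id = self.mme.authenticate(username, password)
        if user_id is None or user_id not in self.vms:
            return False
        self.vms[user_id] = "running"
        return True

    def remove_vm(self, user_id):
        self.vms.pop(user_id, None)


if __name__ == "__main__":
    hss = HSS()
    mme = MME(hss)
    device = MobileVirtualizationDevice("mvd-1", mme)
    # Constructed sample values.
    mme.register_vm("alice", "pw-constructed", "imsi-constructed", "mvd-1")
    print(device.login("alice", "pw-constructed"))
    print(mme.logout_vm("alice", "pw-constructed"))
    print(device.login("alice", "pw-constructed"))
```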
  • the device in this embodiment may include: a receiving module 11, a processing module 12, and a sending module 13, where the receiving module 11 is used.
  • the sending module 13 is configured to send an account registration request to the core network device, where the account registration request includes the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application, and sends the application account to the application server of the first application.
  • the receiving module 11 is further configured to acquire the application account from the core network device, to use the application account as an authentication identifier for the UE to log in to the first application, and return an application registration response to the UE.
  • the device in this embodiment may be used to implement the technical solution of the method embodiment shown in any of FIG. 2 and FIG. 5 to FIG. 9.
  • the implementation principle and technical effects are similar, and details are not described herein again.
  • the receiving module 11 is further configured to acquire, from the core network device, a service identifier that is allocated by the core network device to a pre-registered application.
  • the receiving module 11 is further configured to receive an application login request sent by the UE, where the application login request includes information about the second application that the UE requests to log in to; the processing module 12 is further configured to query, according to the application login request, the application account with which the UE logs in to the second application; the sending module 13 is further configured to send the application account to the application server of the second application, so that the application server performs authentication according to the application account and returns an authentication response.
  • the receiving module 11 is further configured to receive the authentication response from the application server, and feed back the login result to the UE according to the authentication response.
  • the sending module 13 is further configured to: if the application account is not queried, send an account obtaining request to the core network device, where the account obtaining request includes the service identifier and the user identifier;
  • the receiving module 11 is further configured to acquire the application account from the core network device.
  • the sending module 13 is further configured to: if two or more application accounts are found, send the two or more application accounts to the UE; and the receiving module 11 is further configured to receive the application account, sent by the UE, for logging in to the second application.
  • the receiving module 11 is further configured to receive a user identifier that is allocated to the UE by the core network device according to the virtual machine registration request sent by the UE; the processing module 12 is further configured to allocate a virtual machine to the UE according to the user identifier; the sending module 13 is further configured to return a virtual machine allocation response to the core network device, where the virtual machine allocation response includes a username and a password of the UE, so that the core network device stores the username and password of the UE according to the virtual machine allocation response and returns a virtual machine registration response to the UE.
  • the virtual machine registration request includes a username and a password set by the UE, and a temporary identifier of the UE.
  • the virtual machine registration request includes user information of the UE, and the processing module 12 is further configured to randomly generate a user name and password for the UE when allocating a virtual machine to the UE according to the user identifier.
  • the receiving module 11 is further configured to receive a virtual machine login request of the UE, where the virtual machine login request includes the user name and password of the UE; the sending module 13 is further configured to send the user name and password of the UE to the core network device, so that the core network device authenticates the UE according to the user name and password of the UE and returns an authentication response, where the authentication response includes the user identifier of the UE; the processing module 12 is further configured to start, according to the user identifier, the virtual machine allocated to the UE; the sending module 13 is further configured to return a virtual machine login response to the UE.
  • the receiving module 11 is further configured to receive a virtual machine removal request sent by the core network device after authenticating the UE according to a virtual machine logout request sent by the UE and querying the user identifier of the UE, where the virtual machine removal request includes the user identifier of the UE; the processing module 12 is further configured to remove the virtual machine allocated to the UE according to the virtual machine removal request, and delete the configuration information corresponding to the user identifier.
  • FIG. 10 is a schematic structural diagram of an embodiment of the core network device of the present invention.
  • the receiving module 11 is configured to receive an account registration request sent by the mobile virtualization device, where the account registration request includes the service identifier of the first application that the user equipment UE requests to register and the user identifier of the UE; the processing module 12 is configured to allocate to the UE, according to the account registration request, an application account for logging in to the first application; the sending module 13 is configured to send the application account to the mobile virtualization device and the application server of the first application.
  • the device of this embodiment may be used to implement the technical solution of the method embodiment shown in any of FIG. 3 and FIG. 5 to FIG. 9.
  • the implementation principle and technical effects are similar, and details are not described herein again.
  • the processing module 12 is further configured to allocate a service identifier to the pre-registered application; the sending module 13 is further configured to send the service identifier to the mobile virtualization device.
  • the receiving module 11 is further configured to receive an account obtaining request that is sent by the mobile virtualization device after it fails to find the application account with which the UE logs in to the second application, where the account obtaining request includes the service identifier of the second application and the user identifier of the UE; the sending module 13 is further configured to return the application account to the mobile virtualization device according to the account acquisition request.
  • the receiving module 11 is further configured to receive a virtual machine registration request sent by the UE; the processing module 12 is further configured to allocate a user identifier to the UE according to the virtual machine registration request; the sending module 13 is further configured to send the user identifier to the mobile virtualization device, so that the mobile virtualization device allocates a virtual machine to the UE according to the user identifier; the receiving module 11 is further configured to receive a virtual machine allocation response sent by the mobile virtualization device, where the virtual machine allocation response includes a username and a password of the UE; the processing module 12 is further configured to store the username and password of the UE; and the sending module 13 is further configured to return a virtual machine registration response to the UE.
  • the virtual machine registration request includes a user name and a password set by the UE, and a temporary identifier of the UE; or the virtual machine registration request includes user information of the UE.
  • the receiving module 11 is further configured to receive a username and a password of the UE that are sent by the mobile virtualization device according to a virtual machine login request sent by the UE, where the virtual machine login request includes a username of the UE and
  • the receiving module 11 is further configured to receive a virtual machine logout request sent by the UE, where the virtual machine logout request includes a username and a password of the UE, and the processing module 12 is further configured to use the virtual machine according to the virtual machine
  • the sending module 13 is further configured to send a virtual machine removal request to the mobile virtualization device, where the virtual machine removal request includes the user identifier, so that the mobile virtualization device removes the virtual machine allocated to the UE according to the virtual machine removal request and deletes the configuration information corresponding to the user identifier; the processing module 12 is further configured to delete the configuration information corresponding to the user identifier; the sending module 13 is further configured to return a virtual machine logout response to the UE.
  • FIG. 11 is a schematic structural diagram of an embodiment of an application server according to the present invention.
  • the apparatus in this embodiment may include: a receiving module 21, configured to receive an application account sent by a core network device, where the application account is the application account that the core network device allocates when the user equipment UE requests to register with the first application.
  • the structural diagram shown in FIG. 10 can also be used as a schematic structural diagram of another embodiment of the application server of the present invention.
  • the receiving module 11 is further configured to receive an application account sent by the mobile virtualization device.
  • the application account is an application account of the second application that the mobile virtualization device requests to log in according to the application login request sent by the UE;
  • the processing module 12 is configured to authenticate the application account;
  • the sending module 13 is configured to return an authentication response to the mobile virtualization device.
  • the device in this embodiment may be used to implement the technical solution of the method embodiment shown in any of FIG. 4 to FIG. 9.
  • the implementation principle and technical effects are similar, and details are not described herein again.
  • FIG. 12 is a schematic structural diagram of another embodiment of a mobile virtual device according to the present invention.
  • the device in this embodiment may include: a receiver 31, a processor 32, and a transmitter 33, wherein the receiver 31 is configured to receive an application registration request sent by the user equipment UE, where the application registration request includes information of the first application with which the UE requests to register; the processor 32 is configured to query the service identifier of the first application and the user identifier of the UE according to the application registration request; the sender 33 is configured to send an account registration request to the core network device, where the account registration request includes the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account of the first application and sends the application account to the application server of the first application; the receiver 31 is further configured to acquire the application account from the core network device, so as to use the application account as an authentication identifier for the UE to log in to the first application, and to return an application registration response to the UE.
  • the device in this embodiment may be used to implement the technical solution of the method embodiment shown in any of FIG. 2 and FIG. 5 to FIG. 9.
  • the implementation principle and technical effects are similar, and details are not described herein again.
  • the receiver 31 is further configured to acquire, from the core network device, a service identifier that is allocated by the core network device to a pre-registered application.
  • the receiver 31 is further configured to receive an application login request sent by the UE, where the application login request includes information about a second application that the UE requests to log in to; the processor 32 is further configured to query, according to the application login request, the application account with which the UE logs in to the second application; the sender 33 is further configured to send the application account to the application server of the second application, so that the application server authenticates the application account and returns an authentication response.
  • the receiver 31 is further configured to receive the authentication response from the application server, and feed back the login result to the UE according to the authentication response.
  • the sender 33 is further configured to: if the application account is not found, send an account acquisition request to the core network device, where the account acquisition request includes the service identifier and the user identifier;
  • the receiver 31 is further configured to acquire the application account from the core network device.
  • the sender 33 is further configured to: if two or more application accounts are found, send the two or more application accounts to the UE; and the receiver 31 is further configured to receive the application account, sent by the UE, that is selected for logging in to the second application.
  • the receiver 31 is further configured to receive the user identifier that the core network device allocates to the UE according to a virtual machine registration request sent by the UE; the processor 32 is further configured to allocate a virtual machine to the UE according to the user identifier; the sender 33 is further configured to return a virtual machine allocation response to the core network device, where the virtual machine allocation response includes a username and a password of the UE, so that the core network device stores the username and password of the UE according to the virtual machine allocation response and returns a virtual machine registration response to the UE.
  • the virtual machine registration request includes a username, a password, and a temporary identifier of the UE set by the UE.
  • the virtual machine registration request includes information about the user using the UE, and the processor 32 is further configured to randomly generate the user name and password for the UE while allocating a virtual machine to the UE according to the user identifier.
  • the receiver 31 is further configured to receive a virtual machine login request of the UE, where the virtual machine login request includes a username and a password of the UE; the sender 33 is further configured to send the user name and password of the UE to the core network device, so that the core network device authenticates the UE according to the user name and password of the UE and returns an authentication response, where the authentication response includes the user identifier of the UE.
  • the processor 32 is further configured to start, according to the user identifier, the virtual machine allocated for the UE, and the sender 33 is further configured to return a virtual machine login response to the UE.
  • the receiver 31 is further configured to receive a virtual machine removal request that the core network device sends after authenticating the UE according to a virtual machine logout request sent by the UE and querying the user identifier of the UE, where the virtual machine removal request includes the user identifier of the UE; the processor 32 is further configured to remove the virtual machine allocated to the UE according to the virtual machine destruction request, and delete the configuration information corresponding to the user identifier of the UE.
  • FIG. 12 is a schematic structural diagram of another embodiment of the core network device of the present invention.
  • the receiver 31 is configured to receive an account registration request sent by the mobile virtualization device, where the account registration request includes a service identifier of the first application with which the user equipment UE requests to register, and a user identifier of the UE;
  • the processor 32 is configured to allocate to the UE, according to the account registration request, an application account for logging in to the first application;
  • the sender 33 is configured to send the application account to the mobile virtualization device and the application server of the first application.
  • the device in this embodiment may be used to execute the method embodiment shown in any one of FIG. 3 and FIG. 5 to FIG.
  • the technical solution has similar implementation principles and technical effects, and will not be described here.
  • the processor 32 is further configured to allocate a service identifier to the pre-registered application, and the sender 33 is further configured to send the service identifier to the mobile virtualization device.
  • the receiver 31 is further configured to receive an account acquisition request that the mobile virtualization device sends after failing to obtain an application account with which the UE logs in to the second application, where the account acquisition request includes the second application
  • the sender 33 is further configured to return the application account to the mobile virtualization device according to the account acquisition request.
  • the receiver 31 is further configured to receive a virtual machine registration request sent by the UE; the processor 32 is further configured to allocate a user identifier to the UE according to the virtual machine registration request; the sender 33 is further configured to send the user identifier to the mobile virtualization device, so that the mobile virtualization device allocates a virtual machine to the UE according to the user identifier; the receiver 31 is further configured to receive a virtual machine allocation response sent by the mobile virtualization device, where the virtual machine allocation response includes a username and a password of the UE; the processor 32 is further configured to store the username and password of the UE; the sender 33 is further configured to return a virtual machine registration response to the UE.
  • the virtual machine registration request includes a user name and a password set by the UE, and a temporary identifier of the UE; or the virtual machine registration request includes information about the user using the UE.
  • the receiver 31 is further configured to receive a username and a password of the UE that are sent by the mobile virtualization device according to a virtual machine login request sent by the UE, where the virtual machine login request includes a username of the UE and
  • the processor 32 is further configured to perform authentication on the UE according to the user name and password of the UE;
  • the sender 33 is further configured to return an authentication response, where the authentication response includes the user identifier of the UE, so that the mobile virtualization device starts the virtual machine allocated to the UE according to the user identifier and returns a virtual machine login response to the UE.
  • the receiver 31 is further configured to receive a virtual machine logout request sent by the UE, where the virtual machine logout request includes a username and a password of the UE, and the processor 32 is further configured to authenticate the UE according to the virtual machine logout request and query the user identifier of the UE;
  • the sender 33 is further configured to send a virtual machine removal request to the mobile virtualization device, where the virtual machine removal request includes the user identifier, so that the mobile virtualization device removes the virtual machine allocated to the UE according to the virtual machine removal request and deletes the configuration information corresponding to the user identifier;
  • the processor 32 is further configured to delete the configuration information corresponding to the user identifier;
  • the sender 33 is further configured to return a virtual machine logout response to the UE.
  • FIG. 13 is a schematic structural diagram of still another embodiment of an application server according to the present invention.
  • the device in this embodiment may include: a receiver 41, configured to receive an application account sent by a core network device, where the application account is the application account that the core network device allocates when the user equipment UE requests to register with the first application.
  • the structural diagram shown in FIG. 12 can also be used as a schematic structural diagram of another embodiment of the application server of the present invention.
  • the receiver 31 is further configured to receive an application account sent by the mobile virtualization device.
  • the application account is an application account of the second application that the mobile virtualization device requests to log in according to the application login request sent by the UE, and the processor 32 is configured to authenticate the application account.
  • the transmitter 33 is configured to return an authentication response to the mobile virtualization device.
  • the device in this embodiment may be used to implement the technical solution of the method embodiment shown in any of FIG. 4 to FIG. 9.
  • the implementation principle and technical effects are similar, and details are not described herein again.
  • FIG. 14 is a schematic structural diagram of another embodiment of an authentication system according to the present invention.
  • the system in this embodiment includes: a mobile virtualization device 51, a core network device 52, an application server 53, and a UE 54;
  • the mobile virtualization device 51 may adopt the structure of the device embodiment shown in FIG. 10 or FIG. 12, and correspondingly, the technical solution of the method embodiment of any one of FIG. 2, FIG. 5 to FIG. The technical effects are similar, and are not described herein again;
  • the core network device 52 may adopt the structure of the device embodiment shown in FIG. 10 or FIG. 12, and correspondingly, the method embodiment of any one of FIG. 3, FIG. 5 to FIG.
  • the application server 53 can adopt the structure of the device embodiment shown in any one of FIG. 10 to FIG. 13 , and correspondingly, the execution can be performed in FIG. 4 to FIG. 9 .
  • the technical solution of any method embodiment is similar to the technical solution, and details are not described herein again.
  • the disclosed apparatus and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or may be distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
  • the above-described integrated unit implemented in the form of a software functional unit can be stored in a computer readable storage medium.
  • the above software functional unit is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor to perform part of the steps of the methods of the various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media that can store program code.

Abstract

Provided are a user authentication method, apparatus and system. The user authentication method in the present invention comprises: receiving an application registration request sent by a user equipment (UE), wherein the application registration request comprises information about a first application in which the UE requests registration; querying a service identifier of the first application and a user identifier of the UE according to the application registration request; sending an account registration request to a core network device, wherein the account registration request comprises the service identifier and the user identifier; and acquiring the application account from the core network device so as to take the application account as an authentication identifier for the UE to subsequently log into the first application, and returning an application registration response to the UE. The embodiments of the present invention solve the limitation in platform application management, reduce user information redundancy, reduce management loads, and improve the efficiency of system authorization.

Description

User authentication method, apparatus and system
Technical field
Embodiments of the present invention relate to communication technologies, and in particular to a user authentication method, apparatus and system.
Background
Authentication means verifying whether a user has the right to access a system. Traditional authentication is performed with a password. The premise of this approach is that every user who has obtained a password has already been authorized: when a user registers, the user is assigned a username and a password, the user logs in with the username and password, and the system completes user authentication by verifying whether the username and password are valid.
The Open Mobile Platform (OMP) is an open, standards-based integrated platform proposed by China Mobile to meet the development needs of mobile Internet services. OMP integrates the basic capabilities of the Internet and telecommunications; it can provide application programming interfaces (APIs) and can also serve as an operations management platform. OMP provides a unified authentication service for applications published on the platform: these applications are treated as part of the OMP service, and an authentication center manages user information centrally. When a user uses an application on OMP, the user enters the corresponding username and password, the authentication center authenticates them, and a user who passes authentication can use the application.
However, the OMP authentication mechanism can only authenticate applications published on the platform. It requires that an application be part of the OMP service, which is a limitation. Moreover, user information is managed per application, which causes a large amount of redundant user information, increases the management load, and reduces the efficiency of system authentication.
Summary of the invention
Embodiments of the present invention provide a user authentication method, apparatus and system, to solve the limitation of platform application management, reduce user information redundancy, lower the management load, and improve the efficiency of system authentication.
In a first aspect, an embodiment of the present invention provides a user authentication method, including:
receiving an application registration request sent by a user equipment (UE), where the application registration request includes information about a first application with which the UE requests to register;
querying, according to the application registration request, a service identifier of the first application and a user identifier of the UE;
sending an account registration request to a core network device, where the account registration request includes the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application and sends the application account to an application server of the first application;
acquiring the application account from the core network device so as to use the application account as an authentication identifier for the UE's subsequent login to the first application, and returning an application registration response to the UE.
With reference to the first aspect, in a first possible implementation of the first aspect, before the receiving of the application registration request sent by the user equipment UE, the method further includes:
acquiring, from the core network device, a service identifier allocated by the core network device to a pre-registered application.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, after the acquiring of the application account from the core network device so as to use the application account as an authentication identifier for the UE's subsequent login to the first application and the returning of the application registration response to the UE, the method further includes:
receiving an application login request sent by the UE, where the application login request includes information about a second application that the UE requests to log in to;
querying, according to the application login request, the application account with which the UE logs in to the second application;
sending the application account to an application server of the second application, so that the application server authenticates the application account and returns an authentication response;
receiving the authentication response from the application server, and feeding back a login result to the UE according to the authentication response.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, after the querying, according to the application login request, of the application account with which the UE logs in to the second application, the method further includes:
if the application account is not found, sending an account acquisition request to the core network device, where the account acquisition request includes the service identifier and the user identifier, and acquiring the application account from the core network device.
With reference to the second or third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, after the querying, according to the application login request, of the application account with which the UE logs in to the second application, the method further includes:
if two or more application accounts are found, sending the two or more application accounts to the UE, and receiving the application account, sent by the UE, that is selected for logging in to the second application.
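The registration and login exchange of the first aspect, including the account acquisition fallback and the two-or-more-accounts case, modelled in Python as an added example (it is not part of the patent text). The class and method names, the `svc-N` service identifier format, and the use of random hex strings as application accounts are assumptions; the patent does not specify them.

```python
import secrets


class ApplicationServer:
    def __init__(self):
        self.accounts = set()  # accounts pushed by the core network device

    def receive_account(self, account):
        self.accounts.add(account)

    def authenticate(self, account):
        # Authentication response: only provisioned accounts are accepted.
        return account in self.accounts


class CoreNetworkDevice:
    def __init__(self):
        self.servers = {}   # service identifier -> ApplicationServer
        self.accounts = {}  # (service identifier, user identifier) -> [accounts]

    def pre_register_application(self, server):
        service_id = "svc-%d" % (len(self.servers) + 1)  # constructed format
        self.servers[service_id] = server
        return service_id

    def account_registration(self, service_id, user_id):
        if service_id not in self.servers:
            raise KeyError("unknown service identifier")
        account = secrets.token_hex(16)  # assumption: random account value
        self.accounts.setdefault((service_id, user_id), []).append(account)
        self.servers[service_id].receive_account(account)  # to the app server
        return account                                      # to the MVD

    def account_acquisition(self, service_id, user_id):
        return list(self.accounts.get((service_id, user_id), []))


class MobileVirtualizationDevice:
    def __init__(self, core):
        self.core = core
        self.services = {}  # application name -> (service identifier, server)
        self.user_ids = {}  # UE handle -> user identifier
        self.accounts = {}  # (service identifier, user identifier) -> [accounts]

    def _lookup(self, ue, app):
        service_id, server = self.services[app]
        return service_id, server, self.user_ids[ue]

    def application_registration(self, ue, app):
        service_id, _, user_id = self._lookup(ue, app)
        account = self.core.account_registration(service_id, user_id)
        self.accounts.setdefault((service_id, user_id), []).append(account)
        return {"ok": True}  # application registration response

    def application_login(self, ue, app, select=None):
        service_id, server, user_id = self._lookup(ue, app)
        key = (service_id, user_id)
        found = self.accounts.get(key, [])
        if not found:  # nothing held locally: account acquisition request
            found = self.core.account_acquisition(service_id, user_id)
            if found:
                self.accounts[key] = found
        if not found:
            return {"ok": False, "reason": "no application account"}
        if len(found) == 1:
            account = found[0]
        elif select is None:  # two or more accounts: the UE has to choose
            return {"ok": False, "reason": "selection required"}
        else:
            account = select(list(found))
            if account not in found:
                return {"ok": False, "reason": "unknown selection"}
        ok = server.authenticate(account)  # authentication by the app server
        return {"ok": ok, "reason": None if ok else "rejected"}


def run_demo():
    core = CoreNetworkDevice()
    mvd = MobileVirtualizationDevice(core)
    mail, chat = ApplicationServer(), ApplicationServer()
    for name, server in (("mail", mail), ("chat", chat)):
        mvd.services[name] = (core.pre_register_application(server), server)
    mvd.user_ids["ue-1"] = "user-0001"  # constructed user identifier
    out = {"before_registration": mvd.application_login("ue-1", "mail")}
    out["registration"] = mvd.application_registration("ue-1", "mail")
    out["login"] = mvd.application_login("ue-1", "mail")
    mvd.accounts.clear()  # the MVD no longer holds the account locally
    out["after_acquisition"] = mvd.application_login("ue-1", "mail")
    mvd.application_registration("ue-1", "mail")  # second account, same app
    out["two_accounts"] = mvd.application_login("ue-1", "mail")
    out["selected"] = mvd.application_login("ue-1", "mail", select=lambda a: a[-1])
    out["other_app"] = mvd.application_login("ue-1", "chat")
    out["cross_app"] = chat.authenticate(next(iter(mail.accounts)))
    return out


if __name__ == "__main__":
    print(run_demo())
```

In this model the application server accepts any account value it was provisioned with, so the application account works as a bearer credential between the mobile virtualization device and the application server; an account provisioned for one application is rejected by the server of another.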
With reference to the first aspect, in a fifth possible implementation of the first aspect, before the receiving of the application registration request sent by the user equipment UE, the method further includes:
receiving the user identifier that the core network device allocates to the UE according to a virtual machine registration request sent by the UE;
allocating a virtual machine to the UE according to the user identifier, and returning a virtual machine allocation response to the core network device, where the virtual machine allocation response includes a username and a password of the UE, so that the core network device stores the username and password of the UE according to the virtual machine allocation response and returns a virtual machine registration response to the UE.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation of the first aspect, the virtual machine registration request includes a username and a password set by the UE, and a temporary identifier of the UE.
With reference to the fifth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, the virtual machine registration request includes information about the user using the UE;
while allocating a virtual machine to the UE according to the user identifier, the method further includes:
randomly generating the username and password for the UE.
With reference to any one of the fifth to seventh possible implementations of the first aspect, in an eighth possible implementation of the first aspect, after the allocating of a virtual machine to the UE according to the user identifier and the returning of the virtual machine allocation response to the core network device, the method further includes:
receiving a virtual machine login request of the UE, where the virtual machine login request includes the username and password of the UE;
sending the username and password of the UE to the core network device, so that the core network device authenticates the UE according to the username and password of the UE and returns an authentication response, where the authentication response includes the user identifier of the UE;
starting, according to the user identifier, the virtual machine allocated to the UE, and returning a virtual machine login response to the UE.
With reference to any one of the fifth to eighth possible implementations of the first aspect, in a ninth possible implementation of the first aspect, after the allocating of a virtual machine to the UE according to the user identifier and the returning of the virtual machine allocation response to the core network device, the method further includes:
receiving a virtual machine removal request that the core network device sends after authenticating the UE according to a virtual machine logout request sent by the UE and querying the user identifier of the UE, where the virtual machine removal request includes the user identifier of the UE;
removing, according to the virtual machine destruction request, the virtual machine allocated to the UE, and deleting the configuration information corresponding to the user identifier of the UE.
In a second aspect, an embodiment of the present invention provides a user authentication method, including:
receiving an account registration request sent by a mobile virtualization device, where the account registration request includes a service identifier of a first application with which a user equipment UE requests to register and a user identifier of the UE;
allocating to the UE, according to the account registration request, an application account for logging in to the first application;
sending the application account to the mobile virtualization device and to an application server of the first application.
With reference to the second aspect, in a first possible implementation of the second aspect, before the receiving of the account registration request sent by the mobile virtualization device, the method further includes:
allocating a service identifier to a pre-registered application, and sending the service identifier to the mobile virtualization device.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, after the sending of the application account to the mobile virtualization device and the application server of the first application, the method further includes:
receiving an account acquisition request that the mobile virtualization device sends after failing to obtain an application account with which the UE logs in to a second application, where the account acquisition request includes a service identifier of the second application and the user identifier of the UE;
returning the application account to the mobile virtualization device according to the account acquisition request.
With reference to the second aspect or the first possible implementation of the second aspect, in a third possible implementation of the second aspect, before the receiving of the account registration request sent by the mobile virtualization device, the method further includes:
receiving a virtual machine registration request sent by the UE, and allocating a user identifier to the UE according to the virtual machine registration request;
sending the user identifier to the mobile virtualization device, so that the mobile virtualization device allocates a virtual machine to the UE according to the user identifier;
receiving a virtual machine allocation response sent by the mobile virtualization device, where the virtual machine allocation response includes a username and a password of the UE; and
storing the username and password of the UE, and returning a virtual machine registration response to the UE.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the virtual machine registration request includes a username and a password set by the UE and a temporary identification code of the UE; or
the virtual machine registration request includes information about the user who uses the UE.
With reference to the third or fourth possible implementation of the second aspect, in a fifth possible implementation of the second aspect, after the storing of the username and password of the UE and the returning of the virtual machine registration response to the UE, the method further includes:
receiving the username and password of the UE that the mobile virtualization device sends according to a virtual machine login request sent by the UE, where the virtual machine login request includes the username and password of the UE; and
authenticating the UE according to the username and password of the UE, and returning an authentication response that includes the user identifier of the UE, so that the mobile virtualization device starts, according to the user identifier, the virtual machine allocated to the UE and returns a virtual machine login response to the UE.
With reference to any one of the third to fifth possible implementations of the second aspect, in a sixth possible implementation of the second aspect, after the storing of the username and password of the UE and the returning of the virtual machine registration response to the UE, the method further includes:
receiving a virtual machine logout request sent by the UE, where the virtual machine logout request includes the username and password of the UE;
authenticating the UE according to the virtual machine logout request, and querying the user identifier of the UE;
sending a virtual machine removal request to the mobile virtualization device, where the virtual machine removal request includes the user identifier, so that the mobile virtualization device removes, according to the virtual machine removal request, the virtual machine allocated to the UE and deletes configuration information corresponding to the user identifier; and
deleting configuration information corresponding to the user identifier, and returning a virtual machine logout response to the UE.
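The core network device's side of the second aspect can be modelled in a few dozen lines. The sketch below is an added illustration and not part of the application: the class names, the identifier formats, the single account per (service, user) pair, the salted PBKDF2 storage of the password and the sample values are all assumptions of the example.

```python
import hashlib
import hmac
import secrets


def hash_password(password, salt):
    # Assumption of this example: keep a salted PBKDF2 hash, never the raw password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MobileVirtualizationDevice:
    """Hypothetical stand-in for the peer that hosts the per-UE virtual machines."""

    def __init__(self):
        self.service_ids = {}  # application name -> service identifier
        self.vms = {}          # user identifier -> VM state
        self.accounts = {}     # (service identifier, user identifier) -> account

    def allocate_vm(self, user_id, username, password):
        self.vms[user_id] = "allocated"
        # The VM allocation response carries the UE's username and password.
        return {"username": username, "password": password}

    def remove_vm(self, user_id):
        self.vms.pop(user_id, None)
        for key in [k for k in self.accounts if k[1] == user_id]:
            del self.accounts[key]


class CoreNetworkDevice:
    def __init__(self, mvd):
        self.mvd = mvd
        self.users = {}        # username -> (salt, password hash, user identifier)
        self.accounts = {}     # (service identifier, user identifier) -> account
        self.app_servers = {}  # service identifier -> accounts sent to that server

    def preregister_app(self, app_name):
        service_id = "svc-" + secrets.token_hex(4)
        self.app_servers[service_id] = set()
        self.mvd.service_ids[app_name] = service_id  # sent to the MVD
        return service_id

    def vm_register(self, username, password):
        if username in self.users:
            raise ValueError("username already registered")
        user_id = "uid-" + secrets.token_hex(8)
        resp = self.mvd.allocate_vm(user_id, username, password)
        salt = secrets.token_bytes(16)
        self.users[resp["username"]] = (salt, hash_password(resp["password"], salt), user_id)
        return "registered"

    def authenticate(self, username, password):
        """Return the user identifier on success, None otherwise."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored, user_id = record
        ok = hmac.compare_digest(stored, hash_password(password, salt))
        return user_id if ok else None

    def register_account(self, service_id, user_id):
        known_ids = {rec[2] for rec in self.users.values()}
        if service_id not in self.app_servers or user_id not in known_ids:
            raise KeyError("unknown service identifier or user identifier")
        key = (service_id, user_id)
        if key not in self.accounts:  # simplification: one account per (service, user)
            self.accounts[key] = "acct-" + secrets.token_urlsafe(16)
        account = self.accounts[key]
        self.mvd.accounts[key] = account           # copy for the MVD
        self.app_servers[service_id].add(account)  # copy for the application server
        return account

    def get_account(self, service_id, user_id):
        # Account acquisition request: the MVD has no local copy of the account.
        return self.accounts.get((service_id, user_id))

    def vm_logout(self, username, password):
        user_id = self.authenticate(username, password)
        if user_id is None:
            return "denied"
        self.mvd.remove_vm(user_id)
        # Delete every record tied to the user identifier, including the copies
        # already handed to application servers (an assumption of this example).
        for key in [k for k in self.accounts if k[1] == user_id]:
            self.app_servers[key[0]].discard(self.accounts.pop(key))
        del self.users[username]
        return "logged out"


def demo():
    mvd = MobileVirtualizationDevice()
    core = CoreNetworkDevice(mvd)
    sid = core.preregister_app("mail")          # constructed sample values
    core.vm_register("alice", "correct horse")
    uid = core.authenticate("alice", "correct horse")
    account = core.register_account(sid, uid)
    return core, mvd, sid, uid, account
```

The application account is a random value bound to the (service identifier, user identifier) pair, so the application server never sees the username or password that protect the virtual machine.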
In a third aspect, an embodiment of the present invention provides a user authentication method, including:
receiving an application account sent by a core network device, where the application account is the application account that the core network device allocates to a user equipment (UE) when the UE requests to register a first application.
With reference to the third aspect, in a first possible implementation of the third aspect, after the receiving of the application account sent by the core network device, the method further includes:
receiving an application account sent by a mobile virtualization device, where the application account is the application account, found by the mobile virtualization device according to an application login request sent by the UE, of a second application that the UE requests to log in to; and
authenticating the application account, and returning an authentication response to the mobile virtualization device.
In a fourth aspect, an embodiment of the present invention provides a mobile virtual device, including:
a receiving module, configured to receive an application registration request sent by a user equipment (UE), where the application registration request includes information about a first application that the UE requests to register;
a processing module, configured to query, according to the application registration request, a service identifier of the first application and a user identifier of the UE; and
a sending module, configured to send an account registration request to a core network device, where the account registration request includes the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application and sends the application account to an application server of the first application;
where the receiving module is further configured to obtain the application account from the core network device, so that the application account serves as the authentication identifier for the UE's subsequent logins to the first application, and to return an application registration response to the UE.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the receiving module is further configured to obtain, from the core network device, the service identifier that the core network device allocates to a pre-registered application.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the receiving module is further configured to receive an application login request sent by the UE, where the application login request includes information about a second application that the UE requests to log in to;
the processing module is further configured to query, according to the application login request, the application account with which the UE logs in to the second application;
the sending module is further configured to send the application account to an application server of the second application, so that the application server authenticates the application account and returns an authentication response; and
the receiving module is further configured to receive the authentication response from the application server and to feed back a login result to the UE according to the authentication response.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the sending module is further configured to send an account acquisition request to the core network device if the application account is not found, where the account acquisition request includes the service identifier and the user identifier; and
the receiving module is further configured to obtain the application account from the core network device.
With reference to the second or third possible implementation of the fourth aspect, in a fourth possible implementation of the fourth aspect, the sending module is further configured to send, if two or more application accounts are found, the two or more application accounts to the UE; and
the receiving module is further configured to receive the application account, sent by the UE, that has been selected for logging in to the second application.
With reference to the fourth aspect, in a fifth possible implementation of the fourth aspect, the receiving module is further configured to receive the user identifier that the core network device allocates to the UE according to a virtual machine registration request sent by the UE;
the processing module is further configured to allocate a virtual machine to the UE according to the user identifier; and
the sending module is further configured to return a virtual machine allocation response to the core network device, where the virtual machine allocation response includes a username and a password of the UE, so that the core network device stores the username and password of the UE according to the virtual machine allocation response and returns a virtual machine registration response to the UE.
With reference to the fifth possible implementation of the fourth aspect, in a sixth possible implementation of the fourth aspect, the virtual machine registration request includes a username and a password set by the UE and a temporary identification code of the UE.
With reference to the fifth possible implementation of the fourth aspect, in a seventh possible implementation of the fourth aspect, the virtual machine registration request includes information about the user who uses the UE; and
the processing module is further configured to randomly generate the username and password for the UE while allocating the virtual machine to the UE according to the user identifier.
With reference to any one of the fifth to seventh possible implementations of the fourth aspect, in an eighth possible implementation of the fourth aspect, the receiving module is further configured to receive a virtual machine login request from the UE, where the virtual machine login request includes the username and password of the UE;
the sending module is further configured to send the username and password of the UE to the core network device, so that the core network device authenticates the UE according to the username and password of the UE and returns an authentication response, where the authentication response includes the user identifier of the UE;
the processing module is further configured to start, according to the user identifier, the virtual machine allocated to the UE; and
the sending module is further configured to return a virtual machine login response to the UE.
With reference to any one of the fifth to eighth possible implementations of the fourth aspect, in a ninth possible implementation of the fourth aspect, the receiving module is further configured to receive a virtual machine removal request that the core network device sends after authenticating the UE according to a virtual machine logout request sent by the UE and querying the user identifier of the UE, where the virtual machine removal request includes the user identifier of the UE; and
the processing module is further configured to remove, according to the virtual machine destruction request, the virtual machine allocated to the UE, and to delete configuration information corresponding to the user identifier of the UE.
In a fifth aspect, an embodiment of the present invention provides a core network device, including:
a receiving module, configured to receive an account registration request sent by a mobile virtualization device, where the account registration request includes a service identifier of a first application that a user equipment (UE) requests to register and a user identifier of the UE;
a processing module, configured to allocate, to the UE according to the account registration request, an application account for logging in to the first application; and
a sending module, configured to send the application account to the mobile virtualization device and to an application server of the first application.
With reference to the fifth aspect, in a first possible implementation of the fifth aspect, the processing module is further configured to allocate a service identifier to a pre-registered application; and
the sending module is further configured to send the service identifier to the mobile virtualization device.
With reference to the fifth aspect or the first possible implementation of the fifth aspect, in a second possible implementation of the fifth aspect, the receiving module is further configured to receive an account acquisition request that the mobile virtualization device sends after failing to obtain an application account with which the UE logs in to a second application, where the account acquisition request includes a service identifier of the second application and the user identifier of the UE; and
the sending module is further configured to return the application account to the mobile virtualization device according to the account acquisition request.
With reference to the fifth aspect or the first possible implementation of the fifth aspect, in a third possible implementation of the fifth aspect, the receiving module is further configured to receive a virtual machine registration request sent by the UE;
the processing module is further configured to allocate a user identifier to the UE according to the virtual machine registration request;
the sending module is further configured to send the user identifier to the mobile virtualization device, so that the mobile virtualization device allocates a virtual machine to the UE according to the user identifier;
the receiving module is further configured to receive a virtual machine allocation response sent by the mobile virtualization device, where the virtual machine allocation response includes a username and a password of the UE;
the processing module is further configured to store the username and password of the UE; and
the sending module is further configured to return a virtual machine registration response to the UE.
With reference to the third possible implementation of the fifth aspect, in a fourth possible implementation of the fifth aspect, the virtual machine registration request includes a username and a password set by the UE and a temporary identification code of the UE; or
the virtual machine registration request includes information about the user who uses the UE.
With reference to the third or fourth possible implementation of the fifth aspect, in a fifth possible implementation of the fifth aspect, the receiving module is further configured to receive the username and password of the UE that the mobile virtualization device sends according to a virtual machine login request sent by the UE, where the virtual machine login request includes the username and password of the UE;
the processing module is further configured to authenticate the UE according to the username and password of the UE; and
the sending module is further configured to return an authentication response that includes the user identifier of the UE, so that the mobile virtualization device starts, according to the user identifier, the virtual machine allocated to the UE and returns a virtual machine login response to the UE.
With reference to any one of the third to fifth possible implementations of the fifth aspect, in a sixth possible implementation of the fifth aspect, the receiving module is further configured to receive a virtual machine logout request sent by the UE, where the virtual machine logout request includes the username and password of the UE;
the processing module is further configured to authenticate the UE according to the virtual machine logout request and to query the user identifier of the UE;
the sending module is further configured to send a virtual machine removal request to the mobile virtualization device, where the virtual machine removal request includes the user identifier, so that the mobile virtualization device removes, according to the virtual machine removal request, the virtual machine allocated to the UE and deletes configuration information corresponding to the user identifier;
the processing module is further configured to delete configuration information corresponding to the user identifier; and
the sending module is further configured to return a virtual machine logout response to the UE.
In a sixth aspect, an embodiment of the present invention provides an application server, including:
a receiving module, configured to receive an application account sent by a core network device, where the application account is the application account that the core network device allocates to a user equipment (UE) when the UE requests to register a first application.
With reference to the sixth aspect, in a first possible implementation of the sixth aspect, the application server further includes a processing module and a sending module;
the receiving module is further configured to receive an application account sent by a mobile virtualization device, where the application account is the application account, found by the mobile virtualization device according to an application login request sent by the UE, of a second application that the UE requests to log in to;
the processing module is configured to authenticate the application account; and
the sending module is configured to return an authentication response to the mobile virtualization device.
In a seventh aspect, an embodiment of the present invention provides a mobile virtual device, including:
a receiver, configured to receive an application registration request sent by a user equipment (UE), where the application registration request includes information about a first application that the UE requests to register;
a processor, configured to query, according to the application registration request, a service identifier of the first application and a user identifier of the UE; and
a transmitter, configured to send an account registration request to a core network device, where the account registration request includes the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application and sends the application account to an application server of the first application;
where the receiver is further configured to obtain the application account from the core network device, so that the application account serves as the authentication identifier for the UE's subsequent logins to the first application, and to return an application registration response to the UE.
With reference to the seventh aspect, in a first possible implementation of the seventh aspect, the receiver is further configured to obtain, from the core network device, the service identifier that the core network device allocates to a pre-registered application.
With reference to the seventh aspect or the first possible implementation of the seventh aspect, in a second possible implementation of the seventh aspect, the receiver is further configured to receive an application login request sent by the UE, where the application login request includes information about a second application that the UE requests to log in to;
the processor is further configured to query, according to the application login request, the application account with which the UE logs in to the second application;
the transmitter is further configured to send the application account to an application server of the second application, so that the application server authenticates the application account and returns an authentication response; and
the receiver is further configured to receive the authentication response from the application server and to feed back a login result to the UE according to the authentication response.
With reference to the second possible implementation of the seventh aspect, in a third possible implementation of the seventh aspect, the transmitter is further configured to send an account acquisition request to the core network device if the application account is not found, where the account acquisition request includes the service identifier and the user identifier; and
the receiver is further configured to obtain the application account from the core network device.
With reference to the second or third possible implementation of the seventh aspect, in a fourth possible implementation of the seventh aspect, the transmitter is further configured to send, if two or more application accounts are found, the two or more application accounts to the UE; and
the receiver is further configured to receive the application account, sent by the UE, that has been selected for logging in to the second application.
With reference to the seventh aspect, in a fifth possible implementation of the seventh aspect, the receiver is further configured to receive the user identifier that the core network device allocates to the UE according to a virtual machine registration request sent by the UE;
the processor is further configured to allocate a virtual machine to the UE according to the user identifier; and
the transmitter is further configured to return a virtual machine allocation response to the core network device, where the virtual machine allocation response includes a username and a password of the UE, so that the core network device stores the username and password of the UE according to the virtual machine allocation response and returns a virtual machine registration response to the UE.
With reference to the fifth possible implementation of the seventh aspect, in a sixth possible implementation of the seventh aspect, the virtual machine registration request includes a username and a password set by the UE and a temporary identification code of the UE.
With reference to the fifth possible implementation of the seventh aspect, in a seventh possible implementation of the seventh aspect, the virtual machine registration request includes information about the user who uses the UE; and
the processor is further configured to randomly generate the username and password for the UE while allocating the virtual machine to the UE according to the user identifier.
With reference to any one of the fifth to seventh possible implementations of the seventh aspect, in an eighth possible implementation of the seventh aspect, the receiver is further configured to receive a virtual machine login request from the UE, where the virtual machine login request includes the username and password of the UE;
the transmitter is further configured to send the username and password of the UE to the core network device, so that the core network device authenticates the UE according to the username and password of the UE and returns an authentication response, where the authentication response includes the user identifier of the UE;
the processor is further configured to start, according to the user identifier, the virtual machine allocated to the UE; and
the transmitter is further configured to return a virtual machine login response to the UE.
With reference to any one of the fifth to eighth possible implementations of the seventh aspect, in a ninth possible implementation of the seventh aspect, the receiver is further configured to receive a virtual machine removal request that the core network device sends after authenticating the UE according to a virtual machine logout request sent by the UE and querying the user identifier of the UE, where the virtual machine removal request includes the user identifier of the UE; and
the processor is further configured to remove, according to the virtual machine destruction request, the virtual machine allocated to the UE, and to delete configuration information corresponding to the user identifier of the UE.
In an eighth aspect, an embodiment of the present invention provides a core network device, including:
a receiver, configured to receive an account registration request sent by a mobile virtualization device, where the account registration request includes a service identifier of a first application that a user equipment (UE) requests to register and a user identifier of the UE;
a processor, configured to allocate, to the UE according to the account registration request, an application account for logging in to the first application; and
a transmitter, configured to send the application account to the mobile virtualization device and to an application server of the first application.
With reference to the eighth aspect, in a first possible implementation of the eighth aspect, the processor is further configured to allocate a service identifier to a pre-registered application; and
the transmitter is further configured to send the service identifier to the mobile virtualization device.
With reference to the eighth aspect or the first possible implementation of the eighth aspect, in a second possible implementation of the eighth aspect, the receiver is further configured to receive an account acquisition request that the mobile virtualization device sends after failing to obtain an application account with which the UE logs in to a second application, where the account acquisition request includes a service identifier of the second application and the user identifier of the UE; and
the transmitter is further configured to return the application account to the mobile virtualization device according to the account acquisition request.
With reference to the eighth aspect or the first possible implementation of the eighth aspect, in a third possible implementation of the eighth aspect, the receiver is further configured to receive a virtual machine registration request sent by the UE;
the processor is further configured to allocate a user identifier to the UE according to the virtual machine registration request;
the transmitter is further configured to send the user identifier to the mobile virtualization device, so that the mobile virtualization device allocates a virtual machine to the UE according to the user identifier;
the receiver is further configured to receive a virtual machine allocation response sent by the mobile virtualization device, where the virtual machine allocation response includes a username and a password of the UE;
the processor is further configured to store the username and password of the UE; and
the transmitter is further configured to return a virtual machine registration response to the UE.
With reference to the third possible implementation of the eighth aspect, in a fourth possible implementation of the eighth aspect, the virtual machine registration request includes a username and a password set by the UE and a temporary identification code of the UE; or
the virtual machine registration request includes information about the user who uses the UE.
结合第八方面的第三种或第四种可能的实现方式,在第八方面的第五种可能的实现方式中,所述接收器,还用于接收所述移动虚拟化设备根据UE发送的虚拟机登录请求发送的所述UE的用户名和密码,所述虚拟机登录请求包括所述UE的用户名和密码;In conjunction with the third or fourth possible implementation of the eighth aspect, in a fifth possible implementation of the eighth aspect, the receiver is further configured to receive, by the mobile virtualization device, the UE a user name and a password of the UE sent by the virtual machine login request, where the virtual machine login request includes a username and a password of the UE;
所述处理器,还用于根据所述UE的用户名和密码对所述UE进行鉴权;The processor is further configured to perform authentication on the UE according to the username and password of the UE;
所述发送器,还用于返回鉴权响应,所述鉴权响应包括所述UE的用户标识,以使所述移动虚拟化设备根据所述用户标识启动为所述UE分配的所述虚拟机,并向所述UE返回虚拟机登录响应。The sender is further configured to return an authentication response, where the authentication response includes a user identifier of the UE, so that the mobile virtualization device starts the virtual machine allocated to the UE according to the user identifier. And returning a virtual machine login response to the UE.
结合第八方面的第三种至第五种中任一种可能的实现方式,在第八方面的第六种可能的实现方式中,所述接收器,还用于接收UE发送的虚拟机注销请求,所述虚拟机注销请求包括所述UE的用户名和密码;With reference to any one of the third to fifth possible implementation manners of the eighth aspect, in a sixth possible implementation manner of the eighth aspect, the receiver is further configured to receive a virtual machine logout sent by the UE The request, the virtual machine logout request includes a username and a password of the UE;
所述处理器,还用于根据所述虚拟机注销请求对所述UE进行鉴权,并查询所述UE的用户标识; The processor is further configured to perform authentication on the UE according to the virtual machine logout request, and query a user identifier of the UE;
所述发送器,还用于向所述移动虚拟化设备发送虚拟机撤除请求,所述虚拟机撤除请求包括所述用户标识,以使所述移动虚拟化设备根据所述虚拟机撤除请求撤除分配给所述UE的虚拟机,并删除与所述用户标识对应的配置信息;The transmitter is further configured to send a virtual machine removal request to the mobile virtualization device, where the virtual machine removal request includes the user identifier, so that the mobile virtualization device removes the allocation according to the virtual machine removal request Giving the virtual machine of the UE, and deleting configuration information corresponding to the user identifier;
所述处理器,还用于删除与所述用户标识对应的配置信息;The processor is further configured to delete configuration information corresponding to the user identifier;
所述发送器,还用于向所述UE返回虚拟机注销响应。The transmitter is further configured to return a virtual machine logout response to the UE.
In a ninth aspect, an embodiment of the present invention provides an application server, including:
a receiver, configured to receive an application account sent by a core network device, where the application account is the application account that the core network device allocates when a user equipment UE requests to register a first application.
With reference to the ninth aspect, in a first possible implementation of the ninth aspect, the application server further includes a processor and a transmitter;
the receiver is further configured to receive an application account sent by a mobile virtualization device, where the application account is the application account of a second application that the UE requests to log in to, as looked up by the mobile virtualization device according to an application login request sent by the UE;
the processor is configured to authenticate the application account;
the transmitter is configured to return an authentication response to the mobile virtualization device.
In a tenth aspect, an embodiment of the present invention provides an authentication system, including a mobile virtualization device, a core network device, an application server, and a user equipment UE, where the mobile virtualization device is the mobile virtualization device according to the fourth aspect or any one of the first to ninth possible implementations of the fourth aspect; the core network device is the core network device according to the fifth aspect or any one of the first to sixth possible implementations of the fifth aspect; and the application server is the application server according to the sixth aspect or the first possible implementation of the sixth aspect.
In an eleventh aspect, an embodiment of the present invention provides an authentication system, including a mobile virtualization device, a core network device, an application server, and a user equipment UE, where the mobile virtualization device is the mobile virtualization device according to the seventh aspect or any one of the first to ninth possible implementations of the seventh aspect; the core network device is the core network device according to the eighth aspect or any one of the first to sixth possible implementations of the eighth aspect; and the application server is the application server according to the ninth aspect or the first possible implementation of the ninth aspect.
In the user authentication method, apparatus, and system of the embodiments of the present invention, the mobile virtualization device acts as a proxy for the UE and performs application registration and login in place of the UE. This spares the user the tedious manual setting of a username and password during registration with each application, removes the limitations of platform-based application management, reduces redundant user information, lowers the management load, and improves the efficiency of system authentication.
Brief Description of the Drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of an embodiment of the authentication system of the present invention;
FIG. 2 is a flowchart of an embodiment of the user authentication method of the present invention;
FIG. 3 is a flowchart of another embodiment of the user authentication method of the present invention;
FIG. 4 is a flowchart of yet another embodiment of the user authentication method of the present invention;
FIG. 5 is a flowchart of a fourth embodiment of the user authentication method of the present invention;
FIG. 6 is a flowchart of a fifth embodiment of the user authentication method of the present invention;
FIG. 7 is a flowchart of a sixth embodiment of the user authentication method of the present invention;
FIG. 8 is a flowchart of a seventh embodiment of the user authentication method of the present invention;
FIG. 9 is a flowchart of an eighth embodiment of the user authentication method of the present invention;
FIG. 10 is a schematic structural diagram of an embodiment of the mobile virtualization device of the present invention;
FIG. 11 is a schematic structural diagram of an embodiment of the application server of the present invention;
FIG. 12 is a schematic structural diagram of another embodiment of the mobile virtualization device of the present invention;
FIG. 13 is a schematic structural diagram of yet another embodiment of the application server of the present invention;
FIG. 14 is a schematic structural diagram of another embodiment of the authentication system of the present invention.
Detailed Description
To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the accompanying drawings. Evidently, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
FIG. 1 is a schematic structural diagram of an embodiment of the authentication system of the present invention. As shown in FIG. 1, the authentication system of this embodiment may include a mobile virtualization device 11, a core network device 12, an application server 13, and a user equipment (User Equipment, UE for short) 14. Further, the mobile virtualization device 11 may include a virtual user module 111 and a lightweight application server 112. The virtual user module 111 provides a virtual machine service for the UE 14. The lightweight application server 112 can be regarded as the implementation, inside the mobile virtualization device 11, of part of the functions of multiple application servers; it can also serve as multiple application servers that application developers deploy on the authentication system, providing complete application services. The user uses the UE 14 to connect wirelessly to the virtual user module 111 in the mobile virtualization device 11 and thereby uses the virtual machine service, with the virtual user module 111 acting as a proxy for the UE 14. The virtual user module 111 interacts with the lightweight application server 112. The core network device 12 may include a mobility management entity (Mobility Management Entity, MME for short) and a home subscriber server (Home Subscriber Server, HSS for short), each of which stores certain user data and authenticates users. The application server 13 represents the servers corresponding to the multiple applications in the authentication system; it stores the information of users who use the applications, for example, login information, game progress, and recorded data.
In this embodiment, the user logs in to the mobile virtualization device 11 through the UE 14 by entering a username and password. After the user is authenticated, the mobile virtualization device 11 acts as the user's proxy and performs operations such as registration and login for the multiple applications the user uses. In this process the user no longer has to register once for each application: the mobile virtualization device 11 interacts with the application server 13 of each application in place of the user, and the application accounts that the mobile virtualization device 11 generates on the user's behalf need not even be fed back to the user. The applications also do not have to belong to one fixed management platform; as long as an application has deployed a lightweight application server 112 on the mobile virtualization device 11, unified authentication can be achieved, which reduces redundant user information and improves authentication efficiency.
FIG. 2 is a flowchart of an embodiment of the user authentication method of the present invention. As shown in FIG. 2, this embodiment is the procedure in which a UE requests to register an application, and the method may include:
Step 101: Receive an application registration request sent by the user equipment UE, where the application registration request includes information about a first application that the UE requests to register.
This embodiment may be executed by the mobile virtualization device in the structural diagram shown in FIG. 1. The user initiates an application registration request to the mobile virtualization device through the UE. For example, to register for WeChat or a mobile game, the user can tap the WeChat or mobile game icon on the UE and choose to register, and the UE then sends an application registration request for WeChat or the mobile game. The application registration request includes information about the first application (for example, WeChat or the mobile game) that the user requests to register, which may include the application name, the application identifier, the identifier of the corresponding application server, and so on.
Step 102: Look up, according to the application registration request, the service identifier of the first application and the user identifier of the UE.
After receiving the application registration request, the mobile virtualization device obtains the service identifier (Service Identity, ServiceID for short) of the first application according to the information about the first application that the UE requests to register. Specifically, the virtual user module in the mobile virtualization device receives the application registration request and then, according to the first application information in the request, queries the lightweight application server of the first application in the mobile virtualization device to obtain the service identifier of the first application. Because a UE must register before using the authentication system, the mobile virtualization device can also obtain, through the application registration request, the user identifier (User Identity, UserID for short) of the sending UE.
Step 103: Send an account registration request to the core network device, where the account registration request includes the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application and sends the application account to the application server of the first application.
The mobile virtualization device packages the service identifier of the first application and the user identifier of the UE into an account registration request and sends it to the core network device. The core network device may be an HSS, which allocates an application account according to the service identifier and the user identifier; this application account is the account that the UE corresponding to the user identifier subsequently uses to log in to the application corresponding to the service identifier. The HSS also sends the application account to the application server of the first application, so that the application server can authenticate against it at subsequent logins. This step is compatible to the greatest extent with the authentication mechanism of existing communication networks: the mobile virtualization device interacts with each application server according to current standards, and the core network device treats the mobile virtualization device as a UE and allocates the application account to it. Whatever the application, as long as it is a trusted application recognized and supported by the system, an application account can be obtained by the method of this embodiment.
Step 104: Obtain the application account from the core network device, so as to use the application account as the authentication identifier for the UE's subsequent logins to the first application, and return an application registration response to the UE.
After receiving the application account allocated by the core network device, the mobile virtualization device records the application account and returns an application registration response to the UE. The application registration response may contain the result of whether the registration succeeded, and on receiving it the UE may inform the user with a pop-up window. The mobile virtualization device may store application account information in the format of Table 1, where each record includes a user identifier, a service identifier, and an application account. The mobile virtualization device does not need to feed the application account back to the UE and may store it only locally. In this way, when logging in to the application, the UE only needs to send an application login request; the mobile virtualization device obtains the application account locally and then uses it to interact with the application server to complete authentication and login.
Table 1
User identifier | Service identifier | Application account
In this embodiment, the mobile virtualization device acts as a proxy for the UE and performs application registration and login in place of the UE. This spares the user the tedious manual setting of a username and password during registration with each application, removes the limitations of platform-based application management, reduces redundant user information, lowers the management load, and improves the efficiency of system authentication.
Further, before step 101, the method may also include: obtaining, from the core network device, the service identifier that the core network device allocates to a pre-registered application.
The mobile virtualization device can implement part of the functions of multiple application servers, and these functions include the configuration files of pre-registered applications. For example, when a third party develops a mobile game and wants it to support the authentication mechanism of the present invention, the game can first register with the core network device. Once the core network device has verified the mobile game and considers it a trusted application, it allocates a service identifier to the game and sends the service identifier to the mobile virtualization device, specifically to the lightweight application server in the mobile virtualization device.
FIG. 3 is a flowchart of another embodiment of the user authentication method of the present invention. As shown in FIG. 3, this embodiment is also a procedure in which a UE requests to register an application, and the method may include:
Step 201: Receive an account registration request sent by the mobile virtualization device, where the account registration request includes the service identifier of a first application that the user equipment UE requests to register and the user identifier of the UE.
This embodiment may be executed by the core network device in the structural diagram shown in FIG. 1. The method in this embodiment corresponds to the method embodiment shown in FIG. 2 and is the method performed by the core network device while a UE requests to register an application.
Step 202: Allocate to the UE, according to the account registration request, an application account for logging in to the first application.
Step 203: Send the application account to the mobile virtualization device and to the application server of the first application.
In this embodiment, the core network device treats the mobile virtualization device as the UE requesting application registration and allocates an application account to it. Because the mobile virtualization device acts as a proxy for the UE and performs application registration and login in place of the UE, the user is spared the tedious manual setting of a username and password during registration with each application, the limitations of platform-based application management are removed, redundant user information is reduced, the management load is lowered, and the efficiency of system authentication is improved.
FIG. 4 is a flowchart of yet another embodiment of the user authentication method of the present invention. As shown in FIG. 4, this embodiment is again a procedure in which a UE requests to register an application, and the method may include:
Step 301: Receive an application account sent by the core network device, where the application account is the application account that the core network device allocates when the user equipment UE requests to register a first application.
This embodiment may be executed by the application server in the structural diagram shown in FIG. 1. The method in this embodiment corresponds to the method embodiments shown in FIG. 2 and FIG. 3 and is the method performed by the application server while a UE requests to register an application.
In this embodiment, the application server treats the mobile virtualization device as the UE requesting application registration and records its application account. Because the mobile virtualization device acts as a proxy for the UE and performs application registration and login in place of the UE, the user is spared the tedious manual setting of a username and password during registration with each application, the limitations of platform-based application management are removed, redundant user information is reduced, the management load is lowered, and the efficiency of system authentication is improved.
The foregoing method embodiments describe how the mobile virtualization device, the core network device, and the application server each act while a UE requests to register an application. The method of this embodiment further covers the procedures in which the UE requests to log in to an application, requests to register with the mobile virtualization device, requests to log in to the mobile virtualization device, and requests to deregister from the mobile virtualization device. The technical solutions of the method embodiments of the present invention are described in detail below through several specific interaction embodiments. In the following method embodiments, the mobile virtualization device includes a virtual user module and a lightweight application server; to make the method steps clearer, the virtual user module and the lightweight application server are each named as the executing entity of some of the steps, so that the interaction inside the mobile virtualization device is described. The core network device likewise includes both an MME and an HSS.
FIG. 5 is a flowchart of a fourth embodiment of the user authentication method of the present invention. As shown in FIG. 5, this embodiment is again a procedure in which a UE requests to register an application, and the method may include:
S401. The core network device allocates a service identifier to a pre-registered application and sends the service identifier to the lightweight application server.
In this embodiment, the core network device may be an HSS.
S402. The virtual user module receives an application registration request, sent by the UE, requesting to register a first application.
S403. The virtual user module sends a query request to the lightweight application server according to the application registration request.
As a result of S401, the lightweight application server holds the service identifier of each application.
S404. The lightweight application server returns the service identifier of the first application to the virtual user module.
S405. The virtual user module sends an account registration request to the core network device according to the service identifier of the first application and the user identifier of the UE.
From the records in Table 1, the virtual user module can obtain the user identifier of the UE, and it also records in Table 1 the service identifier of the first application corresponding to that UE.
S406. The core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application.
The application account is generated at first registration and does not need to be communicated to the UE. The mobile virtualization device stores it locally, so that when the UE later logs in to the first application, the device can fetch the application account directly and hand it to the application server for authentication. The application account allocated by the core network device may be a conventional username and password, or a string of digits in a predetermined format; anything that can serve as a credential for logging in to the application is acceptable, and no specific limitation is imposed here.
S407. The core network device sends the application account to the virtual user module and to the application server of the first application.
S408. The virtual user module stores the application account.
S409. The virtual user module informs the UE that registration is complete.
FIG. 6 is a flowchart of a fifth embodiment of the user authentication method of the present invention. As shown in FIG. 6, this embodiment is also a process in which a UE requests to log in to an application, and the method may include:
S501. The virtual user module receives an application login request, sent by the UE, requesting login to a second application.
S502. The virtual user module queries the application account of the second application according to the application login request.
Through the registration process shown in FIG. 5, the mobile virtualization device has recorded, in the locally stored Table 1, the mapping between user identifiers, service identifiers and application accounts. Using the user identifier of the UE requesting login and the service identifier of the second application that the UE requests to log in to, the virtual user module can query Table 1 to obtain the application account with which the UE logs in to the second application.
S503. The virtual user module sends an account acquisition request to the core network device.
If the virtual user module does not find the application account of the second application locally, it sends the account acquisition request to the core network device and re-acquires the application account of the second application from the core network device. The core network device in this embodiment may be an HSS.
S504. The core network device returns the application account of the second application to the virtual user module.
S503 and S504 are optional steps; they need to be performed only if the virtual user module did not find the application account locally.
S505. The virtual user module sends two or more application accounts of the second application to the UE.
If the user has registered multiple application accounts in the second application, the virtual user module may find two or more application accounts; it therefore sends all of them to the UE, and the user selects the account to log in with.
S506. The UE selects the application account to use for login.
S507. The virtual user module receives the account selection response sent by the UE.
S505 to S507 are optional steps; they need to be performed only when multiple application accounts are found.
S508. The virtual user module sends a login request to the lightweight application server according to the application account.
S509. The lightweight application server forwards the login request to the application server of the second application.
S510. The application server authenticates the application account.
S511. The application server returns an authentication response to the lightweight application server.
S512. The lightweight application server forwards the authentication response to the virtual user module.
S513. The virtual user module feeds back the login result to the UE according to the authentication response.
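The login flow S501 to S513, simulated in-process as an added example (not code from the patent). All class, method and field names, the caching of re-acquired accounts, and the check that the UE's selection is one of the offered accounts are assumptions of this example; the sample identifiers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class CoreNetwork:
    """Stands in for the HSS: authoritative (user_id, service_id) -> accounts."""
    accounts: dict = field(default_factory=dict)

    def get_accounts(self, user_id, service_id):            # S503 / S504
        return list(self.accounts.get((user_id, service_id), []))


@dataclass
class AppServer:
    """Application server of the second application."""
    provisioned: set = field(default_factory=set)           # accounts pushed at S407

    def authenticate(self, account):                         # S510
        return account in self.provisioned


@dataclass
class LightweightAppServer:
    """Relays the login request and the authentication response."""
    backend: AppServer

    def login(self, account):                                # S509, S511, S512
        return self.backend.authenticate(account)


class VirtualUserModule:
    def __init__(self, core, relay):
        self.core = core
        self.relay = relay
        self.table1 = {}   # Table 1: (user_id, service_id) -> [application accounts]
        self.trace = []    # step labels taken, so the optional steps are visible

    def login(self, user_id, service_id, choose=None):
        self.trace = ["S501", "S502"]
        key = (user_id, service_id)
        accounts = self.table1.get(key, [])
        if not accounts:                                     # local miss: ask the HSS
            self.trace += ["S503", "S504"]
            accounts = self.core.get_accounts(user_id, service_id)
            if accounts:
                self.table1[key] = accounts                  # caching is an assumption
        if not accounts:
            return {"ok": False, "reason": "no-account"}
        if len(accounts) > 1:                                # user must pick one
            self.trace += ["S505", "S506", "S507"]
            if choose is None:
                return {"ok": False, "reason": "selection-required",
                        "choices": list(accounts)}
            selected = choose(list(accounts))
            # The account name is the only credential sent onward, so a
            # selection outside the offered list must never be forwarded.
            if selected not in accounts:
                return {"ok": False, "reason": "invalid-selection"}
        else:
            selected = accounts[0]
        self.trace += ["S508", "S509", "S510", "S511", "S512", "S513"]
        return {"ok": self.relay.login(selected), "account": selected}


def demo():
    """Constructed data: u1 has one account (HSS only), u2 has two (in Table 1)."""
    core = CoreNetwork({("u1", "svcB"): ["acct-1"],
                        ("u2", "svcB"): ["acct-2a", "acct-2b"]})
    app = AppServer({"acct-1", "acct-2a", "acct-2b"})
    vum = VirtualUserModule(core, LightweightAppServer(app))
    vum.table1[("u2", "svcB")] = ["acct-2a", "acct-2b"]
    results = []
    for user, pick in (("u1", None),
                       ("u2", lambda offered: offered[1]),
                       ("u2", lambda offered: "acct-1"),    # not offered to u2
                       ("u3", None)):
        outcome = vum.login(user, "svcB", choose=pick)
        results.append((user, outcome, list(vum.trace)))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In this flow the application server authenticates the account identifier alone, so the lookup in Table 1 and the selection check are the points where one UE is kept from logging in with another user's account.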
FIG. 7 is a flowchart of a sixth embodiment of the user authentication method of the present invention. As shown in FIG. 7, this embodiment is also a process in which a UE requests to register with the mobile virtualization device, and the method may include:
S601. The MME receives a virtual machine registration request sent by the UE.
The virtual machine registration request includes the username and password set by the UE and the temporary identifier of the UE. Optionally, the virtual machine registration request may also include user information of the UE.
S602. The MME forwards the virtual machine registration request to the HSS.
If the virtual machine registration request includes the username and password set by the UE and the temporary identifier of the UE, the MME queries and obtains the International Mobile Subscriber Identification Number (IMSI) of the UE and carries the IMSI when forwarding the virtual machine registration request. If the virtual machine registration request includes the user information of the UE, the MME forwards this information directly to the HSS, and the HSS verifies its legitimacy.
S603. The HSS allocates a user identifier to the UE according to the virtual machine registration request.
The HSS may allocate a unique user identifier to the UE according to a preset algorithm.
S604. The HSS returns the user identifier to the MME.
S605. The MME sends the user identifier to the mobile virtualization device.
S606. The mobile virtualization device allocates a virtual machine to the UE according to the user identifier.
Optionally, if the virtual machine registration request contains the user information of the UE, the mobile virtualization device also randomly generates a username and password for the UE; that is, in this case the UE's username and password are not set by the user but are randomly generated for it by the mobile virtualization device.
S607. The mobile virtualization device returns a virtual machine allocation response to the MME.
The virtual machine allocation response includes the user identifier, username and password of the UE.
S608. The MME stores the username and password of the UE according to the virtual machine allocation response.
The MME may store the mapping between user identifiers and mobile virtualization device identifiers in the form of Table 2. This mapping is used to destroy the UE's virtual machine data and to synchronize user data during virtual machine migration; through Table 2 the MME can look up the mobile virtualization device on which the virtual machine used by the UE resides.
Table 2
User identifier | Mobile virtualization device identifier
The MME may store the mapping between the UE's user identifier, username and password in the form of Table 3. When the UE requests to log in to the mobile virtualization device, the MME verifies the user's identity.
Table 3
User identifier | Username | Password
S609. The MME returns a virtual machine registration response to the UE.
FIG. 8 is a flowchart of a seventh embodiment of the user authentication method of the present invention. As shown in FIG. 8, this embodiment is also a process in which a UE requests to log in to the mobile virtualization device, and the method may include:
S701. The mobile virtualization device receives a virtual machine login request from the UE.
The virtual machine login request includes the username and password of the UE.
S702. The mobile virtualization device sends the username and password to the MME.
S703. The MME authenticates the UE according to the username and password.
S704. The MME returns an authentication response to the mobile virtualization device.
The authentication response includes the user identifier of the UE.
S705. The mobile virtualization device starts the virtual machine allocated to the UE according to the user identifier.
S706. The mobile virtualization device and the MME perform virtual machine synchronization according to the user identifier.
This step is optional.
S707. The mobile virtualization device returns a virtual machine login response to the UE.
S708. The UE establishes a connection with the mobile virtualization device and exchanges data.
FIG. 9 is a flowchart of an eighth embodiment of the user authentication method of the present invention. As shown in FIG. 9, this embodiment is also a process in which a UE requests to log off from the mobile virtualization device, and the method may include:
S801. The MME receives a virtual machine logout request sent by the UE.
The virtual machine logout request includes the username and password of the UE.
S802. The MME authenticates the UE according to the virtual machine logout request and queries the user identifier of the UE.
S803. The MME sends a virtual machine removal request to the mobile virtualization device.
The virtual machine removal request includes the user identifier.
S804. The mobile virtualization device removes the virtual machine allocated to the UE according to the virtual machine removal request and deletes the configuration information corresponding to the user identifier.
S805. The mobile virtualization device returns a virtual machine removal response to the MME.
S806. The MME sends a user identifier deletion request to the HSS.
The user identifier deletion request includes the user identifier.
S807. The HSS deletes the user identifier, and the configuration information corresponding to the user identifier, according to the user identifier deletion request.
S808. The HSS returns a user identifier deletion response to the MME.
S809. The MME deletes the configuration information corresponding to the user identifier.
S810. The MME returns a virtual machine logout response to the UE.
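The virtual machine lifecycle of FIG. 7 to FIG. 9 (register, log in, log off with cascading deletion), as an added example that is not code from the patent. Class and method names, the random user identifier standing in for the "preset algorithm", and the sample credentials are assumptions; the example also keeps a salted PBKDF2 digest in Table 3 where the text stores the password itself.

```python
import hashlib
import hmac
import os
import secrets


def _digest(password, salt):
    # Assumption: Table 3 holds a salted PBKDF2 digest, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class HSS:
    def __init__(self):
        self.user_ids = {}                        # user_id -> IMSI

    def allocate_user_id(self, imsi):             # S603
        user_id = secrets.token_hex(8)            # stand-in for the preset algorithm
        self.user_ids[user_id] = imsi
        return user_id

    def delete_user_id(self, user_id):            # S807
        self.user_ids.pop(user_id, None)


class MobileVirtualizationDevice:
    def __init__(self, device_id):
        self.device_id = device_id
        self.vms = {}                             # user_id -> "allocated" | "running"

    def allocate_vm(self, user_id):               # S606
        self.vms[user_id] = "allocated"

    def login(self, mme, username, password):     # S701-S707
        user_id = mme.authenticate(username, password)   # S702-S704
        if user_id is None or user_id not in self.vms:
            return False
        self.vms[user_id] = "running"             # S705
        return True

    def remove_vm(self, user_id):                 # S804
        return self.vms.pop(user_id, None) is not None


class MME:
    def __init__(self, hss, devices):
        self.hss = hss
        self.devices = {d.device_id: d for d in devices}
        self.table2 = {}                          # Table 2: user_id -> device_id
        self.table3 = {}                          # Table 3: username -> (user_id, salt, digest)

    def register(self, username, password, imsi, device_id):   # S601-S609
        if username in self.table3:
            return None                           # duplicate username (assumption)
        user_id = self.hss.allocate_user_id(imsi)               # S602-S604
        self.devices[device_id].allocate_vm(user_id)            # S605-S607
        salt = os.urandom(16)
        self.table2[user_id] = device_id
        self.table3[username] = (user_id, salt, _digest(password, salt))  # S608
        return user_id

    def authenticate(self, username, password):                 # S703 / S802
        # Unknown usernames still cost one digest, so timing does not reveal them.
        user_id, salt, stored = self.table3.get(username, (None, b"\0" * 16, b""))
        ok = hmac.compare_digest(_digest(password, salt), stored)
        return user_id if ok else None

    def logout(self, username, password):                       # S801-S810
        user_id = self.authenticate(username, password)
        if user_id is None:
            return False
        self.devices[self.table2[user_id]].remove_vm(user_id)   # S803-S805
        self.hss.delete_user_id(user_id)                        # S806-S808
        del self.table2[user_id]                                # S809
        del self.table3[username]
        return True


def demo():
    """Constructed credentials; returns the outcome of each lifecycle step."""
    hss, mvd = HSS(), MobileVirtualizationDevice("mvd-1")
    mme = MME(hss, [mvd])
    uid = mme.register("alice", "pw-constructed", "imsi-constructed-001", "mvd-1")
    return {
        "bad_login": mvd.login(mme, "alice", "wrong"),
        "good_login": mvd.login(mme, "alice", "pw-constructed"),
        "logout": mme.logout("alice", "pw-constructed"),
        "login_after_logout": mvd.login(mme, "alice", "pw-constructed"),
        "residue": uid in hss.user_ids or uid in mvd.vms or uid in mme.table2,
    }


if __name__ == "__main__":
    print(demo())
```

After a successful logout the user identifier is gone from the HSS, the device and both MME tables, which is the property S804, S807 and S809 establish together.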
FIG. 10 is a schematic structural diagram of an embodiment of the mobile virtual device of the present invention. As shown in FIG. 10, the apparatus of this embodiment may include a receiving module 11, a processing module 12 and a sending module 13, where the receiving module 11 is configured to receive an application registration request sent by a user equipment (UE), the application registration request including information about the first application that the UE requests to register with; the processing module 12 is configured to query the service identifier of the first application and the user identifier of the UE according to the application registration request; the sending module 13 is configured to send an account registration request to the core network device, the account registration request including the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application and sends the application account to the application server of the first application; and the receiving module 11 is further configured to obtain the application account from the core network device, so that the application account serves as the authentication identifier for the UE's subsequent logins to the first application, and to return an application registration response to the UE.
The apparatus of this embodiment may be used to execute the technical solution of the method embodiment shown in any of FIG. 2 and FIG. 5 to FIG. 9. Its implementation principle and technical effects are similar and are not described again here.
Further, the receiving module 11 is further configured to obtain, from the core network device, the service identifier that the core network device allocated to a pre-registered application.
Further, the receiving module 11 is further configured to receive an application login request sent by the UE, the application login request including information about the second application that the UE requests to log in to; the processing module 12 is further configured to query, according to the application login request, the application account with which the UE logs in to the second application; the sending module 13 is further configured to send the application account to the application server of the second application, so that the application server authenticates the application account and returns an authentication response; and the receiving module 11 is further configured to receive the authentication response from the application server and feed back the login result to the UE according to the authentication response.
Further, the sending module 13 is further configured to send an account acquisition request to the core network device if the application account is not found, the account acquisition request including the service identifier and the user identifier; and the receiving module 11 is further configured to obtain the application account from the core network device.
Further, the sending module 13 is further configured to send the two or more application accounts to the UE if two or more application accounts are found; and the receiving module 11 is further configured to receive, from the UE, the application account selected for logging in to the second application.
Further, the receiving module 11 is further configured to receive the user identifier that the core network device allocated to the UE according to the virtual machine registration request sent by the UE; the processing module 12 is further configured to allocate a virtual machine to the UE according to the user identifier; and the sending module 13 is further configured to return a virtual machine allocation response to the core network device, the virtual machine allocation response including the username and password of the UE, so that the core network device stores the username and password of the UE according to the virtual machine allocation response and returns a virtual machine registration response to the UE.
Further, the virtual machine registration request includes the username and password set by the UE and the temporary identifier of the UE.
Further, the virtual machine registration request includes information about the user of the UE; and the processing module 12 is further configured to randomly generate the username and password for the UE while allocating the virtual machine to the UE according to the user identifier.
Further, the receiving module 11 is further configured to receive a virtual machine login request from the UE, the virtual machine login request including the username and password of the UE; the sending module 13 is further configured to send the username and password of the UE to the core network device, so that the core network device authenticates the UE according to the username and password of the UE and returns an authentication response, the authentication response including the user identifier of the UE; the processing module 12 is further configured to start, according to the user identifier, the virtual machine allocated to the UE; and the sending module 13 is further configured to return a virtual machine login response to the UE.
Further, the receiving module 11 is further configured to receive the virtual machine removal request that the core network device sends after authenticating the UE according to the virtual machine logout request sent by the UE and querying the user identifier of the UE, the virtual machine removal request including the user identifier of the UE; and the processing module 12 is further configured to remove the virtual machine allocated to the UE according to the virtual machine destruction request and to delete the configuration information corresponding to the user identifier of the UE.
The structure shown in FIG. 10 may also serve as a schematic structural diagram of an embodiment of the core network device of the present invention. As shown in FIG. 10, the receiving module 11 is configured to receive an account registration request sent by the mobile virtualization device, the account registration request including the service identifier of the first application that the user equipment (UE) requests to register with and the user identifier of the UE; the processing module 12 is configured to allocate to the UE, according to the account registration request, an application account for logging in to the first application; and the sending module 13 is configured to send the application account to the mobile virtualization device and to the application server of the first application.
The apparatus of this embodiment may be used to execute the technical solution of the method embodiment shown in any of FIG. 3 and FIG. 5 to FIG. 9. Its implementation principle and technical effects are similar and are not described again here.
Further, the processing module 12 is further configured to allocate a service identifier to a pre-registered application; and the sending module 13 is further configured to send the service identifier to the mobile virtualization device.
Further, the receiving module 11 is further configured to receive the account acquisition request that the mobile virtualization device sends after failing to obtain the application account with which the UE logs in to the second application, the account acquisition request including the service identifier of the second application and the user identifier of the UE; and the sending module 13 is further configured to return the application account to the mobile virtualization device according to the account acquisition request.
Further, the receiving module 11 is further configured to receive a virtual machine registration request sent by the UE; the processing module 12 is further configured to allocate a user identifier to the UE according to the virtual machine registration request; the sending module 13 is further configured to send the user identifier to the mobile virtualization device, so that the mobile virtualization device allocates a virtual machine to the UE according to the user identifier; the receiving module 11 is further configured to receive the virtual machine allocation response sent by the mobile virtualization device, the virtual machine allocation response including the username and password of the UE; the processing module 12 is further configured to store the username and password of the UE; and the sending module 13 is further configured to return a virtual machine registration response to the UE.
Further, the virtual machine registration request includes the username and password set by the UE and the temporary identifier of the UE; or the virtual machine registration request includes information about the user of the UE.
Further, the receiving module 11 is further configured to receive the username and password of the UE that the mobile virtualization device sends according to the virtual machine login request sent by the UE, the virtual machine login request including the username and password of the UE; the processing module 12 is further configured to authenticate the UE according to the username and password of the UE; and the sending module 13 is further configured to return an authentication response, the authentication response including the user identifier of the UE, so that the mobile virtualization device starts the virtual machine allocated to the UE according to the user identifier and returns a virtual machine login response to the UE.
Further, the receiving module 11 is further configured to receive a virtual machine logout request sent by the UE, the virtual machine logout request including the username and password of the UE; the processing module 12 is further configured to authenticate the UE according to the virtual machine logout request and to query the user identifier of the UE; the sending module 13 is further configured to send a virtual machine removal request to the mobile virtualization device, the virtual machine removal request including the user identifier, so that the mobile virtualization device removes the virtual machine allocated to the UE according to the virtual machine removal request and deletes the configuration information corresponding to the user identifier; the processing module 12 is further configured to delete the configuration information corresponding to the user identifier; and the sending module 13 is further configured to return a virtual machine logout response to the UE.
FIG. 11 is a schematic structural diagram of an embodiment of the application server of the present invention. As shown in FIG. 11, the apparatus of this embodiment may include a receiving module 21, configured to receive an application account sent by the core network device, where the application account is the one that the core network device allocated when the user equipment (UE) requested to register with the first application.
Further, the structure shown in FIG. 10 may also serve as a schematic structural diagram of another embodiment of the application server of the present invention. As shown in FIG. 10, the receiving module 11 is further configured to receive an application account sent by the mobile virtualization device, where the application account is the application account of the second application that the UE requests to log in to, as queried by the mobile virtualization device according to the application login request sent by the UE; the processing module 12 is configured to authenticate the application account; and the sending module 13 is configured to return an authentication response to the mobile virtualization device.
The device of this embodiment may be used to execute the technical solution of the method embodiment shown in any of FIG. 4 to FIG. 9. Its implementation principle and technical effects are similar and are not described again here.
FIG. 12 is a schematic structural diagram of another embodiment of the mobile virtual device of the present invention. As shown in FIG. 12, the device of this embodiment may include a receiver 31, a processor 32 and a transmitter 33, where the receiver 31 is configured to receive an application registration request sent by a user equipment (UE), the application registration request including information about the first application that the UE requests to register with; the processor 32 is configured to query the service identifier of the first application and the user identifier of the UE according to the application registration request; the transmitter 33 is configured to send an account registration request to the core network device, the account registration request including the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application and sends the application account to the application server of the first application; and the receiver 31 is further configured to obtain the application account from the core network device, so that the application account serves as the authentication identifier for the UE's subsequent logins to the first application, and to return an application registration response to the UE.
The device of this embodiment may be used to execute the technical solution of the method embodiment shown in any of FIG. 2 and FIG. 5 to FIG. 9. Its implementation principle and technical effects are similar and are not described again here.
Further, the receiver 31 is further configured to obtain, from the core network device, the service identifier that the core network device allocated to a pre-registered application.
Further, the receiver 31 is further configured to receive an application login request sent by the UE, the application login request including information about the second application that the UE requests to log in to; the processor 32 is further configured to query, according to the application login request, the application account with which the UE logs in to the second application; the transmitter 33 is further configured to send the application account to the application server of the second application, so that the application server authenticates the application account and returns an authentication response; and the receiver 31 is further configured to receive the authentication response from the application server and feed back the login result to the UE according to the authentication response.
Further, the transmitter 33 is further configured to send an account acquisition request to the core network device if the application account is not found, the account acquisition request including the service identifier and the user identifier; and the receiver 31 is further configured to obtain the application account from the core network device.
Further, the transmitter 33 is further configured to send the two or more application accounts to the UE if two or more application accounts are found; and the receiver 31 is further configured to receive, from the UE, the application account selected for logging in to the second application.
Further, the receiver 31 is further configured to receive the user identifier that the core network device allocated to the UE according to the virtual machine registration request sent by the UE; the processor 32 is further configured to allocate a virtual machine to the UE according to the user identifier; and the transmitter 33 is further configured to return a virtual machine allocation response to the core network device, the virtual machine allocation response including the username and password of the UE, so that the core network device stores the username and password of the UE according to the virtual machine allocation response and returns a virtual machine registration response to the UE.
Further, the virtual machine registration request includes the username and password set by the UE and the temporary identifier of the UE.
Further, the virtual machine registration request includes information about the user of the UE; and the processor 32 is further configured to randomly generate the username and password for the UE while allocating the virtual machine to the UE according to the user identifier.
Further, the receiver 31 is further configured to receive a virtual machine login request from the UE, the virtual machine login request including the username and password of the UE; the transmitter 33 is further configured to send the username and password of the UE to the core network device, so that the core network device authenticates the UE according to the username and password of the UE and returns an authentication response, the authentication response including the user identifier of the UE; the processor 32 is further configured to start, according to the user identifier, the virtual machine allocated to the UE; and the transmitter 33 is further configured to return a virtual machine login response to the UE.
Further, the receiver 31 is further configured to receive the virtual machine removal request that the core network device sends after authenticating the UE according to the virtual machine logout request sent by the UE and querying the user identifier of the UE, the virtual machine removal request including the user identifier of the UE; and the processor 32 is further configured to remove the virtual machine allocated to the UE according to the virtual machine destruction request and to delete the configuration information corresponding to the user identifier of the UE.
The structure shown in FIG. 12 may also serve as a schematic structural diagram of another embodiment of the core network device of the present invention. As shown in FIG. 12, the receiver 31 is configured to receive an account registration request sent by the mobile virtualization device, the account registration request including the service identifier of the first application that the user equipment (UE) requests to register with and the user identifier of the UE; the processor 32 is configured to allocate to the UE, according to the account registration request, an application account for logging in to the first application; and the transmitter 33 is configured to send the application account to the mobile virtualization device and to the application server of the first application.
The device of this embodiment may be used to execute the technical solution of the method embodiment shown in any of FIG. 3 and FIG. 5 to FIG. 9. Its implementation principle and technical effects are similar and are not described again here.
Further, the processor 32 is further configured to allocate a service identifier to a pre-registered application; and the transmitter 33 is further configured to send the service identifier to the mobile virtualization device.
Further, the receiver 31 is further configured to receive an account acquisition request that the mobile virtualization device sends after failing to obtain the application account with which the UE logs in to the second application, where the account acquisition request includes the service identifier of the second application and the user identifier of the UE; and the transmitter 33 is further configured to return the application account to the mobile virtualization device according to the account acquisition request.
Further, the receiver 31 is further configured to receive a virtual machine registration request sent by the UE; the processor 32 is further configured to allocate a user identifier to the UE according to the virtual machine registration request; the transmitter 33 is further configured to send the user identifier to the mobile virtualization device, so that the mobile virtualization device allocates a virtual machine to the UE according to the user identifier; the receiver 31 is further configured to receive a virtual machine allocation response sent by the mobile virtualization device, where the virtual machine allocation response includes the username and password of the UE; the processor 32 is further configured to store the username and password of the UE; and the transmitter 33 is further configured to return a virtual machine registration response to the UE.
Further, the virtual machine registration request includes a username and a password set by the UE, and a temporary identifier of the UE; or the virtual machine registration request includes information about the user who uses the UE.
Further, the receiver 31 is further configured to receive the username and password of the UE that the mobile virtualization device sends according to a virtual machine login request sent by the UE, where the virtual machine login request includes the username and password of the UE; the processor 32 is further configured to authenticate the UE according to the username and password of the UE; and the transmitter 33 is further configured to return an authentication response, where the authentication response includes the user identifier of the UE, so that the mobile virtualization device starts, according to the user identifier, the virtual machine allocated to the UE and returns a virtual machine login response to the UE.
Further, the receiver 31 is further configured to receive a virtual machine logout request sent by the UE, where the virtual machine logout request includes the username and password of the UE; the processor 32 is further configured to authenticate the UE according to the virtual machine logout request and to query the user identifier of the UE; the transmitter 33 is further configured to send a virtual machine removal request to the mobile virtualization device, where the virtual machine removal request includes the user identifier, so that the mobile virtualization device removes, according to the virtual machine removal request, the virtual machine allocated to the UE and deletes the configuration information corresponding to the user identifier; the processor 32 is further configured to delete the configuration information corresponding to the user identifier; and the transmitter 33 is further configured to return a virtual machine logout response to the UE.
FIG. 13 is a schematic structural diagram of still another embodiment of the application server of the present invention. As shown in FIG. 13, the device in this embodiment may include a receiver 41, configured to receive an application account sent by the core network device, where the application account is the application account that the core network device allocates when the user equipment UE requests to register the first application.
Further, the schematic structural diagram shown in FIG. 12 may also serve as a schematic structural diagram of yet another embodiment of the application server of the present invention. As shown in FIG. 12, the receiver 31 is further configured to receive an application account sent by the mobile virtualization device, where the application account is the application account of the second application that the UE requests to log in to, as queried by the mobile virtualization device according to the application login request sent by the UE; the processor 32 is configured to authenticate the application account; and the transmitter 33 is configured to return an authentication response to the mobile virtualization device.
The device in this embodiment may be used to execute the technical solution of the method embodiment shown in any one of FIG. 4 to FIG. 9. Its implementation principle and technical effect are similar, and details are not described here again.
FIG. 14 is a schematic structural diagram of another embodiment of the authentication system of the present invention. As shown in FIG. 14, the system in this embodiment includes a mobile virtualization device 51, a core network device 52, an application server 53, and a UE 54. The mobile virtualization device 51 may adopt the structure of the device embodiment shown in FIG. 10 or FIG. 12 and, correspondingly, may execute the technical solution of any one of the method embodiments in FIG. 2 and FIG. 5 to FIG. 9; its implementation principle and technical effect are similar, and details are not described here again. The core network device 52 may adopt the structure of the device embodiment shown in FIG. 10 or FIG. 12 and, correspondingly, may execute the technical solution of any one of the method embodiments in FIG. 3 and FIG. 5 to FIG. 9; its implementation principle and technical effect are similar, and details are not described here again. The application server 53 may adopt the structure of the device embodiment shown in any one of FIG. 10 to FIG. 13 and, correspondingly, may execute the technical solution of any one of the method embodiments in FIG. 4 to FIG. 9; its implementation principle and technical effect are similar, and details are not described here again.
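The exchange among the mobile virtualization device, the core network device and the application server described above, as an added Python example that is not part of the patent text. Class and method names, the random token formats, and the in-process calls standing in for network messages are assumptions; the user identifier is assumed to have been established by an earlier virtual machine login, and the check on the UE's account selection is an addition the text does not describe.

```python
import hmac
import secrets


class AppServer:
    """Application server: trusts only accounts pushed by the core network."""
    def __init__(self):
        self._accounts = []

    def receive_account(self, account):
        self._accounts.append(account)

    def authenticate(self, account):
        # Constant-time comparison so timing does not reveal a near match.
        probe = account.encode()
        return any(hmac.compare_digest(probe, a.encode()) for a in self._accounts)


class CoreNetwork:
    """Core network device: issues service identifiers and application accounts."""
    def __init__(self):
        self._servers = {}   # service_id -> AppServer
        self._accounts = {}  # (user_id, service_id) -> [account, ...]

    def preregister_app(self, server):
        service_id = "svc-" + secrets.token_hex(4)  # assumed identifier format
        self._servers[service_id] = server
        return service_id

    def register_account(self, service_id, user_id):
        server = self._servers[service_id]   # KeyError for an unknown service
        account = secrets.token_urlsafe(16)  # assumed account format
        self._accounts.setdefault((user_id, service_id), []).append(account)
        server.receive_account(account)      # sent to the application server
        return account                       # and to the virtualization device

    def get_accounts(self, service_id, user_id):
        return list(self._accounts.get((user_id, service_id), []))


class MobileVirtualizationDevice:
    """Holds application accounts on the UE's behalf and brokers logins."""
    def __init__(self, core):
        self._core = core
        self._services = {}  # app name -> (service_id, AppServer)
        self._accounts = {}  # (user_id, service_id) -> [account, ...]

    def learn_service(self, app_name, service_id, server):
        self._services[app_name] = (service_id, server)

    def register_app(self, user_id, app_name):
        service_id, _ = self._services[app_name]
        account = self._core.register_account(service_id, user_id)
        self._accounts.setdefault((user_id, service_id), []).append(account)
        return "registered"  # the UE gets a response, not the account itself

    def login_app(self, user_id, app_name, choice=None):
        service_id, server = self._services[app_name]
        accounts = self._accounts.get((user_id, service_id))
        if not accounts:
            # Nothing stored locally: account acquisition request to the core.
            accounts = self._core.get_accounts(service_id, user_id)
            if not accounts:
                return ("no_account", [])
            self._accounts[(user_id, service_id)] = accounts
        account = accounts[0]
        if len(accounts) > 1:
            if choice is None:
                return ("choose", list(accounts))  # the UE selects one account
            if choice not in accounts:
                # Added check (assumption): selection must belong to this user.
                return ("rejected", [])
            account = choice
        return ("ok", []) if server.authenticate(account) else ("rejected", [])


def demo():
    core, mail = CoreNetwork(), AppServer()
    mvd = MobileVirtualizationDevice(core)
    sid = core.preregister_app(mail)
    mvd.learn_service("mail", sid, mail)
    out = {"register": mvd.register_app("user-1", "mail")}
    out["login"] = mvd.login_app("user-1", "mail")[0]
    out["unregistered"] = mvd.login_app("user-2", "mail")[0]
    # A second device instance with an empty store falls back to the core.
    mvd2 = MobileVirtualizationDevice(core)
    mvd2.learn_service("mail", sid, mail)
    out["fallback"] = mvd2.login_app("user-1", "mail")[0]
    mvd.register_app("user-1", "mail")  # second account for the same app
    status, offered = mvd.login_app("user-1", "mail")
    out["multi"] = (status, len(offered))
    out["chosen"] = mvd.login_app("user-1", "mail", choice=offered[1])[0]
    out["forged"] = mvd.login_app("user-1", "mail", choice="forged")[0]
    return out


if __name__ == "__main__":
    print(demo())
```

In this flow the application account behaves as a bearer credential: whoever presents it to the application server is accepted, so the stores on the virtualization device and the core network device are what need protecting.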
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in another form.
The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to perform some of the steps of the methods described in the embodiments of the present invention. The storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
A person skilled in the art can clearly understand that, for convenience and brevity of description, only the division into the functional modules described above is used as an example. In practical applications, the functions may be assigned to different functional modules as needed; that is, the internal structure of the apparatus is divided into different functional modules to perform all or part of the functions described above. For the specific working process of the apparatus described above, refer to the corresponding process in the foregoing method embodiments; details are not described here again.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (39)

  1. A user authentication method, comprising:
    receiving an application registration request sent by a user equipment UE, wherein the application registration request includes information about a first application that the UE requests to register;
    querying, according to the application registration request, a service identifier of the first application and a user identifier of the UE;
    sending an account registration request to a core network device, wherein the account registration request includes the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application and sends the application account to an application server of the first application; and
    obtaining the application account from the core network device so as to use the application account as an authentication identifier for subsequent logins of the UE to the first application, and returning an application registration response to the UE.
  2. The method according to claim 1, wherein before the receiving an application registration request sent by a user equipment UE, the method further comprises:
    obtaining, from the core network device, the service identifier that the core network device allocates to a pre-registered application.
  3. The method according to claim 1 or 2, wherein after the obtaining the application account from the core network device so as to use the application account as an authentication identifier for subsequent logins of the UE to the first application, and returning an application registration response to the UE, the method further comprises:
    receiving an application login request sent by the UE, wherein the application login request includes information about a second application that the UE requests to log in to;
    querying, according to the application login request, the application account with which the UE logs in to the second application;
    sending the application account to an application server of the second application, so that the application server authenticates the application account and returns an authentication response; and
    receiving the authentication response from the application server, and feeding back a login result to the UE according to the authentication response.
  4. The method according to claim 3, wherein after the querying, according to the application login request, the application account with which the UE logs in to the second application, the method further comprises:
    if the application account is not found, sending an account acquisition request to the core network device, wherein the account acquisition request includes the service identifier and the user identifier, and obtaining the application account from the core network device.
  5. The method according to claim 3 or 4, wherein after the querying, according to the application login request, the application account with which the UE logs in to the second application, the method further comprises:
    if two or more application accounts are found, sending the two or more application accounts to the UE, and receiving, from the UE, the application account selected for logging in to the second application.
  6. The method according to claim 1, wherein before the receiving an application registration request sent by a user equipment UE, the method further comprises:
    receiving a user identifier that the core network device allocates to the UE according to a virtual machine registration request sent by the UE; and
    allocating a virtual machine to the UE according to the user identifier, and returning a virtual machine allocation response to the core network device, wherein the virtual machine allocation response includes a username and a password of the UE, so that the core network device stores the username and password of the UE according to the virtual machine allocation response and returns a virtual machine registration response to the UE.
  7. The method according to claim 6, wherein the virtual machine registration request includes a username and a password set by the UE, and a temporary identifier of the UE.
  8. The method according to claim 6, wherein the virtual machine registration request includes information about the user who uses the UE; and
    while allocating the virtual machine to the UE according to the user identifier, the method further comprises:
    randomly generating the username and password for the UE.
  9. The method according to any one of claims 6 to 8, wherein after the allocating a virtual machine to the UE according to the user identifier and returning a virtual machine allocation response to the core network device, the method further comprises:
    receiving a virtual machine login request of the UE, wherein the virtual machine login request includes the username and password of the UE;
    sending the username and password of the UE to the core network device, so that the core network device authenticates the UE according to the username and password of the UE and returns an authentication response, wherein the authentication response includes the user identifier of the UE; and
    starting, according to the user identifier, the virtual machine allocated to the UE, and returning a virtual machine login response to the UE.
  10. The method according to any one of claims 6 to 9, wherein after the allocating a virtual machine to the UE according to the user identifier and returning a virtual machine allocation response to the core network device, the method further comprises:
    receiving a virtual machine removal request that the core network device sends after authenticating the UE according to a virtual machine logout request sent by the UE and querying the user identifier of the UE, wherein the virtual machine removal request includes the user identifier of the UE; and
    removing, according to the virtual machine destruction request, the virtual machine allocated to the UE, and deleting the configuration information corresponding to the user identifier of the UE.
  11. A user authentication method, comprising:
    receiving an account registration request sent by a mobile virtualization device, wherein the account registration request includes a service identifier of a first application that a user equipment UE requests to register and a user identifier of the UE;
    allocating to the UE, according to the account registration request, an application account for logging in to the first application; and
    sending the application account to the mobile virtualization device and to an application server of the first application.
  12. The method according to claim 11, wherein before the receiving an account registration request sent by a mobile virtualization device, the method further comprises:
    allocating a service identifier to a pre-registered application, and sending the service identifier to the mobile virtualization device.
  13. The method according to claim 11 or 12, wherein after the sending the application account to the mobile virtualization device and to an application server of the first application, the method further comprises:
    receiving an account acquisition request that the mobile virtualization device sends after failing to obtain the application account with which the UE logs in to a second application, wherein the account acquisition request includes a service identifier of the second application and the user identifier of the UE; and
    returning the application account to the mobile virtualization device according to the account acquisition request.
  14. The method according to claim 11 or 12, wherein before the receiving an account registration request sent by a mobile virtualization device, the method further comprises:
    receiving a virtual machine registration request sent by the UE, and allocating a user identifier to the UE according to the virtual machine registration request;
    sending the user identifier to the mobile virtualization device, so that the mobile virtualization device allocates a virtual machine to the UE according to the user identifier;
    receiving a virtual machine allocation response sent by the mobile virtualization device, wherein the virtual machine allocation response includes a username and a password of the UE; and
    storing the username and password of the UE, and returning a virtual machine registration response to the UE.
  15. The method according to claim 14, wherein the virtual machine registration request includes a username and a password set by the UE, and a temporary identifier of the UE; or
    the virtual machine registration request includes information about the user who uses the UE.
  16. The method according to claim 14 or 15, wherein after the storing the username and password of the UE and returning a virtual machine registration response to the UE, the method further comprises:
    receiving the username and password of the UE that the mobile virtualization device sends according to a virtual machine login request sent by the UE, wherein the virtual machine login request includes the username and password of the UE; and
    authenticating the UE according to the username and password of the UE, and returning an authentication response, wherein the authentication response includes the user identifier of the UE, so that the mobile virtualization device starts, according to the user identifier, the virtual machine allocated to the UE and returns a virtual machine login response to the UE.
  17. The method according to any one of claims 14 to 16, wherein after the storing the username and password of the UE and returning a virtual machine registration response to the UE, the method further comprises:
    receiving a virtual machine logout request sent by the UE, wherein the virtual machine logout request includes the username and password of the UE;
    authenticating the UE according to the virtual machine logout request, and querying the user identifier of the UE;
    sending a virtual machine removal request to the mobile virtualization device, wherein the virtual machine removal request includes the user identifier, so that the mobile virtualization device removes, according to the virtual machine removal request, the virtual machine allocated to the UE and deletes the configuration information corresponding to the user identifier; and
    deleting the configuration information corresponding to the user identifier, and returning a virtual machine logout response to the UE.
  18. A user authentication method, comprising:
    receiving an application account sent by a core network device, wherein the application account is the application account that the core network device allocates when a user equipment UE requests to register a first application.
  19. The method according to claim 18, wherein after the receiving an application account sent by a core network device, the method further comprises:
    receiving an application account sent by a mobile virtualization device, wherein the application account is the application account of a second application that the UE requests to log in to, as queried by the mobile virtualization device according to an application login request sent by the UE; and
    authenticating the application account, and returning an authentication response to the mobile virtualization device.
  20. A mobile virtual device, comprising:
    a receiving module, configured to receive an application registration request sent by a user equipment UE, wherein the application registration request includes information about a first application that the UE requests to register;
    a processing module, configured to query, according to the application registration request, a service identifier of the first application and a user identifier of the UE; and
    a sending module, configured to send an account registration request to a core network device, wherein the account registration request includes the service identifier and the user identifier, so that the core network device allocates to the UE, according to the account registration request, an application account for logging in to the first application and sends the application account to an application server of the first application;
    wherein the receiving module is further configured to obtain the application account from the core network device so as to use the application account as an authentication identifier for subsequent logins of the UE to the first application, and to return an application registration response to the UE.
  21. The device according to claim 20, wherein the receiving module is further configured to obtain, from the core network device, the service identifier that the core network device allocates to a pre-registered application.
  22. The device according to claim 20 or 21, wherein the receiving module is further configured to receive an application login request sent by the UE, wherein the application login request includes information about a second application that the UE requests to log in to;
    the processing module is further configured to query, according to the application login request, the application account with which the UE logs in to the second application;
    the sending module is further configured to send the application account to an application server of the second application, so that the application server authenticates the application account and returns an authentication response; and
    the receiving module is further configured to receive the authentication response from the application server, and to feed back a login result to the UE according to the authentication response.
  23. The device according to claim 22, wherein the sending module is further configured to send an account acquisition request to the core network device if the application account is not found, wherein the account acquisition request includes the service identifier and the user identifier; and
    the receiving module is further configured to obtain the application account from the core network device.
  24. The device according to claim 22 or 23, wherein the sending module is further configured to send two or more application accounts to the UE if the two or more application accounts are found; and
    the receiving module is further configured to receive, from the UE, the application account selected for logging in to the second application.
  25. The device according to claim 20, wherein the receiving module is further configured to receive a user identifier that the core network device allocates to the UE according to a virtual machine registration request sent by the UE;
    the processing module is further configured to allocate a virtual machine to the UE according to the user identifier; and
    the sending module is further configured to return a virtual machine allocation response to the core network device, wherein the virtual machine allocation response includes a username and a password of the UE, so that the core network device stores the username and password of the UE according to the virtual machine allocation response and returns a virtual machine registration response to the UE.
  26. The device according to claim 25, wherein the virtual machine registration request includes a username and a password set by the UE, and a temporary identifier of the UE.
  27. The device according to claim 25, wherein the virtual machine registration request includes information about the user who uses the UE; and
    the processing module is further configured to randomly generate the username and password for the UE while allocating the virtual machine to the UE according to the user identifier.
  28. The device according to any one of claims 25 to 27, wherein the receiving module is further configured to receive a virtual machine login request from the UE, where the virtual machine login request includes the username and password of the UE;
    the sending module is further configured to send the username and password of the UE to the core network device, so that the core network device authenticates the UE according to the username and password of the UE and returns an authentication response, where the authentication response includes the user identifier of the UE;
    the processing module is further configured to start, according to the user identifier, the virtual machine allocated to the UE;
    the sending module is further configured to return a virtual machine login response to the UE.
  29. The device according to any one of claims 25 to 28, wherein the receiving module is further configured to receive a virtual machine removal request sent by the core network device after the core network device authenticates the UE according to a virtual machine logout request sent by the UE and looks up the user identifier of the UE, where the virtual machine removal request includes the user identifier of the UE;
    the processing module is further configured to remove, according to the virtual machine destruction request, the virtual machine allocated to the UE, and to delete the configuration information corresponding to the user identifier of the UE.
  30. A core network device, comprising:
    a receiving module, configured to receive an account registration request sent by a mobile virtualization device, where the account registration request includes a service identifier of a first application that a user equipment (UE) requests to register and a user identifier of the UE;
    a processing module, configured to allocate to the UE, according to the account registration request, an application account for logging in to the first application;
    a sending module, configured to send the application account to the mobile virtualization device and to an application server of the first application.
  31. The device according to claim 30, wherein the processing module is further configured to allocate a service identifier to a pre-registered application;
    the sending module is further configured to send the service identifier to the mobile virtualization device.
  32. The device according to claim 30 or 31, wherein the receiving module is further configured to receive an account acquisition request sent by the mobile virtualization device after the mobile virtualization device fails to obtain an application account with which the UE logs in to a second application, where the account acquisition request includes a service identifier of the second application and the user identifier of the UE;
    the sending module is further configured to return the application account to the mobile virtualization device according to the account acquisition request.
  33. The device according to claim 30 or 31, wherein the receiving module is further configured to receive a virtual machine registration request sent by the UE;
    the processing module is further configured to allocate a user identifier to the UE according to the virtual machine registration request;
    the sending module is further configured to send the user identifier to the mobile virtualization device, so that the mobile virtualization device allocates a virtual machine to the UE according to the user identifier;
    the receiving module is further configured to receive a virtual machine allocation response sent by the mobile virtualization device, where the virtual machine allocation response includes a username and a password of the UE;
    the processing module is further configured to store the username and password of the UE;
    the sending module is further configured to return a virtual machine registration response to the UE.
  34. The device according to claim 33, wherein the virtual machine registration request includes a username and a password set by the UE, and a temporary identifier of the UE; or
    the virtual machine registration request includes user information of the user using the UE.
  35. The device according to claim 33 or 34, wherein the receiving module is further configured to receive the username and password of the UE sent by the mobile virtualization device according to a virtual machine login request sent by the UE, where the virtual machine login request includes the username and password of the UE;
    the processing module is further configured to authenticate the UE according to the username and password of the UE;
    the sending module is further configured to return an authentication response, where the authentication response includes the user identifier of the UE, so that the mobile virtualization device starts, according to the user identifier, the virtual machine allocated to the UE and returns a virtual machine login response to the UE.
  36. The device according to any one of claims 33 to 35, wherein the receiving module is further configured to receive a virtual machine logout request sent by the UE, where the virtual machine logout request includes the username and password of the UE;
    the processing module is further configured to authenticate the UE according to the virtual machine logout request and to look up the user identifier of the UE;
    the sending module is further configured to send a virtual machine removal request to the mobile virtualization device, where the virtual machine removal request includes the user identifier, so that the mobile virtualization device removes, according to the virtual machine removal request, the virtual machine allocated to the UE and deletes the configuration information corresponding to the user identifier;
    the processing module is further configured to delete the configuration information corresponding to the user identifier;
    the sending module is further configured to return a virtual machine logout response to the UE.
  37. An application server, comprising:
    a receiving module, configured to receive an application account sent by a core network device, where the application account is the application account allocated by the core network device to a user equipment (UE) when the UE requests to register a first application.
  38. The device according to claim 37, further comprising a processing module and a sending module;
    the receiving module is further configured to receive an application account sent by a mobile virtualization device, where the application account is the application account, found by the mobile virtualization device according to an application login request sent by the UE, of a second application that the UE requests to log in to;
    the processing module is configured to authenticate the application account;
    the sending module is configured to return an authentication response to the mobile virtualization device.
  39. An authentication system, comprising: a mobile virtualization device, a core network device, an application server, and a user equipment (UE); wherein the mobile virtualization device is the mobile virtualization device according to any one of claims 20 to 29; the core network device is the core network device according to any one of claims 30 to 36; and the application server is the application server according to claim 37 or 38.
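
The virtual machine registration, login and logout exchange of claims 25 to 29 and 33 to 36, as an added Python sketch that is not part of the patent. Class and method names are hypothetical, and keeping a salted PBKDF2 hash in place of the password itself is an assumption of this sketch, not something the claims specify.

```python
import hashlib, hmac, secrets

class MobileVirtualizationDevice:
    def __init__(self):
        self.vms, self.core = {}, None          # vms: user_id -> VM state

    def allocate_vm(self, user_id):
        # Claims 25/27: allocate the VM and generate random credentials with it.
        self.vms[user_id] = "allocated"
        return {"username": "u-" + secrets.token_hex(4),
                "password": secrets.token_urlsafe(16)}  # VM allocation response

    def vm_login(self, username, password):
        user_id = self.core.authenticate(username, password)  # claim 28: core network checks
        if user_id in self.vms:                 # None (auth failed) is never a key
            self.vms[user_id] = "running"
        return user_id in self.vms

    def remove_vm(self, user_id):
        self.vms.pop(user_id, None)             # claim 29: drop VM and per-user state

class CoreNetworkDevice:
    def __init__(self, mvd):
        self.mvd, self.creds = mvd, {}          # creds: username -> (salt, hash, user_id)
        mvd.core = self

    @staticmethod
    def _kdf(password, salt):
        # Assumption of this sketch: keep a salted PBKDF2 hash, not the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def vm_register(self):
        user_id = secrets.token_hex(8)          # claim 33: allocate a user identifier
        resp = self.mvd.allocate_vm(user_id)
        salt = secrets.token_bytes(16)
        self.creds[resp["username"]] = (salt, self._kdf(resp["password"], salt), user_id)
        return resp                             # VM registration response to the UE

    def authenticate(self, username, password):
        salt, digest, user_id = self.creds.get(username, (b"", b"", None))
        ok = hmac.compare_digest(digest, self._kdf(password, salt))
        return user_id if ok else None

    def vm_logout(self, username, password):
        user_id = self.authenticate(username, password)  # claim 36: authenticate first
        if user_id is not None:
            self.mvd.remove_vm(user_id)
            del self.creds[username]
        return user_id is not None
```

In this sketch a failed logout leaves both the virtual machine and the stored record in place, and a successful one leaves no state keyed by the user identifier on either device.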
PCT/CN2015/075279 2015-03-27 2015-03-27 User authentication method, apparatus and system WO2016154813A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2015/075279 WO2016154813A1 (en) 2015-03-27 2015-03-27 User authentication method, apparatus and system
CN201580050981.3A CN107079008B (en) 2015-03-27 2015-03-27 User authentication method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/075279 WO2016154813A1 (en) 2015-03-27 2015-03-27 User authentication method, apparatus and system

Publications (1)

Publication Number Publication Date
WO2016154813A1 true WO2016154813A1 (en) 2016-10-06

Family

ID=57003818

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/075279 WO2016154813A1 (en) 2015-03-27 2015-03-27 User authentication method, apparatus and system

Country Status (2)

Country Link
CN (1) CN107079008B (en)
WO (1) WO2016154813A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112532653B (en) * 2020-12-22 2022-06-07 富途网络科技(深圳)有限公司 Method and device for managing third-party account

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104066070A (en) * 2013-03-20 2014-09-24 中兴通讯股份有限公司 Terminal registration method, terminal finding method, terminal and devices
WO2014176808A1 (en) * 2013-04-28 2014-11-06 Tencent Technology (Shenzhen) Company Limited Authorization authentication method and apparatus
CN104243433A (en) * 2013-06-20 2014-12-24 腾讯科技(深圳)有限公司 Logging-in method, device and system based on browser client-side account

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7444508B2 (en) * 2003-06-30 2008-10-28 Nokia Corporation Method of implementing secure access
CN103037368A (en) * 2011-09-29 2013-04-10 中国移动通信集团四川有限公司 Method, device and system for identity authentication
CN103023921A (en) * 2012-12-27 2013-04-03 中国建设银行股份有限公司 Authentication and access method and authentication system
CN104468487B (en) * 2013-09-23 2018-10-19 华为技术有限公司 Communication authentication method and device, terminal device

Also Published As

Publication number Publication date
CN107079008A (en) 2017-08-18
CN107079008B (en) 2020-02-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15886800

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15886800

Country of ref document: EP

Kind code of ref document: A1