CN101562621B - User authorization method and system and device thereof - Google Patents


Info

Publication number: CN101562621B
Authority: CN (China)
Prior art keywords: token, user, isp, subscriber authorisation, isv
Legal status: Active
Application number: CN 200910143737
Other languages: Chinese (zh)
Other versions: CN101562621A (en)
Inventor: 岑文初
Current Assignee: Alibaba Group Holding Ltd
Original Assignee: Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN 200910143737; publication of CN101562621A
Priority to HK10103892.1A (HK1135815A1)
Application granted; publication of CN101562621B

Abstract

The invention discloses a user authorization method, system and device, applied in a network consisting of a service integration platform (SIP), an Internet service provider (ISP) and an independent software vendor (ISV) application, where the ISP provides different open application programming interfaces (Open APIs). The method comprises the following steps: when the ISP's authentication of the user's identity succeeds, the SIP creates a user authorization token according to the registration information of the Open API called by the ISV application; the SIP then processes the ISV application's call request for the Open API according to the user authorization token. The invention refines the scope of application, usage type and usage rights of the user authorization token, supports an asynchronous user authorization mode, improves the security of the system, and solves the problem of low service efficiency caused by data relay when service requests carry large amounts of data.

Description

Method, system and device for user authorization
Technical field
The present application relates to the field of network technology, and in particular to a method, system and device for user authorization.
Background art
As SOA (Service-Oriented Architecture) has matured and the REST (Representational State Transfer) style has become widely accepted, open Internet services have gradually become a new kind of Internet resource: a website encapsulates its services as a set of machine-readable data interfaces and opens them to third-party developers, and such an open Application Programming Interface (API) is called an Open API. At the same time, with the growing richness of Web 2.0 applications, ISVs (Independent Software Vendors) make use of the service resources available on the network to design rich and varied interactive applications for their customers, combining services from different service providers into aggregations that produce new, innovative effects.
In the prior art, an SIP (Service Integration Platform) integrates the services of multiple ISPs (Internet Service Providers) on a single platform and at the same time provides unified non-business functions such as security, billing and monitoring, so that an ISP can concentrate on developing its business without having to design the non-business framework. The SIP also provides a unified development flow for ISVs: an ISV can more easily integrate services offered by several providers, adopt the unified security and billing flow, shorten development time and concentrate on building innovative applications from the integrated services. Abroad, websites such as Facebook, Amazon and Google are successful examples; ISV developers build distinctive applications on the Open APIs of these websites and attract users.
In the prior art, the user authorization steps of an Open API are:
1. The ISV application initiates a call request to the Open API provided by the ISP;
2. The ISP returns a page on which the user logs in and authorizes the ISV application;
3. The user logs in and authorizes the ISV application to access and operate on the user's information;
4. The ISV application calls the Open API with the user authorization token and accesses and operates on the user's information.
In the course of making the present application, the inventor found that the prior art has at least the following problems:
The timeliness and scope of the user authorization carried in the authorization token are not well defined, so the user's data can easily be modified or accessed without the user's knowledge. The validity period of the user authorization is likewise undefined, and an authorization token containing user information is passed around as a parameter, which reduces the security of the system and exposes user information to threats. In addition, the authorization flow is tightly coupled to the service access flow, so that when a service request carries a large amount of data, relaying that data makes service efficiency low.
Summary of the invention
The present application provides a method, system and device for user authorization, applied in a network comprising a service integration platform (SIP), an Internet service provider (ISP) and an independent software vendor (ISV) application, where the ISP provides different open application programming interfaces (Open APIs), in order to protect user information and improve the security of the system.
The present application provides a user authorization method applied in a network comprising an SIP, an ISP and an ISV application, where the ISP provides different Open APIs. The method comprises:
when the ISP's authentication of the user's identity succeeds, the SIP creates a user authorization token according to the registration information of the Open API called by the ISV application;
the SIP processes the ISV application's call request for the Open API according to the user authorization token.
In the synchronous user authorization mode, before the SIP receives the ISP's notification that the user identity authentication has succeeded, the method further comprises:
the SIP receives the ISV application's call request for the Open API;
when the SIP receives the ISV application's call request for the Open API and the call requires user authorization, the SIP sends the user login and authorization page address to the ISV application, which triggers the ISV application and the user to carry out user identity authentication with the ISP.
The ISV application and the user carrying out user identity authentication with the ISP comprises:
the ISV application receives the user login and authorization page address sent by the SIP;
the ISV application sends the user login and authorization page address, the post-authorization return page address and a session id to the user;
the user sends a login and authorization request, together with the post-authorization return page address and the session id, to the ISP according to the login and authorization page address, and asks the ISP to authenticate the user's identity.
Creating the user authorization token comprises:
the SIP determines the attributes of the user authorization token according to the registration information of the Open API on the SIP; the attributes comprise the scope of application, the usage rights and the usage type of the user authorization token;
the SIP creates the user authorization token according to those attributes and associates it with the user login name;
the SIP binds the user authorization token to the session id.
Before creating the user authorization token, the method further comprises:
the SIP receives the create-token request, the session id and the user login name that the ISP sends when the user identity authentication succeeds.
The SIP processing, according to the user authorization token, the ISV application's call request for the Open API provided by the ISP comprises:
the SIP receives the ISV application's call request for the Open API provided by the ISP, the request carrying a session id;
when the session id is bound to a user authorization token, the SIP obtains the user authorization token and the user login name from the session id and forwards the token, the user login name and the call request to the Open API provided by the ISP;
the SIP receives the result returned by the ISP's Open API and passes it to the user through the ISV application.
In the asynchronous user authorization mode, before the SIP receives the ISP's notification that the user identity authentication has succeeded, the method further comprises:
the SIP receives the ISV application's user identity authentication request for the Open API together with the identity credential it carries;
the SIP forwards the received request and identity credential to the ISP.
The identity credential carried is specifically the user's OpenID, a login-free cookie, or the user's password for the ISP that the user has entrusted to the ISV.
Creating the user authorization token comprises:
the SIP determines the attributes of the user authorization token according to the registration information of the Open API on the SIP; the attributes comprise the scope of application, the usage rights and the usage type of the user authorization token;
the SIP creates the user authorization token and a token stub according to those attributes, and associates the user authorization token with the user login name.
Before creating the user authorization token, the method further comprises:
the SIP receives the create-token request and the user login name that the ISP sends when the user identity authentication succeeds.
The SIP processing, according to the user authorization token, the ISV application's call request for the Open API provided by the ISP comprises:
the SIP receives a request from the ISP to verify the authorization token stub, verifies the token stub, and returns the verification result to the ISP.
The present application provides a user authorization system applied in a network comprising a service integration platform, an ISP and an ISV application, where the ISP provides different Open APIs. The system comprises:
a service integration platform, for creating the user authorization token according to the registration information of the Open API called by the ISV application when the client identity authentication succeeds, and for processing the ISV application's call requests to the ISP;
an ISV application, for requesting calls to the ISP;
an ISP, for verifying the client's identity and executing the call request.
The present application provides a service integration platform for user authorization, applied in a network comprising a service integration platform, an ISP and an ISV application, where the ISP provides different Open APIs. The service integration platform comprises:
a request receiving module, for receiving the ISP's user identity authentication result;
a token creation module, for creating the user authorization token when the authentication result received by the request receiving module indicates that the user identity authentication succeeded;
a processing module, for processing, according to the user authorization token, the ISV application's call request for the Open API provided by the ISP.
The token creation module specifically comprises:
a request receiving submodule, for receiving the create-token request and the user login name that the ISP sends when the user identity authentication succeeds;
a token attribute determination submodule, for determining the attributes of the user authorization token according to the registration information of the Open API on the SIP;
a token creation submodule, for creating the user authorization token according to the attributes determined by the token attribute determination submodule.
In the synchronous user authorization mode, the platform further comprises:
a user authorization judgment module, for judging, according to the ISV application's call request for the Open API received by the request receiving module, whether the request requires user authorization;
an information return module, for returning the user login and authorization page address to the ISV application when the user authorization judgment module judges that the request requires user authorization.
The token creation submodule is further used for:
binding the user authorization token to the session id and associating it with the user name.
The processing module is specifically used for:
when the token creation submodule has bound the session id to the user authorization token, forwarding the user authorization token, the user login name and the call request to the Open API provided by the ISP.
In the asynchronous user authorization mode:
the request receiving module is further used for receiving the ISV application's user identity authentication request for the Open API and the identity credential it carries;
the processing module is further used for forwarding the received request and identity credential to the ISP;
the token creation submodule is further used for creating a token stub of the user authorization token according to the attributes determined by the token attribute determination submodule, and for associating the user authorization token with the user name;
the processing module is specifically used for receiving the ISP's request to verify the authorization token stub, verifying the token stub and returning the verification result to the ISP.
In the technical solution of the present application, the scope of application, usage type and usage rights of the user authorization token are refined; the application also supports an asynchronous user authorization mode, which improves the security of the system and solves the problem of low service efficiency caused by data relay when service requests carry large amounts of data.
Brief description of the drawings
To explain the technical solution of the present application or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a user authorization method in an embodiment of the present application;
Fig. 2 is a flow chart of the user authorization method in the synchronous user authorization mode in an embodiment of the present application;
Fig. 3 is a flow chart of a method for creating a user authorization token in the synchronous user authorization mode in an embodiment of the present application;
Fig. 4 is a flow chart of the user authorization method in the asynchronous user authorization mode in an embodiment of the present application;
Fig. 5 is a flow chart of a method for creating a user authorization token in the asynchronous user authorization mode in an embodiment of the present application;
Fig. 6 is a flow chart of a client plug-in updating method in an embodiment of the present application;
Fig. 7 is a flow chart of the user authorization method in the asynchronous user authorization mode in an embodiment of the present application;
Fig. 8 is a flow chart of the user authorization method in the asynchronous user authorization mode in an embodiment of the present application;
Fig. 9 is a structural schematic of a user authorization system in an embodiment of the present application;
Fig. 10 is a structural schematic of a service integration platform in an embodiment of the present application;
Fig. 11 is a structural schematic of the service integration platform in the synchronous user authorization mode in an embodiment of the present application;
Fig. 12 is a structural schematic of the service integration platform in the asynchronous user authorization mode in an embodiment of the present application.
Detailed description of the embodiments
The main idea of the present application is: when the ISP's authentication of the user identity succeeds, the service integration platform (SIP) creates a user authorization token according to the registration information of the Open API called by the ISV application; the SIP then processes the ISV application's call request for the ISP's Open API according to the user authorization token.
The technical solution of the present application is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the application, not all of them. All other embodiments that a person of ordinary skill in the art obtains from them without creative effort fall within the scope of protection of the application.
An ISV application provides its users with various software, for example electronic fax, online recruiting tools, e-magazines and online transactions. The SIP integrates the software provided by ISV applications on one platform: a user of ISV software only needs to log in to the SIP with a username and password to use the software provided by the ISV applications, rather than logging in to different websites for different software. As for the Open APIs provided by the ISP, when a user uses an ISV application on the SIP, the ISV application calls the corresponding Open API to provide the user with the required data or network services.
In one embodiment of the present application, the network to which the user authorization method applies comprises the user, the ISV application, the SIP and the Open API provided by the ISP. The ISV application provides the user with various application software. The SIP integrates the software provided by the ISV application on one platform so that the user can use different software there. The Open API provided by the ISP provides various data or network services to the user who uses the ISV application on the SIP. The flow chart of this user authorization method is shown in Fig. 1, and the specific steps are:
Step 101: when the ISP's authentication of the user identity succeeds, the SIP creates a user authorization token according to the registration information of the Open API called by the ISV application.
Specifically, the user logs in to the SIP and uses the software provided by an ISV application on the SIP. When the ISP's authentication of the user identity succeeds, the SIP creates a user authorization token that matches the registration information of the Open API the ISV application is about to call.
When an ISV application provides software on the SIP, the Open APIs it will call are registered on the SIP, and the registration information comprises:
(1) The business classification information of the Open API.
For example, Open APIs are classified by the business they provide, such as an electronic fax business or an online transaction business, to determine the business category an Open API belongs to.
(2) The authorization attribute information of the Open API.
For example, according to their authorization attributes, Open APIs are divided into four types, 0 to 3. Type 0 is an Open API that needs no authorization or verification at all; it provides operations on user information that do not require user authorization. Type 1 is an Open API that requires the identity of the ISV application to be verified, i.e. that the ISV application is a legitimate user of the SIP. Type 2 is an Open API that, on top of ISV identity verification, requires user authorization; it provides operations such as accessing or modifying user information. When an Open API is determined to be of this type, the usage type of the corresponding user authorization token is determined at the same time: a one-time token or a multi-use token. Type 3 is an Open API that, on top of ISV identity verification, is optionally user-authorized: without user authorization it only provides operations on user information that do not require user authorization; with user authorization it can operate on user information that does require it.
The attributes of a user authorization token comprise its scope of application, its usage rights and its usage type. The scope of application is divided into a single Open API, multiple Open APIs, and so on. The usage rights are divided into read rights, write rights, and so on. The usage type is divided, by number of uses, into one-time tokens, multi-use tokens, and so on. Through the scope of application the SIP controls which Open APIs the ISV application may call; through the usage rights it controls the ISV application's operating rights on user information; through the usage type it controls how many times the ISV application may call the Open API.
A one-time token is a token of a type that can be used only once, suitable for Open APIs with high security requirements: once such a token has been created successfully, the ISV application can call the Open API integrated on the SIP only once. A multi-use token is a token of a type that can be used repeatedly, suitable for Open APIs with lower security requirements but high user-experience requirements. A token of this type is given a validity period when it is created, and the SIP controls how long the token can be used by controlling that validity period. The validity period of a multi-use token is of one of two kinds: expiry after a fixed duration, or expiry after a fixed idle duration.
For example, when a user who is a seller in an online transaction needs to modify the goods in his shop through the Open API that the ISV application calls on the ISP, the SIP establishes, according to the business classification information and authorization attribute information of that Open API, a user authorization token matching its registration information; for instance, the usage rights of the created token are write rights, its scope of application is multiple Open APIs, and its usage type by number of uses is a multi-use token.
Step 102: the SIP processes the ISV application's call request for the Open API provided by the ISP according to the user authorization token.
In the technical solution of this embodiment, the scope of application, usage type and usage rights of the user authorization token are refined, and the ISV application's call request for the ISP's Open API is processed according to the user authorization token. In addition, the application supports an asynchronous user authorization mode, which improves the security of the system and solves the problem of low service efficiency caused by data relay when service requests carry large amounts of data.
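The token attributes described above (scope of application, usage rights, one-time versus multi-use type with fixed-duration or idle-duration expiry) and the session-id binding from the summary can be modelled on the SIP side as follows. This is an added illustration, not code from the patent or from Alibaba; the validity periods, the handling of type 3 Open APIs, the "strictest attribute wins" merging when a token covers several Open APIs, and all names are assumptions.

```python
# Added illustration (not the patent's code): the SIP-side token store.
# Token attributes come from the Open API registration info, the token is
# bound to the ISV-provided session id and never leaves the SIP, and every
# call request is checked against scope, rights, usage type and expiry.
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Authorization attribute of an Open API as registered on the SIP (types 0..3).
NO_AUTH, ISV_AUTH, USER_AUTH, OPTIONAL_USER_AUTH = 0, 1, 2, 3


@dataclass(frozen=True)
class OpenApiRegistration:
    name: str
    business_class: str            # e.g. "online_transaction"
    auth_type: int                 # 0..3 as above
    rights: frozenset              # {"read"} or {"read", "write"}
    usage_type: str = "multi"      # "once" (one-time token) or "multi"
    expiry_class: str = "fixed"    # multi-use only: "fixed" or "idle" duration
    ttl_seconds: float = 3600.0    # assumed validity period (not in the patent)


@dataclass
class AuthToken:
    value: bytes                   # opaque binary token, stored on the SIP only
    scope: frozenset               # names of the Open APIs the token applies to
    rights: frozenset
    usage_type: str
    expiry_class: str
    ttl: float
    user_login: str
    created_at: float
    last_used_at: float


class ManualClock:
    """Settable clock so that expiry can be exercised deterministically."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class SIP:
    def __init__(self, clock=time.time):
        self.registry = {}   # Open API name -> OpenApiRegistration
        self.bound = {}      # session id -> AuthToken (the binding of step 209)
        self.clock = clock

    def register_open_api(self, reg: OpenApiRegistration) -> None:
        self.registry[reg.name] = reg

    def needs_user_authorization(self, api_name: str, touches_user_data: bool) -> bool:
        """Step 203: decide from the registration info whether the call needs it."""
        t = self.registry[api_name].auth_type
        if t == USER_AUTH:
            return True
        # type 3 is optionally authorized; assumed rule: only if user data is touched
        return t == OPTIONAL_USER_AUTH and touches_user_data

    def create_token(self, session_id: str, user_login: str, api_names: list[str]) -> bool:
        """Step 209: the ISP reported a successful login; derive attributes and bind."""
        regs = [self.registry[n] for n in api_names]
        if not regs or any(r.auth_type < USER_AUTH for r in regs):
            return False             # type 0/1 Open APIs never get a user token
        # the scope may cover several Open APIs; the strictest attribute wins (assumed)
        rights = frozenset.intersection(*(r.rights for r in regs))
        usage = "once" if any(r.usage_type == "once" for r in regs) else "multi"
        expiry = "idle" if any(r.expiry_class == "idle" for r in regs) else "fixed"
        now = self.clock()
        self.bound[session_id] = AuthToken(
            secrets.token_bytes(32), frozenset(api_names), rights, usage, expiry,
            min(r.ttl_seconds for r in regs), user_login, now, now)
        return True

    def _expired(self, tok: AuthToken, now: float) -> bool:
        if tok.usage_type == "once":
            return False             # one-time tokens expire by use, not by time
        anchor = tok.created_at if tok.expiry_class == "fixed" else tok.last_used_at
        return now - anchor > tok.ttl

    def handle_call(self, session_id: str, api_name: str, operation: str):
        """Step 213 on: the ISV sends only the session id and the SIP looks the
        token up. Returns (payload forwarded to the ISP's Open API or None, reason)."""
        tok = self.bound.get(session_id)
        now = self.clock()
        if tok is None:
            return None, "no token bound to session"
        if self._expired(tok, now):
            del self.bound[session_id]
            return None, "token expired"
        if api_name not in tok.scope:
            return None, "Open API outside token scope"
        if operation not in tok.rights:
            return None, f"token lacks {operation} right"
        tok.last_used_at = now
        if tok.usage_type == "once":
            del self.bound[session_id]   # a one-time token is consumed by its use
        return {"token": tok.value, "user": tok.user_login,
                "api": api_name, "op": operation}, "forwarded"
```

Because the ISV only ever holds the session id, a leaked or logged ISV request exposes no token material; the SIP's lookup is the only place the token is resolved.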
In one embodiment of the present application, the method is first described as applied to the Internet in the synchronous user authorization mode. The network comprises the user, the ISV application, the SIP and the Open API provided by the ISP. The ISV application provides the user with various application software. The SIP integrates the software provided by the ISV application on one platform so that the user can use different software there. The Open API provided by the ISP provides various data or network services to the user who uses the software provided by the ISV application on the SIP.
In this embodiment, when the user uses the ISV application, the user authorizes the ISV application, confirming that it may access or modify the user's information; the SIP creates the user authorization token, and the ISV application calls the Open API integrated on the SIP to provide the user with the required service.
Specifically, as shown in Fig. 2, the method flow in the synchronous user authorization mode comprises the following steps:
Step 201: the user uses the ISV application.
For example, during an online transaction the user, acting as a seller, needs to modify the information of the goods he offers, and so uses an ISV application that provides a goods-information modification feature.
Step 202: the ISV application sends a call request to the Open API integrated on the SIP.
Specifically, the ISV application selects the appropriate Open API among the many available according to what the user is doing, and sends a call request to it. For example, among Open APIs that provide different functions, the ISV application selects the one that provides the goods-information modification feature and sends a call request to it.
Step 203: the SIP receives the call request sent by the ISV application and judges whether the call requires user authorization.
Specifically, when an Open API is registered, its registration information is recorded on the SIP and comprises its business classification information and authorization attribute information. When the ISV application calls an Open API integrated on the SIP, the SIP judges from this registration information whether calling this Open API requires user authorization, i.e. whether the user must permit the Open API to access or operate on the user's information. An Open API that does not require user authorization may access user information directly without the user's permission, for example an Open API that lets the goods information published by a seller be browsed; an Open API that requires user authorization may access or operate on user information only with the user's permission, for example an Open API that modifies the goods information published by a seller.
If the call does not require user authorization, go to step 216.
If the call requires user authorization, go to step 204.
Step 204: the SIP sends the user login and authorization page address to the ISV application.
The user login and authorization page address is used for the user to log in and to authorize the ISV application. For example, when the Open API called by the ISV application is the one that modifies the seller's goods information, the SIP sends the user login and authorization page address to the ISV application.
Step 205: after receiving the user login and authorization page address from the SIP, the ISV application redirects the user to that address, carrying at the same time the post-authorization return page address and the session id provided by the ISV application.
The post-authorization return page address indicates the page address to which the user is to be returned after the ISP receives the message that the token was created successfully. For example, when the Open API called by the ISV application is the one that modifies the seller's goods information, the user needs to be returned to the goods-information modification page after the ISP receives the token-creation-success message; the page to which the user is returned after authorization is the page corresponding to the post-authorization return page address.
The session id provided by the ISV application is allocated at random by the ISV application and serves as an identifier that uniquely determines the user's identity. When the SIP creates the token, it binds the session id provided by the ISV application to the user authorization token, establishing a correspondence between the session id and the token; the session id is passed instead of the token itself, which improves security and reduces the cost to the ISV application of maintaining user authorization tokens.
Step 206: after receiving the user login and authorization page address, the user opens the page and submits a login and authorization request to the ISP through it, carrying at the same time the post-authorization return page address and the session id provided by the ISV application.
Step 207: the ISP receives the login and authorization request submitted by the user, together with the post-authorization return page address and the session id provided by the ISV application, and authenticates the user's identity.
Step 208: when authentication succeeds, the ISP sends a create-user-authorization-token request to the SIP, carrying the user login name and the session id provided by the ISV application.
Step 209: the SIP receives the create-token request sent by the ISP, determines the scope of application, usage rights and usage type of the user authorization token according to the registration information of the Open API on the SIP, creates the user authorization token, stores it on the SIP and binds it to the session id; concretely, the binding is a correspondence between the user authorization token and the session id. At the same time the user authorization token is associated with the received user login name. The user authorization token may specifically be a binary file.
Step 210: when the user authorization token is created successfully, the SIP returns a token-creation-success message to the ISP.
Step 211: the ISP receives the token-creation-success message and, according to the post-authorization return page address received in step 207, sends the post-authorization return page corresponding to that address to the user.
Step 212: the user uses the ISV application on the post-authorization return page. For example, when the post-authorization return page is the goods-information modification page, the user modifies the goods information on that page.
Step 213: the ISV application calls the user-authorized Open API by sending a call request to the SIP, the call request carrying the session id provided by the ISV application. For example, while the user is modifying the goods information he has published, he uses the ISV application that provides the goods-information modification feature; the ISV application still needs to call the Open API that modifies the seller's goods information, and since that Open API has already passed user authorization, it is the user-authorized Open API.
Step 214, SIP receives ISV and uses the call request that sends, and judges that ISV the session id that provides is provided whether has been bound the subscriber authorisation token.Concrete, SIP can according to the subscriber authorisation token of having set up and the corresponding relation of session id, judge whether to exist the subscriber authorisation token of binding with session id.
Step 215 has been bound the subscriber authorisation token if ISV is provided by the session id that provides, and SIP is transmitted to ISP with the ISV call request that receives, and carries the user login name that obtains according to the subscriber authorisation token,
Need to prove, in step 215, user login name does not adopt the ISV parameter to transmit the mode of user login name when ISV application call Open API, and obtained according to the subscriber authorisation token by SIP, and pass to ISP, thereby guarantee the authenticity of user login name, prevent that ISV from using the user profile that deception ISP obtains unbundling.
Step 216, ISP receives the ISV call request that SIP forwards, and carries out this call request.For example, the ISV call request is when revising the request of merchandise news, to modify according to the merchandise news that the content of carrying in request is revised needs.
Step 217 after ISP carries out this call request, will be returned and call execution result to SIP.For example, the ISV call request is that when revising the request of merchandise news, the result after ISP will modify to merchandise news returns to SIP.
Step 218, SIP is transmitted to the ISV application with the execution result that calls that ISP returns.
Step 219, ISV uses the execution result that calls that will receive and represents to the user.So far, the user browses to the modification result after merchandise news is modified.
Wherein, as shown in Figure 3, step 209 specifically comprises the following steps:
Step 301, SIP determines the scope of application of subscriber authorisation token according to the log-on message of Open API in SIP.For example, according to the business classified information in the log-on message of Open API, the scope of application of subscriber authorisation token is defined as only using an Open API, maybe can uses a plurality of Open APIs relevant to this Open API etc.
Step 302, SIP determines the rights of using of subscriber authorisation token according to the log-on message of Open API in SIP.For example, according to the business classified information in the log-on message of Open API, the rights of using of subscriber authorisation token are defined as only having read right or have simultaneously access limit etc.
Step 303, in SIP root SIP, the log-on message of Open API is determined the type of service of subscriber authorisation token.For example, according to the authorization attribute information in the log-on message of Open API, the type of service of subscriber authorisation token is defined as disposable token and muptiple-use token etc. according to access times.
Step 304, SIP creates the subscriber authorisation token, the user login name that related ISP provides, and the session id binding that provides is provided for subscriber authorisation token and ISV.
Need to prove, the application's embodiment can adjust each step order according to actual needs.SIP in above-mentioned steps 301 is registered in log-on message on SIP according to Open API, the scope of application, the SIP in step 302 of determining the subscriber authorisation token is registered in log-on message on SIP according to Open API, determine that the rights of using of subscriber authorisation token and the SIP in step 303 are registered in log-on message on SIP according to Open API, determining does not have inevitable sequencing between three steps of type of service of subscriber authorisation token, can adjust.
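The following is an added example, not code from the patent: a minimal SIP-side model of steps 209 and 301-304 (token attributes derived from the Open API's registration information, the session ID binding) and of steps 214-215 (forwarding only for a bound session ID, with the login name taken from the token rather than from the ISV's parameters). The registration records, the rule that maps a business category to a scope, and all field and function names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional
import secrets

# Constructed registration information for three Open APIs, keyed by the Open
# API name. The field names ("category" for the business classification,
# "access" for the kind of access, "uses" for the authorization attribute)
# are assumptions for this example, not the patent's record layout.
OPEN_API_REGISTRY = {
    "product.update": {"category": "product", "access": "write", "uses": "multiple"},
    "product.get":    {"category": "product", "access": "read",  "uses": "multiple"},
    "order.pay":      {"category": "payment", "access": "write", "uses": "single"},
}


@dataclass
class UserAuthToken:
    scope: frozenset       # Open API names the token may be used for (step 301)
    rights: str            # "read" or "read_write" (step 302)
    service_type: str      # "one_time" or "multiple_use" (step 303)
    login_name: str        # login name received from ISP, associated in step 304
    # The token itself never leaves SIP; modelled here as random bytes.
    value: bytes = field(default_factory=lambda: secrets.token_bytes(32))


def determine_scope(api_name: str) -> frozenset:
    """Step 301 (assumed rule): a one-time API gets a single-API scope, any
    other API gets every registered Open API in the same business category."""
    reg = OPEN_API_REGISTRY[api_name]
    if reg["uses"] == "single":
        return frozenset({api_name})
    return frozenset(name for name, r in OPEN_API_REGISTRY.items()
                     if r["category"] == reg["category"])


def determine_rights(api_name: str) -> str:
    """Step 302: read-only, or read and write."""
    return "read_write" if OPEN_API_REGISTRY[api_name]["access"] == "write" else "read"


def determine_service_type(api_name: str) -> str:
    """Step 303: one-time or multiple-use, from the authorization attribute."""
    return "one_time" if OPEN_API_REGISTRY[api_name]["uses"] == "single" else "multiple_use"


class SIP:
    """Holds the tokens and the session ID -> token correspondence (step 209)."""

    def __init__(self):
        self._by_session = {}

    def create_token(self, api_name: str, login_name: str, session_id: str) -> UserAuthToken:
        """Steps 301-304: build the token from the Open API's registration
        information, associate the ISP-supplied login name, bind the session ID."""
        token = UserAuthToken(
            scope=determine_scope(api_name),
            rights=determine_rights(api_name),
            service_type=determine_service_type(api_name),
            login_name=login_name,
        )
        self._by_session[session_id] = token
        return token

    def handle_call(self, session_id: str, api_name: str, isv_params: dict) -> Optional[dict]:
        """Steps 214-215: forward to ISP only when the session ID is bound to a
        token. The login name comes from the token, never from isv_params."""
        token = self._by_session.get(session_id)
        if token is None:
            return None                       # not bound: nothing is forwarded
        if api_name not in token.scope:       # assumed: enforce the token's scope
            return None
        forwarded = dict(isv_params)
        forwarded.pop("login_name", None)     # an ISV-supplied login name is discarded
        forwarded["api"] = api_name
        forwarded["login_name"] = token.login_name
        return forwarded
```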
By refining the scope of application, service type and rights of use of the user authorization token, the embodiments of the application make explicit the authority, scope and time limit of the ISV application's operations on user information, improving system security and providing the user with a good service integration platform.
In another embodiment of the application, which adopts the asynchronous user authorization mode, the method of the application is applied to the Internet. This network comprises the user, the ISV application, SIP and the Open API provided by ISP. The ISV application provides various application software to the user. SIP integrates the software provided by ISV applications on the same platform, so that the user can use different software on this platform. The Open API provided by ISP provides various data or network services to the user.
In the embodiments of the application, when the user uses the ISV application, the user authorizes the ISV application and SIP creates the user authorization token, and the ISV application calls the Open API integrated on SIP. Here the ISV application sends the call request to SIP using Open Id.
Concretely, as shown in Figure 4, the method flow of the asynchronous user authorization mode comprises the following steps:
Step 401: the user uses the ISV application.
Concretely, the user logs in to SIP, uses the ISV application, and authorizes the ISV application to access and operate on user information. For example, the user logs in to SIP, uses the online transaction service provided by the ISV application, and at the same time directly authorizes this ISV application to access and operate on user information.
Step 402: the ISV application sends a user identity authentication request to SIP, carrying in this request an identity identifier and the name of the Open API the ISV application will call. The identity identifier is the user's Open Id, or a login-free Cookie, or the user's password at ISP entrusted to the ISV application. For example, the user, as a seller, modifies the product information they published; the ISV application calls the Open API that provides the product information modification feature and sends a user identity authentication request to SIP, carrying the name of the Open API and the identity identifier.
When the name of the Open API the ISV application will call is used by SIP to create the user authorization token, SIP queries the registration information of this Open API by its name and determines the attributes of the user authorization token from it.
Regarding Open Id: Open Id is a user-centric decentralized authentication system. The user only needs to register with one Open Id service provider to obtain an Open Id, and can then log in freely with this Open Id account at any of the many callers that support the Open Id service, without having to register an account for each login. More importantly, the user only needs to tell the user password to the Open Id service provider, which avoids disclosure of the user password. In the embodiments of the application, the ISV application is a caller supporting the Open Id service, and ISP is the provider of the Open Id service. The user freely uses the ISV application through the Open Id registered at ISP, without repeated logins and without providing the user password to the ISV application.
Regarding the Cookie: the user's identification information can be stored in a Cookie, and when the user visits the same website again, the website can read the user's identification information from the Cookie and judge whether the user is a valid user, whether they need to log in again, and so on.
Regarding the user's password at ISP entrusted to the ISV application: the user entrusts their password at ISP to the ISV application, so that when the ISV application sends the user identity authentication request to SIP, the user does not need to provide the password at ISP; the ISV application carries it directly when sending the user identity authentication request to SIP.
Step 403: SIP receives the user identity authentication request from the ISV application and forwards it to ISP, carrying the identity identifier in this request.
Step 404: ISP receives the ISV application's user identity authentication request forwarded by SIP and authenticates the user's identity.
Step 405: when authentication succeeds, ISP sends a create-user-authorization-token request to SIP, carrying the user login name.
Step 406: SIP receives the create-user-authorization-token request sent by ISP and creates the user authorization token and a token stub.
Concretely, SIP determines the scope of application, rights of use and service type of the user authorization token according to the registration information registered on SIP for the Open API, creates this user authorization token and the token stub, stores the created user authorization token on SIP and associates it with the user login name provided by ISP. The token stub serves as the basis for verifying that the ISV application is entitled to call the Open API provided by ISP. For example, the attributes of this user authorization token are determined from the name of the Open API that provides the product information modification feature and from the registration information of this Open API: the scope of application is several APIs, the rights of use are read and write, and the service type is a multiple-use token.
Step 407: SIP sends the token stub and the actual call address of the Open API to the ISV application.
The actual call address of the Open API is used so that when the ISV application calls the Open API it connects directly to ISP instead of relaying through SIP.
Step 408: the ISV application sends a connection request and a request to call the Open API to ISP, carrying the token stub that SIP created for this Open API.
It should be noted that before step 408 the ISV application has already passed user authorization and obtained the token stub, so the request to call the Open API in step 408 is sent by the ISV application directly to the ISP that provides the Open API, and there is no need to pass the request to call the Open API to SIP for it to judge whether a user authorization token has been bound. The call request is thus separated from the user authorization security mechanism, which reduces the processing load caused by relaying call requests when large volumes of data are exchanged, while still guaranteeing the security of the ISP's service.
Step 409: ISP receives the request to call the Open API sent by the ISV application and sends a token stub verification request to SIP, carrying the token stub in this request.
Step 410: SIP receives the token stub verification request sent by ISP and verifies the token stub.
Step 411: SIP returns the verification result for the token stub to ISP, carrying the user login name in the result.
Step 412: ISP receives the verification result for the token stub from SIP, and when the result is that the token stub passed verification, ISP executes the call request. For example, when the user, as a seller, needs to modify product information, the ISV application calls the Open API providing this function, and when the result is that the token stub passed verification, ISP modifies the user's product information through this Open API.
Step 413: ISP returns the Open API call execution result to the ISV application.
Step 414: the ISV application presents the Open API call execution result to the user.
In step 406, the creation by SIP of the user authorization token and the token stub specifically comprises, as shown in Figure 5, the following steps:
Step 501: SIP determines the scope of application of the user authorization token according to the registration information of the Open API on SIP.
Step 502: SIP determines the rights of use of the user authorization token according to the registration information of the Open API on SIP.
Step 503: SIP determines the attributes of the user authorization token according to the registration information of the Open API on SIP.
Step 504: SIP creates the user authorization token and the stub, associates the user authorization token with the user login name provided by ISP, and uses the authorization token stub as the basis for verifying that the ISV application is entitled to call the Open API.
It should be noted that the embodiments of the application can adjust the order of the steps according to actual needs. There is no necessary order between the three steps in which SIP determines, according to the registration information registered on SIP for the Open API, the scope of application (step 501), the rights of use (step 502) and the service type (step 503) of the user authorization token; the order can be adjusted.
In the technical solution of the application, the scope of application, service type and rights of use of the user authorization token are refined, and the application also supports the asynchronous user authorization mode, improving system security and solving the problem of low service efficiency caused by data relay during large-data service requests.
In addition, when the user authorization token created by SIP is a multiple-use token, the validity period of the multiple-use token is concretely controlled as follows:
Fixed-duration expiry type: a user authorization token of this type has its validity period set upon creation; when the validity period of the user authorization token is reached, the token expires, and the ISV application can no longer use the Open API that this user authorization token authorized it to call.
Idle fixed-duration expiry type: after a user authorization token of this type is created, each use of the user authorization token updates the start time of its use, thereby extending the validity period of the user authorization token. This type of user authorization token updates its validity period in two ways: the call request update method and the client plug-in update method.
Concretely, the update methods are as follows:
Call request update method: when the ISV application calls an Open API integrated on SIP, SIP updates the validity period of the user authorization token.
Client plug-in update method: SIP provides a unified client plug-in to the ISV application and the validity period is updated through the client plug-in, which prevents the ISV application from using implicit background operations to keep the user authorization alive.
Concretely, as shown in Figure 6, the client plug-in update method comprises the following steps:
Step 601: the SIP plug-in obtains the Cookie of the ISV application and checks whether it contains a session ID or token stub.
Step 602: on finding a session ID or token stub in the ISV application's Cookie, the SIP plug-in sends a request to SIP to update the validity period of the user authorization token.
Step 603: SIP receives the SIP plug-in's request and judges whether the session ID or token stub is bound to a user authorization token.
Concretely, the result of judging whether the session ID or token stub is bound to a user authorization token is one of the following three:
(a) the session ID or token stub is not bound to a user authorization token;
(b) the session ID or token stub is bound to a user authorization token and this user authorization token has exceeded its validity period;
(c) the session ID or token stub is bound to a user authorization token and this user authorization token has not exceeded its validity period.
Step 604: SIP processes the request according to the judgement result, in one of the following three ways:
(a) when the session ID or token stub is not bound to a user authorization token, SIP does not update the validity period of the user authorization token;
(b) when the session ID or token stub is bound to a user authorization token and this user authorization token has exceeded its validity period, SIP does not update the validity period of the user authorization token;
(c) when the session ID or token stub is bound to a user authorization token and this user authorization token has not exceeded its validity period, SIP updates the validity period of the user authorization token.
Step 605: SIP returns the processing result to the SIP plug-in.
Step 606: the SIP plug-in judges from the processing result whether the session ID or token stub in the Cookie needs to be removed, in one of the following three ways:
(a) when the session ID or token stub is not bound to a user authorization token and SIP did not update the validity period of the user authorization token, the SIP plug-in removes the session ID or token stub from the Cookie;
(b) when the session ID or token stub is bound to a user authorization token, this user authorization token has exceeded its validity period and SIP did not update the validity period of the user authorization token, the SIP plug-in removes the session ID or token stub from the Cookie;
(c) when the session ID or token stub is bound to a user authorization token, this user authorization token has not exceeded its validity period and SIP updated the validity period of the user authorization token, the SIP plug-in keeps the session ID or token stub in the Cookie.
The user authorization token design described above first satisfies user authorization for Open APIs with different security level requirements, and second provides more many-sided protection for the security of user data, preventing the ISV application from exploiting deficiencies in the user authorization token information to steal and abuse user information.
In another embodiment of the application, which adopts the asynchronous user authorization mode, the method of the application is applied to the Internet. This network comprises the user, the ISV application, SIP and the Open API provided by ISP. The ISV application provides various application software to the user. SIP integrates the software provided by ISV applications on the same platform, so that the user can use different software on this platform. The Open API provided by ISP provides various data or network services to the user.
In the embodiments of the application, when the user uses the ISV application, the user authorizes the ISV application and SIP creates the user authorization token, and the ISV application calls the Open API integrated on SIP, completing the user's use of the ISV application. Here the ISV application sends the call request to SIP using Open Id, and the service type of the user authorization token created by SIP is a one-time token.
Concretely, as shown in Figure 7, the method flow of the asynchronous user authorization mode comprises the following steps:
Step 701: the user uses the ISV application.
Concretely, the user logs in to SIP, uses the ISV application, and authorizes the ISV application to access and operate on user information. For example, the user, as a buyer, logs in to SIP, uses the online transaction service provided by the ISV application, and pays for goods.
Step 702: the ISV application sends a user identity authentication request to SIP, carrying in this request the user's Open Id and the name of the Open API the ISV application will call.
Concretely, when the name of the Open API the ISV application will call is used to create the user authorization token, the registration information of this Open API is queried by its name and used to determine the attributes of the user authorization token.
Open Id is a user-centric decentralized authentication system. The user only needs to register with one Open Id service provider to obtain an Open Id, and can then log in freely with this Open Id account at any of the many callers that support the Open Id service, without having to register an account for each login. More importantly, the user only needs to tell the user password to the Open Id service provider, which avoids disclosure of the user password. In the embodiments of the application, the ISV application is a caller supporting the Open Id service, and ISP is the provider of the Open Id service. The user freely uses the ISV application through the Open Id registered at ISP, without repeated logins and without disclosing the user password to the ISV application.
For example, according to what the user is using, the ISV application selects the Open API that provides the goods payment function from among the many Open APIs and sends a user identity authentication request to SIP, carrying in this request the user's Open Id submitted by the ISV application and the name of the Open API the ISV application will call.
Step 703: SIP receives the user identity authentication request from the ISV application and forwards it to ISP, carrying the identity identifier in this request.
Step 704: ISP receives the ISV application's user identity authentication request forwarded by SIP and authenticates the user's identity.
Step 705: when authentication succeeds, ISP sends a create-user-authorization-token request to SIP, carrying the user login name.
Step 706: SIP receives the create-user-authorization-token request sent by ISP and creates the user authorization token and a token stub.
Concretely, SIP determines the scope of application, rights of use and service type of the user authorization token according to the registration information registered on SIP for the Open API, creates this user authorization token and the token stub, stores the created user authorization token on SIP and associates it with the user login name provided by ISP; the token stub serves as the basis for verifying that the ISV application is entitled to call the Open API provided by ISP. For example, the attributes of this user authorization token are determined from the name of the Open API that provides the product information modification feature and from the registration information of this Open API: the scope of application is a single API, the rights of use are read and write, and the service type is a one-time token.
Step 707: SIP sends the token stub and the actual call address of the Open API to the ISV application.
The actual call address of the Open API is used so that when the ISV application calls the Open API it connects directly to ISP instead of relaying through SIP.
Step 708: the ISV application sends a connection request and a request to call the Open API to ISP, carrying the token stub that SIP created for this Open API.
It should be noted that before step 708 the ISV application has already passed user authorization and obtained the token stub, so the request to call the Open API in step 708 is sent by the ISV application directly to the ISP that provides the Open API, and there is no need to pass the request to call the Open API to SIP for it to judge whether a user authorization token has been bound. The call request is thus separated from the user authorization security mechanism, which reduces the processing load caused by relaying call requests when large volumes of data are exchanged, while still guaranteeing the security of the ISP's service.
Step 709: ISP receives the request to call the Open API sent by the ISV application and sends a token stub verification request to SIP, carrying the token stub in this request.
Step 710: SIP receives the token stub verification request sent by ISP and verifies the token stub.
Step 711: SIP returns the verification result for the token stub to ISP, carrying the user login name in the result.
Step 712: ISP receives the verification result for the token stub from SIP, and when the result is that the token stub passed verification, ISP executes the call request.
For example, when the user, as a buyer, needs to pay for goods, the ISV application calls the Open API providing this function, and when the result is that the token stub passed verification, ISP performs the goods payment through this Open API.
Step 713: ISP returns the Open API call execution result to the ISV application. For example, ISP sends the information that the goods have been paid for to the ISV application.
Step 714: the ISV application presents the Open API call execution result to the user.
Step 715: the ISV application again sends a connection request and a request to call this Open API to ISP, carrying the token stub in this request.
Step 716: ISP receives the request to call the Open API sent by the ISV application and sends a token stub verification request to SIP.
Step 717: SIP receives the token stub verification request sent by ISP and verifies the token stub.
Step 718: SIP returns the verification result for the token stub to ISP, carrying the user login name in the result.
Step 719: ISP processes the request according to the verification result for the token stub.
By verifying the token stub, SIP learns that this user authorization is a one-time token and that ISP has already been called, so SIP refuses this call of ISP by the ISV application. For example, when this Open API providing the goods payment function has already been called and is called again, because the service type of this Open API is a one-time token, paying for the goods again is refused, which protects the security of the user information of the user acting as a buyer.
Step 720: ISP returns an Open API call failure message to the ISV application.
Step 721: the ISV application returns the Open API call failure message to the user.
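The following is an added example, not code from the patent: a SIP-side model of token stub verification (steps 709-713 and 716-721, where a one-time token is refused on its second use) together with the validity period control of multiple-use tokens (fixed-duration and idle-duration expiry, the call request update method, and the three outcomes of steps 603-606). Stub values, login names and timestamps are constructed; the names, the clock passed in as a number of seconds, and the handling of a renewal request for a fixed-duration token are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import secrets


@dataclass
class AuthToken:
    login_name: str
    kind: str            # "one_time", "fixed_duration" or "idle_duration"
    lifetime: float      # validity period in seconds (multiple-use types only)
    created_at: float
    last_used_at: float
    used: bool = False   # set after the single permitted use of a one-time token


class SIP:
    """Keeps the tokens; the ISV application only ever holds the stub."""

    def __init__(self):
        self._by_stub = {}

    def create_token(self, login_name: str, kind: str, now: float, lifetime: float = 0.0) -> str:
        """Step 706: create the token and the stub; the stub is what ISV carries."""
        token = AuthToken(login_name, kind, lifetime, now, now)
        stub = secrets.token_hex(16)          # constructed stub value
        self._by_stub[stub] = token
        return stub

    def _expired(self, token: AuthToken, now: float) -> bool:
        if token.kind == "fixed_duration":    # validity counted from creation
            return now > token.created_at + token.lifetime
        if token.kind == "idle_duration":     # validity restarts at each use
            return now > token.last_used_at + token.lifetime
        return False                          # one-time tokens are limited by use count

    def verify_stub(self, stub: str, now: float) -> Tuple[bool, Optional[str]]:
        """Steps 710-711: verification result plus the login name on success."""
        token = self._by_stub.get(stub)
        if token is None or self._expired(token, now):
            return False, None
        if token.kind == "one_time":
            if token.used:                    # ISP already called once: refuse (step 719)
                return False, None
            token.used = True
        elif token.kind == "idle_duration":   # call request update method
            token.last_used_at = now
        return True, token.login_name

    def renew(self, stub: str, now: float) -> str:
        """Steps 603-604 for the client plug-in update method."""
        token = self._by_stub.get(stub)
        if token is None:
            return "not_bound"                # (a): nothing to renew
        if token.kind != "idle_duration":
            return "not_renewable"            # assumption: only idle-duration tokens renew
        if self._expired(token, now):
            return "expired"                  # (b): bound but past its validity period
        token.last_used_at = now
        return "renewed"                      # (c): bound and still valid


def plugin_update_cookie(cookie: dict, result: str) -> dict:
    """Step 606: keep the stub in the Cookie only when SIP renewed the token."""
    if result == "renewed":
        return dict(cookie)
    return {k: v for k, v in cookie.items() if k != "token_stub"}


def isp_handle_call(sip: SIP, stub: str, now: float) -> str:
    """Steps 709-713 and 719-720: ISP executes only on a passed verification."""
    ok, login_name = sip.verify_stub(stub, now)
    if not ok:
        return "call failed"
    return f"executed for {login_name}"
```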
In step 706, SIP creates the user authorization token and the token stub concretely as shown in Figure 5.
It should be noted that the embodiments of the application can adjust the order of the steps according to actual needs. There is no necessary order between the three steps in which SIP determines, according to the registration information registered on SIP for the Open API, the scope of application (step 501), the rights of use (step 502) and the service type (step 503) of the user authorization token; the order can be adjusted.
In the technical solution of the application, the scope of application, service type and rights of use of the user authorization token are refined; through the service type of the user authorization token, the problem of user information being modified without authorization in situations with higher security requirements is avoided. The application also supports the asynchronous user authorization mode, solving the problem of low service efficiency caused by data relay during large-data service requests.
In another embodiment of the application, for adopting the asynchronous licensing mode of user, the method in the application is applied to another embodiment in the internet.This network comprises: the Open API that user, ISV application, SIP and ISP provide.Wherein, ISV uses, and is used to the user that various application software are provided.SIP is used for using the software that provides by ISV and is integrated in identical platform, makes the user can use different software on this platform.The Open API that ISP provides is used for providing various data or network service to the user.
In the embodiment of the present application, when the user uses an ISV application, the user authorizes the ISV application and SIP creates the user authorization token; the ISV application then calls the Open API integrated on SIP, completing the user's use of the ISV application. Here the ISV application sends its call request to SIP in the Open Id manner, and the service type of the user authorization token created by SIP is a multi-use token of the fixed-duration-expiry class.
Specifically, as shown in Figure 8, the method flow of the asynchronous user authorization mode comprises the following steps:
Step 801: the user uses the ISV application.
Specifically, the user logs in to SIP, uses the ISV application, and authorizes the ISV application to access and operate on the user's information. For example, the user logs in to SIP, uses the online transaction service provided by the ISV application, and at the same time directly authorizes this ISV application to access and operate on the user's information.
Step 802: the ISV application sends a user identity authentication request to SIP. The request carries the user's Open Id and the name of the Open API that the ISV application will call.
When the user authorization token is created, the name of the Open API that the ISV application will call is used to look up the registration information of that Open API, which in turn determines the attributes of the user authorization token.
Open Id is a user-centric distributed authentication system. The user only needs to register with one provider of the Open Id service to obtain an Open Id, and can then use that Open Id account to log in freely to any of the many callers that support the Open Id service, without having to register an account for each login. More importantly, the user only needs to tell the user password to the provider of the Open Id service, which avoids disclosing the user password elsewhere. In the embodiment of this application, the ISV application is a caller that supports the Open Id service, and ISP is the provider of the Open Id service. Using the Open Id registered at ISP, the user can freely use the ISV application without logging in repeatedly and without disclosing the user password to the ISV application.
For example, the user, as a seller, modifies the merchandise information that the user has provided: the ISV application calls the Open API that provides the merchandise-information modification function, and sends a user identity authentication request to SIP carrying the name of that Open API and an identity identifier.
Step 803: SIP receives the user identity authentication request from the ISV application and forwards the user identity authentication request to ISP, carrying the identity identifier in the request.
Step 804: ISP receives the ISV application's user identity authentication request forwarded by SIP and authenticates the user identity.
Step 805: when authentication passes, ISP sends a create-user-authorization-token request to SIP, carrying the user login name.
Step 806: SIP receives the create-user-authorization-token request sent by ISP and creates the user authorization token and a token stub.
Specifically, SIP determines the applicable scope, usage rights and service type of the user authorization token according to the registration information that the Open API has registered on SIP, creates the user authorization token and the token stub, stores the created user authorization token on SIP, and associates the user authorization token with the user login name provided by ISP. The token stub serves as the basis for verifying that the ISV application has the right to call the Open API provided by ISP. For example, the attributes of this user authorization token are determined from the name of the Open API that provides the merchandise-information modification function and the registration information of that Open API: the applicable scope is multiple APIs, the usage rights are access rights, and the service type is a multi-use token.
Step 807: SIP sends the token stub and the actual call address of the Open API to the ISV application.
The actual call address of the Open API is used so that, when the ISV application calls the Open API, it connects directly to ISP instead of being relayed through SIP.
Step 808: the ISV application sends a connection request and an Open API call request to ISP, carrying the token stub that SIP created for this Open API.
It should be noted that before step 808 the ISV application has already passed user authorization and obtained the token stub, so in step 808 the Open API call request is sent by the ISV application directly to the ISP that provides the Open API, and the Open API call request does not need to be handed to SIP to judge whether a user authorization token has been bound. The call request is thereby separated from the user authorization security mechanism, which reduces the processing pressure caused by relaying call requests during large data exchanges while still guaranteeing the security of the ISP's service.
Step 809: ISP receives the Open API call request sent by the ISV application and sends a verify-token-stub request to SIP, carrying the token stub in the request.
Step 810: SIP receives the verify-token-stub request sent by ISP and verifies the token stub.
Step 811: SIP returns the token stub verification result to ISP, carrying the user login name in the result.
Step 812: ISP receives the token stub verification result from SIP; when the result is that the token stub passed verification, ISP executes the call request.
For example, when the user, as a seller, needs to modify merchandise information, the ISV application calls the Open API that provides this function, and when the verification result is that the token stub passed verification, ISP modifies the user's merchandise information through this Open API.
Step 813: ISP returns the Open API call execution result to the ISV application.
Step 814: the ISV application presents the Open API call execution result to the user.
Step 815: the ISV application again sends a connection request and an Open API call request to ISP, carrying the token stub.
Step 816: ISP receives the Open API call request sent by the ISV application and sends a verify-token-stub request to SIP.
Step 817: SIP receives the verify-token-stub request sent by ISP and verifies the token stub. From verifying the token stub, SIP learns that this user authorization token is a multi-use token of the fixed-duration-expiry class, and judges whether the user authorization token is still within its validity period.
Step 818: SIP returns the token stub verification result to ISP, carrying the user login name.
Step 819: ISP processes according to the token stub verification result.
If the user authorization token is no longer within its validity period, ISP refuses this request by the ISV application to call the Open API provided by ISP;
If the user authorization token is still within its validity period, ISP executes the call request again.
For example, when the user authorization token is still within its validity period, the ISV application modifies the merchandise information through the Open API call.
This embodiment is described taking the case in which the user authorization token is still within its validity period as the example.
Step 820: ISP returns the result of executing the call request again to the ISV application.
Step 821: the ISV application presents the result of executing the call request again to the user.
In step 806, SIP creates the user authorization token and the token stub; specifically, this is as shown in Figure 5.
It should be noted that the embodiment of this application can adjust the order of the steps according to actual needs. Among the three steps in which SIP determines the applicable scope of the user authorization token according to the registration information of the Open API on SIP (step 501), SIP determines the usage rights of the user authorization token according to the registration information of the Open API on SIP (step 502), and SIP determines the service type of the user authorization token according to the registration information of the Open API on SIP (step 503), there is no necessary order; they can be adjusted.
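The Figure 8 flow above (steps 806 to 819), modelled as an added Python example that is not part of the patent or of any Alibaba code: SIP derives the token attributes from a constructed Open API registration table, creates the token and a token stub, keeps the token and hands only the stub to the ISV application, and ISP asks SIP to verify the stub on every call, so the fixed-duration expiry check of step 817 produces the refusal of step 819 without the call itself passing through SIP. The registry contents, API names, key, clock values and the choice of an HMAC over the token id as the stub are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed Open API registration table. Assumption: this is the shape of the
# registration information SIP consults in step 806 to fix the token attributes.
OPEN_API_REGISTRY = {
    "item.modify": {"scope": ["item.modify", "item.get"], "rights": "read-write",
                    "service_type": "multi-use-fixed-duration", "ttl_seconds": 3600},
    "item.get": {"scope": ["item.get"], "rights": "read-only",
                 "service_type": "multi-use-fixed-duration", "ttl_seconds": 300},
}


@dataclass
class UserAuthToken:
    token_id: str
    user_login: str      # login name supplied by ISP in step 805
    scope: list          # applicable scope: which Open APIs the token covers
    rights: str          # usage rights
    service_type: str    # service type, here the fixed-duration-expiry multi-use class
    created_at: int
    ttl_seconds: int

    def within_validity(self, now: int) -> bool:
        return now < self.created_at + self.ttl_seconds


class SIP:
    """Service integration platform: mints tokens, keeps them, verifies stubs."""

    def __init__(self, stub_key: bytes):
        self._stub_key = stub_key   # constructed secret; derives stubs from token ids
        self._tokens = {}           # token_id -> UserAuthToken, stored on SIP
        self._stub_index = {}       # stub -> token_id

    def create_token(self, api_name: str, user_login: str, now: int):
        """Step 806: derive the attributes from the Open API registration, create the
        token and its stub, store the token and associate it with the login name."""
        reg = OPEN_API_REGISTRY[api_name]          # KeyError: Open API not registered
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = UserAuthToken(
            token_id, user_login, list(reg["scope"]), reg["rights"],
            reg["service_type"], now, reg["ttl_seconds"])
        # The stub is a keyed digest of the token id: ISP can have it checked without
        # SIP ever handing the token itself to the ISV application.
        stub = hmac.new(self._stub_key, token_id.encode(), hashlib.sha256).hexdigest()
        self._stub_index[stub] = token_id
        return token_id, stub

    def verify_stub(self, stub: str, api_name: str, now: int) -> dict:
        """Steps 810/817: check the stub, the scope and the fixed-duration validity;
        the result carries the user login name as in steps 811/818."""
        token_id = self._stub_index.get(stub)
        if token_id is None:
            return {"valid": False, "reason": "unknown stub"}
        token = self._tokens[token_id]
        if api_name not in token.scope:
            return {"valid": False, "reason": "api outside token scope"}
        if not token.within_validity(now):
            return {"valid": False, "reason": "token expired"}
        return {"valid": True, "user_login": token.user_login, "rights": token.rights}


class ISP:
    """Internet service provider: executes an Open API call once SIP confirms the stub."""

    def __init__(self, sip: SIP):
        self._sip = sip
        self.items = {}   # constructed merchandise store keyed by user login name

    def handle_call(self, api_name: str, stub: str, now: int, payload: str = "") -> dict:
        """Steps 809-812 and 816-819: the call arrives directly from the ISV application
        with the stub; ISP asks SIP to verify it and then executes or refuses."""
        result = self._sip.verify_stub(stub, api_name, now)
        if not result["valid"]:
            return {"ok": False, "reason": result["reason"]}
        login = result["user_login"]
        if api_name == "item.modify":
            if result["rights"] != "read-write":
                return {"ok": False, "reason": "insufficient rights"}
            self.items[login] = payload
            return {"ok": True, "user_login": login, "item": payload}
        if api_name == "item.get":
            return {"ok": True, "user_login": login, "item": self.items.get(login)}
        return {"ok": False, "reason": "unknown api"}


def demo() -> dict:
    """Run the Figure 8 flow once against a constructed clock (seconds)."""
    sip = SIP(stub_key=b"constructed-demo-key")
    isp = ISP(sip)
    _, stub = sip.create_token("item.modify", "seller01", now=1000)             # step 806
    first = isp.handle_call("item.modify", stub, now=1010, payload="red hat")   # step 808
    again = isp.handle_call("item.modify", stub, now=2000, payload="blue hat")  # step 815
    expired = isp.handle_call("item.modify", stub, now=1000 + 3600)            # refused
    return {"first": first, "again": again, "expired": expired}
```

The design point the example makes visible is that the ISV application never receives the user authorization token, only the stub, and ISP never evaluates the stub locally: every call costs one verify round trip to SIP, which is what keeps the authorization decision (scope, rights, validity period) under SIP's control while the request payload flows directly between ISV application and ISP.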
In the technical scheme of this application, the applicable scope, service type and usage rights of the user authorization token are refined; through the service type of the user authorization token, frequent repeated logins are avoided for read-write operations in situations where the security requirement is not high. At the same time, the application supports the asynchronous user authorization mode, which solves the problem of low service efficiency caused by data relaying during large data service requests.
The embodiment of this application also provides a user authorization system, whose schematic structure is shown in Figure 9 and comprises:
Service integration platform 91, for creating the user authorization token according to the registration information of the Open API called by the ISV application when ISP 93 passes the client authentication, and for processing the call request from ISV application 92 to ISP 93;
ISV application 92, for sending call requests to ISP 93;
ISP 93, for verifying the identity of the client and executing the call request.
A schematic structure of service integration platform 100 in the embodiment of this application is shown in Figure 10 and comprises:
Request receiving module 101, for receiving the user identity authentication result from ISP;
Token creation module 102, for creating the user authorization token when the user identity authentication result received by request receiving module 101 from ISP is that authentication passed;
Processing module 103, for processing, according to the user authorization token created by token creation module 102, the call request from the ISV application to the Open API provided by ISP.
Token creation module 102 specifically comprises:
Request receiving submodule 1021, for receiving the create-user-authorization-token request and the user login name sent by ISP when the user identity authentication passes;
Token attribute determination submodule 1022, for determining the attributes of the user authorization token according to the registration information of the Open API on SIP;
Token creation submodule 1023, for creating the user authorization token according to the attributes of the user authorization token determined by token attribute determination submodule 1022.
In the embodiment of this application, under the synchronous user authorization mode, a schematic structure of service integration platform 110 is shown in Figure 11 and comprises:
Request receiving module 111, for receiving the user identity authentication result from ISP;
Token creation module 112, for creating the user authorization token when the user identity authentication result received by request receiving module 111 from ISP is that authentication passed;
Processing module 113, for processing, according to the user authorization token created by token creation module 112, the call request from the ISV application to the Open API provided by ISP.
Specifically, when the token creation submodule has bound the session id to the user authorization token, the processing module forwards the user authorization token, the user login name and the call request to the Open API provided by ISP.
Token creation module 112 specifically comprises:
Request receiving submodule 1121, for receiving the create-user-authorization-token request and the user login name sent by ISP when the user identity authentication passes;
Token attribute determination submodule 1122, for determining the attributes of the user authorization token according to the registration information of the Open API on SIP;
Token creation submodule 1123, for creating the user authorization token according to the attributes of the user authorization token determined by token attribute determination submodule 1122.
Request receiving module 111 is further used for receiving the ISV application's call request to the Open API.
User authorization judgement module 114, for judging, according to the ISV application's call request to the Open API received by the request receiving module, whether the request requires user authorization.
Information return module 115, for returning the user login authorization page address to the ISV application when user authorization judgement module 114 judges that the request requires user authorization.
Token creation submodule 1123 is further used for binding the user authorization token to the session id and associating it with the user login name.
In the embodiment of this application, under the asynchronous user authorization mode, a schematic structure of user authorization service integration platform 120 is shown in Figure 12 and comprises:
Request receiving module 121, for receiving the user identity authentication result from ISP;
Token creation module 122, for creating the user authorization token when the user identity authentication result received by the request receiving module from ISP is that authentication passed;
Processing module 123, for processing, according to the user authorization token created by token creation module 122, the call request from the ISV application to the open application programming interface (Open API) provided by ISP.
Specifically, it receives the verify-authorization-token-stub request sent by ISP, verifies the token stub, and returns the token stub verification result to ISP.
Token creation module 122 specifically comprises:
Request receiving submodule 1221, for receiving the create-user-authorization-token request and the user login name sent by ISP when the user identity authentication passes;
Token attribute determination submodule 1222, for determining the attributes of the user authorization token according to the registration information of the Open API on SIP;
Token creation submodule 1223, for creating the user authorization token according to the attributes of the user authorization token.
Request receiving module 121 is further used for receiving the ISV application's user identity authentication request for the Open API and the identity identifier it carries.
Processing module 123 is further used for forwarding to ISP the received user identity authentication request for the Open API from the ISV application and the identity identifier it carries.
Token creation submodule 1223 is further used for creating the token stub of the user authorization token according to the attributes of the user authorization token, and for associating the user authorization token with the user name.
For convenience of description, the parts of the service integration platform in the above embodiments are divided by function into modules and described separately. Of course, when implementing this application, the functions of the modules may be realized in one or more pieces of software or hardware.
This application has the following advantages: the attributes of the user authorization token are refined, the asynchronous user authorization mode is supported, system security is improved, and the problem of low service efficiency caused by data relaying during large data service requests is solved. Of course, a product implementing this application need not necessarily achieve all of the above advantages at the same time.
From the above description of the embodiments, those skilled in the art can clearly understand that this application can be realized by software plus the necessary general-purpose hardware platform, or of course by hardware alone, but in many cases the former is the better implementation. Based on this understanding, the technical scheme of this application, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a terminal device (which may be a mobile phone, a personal computer, a server, a network device, etc.) to execute the method described in each embodiment of this application.
The above is only the preferred implementation of this application. It should be pointed out that those skilled in the art can make improvements and modifications without departing from the principle of this application, and such improvements and modifications should also be regarded as falling within the scope of protection of this application.

Claims (15)

1. A user authorization method, applied in a network comprising a service integration platform (SIP), an Internet service provider (ISP) and an independent software vendor (ISV) application, the ISP providing different open application programming interfaces (Open API), characterized in that the method comprises:
when the ISP passes the user identity authentication, the SIP creating a user authorization token according to the registration information of the Open API called by the ISV application;
the SIP processing the ISV application's call request to the Open API according to the user authorization token;
wherein the SIP processing, according to the user authorization token, the ISV application's call request to the Open API provided by the ISP comprises:
under the synchronous user authorization mode, the SIP receiving the ISV application's call request to the Open API provided by the ISP, the request carrying a session id; when the session id is bound to a user authorization token, the SIP obtaining the user authorization token and the user login name according to the session id, and forwarding the user authorization token, the user login name and the call request to the Open API provided by the ISP; the SIP receiving the result sent by the Open API provided by the ISP and forwarding the result to the user through the ISV application;
under the asynchronous user authorization mode, the SIP receiving the verify-authorization-token-stub request sent by the ISP, verifying the authorization token stub and returning the authorization token stub verification result to the ISP.
2. The method of claim 1, characterized in that, under the synchronous user authorization mode, before the SIP receives that the ISP has passed the user identity authentication, the method further comprises:
the SIP receiving the ISV application's call request to the Open API;
when the ISV application's call request to the Open API received by the SIP requires the user authorization, the SIP sending the user login authorization page address to the ISV application, triggering the ISV application and the user to perform user identity authentication with the ISP.
3. The method of claim 2, characterized in that the ISV application and the user performing user identity authentication with the ISP comprises:
the ISV application receiving the user login authorization page address sent by the SIP;
the ISV application sending the user login authorization page address, the post-authorization return page address and the session id to the user;
the user sending a login and authorization request to the ISP according to the login authorization page address, together with the post-authorization return page address and the session id, requesting the ISP to perform user identity authentication.
4. The method of claim 2, characterized in that, under the synchronous user authorization mode, creating the user authorization token comprises:
the SIP determining the attributes of the user authorization token according to the registration information of the Open API on the SIP, the attributes of the user authorization token comprising the applicable scope of the user authorization token, the usage rights of the user authorization token and the service type of the user authorization token;
the SIP creating the user authorization token according to the attributes of the user authorization token and associating the user authorization token with the user login name;
the SIP binding the user authorization token to the session id.
5. The method of claim 2, characterized in that, under the synchronous user authorization mode, before creating the user authorization token, the method further comprises:
the SIP receiving the create-user-authorization-token request, the session id and the user login name sent by the ISP when the user identity authentication passes.
6. the method for claim 1, is characterized in that, under the asynchronous licensing mode of user, described SIP receives ISP the authentication of user identity is passed through before, also comprise:
Described SIP receives described ISV and uses the authenticating user identification request of Open API and the identify label of carrying;
Described SIP forwards to ISP the described ISV that receives and uses the authenticating user identification request of Open API and the identify label of carrying.
7. method as claimed in claim 6, is characterized in that, described identify label of carrying is specially: user's Open Id, exempt to step on Cookie or transfer to the user cipher of user in ISP of ISV keeping.
8. method as claimed in claim 6, is characterized in that, under the asynchronous licensing mode of user, the described subscriber authorisation token of described establishment comprises:
The attribute of SIP described subscriber authorisation token of the judgement of the log-on message on SIP according to Open API, the attribute of described subscriber authorisation token comprises the scope of application of subscriber authorisation token, the rights of using of subscriber authorisation token and the type of service of subscriber authorisation token;
SIP creates described subscriber authorisation token and authorization token stub according to the attribute of described subscriber authorisation token, and described subscriber authorisation token is related with user login name.
9. method as claimed in claim 6, is characterized in that, under the asynchronous licensing mode of user, before the described subscriber authorisation token of described establishment, also comprises:
Described SIP receive ISP to the authentication of user identity by the time establishment subscriber authorisation token that sends request and user login name.
10. the system of a subscriber authorisation, be applied to comprise that in the network of service integration platform, ISP, ISV application, described ISP provides different open application programming interface Open API; It is characterized in that, described system comprises:
Service integration platform, be used for to the authentication of client by the time, the log-on message according to the Open API of described ISV application call creates the subscriber authorisation token, processes ISV and uses call request to ISP;
ISV uses, and is used for the request of calling ISP;
ISP is used for the identity of checking client and carries out call request;
Wherein, described service integration platform is processed the ISV application to the call request of ISP, comprising:
Under the synchronous licensing mode of user, described SIP receives the call request that ISV uses the Open API that described ISP is provided, and carries session id in described request; When described session id user bound authorization token, described SIP obtains described subscriber authorisation token and user login name according to described session id, and described subscriber authorisation token and user login name and call request are forwarded to the Open API that described ISP provides; The result that the Open API that described SIP receives described ISP to be provided sends is used described result and is transmitted to described user by described ISV;
Under the asynchronous licensing mode of user, described SIP receives the request of the checking authorization token stub of described ISP transmission, the token stub is verified and returned to described ISP the result of checking token stub.
11. A service integration platform for user authorization, applied in a network comprising a service integration platform, an ISP and an ISV application, the ISP providing different open application programming interfaces (Open API), characterized in that the service integration platform comprises:
a request receiving module, for receiving, under the synchronous user authorization mode, the ISV application's call request to the Open API, the call request carrying a session id, and further for receiving the user identity authentication result from the ISP;
a token creation module, for creating the user authorization token when the user identity authentication result received by the request receiving module from the ISP is that authentication passed;
a processing module, for processing, according to the user authorization token, the ISV application's call request to the open application programming interface (Open API) provided by the ISP;
wherein the processing module is specifically used for:
under the synchronous user authorization mode, when the session id carried in the call request is bound to a user authorization token, forwarding the user authorization token, the user login name and the call request to the Open API provided by the ISP;
under the asynchronous user authorization mode, receiving the verify-authorization-token-stub request sent by the ISP, verifying the authorization token stub and returning the authorization token stub verification result to the ISP.
12. The service integration platform of claim 11, characterized in that the token creation module specifically comprises:
a request receiving submodule, for receiving the create-user-authorization-token request and the user login name sent by the ISP when the user identity authentication passes;
a token attribute determination submodule, for determining the attributes of the user authorization token according to the registration information of the Open API on the SIP;
a token creation submodule, for creating the user authorization token according to the attributes of the user authorization token determined by the token attribute determination submodule.
13. The service integration platform of claim 11, characterized in that, under the synchronous user authorization mode, it further comprises:
a user authorization judgement module, for judging, according to the ISV application's call request to the Open API received by the request receiving module, whether the request requires user authorization;
an information return module, for returning the user login authorization page address to the ISV application when the user authorization judgement module judges that the request requires user authorization.
14. The service integration platform of claim 12, characterized in that, under the synchronous user authorization mode, the token creation submodule is further used for:
binding the user authorization token to the session id and associating it with the user name.
15. The service integration platform of claim 12, characterized in that, under the asynchronous user authorization mode,
the request receiving module is further used for: receiving the ISV application's user identity authentication request for the Open API and the identity identifier it carries;
the processing module is further used for: forwarding to the ISP the received user identity authentication request for the Open API from the ISV application and the identity identifier it carries;
the token creation submodule is further used for: creating the authorization token stub of the user authorization token according to the attributes of the user authorization token determined by the token attribute determination submodule, and associating the user authorization token with the user name.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN 200910143737 CN101562621B (en) 2009-05-25 2009-05-25 User authorization method and system and device thereof
HK10103892.1A HK1135815A1 (en) 2009-05-25 2010-04-21 User authorization method, system and device thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200910143737 CN101562621B (en) 2009-05-25 2009-05-25 User authorization method and system and device thereof

Publications (2)

Publication Number Publication Date
CN101562621A CN101562621A (en) 2009-10-21
CN101562621B true CN101562621B (en) 2013-05-22

Family

ID=41221239

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200910143737 Active CN101562621B (en) 2009-05-25 2009-05-25 User authorization method and system and device thereof

Country Status (2)

Country Link
CN (1) CN101562621B (en)
HK (1) HK1135815A1 (en)

Families Citing this family (49)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20110065247A (en) * 2009-12-08 2011-06-15 삼성전자주식회사 Method and apparatus for using service of plurality of internet service provider
CN102281311B (en) 2010-06-10 2014-06-04 阿里巴巴集团控股有限公司 Method, system and device for implementing network service based on open application programming interface
TWI476621B (en) * 2010-08-27 2015-03-11 Alibaba Group Holding Ltd Method, system and device for realizing network service based on open application programming interface
CN102546532B (en) * 2010-12-07 2016-03-30 中国移动通信集团公司 Capacity calling method, request unit, platform and system
CN102193798B (en) * 2011-03-22 2013-08-21 天津大学 Method for automatically acquiring Open application programming interface (API) based on Internet
EP2672378B1 (en) 2011-05-20 2017-12-20 Huawei Technologies Co., Ltd. Method and device for selecting open application programming interface
CN103001936B (en) * 2011-09-16 2016-05-25 北京新媒传信科技有限公司 A kind of third party's application interface authorization method and system
EP2764437A4 (en) * 2011-10-04 2015-07-01 Nokia Corp Method and apparatus for providing an application marketplace
CN103078827B (en) * 2011-10-25 2017-05-31 腾讯数码(天津)有限公司 Open platform system and implementation method that third-party application is called
CN103095666B (en) * 2011-11-07 2016-03-23 阿里巴巴集团控股有限公司 Third-party application processing method and device
CN103220259B (en) * 2012-01-20 2016-06-08 华为技术有限公司 The use of Oauth API, call method, equipment and system
CN102664933B (en) * 2012-04-06 2015-03-18 中国联合网络通信集团有限公司 User authorization method, application terminal, open platform and system
CN102694847B (en) * 2012-05-03 2014-10-22 北京新媒传信科技有限公司 Method and device for capturing user dynamic state in third-party open platform
CN102638473B (en) * 2012-05-04 2014-12-10 盛趣信息技术(上海)有限公司 User data authorization method, device and system
CN102710640B (en) * 2012-05-31 2015-03-18 中国联合网络通信集团有限公司 Authorization requesting method, device and system
CN102768721B (en) * 2012-06-25 2016-06-01 北京奇虎科技有限公司 The method of control White List and device
CN103577731B (en) * 2012-07-18 2016-10-05 中国移动通信集团公司 A kind of software processing method and device
CN102833328A (en) * 2012-08-17 2012-12-19 中国联合网络通信集团有限公司 Unified application calling method and unified calling client
US9264413B2 (en) * 2012-12-06 2016-02-16 Qualcomm Incorporated Management of network devices utilizing an authorization token
CN103942093B (en) * 2013-01-23 2018-02-13 阿里巴巴集团控股有限公司 Method for processing business and system
JP2015001817A (en) * 2013-06-14 2015-01-05 ソニー株式会社 Information processing device, information processing method, and program
RU2681366C2 (en) 2013-07-24 2019-03-06 Виза Интернэшнл Сервис Ассосиэйшн Systems and methods for communicating risk using token assurance data
US9819661B2 (en) * 2013-09-12 2017-11-14 The Boeing Company Method of authorizing an operation to be performed on a targeted computing device
CN103490898B (en) * 2013-09-22 2017-01-18 新浪网技术(中国)有限公司 E-mail collection authorization method, device and system
JP6386567B2 (en) 2013-10-11 2018-09-05 ビザ インターナショナル サービス アソシエーション Network token system
CN103533053B (en) * 2013-10-15 2016-08-17 中国联合网络通信集团有限公司 The measures and procedures for the examination and approval, server and the system of a kind of open applications Program Interfaces
CN103618790A (en) * 2013-11-28 2014-03-05 深圳先进技术研究院 Method and system for obtaining API service
CN103795712B (en) * 2014-01-17 2017-05-17 歌尔股份有限公司 Method and device for authentication during Web Service calling
CN104850776A (en) * 2014-02-18 2015-08-19 中国电信股份有限公司 Method and device for controlling API (Application Program Interface) call, and mobile terminal
CN104113552B (en) * 2014-07-28 2017-06-16 百度在线网络技术(北京)有限公司 A kind of platform authorization method, platform service end and applications client and system
CN104113549B (en) * 2014-07-28 2017-07-18 百度在线网络技术(北京)有限公司 A kind of platform authorization method, platform service end and applications client and system
CN106464735B (en) * 2014-11-10 2020-08-11 谷歌有限责任公司 Implementation of third-party services in digital service platform
JP5956623B1 (en) * 2015-01-30 2016-07-27 株式会社Pfu system
CN106897153B (en) * 2015-12-18 2021-07-30 阿里巴巴集团控股有限公司 Method and system for calling application programming interface
CN106961392B (en) * 2016-01-12 2020-04-24 阿里巴巴集团控股有限公司 Flow control method and device
CN107026825A (en) * 2016-02-02 2017-08-08 中国移动通信集团陕西有限公司 A kind of method and system for accessing big data system
CN107231335B (en) * 2016-03-24 2021-05-25 创新先进技术有限公司 Service processing method and device
CN105704154B (en) * 2016-04-01 2019-11-05 金蝶软件(中国)有限公司 A kind of service processing method based on RESTful, apparatus and system
CN106059994B (en) * 2016-04-29 2020-02-14 华为技术有限公司 Data transmission method and network equipment
CN106709288B (en) * 2016-12-22 2018-07-24 腾讯科技(深圳)有限公司 Application program review operations permission treating method and apparatus
CN107133779A (en) * 2017-05-02 2017-09-05 山东浪潮通软信息科技有限公司 A kind of active method, system and the browser plug-in for collecting resume of multi-domain communication
CN109150805B (en) * 2017-06-19 2021-07-09 亿阳安全技术有限公司 Security management method and system for application programming interface
CN108471409B (en) * 2018-03-15 2019-09-03 苏州思必驰信息科技有限公司 The application programming interfaces authentication configuration method and system of voice dialogue platform
CN109471870B (en) * 2018-11-16 2021-07-20 北京金山云网络技术有限公司 Method and device for reading resource data, electronic equipment and computer readable medium
CN109802941A (en) * 2018-12-14 2019-05-24 平安科技(深圳)有限公司 A kind of login validation method, device, storage medium and server
CN110505198A (en) * 2019-07-05 2019-11-26 中国平安财产保险股份有限公司 A kind of checking request method, apparatus, computer equipment and storage medium
CN111010396A (en) * 2019-12-17 2020-04-14 紫光云(南京)数字技术有限公司 Internet identity authentication management method
CN111355743B (en) * 2020-03-11 2021-07-06 成都卓杭网络科技股份有限公司 Management method and system based on API gateway
CN112785298A (en) * 2020-12-31 2021-05-11 山东数字能源交易中心有限公司 Mutual trust payment system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101296243A (en) * 2008-06-26 2008-10-29 阿里巴巴集团控股有限公司 Service integration platform system and method for providing internet service
CN101404575A (en) * 2008-11-06 2009-04-08 阿里巴巴集团控股有限公司 Method and system for updating indorsement algorithm

Also Published As

Publication number Publication date
CN101562621A (en) 2009-10-21
HK1135815A1 (en) 2010-06-11

Similar Documents

Publication Publication Date Title
CN101562621B (en) User authorization method and system and device thereof
US11637820B2 (en) Customizable sign-on service
CN111131242B (en) Authority control method, device and system
CN106716960B (en) User authentication method and system
US9992206B2 (en) Enhanced security for electronic communications
CN106716918B (en) User authentication method and system
CN109309666A (en) Interface security control method and terminal device in a kind of network security
CN101647254A (en) Method and system for the provision of services for terminal devices
CN103685139A (en) Authentication and authorization processing method and device
US9210155B2 (en) System and method of extending a host website
KR102116587B1 (en) Method and system using a cyber id to provide secure transactions
CN102647429A (en) Application communication access control method, application process manager and online application platform
CN113411324B (en) Method and system for realizing login authentication based on CAS and third-party server
CN115412294A (en) Platform service-based access method and device, storage medium and electronic equipment
TW201030637A (en) A method providing internet service and service integration platform system
JP5632429B2 (en) Service authentication method and system for building a closed communication environment in an open communication environment
KR102086406B1 (en) User integrated authentication service system and method thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 1135815; Country of ref document: HK)

C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code (Ref country code: HK; Ref legal event code: GR; Ref document number: 1135815; Country of ref document: HK)