CN102638473A - User data authorization method, device and system - Google Patents

Publication number: CN102638473A
Authority: CN (China)
Prior art keywords: account, sub, server, authorization, user
Legal status: Granted (Active)
Application number: CN201210137848XA
Other languages: Chinese (zh)
Other versions: CN102638473B (en)
Inventors: 胡溢洋, 杜江杰, 王奎
Current Assignee: SHENGQU INFORMATION TECHNOLOGY (SHANGHAI) Co Ltd
Original Assignee: SHENGQU INFORMATION TECHNOLOGY (SHANGHAI) Co Ltd
Application filed by SHENGQU INFORMATION TECHNOLOGY (SHANGHAI) Co Ltd
Priority to CN201210137848.XA
Publication of CN102638473A
Application granted
Publication of CN102638473B

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a user data authorization method, device and system. In the method, an authorization server receives an authorization request sent by a third-party application server, the authorization request comprising a server identifier and a server address; an identity authentication request is sent to an authentication gateway so that the authentication gateway authenticates the identity of the client user; an identity authentication response returned by the authentication gateway is received, the response comprising the user identifier of the authenticated user; the user sub-accounts matching the user identifier are looked up in the authorization server and sent to the client so that the client user can select an authorized sub-account; the authorized sub-account returned by the client is received, and a correspondence among the server identifier, the user identifier and the authorized sub-account is established and saved; and the user identifier, the authorized sub-account and an access token are sent to the third-party application server using the server address. The invention allows a user to grant a third party a partial use authorization, which improves the quality of the network service and the user's service experience.

Description

User data authorization method, device and system
Technical field
The present invention relates to the field of network service technology, and in particular to a user data authorization method, device and system.
Background art
At present, network services are used throughout people's daily work and life. When a user uses a network service, the network service provider provides the corresponding service according to the user data it stores internally.
Take online games as an example. When a user uses an online game service, the user data involved may include: basic user information (for example user name, age, home region), the user level, the game characters the user has created, and information specific to each game character (for example character level, equipped game items, and relationships with other users' characters). The network service provider's game server provides game services to the user according to this stored user data.
With the continuous development of information technology, and in order to extract the maximum value from the data they hold, major network service providers have launched open platforms that open their stored data to third-party developers. However, because the opened data include user data with high security requirements, a third party that needs to access this user data must, on the one hand, obtain the user's use authorization and, on the other hand, pass the network service provider's authentication. Only when both requirements are met can the third party access the user data held by the network service provider.
For the requirement that the third party obtain the user's use authorization, the authorization methods widely used at present operate on the user as a unit: the user either grants use authorization to the third party or does not, and cannot grant the third party a partial use authorization. In general, however, a user's account contains multiple sub-accounts. If the user wants to authorize a third party to use only the user data of some of those sub-accounts, the existing technical solutions cannot meet this need.
Again taking online games as an example, the game characters in the user data correspond to sub-accounts under the user account. If the user only wants to authorize one or a few of those game characters to a third-party application server, then under the prior-art scheme, as soon as the user grants use authorization, the third-party application server obtains use authorization for all game characters the user has created. This is clearly contrary to the user's intent, does not meet the user's need, and degrades the user's experience of the online game service.
Summary of the invention
The technical problem to be solved by the present invention is to provide a user data authorization method, device and system that enable a user to grant a partial use authorization to a third-party application server.
To solve the above technical problem, an embodiment of the present invention provides a user data authorization method, comprising:
The authorization server receives an authorization request sent by a third-party application server, the authorization request comprising a server identifier and a server address;
An identity authentication request is sent to an authentication gateway, so that the authentication gateway authenticates the identity of the client user;
The authentication response returned by the authentication gateway is received, the authentication response comprising the user identifier of the user who passed authentication;
The user sub-accounts matching the user identifier are looked up in the authorization server and sent to the client, so that the client user can select the authorized sub-account;
The authorized sub-account returned by the client is received, and the correspondence among the server identifier, the user identifier and the authorized sub-account is established and saved;
The user identifier, the authorized sub-account and an access token representing the access rights are sent to the third-party application server using the server address.
Preferably, the authentication gateway authenticating the identity of the client user specifically comprises:
Obtaining the login state of the client user; if the user has logged in successfully, determining that the user has passed authentication; if the user has not logged in successfully, prompting the user to verify a user name and password and, after that verification succeeds, determining that the user has passed authentication;
Converting the user name of the user who passed authentication into a user identifier, adding the user identifier to the authentication response, and sending the response to the authorization server.
Preferably, the method further comprises: after receiving the authorized sub-account returned by the client,
Sending the user data contained in the authorized sub-account to the client, so that the client user can select the authorized user data; in that case,
Establishing and saving the correspondence specifically comprises: after receiving the authorized user data returned by the client, establishing and saving the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data;
The information sent to the third-party application server using the server address is specifically: the user identifier, the authorized sub-account, the authorized user data and the access token.
Preferably, the method further comprises: before establishing and saving the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data,
Determining whether the authorized sub-account is contained in the user sub-accounts, and whether the authorized user data are contained in the user data; if both determinations are affirmative, continuing with the step of establishing and saving the correspondence.
Preferably, sending the user identifier, the authorized sub-account and the access token to the third-party application server using the server address specifically comprises:
Generating an authorization code, and using the server address to send the user identifier, the authorized sub-account and the authorization code to the third-party application server;
Receiving the server identifier and authorization code sent by the third-party application server; if the server identifier matches the server identifier in the authorization request, and the authorization code matches the generated authorization code, sending the access token to the third-party application server.
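The grant flow described above, including the containment check on the selected sub-accounts and the authorization-code exchange, as an added Python example that is not part of the patent text. The class and method names, the single-use handling of the authorization code and the sample identifiers (B1, userA, A1 to A3, the callback URL) are assumptions made for illustration.

```python
import secrets


class AuthorizationServer:
    """Minimal in-memory model of the authorization server's grant flow."""

    def __init__(self, registered_servers, sub_accounts):
        self.registered_servers = set(registered_servers)      # known server identifiers
        self.sub_accounts = {u: set(s) for u, s in sub_accounts.items()}
        self.grants = {}    # (server_id, user_id) -> set of authorized sub-accounts
        self.pending = {}   # authorization code -> (server_id, user_id, access token)

    def start_authorization(self, server_id, server_address):
        # The authorization request carries the server identifier and address.
        if server_id not in self.registered_servers:
            raise PermissionError("unregistered third-party server")
        return {"server_id": server_id, "server_address": server_address}

    def sub_accounts_for(self, user_id):
        # user_id must come from the authentication gateway's response,
        # never from a value the client supplies itself.
        return sorted(self.sub_accounts.get(user_id, ()))

    def record_grant(self, request, user_id, selected):
        selected = set(selected)
        owned = self.sub_accounts.get(user_id, set())
        # Containment check: the client's selection must be a non-empty
        # subset of the sub-accounts that were offered for this user.
        if not selected or not selected <= owned:
            raise ValueError("selection is not contained in the user's sub-accounts")
        self.grants[(request["server_id"], user_id)] = selected
        code = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.pending[code] = (request["server_id"], user_id, token)
        return {
            "send_to": request["server_address"],
            "user_id": user_id,
            "authorized_sub_accounts": sorted(selected),
            "authorization_code": code,
        }

    def redeem(self, server_id, code):
        # The access token is released only when the presented server
        # identifier matches the one in the original authorization request.
        entry = self.pending.get(code)
        if entry is None or entry[0] != server_id:
            return None
        del self.pending[code]  # assumption: a code can be redeemed once
        return entry[2]


if __name__ == "__main__":
    srv = AuthorizationServer({"B1"}, {"userA": {"A1", "A2", "A3"}})
    req = srv.start_authorization("B1", "https://b1.example/callback")
    print(srv.sub_accounts_for("userA"))
    msg = srv.record_grant(req, "userA", ["A1"])
    print(msg["authorized_sub_accounts"], srv.redeem("B1", msg["authorization_code"]) is not None)
```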
Preferably, the method further comprises:
Receiving the access request sent by the third-party application server and forwarded by the open platform gateway; the access request comprises four pieces of information, namely the server identifier, the access token, the user identifier and the sub-account, together with a digital signature of those four pieces of information and the signature method used to generate the digital signature;
Performing a legitimacy check on the access request; if the check passes, allowing the third-party application server to access all user data contained in the sub-account named in the access request;
Wherein the legitimacy check comprises:
Applying the signature method to the four pieces of information to produce a digital signature and comparing it with the digital signature contained in the access request; if they are identical, determining that the access request is legitimate;
Determining whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the server identifier, the user identifier and the authorized sub-account saved by the authorization server; if so, determining that the server identifier, user identifier and sub-account in the access request are legitimate;
Determining whether the access token matches the access token that the authorization server sent to the third-party application server; if it matches, determining that the access token is legitimate.
Preferably, the method further comprises:
The access request also comprises user data; in that case,
The digital signature in the access request is specifically a digital signature generated from five pieces of information: the server identifier, the access token, the user identifier, the sub-account and the user data;
The legitimacy check specifically comprises:
Applying the signature method to the five pieces of information to produce a digital signature and comparing it with the digital signature contained in the access request; if they are identical, determining that the access request is legitimate;
Determining whether the server identifier, user identifier, sub-account and user data in the access request satisfy the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data saved by the authorization server; if so, determining that the server identifier, user identifier, sub-account and user data in the access request are legitimate;
Determining whether the access token matches the access token that the authorization server sent to the third-party application server; if it matches, determining that the access token is legitimate.
Preferably, the method further comprises:
The access request also comprises a current timestamp; in that case,
The legitimacy check also comprises:
Determining whether the current timestamp falls within a preset delay period; if so, determining that the current timestamp is legitimate.
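The legitimacy check on an access request, as an added Python example that is not part of the patent text. It assumes an HMAC keyed with a key shared between the third party and the platform, an allowlist of signature method names, and that the timestamp is signed together with the four fields so that it cannot be altered in transit; all names, the 300-second window and the sample values are constructed.

```python
import hashlib
import hmac

# The request names its signature method; only allowlisted names are accepted.
SIGNATURE_METHODS = {"HMAC-SHA256": hashlib.sha256}
MAX_DELAY_SECONDS = 300  # constructed value for the preset delay period

# Constructed server-side state: shared keys, saved correspondences, issued tokens.
SERVER_KEYS = {"B1": b"constructed-shared-key"}
GRANTS = {("B1", "userA"): {"A1"}}
ISSUED_TOKENS = {("B1", "userA"): "constructed-access-token"}

SIGNED_FIELDS = ("server_id", "access_token", "user_id", "sub_account", "timestamp")


def canonical(req):
    """Length-prefix every field so ("ab", "c") and ("a", "bc") sign differently."""
    out = b""
    for name in SIGNED_FIELDS:
        raw = str(req[name]).encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def sign(key, method, req):
    return hmac.new(key, canonical(req), SIGNATURE_METHODS[method]).hexdigest()


def build_request(server_id, access_token, user_id, sub_account, timestamp,
                  method="HMAC-SHA256"):
    """What the third-party application server would send (constructed)."""
    req = {"server_id": server_id, "access_token": access_token,
           "user_id": user_id, "sub_account": sub_account,
           "timestamp": timestamp, "method": method}
    req["signature"] = sign(SERVER_KEYS[server_id], method, req)
    return req


def verify_access_request(req, now):
    """Return (allowed, reason) for one access request."""
    required = SIGNED_FIELDS + ("method", "signature")
    if any(name not in req for name in required) or not isinstance(req["timestamp"], int):
        return False, "malformed request"
    key = SERVER_KEYS.get(req["server_id"])
    if req["method"] not in SIGNATURE_METHODS or key is None:
        return False, "unknown signature method or server"
    # Timestamp check: reject requests outside the preset delay period.
    if abs(now - req["timestamp"]) > MAX_DELAY_SECONDS:
        return False, "timestamp outside delay window"
    # Signature check: recompute and compare in constant time.
    expected = sign(key, req["method"], req)
    if not hmac.compare_digest(expected.encode(), str(req["signature"]).encode()):
        return False, "signature mismatch"
    # Correspondence check: the sub-account must have been authorized by this
    # user for this server; a valid signature alone is not enough.
    if req["sub_account"] not in GRANTS.get((req["server_id"], req["user_id"]), ()):
        return False, "sub-account not authorized"
    # Token check: must equal the token issued for this server and user.
    issued = ISSUED_TOKENS.get((req["server_id"], req["user_id"]))
    if issued is None or not hmac.compare_digest(issued.encode(),
                                                 str(req["access_token"]).encode()):
        return False, "access token mismatch"
    return True, "ok"


if __name__ == "__main__":
    good = build_request("B1", "constructed-access-token", "userA", "A1", 1000)
    print(verify_access_request(good, now=1010))
    print(verify_access_request(dict(good, sub_account="A2"), now=1010))
```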
An embodiment of the present invention also provides a user data authorization device, comprising:
An authorization request receiving unit, configured to receive the authorization request sent by a third-party application server, the authorization request comprising a server identifier and a server address;
An authentication request sending unit, configured to send an identity authentication request to an authentication gateway, so that the authentication gateway authenticates the identity of the client user;
An authentication response receiving unit, configured to receive the authentication response returned by the authentication gateway, the authentication response comprising the user identifier of the user who passed authentication;
A lookup unit, configured to look up in the authorization server the user sub-accounts matching the user identifier and send them to the client, so that the client user can select the authorized sub-account;
A correspondence establishing unit, configured to receive the authorized sub-account returned by the client, and to establish and save the correspondence among the server identifier, the user identifier and the authorized sub-account;
An authorization information sending unit, configured to use the server address to send the user identifier, the authorized sub-account and an access token representing the access rights to the third-party application server.
Preferably, the device further comprises:
A user data sending unit, configured to send the user data contained in the authorized sub-account to the client, so that the client user can select the authorized user data;
The correspondence establishing unit is configured to establish and save, after receiving the authorized user data returned by the client, the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data;
The authorization information sending unit is configured to use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
Preferably, the device further comprises:
A judging unit, configured to determine whether the authorized sub-account is contained in the user sub-accounts, and whether the authorized user data are contained in the user data; if both determinations are affirmative, it notifies the correspondence establishing unit to establish and save the correspondence.
Preferably, the authorization information sending unit specifically comprises:
An authorization code generating unit, configured to generate an authorization code;
A communication unit, configured to use the server address to send the user identifier, the authorized sub-account and the authorization code to the third-party application server, and to receive the server identifier and authorization code sent by the third-party application server;
A comparing unit, configured to compare whether the server identifier matches the server identifier in the authorization request and whether the authorization code matches the generated authorization code; if both match, the access token is sent to the third-party application server.
Preferably, the device further comprises:
An access request receiving unit, configured to receive the access request sent by the third-party application server and forwarded by the open platform gateway; the access request comprises four pieces of information, namely the server identifier, the access token, the user identifier and the sub-account, together with a digital signature of those four pieces of information and the signature method used to generate the digital signature;
A verification unit, configured to perform a legitimacy check on the access request; if the check passes, the third-party application server is allowed to access all user data contained in the sub-account named in the access request;
Wherein the legitimacy check comprises:
Applying the signature method to the four pieces of information to produce a digital signature and comparing it with the digital signature contained in the access request; if they are identical, determining that the access request is legitimate;
Determining whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the server identifier, the user identifier and the authorized sub-account saved by the authorization server; if so, determining that the server identifier, user identifier and sub-account in the access request are legitimate;
Determining whether the access token matches the access token that the authorization server sent to the third-party application server; if it matches, determining that the access token is legitimate.
An embodiment of the present invention also provides a user data authorization system, the system comprising: an authorization server, a third-party application server, an authentication gateway and a client.
The authorization server is configured to receive the authorization request sent by the third-party application server and to send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user; the authorization request comprises a server identifier and a server address;
The authentication gateway is configured to authenticate the identity of the client user and to send to the authorization server an authentication response comprising the user identifier of the user who passed authentication;
The authorization server is also configured to receive the authentication response, look up the user sub-accounts matching the user identifier, and send them to the client;
The client is configured to receive the user sub-accounts, select the authorized sub-account from among them, and send it to the authorization server;
The authorization server is also configured to receive the authorized sub-account returned by the client, and to establish and save the correspondence among the server identifier, the user identifier and the authorized sub-account; and to use the server address to send the user identifier, the authorized sub-account and an access token representing the access rights to the third-party application server.
Preferably, the authentication gateway specifically comprises:
A login state obtaining unit, configured to obtain the login state of the client user; if the user has logged in successfully, the user is determined to have passed authentication; if the user has not logged in successfully, the user is prompted to verify a user name and password and, after that verification succeeds, is determined to have passed authentication;
A converting unit, configured to convert the user name of the user who passed authentication into a user identifier, add the user identifier to the authentication response, and send the response to the authorization server.
Preferably, the authorization server is also configured to send the user data contained in the authorized sub-account to the client and, after receiving the authorized user data returned by the client, to establish and save the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data; and to use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
Preferably, the authorization server is also configured to determine whether the authorized sub-account is contained in the user sub-accounts, and whether the authorized user data are contained in the user data; if both determinations are affirmative, it continues with the step of establishing and saving the correspondence.
Preferably, the system further comprises an open platform gateway;
The open platform gateway is configured to receive the access request sent by the third-party application server and forward it to the authorization server; the access request comprises four pieces of information, namely the server identifier, the access token, the user identifier and the sub-account, together with a digital signature of those four pieces of information and the signature method used to generate the digital signature;
The authorization server is configured to perform a legitimacy check on the access request; if the check passes, the third-party application server is allowed to access all user data contained in the sub-account named in the access request;
Wherein the legitimacy check comprises:
Applying the signature method to the four pieces of information to produce a digital signature and comparing it with the digital signature contained in the access request; if they are identical, determining that the access request is legitimate;
Determining whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the server identifier, the user identifier and the authorized sub-account saved by the authorization server; if so, determining that the server identifier, user identifier and sub-account in the access request are legitimate;
Determining whether the access token matches the access token that the authorization server sent to the third-party application server; if it matches, determining that the access token is legitimate.
Preferably, the access request received by the authorization server also comprises user data, and the digital signature in the access request is specifically a digital signature generated from five pieces of information: the server identifier, the access token, the user identifier, the sub-account and the user data;
In that case, the legitimacy check performed by the authorization server specifically comprises:
Applying the signature method to the five pieces of information to produce a digital signature and comparing it with the digital signature contained in the access request; if they are identical, determining that the access request is legitimate;
Determining whether the server identifier, user identifier, sub-account and user data in the access request satisfy the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data saved by the authorization server; if so, determining that the server identifier, user identifier, sub-account and user data in the access request are legitimate;
Determining whether the access token matches the access token that the authorization server sent to the third-party application server; if it matches, determining that the access token is legitimate.
Preferably, the access request received by the authorization server also comprises a current timestamp;
In that case, the legitimacy check performed by the authorization server also comprises:
Determining whether the current timestamp falls within a preset delay period; if so, determining that the current timestamp is legitimate.
In the user data authorization method, device and system of the embodiments of the present invention, the authorization server stores information on the multiple sub-accounts under a user account. When the user is guided to grant use authorization to a third-party application server, the sub-accounts matching the user identifier are looked up and the user selects some of them as authorized sub-accounts. This realizes partial use authorization of the third-party application server by the user, improves the quality of the network service, and improves the user's service experience.
Description of the drawings
To describe the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed in describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some of the embodiments recorded in the present application; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of method embodiment 1 of the present invention;
Fig. 2 is a schematic flowchart of method embodiment 2 of the present invention;
Fig. 3 is a schematic flowchart of method embodiment 3 of the present invention;
Fig. 4 is a schematic flowchart of method embodiment 4 of the present invention;
Fig. 5 is a schematic flowchart of method embodiment 5 of the present invention;
Fig. 6 is a schematic flowchart of method embodiment 6 of the present invention;
Fig. 7 is a structural diagram of device embodiment 1 of the present invention;
Fig. 8 is a structural diagram of the authorization information sending unit 706 in device embodiment 1 of the present invention;
Fig. 9 is a structural diagram of device embodiment 2 of the present invention;
Fig. 10 is a structural diagram of device embodiment 3 of the present invention;
Fig. 11 is a structural diagram of device embodiment 4 of the present invention;
Fig. 12 is a structural diagram of system embodiment 1 of the present invention;
Fig. 13 is a structural diagram of the authentication gateway 113 in system embodiment 1 of the present invention;
Fig. 14 is a structural diagram of system embodiment 2 of the present invention.
Detailed description of the embodiments
To help those skilled in the art better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The user data authorization method, device and system of the present invention are intended to let a user grant a third party a partial use authorization. For ease of understanding, the application environment of the present invention is introduced first.
The original form of network service involves only two parties: the user, who consumes the service, and the service provider, who supplies it. The user stores data on the service provider's server and sends requests to the server when needed, and the service provider provides the corresponding network service to the user. For example, user A has created a user account on the game server of the game service provider Shanda, and the game server stores the user data related to user A (for example the basic user information filled in at registration, and data produced during play such as the user level, game items and created characters). When user A wants to use the online game service, user A only needs to establish communication with the game server, and the game server can provide the game service to user A according to the stored user data.
With the development of information technology, open platforms have emerged: the service provider opens the data it holds to third parties (which may be companies or individuals). Under this new network service model, the user can use network services provided by third parties through the service provider's platform. For example, through the Shanda Games open platform, user A can use the Xing Chen Bian game top-up service provided by Duowan, or the AION character equipment query service provided by Sina Weibo, and so on.
Under this new network service model, if the user wants to use a service that a third party provides through the open platform, the third party must first be able to obtain the user's data from the service provider; otherwise the third party cannot provide the service. Whether the third party can obtain the user data depends on the user's use authorization to the third party. In the prior art the user can only treat the account as a whole and grant use authorization to a third party per user, so partial use authorization is impossible. To meet this need, the present invention proposes a user data authorization method with fine authorization granularity.
Embodiment one
Referring to Fig. 1, which shows the flow chart of Embodiment 1 of a user data authorization method of the present invention, the method may include the following steps:
Step 101, the authorization server receives an authorization request sent by a third-party application server; the authorization request includes a server identifier and a server address.
Suppose user A has registered a user account on a game service provider's platform and has created three sub-accounts under that account, namely game characters A1, A2 and A3 (a game character can be represented by the game identifier, game zone identifier, game identifier and game character identifier that each character has). These data are then stored on the game service provider's platform. In addition, if the game service provider's platform has been opened to two third parties B1 and B2, that is, B1 and B2 have completed registration on the platform, the platform also stores the registration information of B1 and B2 (for example the third party's server identifier ID1, a communication key and similar information).
If user A wants to log in to third party B1 as sub-account A1 and use the network service B1 provides, then after receiving A1's login request B1 goes to the open platform to obtain the user data corresponding to sub-account A1; only then can B1 provide the corresponding network service to user A. If user A has already authorized B1 to use sub-account A1, the open platform authenticates B1's access request and, after judging the request legal, returns the A1 user data that B1 requested to B1, which then provides the network service to the user. However, if user A has not authorized B1 to use sub-account A1, or B1 fails the open platform's authentication, the open platform prompts third party B1 to guide user A to authorize it to use sub-account A1.
The authorization server's receipt of the authorization request sent by the third-party application server in this step is the start of the process in which the third party guides the user through usage authorization. The authorization request includes server identifier ID1 so that the authorization server knows which third party is making the request (in addition, the authorization server can use ID1 to judge whether this third party has registered on the open platform, because only a third party registered on the open platform has the right to ask a user to authorize it). It includes the server address so that, after the user completes the usage authorization, the authorization server can send the authorization information accurately to the third party that requested it.
Note that "guiding" here means web page redirection, that is, redirecting a network request to another location by some means. In this step, guiding refers to the page shown to user A jumping from third party B1's login interface to the interface of the authorization website that prompts the user to authorize B1.
Step 102, send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user.
Step 103, receive the identity authentication response returned by the authentication gateway; the identity authentication response includes the user identifier of the authenticated user.
After receiving the third party's authorization request, the authorization server does not directly prompt user A to authorize third party B1. It first guides user A to the authentication gateway for identity authentication (guiding here means the page shown to A jumps from the authorization website's interface to the identity authentication interface). Without authenticating the user, the user's identity cannot be known, so the sub-accounts the user owns cannot be known either, and the authorization operation is blocked.
The authentication gateway may authenticate the user as follows:
First, obtain the login status of user A. If the user is successfully logged in, the user is judged to be an authenticated user; if not, prompt user A for username and password verification, and after the verification passes, judge the user to be an authenticated user.
A note on the user's login status: a user guided to the authentication gateway by the authorization server is generally already successfully logged in, but interconnection between networks (interconnection means establishing effective connections between different telecommunication networks, so that users of different networks can communicate with each other, or users of one network can use the services of another network) may also leave the user's login status as not successfully logged in.
Second, convert the username of the authenticated user into a user identifier, add the user identifier to the identity authentication response, and send it to the authorization server.
The username of the successfully logged-in user is converted into user identifier ID2 to protect the user's data: the user's private information (for example the username) is not disclosed directly to the third party.
Step 104, look up, in the authorization server, the user sub-accounts that match the user identifier, and send them to the client so that the client user can select the sub-account to authorize.
The authorization server extracts user identifier ID2 from the identity authentication response and looks up, in the authorization server, the user sub-accounts that match this identifier. For example, it finds that the sub-accounts matching user A's identifier are A1, A2 and A3, and sends these three sub-accounts to the client to be shown to the user, who selects from them the sub-account to authorize to third party B2; for example, the user selects sub-account A1.
Step 105, receive the authorized sub-account returned by the client, and establish and store the correspondence among the server identifier, the user identifier and the authorized sub-account.
After pushing all of user A's sub-accounts to the user for review, the authorization server waits for the user's feedback, takes the sub-account the user selected as the sub-account authorized to B1 this time, and then establishes the correspondence among server identifier ID1, user identifier ID2 and authorized sub-account A1. The authorization server thus knows which user has authorized which of his sub-accounts to which third party, so that when the third party sends an access request the authorization server can perform legitimacy authentication on it.
Step 106, use the server address to send the user identifier, the authorized sub-account and an access token representing the access rights to the third-party application server.
After executing step 105, the authorization server knows the authorization relationship among the third party, the user and the sub-account. To complete the user's usage authorization to the third party, the third party must also learn which sub-account of which user it has been authorized to use, so the authorization server also sends the user identifier, the authorized sub-account and the access token representing the access rights to the third party, using the server address from the authorization request of step 101. This completes the user's partial usage authorization to the third party.
In the example above, carrying out the steps of the invention achieves the goal of user A granting third party B1 the right to use sub-account A1 (in essence, granting third party B1 access to the user data corresponding to sub-account A1).
One implementation of step 106 is as follows:
First, generate an authorization code, and use the server address to send the user identifier, the authorized sub-account and the authorization code to the third-party application server.
Second, receive the server identifier and authorization code sent by the third-party application server; if the server identifier matches the server identifier in the authorization request and the authorization code matches the generated authorization code, send the access token to the third-party application server.
The authorization server could send the user identifier, the authorized sub-account and the access token directly to the third-party application server. However, to ensure the security and reliability of the communication between the authorization server and the third-party application server, the authorization server generates a set of random numbers as an authorization code and sends the user identifier, the authorized sub-account and the authorization code to the third-party application server. After receiving this authorization information, the third-party application server returns the authorization code and its own server identifier to the authorization server in exchange for the access token.
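One way to model steps 101 to 106 with the authorization-code variant of step 106, as an added example that is not code from the patent. The class and method names, the in-memory storage, the single-use rule for the code, and the sample identifiers and callback address are assumptions.

```python
import hmac
import secrets


class AuthorizationServer:
    """In-memory model of steps 101-106 with the authorization-code variant of step 106."""

    def __init__(self, registered_servers, sub_accounts):
        self.registered = set(registered_servers)  # server identifiers registered on the platform
        self.sub_accounts = sub_accounts           # user identifier -> list of sub-accounts
        self.sessions = {}                         # session handle -> state of one authorization run
        self.pending = {}                          # authorization code -> (server id, access token)
        self.grants = {}                           # (server id, user id, sub-account) -> access token

    def receive_authorization_request(self, server_id, server_address):
        # Step 101: only a third party registered on the platform may ask for authorization.
        if server_id not in self.registered:
            raise PermissionError("unregistered server identifier")
        session = secrets.token_urlsafe(16)
        self.sessions[session] = {"server_id": server_id, "server_address": server_address}
        return session

    def receive_identity_response(self, session, user_id):
        # Steps 103-104: the gateway returns an opaque user identifier, never the username;
        # the server looks up that user's sub-accounts and offers them to the client.
        self.sessions[session]["user_id"] = user_id
        return list(self.sub_accounts.get(user_id, []))

    def receive_selection(self, session, sub_account):
        # Step 105: store the binding. Step 106, first half: send an authorization code,
        # not the access token, to the server address taken from the request.
        state = self.sessions.pop(session)
        if "user_id" not in state:
            raise PermissionError("user has not been authenticated")
        token = secrets.token_urlsafe(32)
        code = secrets.token_urlsafe(16)
        self.grants[(state["server_id"], state["user_id"], sub_account)] = token
        self.pending[code] = (state["server_id"], token)
        return {"deliver_to": state["server_address"], "user_id": state["user_id"],
                "sub_account": sub_account, "authorization_code": code}

    def exchange_code(self, server_id, code):
        # Step 106, second half: release the token only if the code is one this server
        # generated and the caller is the third party that started the run.
        # Assumption: the code is single-use (removed on first presentation).
        entry = self.pending.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already used authorization code")
        bound_server, token = entry
        if not hmac.compare_digest(bound_server.encode(), server_id.encode()):
            raise PermissionError("authorization code was issued to a different server")
        return token


def demo():
    # Constructed sample data following the page's running example.
    server = AuthorizationServer({"ID1", "IDX"}, {"ID2": ["A1", "A2", "A3"]})
    session = server.receive_authorization_request("ID1", "https://b1.example/callback")
    offered = server.receive_identity_response(session, "ID2")
    message = server.receive_selection(session, "A1")
    token = server.exchange_code("ID1", message["authorization_code"])
    return offered, message, token, server
```

The message delivered to the server address never carries the access token, so the token travels only on the direct exchange between the third-party application server and the authorization server.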
Embodiment two
On the basis of Embodiment 1, the invention further refines the granularity of authorization to the third party, granting usage authorization in units of the user data corresponding to a sub-account. Referring to Fig. 2, which shows the flow chart of Embodiment 2 of a user data authorization method of the present invention, the method may include the following steps:
Step 201, the authorization server receives an authorization request sent by a third-party application server; the authorization request includes a server identifier and a server address.
Step 202, send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user.
Step 203, receive the identity authentication response returned by the authentication gateway; the identity authentication response includes the user identifier of the authenticated user.
Step 204, look up, in the authorization server, the user sub-accounts that match the user identifier, and send them to the client so that the client user can select the sub-account to authorize.
Steps 201 to 204 are the same as steps 101 to 104 and are not repeated here.
Step 205, receive the authorized sub-account returned by the client, and send the user data contained in the authorized sub-account to the client so that the client user can select the user data to authorize.
Unlike Embodiment 1, this embodiment further refines the granularity of authorization to the third party. After receiving the authorized sub-account the user selected, the authorization server also obtains the user data contained in this sub-account, for example the sub-account's nickname, level, avatar, friends, updates and so on, and pushes these user data to the client to be shown to the user. The user can then select which user data of the sub-account to authorize to the third party; that is, user A selects which user data of sub-account A1 to authorize to third party B1. For example, the user selects the "avatar" user data of A1.
Step 206, receive the authorized user data returned by the client, and establish and store the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data.
After step 205, what the authorization server knows in this step is which user has authorized which user data of which of his sub-accounts to which third party. The correspondence the authorization server needs to establish is therefore the one among the server identifier, the user identifier, the authorized sub-account and the authorized user data.
In the example above, what the authorization server establishes and stores at this point is the correspondence among server identifier ID1, user identifier ID2, authorized sub-account A1 and the authorized user data "avatar".
Step 207, use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
Embodiment three
To improve authorization reliability and prevent the user's authorization from being maliciously tampered with, referring to Fig. 3, which shows the flow chart of Embodiment 3 of a user data authorization method of the present invention, the method may include the following steps:
Step 301, the authorization server receives an authorization request sent by a third-party application server; the authorization request includes a server identifier and a server address.
Step 302, send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user.
Step 303, receive the identity authentication response returned by the authentication gateway; the identity authentication response includes the user identifier of the authenticated user.
Step 304, look up, in the authorization server, the user sub-accounts that match the user identifier, and send them to the client so that the client user can select the sub-account to authorize.
Steps 301 to 304 are the same as steps 101 to 104 and are not repeated here.
Step 305, receive the authorized sub-account returned by the client, and judge whether the authorized sub-account is contained in the user's sub-accounts.
Step 306, when the authorized sub-account is contained in the user's sub-accounts, establish and store the correspondence among the server identifier, the user identifier and the authorized sub-account.
Before establishing and storing the correspondence, the authorization server first judges the legitimacy of the authorized sub-account it received, that is, whether the authorized sub-account is one or more of the sub-accounts belonging to the user. If so, it judges the received authorized sub-account legal and establishes the correspondence. If the authorization server finds that the received authorized sub-account is not among the user's sub-accounts (for example, the received authorized sub-account is A4, which matches none of user A's sub-accounts A1, A2 and A3), the sub-account the user selected may have been maliciously tampered with. The received authorized sub-account is then judged illegal, the correspondence is not established, and an alarm can also be raised to the user.
Step 307, use the server address to send the user identifier, the authorized sub-account and an access token representing the access rights to the third-party application server.
Step 307 is the same as step 106 and is not repeated here.
Embodiment four
Likewise, to improve authorization reliability and prevent the user's authorization from being maliciously tampered with, referring to Fig. 4, which shows the flow chart of Embodiment 4 of a user data authorization method of the present invention, the method may include the following steps:
Step 401, the authorization server receives an authorization request sent by a third-party application server; the authorization request includes a server identifier and a server address.
Step 402, send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user.
Step 403, receive the identity authentication response returned by the authentication gateway; the identity authentication response includes the user identifier of the authenticated user.
Step 404, look up, in the authorization server, the user sub-accounts that match the user identifier, and send them to the client so that the client user can select the sub-account to authorize.
Step 405, receive the authorized sub-account returned by the client, and send the user data contained in the authorized sub-account to the client so that the client user can select the user data to authorize.
Steps 401 to 405 are the same as steps 201 to 205 and are not repeated here.
Note that after the authorized sub-account returned by the client is received in step 405, the legitimacy of the received authorized sub-account can also be judged against the sub-accounts belonging to the user, ensuring the reliability of the sub-account authorization.
Step 406, receive the authorized user data returned by the client, and judge whether the authorized user data is contained in the user data.
Step 407, when the authorized user data is contained in the user data, establish and store the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data.
Before establishing and storing the correspondence, the authorization server first judges the legitimacy of the authorized user data it received, that is, whether the authorized user data is one or more of the user data items contained in the authorized sub-account. If so, it judges the received authorized user data legal and establishes the correspondence. If the authorization server finds that the received authorized user data is not among the user data contained in the authorized sub-account (for example, the user data contained in user A's sub-account A1 is level, avatar, friends and updates, and the authorized user data the authorization server received is "nickname", which matches none of the user data contained in sub-account A1), the authorized user data the user selected may have been maliciously tampered with. The received authorized user data is then judged illegal, the correspondence is not established, and an alarm can also be raised to the user.
Steps 406 and 407 ensure the reliability of the user data authorization.
Step 408, use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
Embodiment five
Referring to Fig. 5, which shows the flow chart of Embodiment 5 of a user data authorization method of the present invention. After Embodiment 1 shown in Fig. 1 and Embodiment 3 shown in Fig. 3 send the user identifier, the authorized sub-account and the access token to the third-party application server, the method may further include a process of authenticating the access request sent by the third-party application server, implemented as the following steps:
Step 501, receive the access request sent by the third-party application server and forwarded by the open platform gateway; the access request includes four pieces of information, namely the server identifier, the access token, the user identifier and the sub-account, together with the digital signature of the four pieces of information and the signature method used to generate the digital signature.
Step 502, perform legitimacy authentication on the access request; if the authentication passes, allow the third-party application server to access all user data contained in the sub-account named in the access request.
The legitimacy authentication includes:
(1) Use the signature method to digitally sign the four pieces of information and compare the result with the digital signature contained in the access request; if they are identical, judge the access request legal.
(2) Judge whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the server identifier, the user identifier and the authorized sub-account stored by the authorization server; if so, judge the server identifier, user identifier and sub-account in the access request legal.
(3) Judge whether the access token matches the access token that the authorization server sent to the third-party application server; if so, judge the access token legal.
If the access request, server identifier, user identifier, sub-account and access token are all legal, the authentication passes.
Embodiment six
Referring to Fig. 6, which shows the flow chart of Embodiment 6 of a user data authorization method of the present invention. After Embodiment 2 shown in Fig. 2 and Embodiment 4 shown in Fig. 4 send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server, the method may further include a process of authenticating the access request sent by the third-party application server, implemented as the following steps:
Step 601, receive the access request sent by the third-party application server and forwarded by the open platform gateway; the access request includes five pieces of information, namely the server identifier, the access token, the user identifier, the sub-account and the user data (the user data is the content the third party requests to access this time, and can be represented as the name of the API being accessed), together with the digital signature of the five pieces of information and the signature method used to generate the digital signature.
Step 602, perform legitimacy authentication on the access request; if the authentication passes, allow the third-party application server to access all user data contained in the sub-account named in the access request.
The legitimacy authentication specifically includes:
(1) Use the signature method to digitally sign the five pieces of information and compare the result with the digital signature contained in the access request; if they are identical, judge the access request legal.
(2) Judge whether the server identifier, user identifier, sub-account and user data in the access request satisfy the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data stored by the authorization server; if so, judge the server identifier, user identifier, sub-account and user data in the access request legal.
(3) Judge whether the access token matches the access token that the authorization server sent to the third-party application server; if so, judge the access token legal.
If the access request, server identifier, user identifier, sub-account, user data and access token are all legal, the authentication passes.
Embodiment seven
To prevent replay attacks, on the basis of Embodiment 5 shown in Fig. 5 and Embodiment 6 shown in Fig. 6, the invention can also authenticate the access request sent by the third-party application server as follows. Specifically, the access request also includes a current timestamp, and the legitimacy authentication also includes: judging whether the current timestamp falls within a preset delay period; if so, the current timestamp is judged legal.
If the access request, server identifier, user identifier, sub-account, user data, access token and current timestamp are all legal, the authentication passes.
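The checks of Embodiments three to seven combined in one verifier, as an added example rather than code from the patent. It assumes the digital signature is an HMAC under the communication key stored at registration, that the timestamp is signed together with the other fields, and a 300-second delay period; all names and sample values are constructed.

```python
import hashlib
import hmac
import time

# Assumptions of this example: the "digital signature" is an HMAC keyed with the
# communication key from registration, and the timestamp is part of the signed data.
SIGN_METHODS = {"HMAC-SHA256": hashlib.sha256}  # allow-list; the request only names a method
MAX_DELAY_SECONDS = 300                          # assumed value of the preset delay period
SIGNED_FIELDS = ("server_id", "access_token", "user_id", "sub_account", "user_data", "timestamp")


def sign_request(fields, key, method):
    """Sign the fields in fixed order, length-prefixed so values cannot run together."""
    values = [str(fields[name]).encode() for name in SIGNED_FIELDS]
    message = b"".join(len(v).to_bytes(4, "big") + v for v in values)
    return hmac.new(key, message, SIGN_METHODS[method]).hexdigest()


def make_request(key, method="HMAC-SHA256", **fields):
    """What the third-party application server sends through the open platform gateway."""
    return dict(fields, sign_method=method, signature=sign_request(fields, key, method))


class GrantStore:
    def __init__(self, server_keys, user_data):
        self.server_keys = server_keys  # server identifier -> communication key (bytes)
        self.user_data = user_data      # user identifier -> {sub-account: set of data items}
        self.grants = {}                # (server id, user id, sub-account) -> (items, token)

    def record_grant(self, server_id, user_id, sub_account, items, token):
        # Embodiments three and four: the selection coming back from the client is
        # untrusted, so it must be a subset of what was offered before it is stored.
        owned = self.user_data.get(user_id, {})
        if sub_account not in owned:
            raise ValueError("sub-account does not belong to this user")
        if not items or not set(items) <= owned[sub_account]:
            raise ValueError("data item is not part of this sub-account")
        self.grants[(server_id, user_id, sub_account)] = (frozenset(items), token)

    def verify(self, request, now=None):
        """Embodiments five to seven; returns (allowed, reason)."""
        now = time.time() if now is None else now
        key = self.server_keys.get(request.get("server_id"))
        method = request.get("sign_method")
        if key is None or method not in SIGN_METHODS:
            return False, "unknown server or signing method"
        if any(name not in request for name in SIGNED_FIELDS):
            return False, "missing field"
        # (1) recompute the signature and compare in constant time
        expected = sign_request(request, key, method)
        if not hmac.compare_digest(expected.encode(), str(request.get("signature")).encode()):
            return False, "bad signature"
        # Embodiment seven: the timestamp must lie inside the preset delay period
        try:
            age = abs(now - float(request["timestamp"]))
        except (TypeError, ValueError):
            return False, "bad timestamp"
        if not age <= MAX_DELAY_SECONDS:  # written this way so NaN is rejected too
            return False, "stale timestamp"
        # (2) the stored binding must cover this server, user, sub-account and data item
        grant = self.grants.get((request["server_id"], request["user_id"], request["sub_account"]))
        if grant is None or request["user_data"] not in grant[0]:
            return False, "not authorized"
        # (3) the token must be the one issued for this binding
        if not hmac.compare_digest(grant[1].encode(), str(request["access_token"]).encode()):
            return False, "bad token"
        return True, "ok"


def demo():
    # Constructed sample data following the page's running example.
    store = GrantStore({"ID1": b"constructed-communication-key"},
                       {"ID2": {"A1": {"level", "avatar", "friends", "updates"}}})
    store.record_grant("ID1", "ID2", "A1", ["avatar"], "constructed-token")
    base = dict(server_id="ID1", access_token="constructed-token", user_id="ID2",
                sub_account="A1", timestamp=1_700_000_000)
    key = store.server_keys["ID1"]
    granted = make_request(key, user_data="avatar", **base)
    not_granted = make_request(key, user_data="friends", **base)
    return store, granted, not_granted
```

A timestamp window alone still accepts a copy of a request replayed inside the window; rejecting those as well would need a record of requests already seen, which the page does not describe.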
Embodiment eight
Referring to Fig. 7, which shows the structural block diagram of Embodiment 1 of a user data authorization device of the present invention, the device includes:
Authorization request receiving unit 701, configured to receive an authorization request sent by a third-party application server; the authorization request includes a server identifier and a server address;
Authentication request sending unit 702, configured to send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user;
Authentication response receiving unit 703, configured to receive the identity authentication response returned by the authentication gateway; the identity authentication response includes the user identifier of the authenticated user;
Lookup unit 704, configured to look up, in the authorization server, the user sub-accounts that match the user identifier, and send them to the client so that the client user can select the sub-account to authorize;
Correspondence establishing unit 705, configured to receive the authorized sub-account returned by the client, and establish and store the correspondence among the server identifier, the user identifier and the authorized sub-account;
Authorization information sending unit 706, configured to use the server address to send the user identifier, the authorized sub-account and an access token representing the access rights to the third-party application server.
Further, as shown in Fig. 8, the authorization information sending unit may specifically include:
Authorization code generation unit 7061, configured to generate an authorization code;
Communication unit 7062, configured to use the server address to send the user identifier, the authorized sub-account and the authorization code to the third-party application server, and to receive the server identifier and authorization code sent by the third-party application server;
Comparing unit 7063, configured to compare whether the server identifier matches the server identifier in the authorization request and whether the authorization code matches the generated authorization code, and, if both match, to send the access token to the third-party application server.
Embodiment nine
Referring to Fig. 9, which shows the structural block diagram of Embodiment 2 of a user data authorization device of the present invention, the device further includes:
User data sending unit 707, configured to send the user data contained in the authorized sub-account to the client so that the client user can select the user data to authorize;
The correspondence establishing unit 705, configured to establish and store, after receiving the authorized user data returned by the client, the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data;
The authorization information sending unit 706, configured to use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
Embodiment ten
Referring to Fig. 10, which shows the structural block diagram of Embodiment 3 of a user data authorization device of the present invention, the device further includes:
Judging unit 708, configured to judge whether the authorized sub-account is contained in the user's sub-accounts, and to judge whether the authorized user data is contained in the user data; if both judgments are yes, it notifies the correspondence establishing unit to establish and store the correspondence.
Embodiment 11
Referring to Fig. 11, which shows the structural block diagram of Embodiment 4 of a user data authorization device of the present invention, the device further includes:
Access request receiving unit 709, configured to receive the access request sent by the third-party application server and forwarded by the open platform gateway; the access request includes four pieces of information, namely the server identifier, the access token, the user identifier and the sub-account, together with the digital signature of the four pieces of information and the signature method used to generate the digital signature;
Authentication unit 710, configured to perform legitimacy authentication on the access request and, if the authentication passes, allow the third-party application server to access all user data contained in the sub-account named in the access request;
The legitimacy authentication includes:
Using the signature method to digitally sign the four pieces of information and comparing the result with the digital signature contained in the access request; if they are identical, judging the access request legal;
Judging whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the server identifier, the user identifier and the authorized sub-account stored by the authorization server; if so, judging the server identifier, user identifier and sub-account in the access request legal;
Judging whether the access token matches the access token that the authorization server sent to the third-party application server; if so, judging the access token legal.
Embodiment 12
Referring to Fig. 12, which shows the structural block diagram of Embodiment 1 of a user data authorization system of the present invention, the system includes an authorization server 111, a third-party application server 112, an authentication gateway 113 and a client 114, wherein:
The authorization server is configured to receive the authorization request sent by the third-party application server and to send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user; the authorization request includes a server identifier and a server address;
The authentication gateway is configured to authenticate the identity of the client user and to send the authorization server an identity authentication response that includes the user identifier of the authenticated user;
The authorization server is further configured to receive the identity authentication response, look up the user sub-accounts that match the user identifier, and send them to the client;
The client is configured to receive the user's sub-accounts, select from them the sub-account to authorize, and send it to the authorization server;
The authorization server is further configured to receive the authorized sub-account returned by the client, and establish and store the correspondence among the server identifier, the user identifier and the authorized sub-account; and to use the server address to send the user identifier, the authorized sub-account and an access token representing the access rights to the third-party application server.
The authorization server, third-party application server, authentication gateway and client in the user data authorization system of the present invention cooperate with one another to achieve the invention's goal of partial usage authorization by the user to a third party. Referring to Fig. 13, which shows the structural block diagram of the authentication gateway, it specifically includes:
Login status obtaining unit 1131, configured to obtain the login status of the client user; if the user is successfully logged in, the user is judged to be an authenticated user; if not, the user is prompted for username and password verification, and after the verification passes the user is judged to be an authenticated user;
Converting unit 1132, configured to convert the username of the authenticated user into a user identifier, add the user identifier to the identity authentication response, and send it to the authorization server.
Further, the invention can also refine the granularity of the user's authorization to the third party, so that authorization is granted in units of the user data contained in a sub-account. In this case the authorization server is further configured to send the user data contained in the authorized sub-account to the client and, after receiving the authorized user data returned by the client, to establish and store the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data; and to use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
Further, to improve authorization reliability and prevent the user's authorization from being maliciously tampered with, the authorization server is further configured to judge whether the authorized sub-account is contained in the user's sub-accounts, and to judge whether the authorized user data is contained in the user data; if both judgments are yes, it continues with the step of establishing and storing the correspondence.
Embodiment 13
Referring to Figure 14, which shows a structural block diagram of Embodiment 2 of a user data authorization system of the present invention, the system further comprises an open platform gateway 115;
The open platform gateway is configured to receive the access request sent by the third-party application server and forward it to the authorization server. The access request includes four pieces of information, namely the server identifier, access token, user identifier and sub-account, together with the digital signature of those four pieces of information and the signature method used to generate the digital signature;
The authorization server is configured to perform legitimacy authentication on the access request and, if the authentication passes, to allow the third-party application server to access all user data contained in the sub-account named in the access request;
Wherein, the legitimacy authentication comprises:
Digitally signing the four pieces of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, the access request is judged to be legitimate;
Judging whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the server identifier, user identifier and authorized sub-account saved by the authorization server; if so, the server identifier, user identifier and sub-account in the access request are judged to be legitimate;
Judging whether the access token matches the access token that the authorization server sent to the third-party application server; if so, the access token is judged to be legitimate.
Further, if the user authorizes the third party in units of the user data contained in a sub-account, then when the legitimacy of the third party's access request is authenticated, the access request received by the authorization server also includes the user data, and the digital signature in the access request is specifically a digital signature generated from five pieces of information: the server identifier, access token, user identifier, sub-account and user data. In that case,
The legitimacy authentication performed by the authorization server specifically comprises:
Digitally signing the five pieces of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, the access request is judged to be legitimate;
Judging whether the server identifier, user identifier, sub-account and user data in the access request satisfy the correspondence among the server identifier, user identifier, authorized sub-account and authorized user data saved by the authorization server; if so, the server identifier, user identifier, sub-account and user data in the access request are judged to be legitimate;
Judging whether the access token matches the access token that the authorization server sent to the third-party application server; if so, the access token is judged to be legitimate.
Further, to prevent replay attacks, when the legitimacy of the third party's access request is authenticated, the access request received by the authorization server also includes a current timestamp. In that case,
The legitimacy authentication performed by the authorization server further comprises:
Judging whether the current timestamp falls within a preset delay period; if so, the current timestamp is judged to be legitimate.
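As an added illustration (not code from the patent), the sketch below implements two checks described above: the containment check before the correspondence is saved, and the legitimacy authentication of a four-field access request with a timestamp. It assumes HMAC-SHA256 with a per-server shared secret as the signature method and a 300-second delay period, and, going beyond what the text states, it covers the timestamp with the signature; all names and sample values are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: only keyed methods on this allowlist are accepted, so the
# method named in a request can never downgrade verification.
SIGNATURE_METHODS = {"HMAC-SHA256": hashlib.sha256}
MAX_DELAY_SECONDS = 300  # assumed value for the "preset delay period"


def canonical(fields):
    """Length-prefix each field so ("ab", "c") and ("a", "bc") sign differently."""
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def sign(secret, method, fields):
    return hmac.new(secret, canonical(fields), SIGNATURE_METHODS[method]).hexdigest()


def build_request(secret, server_id, token, user_id, sub_account, timestamp,
                  method="HMAC-SHA256"):
    """Third-party application server side: assemble and sign an access request."""
    req = {"server_id": server_id, "access_token": token, "user_id": user_id,
           "sub_account": sub_account, "timestamp": str(int(timestamp)),
           "signature_method": method}
    req["signature"] = sign(secret, method, [server_id, token, user_id,
                                             sub_account, req["timestamp"]])
    return req


class AuthorizationServer:
    def __init__(self):
        self.server_secrets = {}  # server identifier -> shared secret (assumed)
        self.sub_accounts = {}    # user identifier -> set of user sub-accounts
        self.grants = {}          # (server id, user id, sub-account) -> token

    def record_grant(self, server_id, user_id, chosen):
        """Save the correspondence only if every returned sub-account is one
        of the user's own sub-accounts (guards against a tampered selection)."""
        offered = self.sub_accounts.get(user_id, set())
        if not chosen or not set(chosen) <= offered:
            raise ValueError("authorized sub-account not among user sub-accounts")
        token = secrets.token_urlsafe(32)
        for sub in chosen:
            self.grants[(server_id, user_id, sub)] = token
        return token

    def verify_access(self, req, now=None):
        """Legitimacy authentication; returns (passed, reason)."""
        now = time.time() if now is None else now
        names = ("server_id", "access_token", "user_id", "sub_account",
                 "timestamp", "signature_method", "signature")
        if not all(isinstance(req.get(n), str) for n in names):
            return False, "malformed request"
        try:
            ts = int(req["timestamp"])
        except ValueError:
            return False, "malformed request"
        secret = self.server_secrets.get(req["server_id"])
        if secret is None or req["signature_method"] not in SIGNATURE_METHODS:
            return False, "unknown server or signature method"
        # 1. Recompute the signature and compare in constant time.
        expected = sign(secret, req["signature_method"],
                        [req[n] for n in names[:5]])
        if not hmac.compare_digest(expected.encode(), req["signature"].encode()):
            return False, "bad signature"
        # 2. The (server, user, sub-account) triple must match a saved grant.
        granted = self.grants.get(
            (req["server_id"], req["user_id"], req["sub_account"]))
        if granted is None:
            return False, "no saved correspondence"
        # 3. The token must be the one issued for that grant.
        if not hmac.compare_digest(granted.encode(), req["access_token"].encode()):
            return False, "token mismatch"
        # 4. Replay defence: the signed timestamp must be inside the window.
        if abs(now - ts) > MAX_DELAY_SECONDS:
            return False, "timestamp outside delay period"
        return True, "ok"


def demo():
    """Constructed sample data: one server, one user, one granted sub-account."""
    srv = AuthorizationServer()
    secret = srv.server_secrets["app-42"] = b"constructed-shared-secret"
    srv.sub_accounts["u-1001"] = {"game-a", "game-b"}
    token = srv.record_grant("app-42", "u-1001", ["game-a"])
    t0 = 1_700_000_000
    good = build_request(secret, "app-42", token, "u-1001", "game-a", t0)
    other = build_request(secret, "app-42", token, "u-1001", "game-b", t0)
    return [srv.verify_access(good, now=t0 + 10),      # fresh, granted
            srv.verify_access(other, now=t0 + 10),     # sub-account not granted
            srv.verify_access(good, now=t0 + 3600)]    # replayed an hour later


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A captured request whose timestamp is rewritten after signing fails the signature check, which is why this example signs the timestamp rather than checking it separately.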
The present invention may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the existence of other identical elements in the process, method, article or device that comprises the element.
For the device embodiments, since they correspond substantially to the method embodiments, the relevant parts may be understood by reference to the description of the method embodiments. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
The above is only a specific embodiment of the present invention. It should be pointed out that those of ordinary skill in the art may make several improvements and refinements without departing from the principle of the present invention, and these improvements and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (20)

1. A user data authorization method, characterized by comprising:
An authorization server receiving an authorization request sent by a third-party application server, the authorization request including a server identifier and a server address;
Sending an identity authentication request to an authentication gateway, so that the authentication gateway authenticates the identity of the client user;
Receiving the identity authentication response returned by the authentication gateway, the identity authentication response including the user identifier of the authenticated user;
Looking up, in the authorization server, the user sub-accounts that match the user identifier, and sending them to the client for the client user to select an authorized sub-account;
Receiving the authorized sub-account returned by the client, and establishing and saving the correspondence among the server identifier, the user identifier and the authorized sub-account;
Using the server address to send the user identifier, the authorized sub-account and an access token representing the access rights to the third-party application server.
2. The method according to claim 1, characterized in that the authentication gateway authenticating the identity of the client user specifically comprises:
Obtaining the login status of the client user; if the user has logged in successfully, judging the user to be an authenticated user; if the user has not logged in successfully, prompting the user to perform username and password verification, and after that verification passes, judging the user to be an authenticated user;
Converting the username of the authenticated user into a user identifier, adding the user identifier to the identity authentication response, and sending the response to the authorization server.
3. The method according to claim 1, characterized in that the method further comprises: after receiving the authorized sub-account returned by the client,
Sending the user data contained in the authorized sub-account to the client for the client user to select the authorized user data; in that case,
The establishing and saving of the correspondence specifically comprises: after receiving the authorized user data returned by the client, establishing and saving the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data;
The information sent to the third-party application server using the server address is specifically: the user identifier, the authorized sub-account, the authorized user data and the access token.
4. The method according to claim 3, characterized in that the method further comprises: before establishing and saving the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data,
Judging whether the authorized sub-account is contained in the user sub-accounts and whether the authorized user data is contained in the user data; if both judgments are affirmative, continuing with the step of establishing and saving the correspondence.
5. The method according to claim 1, characterized in that using the server address to send the user identifier, the authorized sub-account and the access token to the third-party application server specifically comprises:
Generating an authorization code, and using the server address to send the user identifier, the authorized sub-account and the authorization code to the third-party application server;
Receiving the server identifier and authorization code sent by the third-party application server; if the server identifier matches the server identifier in the authorization request and the authorization code matches the generated authorization code, sending the access token to the third-party application server.
6. The method according to any one of claims 1-5, characterized in that the method further comprises:
Receiving the access request sent by the third-party application server and forwarded by the open platform gateway; the access request includes four pieces of information, namely the server identifier, access token, user identifier and sub-account, together with the digital signature of those four pieces of information and the signature method used to generate the digital signature;
Performing legitimacy authentication on the access request and, if the authentication passes, allowing the third-party application server to access all user data contained in the sub-account named in the access request;
Wherein, the legitimacy authentication comprises:
Digitally signing the four pieces of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, judging the access request to be legitimate;
Judging whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the server identifier, user identifier and authorized sub-account saved by the authorization server; if so, judging the server identifier, user identifier and sub-account in the access request to be legitimate;
Judging whether the access token matches the access token that the authorization server sent to the third-party application server; if so, judging the access token to be legitimate.
7. The method according to claim 6, characterized in that the method further comprises:
The access request also includes user data; in that case,
The digital signature in the access request is specifically a digital signature generated from five pieces of information: the server identifier, access token, user identifier, sub-account and user data;
The legitimacy authentication specifically comprises:
Digitally signing the five pieces of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, judging the access request to be legitimate;
Judging whether the server identifier, user identifier, sub-account and user data in the access request satisfy the correspondence among the server identifier, user identifier, authorized sub-account and authorized user data saved by the authorization server; if so, judging the server identifier, user identifier, sub-account and user data in the access request to be legitimate;
Judging whether the access token matches the access token that the authorization server sent to the third-party application server; if so, judging the access token to be legitimate.
8. The method according to claim 6, characterized in that the method further comprises:
The access request also includes a current timestamp; in that case,
The legitimacy authentication further comprises:
Judging whether the current timestamp falls within a preset delay period; if so, judging the current timestamp to be legitimate.
9. A user data authorization device, characterized by comprising:
An authorization request receiving unit, configured to receive an authorization request sent by a third-party application server, the authorization request including a server identifier and a server address;
An authentication request sending unit, configured to send an identity authentication request to an authentication gateway, so that the authentication gateway authenticates the identity of the client user;
An authentication response receiving unit, configured to receive the identity authentication response returned by the authentication gateway, the identity authentication response including the user identifier of the authenticated user;
A lookup unit, configured to look up, in the authorization server, the user sub-accounts that match the user identifier, and send them to the client for the client user to select an authorized sub-account;
A correspondence establishing unit, configured to receive the authorized sub-account returned by the client, and to establish and save the correspondence among the server identifier, the user identifier and the authorized sub-account;
An authorization information sending unit, configured to use the server address to send the user identifier, the authorized sub-account and an access token representing the access rights to the third-party application server.
10. The device according to claim 9, characterized in that the device further comprises:
A user data sending unit, configured to send the user data contained in the authorized sub-account to the client for the client user to select the authorized user data;
The correspondence establishing unit is configured to establish and save, after receiving the authorized user data returned by the client, the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data;
The authorization information sending unit is configured to use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
11. The device according to claim 10, characterized in that the device further comprises:
A judging unit, configured to judge whether the authorized sub-account is contained in the user sub-accounts and whether the authorized user data is contained in the user data, and, if both judgments are affirmative, to notify the correspondence establishing unit to establish and save the correspondence.
12. The device according to claim 9, characterized in that the authorization information sending unit specifically comprises:
An authorization code generation unit, configured to generate an authorization code;
A communication unit, configured to use the server address to send the user identifier, the authorized sub-account and the authorization code to the third-party application server, and to receive the server identifier and authorization code sent by the third-party application server;
A comparing unit, configured to compare whether the server identifier matches the server identifier in the authorization request and whether the authorization code matches the generated authorization code, and, if both match, to send the access token to the third-party application server.
13. The device according to any one of claims 9-12, characterized in that the device further comprises:
An access request receiving unit, configured to receive the access request sent by the third-party application server and forwarded by the open platform gateway; the access request includes four pieces of information, namely the server identifier, access token, user identifier and sub-account, together with the digital signature of those four pieces of information and the signature method used to generate the digital signature;
An authentication unit, configured to perform legitimacy authentication on the access request and, if the authentication passes, to allow the third-party application server to access all user data contained in the sub-account named in the access request;
Wherein, the legitimacy authentication comprises:
Digitally signing the four pieces of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, judging the access request to be legitimate;
Judging whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the server identifier, user identifier and authorized sub-account saved by the authorization server; if so, judging the server identifier, user identifier and sub-account in the access request to be legitimate;
Judging whether the access token matches the access token that the authorization server sent to the third-party application server; if so, judging the access token to be legitimate.
14. A user data authorization system, characterized in that the system comprises: an authorization server, a third-party application server, an authentication gateway and a client,
The authorization server is configured to receive the authorization request sent by the third-party application server and to send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user; the authorization request includes a server identifier and a server address;
The authentication gateway is configured to authenticate the identity of the client user and to send to the authorization server an identity authentication response that includes the user identifier of the authenticated user;
The authorization server is further configured to receive the identity authentication response, look up the user sub-accounts that match the user identifier, and send them to the client;
The client is configured to receive the user sub-accounts, select an authorized sub-account from among them, and send it to the authorization server;
The authorization server is further configured to receive the authorized sub-account returned by the client, and to establish and save the correspondence among the server identifier, the user identifier and the authorized sub-account; and to use the server address to send the user identifier, the authorized sub-account and an access token representing the access rights to the third-party application server.
15. The system according to claim 14, characterized in that the authentication gateway specifically comprises:
A login status acquiring unit, configured to obtain the login status of the client user; if the user has logged in successfully, the user is judged to be an authenticated user; if the user has not logged in successfully, the user is prompted to perform username and password verification, and after that verification passes, the user is judged to be an authenticated user;
A converting unit, configured to convert the username of the authenticated user into a user identifier, add the user identifier to the identity authentication response, and send the response to the authorization server.
16. The system according to claim 14, characterized in that,
The authorization server is further configured to send the user data contained in the authorized sub-account to the client and, after receiving the authorized user data returned by the client, to establish and save the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data; and to use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
17. The system according to claim 16, characterized in that,
The authorization server is also configured to judge whether the authorized sub-account is contained in the user sub-accounts and whether the authorized user data is contained in the user data; if both judgments are affirmative, it continues with the step of establishing and saving the correspondence.
18. The system according to any one of claims 14-17, characterized in that the system further comprises an open platform gateway;
The open platform gateway is configured to receive the access request sent by the third-party application server and forward it to the authorization server; the access request includes four pieces of information, namely the server identifier, access token, user identifier and sub-account, together with the digital signature of those four pieces of information and the signature method used to generate the digital signature;
The authorization server is configured to perform legitimacy authentication on the access request and, if the authentication passes, to allow the third-party application server to access all user data contained in the sub-account named in the access request;
Wherein, the legitimacy authentication comprises:
Digitally signing the four pieces of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, judging the access request to be legitimate;
Judging whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the server identifier, user identifier and authorized sub-account saved by the authorization server; if so, judging the server identifier, user identifier and sub-account in the access request to be legitimate;
Judging whether the access token matches the access token that the authorization server sent to the third-party application server; if so, judging the access token to be legitimate.
19. The system according to claim 18, characterized in that,
The access request received by the authorization server also includes user data, and the digital signature in the access request is specifically a digital signature generated from five pieces of information: the server identifier, access token, user identifier, sub-account and user data;
In that case, the legitimacy authentication performed by the authorization server specifically comprises:
Digitally signing the five pieces of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, judging the access request to be legitimate;
Judging whether the server identifier, user identifier, sub-account and user data in the access request satisfy the correspondence among the server identifier, user identifier, authorized sub-account and authorized user data saved by the authorization server; if so, judging the server identifier, user identifier, sub-account and user data in the access request to be legitimate;
Judging whether the access token matches the access token that the authorization server sent to the third-party application server; if so, judging the access token to be legitimate.
20. The system according to claim 18, characterized in that,
The access request received by the authorization server also includes a current timestamp;
In that case, the legitimacy authentication performed by the authorization server further comprises:
Judging whether the current timestamp falls within a preset delay period; if so, judging the current timestamp to be legitimate.
CN201210137848.XA 2012-05-04 2012-05-04 User data authorization method, device and system Active CN102638473B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210137848.XA CN102638473B (en) 2012-05-04 2012-05-04 User data authorization method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210137848.XA CN102638473B (en) 2012-05-04 2012-05-04 User data authorization method, device and system

Publications (2)

Publication Number Publication Date
CN102638473A true CN102638473A (en) 2012-08-15
CN102638473B CN102638473B (en) 2014-12-10

Family

ID=46622716

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210137848.XA Active CN102638473B (en) 2012-05-04 2012-05-04 User data authorization method, device and system

Country Status (1)

Country Link
CN (1) CN102638473B (en)

Cited By (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103490898A (en) * 2013-09-22 2014-01-01 新浪网技术(中国)有限公司 E-mail collection authorization method, device and system
WO2014086111A1 (en) * 2012-12-03 2014-06-12 鹤山世达光电科技有限公司 Fingerprint authentication based information management system and information management method
CN103888451A (en) * 2014-03-10 2014-06-25 百度在线网络技术(北京)有限公司 Method, device and system for certification authorization
WO2014206199A1 (en) * 2013-06-25 2014-12-31 华为技术有限公司 Account login method, equipment and system
CN104320265A (en) * 2014-11-21 2015-01-28 北京奇虎科技有限公司 Authentication method and device for software platform
CN104468635A (en) * 2014-12-31 2015-03-25 广州东海网络科技有限公司 Upgrading authentication method and system for user permission in network platform
CN104702415A (en) * 2015-03-31 2015-06-10 北京奇艺世纪科技有限公司 Account number permission control method and device
CN104869102A (en) * 2014-02-24 2015-08-26 腾讯科技(北京)有限公司 Authorization method, device and system based on xAuth protocols
CN105187417A (en) * 2015-08-25 2015-12-23 北京京东尚科信息技术有限公司 Authority obtaining method and device
CN105306498A (en) * 2014-06-12 2016-02-03 中国电信股份有限公司 Method and system of user for accessing third party application and cloud platform
CN105391725A (en) * 2015-11-27 2016-03-09 深圳市摩艾客科技股份有限公司 Real person 3D data reading module and data transmission method thereof
CN105488366A (en) * 2014-10-13 2016-04-13 阿里巴巴集团控股有限公司 Data permission control method and system
CN105516069A (en) * 2014-09-28 2016-04-20 腾讯科技(深圳)有限公司 Data processing method, data processing device, and data processing system
CN105704108A (en) * 2014-11-28 2016-06-22 中国电信股份有限公司 Method for safety certification, ability opening platform and system
CN106168899A (en) * 2015-05-19 2016-11-30 罗伯特·博世有限公司 For updating method and the more new gateway of embedded Control equipment
WO2017021648A1 (en) * 2015-08-05 2017-02-09 Orange Method and device for identifying visited and home authentication servers
CN106603462A (en) * 2015-10-13 2017-04-26 腾讯科技(深圳)有限公司 API calling method, device and system
CN106856475A (en) * 2015-12-08 2017-06-16 佳能株式会社 Authorization server and certification cooperative system
CN106936779A (en) * 2015-12-29 2017-07-07 北京网御星云信息技术有限公司 A kind of data connecting method, system and device
CN107070945A (en) * 2013-06-19 2017-08-18 华为技术有限公司 Identity logs method and apparatus
CN107124433A (en) * 2017-07-04 2017-09-01 中国联合网络通信集团有限公司 Internet of things system, internet of things equipment access method, access authorization methods and equipment
CN107276963A (en) * 2016-04-06 2017-10-20 泰康之家(北京)投资有限公司 A kind of method and device of renewal authority
CN107273189A (en) * 2016-04-06 2017-10-20 泰康之家(北京)投资有限公司 A kind of method for managing subapplication and application carry platform
CN107545431A (en) * 2016-06-27 2018-01-05 李明 Transaction authorisation method and system and method for commerce and system
CN107590662A (en) * 2017-11-03 2018-01-16 中国银行股份有限公司 A kind of authentication method and certificate server, system for calling internet banking system
CN107885985A (en) * 2017-11-23 2018-04-06 维沃移动通信有限公司 A kind of application program account sharing method and terminal
CN108463982A (en) * 2015-11-16 2018-08-28 万事达卡国际股份有限公司 Carry out the system and method for certification online user for authorization server safe to use
CN108920366A (en) * 2018-06-28 2018-11-30 腾讯科技(深圳)有限公司 One seed application adjustment method, apparatus and system
CN109033774A (en) * 2018-08-31 2018-12-18 阿里巴巴集团控股有限公司 Acquisition, the method, apparatus of feedback user resource and electronic equipment
CN109150864A (en) * 2018-08-03 2019-01-04 中国联合网络通信集团有限公司 Anti-cheating method and device based on re-authentication
CN109347729A (en) * 2018-12-06 2019-02-15 维沃移动通信有限公司 A kind of means of communication and terminal
CN109472547A (en) * 2018-10-16 2019-03-15 平安万家医疗投资管理有限责任公司 A kind of run-length managment method, run-length management managing device and server
CN109511115A (en) * 2017-09-14 2019-03-22 华为技术有限公司 A kind of authorization method and network element
CN109587364A (en) * 2017-09-29 2019-04-05 中国移动通信集团公司 Handle method, server and the equipment of data on flows red packet
CN110224971A (en) * 2018-03-02 2019-09-10 阿里巴巴集团控股有限公司 Authorize method, authorization server, system, equipment and the storage medium logged in
CN110245474A (en) * 2019-04-19 2019-09-17 阿里巴巴集团控股有限公司 A kind of processing method and system for publicly-owned account
CN110334153A (en) * 2019-06-28 2019-10-15 阿里巴巴集团控股有限公司 Authorization method, system, device and equipment in block chain type account book
CN111031332A (en) * 2019-11-26 2020-04-17 北京达佳互联信息技术有限公司 Data interaction method, device, server and storage medium
CN111259363A (en) * 2020-01-19 2020-06-09 数字广东网络建设有限公司 Service access information processing method, system, device, equipment and storage medium
CN113746857A (en) * 2021-09-09 2021-12-03 深圳市腾讯网域计算机网络有限公司 Login method, device, equipment and computer readable storage medium
US11218314B2 (en) 2017-09-28 2022-01-04 Huawei Technologies Co., Ltd. Network function service invocation method, apparatus, and system
CN114448720A (en) * 2022-03-09 2022-05-06 北京京东振世信息技术有限公司 Account registration method and device
CN114793179A (en) * 2022-05-09 2022-07-26 北京明略昭辉科技有限公司 Method and system for tenant access, server and storage medium
US12093419B2 (en) 2018-09-03 2024-09-17 VeChain Global Technology, S.AR.L Methods and devices for managing user identity authentication data

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1459068A (en) * 2000-08-17 2003-11-26 丹尼尔·A·克恩 Automated payment system
CN101562621A (en) * 2009-05-25 2009-10-21 阿里巴巴集团控股有限公司 User authorization method and system and device thereof

Cited By (71)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014086111A1 (en) * 2012-12-03 2014-06-12 鹤山世达光电科技有限公司 Fingerprint authentication based information management system and information management method
CN107070945A (en) * 2013-06-19 2017-08-18 华为技术有限公司 Identity logs method and apparatus
WO2014206199A1 (en) * 2013-06-25 2014-12-31 华为技术有限公司 Account login method, equipment and system
US10021098B2 (en) 2013-06-25 2018-07-10 Huawei Technologies Co., Ltd. Account login method, device, and system
CN103490898B (en) * 2013-09-22 2017-01-18 新浪网技术(中国)有限公司 E-mail collection authorization method, device and system
CN103490898A (en) * 2013-09-22 2014-01-01 新浪网技术(中国)有限公司 E-mail collection authorization method, device and system
CN104869102A (en) * 2014-02-24 2015-08-26 腾讯科技(北京)有限公司 Authorization method, device and system based on xAuth protocols
CN104869102B (en) * 2014-02-24 2019-04-02 腾讯科技(北京)有限公司 Authorization method, device and system based on xAuth agreement
CN103888451A (en) * 2014-03-10 2014-06-25 百度在线网络技术(北京)有限公司 Method, device and system for certification authorization
CN103888451B (en) * 2014-03-10 2017-09-26 百度在线网络技术(北京)有限公司 Authorization method, the apparatus and system of certification
CN105306498B (en) * 2014-06-12 2019-04-16 中国电信股份有限公司 Method, system and the cloud platform of user's access third-party application
CN105306498A (en) * 2014-06-12 2016-02-03 中国电信股份有限公司 Method and system of user for accessing third party application and cloud platform
CN105516069A (en) * 2014-09-28 2016-04-20 腾讯科技(深圳)有限公司 Data processing method, data processing device, and data processing system
WO2016058522A1 (en) * 2014-10-13 2016-04-21 Alibaba Group Holding Limited Method and apparatus for controlling data permissions
US9866565B2 (en) 2014-10-13 2018-01-09 Alibaba Group Holding Limited Method and apparatus for controlling data permissions
CN105488366A (en) * 2014-10-13 2016-04-13 阿里巴巴集团控股有限公司 Data permission control method and system
CN104320265A (en) * 2014-11-21 2015-01-28 北京奇虎科技有限公司 Authentication method and device for software platform
CN104320265B (en) * 2014-11-21 2017-10-24 北京奇虎科技有限公司 Authentication method and authentication device for software platform
CN105704108A (en) * 2014-11-28 2016-06-22 中国电信股份有限公司 Method for safety certification, ability opening platform and system
CN105704108B (en) * 2014-11-28 2019-02-12 中国电信股份有限公司 For the method for safety certification, ability open platform and system
CN104468635A (en) * 2014-12-31 2015-03-25 广州东海网络科技有限公司 Upgrading authentication method and system for user permission in network platform
CN104468635B (en) * 2014-12-31 2018-01-26 广州东海网络科技有限公司 The user right step-up authentication method and system of the network platform
CN104702415B (en) * 2015-03-31 2018-12-14 北京奇艺世纪科技有限公司 account authority control method and device
CN104702415A (en) * 2015-03-31 2015-06-10 北京奇艺世纪科技有限公司 Account number permission control method and device
CN106168899B (en) * 2015-05-19 2021-07-27 罗伯特·博世有限公司 Method for updating embedded control equipment and updating gateway
CN106168899A (en) * 2015-05-19 2016-11-30 罗伯特·博世有限公司 For updating method and the more new gateway of embedded Control equipment
US10856145B2 (en) 2015-08-05 2020-12-01 Orange Method and device for identifying visited and home authentication servers
FR3039954A1 (en) * 2015-08-05 2017-02-10 Orange METHOD AND DEVICE FOR IDENTIFYING VISIT AND HOME AUTHENTICATION SERVERS
WO2017021648A1 (en) * 2015-08-05 2017-02-09 Orange Method and device for identifying visited and home authentication servers
CN105187417A (en) * 2015-08-25 2015-12-23 北京京东尚科信息技术有限公司 Authority obtaining method and device
CN106603462A (en) * 2015-10-13 2017-04-26 腾讯科技(深圳)有限公司 API calling method, device and system
CN108463982A (en) * 2015-11-16 2018-08-28 万事达卡国际股份有限公司 Carry out the system and method for certification online user for authorization server safe to use
CN108463982B (en) * 2015-11-16 2021-11-02 万事达卡国际股份有限公司 System and method for authenticating online users using a secure authorization server
CN105391725A (en) * 2015-11-27 2016-03-09 深圳市摩艾客科技股份有限公司 Real person 3D data reading module and data transmission method thereof
CN106856475A (en) * 2015-12-08 2017-06-16 佳能株式会社 Authorization server and certification cooperative system
CN106856475B (en) * 2015-12-08 2020-11-10 佳能株式会社 Authorization server and authentication collaboration system
CN106936779A (en) * 2015-12-29 2017-07-07 北京网御星云信息技术有限公司 A kind of data connecting method, system and device
CN107276963B (en) * 2016-04-06 2021-09-03 泰康之家(北京)投资有限公司 Method and device for updating authority
CN107273189A (en) * 2016-04-06 2017-10-20 泰康之家(北京)投资有限公司 A kind of method for managing subapplication and application carry platform
CN107276963A (en) * 2016-04-06 2017-10-20 泰康之家(北京)投资有限公司 A kind of method and device of renewal authority
CN107545431A (en) * 2016-06-27 2018-01-05 李明 Transaction authorisation method and system and method for commerce and system
CN107124433B (en) * 2017-07-04 2019-08-06 中国联合网络通信集团有限公司 Internet of things system, internet of things equipment access method, access authorization methods and equipment
CN107124433A (en) * 2017-07-04 2017-09-01 中国联合网络通信集团有限公司 Internet of things system, internet of things equipment access method, access authorization methods and equipment
CN109511115B (en) * 2017-09-14 2020-09-29 华为技术有限公司 Authorization method and network element
US11431695B2 (en) 2017-09-14 2022-08-30 Huawei Technologies Co., Ltd. Authorization method and network element
CN109511115A (en) * 2017-09-14 2019-03-22 华为技术有限公司 A kind of authorization method and network element
US11218314B2 (en) 2017-09-28 2022-01-04 Huawei Technologies Co., Ltd. Network function service invocation method, apparatus, and system
US11956361B2 (en) 2017-09-28 2024-04-09 Huawei Technologies Co., Ltd. Network function service invocation method, apparatus, and system
CN109587364A (en) * 2017-09-29 2019-04-05 中国移动通信集团公司 Handle method, server and the equipment of data on flows red packet
CN107590662A (en) * 2017-11-03 2018-01-16 中国银行股份有限公司 A kind of authentication method and certificate server, system for calling internet banking system
CN107885985A (en) * 2017-11-23 2018-04-06 维沃移动通信有限公司 A kind of application program account sharing method and terminal
CN110224971B (en) * 2018-03-02 2022-05-27 阿里巴巴集团控股有限公司 Method, authorization server, system, device and storage medium for authorizing login
CN110224971A (en) * 2018-03-02 2019-09-10 阿里巴巴集团控股有限公司 Authorize method, authorization server, system, equipment and the storage medium logged in
CN108920366B (en) * 2018-06-28 2020-09-29 腾讯科技(深圳)有限公司 Sub-application debugging method, device and system
CN108920366A (en) * 2018-06-28 2018-11-30 腾讯科技(深圳)有限公司 One seed application adjustment method, apparatus and system
CN109150864A (en) * 2018-08-03 2019-01-04 中国联合网络通信集团有限公司 Anti-cheating method and device based on re-authentication
CN109150864B (en) * 2018-08-03 2021-07-20 中国联合网络通信集团有限公司 Anti-cheating method and device based on secondary authentication
CN109033774B (en) * 2018-08-31 2020-08-07 阿里巴巴集团控股有限公司 Method and device for acquiring and feeding back user resources and electronic equipment
CN109033774A (en) * 2018-08-31 2018-12-18 阿里巴巴集团控股有限公司 Acquisition, the method, apparatus of feedback user resource and electronic equipment
US12093419B2 (en) 2018-09-03 2024-09-17 VeChain Global Technology, S.AR.L Methods and devices for managing user identity authentication data
CN109472547A (en) * 2018-10-16 2019-03-15 平安万家医疗投资管理有限责任公司 A kind of run-length managment method, run-length management managing device and server
CN109347729A (en) * 2018-12-06 2019-02-15 维沃移动通信有限公司 A kind of means of communication and terminal
CN110245474A (en) * 2019-04-19 2019-09-17 阿里巴巴集团控股有限公司 A kind of processing method and system for publicly-owned account
CN110334153A (en) * 2019-06-28 2019-10-15 阿里巴巴集团控股有限公司 Authorization method, system, device and equipment in block chain type account book
CN111031332B (en) * 2019-11-26 2021-09-10 北京达佳互联信息技术有限公司 Data interaction method, device, server and storage medium
CN111031332A (en) * 2019-11-26 2020-04-17 北京达佳互联信息技术有限公司 Data interaction method, device, server and storage medium
CN111259363A (en) * 2020-01-19 2020-06-09 数字广东网络建设有限公司 Service access information processing method, system, device, equipment and storage medium
CN113746857A (en) * 2021-09-09 2021-12-03 深圳市腾讯网域计算机网络有限公司 Login method, device, equipment and computer readable storage medium
CN114448720A (en) * 2022-03-09 2022-05-06 北京京东振世信息技术有限公司 Account registration method and device
CN114793179A (en) * 2022-05-09 2022-07-26 北京明略昭辉科技有限公司 Method and system for tenant access, server and storage medium
CN114793179B (en) * 2022-05-09 2024-07-02 北京明略昭辉科技有限公司 Method and system for tenant access, server and storage medium

Also Published As

Publication number Publication date
CN102638473B (en) 2014-12-10

Similar Documents

Publication Publication Date Title
CN102638473B (en) User data authorization method, device and system
KR101195651B1 (en) System and method for authenticating remote server access
CN101075875B (en) Method and system for realizing monopoint login between gate and system
CN1852094B (en) Method and system for protecting account of network business user
CN102811228B (en) Network login method, equipment and system
CN106779716B (en) Authentication method, device and system based on block chain account address
CN106375270B (en) Token generation and authentication method and authentication server
CN101217367B (en) An operation right judgment system and method realized by introducing right judgment client end
US20210168611A1 (en) Method for securely sharing a url
CN101087193A (en) New method for using the mobile number bond with account for identity identification
CN107295011A (en) The safety certifying method and device of webpage
CN102868702B (en) System login device and system login method
CN103051647B (en) Method, equipment and system that a kind of session realizes
CN104967597A (en) Third-party application message authentication method and system based on secure channel
CN104796436A (en) User login method and system, first platform server and related platform server
CN104618356B (en) Auth method and device
CN104837134B (en) A kind of web authentication user login method, equipment and system
CN105354482A (en) Single sign-on method and device
CN106453321A (en) Authentication server, system and method, and to-be-authenticated terminal
CN102143131A (en) User logout method and authentication server
CN104753872A (en) Authentication method, authentication platform, service platform, network elements and system
HUE029848T2 (en) Method and equipment for establishing secure connection on a communication network
CN103428161A (en) Phone authentication service system
CN105187417B (en) Authority acquiring method and apparatus
CN104113511B (en) A kind of method, system and relevant apparatus for accessing IMS network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant