CN103581140B - Authentication control method and device and system, authorization requests method and device - Google Patents

Publication number: CN103581140B
Authority: CN (China)
Prior art keywords: token, identification code, control device, party application, unit
Legal status: Active
Application number: CN201210275220.6A
Other languages: Chinese (zh)
Other versions: CN103581140A (en)
Inventor: 李炳
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Landscapes: Storage Device Security (AREA)

Abstract

The present invention relates to an authentication control method, an authorization control device, an authorization request method, an authorization request device, and an authorization control system. The authentication control method includes the steps of: receiving user authentication information and an identification code sent by a third-party application; performing user authentication according to the user authentication information; if the user authentication passes, returning an interim token to the third-party application and saving the identification code in memory; receiving a service invocation request sent by the third-party application, the service invocation request including the interim token; if the interim token has expired, returning token-expired information to the third-party application and receiving the identification code returned by the third-party application; and matching the identification code returned by the third-party application against the identification code saved in memory and, if the match succeeds, returning a new interim token to the third-party application. The invention can still complete the periodic automatic exchange of tokens when the cookie is lost.

Description

Authentication control method and device and system, authorization requests method and device
Technical field
The present invention relates to the field of network service control technology, and in particular to an authentication control method, an authorization control device, an authorization request method, an authorization request device, and an authorization control system.
Background
At present, computer networks are ever more widespread and there are more and more applications on them; the network serves as an open platform for sharing, propagating and obtaining information based on user relationships. Many protocols and standards have been created in order to build open platforms on the network. OAuth 2.0 is one such open standard; it provides a safe, open and simple standard for the authorization of user resources. OAuth 2.0 allows a user to call, from a third-party application, the interfaces of a server (such as an open platform or website), for example an API (Application Programming Interface), and to access the open platform or website through those interfaces. It supports the following two kinds of verification and authorization: the user authorization page mode and the user name/password mode. The user authorization page mode includes a server-side flow and a client-side flow. The server-side flow (Web Server Flow) is suitable for applications that have a web server, that is, applications that send API call requests from the third-party application's web server, for example web sites and client applications backed by a web server. The client-side flow (Implicit Flow) is suitable for applications without a server, that is, applications that send API call requests from the client, for example scripts running in a browser (such as JavaScript programs), mobile phone clients and desktop clients. The user name/password mode is generally suitable for deep cooperation partners.
The client-side flow generally uses token refresh: after the user's authorization times out, an authorization request must be sent again to the open platform or website to obtain a new interim token (access token) before the API of the open platform or website can be called. The basic steps of OAuth 2.0 authorization mainly include: 1. Before the user accesses the website or open platform through the third-party application, information such as the interim token, the refresh token and the interim token expiry time (expires_in) is obtained. 2. After the interim token expires, the third-party application obtains the refresh token from the user's cookie and uses it to send a new request to the open platform or website to obtain a new interim token, refresh token, interim token expiry time and so on, and the cycle repeats. This token refresh method obtains the refresh token from the user's cookie in order to periodically obtain a new interim token, a new refresh token, a new interim token expiry time and so on. In practice, however, it often happens that the browser disallows cookies or the cookie is cleared by the user, that is, the user's identification information is lost. The third-party application is then unable to obtain the refresh token from the cookie to complete the periodic automatic refresh of the interim token and related information, with the consequence that the user cannot call the API of the open platform or website.
Summary of the invention
Therefore, the present invention provides an authentication control method, an authorization control device, an authorization request method, an authorization request device, and an authorization control system, which can exchange tokens automatically at regular intervals and improve the intelligence of the system and the reliability of its operation.
Specifically, an authentication control method proposed by an embodiment of the present invention includes the steps of: receiving user authentication information and an identification code sent by a third-party application; performing user authentication according to the user authentication information; if the user authentication passes, returning an interim token to the third-party application and saving the identification code in memory; receiving a service invocation request sent by the third-party application, the service invocation request including the interim token; if the interim token has expired, returning token-expired information to the third-party application and receiving the identification code returned by the third-party application; and matching the identification code returned by the third-party application against the identification code saved in memory and, if the match succeeds, returning a new interim token to the third-party application.
In addition, an authorization control device proposed by an embodiment of the present invention includes a user information receiving unit, a user authentication unit, a token returning unit, a storage unit, a service request receiving unit, an expiry information returning unit, an update information receiving unit and a token updating unit. The user information receiving unit is configured to receive the user authentication information and identification code sent by the third-party application; the user authentication unit is configured to perform user authentication according to the user authentication information; the token returning unit is configured to return an interim token to the third-party application if the user authentication passes; the storage unit is configured to save the identification code in memory; the service request receiving unit is configured to receive the service invocation request sent by the third-party application, the service invocation request including the interim token; the expiry information returning unit is configured to return token-expired information to the third-party application if the interim token has expired; the update information receiving unit is configured to receive the identification code sent by the third-party application; and the token updating unit is configured to match the identification code sent by the third-party application against the identification code saved in memory and, if the match succeeds, to return a new interim token to the third-party application.
In addition, an authorization request method for a third-party application proposed by an embodiment of the present invention includes the steps of: sending user authentication information and an identification code to an authorization control device, which performs user authentication and saves the identification code; after the authorization control device has passed the user authentication, obtaining the interim token returned by the authorization control device; using the interim token to send a service invocation request to the authorization control device and receiving the information returned by the authorization control device; if the information includes token-expired information, sending the identification code to the authorization control device again, the authorization control device matching it against the identification code it has saved; and, if the identification code is matched successfully in the authorization control device, receiving the new interim token returned by the authorization control device.
In addition, an authorization request device proposed by an embodiment of the present invention includes a login unit, a first token acquiring unit, a service call unit, a token update request unit and a second token acquiring unit. The login unit is configured to send user authentication information and an identification code to the authorization control device, which performs user authentication and saves the identification code; the first token acquiring unit is configured to obtain the interim token returned by the authorization control device after the authorization control device has passed the user authentication; the service call unit is configured to use the interim token to send a service invocation request to the authorization control device and to receive the information returned by the authorization control device; the token update request unit is configured, if the information includes token-expired information, to send the identification code to the authorization control device again, the authorization control device matching it against the identification code it has saved; and the second token acquiring unit is configured to obtain the new interim token returned by the authorization control device if the identification code is matched successfully in the authorization control device.
Furthermore, an authorization control system proposed by an embodiment of the present invention includes an authorization request device and an authorization control device. The authorization request device includes a login unit, a first token acquiring unit, a service call unit, a token update request unit and a second token acquiring unit; the authorization control device includes a user information receiving unit, a user authentication unit, a token returning unit, a storage unit, a service request receiving unit, an expiry information returning unit, an update information receiving unit and a token updating unit. The login unit sends user authentication information and an identification code to the user information receiving unit; the user authentication unit completes user authentication according to the user authentication information; the token returning unit returns an interim token to the first token acquiring unit after the user has passed authentication; the storage unit stores the identification code in memory after the user has passed authentication; the service call unit uses the interim token to send a service invocation request to the service request receiving unit; the expiry information returning unit returns token-expired information to the service call unit after the interim token has expired; the token update request unit sends the identification code to the update information receiving unit after the service call unit has received the token-expired information; and the token updating unit matches the identification code sent by the token update request unit against the identification code saved in memory and, if the match succeeds, returns a new interim token to the second token acquiring unit.
As can be seen from the above embodiments, the present invention determines whether the returned information includes token-expired information; if it does, the identification code is sent to the authorization control device again, and the authorization control device matches it against the identification code it has saved; if the identification code is matched successfully in the authorization control device, the new interim token returned by the authorization control device is received. Thus, even when the client browser disallows cookies or the cookie has been cleared by the client user, the interface of the authorization control device can still be called, and the authorization control device accessed, because the identification code sent matches the identification code stored in memory. Tokens can therefore be exchanged automatically at regular intervals, improving the intelligence of the system and the reliability of its operation.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and practised according to the content of the specification, and so that the above and other objects, features and advantages of the invention are more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
Fig. 1 is a flow chart of the steps of the authentication control method proposed by an embodiment of the present invention;
Fig. 2 is a flow chart of the steps of the authentication control method proposed by another embodiment of the present invention;
Fig. 3 is a main block diagram of the authorization control device proposed by an embodiment of the present invention;
Fig. 4 is a main block diagram of the authorization control device proposed by another embodiment of the present invention;
Fig. 5 is a flow chart of the steps of the authorization request method proposed by an embodiment of the present invention;
Fig. 6 is a flow chart of the steps of the authorization request method proposed by another embodiment of the present invention;
Fig. 7 is a main block diagram of the authorization request device proposed by an embodiment of the present invention;
Fig. 8 is a main block diagram of the authorization control system proposed by an embodiment of the present invention.
Detailed description of the embodiments
To further explain the technical means adopted by the present invention to achieve its intended purpose, and their effects, the embodiments, structure, features and effects of the authentication control method, authorization control device, authorization request method, authorization request device and authorization control system proposed by the invention are described in detail below with reference to the accompanying drawings and preferred embodiments.
The foregoing and other technical content, features and effects of the present invention will be presented clearly in the following detailed description of preferred embodiments with reference to the drawings. Through the description of the embodiments, the technical means adopted by the invention to achieve its intended purpose, and their effects, can be understood more deeply and specifically; the accompanying drawings, however, are provided only for reference and explanation and are not intended to limit the invention.
Fig. 1 is a flow chart of the steps of the authentication control method proposed by an embodiment of the present invention. Referring to Fig. 1, the authentication control method of this embodiment may include the following steps S101-S111:
Step S101: Receive the user authentication information and identification code sent by the third-party application.
In this step, the user authentication information may include information such as a user name and password. The identification code may include information such as the ID of the user and the ID of the third-party application.
Step S102: Perform user authentication according to the user authentication information.
In this step, if the user authentication information is a user name and password, authentication is judged to pass if the user name and password are correct; otherwise, authentication is judged not to pass.
Step S103: If the user authentication passes, return an interim token to the third-party application and save the identification code in memory.
In this step, if the user authentication passes, the access time of the third-party application may also be saved in memory.
Step S107: Receive the service invocation request sent by the third-party application, the service invocation request including the interim token.
In this step, the service invocation request may be a request to call an interface of the authorization control device, such as an API.
Step S109: If the interim token has expired, return token-expired information to the third-party application and receive the identification code returned by the third-party application.
In this step, the identification code includes information such as the ID of the user and the ID of the third-party application.
Step S111: Match the identification code returned by the third-party application against the identification code saved in memory; if the match succeeds, return a new interim token to the third-party application.
In this step, if the match succeeds, information such as a new refresh token and a new token expiry time is also returned to the third-party application.
In this embodiment, if the interim token has expired, token-expired information is returned to the third-party application and the identification code returned by the third-party application is received; the identification code returned by the third-party application is then matched against the identification code saved in memory, and if the match succeeds, a new interim token is returned to the third-party application. Thus, even when the client browser disallows cookies or the cookie has been cleared by the client user, the interface of the authorization control device can still be called, and the authorization control device accessed, because the identification code sent matches the identification code stored in memory. Tokens can therefore be exchanged automatically at regular intervals, improving the intelligence of the system and the reliability of its operation.
Fig. 2 is a flow chart of the steps of the authentication control method provided by an embodiment of the present invention. Fig. 2 is an improvement on Fig. 1. Referring to Fig. 2, the authentication control method of this embodiment may include the following steps S201-S217:
Step S201: Receive the user authentication information and identification code sent by the third-party application.
In this step, the user authentication information may include information such as a user name and password. The identification code may include information such as the ID of the user and the ID of the third-party application.
Step S202: Perform user authentication according to the user authentication information and determine whether authentication passes; if it passes, go to step S203.
In this step, if the user authentication information is a user name and password, authentication is judged to pass if the user name and password are correct; otherwise, authentication is judged not to pass.
After step S202, the method may further include:
Step S205: If authentication does not pass, send information that authentication did not pass to the third-party application, and end.
Step S203: If the user authentication passes, return an interim token to the third-party application and save the identification code in memory.
In this step, if the user authentication passes, the access time of the third-party application may also be saved in memory.
Step S203 may further include: sending information that authentication passed to the third-party application.
Step S207: Receive the service invocation request sent by the third-party application, the service invocation request including the interim token.
In this step, the service invocation request may be a request to call an interface of the authorization control device, such as an API.
Step S209: Determine whether the interim token has expired. If the interim token has expired, go to step S210. If the interim token has not expired, continue with step S209.
In this step, the usage time of the interim token can be compared with the token expiry time to determine whether the interim token has expired: if the usage time of the interim token has reached the token expiry time, the interim token is judged to have expired; if it has not reached the token expiry time, the interim token is judged not to have expired.
Step S210: If the interim token has expired, return token-expired information to the third-party application and receive the identification code returned by the third-party application.
In this step, the identification code includes information such as the ID of the user and the ID of the third-party application.
Step S211: Match the identification code returned by the third-party application against the identification code saved in memory and determine whether the match succeeds; if it succeeds, go to step S213.
In this step, the identification code returned by the third-party application is compared with the identification code stored in memory to determine whether the match succeeds. If the identification code includes the user ID and the third-party application ID, the match is judged successful when the user ID and third-party application ID in the identification code returned by the third-party application are respectively identical to the user ID and third-party application ID in the identification code stored in memory; otherwise, the match is judged unsuccessful.
Step S213: If the match succeeds, return a new interim token to the third-party application.
In this step, if the match succeeds, information such as a new refresh token and a new token expiry time is also returned to the third-party application.
After step S211, the method may further include:
Step S215: If the match does not succeed, send information that the match did not succeed to the third-party application, and end.
Step S213 may further include:
Returning success information to the third-party application; receiving the token update request sent by the third-party application; and returning a new interim token according to the token update request.
After step S213, the method may further include:
Step S217: After receiving a logout request sent by the third-party application, delete the corresponding identification code stored in memory.
In this step, the identification code may include information such as the ID of the user, the ID of the third-party application and the network address of the third-party application.
In this embodiment, it is determined whether the interim token has expired; if it has, token-expired information is returned to the third-party application and the identification code returned by the third-party application is received; the identification code returned by the third-party application is then matched against the identification code saved in memory, and if the match succeeds, a new interim token is returned to the third-party application. Thus, even when the client browser disallows cookies or the cookie has been cleared by the client user, the interface of the authorization control device can still be called, and the authorization control device accessed, because the identification code sent matches the identification code stored in memory. Tokens can therefore be exchanged automatically at regular intervals, improving the intelligence of the system and the reliability of its operation.
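The Fig. 2 flow (steps S201-S217), together with the requesting side's reaction to token-expired information, sketched as an added example; this is not code from the patent. All class, function and status-string names, the in-memory dictionaries, the injectable clock and the retry after re-exchange are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_EXPIRED = "token_expired"  # assumed wire value for the "token expired" information


@dataclass(frozen=True)
class IdentificationCode:
    """Identification code as described: user ID plus third-party application ID."""
    user_id: str
    app_id: str


class AuthorizationControlDevice:
    """Control-device side of steps S201-S217 (hypothetical class, in-memory storage)."""

    def __init__(self, credentials, token_lifetime=3600.0, clock=time.monotonic):
        self._credentials = credentials  # constructed sample store: user name -> password
        self._lifetime = token_lifetime
        self._clock = clock              # injectable so expiry can be exercised offline
        self._tokens = {}                # interim token -> (code, expiry time)
        self._saved_codes = {}           # identification code -> access time (S203)

    def _issue(self, code):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (code, self._clock() + self._lifetime)
        return {"status": "ok", "token": token, "expires_in": self._lifetime}

    def login(self, username, password, code):
        # S201/S202: authenticate; S205: report failure and stop.
        expected = self._credentials.get(username)
        if expected is None or not secrets.compare_digest(
                expected.encode(), password.encode()):
            return {"status": "auth_failed"}
        # Assumption (not in the patent text): the code must name the authenticated user.
        if code.user_id != username:
            return {"status": "auth_failed"}
        # S203: save the identification code and access time, return an interim token.
        self._saved_codes[code] = self._clock()
        return self._issue(code)

    def call_service(self, token, request):
        # S207: the service invocation request carries the interim token.
        entry = self._tokens.get(token)
        if entry is None:
            return {"status": "invalid_token"}
        code, expiry = entry
        # S209/S210: compare with the expiry time and report expiry to the caller.
        if self._clock() >= expiry:
            del self._tokens[token]
            return {"status": TOKEN_EXPIRED}
        return {"status": "ok", "result": f"{request} for {code.user_id}"}

    def exchange(self, code):
        # S211: the returned code must equal a saved one (user ID and application ID).
        if code not in self._saved_codes:
            return {"status": "match_failed"}  # S215
        return self._issue(code)               # S213: new interim token

    def logout(self, code):
        # S217: delete the saved identification code.
        self._saved_codes.pop(code, None)
        return {"status": "ok"}


def call_with_reexchange(device, session, request):
    """Requesting side: on TOKEN_EXPIRED resend the code, then retry once (assumed)."""
    reply = device.call_service(session["token"], request)
    if reply["status"] != TOKEN_EXPIRED:
        return reply
    renewed = device.exchange(session["code"])
    if renewed["status"] != "ok":
        return renewed
    session["token"] = renewed["token"]
    return device.call_service(session["token"], request)


def demo():
    """Constructed scenario: login, call, expiry with re-exchange, logout, failed match."""
    now = [0.0]
    device = AuthorizationControlDevice(
        {"alice": "correct horse"}, token_lifetime=60.0, clock=lambda: now[0])
    code = IdentificationCode(user_id="alice", app_id="app-123")
    login = device.login("alice", "correct horse", code)
    session = {"code": code, "token": login["token"]}
    before = call_with_reexchange(device, session, "get_profile")["status"]
    old_token = session["token"]
    now[0] = 61.0  # the first interim token has now expired
    after_expiry = call_with_reexchange(device, session, "get_profile")["status"]
    rotated = session["token"] != old_token
    device.logout(code)
    now[0] = 200.0  # the second token has expired and the saved code is gone
    after_logout = call_with_reexchange(device, session, "get_profile")["status"]
    return {"before": before, "after_expiry": after_expiry,
            "rotated": rotated, "after_logout": after_logout}


if __name__ == "__main__":
    print(demo())
```

In this flow a matching identification code is sufficient to obtain a new interim token, so the code has to be transported and stored with the same care as the refresh token it stands in for.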
Fig. 3 is a main block diagram of the authorization control device proposed by an embodiment of the present invention. Referring to Fig. 3, the authorization control device includes: a user information receiving unit 301, a user authentication unit 303, a token returning unit 305, a storage unit 307, a service request receiving unit 309, an expiry information returning unit 311, an update information receiving unit 313 and a token updating unit 315.
The user information receiving unit 301 is configured to receive the user authentication information and identification code sent by the third-party application.
The user authentication unit 303 is configured to perform user authentication according to the user authentication information.
The token returning unit 305 is configured to return an interim token to the third-party application if the user authentication passes.
The storage unit 307 is configured to save the identification code in memory.
The service request receiving unit 309 is configured to receive the service invocation request sent by the third-party application, the service invocation request including the interim token.
The expiry information returning unit 311 is configured to return token-expired information to the third-party application if the interim token has expired.
The update information receiving unit 313 is configured to receive the identification code sent by the third-party application.
The token updating unit 315 is configured to match the identification code sent by the third-party application against the identification code saved in memory and, if the match succeeds, to return a new interim token to the third-party application.
In this embodiment, if the interim token has expired, token-expired information is returned to the third-party application and the identification code returned by the third-party application is received; the identification code returned by the third-party application is then matched against the identification code saved in memory, and if the match succeeds, a new interim token is returned to the third-party application. Thus, even when the client browser disallows cookies or the cookie has been cleared by the client user, the interface of the authorization control device can still be called, and the authorization control device accessed, because the identification code sent matches the identification code stored in memory. Tokens can therefore be exchanged automatically at regular intervals, improving the intelligence of the system and the reliability of its operation.
Fig. 4 is a main block diagram of the authorization control device proposed by another embodiment of the present invention. Fig. 4 is an improvement on Fig. 3. Referring to Fig. 4, the authorization control device includes: a user information receiving unit 401, a user authentication unit 403, a token returning unit 405, a storage unit 407, a service request receiving unit 409, an expiry information returning unit 411, an update information receiving unit 413 and a token updating unit 415.
The user information receiving unit 401 is configured to receive the user authentication information and identification code sent by the third-party application.
The user authentication unit 403 is configured to perform user authentication according to the user authentication information.
In addition, the user authentication unit 403 is further configured to determine whether authentication passes; when the user authentication does not pass, it sends information that authentication did not pass to the third-party application, and if authentication passes, the token returning unit 405 is executed.
The token returning unit 405 is configured to return an interim token to the third-party application if the user authentication passes.
The storage unit 407 is configured to save the identification code in memory.
The service request receiving unit 409 is configured to receive the service invocation request sent by the third-party application, the service invocation request including the interim token.
The expiry information returning unit 411 is configured to return token-expired information to the third-party application if the interim token has expired.
In addition, the expiry information returning unit 411 is further configured to determine whether the interim token has expired. If the interim token has expired, it returns token-expired information to the third-party application; if the interim token has not expired, it continues to check.
The update information receiving unit 413 is configured to receive the identification code sent by the third-party application.
The token updating unit 415 is configured to match the identification code sent by the third-party application against the identification code saved in memory and, if the match succeeds, to return a new interim token to the third-party application.
In addition, the token updating unit 415 is further configured to return success information to the third-party application, receive the token update request sent by the third-party application, and return a new interim token according to the token update request.
In addition, the token updating unit 415 is further configured to return a refresh token to the third-party application if the match succeeds. If the match does not succeed, it sends information that the match did not succeed to the third-party application.
In addition, the storage unit 407 is further configured to also save the access time if the user verification passes.
In addition, the authorization control device may further include a deleting unit 417.
The deleting unit 417 is configured to delete the corresponding identification code stored in memory after a logout request sent by the third-party application is received.
In this embodiment, it is determined whether the interim token has expired; if it has, token-expired information is returned to the third-party application and the identification code returned by the third-party application is received; the identification code returned by the third-party application is then matched against the identification code saved in memory, and if the match succeeds, a new interim token is returned to the third-party application. Thus, even when the client browser disallows cookies or the cookie has been cleared by the client user, the interface of the authorization control device can still be called, and the authorization control device accessed, because the identification code sent matches the identification code stored in memory. Tokens can therefore be exchanged automatically at regular intervals, improving the intelligence of the system and the reliability of its operation.
Fig. 5 is a step flow chart of the authorization request method of the third-party application proposed by an embodiment of the present invention. Referring to Fig. 5, the authorization request method of this embodiment may include the following steps S501-S515:
Step S501: Send user authentication information and an identification code to the authorization control device, which performs user authentication and saves the identification code.
In this step, the authorization control device may be a server, an open platform, a website, etc. The user authentication information may include information such as a user name and a password. The identification code may include information such as the ID of the user, the ID of the third-party application, the network address of the third-party application and the access time.
Step S505: Obtain the interim token returned by the authorization control device after the user authentication passes at the authorization control device.
In this step, information such as the refresh token and the token expiration time returned by the authorization control device may also be obtained after the user authentication passes at the authorization control device.
Step S509: Initiate a service invocation request to the authorization control device using the interim token and receive the information returned by the authorization control device.
In this step, the service invocation request may be a request to call an interface of the authorization control device, such as an API. The information returned by the authorization control device may include token outdated information, the information returned after the service call, etc.
Step S513: If the returned information includes token outdated information, send the identification code to the authorization control device again, and the authorization control device matches the identification code against the identification code it has saved.
In this step, identification code can include the ID of user, first ID applied etc..
Step S515: If the identification code is matched successfully at the authorization control device, receive the new interim token returned by the authorization control device.
In this step, the new refresh token, the new token expiration time, etc. returned by the authorization control device may also be received after the match succeeds at the authorization control device.
In this embodiment of the present invention, if the returned information includes token outdated information, the identification code is sent to the authorization control device again and the authorization control device matches the identification code against the identification code it has saved; if the identification code is matched successfully at the authorization control device, the new interim token returned by the authorization control device is received. Thus, even when the client browser prohibits the use of cookies or the cookies are cleared by the client user, the identification code that is sent can still be matched successfully against the identification code stored in the memory and the interface of the authorization control device can be called to access the authorization control device, so that tokens can be exchanged automatically on a timed basis, which improves the intelligence of the system and the reliability of system operation.
Fig. 6 is a step flow chart of the authorization request method of the third-party application provided by an embodiment of the present invention. Fig. 6 is an improvement on the basis of Fig. 5. Referring to Fig. 6, the authorization request method of this embodiment may include the following steps S601-S615:
Step S601: Send user authentication information and an identification code to the authorization control device, which performs user authentication and saves the identification code.
In this step, the authorization control device may be a server, an open platform, a website, etc. The user authentication information may include information such as a user name and a password. The identification code may include information such as the ID of the user, the ID of the third-party application, the network address of the third-party application and the access time.
The following step may further be included after step S601:
Step S603: Judge whether information that authentication has passed, returned by the authorization control device, has been received; if so, proceed to step S605; if not, end.
Step S605: Obtain the interim token returned by the authorization control device after the user authentication passes at the authorization control device.
In this step, information such as the refresh token and the token expiration time returned by the authorization control device may also be obtained after the user authentication passes at the authorization control device.
Step S605 may further include the following steps:
After receiving the information, returned by the authorization control device, that user authentication has passed, send a token acquisition request to the authorization control device; and receive the interim token returned by the authorization control device.
Step S609: Initiate a service invocation request to the authorization control device using the interim token and receive the information returned by the authorization control device.
In this step, the service invocation request may be a request to call an interface of the authorization control device, such as an API. The information returned by the authorization control device may include token outdated information, the information returned after the service call, etc.
The following step may further be included after step S609:
Step S611: Judge whether the returned information includes information that the interim token has expired; if so, proceed to step S613. If not, continue executing S611.
Step S613: If the returned information includes token outdated information, send the identification code to the authorization control device again, and the authorization control device matches the identification code against the identification code it has saved.
In this step, identification code can include the ID of user, first ID applied etc..
Step S615: If the identification code is matched successfully at the authorization control device, receive the new interim token returned by the authorization control device.
In this step, the new refresh token, the new token expiration time, etc. returned by the authorization control device may also be received after the match succeeds.
In this embodiment of the present invention, it is judged whether the returned information includes information that the interim token has expired. If the returned information includes token outdated information, the identification code is sent to the authorization control device again and the authorization control device matches the identification code against the identification code it has saved; if the identification code is matched successfully at the authorization control device, the new interim token returned by the authorization control device is received. Thus, even when the client browser prohibits the use of cookies or the cookies are cleared by the client user, the identification code that is sent can still be matched successfully against the identification code stored in the memory and the interface of the authorization control device can be called to access the authorization control device, so that tokens can be exchanged automatically on a timed basis, which improves the intelligence of the system and the reliability of system operation.
Fig. 7 is a main block diagram of the authorization request device proposed by an embodiment of the present invention. Referring to Fig. 7, the authorization request device includes: login unit 701, first token acquiring unit 703, service call unit 705, token renewal request unit 707 and second token acquiring unit 709.
Login unit 701 is configured to send user authentication information and an identification code to the authorization control device, which performs user authentication and saves the identification code.
First token acquiring unit 703 is configured to obtain the interim token returned by the authorization control device after the user authentication passes at the authorization control device.
Service call unit 705 is configured to initiate a service invocation request to the authorization control device using the interim token and to receive the information returned by the authorization control device.
Token renewal request unit 707 is configured to send the identification code to the authorization control device again if the information includes token outdated information, and the control device matches the identification code against the identification code it has saved.
Second token acquiring unit 709 is configured to obtain the new interim token returned by the authorization control device if the identification code is matched successfully at the authorization control device.
In addition, first token acquiring unit 803 is further configured to judge whether information that authentication has passed, sent by the authorization control device, has been received; if so, it obtains the interim token returned by the authorization control device. If not, it ends.
In addition, token update request unit 807 is further configured to judge whether the returned information includes token outdated information; if so, the identification code is sent to the authorization control device again so that the control device retrieves the identification code among the identification codes it has saved. If not, it continues to judge.
In this embodiment of the present invention, it is judged whether the returned information includes information that the interim token has expired. If the returned information includes token outdated information, the identification code is sent to the authorization control device again and the authorization control device matches the identification code against the identification code it has saved; if the identification code is matched successfully at the authorization control device, the new interim token returned by the authorization control device is received. Thus, even when the client browser prohibits the use of cookies or the cookies are cleared by the client user, the identification code that is sent can still be matched successfully against the identification code stored in the memory and the interface of the authorization control device can be called to access the authorization control device, so that tokens can be exchanged automatically on a timed basis, which improves the intelligence of the system and the reliability of system operation.
Fig. 8 is a main block diagram of the authorization control system proposed by another embodiment of the present invention. Referring to Fig. 8, the authorization control system includes an authorization request device and an authorization control device. The authorization request device includes login unit 801, first token acquiring unit 803, service call unit 805, token renewal request unit 807 and second token acquiring unit 809. The authorization control device includes user profile receiving unit 851, user authentication unit 853, token returning unit 855, memory cell 857, service request reception unit 859, outdated information returning unit 861, fresh information receiving unit 863 and token updating block 865.
Login unit 801 is configured to send user authentication information and an identification code to user profile receiving unit 851.
User authentication unit 853 is configured to complete user authentication according to the user authentication information.
Token returning unit 855 is configured to return an interim token to first token acquiring unit 803 after the user passes authentication.
Memory cell 857 is configured to store the identification code in the memory after the user passes authentication.
Service call unit 805 initiates a service invocation request to service request reception unit 859 using the interim token.
Outdated information returning unit 861 returns token outdated information to service call unit 805 after the interim token has expired.
Token update request unit 807 sends the identification code to fresh information receiving unit 863 after service call unit 805 receives the token outdated information.
Token updating block 865 matches the identification code sent by token renewal request unit 807 against the identification code saved in the memory and, if the identification code sent by token renewal request unit 807 is matched successfully in the memory, returns a new interim token to second token acquiring unit 809.
In addition, token updating block 865 is configured to return success information to token update request unit 807 after the match succeeds.
In addition, second token acquiring unit 809 requests and receives the new interim token returned by token updating block 865 after token renewal request unit 807 receives the success information.
In addition, token updating block 865 is further configured to return a refresh token to second token acquiring unit 809 if the match is successful.
In addition, the authorization control device further includes delete unit 867, configured to delete the corresponding identification code stored in the memory after receiving the logout request sent by the authorization request device.
In this embodiment of the present invention, outdated information returning unit 861 returns token outdated information to service call unit 805 after the interim token has expired, fresh information receiving unit 863 receives the identification code sent by token renewal request unit 807, and token updating block 865 then matches the identification code sent by token renewal request unit 807 against the identification code saved in the memory; if the identification code sent by token renewal request unit 807 is matched successfully in the memory, a new interim token is returned to second token acquiring unit 809. Thus, even when the client browser prohibits the use of cookies or the cookies are cleared by the client user, the identification code that is sent can still be matched successfully against the identification code stored in the memory and the interface of the authorization control device can be called to access the authorization control device, so that tokens can be exchanged automatically on a timed basis, which improves the intelligence of the system and the reliability of system operation.
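The exchange between the authorization request device and the authorization control device described above, as an added example that is not part of the patent text: a minimal in-memory model of login, service call, expiry, renewal by identification code, and logout. The class and method names, the 60-second lifetime, the status strings, the "|"-joined identification code layout and the sample credentials are all assumptions made for the illustration.

```python
import hmac
import secrets

TOKEN_TTL = 60  # seconds; assumed lifetime, the page gives no value

class FakeClock:
    """Controllable clock so expiry can be shown without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

class AuthorizationControlDevice:
    """Server side: authenticates, issues interim tokens, renews on id-code match."""
    def __init__(self, authenticate, clock):
        self._authenticate = authenticate  # callable(username, password) -> bool
        self._clock = clock
        self._id_codes = {}                # saved identification code -> username
        self._tokens = {}                  # interim token -> (username, expiry)

    def _issue(self, username):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (username, self._clock() + TOKEN_TTL)
        return token

    def login(self, username, password, id_code):
        if not self._authenticate(username, password):
            return {"status": "auth_failed"}
        self._id_codes[id_code] = username      # saved only after authentication
        return {"status": "ok", "token": self._issue(username)}

    def call_service(self, token):
        entry = self._tokens.get(token)
        if entry is None:
            return {"status": "invalid_token"}
        username, expiry = entry
        if self._clock() >= expiry:
            del self._tokens[token]
            return {"status": "token_expired"}  # the token outdated information
        return {"status": "ok", "result": "data for " + username}

    def renew(self, id_code):
        # Match the returned code against each saved code in constant time.
        for saved, username in self._id_codes.items():
            if hmac.compare_digest(saved.encode(), id_code.encode()):
                return {"status": "ok", "token": self._issue(username)}
        return {"status": "match_failed"}

    def logout(self, id_code):
        self._id_codes.pop(id_code, None)       # renewal stops working afterwards
        return {"status": "ok"}

class ThirdPartyApp:
    """Client side: keeps the identification code in its own state, not a cookie."""
    def __init__(self, server, app_id, app_url, clock):
        self.server, self.clock = server, clock
        self.app_id, self.app_url = app_id, app_url
        self.token = self.id_code = None

    def login(self, username, password):
        # Fields named on the page: user ID, application ID, address, access time.
        fields = (username, self.app_id, self.app_url, str(int(self.clock())))
        self.id_code = "|".join(fields)
        reply = self.server.login(username, password, self.id_code)
        self.token = reply.get("token")
        return reply["status"]

    def call(self):
        reply = self.server.call_service(self.token)
        if reply["status"] == "token_expired":
            renewed = self.server.renew(self.id_code)  # re-send the id code
            if renewed["status"] != "ok":
                return renewed["status"]
            self.token = renewed["token"]
            reply = self.server.call_service(self.token)
        return reply["status"]

def demo():
    users = {"alice": "correct horse"}  # constructed sample credentials
    def authenticate(u, p):
        return u in users and hmac.compare_digest(users[u].encode(), p.encode())
    clock = FakeClock()
    server = AuthorizationControlDevice(authenticate, clock)
    app = ThirdPartyApp(server, "app-42", "https://app.example", clock)
    steps = [app.login("alice", "correct horse"), app.call()]
    first_token = app.token
    clock.now += TOKEN_TTL + 1   # interim token expires
    steps.append(app.call())     # expired -> id code re-sent -> new token
    renewed = app.token != first_token
    server.logout(app.id_code)   # logout deletes the saved id code
    clock.now += TOKEN_TTL + 1
    steps.append(app.call())     # no saved code -> renewal refused
    return steps, renewed
```

Because a matching identification code alone yields a new interim token, it serves as the renewal credential in this flow; the example saves it only after authentication succeeds and removes it on logout.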
A person of ordinary skill in the art will understand that all or part of the flows in the methods of the above embodiments can be completed by a computer program controlling the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The above is only a preferred embodiment of the present invention and does not limit the present invention in any form. Although the present invention is disclosed above by way of preferred embodiments, they are not intended to limit the present invention. Any person skilled in the art may, without departing from the scope of the technical solution of the present invention, use the technical content disclosed above to make minor changes or modifications into equivalent embodiments of equivalent variation; any simple modification, equivalent change or modification made to the above embodiments according to the technical essence of the present invention, without departing from the content of the technical solution of the present invention, still falls within the scope of the technical solution of the present invention.

Claims (20)

1. An authentication control method, comprising:
receiving user authentication information and an identification code sent by a third-party application;
performing user authentication according to the user authentication information;
if the user authentication passes, returning an interim token to the third-party application and saving the identification code into a memory;
receiving a service invocation request sent by the third-party application, the service invocation request including the interim token;
if the interim token has expired, returning token outdated information to the third-party application and receiving the identification code returned by the third-party application;
matching the identification code returned by the third-party application against the identification code saved in the memory, and if the identification code returned by the third-party application is matched successfully in the memory, returning a new interim token to the third-party application.
2. The authentication control method as claimed in claim 1, characterized by further comprising:
deleting the corresponding identification code stored in the memory after receiving a logout request sent by the third-party application.
3. The authentication control method as claimed in claim 1, characterized in that, if the identification code returned by the third-party application is matched successfully in the memory, the method includes:
returning success information to the third-party application;
receiving a token renewal request sent by the third-party application;
returning the new interim token according to the token renewal request.
4. The authentication control method as claimed in claim 1, characterized by further comprising: saving the access time if the user authentication passes.
5. The authentication control method as claimed in claim 1, characterized in that the identification code returned by the third-party application is matched against the identification code saved in the memory, and if the identification code returned by the third-party application is matched successfully in the memory, a refresh token is returned to the third-party application.
6. An authorization control device, comprising:
a user profile receiving unit, configured to receive user authentication information and an identification code sent by a third-party application;
a user authentication unit, configured to perform user authentication according to the user authentication information;
a token returning unit, configured to return an interim token to the third-party application if the user authentication passes;
a memory cell, configured to save the identification code into a memory;
a service request reception unit, configured to receive a service invocation request sent by the third-party application, the service invocation request including the interim token;
an outdated information returning unit, configured to return token outdated information to the third-party application if the interim token has expired;
a fresh information receiving unit, configured to receive the identification code sent by the third-party application; and
a token updating block, configured to match the identification code sent by the third-party application against the identification code saved in the memory and, if the identification code returned by the third-party application is matched successfully in the memory, to return a new interim token to the third-party application.
7. The authorization control device as claimed in claim 6, characterized by further comprising a delete unit, configured to delete the corresponding identification code stored in the memory after receiving a logout request sent by the third-party application.
8. The authorization control device as claimed in claim 6, characterized in that the token updating block is configured to:
return success information to the third-party application;
receive a token renewal request sent by the third-party application;
return the new interim token according to the token renewal request.
9. The authorization control device as claimed in claim 6, characterized in that the memory cell is further configured to also save the access time if user verification passes.
10. The authorization control device as claimed in claim 6, characterized in that the token updating block is further configured to return a refresh token to the third-party application if the identification code returned by the third-party application is matched successfully in the memory.
11. An authorization request method of a third-party application, comprising:
sending user authentication information and an identification code to an authorization control device, the authorization control device performing user authentication and saving the identification code;
obtaining an interim token returned by the authorization control device after the user authentication passes at the authorization control device;
initiating a service invocation request to the authorization control device using the interim token and receiving information returned by the authorization control device;
if the information includes token outdated information, sending the identification code to the authorization control device again, the control device matching the identification code against the identification code it has saved; and
if the identification code is matched successfully at the authorization control device, receiving a new interim token returned by the authorization control device.
12. The authorization request method of a third-party application as claimed in claim 11, characterized in that obtaining the interim token returned by the authorization control device after the user authentication passes at the authorization control device includes:
sending a token acquisition request to the authorization control device after receiving the information, returned by the authorization control device, that the user authentication has passed; and
receiving the interim token returned by the authorization control device.
13. The authorization request method of a third-party application as claimed in claim 11, characterized in that, after receiving the new interim token returned by the authorization control device, the method further comprises: sending a token renewal request to the authorization control device, and receiving a refresh token returned by the authorization control device.
14. An authorization request device, comprising:
a login unit, configured to send user authentication information and an identification code to an authorization control device, the authorization control device performing user authentication and saving the identification code;
a first token acquiring unit, configured to obtain an interim token returned by the authorization control device after the user authentication passes at the authorization control device;
a service call unit, configured to initiate a service invocation request to the authorization control device using the interim token and to receive information returned by the authorization control device;
a token update request unit, configured to send the identification code to the authorization control device again if the information includes token outdated information, the control device matching the identification code against the identification code it has saved; and
a second token acquiring unit, configured to obtain a new interim token returned by the authorization control device if the identification code is matched successfully at the authorization control device.
15. The authorization request device as claimed in claim 14, characterized in that the first token acquiring unit is configured to:
send a token acquisition request to the authorization control device after receiving the information, returned by the authorization control device, that the user authentication has passed; and
receive the interim token returned by the authorization control device.
16. The authorization request device as claimed in claim 14, characterized in that the second token acquiring unit is further configured to receive a refresh token returned by the authorization control device if the identification code is matched successfully at the authorization control device.
17. An authorization control system, comprising an authorization request device and an authorization control device;
the authorization request device includes a login unit, a first token acquiring unit, a service call unit, a token renewal request unit and a second token acquiring unit;
the authorization control device includes a user profile receiving unit, a user authentication unit, a token returning unit, a memory cell, a service request reception unit, an outdated information returning unit, a fresh information receiving unit and a token updating block;
the login unit is configured to send user authentication information and an identification code to the user profile receiving unit;
the user authentication unit is configured to complete user authentication according to the user authentication information;
the token returning unit is configured to return an interim token to the first token acquiring unit after the user passes authentication;
the memory cell is configured to store the identification code in a memory after the user passes authentication;
the service call unit initiates a service invocation request to the service request reception unit using the interim token;
the outdated information returning unit returns token outdated information to the service call unit after the interim token has expired;
the token renewal request unit sends the identification code to the fresh information receiving unit after the service call unit receives the token outdated information;
the token updating block matches the identification code sent by the token renewal request unit against the identification code saved in the memory and, if the identification code sent by the token renewal request unit is matched successfully in the memory, returns a new interim token to the second token acquiring unit.
18. The authorization control system as claimed in claim 17, characterized in that the authorization control device further includes a delete unit, configured to delete the corresponding identification code stored in the memory after receiving a logout request sent by the authorization request device.
19. The authorization control system as claimed in claim 17, characterized in that the token updating block is configured to return success information to the token renewal request unit after the match succeeds;
the second token acquiring unit requests and receives the new interim token returned by the token updating block after the token renewal request unit receives the success information.
20. The authorization control system as claimed in claim 17, characterized in that the token updating block is further configured to return a refresh token to the second token acquiring unit if the match is successful.
CN201210275220.6A 2012-08-03 2012-08-03 Authentication control method and device and system, authorization requests method and device Active CN103581140B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210275220.6A CN103581140B (en) 2012-08-03 2012-08-03 Authentication control method and device and system, authorization requests method and device


Publications (2)

Publication Number Publication Date
CN103581140A CN103581140A (en) 2014-02-12
CN103581140B true CN103581140B (en) 2018-02-27

Family

ID=50052077

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210275220.6A Active CN103581140B (en) 2012-08-03 2012-08-03 Authentication control method and device and system, authorization requests method and device

Country Status (1)

Country Link
CN (1) CN103581140B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109787984A (en) * 2019-01-24 2019-05-21 北京亿幕信息技术有限公司 A kind of third party authorizes token management method and system

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10404699B2 (en) * 2014-02-18 2019-09-03 Oracle International Corporation Facilitating third parties to perform batch processing of requests requiring authorization from resource owners for repeat access to resources
CN105323222B (en) * 2014-07-11 2018-08-24 博雅网络游戏开发(深圳)有限公司 Login validation method and system
CN104113549B (en) * 2014-07-28 2017-07-18 百度在线网络技术(北京)有限公司 A kind of platform authorization method, platform service end and applications client and system
CN106209735A (en) * 2015-04-30 2016-12-07 中国移动通信集团公司 A kind of information processing method, device and Electronic Health Record system
CN104980925B (en) * 2015-06-01 2019-05-28 走遍世界(北京)信息技术有限公司 The authentication method and device of user's request
CN105072608B (en) * 2015-06-30 2019-02-12 青岛海信移动通信技术股份有限公司 A kind of method and device of administrative authentication token
CN106341234B (en) * 2015-07-17 2020-09-11 华为技术有限公司 Authorization method and device
CN106850392B (en) * 2015-12-04 2020-06-02 腾讯科技(深圳)有限公司 Message processing method and device and message receiving method and device
CN106506498B (en) * 2016-11-07 2020-07-28 安徽四创电子股份有限公司 Data call authorization authentication method between systems
CN107528843A (en) * 2017-08-24 2017-12-29 山东浪潮通软信息科技有限公司 The processing method and processing unit of a kind of network request
CN107920063A (en) * 2017-11-07 2018-04-17 杭州安恒信息技术有限公司 A kind of method of online updating tokenID
CN110061952B (en) * 2018-01-19 2021-08-06 腾讯科技(深圳)有限公司 Information processing method, information processing apparatus, storage medium, and electronic apparatus
CN108768991B (en) * 2018-05-18 2020-08-04 阿里巴巴集团控股有限公司 Real person authentication method and system
CN109688156A (en) * 2019-01-10 2019-04-26 浪潮软件股份有限公司 It is a kind of for the HTTP Token authentication method of CMSP and connection method
CN112491778A (en) * 2019-09-11 2021-03-12 北京京东尚科信息技术有限公司 Authentication method, device, system and medium
CN111538966B (en) * 2020-04-17 2024-02-23 中移(杭州)信息技术有限公司 Access method, access device, server and storage medium
CN113190808A (en) * 2021-03-31 2021-07-30 北京达佳互联信息技术有限公司 Login method, login device, electronic equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102394887A (en) * 2011-11-10 2012-03-28 杭州东信北邮信息技术有限公司 OAuth protocol-based safety certificate method of open platform and system thereof
CN102546532A (en) * 2010-12-07 2012-07-04 中国移动通信集团公司 Capacity calling method, capacity calling request device, capacity calling platform and capacity calling system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8819424B2 (en) * 2010-09-30 2014-08-26 Microsoft Corporation Token-based authentication using middle tier

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546532A (en) * 2010-12-07 2012-07-04 中国移动通信集团公司 Capacity calling method, capacity calling request device, capacity calling platform and capacity calling system
CN102394887A (en) * 2011-11-10 2012-03-28 杭州东信北邮信息技术有限公司 OAuth protocol-based safety certificate method of open platform and system thereof

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Oauth Web Authorization Protocol;Barry Leiba;《IEEE Internet Computing》;20120109;第6卷(第1期);全文 *
基于OAuth2.0的认真授权技术;时子庆;《计算机系统应用》;20120315;第21卷(第3期);全文 *
基于国内开放平台的Oauth认证框架研究;刘镝;《信息通信技术》;20111231;全文 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109787984A (en) * 2019-01-24 2019-05-21 北京亿幕信息技术有限公司 Third-party authorization token management method and system

Also Published As

Publication number Publication date
CN103581140A (en) 2014-02-12

Similar Documents

Publication Publication Date Title
CN103581140B (en) Authentication control method and device and system, authorization requests method and device
CN104980412B (en) Application client, server and corresponding portal authentication method
CN106134143B (en) Method, apparatus and system for dynamic network access-in management
JP6908288B2 (en) Systems and methods for connecting dissimilar computer processors via standard interfaces
US10805301B2 (en) Securely managing digital assistants that access third-party applications
US20220338964A9 (en) Securely managing digital assistants that access third-party applications
CN107426168A (en) Secure network access processing method and device
US11856028B2 (en) Systems and methods for in-session refresh of entitlements associated with web applications
US11128625B2 (en) Identity management connecting principal identities to alias identities having authorization scopes
CN104580074B (en) The login method of client application and its corresponding server
EP3185513A1 (en) Service processing method, apparatus and server
US10148605B2 (en) Method for processing invitation information and service server, mobile communication terminal and computer-readable recording medium for performing the same
JP2006502496A (en) Method and system for communicating in a client-server network
CN102413151B (en) Network resource sharing method and system
CN108200099A (en) Mobile application, personal status relationship management
CN106096343A (en) Message access control method and equipment
WO2015180530A1 (en) Information processing device and method for service handling
CN103269349A (en) Social log-in method, system and device
CN106933871A (en) Short linking processing method, device and short linked server
EP3306904B1 (en) System and method for automatic recharging of a virtual resource
CN108280237B (en) Gray scale publishing method, device and system and computer storage medium
CN105612731B (en) It may have access to application state across accredited and untrusted platform roaming internet
CN109669718A (en) System permission configuration method, device, equipment and storage medium
CN106209727B (en) Session access method and device
CN101764808A (en) Authentication processing method and system for automatic login as well as server

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant