CN105099704A - Biometric identification-based OAuth service - Google Patents


Info

Publication number: CN105099704A
Authority: CN (China)
Prior art keywords: terminal, user, oauth, information, mode
Legal status: Granted
Application number: CN201510493553.XA
Other languages: Chinese (zh)
Other versions: CN105099704B (en)
Inventor: 顾健
Current assignee: Shanghai Bolu Information Technology Co Ltd
Original assignee: Shanghai Bolu Information Technology Co Ltd

Application filed by Shanghai Bolu Information Technology Co Ltd
Priority to CN201510493553.XA
Publication of CN105099704A
Application granted
Publication of CN105099704B
Legal status: Active

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a biometric identification-based OAuth service comprising a terminal module, a system OAuth service and a third-party application, among others. A user registers on a system service platform that provides OAuth, registering a user account, biometric identification information and a terminal for authorization; the platform opens the OAuth service to the outside. When the user accesses a third-party application, the user chooses to log in and authorize through the OAuth service; the system routes the login request to the terminal the user specified and prompts the user to authorize. If the user agrees, biometric identification is performed on the terminal to acquire the user's biometric information and to judge whether it belongs to the user; if the user refuses, refusal is selected directly. After the system service platform obtains the user's identification result or refusal, it indicates to the third-party application platform whether login is allowed or refused. By extending the OAuth service to heterogeneous terminals and using their biometric identification capability, a convenient OAuth service experience is provided to the user.

Description

Biometric identification-based OAuth service
Technical field
The present invention relates to the field of Internet and mobile communication terminal technology, and in particular to a biometric identification-based OAuth service.
Background technology
The development of Internet technology, and in particular of mobile communication technology and intelligent terminals, makes a biometric identification-based OAuth service feasible.
With the growth of the wired and wireless Internet, the number of applications keeps increasing. Users must log in to many different applications and usually must register with each one separately; this is tedious, and the many usernames and passwords are hard to remember.
OAuth improves this: when logging in to a third-party application, a user can choose OAuth and access the application through it, without registering with the third party, by directly authorizing the application to obtain the user's profile.
However, OAuth still requires the user to log in to the OAuth service platform, entering a username and password on the OAuth authorization interface each time. Using a username and password still carries a security risk, and typing them by hand leaves room for improvement in both security and user experience. Furthermore, the OAuth service is usually carried out within the same software environment on the same terminal device; authorization cannot cross platforms and software environments, and the portability and integrated biometric capabilities of mobile terminals cannot be used to identify the user.
As biometric technology matures it is being integrated into terminals. Best known to users is the fingerprint recognition of the iPhone, which lets a user unlock the device very conveniently; iris recognition, vein recognition and other biometric technologies are maturing as well and are gradually being integrated into intelligent terminals. Yet their main application today is only unlocking the phone. This is too narrow a range of application, and biometric technology is not yet well exploited.
By moving the OAuth authorization step onto heterogeneous mobile intelligent terminals, and using terminals with biometric functions (fingerprint, vein, iris and other modes) to capture the user's biometric information, identify the user from it and use the recognition result as the authorization, the number of times a user must type a username and password in the traditional OAuth flow is reduced or eliminated, and the limitation that OAuth cannot authorize across devices is overcome. The user can authorize a third-party application by recognizing his or her own biometric features on a mobile terminal, which greatly eases the use of third-party applications.
In view of this, the object of the invention is to propose a simple biometric identification-based OAuth service that combines the Internet and intelligent terminals.
Summary of the invention
A biometric identification-based OAuth service comprises the following steps:
1) the user registers on the OAuth system service platform;
2) the system service platform opens the OAuth service to the outside;
3) the user accesses a third-party application and chooses to authorize through the OAuth system service platform;
4) the OAuth system service platform determines the target intelligent terminal that will provide the authorization;
5) the OAuth system service platform routes the user's authorization request to the target intelligent terminal;
6) on the intelligent terminal the user chooses whether to agree to authorize; if the user agrees, the terminal captures biometric information; if the user refuses or takes no action, this counts as refusing authorization;
7) from the captured and recognized result, the system determines whether the biometric information belongs to a registered user; after the system service platform obtains the user's recognition result or the refusal, it indicates the corresponding authorization result to the third-party application platform.
The biometric identification-based OAuth service method thus provides a strong guarantee for the business development of convenient application access and authorization, meets users' requirements in all respects, and improves the user experience.
To achieve the above object, one aspect of the present invention provides a method for a biometric identification-based OAuth service, comprising:
Registration comprises user registration and terminal registration.
First, the user registers user information and terminal information on the OAuth system service platform. The system stores the user registration information, including username, password, sex and the other personal information collected under conventional registration modes, and generates a system-wide unique user ID. The password serves as an auxiliary means for user login and device login to the OAuth platform; the user can still log in to the OAuth service platform with a traditional username and password.
Second, the user's biometric information is captured by the client terminal: one or more of fingerprint, vein, iris and whatever other biometric information the terminal supports and can capture. According to the system security level and the user's settings, the captured biometric information is processed and then stored; the storage location can be the terminal device, the system, or both. This stored data serves as the basis for identifying the user.
Terminal registration means that the user logs in to the system platform on the terminal device with the registered user account; the terminal's identifying feature information is collected and stored in the system, and descriptive information for the terminal is set. The user can register one or more terminal devices for authorization. After registration, the user account and the registered terminal devices are bound, and the terminal is logged in to the system and operates under the registered user's account name.
In an embodiment of the biometric identification-based OAuth service provided by the invention, the method further comprises:
The system service platform opens the OAuth service; third-party applications connect to the platform's OAuth service and offer OAuth as an access option. The user requests authorization via OAuth on the third-party application's interface; the third-party application jumps to the authorization interface provided by the OAuth service platform; and the OAuth service platform then determines the target terminal device to which the request message is routed.
After the user chooses to authorize through the OAuth platform, the third-party application jumps to the OAuth interface, where the routed message and the target terminal that provides the authorization are determined. Determination modes comprise a manual mode and an automatic mode.
Manual mode comprises text search and wireless search. In text search the user types descriptive text: the target terminal's descriptive feature information, the associated account name, the terminal's access coding, or any other description of the terminal or of user features. The terminal's access coding is a numeric code that the system assigns uniquely to the terminal and maps to the terminal's unique feature information within the system, so the user can find the terminal simply by entering a number; this simplifies terminal discovery. The system searches for the text the user entered and lists the terminals matching the description or running under the entered account name; the user picks from the search results or from the history list of previously used terminals.
Wireless search comprises search over NFC, Bluetooth, WiFi or WiFi-Direct, and DLNA. A terminal outside short-range wireless reach or offline cannot be found and is shown as unavailable in the historical search record. On first use the user must locate an available terminal by wireless or text search. Depending on the terminal's access security settings, if the terminal is configured to require an access code, the user enters the access code to connect to it. The information of a terminal that was connected successfully can be stored in the third-party application client so that it can be picked directly from the history terminal list the next time.
Automatic mode means the user has configured and saved the target terminal's connection information, such as the access code mentioned above, and designated a found or specified terminal as a trusted terminal device. The OAuth platform then automatically tries to connect to and verify that terminal device; when the terminal's connection security settings are satisfied and the terminal device is verified as one registered in the system, the platform connects automatically and forwards the request message to the terminal.
The system routes the user's login request to the terminal the user specifies. Having determined the target terminal that provides the authorization function, the system tries to connect to it and forward the authorization request message. If the message is not forwarded successfully within the forwarding validity period the system specifies, the forward fails. The user can configure and select several terminals; when forwarding to the first terminal fails, the request is forwarded in order to the next terminal in the user's list, until forwarding succeeds or all attempts fail.
After the authorization request message is successfully routed to the terminal the user set, the terminal alerts the user, for example by displaying a notification, vibrating or playing a sound, and prompts the user to choose whether to agree to authorize. If the user agrees, the terminal captures the user's biometric information, which is then verified according to the preset verification mode, either locally on the terminal or by sending it to the server, to check whether it is the biometric information of the registered user corresponding to this terminal. If the user performs no authorization operation on the terminal within the validity period of the authorization request message, the authorization is refused directly; failed verification or failure to capture the user's biometric information also results in refusal.
In an embodiment of the biometric identification-based OAuth service provided by the invention, the method further comprises:
According to the system's data-processing settings, the captured biometric data of the registered user is processed; processing modes include hashing, encryption, digital signatures and other modes that are irreversible and preserve uniqueness. The processed data is stored on the capturing terminal or uploaded to and stored on the system platform as the basis for verifying the user's biometric information, and the user's biometric data is bound and mapped to the system's user ID.
In an embodiment of the biometric identification-based OAuth service provided by the invention, the method further comprises:
The user can register and bind one or more terminals as authorization terminals. Binding obtains the terminal's hardware feature identifiers and maps them to the user account; whether the same account may be logged in on several devices at once is configurable. Hardware feature identifiers include the device serial number, MAC address, IMEI or MEID, SIM card serial number and other unique hardware identifiers of the terminal. After the user has successfully selected an authorization terminal and authorized through it, the terminal information can be stored in the third-party application's client and in the system; the next time the user needs to authorize, this terminal appears in the history terminal list and can be selected directly as the target terminal. The user can also delete stored terminal information.
The terminal captures biometric information, which is verified, depending on the system security settings, either on the terminal or in the system, to check whether it is the biometric information of the registered user corresponding to this terminal. Verification applies the same data-processing method used at registration to the captured biometric information and compares the result with the stored verification data to obtain the corresponding registered user information; it then checks whether the capturing terminal device is one bound under that registered user's account. Verification passes only when both comparisons agree. A combination of several identifying inputs can also be verified, and the combination is ordered: both the recognition result of each biometric input and the order in which they were presented serve as the identifying basis, and verification passes only if the results and their order all match. This further improves the security of verification.
The service specifically has the following advantages:
Convenience:
By incorporating mobile terminals, and using their portability and built-in biometric recognition capability, the scope of traditional OAuth authorization is extended from the PC to the mobile terminal. As long as the user has registered a profile on the OAuth platform, the user can conveniently authorize third-party applications with a biometric mode such as fingerprint, vein or iris, avoiding the trouble of registering with each application separately and entering a username and password at every login.
Security:
The user's biometric information is processed so that the original data is no longer stored; the terminal or system keeps only the processed biometric data, which cannot be reversed, so security is guaranteed.
Second, the user logs in without entering a username and password, authorizing and logging in by a biometric mode such as fingerprint instead. This reduces or avoids the theft of usernames and passwords and greatly improves the user's security across applications.
The description of the invention is provided by way of example and for illustration, and is not exhaustive or intended to limit the invention to the forms disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described to best explain the principles of the invention and its practical application, and to enable those of ordinary skill in the art to understand the invention and devise various embodiments with various modifications suited to particular uses.
Description of the drawings
The drawings described herein provide a further understanding of the invention and form part of this application; the schematic embodiments and their description serve to explain the invention and do not improperly limit it. In the drawings:
Fig. 1 is a schematic diagram of the network structure of the system.
Fig. 2 is a schematic diagram of the module structure of the system.
Fig. 3 is a schematic flow diagram of user registration.
Fig. 4 is a schematic flow diagram of terminal selection.
Fig. 5 is a schematic flow diagram of the OAuth business process.
Embodiment
The invention is described more fully below with reference to the drawings, in which exemplary embodiments are shown.
To achieve the above object, a biometric identification-based OAuth service is proposed.
Embodiments of the invention are described below with reference to the drawings.
The key points in implementing the biometric identification-based OAuth service are as follows:
Biometric data processing and mapping:
Depending on the security level setting, the biometric identification data read from the user is, as a rule, not stored in its original form; after processing it is stored on the terminal or uploaded to the system for storage. The processed data is mapped one-to-one to the information that uniquely identifies the user in the system, including the user ID and username.
Data processing modes include hashing, encryption and digital signatures. The processing must be irreversible, so that the original data cannot be restored, while preserving the uniqueness of the data within the system.
User and terminal registration:
The user registers in the system and provides registration information, and the client terminal collects the user terminal device's feature information, including the device serial number, IMEI, terminal number and other unique identifying feature data of the terminal. After the system verifies the user, this information is stored in the system and mapped and associated with the user's profile.
Determining the target authorization device:
First, the user must register the device in the system. The system obtains the identifying feature information of the user's designated device, the device's name and the bound user account information, and stores them after device registration. The terminal then operates under the bound user account, and the system binds the terminal's hardware feature identifiers to the user account information.
Before using the service, the user registers the terminals that may authorize and names each of them. A unique title such as a mobile phone number can be used, for example My_IPHONE_13900215678; the name is unique in the system, like a username, and the user can later find the terminal by searching for its name.
After successful terminal registration, the system also assigns the terminal a numeric code as a shortcut for searching for it. This terminal code is bound to the terminal name and to the terminal's unique identifying feature information, such as its MAC address, so the user can find the terminal device simply by entering the access coding. This greatly simplifies the process of specifying a device.
Once user and terminal registration have succeeded and the user chooses to authorize via the OAuth service, the system, upon obtaining the authorization request message from the third-party application platform, must determine the destination of the routed message, that is, the target authorization device.
The target authorization device can be determined by text or account-name search, by short-range wireless search, or by selecting a terminal from the historical search list.
In text-entry mode, before first use the user enters text on the OAuth service interface embedded in the third-party application, comprising the information of a device that may authorize, such as the device name, the mapped user account information, or the access coding the system gave the terminal. After entry the system searches for devices matching the search condition; the user selects a device among the matches and requests a connection to it, and the system forwards the authorization request message to it.
To simplify searching and connecting, the terminal's access coding can also be used. The access coding is a numeric code the system assigns to the terminal, unique within the system for each terminal. The system maps and binds it to the terminal's various unique feature information, such as the hardware MAC address, through which the terminal's dynamic connection information, such as its IP address, can be found; once dynamic connection information such as the IP address is found, a connection can be initiated or a message sent directly to the terminal. By simply entering a numeric code, the user greatly simplifies discovering and connecting to a terminal in manual connection mode, which improves the user experience.
The search mode can also search by user account, finding the terminal devices registered under that account name rather than searching for terminal information as such.
The system can also search for nearby devices by short-range wireless means, including Bluetooth, NFC, WIFI or WIFI-Direct, DLNA and other short-range wireless or wireless device positioning and search techniques; the user selects a device among those found and requests a connection, and the system forwards the authorization request message to it.
Depending on the user's security level setting, the user can also specify an access code for connecting to this terminal device. The access code is distinct from the access coding: it is equivalent to a password for connecting to the terminal. When the system intends to connect to the device, the user must enter the access code on the system service platform's OAuth interface; otherwise the terminal device refuses the system's connection and the message. The mobile terminal can also be set to require no access code, in which case the system connects to it directly. Alternatively, the system stores the access code the user has used and supplies it automatically when connecting to the device again, without user input. Alternatively, trusted message sources and destinations can be specified, for example by designating the user's device running the third-party application client and a specific terminal device as trusted devices; the trust mode includes comparing and verifying hardware feature values of the client device and the terminal device. The client device, the system and the mobile terminal device then trust one another: a message the mobile terminal receives that originates from a request sent by that device is regarded as trusted, and messages the user directs to this device are forwarded straight to the mobile device without verifying an access code.
By designating trusted devices and storing access codes, the terminal can log in to the system automatically and stay logged in for the validity period the system specifies, without logging in every time. When the terminal is online, messages forwarded by the system can be routed directly to the device without being held in the system to wait for the terminal to come online. When the user's own devices and environment are secure and controlled, this can be the default mode, for the user's convenience.
The connection information of previously used devices is stored on the third-party application's client device with a certain validity period; within it, when the user needs to specify the device again, the user can select it directly without searching again.
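The terminal discovery and connection rules above (text or account search, the numeric access coding as a shortcut, the access code as a connection password, trusted client devices and remembered codes) as an added example; this is illustrative code, not the patent's implementation. The in-memory registry, the sample terminals and the hardware identifiers are constructed, and the access code is compared in constant time as an assumption of how the platform would check it.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Terminal:
    """A registered authorisation terminal (constructed record, not the patent's schema)."""
    name: str                      # user-chosen, unique in the system (page: like a username)
    account: str                   # registered account the terminal is logged in under
    access_coding: str             # system-assigned unique numeric shortcut
    hardware_id: str               # e.g. MAC or IMEI; constructed value here
    online: bool = True
    access_code: Optional[str] = None          # None = terminal configured to need no access code
    trusted_clients: Set[str] = field(default_factory=set)   # client devices this terminal trusts


class TerminalRegistry:
    """System-side index of registered terminals, searchable the ways the page lists."""

    def __init__(self) -> None:
        self._by_name: Dict[str, Terminal] = {}
        self._by_coding: Dict[str, Terminal] = {}

    def register(self, t: Terminal) -> None:
        # Both the name and the access coding must be unique within the system.
        if t.name in self._by_name or t.access_coding in self._by_coding:
            raise ValueError("terminal name and access coding must be unique")
        self._by_name[t.name] = t
        self._by_coding[t.access_coding] = t

    def search_text(self, text: str) -> List[Terminal]:
        """Text search: match the typed text against terminal names (substring) or an account name
        (exact), returning terminals in registration order."""
        needle = text.lower()
        return [t for t in self._by_name.values()
                if needle in t.name.lower() or needle == t.account.lower()]

    def by_access_coding(self, coding: str) -> Optional[Terminal]:
        """Shortcut lookup by the numeric access coding the system assigned."""
        return self._by_coding.get(coding)


def connect(terminal: Terminal, client_device_id: str,
            supplied_code: Optional[str], saved_codes: Dict[str, str]) -> str:
    """Decide whether the platform may connect to the terminal and forward the request.

    Returns 'offline', 'connected' or 'access_code_required'. The check order follows the page:
    an offline terminal is unreachable; a terminal with no access code, or a trusted client
    device, connects directly; otherwise the supplied or remembered access code must match.
    """
    if not terminal.online:
        return "offline"
    if terminal.access_code is None or client_device_id in terminal.trusted_clients:
        return "connected"
    code = supplied_code if supplied_code is not None else saved_codes.get(terminal.name)
    if code is not None and hmac.compare_digest(code.encode(), terminal.access_code.encode()):
        saved_codes[terminal.name] = code     # remembered for the history list (page: saved in the client)
        return "connected"
    return "access_code_required"


# Constructed sample registry used by the checks below.
REGISTRY = TerminalRegistry()
REGISTRY.register(Terminal("My_PHONE_A", "alice", "1001", "hw-aaaa", access_code="4321"))
REGISTRY.register(Terminal("My_TABLET_A", "alice", "1002", "hw-bbbb", online=False))
REGISTRY.register(Terminal("Bobs_PHONE", "bob", "2001", "hw-cccc",
                           access_code="9999", trusted_clients={"laptop-bob"}))


def demo_connect_sequence() -> List[str]:
    """Walk the page's first-use flow on the constructed registry: no code, wrong code,
    right code, then the remembered code on the next use."""
    saved: Dict[str, str] = {}
    phone = REGISTRY.by_access_coding("1001")
    return [connect(phone, "laptop-alice", None, saved),
            connect(phone, "laptop-alice", "0000", saved),
            connect(phone, "laptop-alice", "4321", saved),
            connect(phone, "laptop-alice", None, saved)]
```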
When a user chooses to perform OAuth by biometric recognition on an intelligent terminal, the system looks for the terminal devices the user designated at platform registration as able to authorize, by comparing the hardware device feature data found, or searches for terminals running under the currently designated user account. The terminal information the user selects each time is stored in the system and on the device from which the user accesses the third-party application, including the terminal's name and feature information, so the user can select it directly next time. If the selected device is not logged in, it cannot be used.
Second, if the user specifies that authorization may only take place on a particular terminal, only an online intelligent terminal matching that terminal's features is looked for. If the system finds that terminal offline, it sends the notification message in offline mode: the message is placed in an outbox and held temporarily for a validity period the system specifies, and the user's terminal receives it when it comes online within that period; or the system sends a login prompt, for example an SMS to the registered terminal number, asking the user to log in on the terminal. Otherwise the terminal cannot be used.
After determining the target terminal, the system tries to connect to it and route the message.
Message routing:
After successfully finding and connecting to the authorization device the user specified, the system forwards the message, that is, routes it: the authorization request message forwarded from the third-party application the user is accessing is routed to this device, and after the device receives the authorization message pushed by the system, it prompts the user to perform the authorization operation.
The notification message has a validity period, and the user's operation is effective only within the preset validity period. If the terminal the user specified does not come online within the validity period and the message times out, the message becomes invalid and the system refuses any user operation based on it.
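The routing behaviour described above and in the forwarding and offline-mode passages (ordered fallback across the user's terminal list, a forwarding validity period, an outbox for offline terminals, and a notification validity window on the terminal) as an added example; this is illustrative code, not the patent's implementation. The push channel is modelled by a constructed reachability record, and the clock values in the demo are constructed so the windows can be checked deterministically.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuthRequest:
    request_id: str
    user_id: str
    issued_at: float        # seconds; constructed clock values are used in demo()
    validity_s: float       # the notification's validity period (page: preset by the system)

    def expired(self, now: float) -> bool:
        return now > self.issued_at + self.validity_s


@dataclass
class TerminalLink:
    """Reachability of one registered terminal; a constructed stand-in for the push channel."""
    terminal_id: str
    online: bool
    ack_latency_s: float    # how long the terminal takes to acknowledge the forwarded message


def forward(link: TerminalLink, forward_validity_s: float) -> bool:
    """A forward succeeds only if the terminal is reachable and acknowledges within the
    forwarding validity period the system specifies (page: otherwise the forward fails)."""
    return link.online and link.ack_latency_s <= forward_validity_s


def route_request(req: AuthRequest, links: List[TerminalLink],
                  forward_validity_s: float, outbox: List[AuthRequest]) -> Optional[str]:
    """Try the user's terminals in the order the user configured, stopping at the first success.
    If every forward fails, the request is held in the outbox (the page's offline mode)."""
    for link in links:
        if forward(link, forward_validity_s):
            return link.terminal_id
    outbox.append(req)
    return None


def drain_outbox(outbox: List[AuthRequest], links: List[TerminalLink], now: float,
                 forward_validity_s: float) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Retry held requests when terminals come online. Requests past their validity period are
    dropped instead of delivered, since the system refuses any later action on them."""
    delivered: List[Tuple[str, str]] = []
    dropped: List[str] = []
    remaining: List[AuthRequest] = []
    for req in outbox:
        if req.expired(now):
            dropped.append(req.request_id)
            continue
        target = route_request(req, links, forward_validity_s, remaining)  # failures stay held
        if target is not None:
            delivered.append((req.request_id, target))
    outbox[:] = remaining
    return delivered, dropped


def terminal_decision(req: AuthRequest, now: float, consented: Optional[bool]) -> str:
    """Terminal side: consent counts only inside the validity window; no action (None) and an
    explicit refusal both mean the authorization is refused."""
    if req.expired(now):
        return "expired"
    return "consented" if consented else "refused"


def demo() -> dict:
    """Constructed scenario: the phone is offline at first and the tablet acknowledges too slowly,
    so the request is held; the phone then comes online and receives it before expiry."""
    req = AuthRequest("req-1", "alice", issued_at=1_000.0, validity_s=120.0)
    links = [TerminalLink("phone", online=False, ack_latency_s=0.5),
             TerminalLink("tablet", online=True, ack_latency_s=3.0)]
    outbox: List[AuthRequest] = []
    first = route_request(req, links, forward_validity_s=1.0, outbox=outbox)
    links[0].online = True
    delivered, _ = drain_outbox(outbox, links, now=1_030.0, forward_validity_s=1.0)
    late = AuthRequest("req-2", "alice", issued_at=500.0, validity_s=60.0)   # already stale
    outbox.append(late)
    _, dropped_late = drain_outbox(outbox, links, now=1_030.0, forward_validity_s=1.0)
    return {"first": first, "delivered": delivered, "dropped_late": dropped_late,
            "outbox_empty": len(outbox) == 0,
            "in_window": terminal_decision(req, 1_050.0, True),
            "no_action": terminal_decision(req, 1_050.0, None),
            "too_late": terminal_decision(req, 1_200.0, True)}
```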
User profile verification:
After the terminal receives the authorization request message forwarded by the system, it alerts the user to authorize in various ways, including vibration and sound. Once the user has seen the message and decides to authorize, the terminal captures one or more of the user's biometric features and, according to the system security settings, identifies and compares them on the terminal or uploads them to the system for identification and comparison. The comparison can be of a single biometric input or of several recognition results in a prescribed order, for example comparing a single finger, or comparing the index finger and then the thumb in that order. From the recognition result the terminal verifies whether the result belongs to a terminal device registered under a registered user's account, and sends an authorization success or authorization failure message accordingly.
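The verification logic described here and in the earlier data-processing and verification passages (irreversible processing applied identically at registration and verification, ordered multi-sample comparison, and the check that the capturing terminal is bound to the registered user) as an added example; this is illustrative code, not the patent's implementation. It assumes the terminal's matcher yields a stable template token per finger, which the page's hash-and-compare scheme requires, and it picks a keyed hash (HMAC-SHA256 with a per-user key) as the processing mode; the sample templates, key and IMEI value are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Sequence, Set


def process_template(user_key: bytes, raw_template: bytes) -> str:
    """Irreversible processing applied identically at enrolment and at verification
    (a keyed hash; the page lists hashing, encryption and signing as admissible modes).
    Only this digest is kept; the raw sample is discarded after processing."""
    return hmac.new(user_key, raw_template, hashlib.sha256).hexdigest()


@dataclass
class Enrolment:
    """What the verifier (terminal or system) stores for one registered user."""
    user_id: str
    user_key: bytes                 # per-user processing key; constructed value below
    terminal_ids: Set[str]          # hardware identifiers bound under this account
    sequence: List[str] = field(default_factory=list)   # ordered digests, e.g. [index, thumb]


def enrol(user_id: str, user_key: bytes, terminal_ids: Sequence[str],
          raw_templates: Sequence[bytes]) -> Enrolment:
    """Registration: process each captured sample and bind the digests to the user and terminals."""
    digests = [process_template(user_key, t) for t in raw_templates]
    return Enrolment(user_id, user_key, set(terminal_ids), digests)


def verify(enr: Enrolment, terminal_id: str, captured: Sequence[bytes]) -> bool:
    """The page's two comparisons: (1) recompute digests for the captured samples and compare
    them in order, so the right fingers in the wrong order fail; (2) confirm the capturing
    terminal is one bound under the registered user's account."""
    if len(captured) != len(enr.sequence):
        return False
    for expected, sample in zip(enr.sequence, captured):
        if not hmac.compare_digest(expected, process_template(enr.user_key, sample)):
            return False
    return terminal_id in enr.terminal_ids


def authorization_result(enr: Enrolment, terminal_id: str, captured: Sequence[bytes],
                         consented: bool, within_validity: bool) -> str:
    """Outcome sent back to the platform. Refusal, no action inside the validity period,
    a failed capture and a failed verification all end in 'authorization failed'."""
    if not within_validity or not consented or not captured:
        return "authorization failed"
    return "authorization success" if verify(enr, terminal_id, captured) else "authorization failed"


# Constructed enrolment: two ordered samples (index finger, then thumb) bound to one terminal.
DEMO = enrol("user-1", b"constructed-per-user-key", ["IMEI-0001"],
             [b"template:index-finger", b"template:thumb"])
```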
The structure and flows of the system are described below.
As shown in Figure 1, the topology of an OAuth service based on biometric identification mainly comprises:
Access terminal 100:
The terminal device from which the user accesses the third-party application, such as a computer, tablet or smartphone; the user reaches the third-party application from this access device.
Mobile terminal 101:
The intelligent terminal device designated by the user that supports biometric feature recognition, usually a portable smart device such as a smartphone.
Internet and communication network 102:
The Internet and the communication network, which provide the channel for data access and the bearer for communication service capabilities, such as fixed broadband and WiFi data channels and mobile voice and SMS channels; data and bearer services are carried over the Internet.
Third-party application 103:
The third-party application accessed by the user; in the present system it needs to embed the system's OAuth service.
OAuth service platform 104:
The system's OAuth service platform, which provides the system's OAuth service to each third-party application platform.
Figure 2 is a schematic diagram of the modular structure of the present system.
Access device side:
Access client 200:
The client through which the user accesses the third-party application on the access device. It may be a browser-based client or a locally running client program; the user reaches the third-party application through the access client.
Mobile terminal side:
Acquisition module 201:
The terminal-side functional module that captures the user's biometric recognition features, including fingerprint, vein, iris and other biometric characteristics that uniquely distinguish a user.
Storage module 202:
The functional module that stores the user's biometric identification information; the stored information may be the originally captured data or the biometric recognition data after processing.
Processing module 203:
The functional module that processes the user's biometric data obtained on the user terminal device. It processes the captured data by means such as encryption, signing and hashing so that the processed data is irreversible and unique.
Identification module 204:
The user terminal identifies the captured biometric recognition data and correlates it with user information; after obtaining the user's unique identification data it determines which user it is.
Authorization module 205:
The functional module with which the user grants, on the user terminal, the authorization request of the third-party application platform. It covers notifying the user to authorize, obtaining the user's authorization operation, judging whether the user's authorization is correct, and the other logic involved in user authorization.
User module 206:
The user-facing functional module on the user terminal, covering user registration, user information maintenance, user authority settings and other functions related to the user account.
Internet and communication network 207:
The Internet and the communication network, which provide the channel for data access.
Third-party application platform side:
Authorization interface 208:
The authorized-access interface between the third-party application platform and the third-party application client; the client initiates authorization requests through the authorization interface.
OAuth interface 209:
The request interface between the third-party application and the OAuth service of the OAuth service platform. Through it the application sends requests to the OAuth service of the platform and receives the platform's response messages.
OAuth service platform side:
Service access interface 210:
The interface the system service opens to the outside; service calls and message exchange with the third-party application platform and the mobile terminal side go through the service access interface.
Database 211:
The system-side database, which stores all system-side data, including user information, registration information, terminal feature data and any other data the system side needs to keep.
Registration service 212:
The system-side user registration service, which provides the registration function and records the information of the registered user and of the user's terminal.
Authorization service 213:
The system-side authorization service, which grants the third-party application's authorization request on the system side according to the user's authorization operation on the mobile terminal side.
Management configuration module 214:
The system-side management and configuration module, which manages and configures the various service parameters.
Data processing module 215:
The system-side data processing module, which processes the unprocessed user biometric data it receives by means such as encryption, signing and hashing so that the processed data is irreversible and unique.
System portal 216:
The portal interface of the system, which carries the user-facing and system service logic and the access channel.
Figure 3 is a schematic diagram of the user registration flow of the present invention.
As shown in the figure, the user device registration flow comprises the following steps:
Step 301: the user requests registration of a user account on the mobile terminal;
Step 302: the terminal captures the user's biometric identification information and the device information;
Step 303: the system verifies whether the information provided by the user meets the registration requirements;
Step 304: if it does, the user's registration data is saved, a user account and the corresponding account data are generated, and the user's biometric information, user account information and terminal feature identification information are bound together;
Step 305: if it does not, error information is reported and the registration flow ends.
Figure 4 shows the device search and connection flow, which comprises the following steps:
Step 1: the user selects how the device is to be located: short-range wireless search, entering a device name or other text, or choosing the device used last time;
Step 2: the system determines the user's search mode. For short-range wireless search, the access device on which the user is using the third-party application scans for nearby devices with the short-range wireless technologies it supports, including Bluetooth, NFC, WiFi and WiFi-Direct. For text search, the system searches on the text the user entered, which may be account information, an access code or device information, and looks for terminal devices that satisfy the condition: if an access code was entered, the system maps that code to the registration and feature information of a terminal device and finds the corresponding device; if account information was entered, it searches for the terminal devices currently running under that account; if device information was entered, it searches for the devices matching that description, such as the device's unique name designated in the system. If the user chooses from the device list the system provides, that device is selected directly; a device that is not online is shown as unavailable and cannot be selected;
Step 3: the system searches for the corresponding device and, if one is found, attempts to connect to it. If no device is found, if the user entered nothing, or if there is no saved device list and the search result is empty, the connection fails;
Step 4: the system attempts to connect the access device on which the user is using the third-party application to the device the user selected. According to the security setting saved on the connected device, the system judges whether an access code is needed; if so, the user is prompted to enter it on the device being connected, otherwise the connection is allowed;
Step 5: if an access code is needed, after the user enters it the terminal judges whether it is correct; if it is, connection to that terminal device is allowed, and after a successful connection messages can be forwarded and routed to this device.
The following example illustrates the usage flow of an OAuth service based on biometric identification according to the present invention, as shown in Figure 5. In this embodiment the flow comprises the following steps:
Step 1. The user accesses the third-party application, which requires the user to authorize access;
Step 2. The third-party application displays and prompts the user to select an authorization method;
Step 3. After the user selects the OAuth service method, the third-party application interface jumps to the OAuth service authorization interface;
Step 4. The OAuth service system receives the user's authorization request message;
Step 5. The system determines the target terminal device to which the message is forwarded. The target terminal is determined by search, either by text or by short-range wireless, or by the user selecting a terminal from the history. If one or more registered terminals are found, the user is prompted to select the terminal that can authorize; if no terminal that can authorize is found, the flow proceeds to failure handling, an authorization-failure message is returned, and the system executes the refuse-authorization flow;
Step 6. The system attempts to connect to the terminal and, after a successful connection, forwards the authorization request message to the authorizing terminal the user selected;
Step 7. After the terminal receives the message, it prompts the user to perform the authorization operation;
Step 8. The user chooses whether to perform the authorization operation. If the user allows it, biometric information such as a fingerprint is captured; if the user refuses it, the terminal returns a refusal message and the system runs the failure handling flow;
Step 9. According to the recognition mode configured for the captured biometric recognition data, the biometric data is identified on the terminal side or on the system side, and the recognition result is verified against the terminal device information to judge whether the recognition result and the terminal device belong to the same registered user.
Step 10. According to the verification result, an authorization result message is sent to the third-party application platform, which allows or refuses the user's access according to the authorization result.

Claims (9)

1. A method of OAuth service based on biometric identification, characterized in that it comprises the following steps:
1) the user registers on the OAuth system service platform;
2) the system service platform opens the OAuth service to the outside;
3) the user accesses a third-party application and chooses to be authorized through the OAuth system service platform;
4) the OAuth system service platform determines the target intelligent terminal that will provide the authorization;
5) the OAuth system service platform routes the user's authorization request to the target intelligent terminal;
6) the user chooses on the intelligent terminal whether to agree to authorize; if the user agrees, biometric information is captured on the intelligent terminal, and if the user chooses to refuse or performs no operation, the authorization is treated as refused;
7) the system determines from the captured and recognized result whether it is the biometric information of a registered user; after the system service platform has obtained the user's recognition result or the refuse-authorization operation, it indicates the corresponding authorization result to the third-party application platform.
2. The method of OAuth service based on biometric identification as claimed in claim 1, characterized in that the user registers on the OAuth system service platform, and registration comprises user registration and terminal registration;
First, the user registers user information and terminal information on the OAuth system service platform. The system saves the user's registration information, including user name, user password, the user's sex and the other personal information collected in conventional registration modes, and at the same time generates a user ID that is unique within the system. The user password serves as an auxiliary means for user login and device login to the OAuth platform, so the user can still log in to the OAuth service platform with a traditional user name and password;
Secondly, the user's biometric information is captured by the client terminal, including one or more of fingerprint, vein, iris and any other biometric information the terminal supports and can capture. The captured biometric information is processed and then saved according to the system security level and the user's settings; it may be kept on the terminal device, uploaded to the system, or kept on both the terminal and the system, and serves as the basis for identifying the user;
Terminal registration means that the user logs in to the system platform on the terminal device with the registered user account, the terminal's feature identification information is captured and saved to the system, and the terminal's descriptive information is set. The user can register one or more terminal devices for authorization; the registered user account is bound to the terminal devices the user registered, and the terminal device is logged in to the system and runs under the registered user's account name.
3. The method of OAuth service based on biometric identification as claimed in claim 1, characterized in that the system service platform opens the OAuth service, the third-party application connects to the OAuth service of the system service platform and provides the access option of the OAuth service, the user requests authorization on the third-party application's interface by selecting the OAuth service mode, the third-party application jumps to the authorization interface provided by the OAuth service platform, and in the next step the OAuth service platform determines the target terminal device to which the request message is routed.
4. The method of OAuth service based on biometric identification as claimed in claim 1, characterized in that after the user chooses to authorize through the OAuth platform, the third-party application jumps to the OAuth interface and the target terminal that will receive the routed message and provide the authorization is determined; the determination modes comprise a manual mode and an automatic mode;
The manual mode comprises a text search mode and a wireless search mode. In text search the user enters descriptive text, which may be feature description information of the target terminal, the associated account name, the terminal's access code, or any other descriptive information that can describe the terminal or the user's features. The terminal's access code is a numeric code that the system assigns uniquely to the terminal and maps to the terminal's unique feature information within the system, so the user can find the terminal simply by entering one numeric code, which simplifies terminal discovery. The system searches on the text the user entered and produces the list of terminals matching the description or running under the entered account name; the user selects from the search result, or selects from the history list of terminals used before;
The wireless search mode comprises searches based on NFC, Bluetooth, WiFi or WiFi-Direct, and DLNA. A terminal that is outside short-range wireless search range or offline cannot be found, and such a terminal in the history search record is shown as unavailable. On first use the user must find an available terminal by wireless search or text search; according to the terminal's access security settings, when the terminal is configured to require an access code, the access code is entered to connect to the terminal. The information of a successfully connected terminal can be saved in the third-party application client and selected directly from the history terminal list on the next use;
The automatic mode means that the user has configured and saved the connection information of the target terminal, such as the aforementioned access code, and has set the terminal found by search or designated by the user as a trusted terminal device. The OAuth platform then automatically attempts to connect to and verify that terminal device; when the security settings of the terminal connection are met and the terminal device is verified as a terminal device registered in the system, the connection is made automatically and the request message is forwarded to that terminal.
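The Python model below is an added example, not code from the patent or from the applicant, covering the device search and connection steps of Figure 4 (steps 1 to 5) and the manual and automatic modes of claim 4: text search by access code, account name or device name, short-range scan results restricted to registered terminals, an offline terminal shown as unavailable in the history list, the access-code gate on connection, and automatic connection to a saved trusted terminal. The terminal records, names, codes and PINs are constructed sample data, and the `scanned_ids` argument stands in for a real Bluetooth/NFC/WiFi scan.

```python
import hmac
from dataclasses import dataclass, field

# Constructed directory of registered terminals, standing in for database 211.


@dataclass
class Terminal:
    name: str              # system-wide unique device name
    account: str           # account the terminal is logged in under
    lookup_code: str       # system-assigned unique numeric code used in text search
    online: bool = True
    connect_pin: str = ""  # empty: no access code required to connect


@dataclass
class ClientState:
    """What a third-party application client remembers between uses."""
    history: list = field(default_factory=list)   # terminal names, most recent last
    trusted: dict = field(default_factory=dict)   # name -> saved PIN (automatic mode)


class TerminalDirectory:
    def __init__(self, terminals):
        self.terminals = {t.name: t for t in terminals}
        self.by_code = {t.lookup_code: t.name for t in terminals}

    def search_text(self, query):
        """Figure 4 step 2, text modes: an all-digit query is an access code,
        otherwise match an account name or a substring of the device name."""
        q = query.strip()
        if not q:
            return []                       # step 3: nothing entered, no result
        if q.isdigit():
            name = self.by_code.get(q)
            return [name] if name else []
        return [t.name for t in self.terminals.values()
                if t.account == q or q.lower() in t.name.lower()]

    def search_wireless(self, scanned_ids):
        """Short-range scan: only registered terminals the scan saw are listed."""
        return [n for n in scanned_ids if n in self.terminals]

    def history_list(self, client):
        """Step 1, third option: previously used terminals; offline ones are
        reported as unavailable so the UI can grey them out."""
        return [(n, self.terminals[n].online)
                for n in client.history if n in self.terminals]

    def connect(self, client, name, pin=None):
        """Steps 3 to 5: an unknown or offline terminal fails; a terminal whose
        security setting demands an access code accepts only the right one;
        a successful connection is recorded in the client's history."""
        t = self.terminals.get(name)
        if t is None or not t.online:
            return False, "connection failed: terminal not available"
        if t.connect_pin and (pin is None
                              or not hmac.compare_digest(t.connect_pin, pin)):
            return False, "access code required"
        if name in client.history:
            client.history.remove(name)
        client.history.append(name)
        return True, name

    def auto_connect(self, client):
        """Claim 4 automatic mode: try saved trusted terminals with their saved
        connection information, most recently used first."""
        for name in reversed(client.history):
            if name in client.trusted:
                ok, _ = self.connect(client, name, client.trusted[name])
                if ok:
                    return True, name
        return False, "no trusted terminal reachable"
```

The PIN comparison uses `hmac.compare_digest` so that a wrong access code is rejected in constant time; the lookup code is a discovery aid and is not treated as a secret.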
5. The method of OAuth service based on biometric identification as claimed in claim 1, characterized in that the system routes the user's login request to the terminal the user designated: after determining the target terminal that provides the authorization function, the system attempts to connect to that terminal and forward the authorization request message to it. If the message is not forwarded successfully within the forwarding validity period specified in the system, that forward has failed. The user can set and select multiple terminals; when forwarding to the first terminal fails, the message is forwarded in order to the next terminal in the list of terminals the user selected, until the message is forwarded successfully or forwarding fails altogether.
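As an added example (not from the patent), the function below implements the forwarding rule of claim 5 and step 6 of Figure 5: the user's ordered terminal list is tried one terminal at a time, a send is only attempted while the request is still inside its forwarding validity period, and once that period has elapsed the remaining terminals are skipped and the forward as a whole fails. `SimClock` and `make_transport` are constructed stand-ins for a real clock and push channel so the timeout can be exercised without sleeping; the request fields, terminal names and latencies are sample values.

```python
import time
from dataclasses import dataclass


@dataclass
class AuthRequest:
    request_id: str
    user_id: str
    app_id: str
    issued_at: float     # clock reading when the platform accepted the request
    validity: float      # forwarding validity period in seconds (system setting)


def forward_authorization(request, terminals, try_send, now=time.monotonic):
    """Route the request through the user's ordered terminal list (claim 5).

    A send is attempted only while the request is inside its validity period;
    once that has passed, the remaining terminals are skipped and the forward
    as a whole fails. Returns (accepting terminal or None, attempt log)."""
    log = []
    for terminal in terminals:
        if now() - request.issued_at >= request.validity:
            log.append((terminal, "skipped: validity period over"))
            break
        if try_send(terminal, request):
            log.append((terminal, "delivered"))
            return terminal, log
        log.append((terminal, "failed"))
    return None, log


class SimClock:
    """Constructed clock so the validity window can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def make_transport(reachable, latency, clock):
    """Constructed stand-in for the platform's push channel: each attempt costs
    latency[terminal] seconds on the clock and succeeds only if the terminal
    is reachable (online and accepting the message)."""
    def try_send(terminal, request):
        clock.advance(latency.get(terminal, 1.0))
        return terminal in reachable
    return try_send


def run_scenario(validity, reachable, latency, terminals):
    """Drive one forwarding attempt on a fresh simulated clock."""
    clock = SimClock()
    req = AuthRequest("req-1", "uid-alice", "app-42", clock(), validity)
    send = make_transport(reachable, latency, clock)
    return forward_authorization(req, terminals, send, now=clock)


if __name__ == "__main__":
    # First terminal unreachable, second accepts well inside a 30 s window.
    print(run_scenario(30.0, {"phone-B"}, {"phone-A": 12.0, "phone-B": 5.0},
                       ["phone-A", "phone-B", "tablet-C"]))
```

Checking the window before each attempt rather than once at the start is what keeps a slow first terminal from silently consuming the whole validity period and still letting a late delivery through.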
6. The method of OAuth service based on biometric identification as claimed in claim 1, characterized in that after the authorization request message has been successfully routed and forwarded to the terminal set by the user, the terminal reminds the user, including by displaying the notification message, vibrating the terminal and playing a sound, and the user is prompted to operate and choose whether to agree to authorize. If the user agrees to authorize, the user's biometric information is captured and obtained on the terminal. After it is obtained, the obtained user biometric identification information is verified according to the preset verification mode for obtained biometric information, which comprises local verification on the terminal and verification by sending it to the service end; the verification checks whether it is the biometric information of the registered user corresponding to this terminal. If the user performs no authorization operation on the terminal within the validity period of the authorization request message, the authorization is refused directly; if verification fails or the user's biometric identification information cannot be obtained, the authorization is likewise refused.
7. The method of OAuth service based on biometric identification as claimed in claim 2, characterized in that, according to the system's data processing method setting, the captured biometric data of the registered user is processed; the processing modes comprise data hashing, data encryption, digital signature and other processing modes that are irreversible and unique. The processed data is kept on the capturing terminal or uploaded to and saved on the system platform as the basis for verifying the user's biometric information, and the user's biometric identification data is bound and mapped to the system's user ID.
8. The method of OAuth service based on biometric identification as claimed in claim 2, characterized in that the user can register and bind a single terminal or multiple terminals as authorizing terminals. Binding means obtaining the terminal's hardware feature identification information and mapping it to the user account, and setting whether the same user account is allowed to log in on multiple devices at the same time. The hardware feature identification information comprises the device body code, MAC address, IMEI or MEID, SIM card serial number and any other unique hardware identification information in the terminal. After the user successfully selects an authorizing terminal and authorizes through it, that terminal's information can be saved in the third-party application client and in the system; the next time the user needs to authorize, the terminal appears in the history terminal list and the user can select it directly as the target terminal. The user can also delete the saved terminal information.
9. The method of OAuth service based on biometric identification as claimed in claim 6, characterized in that the terminal captures the biometric information and the biometric information is verified, on the terminal or in the system according to the system security setting, to check whether the captured biometric information is the biometric information of the registered user corresponding to this terminal. The verification mode is as follows: the captured biometric information of the user is computed and processed with the same data processing method used at registration, compared with the saved verification data, and the corresponding registered user information is obtained; then the captured terminal device information is compared to check whether the terminal is a terminal device bound under the registered user's account; if both comparisons agree, the verification is considered passed. A combination of multiple identification items can also be verified; the combination has an order, with the recognition result of each biometric item and its order of recognition as the basis of identification, and verification passes only when both the recognition results and the recognition order are consistent, which further improves the security of verification.
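The Python model below is an added example, not code from the patent, that ties together the registration flow of Figure 3 (steps 301 to 305), steps 8 to 10 of Figure 5 and the verification of claims 7 and 9: biometric features are processed at registration with a salted SHA-256 (one of the irreversible processing modes the patent lists), the same processing is applied to the samples captured at authorization time, the matched items must appear in the configured recognition order, and the presenting terminal's hardware identifier must be bound to the user that the biometrics identified. User IDs, salts, feature bytes and terminal identifiers are constructed sample values. One caveat the patent's text does not address: real biometric templates are fuzzy, so the deterministic feature encodings assumed here would in practice be replaced by a matcher with a threshold; the surrounding control flow is unaffected.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed model of registration service 212, data processing module 215
# and the claim 9 verification. Feature encodings are assumed to be
# deterministic byte strings so that the patent's process-then-compare scheme
# can be shown with exact equality (real templates need a fuzzy matcher).


def process_biometric(feature: bytes, salt: bytes) -> str:
    """Irreversible processing of a captured feature (claim 7): salted SHA-256.
    The same function and salt are used at registration and at verification,
    so stored data never contains the raw feature."""
    return hashlib.sha256(salt + feature).hexdigest()


@dataclass
class UserRecord:
    user_id: str
    salt: bytes
    templates: dict   # item label (e.g. "index", "thumb") -> processed hash
    terminals: set    # bound hardware identifiers (IMEI, MAC, serial, ...)


class OAuthPlatform:
    def __init__(self):
        self.users = {}        # user_id -> UserRecord
        self.usernames = set()

    def register(self, username, password, biometrics, terminal_id):
        """Steps 301 to 305: validate the request, then generate the account
        and bind biometric data, account and terminal feature information."""
        if (not username or username in self.usernames or len(password) < 8
                or not biometrics or not terminal_id):
            return None                     # step 305: report error, flow ends
        salt = secrets.token_bytes(16)
        user_id = "uid-" + secrets.token_hex(8)
        self.users[user_id] = UserRecord(
            user_id, salt,
            {label: process_biometric(f, salt) for label, f in biometrics.items()},
            {terminal_id})
        self.usernames.add(username)
        return user_id

    def verify(self, account, terminal_id, samples, required_order=None):
        """Claim 9 verification for a terminal logged in under `account`.
        `samples` is the ordered list of (label, feature) captured on the
        terminal; `required_order` is the label sequence the user configured
        (for example index finger, then thumb). Returns (ok, detail)."""
        if not samples:
            return False, "acquisition failed"            # claim 6: refuse
        rec = self.users.get(account)
        if rec is None:
            return False, "unknown account"
        identified = []
        for _label, feature in samples:
            digest = process_biometric(feature, rec.salt)
            # first comparison: which stored template did this sample match?
            hit = next((lbl for lbl, h in rec.templates.items()
                        if hmac.compare_digest(h, digest)), None)
            if hit is None:
                return False, "biometric mismatch"
            identified.append(hit)
        if required_order is not None and identified != list(required_order):
            return False, "wrong recognition order"
        # second comparison of claim 9: the terminal must be bound to this user
        if terminal_id not in rec.terminals:
            return False, "terminal not bound to this user"
        return True, rec.user_id
```

The order check is deliberately separate from the per-item match: a sample set that matches every template but in the wrong sequence is reported as a distinct failure, which is the extra condition claim 9 adds over single-item comparison.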
Application CN201510493553.XA, priority date 2015-08-13, filing date 2015-08-13, "A kind of OAuth service based on bio-identification", granted as CN105099704B (Active)

Publications (2)

Publication Number Publication Date
CN105099704A 2015-11-25
CN105099704B 2018-12-28

Family ID 54579336

Country Status (1)

Country Link
CN (1) CN105099704B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant