CN106330813A - Method, device and system for processing authorization - Google Patents


Info

Publication number
CN106330813A
CN106330813A
Authority
CN
China
Prior art keywords
group, user, resource, ID
Application number
CN201510333657.4A
Other languages
Chinese (zh)
Inventor
周飞
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L 63/0876  Authentication based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/0884  Authentication by delegation, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L 63/10  Network architectures or network communication protocols for network security for controlling access to network resources
    • H04L 63/104  Grouping of entities

Abstract

The invention provides a method, a device and a system for processing authorization. The method comprises: receiving an authorization request sent by a first user through a first client, the authorization request comprising the user identity (ID) of the first user and the identifier of the resource requested; determining, from the user ID of the first user, the information of the group to which the first user belongs; determining, from a saved authorization record, that the group has already obtained authorization from the resource owner corresponding to the resource identifier; and generating a first access token and sending it to the first client. The method effectively solves the technical problem that, when multiple users access a resource, the resource owner has to perform authorization multiple times.

Description

Method, apparatus and system for processing authorization

Technical field

The present invention relates to the field of communication technology, and in particular to a method, apparatus and system for processing authorization.

Background

With the rapid development of the Internet, the ideas of "one network per country" and "one network for the whole world" have spread quickly. The situation in which each provincial branch and each base of an operator acts on its own can no longer meet user demands, and various capability centers have emerged. For example, China Mobile's customer center manages all user information centrally; other applications obtain user information by calling the interfaces the customer center provides, which achieves centralized management of user information, concentrates user resources and better realizes the value of the resulting big data. After a capability center has concentrated the resource data relevant to its capability, it also needs to open that data for access by third-party clients (hereinafter: clients). In such open access the security of the data is paramount. OAuth 2.0 (RFC 6749), a simple, secure and open authorization protocol, can be adopted by the capability center to solve the security problem of opening up data.

The resources of a capability center are mostly protected. In the OAuth protocol the client does not access a protected resource directly with the resource owner's private credentials; instead it obtains an access token, a string that represents a specific scope of authority, a validity period and other attributes. Access tokens are generated by the authentication server (the authorization server in OAuth terminology) with the approval of the resource owner and issued to the client. The client uses the access token to access the protected resources hosted by the resource server.

Specifically, when a user accesses a resource through a client, the flow is as follows:

1. The client requests authorization from the authentication server;

2. The authentication server forwards the client's request to the resource owner and asks the resource owner to authorize it;

3. The resource owner reviews the request message and agrees to authorize;

4. After receiving the resource owner's message agreeing to the authorization, the authentication server generates an access token and issues it to the client;

5. The client presents the access token to the resource server and requests the resource information;

6. The resource server returns the resource information to the client.

It can be seen that every time a user requests access to a resource, the request must, for the sake of security, be directed to the resource owner for authorization, which greatly increases the resource owner's authorization workload.

Summary of the invention

The invention provides a method, apparatus and system for processing authorization, to solve the technical problem that, when multiple users access resource information, the resource owner to whom the resource information belongs has to authorize many times over.

In a first aspect, the present invention provides an authorization method, including: receiving an authorization request sent by a first user through a first client, the authorization request including the user ID of the first user and the identifier of the resource requested; determining, from the user ID of the first user, the group information of the group to which the first user belongs; determining, from a saved authorization record, that the group has obtained the authorization of the resource owner corresponding to the resource identifier; generating a first access token and sending the first access token to the first client.

In combination with the first aspect, in a first possible implementation of the first aspect, determining, from the user ID of the first user, the group information of the group to which the first user belongs specifically comprises: sending a group query message containing the user ID of the first user to a group server; receiving a group confirmation message returned by the group server, the group confirmation message including the group information of the group to which the first user belongs, wherein the group information includes the group identifier of that group.

In combination with the first aspect, in a second possible implementation of the first aspect, determining, from the user ID of the first user, the group information of the group to which the first user belongs specifically comprises: querying a locally saved group database, which contains saved group identifiers and the corresponding group member information; determining, from the user ID of the first user, the group identifier of the group to which the first user belongs.

In combination with the first aspect or its first or second possible implementation, in a third possible implementation of the first aspect, before the authorization request sent by the first user through the first client is received, the method also includes: receiving an authorization request sent by a second user through a second client, the authorization request including the user ID of the second user and the identifier of the resource; determining, from the user ID of the second user, that the second user belongs to the group; determining that the group has not obtained the authorization of the resource owner; sending an authentication request to the resource owner, the authentication request including the group information; receiving an authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group; saving an authorization record that the group has obtained access rights to the resource corresponding to the resource identifier; generating a second access token and sending the second access token to the second client.

In combination with the first aspect or its first to third possible implementations, in a fourth possible implementation of the first aspect, before determining, from the user ID of the first user, the group information of the group to which the first user belongs, the method also includes determining that the resource owner has not authorized the first user.

In a second aspect, an authentication server is provided, including: a receiving module for receiving an authorization request sent by a first user through a first client, the authorization request including the user ID of the first user and the identifier of the resource requested; a determining module for determining, from the user ID of the first user received by the receiving module, the group information of the group to which the first user belongs, and for determining, from a saved authorization record, that the group has obtained the authorization of the resource owner corresponding to the resource identifier; and a sending module for generating a first access token and sending the first access token to the first client.

In combination with the second aspect, in a first possible implementation of the second aspect, the determining module determines, from the user ID of the first user, the group information of the group to which the first user belongs specifically by: sending a group query message containing the user ID of the first user to a group server; receiving a group confirmation message returned by the group server, the group confirmation message including the group information of the group to which the first user belongs, wherein the group information includes the group identifier of that group.

In combination with the second aspect, in a second possible implementation of the second aspect, the determining module determines, from the user ID of the first user, the group information of the group to which the first user belongs specifically by: querying a locally saved group database, which contains saved group identifiers and the corresponding group member information; determining, from the user ID of the first user, the group identifier of the group to which the first user belongs.

In combination with the second aspect or its first or second possible implementation, in a third possible implementation of the second aspect, the authentication server further operates as follows: the receiving module is also used to receive an authorization request sent by a second user through a second client, the authorization request including the user ID of the second user and the identifier of the resource; the determining module is also used to determine, from the user ID of the second user received by the receiving module, that the second user belongs to the group, and to determine that the group has not obtained the authorization of the resource owner; the sending module is also used to send an authentication request to the resource owner, the authentication request including the group information; the receiving module is also used to receive the authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group; a saving module is used to save an authorization record that the group has obtained access rights to the resource corresponding to the resource identifier; and the sending module is also used to generate a second access token and send the second access token to the second client.

In combination with the second aspect or its first to third possible implementations, in a fourth possible implementation of the second aspect, before the determining module determines, from the user ID of the first user, the group information of the group to which the first user belongs, the determining module is also used to determine that the resource owner has not authorized the first user.

In a third aspect, a system for processing authorization is also provided, including: a first client for sending an authorization request to an authentication server, the authorization request including the user ID of a first user and the identifier of the resource requested; and an authentication server for receiving the authorization request sent by the first user through the first client, the authorization request including the user ID of the first user and the identifier of the resource requested; determining, from the user ID of the first user, the group information of the group to which the first user belongs; determining, from a saved authorization record, that the group has obtained the authorization of the resource owner corresponding to the resource identifier; and generating a first access token and sending the first access token to the first client.

In combination with the third aspect, in a first possible implementation of the third aspect, the system also includes a second client for sending an authorization request to the authentication server, the authorization request including the user ID of a second user and the identifier of the resource. The authentication server is also used to receive the authorization request sent by the second user through the second client, the authorization request including the user ID of the second user and the identifier of the resource; determine, from the user ID of the second user, that the second user belongs to the group; determine that the group has not obtained the authorization of the resource owner; send an authentication request to the resource owner, the authentication request including the group information; receive an authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group; save an authorization record that the group has obtained access rights to the resource corresponding to the resource identifier; generate a second access token and send the second access token to the second client.

According to the technical scheme the present invention provides, because the resource owner has authorized the group and the authentication server has saved the authorization record of the group and the resource, when another member of the group requests authorization for the same resource the authentication server does not need to apply to the resource owner for permission again; it generates an access token directly from the corresponding authorization record and returns it to the client, thereby effectively relieving the resource owner's authorization burden.

Brief description of the drawings

Fig. 1 is a block diagram of a system for processing authorization provided by an embodiment of the invention;

Fig. 2 is a flowchart of a method for processing authorization provided by an embodiment of the invention;

Fig. 3 is an exemplary signalling diagram of a method for processing authorization provided by an embodiment of the invention;

Fig. 4 is an exemplary signalling diagram of another method for processing authorization provided by an embodiment of the invention;

Fig. 5 is a schematic structural diagram of an authentication server provided by an embodiment of the invention;

Fig. 6 is another schematic structural diagram of an authentication server provided by an embodiment of the invention;

Fig. 7 is a schematic structural diagram of a system for processing authorization provided by an embodiment of the invention.

Detailed description of the invention

To make the objects, technical solutions and advantages of the present invention clearer, specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings. Numerous specific details are given in the following detailed description so that the invention can be fully understood. Those skilled in the art will appreciate that the invention can be realized without these specific details. In other instances, well-known methods, procedures, components and circuits are not described in detail so as not to obscure the embodiments unnecessarily. Obviously, the embodiments described below are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

It should be noted that in the embodiments of the present invention the related functions of the authentication server, the group server and the resource server may be realized by different functional modules of the same device, or by different devices; the present invention does not limit this.

In addition, some of the flows described below contain multiple operations that occur in a particular order, but it should be clearly understood that these operations may be performed in an order other than the one in which they appear herein, or in parallel; sequence numbers such as 101 and 102 serve only to distinguish the different operations and do not by themselves represent any order of execution. These flows may also include more or fewer operations, and these operations may be performed sequentially or in parallel. It should also be noted that terms such as "first" and "second" herein are used to distinguish different messages, devices, modules and so on; they do not denote an order and do not limit "first" and "second" to being of different types.

Fig. 1 is a block diagram of a system for processing authorization provided by an embodiment of the invention. The system comprises multiple communication devices that communicate with one another over a wired or wireless communication network, namely:

Client 102: generally an application supplied to the user for obtaining authorization and accessing resource information on the resource server.

Resource server 104: a server that stores resource information (such as pictures, videos or consumption records) and provides access to it. When a user requests resource information on the resource server through a client, the client must present an access token issued by an authentication server with which the resource server has established a trust relationship; after the resource server has verified the token it returns the requested resource information to the user.

Authentication server 106: the server the service provider uses to process user authentication and to issue access tokens to clients. It may be co-located with the resource server or deployed as a separate device.

Group server 108: stores the relations between users and groups. Specifically, a system administrator, a resource owner or any other user with permission to access the group server can set up the relations between users and groups. For example, user A logs in to the group server and creates group X, and group X includes users A, B and C; the group server then stores the relation between users A, B and C and group X. After a group has been created, its creator can authorize other users to manage it. It should be noted that the present invention does not limit the specific way in which groups are created and managed.

Resource owner 110: the owner of the resource information (such as pictures, videos or consumption records). When another user accesses resource information stored on the resource server, the resource owner's permission is required first; only when the resource owner agrees to authorize does the authentication server generate an access token for the client in accordance with the resource owner's permission information.

The realization of the authorization method, apparatus and system of this application is described in detail below with reference to the drawings.

Fig. 2 is a flowchart of an authorization method provided by the present invention. This embodiment provides the authorization process by which a user accesses resource information on the resource server through a client. In a specific implementation the method for processing authorization can be performed by the authentication server, which issues an access token to the client when the resource owner permits it; the client then accesses the protected resource by presenting the access token to the resource server. The authentication server may be co-located with the resource server or exist as a separate device. After the authentication server receives the authorization request sent by the client, it first determines the group to which the user belongs from the user ID in the request. If that group has already obtained authorization, the authentication server sends an access token to the user directly, without applying to the resource owner for permission again. If the group does not yet have the resource owner's permission, the authentication server first applies to the resource owner for permission on behalf of the group; if the resource owner agrees to authorize the group, the authentication server saves an authorization record for the group and the requested resource, generates an access token and returns it to the client. Specifically, the method includes:

Step 202: receive an authorization request sent by a first user through a first client, the authorization request including the user ID of the first user and the identifier of the resource requested;

Specifically, the client may be application software developed by a third party or a browser plug-in. The user sends an authorization request to the authentication server through the client, carrying the user ID and the identifier of the resource requested; the resource identifier may be the Uniform Resource Identifier (URI) corresponding to that resource. From the resource identifier in the authorization request the authentication server can determine the resource owner corresponding to the resource. When the user identified by the user ID has not yet obtained access rights to the resource, the authentication server applies to the resource owner for authorization, and only when the resource owner agrees to authorize the user does the authentication server generate an access token and send it to the client; otherwise the user's request for authorization is rejected and the user cannot access the resource it wants.

Step 204: determine, from the user ID of the first user, the group information of the group to which the first user belongs;

Optionally, a group database is kept on the authentication server. This group database records group information, which includes the group name and the group member information of that group; the group member information may be group member identifiers or other information describing the group members. Determining the group information of the group to which the first user belongs from the user ID of the first user then consists of querying the group database and obtaining the group information whose group members include the user ID of the first user.

Optionally, a separate group server recording the group information is set up in the authorization system. Determining the group information of the group to which the first user belongs from the user ID of the first user then consists of sending a group query message containing the user ID of the first user to the group server, and receiving the group confirmation message returned by the group server, which includes the group information of the group to which the first user belongs. It should be noted that in a specific implementation the group information the group server returns to the authentication server may include only the group identifier of the group to which the first user belongs, or may further include the group member identifiers of that group. Optionally, when the received group information includes both the group identifier and the group member identifiers, the authentication server may save it to a local database; the next time it receives an authorization request and needs the group information for a user ID, it queries the local database first and sends a group query message to the group server only if the local database has no record.

Optionally, before step 204 the authorization method also includes: the authentication server determining that the resource owner corresponding to the requested resource has not authorized the first user. In the scheme the present invention provides, when the authentication server receives an authorization request sent by a user through a client, it may first judge whether the resource owner has already authorized this user; if the resource owner has authorized this user to access the resource, step 208 (generating the access token) is performed directly. If the resource owner has not authorized this user, it is necessary to further determine whether the resource owner has authorized a group that contains this user: when the resource owner has authorized group X to access the resource, the members of group X do not need to apply for the resource owner's authorization again when they access that resource.

The method by which the authentication server determines whether the resource owner corresponding to the requested resource has authorized a user belongs to the prior art and is not repeated here.

Step 206: determine, from the saved authorization record, that the group has obtained the authorization of the resource owner corresponding to the resource identifier;

The authorization record by which a group obtains access rights is kept in the authentication server's local or remote database. The authorization record may take the form of the following mapping table or any other form; the present invention does not limit the concrete form of the authorization record.

Group name   Accessible resource
Group A      Resource 1
Group B      Resource 2

After the authentication server has determined the group to which the first user belongs, it queries the authorization record; when the authorization record contains an authorization relation between that group and the requested resource, it determines that the resource owner corresponding to the resource requested by the first user has authorized the group to which the first user belongs.

Step 208: generate a first access token and send the first access token to the first client.

Specifically, after determining that the group to which the first user belongs has obtained the resource owner's authorization, the authentication server can generate an access token directly and return it to the first client, so that the first user can access the resource through the first client.

Optionally, before the authentication server receives the authorization request sent by the first user through the first client, when another member of the first user's group, such as a second user, also requests access to this resource, the authorization method also includes: receiving an authorization request sent by the second user through a second client, the authorization request including the user ID of the second user and the identifier of the requested resource; determining, from the user ID of the second user, that the second user belongs to the group; determining, from the saved authorization record, that the group has not obtained the resource owner's authorization; sending an authentication request to the resource owner, the authentication request including the group information; receiving the authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group; saving an authorization record that the group has obtained access rights to the resource corresponding to the resource identifier; generating a second access token and sending the second access token to the second client. It should be noted that the first client and the second client may be the same client or different clients; the present invention does not limit this. Specifically, when it determines that the group has not obtained the resource owner's authorization, the authentication server sends an authentication request to the resource owner asking the resource owner to authorize the group to which the first user belongs. To make it easier for the resource owner to determine the scope of what is being authorized, the group information in the authentication request may include the group member identifiers in addition to the group name.

Indicate the owner of described resource to disagree described group is awarded when described authentication response message comprises During the instruction information weighed, the authorization requests that described authorisation device is rejected, authorization flow terminates.When recognizing Card server receive Resource Owner return agreement described group is authorized instruction information time, recognize Card server preserves described group and obtains the authority record of resource access rights.Step can be used in implementing The form of mapping table in rapid 206.

In the authorization method that the present embodiment provides, owing to group is authorized by Resource Owner, And certificate server saves the authority record of group and this resource, so when other groups in this group When member is for this resource request mandate, certificate server needs not continue to Resource Owner's application license, Directly generate access token according to corresponding authority record and return to client, thus effectively alleviate resource Possessory mandate is born.

Fig. 3 is an exemplary signaling diagram of a method for processing authorization provided by an embodiment of the present invention. In this embodiment, a user accesses, through a client, a resource stored on a resource server. The client may authenticate the identity of the user by at least one of an account and password, biometric authentication, or another identity authentication method. The client maintains the authentication information of each user, and each user has a unique user ID.

When multiple users access the resource on the resource server, in order to reduce the authorization burden on the resource owner, in embodiments of the present invention a system administrator may establish a group for these users on a cluster server. The resource owner then needs to authorize the group only once, and the members of the group obtain permission to access the resource. For example, in a project team, a group member X uploads project data to the server; this group member X is then the resource owner. The system administrator may create a group for this project team on the cluster server, the group members including all members of the project team. Assume that this group has three members, A, B and C. It should be noted that the group members may or may not include the resource owner X; the present invention does not limit this. The method then includes:

Step 301: user A sends an authorization request to the authentication server through the client; the authorization request includes the uniform resource identifier (URI) of the resource that user A wishes to access and user ID A;

Step 302: the authentication server sends a group relationship query request to the cluster server; the group relationship query request includes user ID A;

Step 303: the cluster server returns a group relationship query response to the authentication server; the group relationship query response includes the group information of the group to which user A belongs;

Specifically, the cluster server determines the group to which the user belongs according to the user ID. In one possible implementation, the cluster server stores a correspondence between group names and group member lists; on receiving a user ID, the cluster server traverses this correspondence and determines the group member list to which the user ID belongs and the corresponding group name. The group information includes the group name and, optionally, the group member list corresponding to that group name.

Step 304: the authentication server determines that there is no authorization record for the group to which user A belongs;

Specifically, the authentication server may query a locally stored authorization relationship mapping table between groups and the resources requested; the authorization relationship mapping table records the correspondence between groups that have obtained authorization and the resources requested. When the authentication server determines that the group to which this user belongs has no authorization record yet, this user is the first in the group to request access to this resource, and the authentication server must first obtain the authorization of the resource owner before issuing a token to this user.

Step 305: the authentication server sends an authentication request to the resource owner; the authentication request includes the group information;

Step 306 to step 307: the resource owner determines the scope of authorization according to the group information and returns an authentication response to the authentication server;

Specifically, the resource owner determines, according to the group information, to agree to the authorization, and returns an authentication response to the authentication server; the authentication response includes identity authentication information of the resource owner and authorization confirmation information.

Optionally, if the group information also includes the group member list, the resource owner can learn which members the group contains and agree to authorize the group after determining that the members of the group are trustworthy.

Step 308: the authentication server stores the group authorization record and generates an access token;

Specifically, the authentication server determines from the identity authentication information contained in the authentication response returned by the resource owner that the identity of the resource owner is legitimate, determines from the authorization confirmation information that the resource owner agrees to authorize this group, and then stores the group authorization record and generates the access token.

Step 309: the authentication server returns the access token to the client;

Step 310 to step 311: the client sends a resource request message carrying the access token to the resource server and obtains the resource information.

Specifically, user A sends, through the client, a resource request carrying the access token to the resource server. After the resource server verifies that the access token is legitimate, it returns the resource requested by the user to the client, and the client presents the requested resource to user A.

Further, Fig. 4 is an exemplary signaling diagram of a method for processing authorization provided by an embodiment of the present invention. When user B or user C in the group of the embodiment of Fig. 3 also accesses the resource on the resource server, the authentication server determines the group to which user B or C belongs and determines that the resource owner has already authorized this group, so the authentication server directly generates an access token and sends the generated access token to the client. Specifically:

Step 401 to step 403 are the same as step 301 to step 303; for the related content refer to the description of the embodiment of Fig. 3, which is not repeated here.

Step 404: determine that an authorization record already exists for this group.

Specifically, the authentication server may query the authorization record of groups that have obtained access permission, stored locally or remotely; the authorization record may take the form of the mapping table described in step 206. When the authentication server determines that the group to which this user belongs has no authorization record yet, this user is the first in the group to request access to this resource, and the authentication server must first obtain the authorization of the resource owner before issuing a token to this user. In the embodiment of Fig. 3, user A in the group has already requested access to this resource, so the group has obtained the authorization of the resource owner and the authentication server has stored the group authorization record.

Step 405: generate an access token;

Step 406 to step 408 are the same as step 309 to step 311; for the related content refer to the description of the embodiment of Fig. 3, which is not repeated here.

In the embodiment of the present invention, the authentication server stores, locally or remotely, the authorization record of groups that have obtained access permission. When the authorization record contains an authorization relationship between group G and resource S, the resource owner has authorized group G, and when a member of group G applies for an access token for resource S the authentication server directly generates the access token without again applying to the resource owner for authorization. With this authorization method, the resource owner needs to perform authorization only once to allow multiple users to access the resource, which greatly reduces the authorization burden on the resource owner.
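The following Python example puts the two signaling flows above into running code: the Fig. 3 flow, in which the first member A triggers the owner consultation of steps 305 to 308, and the Fig. 4 flow, in which members B and C are served directly from the stored authorization record; it also covers the cluster-server lookup of step 303 and the token check of steps 310 and 311. It is an added example, not code from the patent or from Huawei. The patent does not specify how the owner's identity authentication information or the access token are formed, so the example assumes an HMAC over the owner's decision as the identity authentication information, a second HMAC key shared between authentication server and resource server for token validation, and the constructed group directory and resource URI shown below; all of these are assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed sample directory (not from the patent): the project team of the
# Fig. 3 example with members A, B and C, plus a second group whose member is
# not trusted by the owner, used to show the rejection path of steps 306/307.
GROUP_DIRECTORY = {
    "project-team": ["A", "B", "C"],
    "contractors": ["D"],
}
RESOURCE_URI = "https://resource-server.example/project/data"  # constructed URI


def _mac(key, data):
    """HMAC-SHA256 hex tag; assumed mechanism for owner identity and token integrity."""
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


class ClusterServer:
    """Holds the group name -> member list correspondence (steps 302/303)."""

    def __init__(self, groups):
        self.groups = groups

    def group_of(self, user_id):
        # Traverse the correspondence and return the group whose member list
        # contains the user ID; None if the user belongs to no group.
        for name, members in self.groups.items():
            if user_id in members:
                return {"name": name, "members": list(members)}
        return None


class ResourceOwner:
    """Owner X: agrees only if every listed member is trusted (steps 305-307)."""

    def __init__(self, key, trusted_members):
        self.key = key                        # assumed key shared with the auth server
        self.trusted = set(trusted_members)
        self.requests_seen = 0                # lets the test count owner consultations

    def handle_auth_request(self, group, resource_uri):
        self.requests_seen += 1
        approved = set(group["members"]) <= self.trusted
        decision = {"group": group["name"], "resource": resource_uri, "approved": approved}
        payload = json.dumps(decision, sort_keys=True)
        # The MAC stands in for the owner's identity authentication information.
        return {"payload": payload, "mac": _mac(self.key, payload)}


class AuthServer:
    """Authentication server: group lookup, authorization record, token issue."""

    def __init__(self, cluster, owners, token_key, ttl=300):
        self.cluster = cluster
        self.owners = owners          # resource URI -> (owner, owner's key)
        self.token_key = token_key    # assumed shared with the resource server
        self.ttl = ttl
        self.auth_records = set()     # (group name, resource URI): the mapping table

    def authorize(self, user_id, resource_uri):
        group = self.cluster.group_of(user_id)
        if group is None:
            return None                                   # user belongs to no group
        if (group["name"], resource_uri) not in self.auth_records:
            # First member of this group to ask for this resource: consult the owner.
            owner, owner_key = self.owners[resource_uri]
            resp = owner.handle_auth_request(group, resource_uri)
            if not hmac.compare_digest(_mac(owner_key, resp["payload"]), resp["mac"]):
                return None                               # owner identity not verified
            decision = json.loads(resp["payload"])
            if not (decision["approved"] and decision["group"] == group["name"]
                    and decision["resource"] == resource_uri):
                return None                               # owner declined: flow ends
            self.auth_records.add((group["name"], resource_uri))   # step 308
        return self.issue_token(user_id, group["name"], resource_uri)

    def issue_token(self, user_id, group_name, resource_uri):
        claims = {"sub": user_id, "grp": group_name, "res": resource_uri,
                  "exp": int(time.time()) + self.ttl}
        body = json.dumps(claims, sort_keys=True)
        return body + "." + _mac(self.token_key, body)


class ResourceServer:
    """Checks the token tag, target resource and expiry before serving (steps 310/311)."""

    def __init__(self, token_key, contents):
        self.token_key = token_key
        self.contents = contents

    def fetch(self, token, resource_uri):
        body, sep, tag = token.rpartition(".")
        if not sep or not hmac.compare_digest(_mac(self.token_key, body), tag):
            return None                                   # forged or damaged token
        claims = json.loads(body)
        if claims["res"] != resource_uri or claims["exp"] < time.time():
            return None                                   # wrong resource or expired
        return self.contents.get(resource_uri)


if __name__ == "__main__":
    cluster = ClusterServer(GROUP_DIRECTORY)
    owner = ResourceOwner(b"owner-key", ["A", "B", "C", "X"])
    auth = AuthServer(cluster, {RESOURCE_URI: (owner, b"owner-key")}, b"token-key")
    rs = ResourceServer(b"token-key", {RESOURCE_URI: "project data"})
    for user in ["A", "B", "C", "D"]:
        token = auth.authorize(user, RESOURCE_URI)
        print(user, "->", rs.fetch(token, RESOURCE_URI) if token else "rejected",
              "| owner consulted", owner.requests_seen, "time(s)")
```

Running the demo shows the owner consulted once for A and not again for B and C, while D's group is rejected and no record is stored for it. Note that the record is keyed on the group and the resource, so a user added to the group after step 307 inherits access without the owner having seen that member in the list; the owner's trust decision is made over the member list as it stood when the authentication request was sent.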

It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of combined actions; however, those skilled in the art will know that the present invention is not limited by the described order of actions, since according to the present invention some steps may be performed in another order or simultaneously. Secondly, those skilled in the art will also know that the embodiments described in this specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.

The following describes the device and the system provided by embodiments of the present invention.

Fig. 5 is a schematic structural diagram of an authentication server provided by an embodiment of the present invention. As shown in Fig. 5, the authorization device includes a receiving module 502, a determining module 504 and a sending module 506.

The receiving module 502 is configured to receive an authorization request sent by a first user through a first client; the authorization request includes the user identifier (ID) of the first user and the identifier of the resource requested.

The determining module 504 is configured to determine, according to the user ID of the first user received by the receiving module 502, the group information of the group to which the first user belongs, and to determine, according to the stored authorization record, that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource.

Here, the determining module 504 determining the group information of the group to which the first user belongs according to the user ID of the first user is specifically: sending to the cluster server a group query message containing the user ID of the first user, and receiving a group confirmation message returned by the cluster server, the group confirmation message including the group information of the group to which the first user belongs, where the group information includes the group identifier of the group to which the first user belongs; or querying a locally stored group database, which includes stored group identifiers and the corresponding group member information, and determining the group identifier of the group to which the first user belongs according to the user ID of the first user.

In implementation, the determining module 504 is specifically configured to perform the method described in step 204 to step 206 of the embodiment of Fig. 2; for the related content refer to the description of the embodiment of Fig. 2, which is not repeated here.

The sending module 506 is configured to generate a first access token and send the first access token to the first client.

In a specific implementation, before the receiving module 502 receives the authorization request sent by the first user through the first client, another member of the group to which the first user belongs, for example a second user, also requests access to this resource. The receiving module 502 is then further configured to receive an authorization request sent by the second user through a second client, the authorization request including the user ID of the second user and the identifier of the resource requested; the determining module 504 is further configured to determine, according to the user ID of the second user received by the receiving module 502, that the second user belongs to the group, and to determine that the group has not obtained the authorization of the resource owner; the sending module 506 is further configured to send an authentication request to the resource owner, the authentication request including the group information; the receiving module 502 is further configured to receive an authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group; the authentication server further includes a storing module 508 configured to store an authorization record that the group has obtained access permission for the resource corresponding to the resource identifier; and the sending module is further configured to generate a second access token and send the second access token to the second client. It should be noted that the first client and the second client may be the same client or different clients; the present invention does not limit this. Specifically, when determining that the group has not obtained the authorization of the resource owner, the authentication server sends an authentication request to the resource owner, asking the resource owner to authorize the group to which the first user belongs. To make it easier for the resource owner to determine the scope of the authorized object, the group information in the authentication request may, in addition to the group name, further include the identifiers of the group members.

When the authentication response message received by the receiving module 502 contains indication information that the owner of the resource does not agree to authorize the group, the authorization request to the authorization device is rejected and the authorization flow ends. When the receiving module 502 receives indication information returned by the resource owner agreeing to authorize the group, the storing module 508 stores the authorization record that the group has obtained resource access permission. In a specific implementation this record may take the form of the mapping table in step 206.

In the authorization method provided by this embodiment, because the resource owner authorizes the group and the authentication server stores the authorization record between the group and this resource, when another member of this group requests authorization for this resource the authentication server need not apply to the resource owner for permission again; it directly generates an access token according to the corresponding authorization record and returns it to the client, which effectively reduces the authorization burden on the resource owner.

Fig. 6 shows another schematic structural diagram of an authentication server provided by an embodiment of the present invention, using a general-purpose computer system structure: the program code implementing the solution of the present invention is stored in memory and executed under the control of a processor. The device for processing authorization includes a bus, a processor (602), a memory (604) and a communication interface (606).

The bus may include a path that transmits information between the components of the computer.

The processor 602 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the solution of the present invention. The one or more memories included in the computer system may be read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, or disk storage. These memories are connected to the processor through the bus.

The communication interface 606 may use any transceiver-type device in order to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN), a wireless local area network (WLAN) and so on.

The memory 604, for example RAM, stores the operating system and the program implementing the solution of the present invention. The operating system is used to control the running of other programs and to manage system resources. The program code implementing the solution of the present invention is stored in the memory and executed under the control of the processor.

The program stored in the memory 604 instructs the processor to perform a method for processing authorization, including: receiving an authorization request sent by a first user through a first client, the authorization request including the user ID of the first user and the identifier of the resource requested; determining, according to the user ID of the first user, the group information of the group to which the first user belongs; determining, according to the stored authorization record, that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource; and generating a first access token and sending the first access token to the first client.

It can be understood that the device for processing authorization of this embodiment can be used to implement all functions of the method embodiment described in Fig. 2; for its specific implementation process refer to the related description of the method embodiment, which is not repeated here.

Fig. 7 is a schematic structural diagram of a system for processing authorization provided by an embodiment of the present invention. As shown in Fig. 6, the system includes a first client 702 and an authentication server 704.

The first client 702 is configured to send an authorization request to the authentication server; the authorization request includes the user ID of the first user and the identifier of the resource requested.

The authentication server 704 is configured to receive the authorization request sent by the first user through the first client, the authorization request including the user ID of the first user and the identifier of the resource requested; to determine, according to the user ID of the first user, the group information of the group to which the first user belongs; to determine, according to the stored authorization record, that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource; and to generate a first access token and send the first access token to the first client.

Optionally, the system further includes a second client 706 configured to send an authorization request to the authentication server; the authorization request includes the user ID of the second user and the identifier of the resource.

The authentication server 704 is further configured to receive the authorization request sent by the second user through the second client, the authorization request including the user ID of the second user and the identifier of the resource; to determine, according to the user ID of the second user, that the second user belongs to the group; to determine that the group has not obtained the authorization of the resource owner; to send an authentication request to the resource owner, the authentication request including the group information; to receive an authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group; to store an authorization record that the group has obtained access permission for the resource corresponding to the resource identifier; and to generate a second access token and send the second access token to the second client.

It should be noted that the first client 702 and the second client 706 may be the same client or different clients; the present invention does not limit this.

For a more detailed description of the authentication server 704, refer to the description of the authentication server shown in Fig. 5; the related content is not repeated here.

Because the method embodiments of the present invention are based on the same concept, the information exchange and execution processes between the above devices and the modules within the system are described in the method embodiments of the present invention and are not repeated here.

Those of ordinary skill in the art can understand that all or part of the procedures in the above method embodiments can be implemented by a computer program instructing the related hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the procedures of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM: Read-Only Memory), a random access memory (RAM: Random Access Memory) and so on.

The principles and embodiments of the present invention have been described here with specific examples; the description of the above embodiments is only intended to help understand the method and the idea of the present invention. At the same time, those of ordinary skill in the art may, according to the idea of the present invention, make changes in the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (12)

1. An authorization method, characterized by including:
receiving an authorization request sent by a first user through a first client, the authorization request including the user identifier (ID) of the first user and the identifier of the resource requested;
determining, according to the user ID of the first user, the group information of the group to which the first user belongs;
determining, according to the stored authorization record, that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource;
generating a first access token and sending the first access token to the first client.
2. The method of claim 1, characterized in that determining the group information of the group to which the first user belongs according to the user ID of the first user is specifically:
sending to a cluster server a group query message containing the user ID of the first user;
receiving a group confirmation message returned by the cluster server, the group confirmation message including the group information of the group to which the first user belongs, wherein the group information includes the group identifier of the group to which the first user belongs.
3. The method of claim 1, characterized in that determining the group information of the group to which the first user belongs according to the user ID of the first user is specifically:
querying a locally stored group database, the group database including stored group identifiers and the corresponding group member information;
determining, according to the user ID of the first user, the group identifier of the group to which the first user belongs.
4. The method of any one of claims 1 to 3, characterized in that, before receiving the authorization request sent by the first user through the first client, the method further includes:
receiving an authorization request sent by a second user through a second client, the authorization request including the user ID of the second user and the identifier of the resource;
determining, according to the user ID of the second user, that the second user belongs to the group;
determining that the group has not obtained the authorization of the resource owner;
sending an authentication request to the resource owner, the authentication request including the group information;
receiving an authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group;
storing an authorization record that the group has obtained access permission for the resource corresponding to the identifier of the resource;
generating a second access token and sending the second access token to the second client.
5. The method of any one of claims 1 to 4, characterized in that, before determining the group information of the group to which the first user belongs according to the user ID of the first user, the method further includes:
determining that the resource owner has not authorized the first user.
6. An authentication server for authorizing a user to access a resource through a client, characterized by including:
a receiving module, configured to receive an authorization request sent by a first user through a first client, the authorization request including the user identifier (ID) of the first user and the identifier of the resource requested;
a determining module, configured to determine, according to the user ID of the first user received by the receiving module, the group information of the group to which the first user belongs, and to determine, according to the stored authorization record, that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource;
a sending module, configured to generate a first access token and send the first access token to the first client.
7. The authentication server of claim 6, characterized in that the determining module determining the group information of the group to which the first user belongs according to the user ID of the first user is specifically:
sending to a cluster server a group query message containing the user ID of the first user;
receiving a group confirmation message returned by the cluster server, the group confirmation message including the group information of the group to which the first user belongs, wherein the group information includes the group identifier of the group to which the first user belongs.
8. The authentication server of claim 6, characterized in that the determining module determining the group information of the group to which the first user belongs according to the user ID of the first user is specifically:
querying a locally stored group database, the group database including stored group identifiers and the corresponding group member information;
determining, according to the user ID of the first user, the group identifier of the group to which the first user belongs.
9. The authentication server of any one of claims 6 to 8, characterized in that the authentication server further includes:
the receiving module, further configured to receive an authorization request sent by a second user through a second client, the authorization request including the user ID of the second user and the identifier of the resource;
the determining module, further configured to determine, according to the user ID of the second user received by the receiving module, that the second user belongs to the group, and to determine that the group has not obtained the authorization of the resource owner;
the sending module, further configured to send an authentication request to the resource owner, the authentication request including the group information;
the receiving module, further configured to receive an authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group;
a storing module, configured to store an authorization record that the group has obtained access permission for the resource corresponding to the identifier of the resource;
the sending module, further configured to generate a second access token and send the second access token to the second client.
10. The authentication server of any one of claims 6 to 9, characterized in that, before the determining module determines the group information of the group to which the first user belongs according to the user ID of the first user, the determining module is further configured to determine that the resource owner has not authorized the first user.
11. A system for processing authorization, characterized by including:
a first client, configured to send an authorization request to an authentication server, the authorization request including the user identifier (ID) of a first user and the identifier of the resource requested;
the authentication server, configured to receive the authorization request sent by the first user through the first client, the authorization request including the user ID of the first user and the identifier of the resource requested; to determine, according to the user ID of the first user, the group information of the group to which the first user belongs; to determine, according to the stored authorization record, that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource; and to generate a first access token and send the first access token to the first client.
12. The system of claim 11, characterized in that the system further includes:
a second client, configured to send an authorization request to the authentication server, the authorization request including the user ID of a second user and the identifier of the resource;
the authentication server, further configured to receive the authorization request sent by the second user through the second client, the authorization request including the user ID of the second user and the identifier of the resource; to determine, according to the user ID of the second user, that the second user belongs to the group; to determine that the group has not obtained the authorization of the resource owner; to send an authentication request to the resource owner, the authentication request including the group information; to receive an authentication response returned by the resource owner, the authentication response including indication information that the resource owner agrees to authorize the group; to store an authorization record that the group has obtained access permission for the resource corresponding to the identifier of the resource; and to generate a second access token and send the second access token to the second client.
CN201510333657.4A 2015-06-16 2015-06-16 Method, device and system for processing authorization CN106330813A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510333657.4A CN106330813A (en) 2015-06-16 2015-06-16 Method, device and system for processing authorization

Publications (1)

Publication Number Publication Date
CN106330813A true CN106330813A (en) 2017-01-11

Family

ID=57732341

Country Status (1)

Country Link
CN (1) CN106330813A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018129699A1 (en) * 2017-01-13 2018-07-19 Qualcomm Incorporated Logical channel prioritization and mapping to different numerologies

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771677A (en) * 2008-12-31 2010-07-07 华为技术有限公司 Method for providing resource for access user, server and system thereof
CN102405630A (en) * 2009-04-20 2012-04-04 交互数字专利控股公司 System of multiple domains and domain ownership
CN103716326A (en) * 2013-12-31 2014-04-09 华为技术有限公司 Resource access method and URG

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20170111