CN106973041B - Method, system and authentication server for issuing an identity authentication credential - Google Patents
Method, system and authentication server for issuing an identity authentication credential
- Publication number: CN106973041B (application CN201710121273.5A)
- Authority: CN (China)
- Prior art keywords: authentication, authority, server, application, module
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0815: Network architectures or network communication protocols for network security, for authentication of entities providing single-sign-on or federations
- H04L63/083: Network architectures or network communication protocols for network security, for authentication of entities using passwords
- H04L9/3226: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3247: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
Abstract
The present invention relates to the field of communications, and in particular to a method, system and authentication server for issuing an identity authentication credential. The method specifically includes: the authentication server receives an authentication request sent by an application server; when the user enters user information on the user authentication page, the authentication server judges whether the user information is legal and, if so, generates an authorization code and sends it to the application server. When the authentication server receives a request for an authentication credential, it judges whether the application server is legal according to the application identifier and application password in the request, and judges whether the authorization code in the request is valid; if both judgements are yes, the authentication server organizes an identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the credential with its private key, and sends the signature result and the credential to the application server. The invention makes user login more convenient and reduces the cost to websites of building their own member system and login function.
Description
Technical field
The present invention relates to the field of communications, and in particular to a method, system and authentication server for issuing an identity authentication credential.
Background technique
In the prior art, a user who uses the services of a website for the first time generally has to go through a cumbersome account registration process. Websites generally register accounts in one of two ways. In the first, letters or data freely chosen by the user serve as the account name, and the user also has to fill in a large amount of user information; after registering accounts at multiple websites, the user then faces the trouble of remembering a large number of website accounts, and has to register again if a website account is forgotten. In the second, the user registers the website account with an existing e-mail address, but then often receives more spam, which is a poor user experience. In addition, every website that provides services has to build its own member system and login function, which increases the website's development cost.
Summary of the invention
The present invention provides a method, system and authentication server for issuing an identity authentication credential.
A method for issuing an identity authentication credential comprises:
Step S1: after receiving an access request triggered by the user, the application server redirects to the user authentication page and sends an authentication request to the authentication server;
Step S2: when the user enters user information on the user authentication page, the authentication server obtains the user information from the user authentication page and judges whether it is legal; if so, it generates an authorization code, returns the authorization code to the application server and step S3 is executed; otherwise the process ends;
Step S3: the application server organizes a request for an authentication credential from the authorization code and from the application identifier and application password it registered in advance with the authentication server, and sends the request to the authentication server;
Step S4: the authentication server judges whether the application server is legal according to the application identifier and application password in the request for an authentication credential, and judges whether the authorization code in the request is valid; if both judgements are yes, step S5 is executed, otherwise the process ends;
Step S5: the authentication server organizes an identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the credential with its private key, and sends the signature result and the credential to the application server;
Step S6: the application server verifies the signature result with the public key; if verification passes, it binds the identity authentication credential to the user.
A method for issuing an identity authentication credential comprises:
Step R1: the authentication server receives an authentication request sent by the application server; when the user enters user information on the user authentication page, it obtains the user information from the page and judges whether it is legal; if so, it generates an authorization code, returns the authorization code to the application server and step R2 is executed; otherwise the process ends;
Step R2: when the authentication server receives the request for an authentication credential sent by the application server, it judges whether the application server is legal according to the application identifier and application password in the request, and judges whether the authorization code in the request is valid; if both judgements are yes, step R3 is executed, otherwise the process ends;
Step R3: the authentication server organizes an identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the credential with its private key, and sends the signature result and the credential to the application server.
A system for issuing an identity authentication credential includes an authentication server and an application server.
The application server specifically includes:
a first sending module, for redirecting to the user authentication page after receiving an access request triggered by the user and sending an authentication request to the authentication server; it is also used to send the request for an authentication credential organized by the first organizing module to the authentication server;
a second receiving module, for receiving the authorization code sent by the authentication server; it is also used to receive the signature result and the identity authentication credential sent by the authentication server;
a first organizing module, for organizing a request for an authentication credential from the authorization code received by the second receiving module and from the application identifier and application password registered in advance with the authentication server;
a binding module, for verifying with the public key the signature result received by the second receiving module and, if verification passes, binding the identity authentication credential received by the second receiving module to the user.
The authentication server specifically includes:
a first receiving module, for receiving the authentication request sent by the application server; it is also used to receive the request for an authentication credential sent by the application server;
a user information obtaining module, for obtaining the user information from the user authentication page after the user enters it there;
a first judging module, for judging, after the first receiving module receives the authentication request, whether the user information obtained by the user information obtaining module is legal;
an authorization code generating module, for generating an authorization code after the first judging module determines that the user information is legal;
a first sending module, for sending the authorization code generated by the authorization code generating module to the application server; it is also used to send the signature result produced by the signing module and the identity authentication credential organized by the second organizing module to the application server;
a second judging module, for judging whether the application server is legal according to the application identifier and application password in the request for an authentication credential received by the first receiving module, and judging whether the authorization code in that request is valid;
a second organizing module, for organizing, when the second judging module determines that the application server is legal and the authorization code is valid, an identity authentication credential from the application identifier in the request received by the first receiving module, the authentication server identifier, and the user information obtained by the user information obtaining module;
a signing module, for signing with the private key the identity authentication credential organized by the second organizing module to obtain the signature result.
An authentication server for issuing an identity authentication credential comprises:
a first receiving module, for receiving the authentication request sent by the application server; it is also used to receive the request for an authentication credential sent by the application server;
a user information obtaining module, for obtaining the user information from the user authentication page when the user enters it there;
a first judging module, for judging, when the first receiving module receives the authentication request, whether the user information obtained by the user information obtaining module is legal;
an authorization code generating module, for generating an authorization code after the first judging module determines that the user information is legal;
a first sending module, for sending the authorization code generated by the authorization code generating module to the application server; it is also used to send the signature result produced by the signing module and the identity authentication credential organized by the second organizing module to the application server;
a second judging module, for judging whether the application server is legal according to the application identifier and application password in the request for an authentication credential received by the first receiving module, and judging whether the authorization code in that request is valid;
a second organizing module, for organizing, when the second judging module determines that the application server is legal and the authorization code is valid, an identity authentication credential from the application identifier in the request received by the first receiving module, the authentication server identifier, and the user information obtained by the user information obtaining module;
a signing module, for signing with the private key the identity authentication credential organized by the second organizing module to obtain the signature result.
The invention has the following benefits: it simplifies the process by which a user registers with and logs in to a website, and avoids the complicated process of repeated registration and filling in identity data, so that user login is more efficient and convenient. The user does not need to remember a large number of website accounts; by registering an identity authentication credential with the authentication server once, the user can freely log in to any website that supports credential-based login. Websites that provide services are spared the cost of building their own member system and login function.
Detailed description of the invention
To explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for issuing an identity authentication credential provided by Embodiment 1 of the present invention;
Fig. 2 and Fig. 3 are flow charts of a method for issuing an identity authentication credential provided by Embodiment 2 of the present invention;
Fig. 4 is a block diagram of a system for issuing an identity authentication credential provided by Embodiment 3 of the present invention;
Fig. 5 is a block diagram of an authentication server for issuing an identity authentication credential provided by Embodiment 4 of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative work fall within the protection scope of the present invention.
Embodiment 1
This embodiment provides a method for issuing an identity authentication credential, which specifically includes:
Step S1: after receiving an access request triggered by the user, the application server redirects to the user authentication page and sends an authentication request to the authentication server;
Step S2: when the user enters user information on the user authentication page, the authentication server obtains the user information from the user authentication page and judges whether it is legal; if so, it generates an authorization code, returns the authorization code to the application server and step S3 is executed; otherwise the process ends.
Further, the authentication request includes a redirect URL, and returning the authorization code to the application server specifically means returning the authorization code to the application server according to the redirect URL.
Preferably, between step S1 and step S2 the method further includes: the authentication server judges whether all required parameters in the authentication request are present and valid; if so, step S2 is executed, otherwise an authentication failure response is returned to the application server and the process ends.
Further, judging whether all required parameters in the authentication request are present and valid specifically includes:
Step A1: the authentication server judges whether the authentication request contains an application identifier and a redirect URL; if so, step A2 is executed, otherwise an authentication failure response is returned to the application server and the process ends;
Step A2: the authentication server obtains the application identifier from the authentication request and judges, according to the application identifier, whether the application server is registered; if so, step A3 is executed, otherwise an authentication failure response is returned to the application server and the process ends;
Step A3: the authentication server obtains the redirect URL pre-registered by the application server according to the application identifier and judges whether the redirect URL in the authentication request matches the stored redirect URL; if so, step S2 is executed, otherwise an authentication failure response is returned to the application server and the process ends.
Step S3: the application server organizes a request for an authentication credential from the authorization code and from the application identifier and application password it registered in advance with the authentication server, and sends the request to the authentication server;
Step S4: the authentication server judges whether the application server is legal according to the application identifier and application password in the request for an authentication credential, and judges whether the authorization code in the request is valid; if both judgements are yes, step S5 is executed, otherwise the process ends.
Preferably, step S3 specifically includes:
Step B1: the application server encrypts the application identifier and application password registered in advance with the authentication server to generate application ciphertext information;
Step B2: the application server organizes the request for an authentication credential from the application ciphertext information and the authorization code, and sends the request to the authentication server.
Step S4 then specifically includes: the authentication server obtains the application ciphertext information from the request for an authentication credential, decrypts it to obtain the application identifier and application password, judges whether the application server is legal according to the application identifier and application password, and judges whether the authorization code in the request is valid; if both judgements are yes, step S5 is executed, otherwise the process ends.
Step S5: the authentication server organizes an identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the credential with its private key, and sends the signature result and the credential to the application server;
Step S6: the application server verifies the signature result with the public key; if verification passes, it binds the identity authentication credential to the user.
Specifically, binding the identity authentication credential to the user means: the application server obtains the user information from the credential and stores the user information in correspondence with the credential.
Optionally, binding the identity authentication credential to the user means: the application server allocates a character string as the user identifier and stores the user identifier in correspondence with the credential.
Preferably, the authentication request further includes the scope of resources to which access is requested.
Step S5 then specifically includes: the authentication server generates an access credential and stores it in correspondence with the requested resource scope; it organizes the identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the identity authentication credential with the private key, and sends the identity authentication credential, the signature result and the access credential to the application server.
After step S6 the method further includes: the application server uses the access credential to request from the authentication server the resources within the requested resource scope.
Preferably, in step S6, after the application server has verified the signature result with the public key and verification has passed, and before it binds the identity authentication credential to the user, the method further includes: the application server judges whether the application identifier in the identity authentication credential is legal; if so, it continues with binding the credential to the user, otherwise it returns credential-invalid information to the authentication server and the process ends.
Further, in step S2, after the user information has been judged legal and before the authorization code is generated, the method further includes: the authentication server redirects to the user authorization page according to the requested resource scope and judges whether permission authorization information for the requested resource scope is obtained from the user authorization page; if so, it generates the authorization code, otherwise it returns an authentication failure response to the application server.
Preferably, step S5 specifically includes: the authentication server takes the current server time as the credential sending time, organizes the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential sending time, signs the credential with the private key, and sends the identity authentication credential, the signature result and the access credential to the application server.
In step S6, after the application server has verified the signature result with the public key and obtained the identity authentication credential, and before it binds the credential to the user, the method further includes: the application server judges whether the credential sending time in the identity authentication credential is earlier than a first preset time; if so, it sends credential-invalid information to the authentication server and the process ends; otherwise it continues with binding the credential to the user.
Preferably, when step S2 determines that the user is legal, the method further includes: obtaining the current server time as the terminal user authentication time.
Step S5 then specifically includes: the authentication server organizes the identity authentication credential from the application identifier, the authentication server identifier, the user information and the terminal user authentication time, signs the credential with the private key, and sends the signature result and the credential to the application server.
In step S6, after the application server has verified the signature result with the public key and obtained the identity authentication credential, and before it binds the credential to the user, the method further includes: the application server judges whether the terminal user authentication time in the credential is earlier than a second preset time; if so, it sends credential-invalid information to the authentication server; otherwise it continues with binding the credential to the user.
Preferably, step S5 specifically includes: the authentication server organizes the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential validity period, signs the credential with the private key, and sends the signature result and the credential to the application server.
In step S6, after the application server has verified the signature result with the public key and verification has passed, and before it binds the identity authentication credential to the user, the method further includes: the application server judges whether the current server time is earlier than the validity period of the credential; if so, it continues with binding the credential to the user, otherwise it returns credential-invalid information to the authentication server.
This embodiment also provides a method for issuing an identity authentication credential, shown in Fig. 1, which comprises:
Step R1: the authentication server receives an authentication request sent by the application server; when the user enters user information on the user authentication page, it obtains the user information from the page and judges whether it is legal; if so, it generates an authorization code, returns the authorization code to the application server and step R2 is executed; otherwise it returns an authentication failure response to the application server and the process ends.
Specifically, the authentication request includes a redirect URL, and returning the authorization code to the application server specifically means returning the authorization code to the application server according to the redirect URL.
Preferably, in step R1, after the user information has been judged legal and before the authorization code is generated, the method further includes: the authentication server redirects to the user authorization page according to the requested resource scope and judges whether permission authorization information for the requested resource scope is obtained from the user authorization page; if so, it generates the authorization code, otherwise it returns an authentication failure response to the application server and the process ends.
Preferably, in step R1, after the authentication server receives the authentication request and before it obtains the user information from the user authentication page, the method further includes: the authentication server judges whether all required parameters in the authentication request are present and valid; if so, it continues with obtaining the user information from the user authentication page, otherwise it returns an authentication failure response to the application server and the process ends.
Specifically, judging whether all required parameters in the authentication request are present and valid includes:
Step C1: the authentication server judges whether the authentication request contains an application identifier and a redirect URL; if so, step C2 is executed, otherwise an authentication failure response is returned to the application server and the process ends;
Step C2: the authentication server obtains the application identifier from the authentication request and judges, according to the application identifier, whether the application server is registered; if so, step C3 is executed, otherwise an authentication failure response is returned to the application server and the process ends;
Step C3: the authentication server obtains the redirect URL pre-registered by the application server according to the application identifier and judges whether the redirect URL in the authentication request matches the stored redirect URL; if so, step C2 is executed, otherwise an authentication failure response is returned to the application server and the process ends.
Step R2, when certificate server receives the acquisition authentication authority request of application server transmission, according to
Whether application identities and applied cryptography in acquisition authentication authority request judge application server legal, and judge to obtain body
Whether the authorization code in part certification authority request is effective, and step R3 is executed when judgement, which is, is, is otherwise returned to application server
Failed authentication response is returned, is terminated;
Specifically, step R2 is specifically included: certificate server obtains application cryptogram from acquisition authentication authority request
Information is decrypted be applied mark and applied cryptography to using cipher-text information, is judged according to application identities and applied cryptography
Whether application server is legal, and judges whether the authorization code obtained in the request of authentication authority is effective, when judgement is to be
Otherwise Shi Zhihang step R3 returns to failed authentication response to application server, terminates.
Step R3: the certificate server organises the authentication credential from the application identity, the certificate server identity and the user information, signs the authentication credential with its private key, and sends the signature result to the application server.
If the authentication request further includes the requested resource scope, step R3 specifically includes: the certificate server generates an access credential and stores it in correspondence with the requested resource scope; organises the authentication credential from the application identity, the certificate server identity and the user information; signs the authentication credential and the access credential with its private key; and sends the signature result and the access credential to the application server.
Optionally, step R3 specifically includes: the certificate server obtains the current server time as the credential sending time, organises the authentication credential from the application identity, the certificate server identity, the user information and the credential sending time, signs the authentication credential with its private key, and sends the signature result to the application server.
Optionally, when the user is determined to be legitimate in step R1, the certificate server also obtains the current server time as the terminal-user authentication time; step R3 then specifically includes: the certificate server organises the authentication credential from the application identity, the certificate server identity, the user information and the terminal-user authentication time, signs the authentication credential with its private key, and sends the signature result to the application server.
Optionally, step R3 specifically includes: the certificate server organises the authentication credential from the application identity, the certificate server identity, the user information and the credential validity period, signs the authentication credential with its private key, and sends the signature result to the application server.
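The certificate server's checks in steps C2, C3 and R2 above, as an added Go example; this is not the patent's code. It assumes an in-memory registry holding the page's application identity s6BhdRkqt3 and Redirect URL (the password gX1fBat3bV is the one encoded in the page's Basic header), treats the HTTP Basic credential of the token request as the application ciphertext information, and binds each authorization code to the application identity and Redirect URL so that step R2 can check it.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/url"
	"strings"
)

// App is what the certificate server stores for an application at registration
// (constructed entry: the page's identity s6BhdRkqt3 and Redirect URL; the
// password is the one encoded in the page's Basic header).
type App struct {
	RedirectURL string
	Password    string
}

// codeBinding records what an issued authorization code is bound to.
type codeBinding struct {
	AppID, RedirectURL string
	Used               bool
}

// AuthServer is a single-goroutine model; a real server must serialise access to codes.
type AuthServer struct {
	apps  map[string]App
	codes map[string]codeBinding
}

func NewAuthServer() *AuthServer {
	return &AuthServer{
		apps:  map[string]App{"s6BhdRkqt3": {"https://client.example.org/cb", "gX1fBat3bV"}},
		codes: map[string]codeBinding{},
	}
}

// CheckAuthRequest performs steps C2 and C3 on the query string of the
// authentication request and returns the application identity on success.
func (s *AuthServer) CheckAuthRequest(rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	appID := q.Get("client_id")
	app, ok := s.apps[appID]
	if !ok { // also covers a missing client_id
		return "", errors.New("authentication failed: application not registered")
	}
	if q.Get("redirect_uri") != app.RedirectURL { // exact match, no prefix matching
		return "", errors.New("authentication failed: redirect_uri does not match registration")
	}
	return appID, nil
}

// IssueCode generates a random authorization code bound to the application and its Redirect URL.
func (s *AuthServer) IssueCode(appID string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	code := base64.RawURLEncoding.EncodeToString(b)
	s.codes[code] = codeBinding{AppID: appID, RedirectURL: s.apps[appID].RedirectURL}
	return code, nil
}

// CheckTokenRequest performs step R2 on the request for obtaining an
// authentication credential: recover identity and password from the Basic
// credential, check them against the registry, check the Redirect URL, and
// check that the code is bound to this application and has not been used.
func (s *AuthServer) CheckTokenRequest(authHeader, body string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(authHeader, "Basic "))
	if err != nil || !strings.HasPrefix(authHeader, "Basic ") {
		return "", errors.New("authentication failed: application ciphertext missing or malformed")
	}
	appID, password, found := strings.Cut(string(raw), ":")
	app, registered := s.apps[appID]
	if !found || !registered || subtle.ConstantTimeCompare([]byte(password), []byte(app.Password)) != 1 {
		return "", errors.New("authentication failed: application identity or password wrong")
	}
	form, err := url.ParseQuery(body)
	if err != nil {
		return "", err
	}
	if form.Get("grant_type") != "authorization_code" || form.Get("redirect_uri") != app.RedirectURL {
		return "", errors.New("authentication failed: grant_type or redirect_uri invalid")
	}
	code := form.Get("code")
	binding, ok := s.codes[code]
	if !ok || binding.Used || binding.AppID != appID || binding.RedirectURL != form.Get("redirect_uri") {
		return "", errors.New("authentication failed: authorization code invalid")
	}
	binding.Used = true // an authorization code is accepted once only
	s.codes[code] = binding
	return appID, nil
}
```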
Embodiment 2
This embodiment provides a method for issuing an authentication credential, as shown in Figures 2 and 3, comprising the following.
The terminal user must register user information with the certificate server in advance; the user information specifically includes a user name and a password. The certificate server must assign a unique terminal user identifier to the terminal user.
The application server must register in advance with the certificate server its Redirect URL and any other information the certificate server requires; that other information includes the application name and the application password. The certificate server assigns a unique application identity to the application server, and the application server and the certificate server negotiate in advance information such as the public/private key pair used for authentication credentials.
Step 101: after receiving the access request triggered by the user, the application server jumps to the user authentication page and organises an authentication request containing the requested resource scope, the response type, the application identity and the Redirect URL.
The requested resource scope must include a preset parameter that identifies this request as an identity authentication request. The response type is used to determine the user authentication mode currently in use; for example, when the authorization code flow is used, the response type is code. Preferably, the authentication request further includes a state identifier whose value is invisible to any application other than the certificate server and the application server.
In this embodiment, the authentication request is specifically:
HTTP/1.1 302 Found
Location: https://server.example.com/authorize?response_type=code&scope=openid%20profile%20email&client_id=s6BhdRkqt3&state=af0ifjsldkj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
Here response_type=code indicates that the response type is authorization code; scope=openid%20profile%20email indicates that this is an identity authentication request and that the requested resource scope is the terminal user identifier and the email address; client_id=s6BhdRkqt3 indicates that the relying party identifier is s6BhdRkqt3; state=af0ifjsldkj indicates that the state identifier is af0ifjsldkj; and redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb indicates that the (URL-encoded) Redirect URL is https%3A%2F%2Fclient.example.org%2Fcb, i.e. https://client.example.org/cb.
Step 102: the application server sends the authentication request to the certificate server.
Step 103: the certificate server determines whether all mandatory parameters in the authentication request are present and valid; if so, step 104 is executed, otherwise a failed-authentication response is returned to the application server and the process ends.
Step 103 specifically includes:
Step 103-1: the certificate server determines whether the authentication request contains an application identity and a Redirect URL; if so, step 103-2 is executed, otherwise a failed-authentication response is returned to the application server and the process ends.
Step 103-2: the certificate server obtains the application identity from the authentication request and determines whether the application server is registered; if so, step 103-3 is executed, otherwise a failed-authentication response is returned to the application server and the process ends.
Step 103-3: the certificate server obtains the application server's pre-registered Redirect URL according to the application identity and determines whether the Redirect URL in the authentication request matches the stored Redirect URL; if so, step 104 is executed, otherwise a failed-authentication response is returned to the application server and the process ends.
Step 104: when the user enters user information on the user authentication page, the certificate server obtains the user information from that page and determines whether it is legitimate; if so, it obtains the current server time as the terminal-user authentication time and executes step 105, otherwise it returns a failed-authentication response to the application server and the process ends.
Step 105: the certificate server jumps to the user authorization page according to the requested resource scope and determines whether permission-granted authorization information for the requested resource scope can be obtained from that page; if so, step 106 is executed, otherwise a failed-authentication response is returned to the application server and the process ends.
Step 106: the certificate server generates an authorization code, binds the authorization code to the application identity and the Redirect URL, generates an authentication success response from the Redirect URL and the authorization code, and sends the authentication success response to the application server.
Specifically, the certificate server generates a random string as the authorization code; for example, the authorization code generated in this embodiment is SplxlOBeZQQYbYS6WxSbIA.
The authentication response is specifically:
HTTP/1.1 302 Found
Location: https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj
Here https://client.example.org/cb is the Redirect URL stored for the application server, and code=SplxlOBeZQQYbYS6WxSbIA indicates that the authorization code generated by the certificate server is SplxlOBeZQQYbYS6WxSbIA. Preferably, the authentication response also carries the state identifier.
Step 107: the application server encrypts the application identity and the application password to generate the application ciphertext information.
Step 108: the application server generates a request for obtaining an authentication credential from the application ciphertext information, the authorization code and the Redirect URL, and sends that request to the certificate server.
The request for obtaining an authentication credential is specifically:
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
Step 109: the certificate server obtains the application ciphertext information from the request for obtaining an authentication credential and decrypts it to recover the application identity and the application password.
Step 110: the certificate server determines from the application identity and the application password whether the application server is legitimate; if so, step 111 is executed, otherwise a failed-authentication response is returned to the application server and the process ends.
Specifically, the certificate server determines whether it can look up registration information consistent with the application identity and application password recovered from the application ciphertext information; if so, the application server is legitimate, otherwise a failed-authentication response is returned to the application server and the process ends.
Step 111: the certificate server determines whether the Redirect URL in the request for obtaining an authentication credential is consistent with the Redirect URL the application server registered in advance; if so, step 112 is executed, otherwise a failed-authentication response is returned to the application server and the process ends.
Step 112: the certificate server obtains the authorization code from the request for obtaining an authentication credential and determines whether it is valid; if so, step 113 is executed, otherwise a failed-authentication response is returned to the application server and the process ends.
Specifically, the certificate server determines whether the authorization code bound to the application identity is consistent with the authorization code obtained from the request; if so, the authorization code is valid, otherwise it is invalid.
Step 113: the certificate server obtains the current server time as the issue time of the authentication credential.
Step 114: the certificate server organises the authentication credential from the application identity, the certificate server identity, the user information, the credential validity period, the credential issue time and the terminal-user authentication time.
It should be understood that the credential validity period, the credential issue time and the terminal-user authentication time are JSON numbers representing the number of seconds from 00:00:00 on 1 January 1970 to the respective time. In this embodiment the authentication credential generated by the certificate server is specifically:
{"iss":"https://server.example.com","sub":"24400320","aud":"s6BhdRkqt3","nonce":"n-0S6_WzA2Mj","exp":1311281970,"iat":1311280970,"auth_time":1311280969,"acr":"urn:mace:incommon:iap:silver"}
Here "iss":"https://server.example.com" indicates that the certificate server identity is https://server.example.com; "sub":"24400320" indicates that the user information is 24400320; "aud":"s6BhdRkqt3" indicates that the application server identifier is s6BhdRkqt3; "exp":1311281970 indicates the credential validity period; "iat":1311280970 indicates the credential issue time; and "auth_time":1311280969 indicates the terminal-user authentication time.
Step 115: the certificate server signs the authentication credential with its private key to obtain the signature result.
Specifically, the signature algorithm may be SHA256withRSA; other algorithms, such as SHA1withRSA or the SM2 signature algorithm, may also be used.
Step 116: the certificate server generates an access credential, generates a response for obtaining an authentication credential from the authentication credential, the signature result and the access credential, and sends that response to the application server.
Specifically, in this embodiment the response for obtaining an authentication credential includes: the access credential, the access type, the access credential validity period, the refresh credential and the signature result.
Preferably, the headers of the response should indicate that no part of the response may be cached and that no part of it may be stored in a temporary file.
In this embodiment, the response for obtaining an authentication credential is specifically:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{"access_token":"SlAV32hkKG","token_type":"Bearer","refresh_token":"8xLOxBtZp8","expires_in":3600,"iss":"https://server.example.com","sub":"24400320","aud":"s6BhdRkqt3","nonce":"n-0S6_WzA2Mj","exp":1311281970,"iat":1311280970,"auth_time":1311280969,"acr":"urn:mace:incommon:iap:silver","id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"}
Here the access credential access_token is SlAV32hkKG; the access type token_type is Bearer; the access credential validity period expires_in is 3600 minutes; the refresh credential refresh_token is 8xLOxBtZp8; and the signature result is the value of id_token.
Step 117: the application server obtains the signature result from the response for obtaining an authentication credential and verifies it with the public key specified when the application server registered; if verification passes, step 118 is executed, otherwise error handling is performed.
Step 118: the application server determines whether the application identity in the authentication credential is correct; if so, step 119 is executed, otherwise invalid-credential information is sent to the certificate server.
Specifically, the application server determines whether the application identity in the authentication credential is consistent with the application identity the certificate server assigned when the application server registered; if so, the application identity is correct, otherwise it is incorrect.
Step 119: the application server obtains the credential validity period from the authentication credential and determines whether the current time is earlier than it; if so, step 120 is executed, otherwise invalid-credential information is sent to the certificate server.
Step 120: the application server obtains the credential issue time from the authentication credential and determines whether it is earlier than the first preset time; if so, invalid-credential information is sent to the certificate server, otherwise step 121 is executed.
Step 121: the application server obtains the terminal-user authentication time from the authentication credential and determines whether it is earlier than the second preset time; if so, invalid-credential information is sent to the certificate server, otherwise the authentication credential is bound to the user.
Specifically, binding the authentication credential to the user means: the application server obtains the user information from the authentication credential and stores the user information in correspondence with the authentication credential.
Alternatively, binding the authentication credential to the user means: the application server assigns a character string as the user identifier and stores the user identifier in correspondence with the authentication credential.
It should be noted that after step 121 the application server has completed identity authentication of the terminal user and can provide the corresponding service to the terminal user; alternatively, the application server can use the access credential to obtain from the certificate server the resources that the terminal user authorised in step 105.
Further, after the application server sends terminal-user authentication failure information to the certificate server in step 118, 119, 120 or 121, the application server may also send the certificate server a request to re-authenticate the terminal user.
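Issuing the credential in steps 113-115 and checking it in steps 117-121, as an added Go example that is not the patent's or any project's code. It uses SHA256withRSA in the compact JWS form the page's id_token uses and the claim values the page gives; GenerateServerKey stands in for the key pair negotiated at registration, and the first and second preset times are parameters, since the page does not fix them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDToken holds the claims of the page's authentication credential (step 114);
// times are seconds since 00:00:00 on 1 January 1970, as the page states.
type IDToken struct {
	Iss      string `json:"iss"`
	Sub      string `json:"sub"`
	Aud      string `json:"aud"`
	Nonce    string `json:"nonce,omitempty"`
	Exp      int64  `json:"exp"`       // end of the validity period
	Iat      int64  `json:"iat"`       // credential issue time
	AuthTime int64  `json:"auth_time"` // terminal-user authentication time
}

var b64 = base64.RawURLEncoding

// GenerateServerKey stands in for the key pair negotiated at registration (constructed).
func GenerateServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Issue performs steps 114-115: serialise the claims and sign them with the
// certificate server's private key using SHA256withRSA (JWS alg RS256), giving
// the compact header.payload.signature form the page's id_token uses.
func Issue(key *rsa.PrivateKey, claims IDToken) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	header := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	signingInput := header + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify performs steps 117-121 on the application server: pub is the public key
// fixed at registration, expectedAud the assigned application identity, now the
// application server's clock, firstPreset and secondPreset the page's preset times.
func Verify(pub *rsa.PublicKey, token, expectedAud string,
	now, firstPreset, secondPreset time.Time) (*IDToken, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("credential malformed")
	}
	// Step 117: verify the signature before trusting any claim. The algorithm is
	// pinned to SHA256withRSA; the header's alg field is deliberately not consulted.
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("credential malformed")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("credential malformed")
	}
	var claims IDToken
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	switch {
	case claims.Aud != expectedAud: // step 118
		return nil, errors.New("credential invalid: application identity incorrect")
	case !now.Before(time.Unix(claims.Exp, 0)): // step 119
		return nil, errors.New("credential invalid: validity period has passed")
	case time.Unix(claims.Iat, 0).Before(firstPreset): // step 120
		return nil, errors.New("credential invalid: issued before the first preset time")
	case time.Unix(claims.AuthTime, 0).Before(secondPreset): // step 121
		return nil, errors.New("credential invalid: user authenticated before the second preset time")
	}
	return &claims, nil // the caller now binds the credential to the user (claims.Sub)
}

func main() {
	key, _ := GenerateServerKey()
	token, _ := Issue(key, IDToken{Iss: "https://server.example.com", Sub: "24400320",
		Aud: "s6BhdRkqt3", Nonce: "n-0S6_WzA2Mj", Exp: 1311281970, Iat: 1311280970, AuthTime: 1311280969})
	got, err := Verify(&key.PublicKey, token, "s6BhdRkqt3", // constructed clock values
		time.Unix(1311281000, 0), time.Unix(1311280000, 0), time.Unix(1311280000, 0))
	fmt.Println(got != nil, err)
}
```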
Embodiment 3
This embodiment provides a system for issuing an authentication credential, referring to Fig. 4, comprising an application server and a certificate server.
The application server specifically includes:
a first sending module, configured to jump to the user authentication page after receiving the access request triggered by the user and send an authentication request to the certificate server, and further configured to send the request for obtaining an authentication credential organised by the first organising module to the certificate server;
a second receiving module, configured to receive the authorization code sent by the certificate server, and further configured to receive the signature result and the authentication credential sent by the certificate server;
a first organising module, configured to organise the request for obtaining an authentication credential from the authorization code received by the second receiving module and the application identity and application password registered in advance with the certificate server;
a binding module, configured to verify with the public key the signature result received by the second receiving module and, if verification passes, bind the authentication credential received by the second receiving module to the user.
Specifically, the binding module is configured to verify with the public key the signature result received by the second receiving module and, if verification passes, obtain the user information from the authentication credential and store the user information in correspondence with the authentication credential.
Alternatively, the binding module is configured to verify with the public key the signature result received by the second receiving module and, if verification passes, assign a character string as the user identifier and store the user identifier in correspondence with the authentication credential.
Preferably, the binding module specifically includes:
a signature verification submodule, configured to verify with the public key the signature result received by the second receiving module;
a sixth judging submodule, configured to determine, when the signature verification submodule's verification passes, whether the application identity in the authentication credential received by the second receiving module is legitimate;
a binding submodule, configured to bind the authentication credential to the user when the sixth judging submodule determines that the application identity is legitimate;
the first sending module is further configured to send invalid-credential information to the certificate server when the sixth judging submodule determines that the application identity is illegitimate.
The certificate server specifically includes:
a first receiving module, configured to receive the authentication request sent by the application server, and further configured to receive the request for obtaining an authentication credential sent by the application server;
a user information obtaining module, configured to obtain the user information from the user authentication page after the user enters it there;
a first judging module, configured to determine, after the first receiving module receives the authentication request, whether the user information obtained by the user information obtaining module is legitimate;
an authorization code generating module, configured to generate an authorization code after the first judging module determines that the user information is legitimate;
a second sending module, configured to send the authorization code generated by the authorization code generating module to the application server, and further configured to send the signature result produced by the signing module and the authentication credential organised by the second organising module to the application server.
Specifically, the authentication request received by the first receiving module further includes a Redirect URL, and the second sending module is specifically configured to send the authorization code generated by the authorization code generating module to the application server according to the Redirect URL.
A second judging module, configured to determine whether the application server is legitimate according to the application identity and application password in the request for obtaining an authentication credential received by the first receiving module, and to determine whether the authorization code in that request is valid;
a second organising module, configured, when the second judging module determines that the application server is legitimate and the authorization code is valid, to organise the authentication credential from the application identity in the request received by the first receiving module, the certificate server identity and the user information obtained by the user information obtaining module;
a signing module, configured to sign with the private key the authentication credential organised by the second organising module to obtain the signature result.
Preferably, the certificate server further includes a third judging module, configured to determine whether all mandatory parameters in the authentication request received by the first receiving module are present and valid; the first judging module is configured to determine whether the user information obtained by the user information obtaining module is legitimate when the third judging module determines that all mandatory parameters in the authentication request are present and valid; and the second sending module is further configured to send a failed-authentication response to the application server when the third judging module determines that the mandatory parameters are not all present or not all valid.
In more detail, the third judging module specifically includes:
a first judging submodule, configured to determine whether the authentication request received by the first receiving module contains an application identity and a Redirect URL;
a second judging submodule, configured, when the first judging submodule determines that the authentication request contains an application identity and a Redirect URL, to obtain the application identity from the authentication request and determine from it whether the application server is registered;
a third judging submodule, configured, when the second judging submodule determines that the application server is registered, to obtain the application server's pre-registered Redirect URL according to the application identity and determine whether the Redirect URL in the authentication request matches the stored Redirect URL;
the first judging module is specifically configured to determine whether the user information obtained by the user information obtaining module is legitimate when the third judging submodule determines that the Redirect URL in the authentication request matches the stored Redirect URL;
the second sending module is further configured to send a failed-authentication response to the application server when the third judging submodule determines that the Redirect URL in the authentication request does not match the stored Redirect URL.
Preferably, the authentication request received by the first receiving module further includes the requested resource scope;
the second organising module is specifically configured, when the second judging module determines that the application server is legitimate and the authorization code is valid, to generate an access credential, store the access credential in correspondence with the requested resource scope, and organise the authentication credential from the application identity in the request received by the first receiving module, the certificate server identity and the user information obtained by the user information obtaining module;
the second sending module is further configured to send the access credential to the application server.
The application server further includes a resource access module, configured to use the access credential to request from the certificate server the resources within the requested resource scope.
Preferably, the certificate server further includes:
a fourth judging module, configured to jump to the user authorization page according to the requested resource scope in the authentication request received by the first receiving module and determine whether permission-granted authorization information for the requested resource scope can be obtained from that page;
the authorization code generating module is configured to generate the authorization code when the fourth judging module determines that permission-granted authorization information for the requested resource scope has been received;
the second sending module is further configured to send a failed-authentication response to the application server when the fourth judging module determines that permission-granted authorization information for the requested resource scope has not been received.
Preferably, the first organising module specifically includes:
an encrypting submodule, configured to encrypt the application identity and application password registered in advance with the certificate server to generate the application ciphertext information;
a first organising submodule, configured to generate the request for obtaining an authentication credential from the application ciphertext information generated by the encrypting submodule and the authorization code and Redirect URL received by the first receiving module;
the first sending module is configured to send the request for obtaining an authentication credential generated by the first organising submodule to the certificate server.
The second judging module specifically includes:
a decrypting submodule, configured to obtain the application ciphertext information from the request for obtaining an authentication credential in the second receiving module and decrypt it to recover the application identity and application password;
a fourth judging submodule, configured to determine whether the application server is legitimate according to the application identity and application password recovered by the decrypting submodule;
a fifth judging submodule, configured to obtain the authorization code from the request for obtaining an authentication credential received by the first receiving module and determine whether the authorization code is valid;
the second organising module is configured, when the fifth judging submodule determines that the authorization code is valid and the fourth judging submodule determines that the application server is legitimate, to organise the authentication credential from the application identity, the certificate server identity and the user information, and to sign the authentication credential with the private key to obtain the signature result.
Optionally, the second organising module is specifically configured to obtain the current server time as the credential sending time and organise the authentication credential from the application identity, the certificate server identity, the user information and the credential sending time;
correspondingly, the binding module includes:
a signature verification submodule, configured to verify with the public key the signature result received by the second receiving module;
a seventh judging submodule, configured to determine, when the signature verification submodule's verification passes, whether the credential sending time in the authentication credential received by the second receiving module is earlier than the first preset time;
a binding submodule, configured to bind the authentication credential to the user when the seventh judging submodule determines that the credential sending time is not earlier than the first preset time;
the first sending module is further configured to send invalid-credential information to the certificate server when the seventh judging submodule determines that the credential sending time is earlier than the first preset time.
Optionally, the first judging module is further configured to obtain the current server time as the terminal-user authentication time, and the second organising module is specifically configured to organise the authentication credential from the application identity, the certificate server identity, the user information and the terminal-user authentication time obtained by the first judging module;
correspondingly, the binding module includes:
a signature verification submodule, configured to verify with the public key the signature result received by the second receiving module;
an eighth judging submodule, configured to determine, when the signature verification submodule's verification passes, whether the terminal-user authentication time in the authentication credential received by the second receiving module is earlier than the second preset time;
a binding submodule, configured to bind the authentication credential to the user when the eighth judging submodule determines that the terminal-user authentication time is not earlier than the second preset time;
the first sending module is further configured to send invalid-credential information to the certificate server when the eighth judging submodule determines that the terminal-user authentication time is earlier than the second preset time.
Optionally, the second organising module is specifically configured to organise the authentication credential from the application identity, the certificate server identity, the user information and the credential validity period;
correspondingly, the binding module includes:
a signature verification submodule, configured to verify with the public key the signature result received by the second receiving module;
a ninth judging submodule, configured to determine whether the current server time is earlier than the credential validity period;
a binding submodule, configured to bind the authentication credential to the user when the ninth judging submodule determines that the current server time is earlier than the credential validity period;
the first sending module is further configured to send invalid-credential information to the certificate server when the ninth judging submodule determines that the current server time is not earlier than the credential validity period.
Embodiment 4
This embodiment provides an authentication server for issuing an identity authentication credential; referring to Fig. 5, it includes:
a first receiving module, configured to receive the authentication request sent by the application server, and further configured to receive the request for obtaining an identity authentication credential sent by the application server;
a user information obtaining module, configured to obtain user information from the user authentication page when the user enters user information on the user authentication page;
a first judgment module, configured to judge, after the first receiving module receives the authentication request, whether the user information obtained by the user information obtaining module is legal;
an authorization code generation module, configured to generate an authorization code after the first judgment module determines that the user information is legal;
a second sending module, configured to send the authorization code generated by the authorization code generation module to the application server, and further configured to send the signature result produced by the signature module and the identity authentication credential assembled by the second assembling module to the application server;
specifically, the authentication request received by the first receiving module further includes a redirect URL, and the second sending module is specifically configured to send the authorization code generated by the authorization code generation module to the application server according to the redirect URL;
a second judgment module, configured to judge whether the application server is legal according to the application identifier and application password in the request for obtaining an identity authentication credential received by the first receiving module, and to judge whether the authorization code in that request is valid;
a second assembling module, configured to assemble an identity authentication credential from the application identifier in the request for obtaining an identity authentication credential received by the first receiving module, the authentication server identifier and the user information obtained by the user information obtaining module, when the second judgment module determines that the application server is legal and the authorization code is valid;
a signature module, configured to sign the identity authentication credential assembled by the second assembling module with the private key to obtain a signature result.
Preferably, the authentication server further includes a third judgment module, configured to judge whether all required parameters in the authentication request received by the first receiving module are present and valid;
the first judgment module is configured to judge, after the first receiving module receives the authentication request, whether the user information obtained by the user information obtaining module is legal when the third judgment module determines that all required parameters in the authentication request are present and valid;
the second sending module is further configured to send a failed authentication response to the application server when the third judgment module determines that the required parameters in the authentication request are not all present or not all valid.
In more detail, the third judgment module specifically includes:
a first judging submodule, configured to judge whether the authentication request received by the first receiving module contains an application identifier and a redirect URL;
a second judging submodule, configured to obtain the application identifier from the authentication request when the first judging submodule determines that the authentication request contains an application identifier and a redirect URL, and to judge according to the application identifier whether the application server is registered;
a third judging submodule, configured to obtain, when the second judging submodule determines that the application server is registered, the redirect URL pre-registered by the application server according to the application identifier, and to judge whether the redirect URL in the authentication request matches the pre-stored redirect URL;
the first judgment module is specifically configured to judge whether the user information obtained by the user information obtaining module is legal when the third judging submodule determines that the redirect URL in the authentication request matches the pre-stored redirect URL;
the second sending module is further configured to send a failed authentication response to the application server when the third judging submodule determines that the redirect URL in the authentication request does not match the pre-stored redirect URL.
Preferably, the authentication request received by the first receiving module further includes the requested resource scope;
the second assembling module is specifically configured to generate an access credential when the second judgment module determines that the application server is legal and the authorization code is valid, to store the access credential in correspondence with the requested resource scope, and to assemble the identity authentication credential from the application identifier in the request for obtaining an identity authentication credential received by the first receiving module, the authentication server identifier and the user information obtained by the first judgment module;
the second sending module is further configured to send the access credential to the application server.
Preferably, the authentication server further includes:
a fourth judgment module, configured to redirect to a user authorization page according to the requested resource scope in the authentication request received by the first receiving module, and to judge whether permission-granted information for the requested resource scope can be obtained from the user authorization page;
the authorization code generation module is configured to generate the authorization code when the fourth judgment module determines that permission-granted information for the requested resource scope has been received;
the second sending module is further configured to send a failed authentication response to the application server when the fourth judgment module determines that permission-granted information for the requested resource scope has not been received.
Preferably, the second judgment module specifically includes:
a decryption submodule, configured to obtain the application ciphertext from the request for obtaining an identity authentication credential received by the first receiving module, and to decrypt the application ciphertext to produce the application identifier and application password;
a fourth judging submodule, configured to judge whether the application server is legal according to the application identifier and application password decrypted by the decryption submodule;
a fifth judging submodule, configured to obtain the authorization code from the request for obtaining an identity authentication credential received by the first receiving module and to judge whether the authorization code is valid;
the second assembling module is configured to assemble the identity authentication credential from the application identifier, the authentication server identifier and the user information when the fifth judging submodule determines that the authorization code is valid and the fourth judging submodule determines that the application server is legal, and to sign the identity authentication credential with the private key to obtain the signature result.
Optionally, the second assembling module is specifically configured to obtain the current server time as the credential sending time and to assemble the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential sending time.
Optionally, the first judgment module is further configured to obtain the current server time as the user authentication time, and the second assembling module is specifically configured to assemble the identity authentication credential from the application identifier, the authentication server identifier, the user information and the user authentication time obtained by the first judgment module.
Optionally, the second assembling module is specifically configured to assemble the identity authentication credential from the application identifier, the authentication server identifier, the user information and the validity period of the identity authentication credential.
The embodiments described above are preferred specific embodiments of the present invention; the usual variations and substitutions made by those skilled in the art within the technical scope of the present invention shall all fall within the scope of protection of the present invention.
Claims (46)
1. A method for issuing an identity authentication credential, characterized by comprising:
Step S1: after receiving an access request triggered by a user, the application server redirects to the user authentication page and sends an authentication request to the authentication server;
Step S2: when the user enters user information on the user authentication page, the authentication server obtains the user information from the user authentication page and judges whether the user information is legal; if so, it generates an authorization code, returns the authorization code to the application server and executes step S3; otherwise the method terminates;
Step S3: the application server assembles a request for obtaining an identity authentication credential from the authorization code and the application identifier and application password it pre-registered with the authentication server, and sends the request for obtaining an identity authentication credential to the authentication server;
Step S4: the authentication server judges whether the application server is legal according to the application identifier and the application password in the request for obtaining an identity authentication credential, and judges whether the authorization code in the request is valid; if both judgments are affirmative, step S5 is executed, otherwise the method terminates;
Step S5: the authentication server assembles an identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the identity authentication credential with its private key, and sends the signature result and the identity authentication credential to the application server;
Step S6: the application server verifies the signature result with the public key; if verification passes, it binds the identity authentication credential to the user.
2. The method of claim 1, characterized in that binding the identity authentication credential to the user specifically comprises: the application server obtains the user information from the identity authentication credential and stores the user information in correspondence with the identity authentication credential.
3. The method of claim 1, characterized in that binding the identity authentication credential to the user specifically comprises: the application server allocates a character string as a user identifier and stores the user identifier in correspondence with the identity authentication credential.
4. The method of claim 1, characterized in that, between step S1 and step S2, the method further comprises: the authentication server judges whether all required parameters in the authentication request are present and valid; if so, step S2 is executed; otherwise a failed authentication response is returned to the application server and the method terminates.
5. The method of claim 4, characterized in that judging whether all required parameters in the authentication request are present and valid specifically comprises:
Step A1: the authentication server judges whether the authentication request contains an application identifier and a redirect URL; if so, step A2 is executed; otherwise a failed authentication response is returned to the application server and the method terminates;
Step A2: the authentication server obtains the application identifier from the authentication request and judges according to the application identifier whether the application server is registered; if so, step A3 is executed; otherwise a failed authentication response is returned to the application server and the method terminates;
Step A3: the authentication server obtains the redirect URL pre-registered by the application server according to the application identifier and judges whether the redirect URL in the authentication request matches the pre-registered redirect URL obtained; if so, step S2 is executed; otherwise a failed authentication response is returned to the application server and the method terminates.
6. The method of claim 1, characterized in that the authentication request further includes the requested resource scope;
step S5 specifically comprises: the authentication server generates an access credential and stores the access credential in correspondence with the requested resource scope; it assembles the identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the identity authentication credential with its private key, and sends the signature result, the identity authentication credential and the access credential to the application server;
after step S6 the method further comprises: the application server uses the access credential to obtain from the authentication server the resources within the requested resource scope.
7. The method of claim 6, characterized in that, in step S2, after the user information is determined to be legal and before the authorization code is generated, the method further comprises: the authentication server redirects to a user authorization page according to the requested resource scope and judges whether permission-granted information for the requested resource scope can be obtained from the user authorization page; if so, the authorization code is generated; otherwise a failed authentication response is returned to the application server.
8. The method of claim 1, characterized in that the authentication request includes a redirect URL, and returning the authorization code to the application server specifically comprises: returning the authorization code to the application server according to the redirect URL.
9. The method of claim 1, characterized in that step S3 specifically comprises:
Step B1: the application server encrypts the application identifier and application password it pre-registered with the authentication server to generate application ciphertext;
Step B2: the application server assembles the request for obtaining an identity authentication credential from the application ciphertext and the authorization code, and sends the request for obtaining an identity authentication credential to the authentication server;
and step S4 specifically comprises: the authentication server obtains the application ciphertext from the request for obtaining an identity authentication credential, decrypts the application ciphertext to obtain the application identifier and the application password, judges whether the application server is legal according to the application identifier and the application password, and judges whether the authorization code in the request is valid; if both judgments are affirmative, step S5 is executed, otherwise the method terminates.
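Steps B1 and S4 of claim 9 as an added Go example, not the patent's own code: the page names no cipher, so AES-GCM under a per-application key established at registration is assumed, as are the layout of the encrypted plaintext, the authorization code lifetime and every identifier used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// RegisteredApp is the authentication server's record of an application server. Identifier
// and password are from the page; the per-application AES-256 key is an assumption (no cipher is named).
type RegisteredApp struct {
	ID, Password string
	Key          []byte
}

type issuedCode struct{ AppID string; IssuedAt time.Time }

// AuthServer holds registrations and the authorization codes handed out in step S2.
type AuthServer struct {
	Apps    map[string]RegisteredApp
	Codes   map[string]issuedCode
	CodeTTL time.Duration
}

var (
	ErrBadCiphertext = errors.New("S4: application ciphertext cannot be decrypted")
	ErrBadPassword   = errors.New("S4: identifier or password does not match the registration")
	ErrBadCode       = errors.New("S4: authorization code unknown, expired or already used")
)

// IssueCode records a fresh authorization code (step S2) with the application it was issued to.
func (s *AuthServer) IssueCode(appID string, now time.Time) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	code := hex.EncodeToString(buf)
	s.Codes[code] = issuedCode{AppID: appID, IssuedAt: now}
	return code, nil
}

type appCredentials struct{ AppID, Password string }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAppCredentials is the application server's step B1: identifier and password
// sealed with AES-GCM, the random nonce prefixed to the ciphertext.
func EncryptAppCredentials(key []byte, appID, password string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain, _ := json.Marshal(appCredentials{AppID: appID, Password: password})
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// ValidateCredentialRequest is step S4. The code selects the registration (hence the key) to
// decrypt with; identifier and password must match it; the code must be within its lifetime
// and is consumed on success, so a captured request cannot be replayed.
func (s *AuthServer) ValidateCredentialRequest(ciphertext []byte, code string, now time.Time) error {
	issued, ok := s.Codes[code]
	if !ok {
		return ErrBadCode
	}
	app := s.Apps[issued.AppID]
	gcm, err := gcmFor(app.Key)
	if err != nil || len(ciphertext) < gcm.NonceSize() {
		return ErrBadCiphertext
	}
	plain, err := gcm.Open(nil, ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():], nil)
	if err != nil {
		return ErrBadCiphertext
	}
	var c appCredentials
	if json.Unmarshal(plain, &c) != nil || c.AppID != app.ID ||
		subtle.ConstantTimeCompare([]byte(c.Password), []byte(app.Password)) != 1 {
		return ErrBadPassword
	}
	if now.Sub(issued.IssuedAt) > s.CodeTTL {
		return ErrBadCode
	}
	delete(s.Codes, code) // single use
	return nil
}
```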
10. The method of claim 1, characterized in that, in step S6, after the application server verifies the signature result with the public key and verification passes, and before the identity authentication credential is bound to the user, the method further comprises: the application server judges whether the application identifier in the identity authentication credential is legal; if so, it continues to bind the identity authentication credential to the user; otherwise it returns a credential-invalid message to the authentication server and the method terminates.
11. The method of claim 1, characterized in that
step S5 specifically comprises: the authentication server obtains the current server time as the credential sending time, assembles the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential sending time, signs the identity authentication credential with its private key, and sends the signature result and the identity authentication credential to the application server;
in step S6, after the application server verifies the signature result with the public key and verification passes, and before the identity authentication credential is bound to the user, the method further comprises: the application server judges whether the credential sending time in the identity authentication credential is earlier than a first preset time; if so, it sends a credential-invalid message to the authentication server and the method terminates; otherwise it continues to bind the identity authentication credential to the user.
12. The method of claim 1, characterized in that
when step S2 determines that the user is legal, the method further comprises: obtaining the current server time as the user authentication time;
step S5 specifically comprises: the authentication server assembles the identity authentication credential from the application identifier, the authentication server identifier, the user information and the user authentication time, signs the identity authentication credential with its private key, and sends the signature result and the identity authentication credential to the application server;
in step S6, after the application server verifies the signature result with the public key and verification passes, and before the identity authentication credential is bound to the user, the method further comprises: the application server judges whether the user authentication time in the identity authentication credential is earlier than a second preset time; if so, it sends a credential-invalid message to the authentication server; otherwise it continues to bind the identity authentication credential to the user.
13. The method of claim 1, characterized in that
step S5 specifically comprises: the authentication server assembles the identity authentication credential from the application identifier, the authentication server identifier, the user information and the validity period of the identity authentication credential, signs the identity authentication credential with its private key, and sends the signature result and the identity authentication credential to the application server;
in step S6, after the application server verifies the signature result with the public key and verification passes, and before the identity authentication credential is bound to the user, the method further comprises: the application server judges whether the current server time is earlier than the validity period of the identity authentication credential; if so, it continues to bind the identity authentication credential to the user; otherwise it returns a credential-invalid message to the authentication server.
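Steps S5 and S6 with the application-side checks of claims 10 to 13 and the binding of claim 3, as an added Go example that is not part of the patent: Ed25519 is assumed as the signature scheme (the page says only private key and public key), and the JSON field names and Unix-second time values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// IdentityCredential is the object signed in step S5. The page names its contents
// (application identifier, authentication server identifier, user information and
// the optional time values of claims 11 to 13); field names and the Unix-second
// encoding are assumptions.
type IdentityCredential struct {
	AppID     string `json:"app_id"`
	ServerID  string `json:"server_id"`
	UserInfo  string `json:"user_info"`
	SentAt    int64  `json:"sent_at"`    // claim 11: credential sending time
	AuthTime  int64  `json:"auth_time"`  // claim 12: user authentication time
	ExpiresAt int64  `json:"expires_at"` // claim 13: end of the validity period
}

// One error per reason the application server returns a credential-invalid message.
var (
	ErrBadSignature = errors.New("S6: signature verification failed")
	ErrWrongApp     = errors.New("claim 10: credential issued to another application")
	ErrStaleIssue   = errors.New("claim 11: sent before the first preset time")
	ErrStaleAuth    = errors.New("claim 12: user authenticated before the second preset time")
	ErrExpired      = errors.New("claim 13: validity period has passed")
)

// GenerateKeyPair gives the authentication server its signing key and the
// application server the matching verification key (Ed25519 assumed).
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// IssueCredential is step S5 on the authentication server: serialise the credential
// (encoding/json keeps struct field order, so the bytes are deterministic) and sign
// exactly those bytes with the private key.
func IssueCredential(priv ed25519.PrivateKey, c IdentityCredential) (payload, sig []byte, err error) {
	payload, err = json.Marshal(c)
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// AppServer holds what step S6 and claims 10 to 13 need on the application side.
type AppServer struct {
	Pub          ed25519.PublicKey
	OwnAppID     string
	FirstPreset  time.Time                     // claim 11: oldest acceptable sending time
	SecondPreset time.Time                     // claim 12: oldest acceptable authentication time
	Bindings     map[string]IdentityCredential // claim 3: allocated user identifier -> credential
}

// VerifyAndBind verifies the signature over the exact received bytes before parsing
// them, applies the checks of claims 10 to 13, and only then binds the credential to
// a newly allocated user identifier (claim 3).
func (a *AppServer) VerifyAndBind(payload, sig []byte, now time.Time) (string, error) {
	if !ed25519.Verify(a.Pub, payload, sig) {
		return "", ErrBadSignature
	}
	var c IdentityCredential
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	switch {
	case c.AppID != a.OwnAppID:
		return "", ErrWrongApp
	case time.Unix(c.SentAt, 0).Before(a.FirstPreset):
		return "", ErrStaleIssue
	case time.Unix(c.AuthTime, 0).Before(a.SecondPreset):
		return "", ErrStaleAuth
	case !now.Before(time.Unix(c.ExpiresAt, 0)):
		return "", ErrExpired
	}
	id := make([]byte, 8)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	userID := hex.EncodeToString(id)
	a.Bindings[userID] = c
	return userID, nil
}
```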
14. A system for issuing an identity authentication credential, characterized by comprising an authentication server and an application server;
the application server specifically includes:
a first sending module, configured to redirect to the user authentication page upon receiving an access request triggered by a user and to send an authentication request to the authentication server, and further configured to send the request for obtaining an identity authentication credential assembled by the first assembling module to the authentication server;
a second receiving module, configured to receive the authorization code sent by the authentication server, and further configured to receive the signature result and the identity authentication credential sent by the authentication server;
a first assembling module, configured to assemble the request for obtaining an identity authentication credential from the authorization code received by the second receiving module and the application identifier and application password pre-registered with the authentication server;
a binding module, configured to verify, using the public key, the signature result received by the second receiving module and, if verification passes, to bind the identity authentication credential received by the second receiving module to the user;
the authentication server specifically includes:
a first receiving module, configured to receive the authentication request sent by the application server, and further configured to receive the request for obtaining an identity authentication credential sent by the application server;
a user information obtaining module, configured to obtain user information from the user authentication page when the user enters user information on the user authentication page;
a first judgment module, configured to judge, when the first receiving module receives the authentication request, whether the user information obtained by the user information obtaining module is legal;
an authorization code generation module, configured to generate an authorization code after the first judgment module determines that the user information is legal;
a second sending module, configured to send the authorization code generated by the authorization code generation module to the application server, and further configured to send the identity authentication credential assembled by the second assembling module and the signature result produced by the signature module to the application server;
a second judgment module, configured to judge whether the application server is legal according to the application identifier and the application password in the request for obtaining an identity authentication credential received by the first receiving module, and to judge whether the authorization code in the request for obtaining an identity authentication credential received by the first receiving module is valid;
the second assembling module, configured to assemble the identity authentication credential from the application identifier in the request for obtaining an identity authentication credential received by the first receiving module, the authentication server identifier and the user information obtained by the user information obtaining module, when the second judgment module determines that the application server is legal and the authorization code is valid;
the signature module, configured to sign the identity authentication credential assembled by the second assembling module with the private key to obtain the signature result.
15. The system of claim 14, characterized in that the binding module is specifically configured to verify, using the public key, the signature result received by the second receiving module and, if verification passes, to obtain the user information from the identity authentication credential and store the user information in correspondence with the identity authentication credential.
16. The system of claim 14, characterized in that the binding module is specifically configured to verify, using the public key, the signature result received by the second receiving module and, if verification passes, to allocate a character string as a user identifier and store the user identifier in correspondence with the identity authentication credential.
17. The system of claim 14, characterized in that the authentication server further includes:
a third judgment module, configured to judge whether all required parameters in the authentication request received by the first receiving module are present and valid;
the first judgment module is configured to judge whether the user information obtained by the user information obtaining module is legal when the third judgment module determines that all required parameters in the authentication request are present and valid;
the second sending module is further configured to send a failed authentication response to the application server when the third judgment module determines that the required parameters in the authentication request are not all present or not all valid.
18. The system of claim 17, characterized in that the third judgment module specifically includes:
a first judging submodule, configured to judge whether the authentication request received by the first receiving module contains an application identifier and a redirect URL;
a second judging submodule, configured to obtain the application identifier from the authentication request when the first judging submodule determines that the authentication request contains an application identifier and a redirect URL, and to judge according to the application identifier whether the application server is registered;
a third judging submodule, configured to obtain, when the second judging submodule determines that the application server is registered, the redirect URL pre-registered by the application server according to the application identifier, and to judge whether the redirect URL in the authentication request matches the pre-registered redirect URL obtained;
the first judgment module is specifically configured to judge whether the user information obtained by the user information obtaining module is legal when the third judging submodule determines that the redirect URL in the authentication request matches the pre-registered redirect URL obtained;
the second sending module is further configured to send a failed authentication response to the application server when the third judging submodule determines that the redirect URL in the authentication request does not match the pre-registered redirect URL obtained.
19. The system of claim 14, characterized in that the authentication request received by the first receiving module further includes the requested resource scope;
the second assembling module is specifically configured to generate an access credential when the second judgment module determines that the application server is legal and the authorization code is valid, to store the access credential in correspondence with the requested resource scope, and to assemble the identity authentication credential from the application identifier in the request for obtaining an identity authentication credential received by the first receiving module, the authentication server identifier and the user information obtained by the user information obtaining module;
the second sending module is further configured to send the access credential generated by the second assembling module to the application server;
the application server further includes an access resource module, configured to receive the access credential and to use the access credential to obtain from the authentication server the resources within the requested resource scope.
20. The system of claim 14, characterized in that the authentication server further includes:
a fourth judgment module, configured to redirect to a user authorization page according to the requested resource scope in the authentication request received by the first receiving module, and to judge whether permission-granted information for the requested resource scope can be obtained from the user authorization page;
the authorization code generation module is configured to generate the authorization code when the fourth judgment module determines that permission-granted information for the requested resource scope has been received;
the second sending module is further configured to send a failed authentication response to the application server when the fourth judgment module determines that permission-granted information for the requested resource scope has not been received.
21. The system of claim 14, characterized in that the authentication request received by the first receiving module further includes a redirect URL;
the second sending module is specifically configured to send the authorization code generated by the authorization code generation module to the application server according to the redirect URL.
22. The system of claim 14, characterized in that
the first assembling module specifically includes:
an encryption submodule, configured to encrypt the application identifier and application password pre-registered with the authentication server to generate application ciphertext;
a first assembling submodule, configured to generate the request for obtaining an identity authentication credential from the application ciphertext generated by the encryption submodule and the authorization code and redirect URL received by the second receiving module;
the first sending module is configured to send the request for obtaining an identity authentication credential generated by the first assembling submodule to the authentication server;
the second judgment module specifically includes:
a decryption submodule, configured to obtain the application ciphertext from the request for obtaining an identity authentication credential received by the first receiving module, and to decrypt the application ciphertext to produce the application identifier and application password;
a fourth judging submodule, configured to judge whether the application server is legal according to the application identifier and application password decrypted by the decryption submodule;
a fifth judging submodule, configured to obtain the authorization code from the request for obtaining an identity authentication credential received by the second receiving module and to judge whether the authorization code is valid;
the second assembling module is configured to assemble the identity authentication credential from the application identifier, the authentication server identifier and the user information when the fifth judging submodule determines that the authorization code is valid and the fourth judging submodule determines that the application server is legal, and to sign the identity authentication credential with the private key to obtain the signature result.
23. system as claimed in claim 14, which is characterized in that the binding module includes:
Sign test submodule, the signature result sign test for being received using public key to second receiving module;
6th judging submodule judges that second receiving module receives if pass through for the sign test submodule sign test
Authentication authority in application identities it is whether legal;
Submodule is bound, is used for when the 6th judging submodule determines that the application identities are legal, by the authentication
Authority is bound with user;
First sending module is also used to the Xiang Suoshu when the 6th judging submodule determines that the application identities are illegal
Certificate server sends authentication invalid credentials information.
24. system as claimed in claim 14, which is characterized in that
The minor microstructure module, specifically for determining that the application server is legal and described awards when second judgment module
When weighted code is effective, the current server time is obtained as authentication authority sending time, is taken according to the application identities, certification
Being engaged in, device identifies, the user information and the authentication authority sending time organizational identities authenticate authority;
The binding module includes:
Sign test submodule, the signature result sign test for being received using public key to second receiving module;
7th judging submodule judges what second receiving module received when if passing through for the sign test submodule sign test
Whether the authentication authority sending time in the authentication authority is earlier than the first preset time;
Submodule is bound, it is default to be no earlier than first for the authentication authority sending time described in the 7th judging submodule
When the time, the authentication authority is bound with user;
It is default earlier than first to be also used to authentication authority sending time described in the 7th judging submodule for first sending module
Authentication invalid credentials information is sent to the certificate server when time.
25. The system of claim 14, wherein
the first judgment module is further configured to obtain the current server time as the user-authentication end time;
the credential organizing module is specifically configured, when the second judgment module determines that the application server is legitimate and the authorization code is valid, to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and the user-authentication end time obtained by the first judgment module;
the binding module comprises:
a signature verification submodule, for verifying with the public key the signature result received by the second receiving module;
an eighth judging submodule, for judging, when the signature verification passes, whether the user-authentication end time in the identity authentication credential received by the second receiving module is earlier than a second preset time;
a binding submodule, for binding the identity authentication credential to the user when the eighth judging submodule determines that the user-authentication end time is not earlier than the second preset time;
the first sending module is further configured to send a credential-invalid message to the authentication server when the eighth judging submodule determines that the user-authentication end time is earlier than the second preset time.
26. The system of claim 14, wherein
the credential organizing module is specifically configured, when the second judgment module determines that the application server is legitimate and the authorization code is valid, to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and a credential validity period;
the binding module comprises:
a signature verification submodule, for verifying with the public key the signature result received by the second receiving module;
a ninth judging submodule, for judging whether the current server time is earlier than the credential validity period;
a binding submodule, for binding the identity authentication credential to the user when the ninth judging submodule determines that the current server time is earlier than the credential validity period;
the first sending module is further configured to send a credential-invalid message to the authentication server when the ninth judging submodule determines that the current server time is later than the credential validity period.
27. A method of issuing an identity authentication credential, characterized by comprising:
step R1: the authentication server receives an authentication request sent by an application server; when the user enters user information on the user authentication page, the authentication server obtains the user information from the user authentication page and judges whether the user information is legitimate; if so, it generates an authorization code, returns the authorization code to the application server and executes step R2; otherwise the method ends;
step R2: when the authentication server receives a credential acquisition request sent by the application server, it judges whether the application server is legitimate according to the application identifier and application password in the credential acquisition request, and judges whether the authorization code in the credential acquisition request is valid; if both judgments are affirmative, step R3 is executed; otherwise the method ends;
step R3: the authentication server organizes the identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the identity authentication credential with its private key, and sends the signature result and the identity authentication credential to the application server.
28. The method of claim 27, wherein, in step R1, after the authentication server receives the authentication request sent by the application server and before it obtains the user information from the user authentication page, the method further comprises: the authentication server judges whether all required parameters in the authentication request are present and valid; if so, it continues with obtaining the user information from the user authentication page; otherwise it returns an authentication failure response to the application server and ends.
29. The method of claim 28, wherein judging whether all required parameters in the authentication request are present and valid specifically comprises:
step C1: the authentication server judges whether the authentication request contains an application identifier and a redirect URL; if so, it executes step C2; otherwise it returns an authentication failure response to the application server and ends;
step C2: the authentication server obtains the application identifier from the authentication request and judges according to the application identifier whether the application server is registered; if so, it executes step C3; otherwise it returns an authentication failure response to the application server and ends;
step C3: the authentication server obtains the redirect URL pre-registered by the application server according to the application identifier and judges whether the redirect URL in the authentication request matches the obtained pre-registered redirect URL; if so, step C2 is executed; otherwise it returns an authentication failure response to the application server and ends.
30. The method of claim 27, wherein the authentication request further comprises the requested resource scope;
step R3 specifically comprises: the authentication server generates an access credential and stores it in correspondence with the requested resource scope; it organizes the identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the identity authentication credential with its private key, and sends the signature result and the access credential to the application server.
31. The method of claim 27, wherein, in step R1, after the user information is determined to be legitimate and before the authorization code is generated, the method further comprises: the authentication server jumps to the user authorization page according to the requested resource scope and judges whether an authorization confirmation for the requested resource scope can be obtained from the user authorization page; if so, it generates the authorization code; otherwise it returns an authentication failure response to the application server.
32. The method of claim 27, wherein the authentication request comprises a redirect URL;
returning the authorization code to the application server specifically comprises: returning the authorization code to the application server according to the redirect URL.
33. The method of claim 27, wherein step R2 specifically comprises: the authentication server obtains the application ciphertext from the credential acquisition request and decrypts it to obtain the application identifier and the application password; it judges whether the application server is legitimate according to the application identifier and the application password, and judges whether the authorization code in the credential acquisition request is valid; if both judgments are affirmative, step R3 is executed; otherwise the method ends.
34. The method of claim 27, wherein
step R3 specifically comprises: the authentication server obtains the current server time as the credential issuance time, organizes the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential issuance time, signs the identity authentication credential with its private key, and sends the signature result and the identity authentication credential to the application server.
35. The method of claim 27, wherein
when the user is determined to be legitimate in step R1, the method further comprises: obtaining the current server time as the user-authentication end time;
step R3 specifically comprises: the authentication server organizes the identity authentication credential from the application identifier, the authentication server identifier, the user information and the user-authentication end time, signs the identity authentication credential with its private key, and sends the signature result and the identity authentication credential to the application server.
36. The method of claim 27, wherein
step R3 specifically comprises: the authentication server organizes the identity authentication credential from the application identifier, the authentication server identifier, the user information and a credential validity period, signs the identity authentication credential with its private key, and sends the signature result and the identity authentication credential to the application server.
37. An authentication server for issuing an identity authentication credential, characterized by comprising:
a first receiving module, for receiving the authentication request sent by an application server, and further for receiving the credential acquisition request sent by the application server;
a user information obtaining module, for obtaining the user information from the user authentication page when the user enters user information on that page;
a first judgment module, for judging, when the first receiving module receives the authentication request, whether the user information obtained by the user information obtaining module is legitimate;
an authorization code generation module, for generating an authorization code after the first judgment module determines that the user information is legitimate;
a second sending module, for sending the authorization code generated by the authorization code generation module to the application server, and further for sending the signature result produced by the signature module and the identity authentication credential to the application server;
a second judgment module, for judging whether the application server is legitimate according to the application identifier and application password in the credential acquisition request received by the first receiving module, and judging whether the authorization code in that credential acquisition request is valid;
a credential organizing module, for organizing the identity authentication credential, when the second judgment module determines that the application server is legitimate and the authorization code is valid, from the application identifier and authentication server identifier in the credential acquisition request received by the first receiving module and the user information obtained by the user information obtaining module;
a signature module, for signing the identity authentication credential organized by the credential organizing module with the private key to obtain the signature result.
38. The authentication server of claim 37, further comprising:
a third judgment module, for judging, after the first receiving module receives the authentication request, whether all required parameters in the received authentication request are present and valid;
the first judgment module is configured to judge whether the user information obtained by the user information obtaining module is legitimate when the third judgment module determines that all required parameters in the authentication request are present and valid;
the second sending module is further configured to send an authentication failure response to the application server when the third judgment module determines that the required parameters in the authentication request are not all present or not all valid.
39. The authentication server of claim 38, wherein the third judgment module specifically comprises:
a first judging submodule, for judging whether the authentication request received by the first receiving module contains an application identifier and a redirect URL;
a second judging submodule, for obtaining the application identifier from the authentication request when the first judging submodule determines that the request contains an application identifier and a redirect URL, and judging according to the application identifier whether the application server is registered;
a third judging submodule, for obtaining, when the second judging submodule determines that the application server is registered, the redirect URL pre-registered by the application server according to the application identifier, and judging whether the redirect URL in the authentication request matches the obtained pre-registered redirect URL;
the first judgment module is specifically configured to judge whether the user information obtained by the user information obtaining module is legitimate when the third judging submodule determines that the redirect URL in the authentication request matches the pre-registered redirect URL;
the second sending module is further configured to send an authentication failure response to the application server when the third judging submodule determines that the redirect URL in the authentication request does not match the pre-registered redirect URL.
40. The authentication server of claim 37, wherein the authentication request received by the first receiving module further comprises the requested resource scope;
the credential organizing module is specifically configured, when the second judgment module determines that the application server is legitimate and the authorization code is valid, to generate an access credential and store it in correspondence with the requested resource scope, and to organize the identity authentication credential from the application identifier and authentication server identifier in the credential acquisition request received by the first receiving module and the user information obtained by the user information obtaining module;
the second sending module is further configured to send the access credential generated by the credential organizing module to the application server.
41. The authentication server of claim 37, further comprising:
a fourth judgment module, for jumping to the user authorization page according to the requested resource scope in the authentication request received by the first receiving module, and judging whether an authorization confirmation for the requested resource scope can be obtained from the user authorization page;
the authorization code generation module is configured to generate the authorization code when the fourth judgment module determines that the authorization confirmation for the requested resource scope has been received;
the second sending module is further configured to send an authentication failure response to the application server when the fourth judgment module determines that no authorization confirmation for the requested resource scope has been received.
42. The authentication server of claim 37, wherein the authentication request received by the first receiving module further comprises a redirect URL;
the second sending module is specifically configured to send the authorization code generated by the authorization code generation module to the application server according to the redirect URL.
43. The authentication server of claim 37, wherein
the second judgment module specifically comprises:
a decryption submodule, for obtaining the application ciphertext from the credential acquisition request received by the first receiving module and decrypting it to obtain the application identifier and the application password;
a fourth judging submodule, for judging whether the application server is legitimate according to the application identifier and application password decrypted by the decryption submodule;
a fifth judging submodule, for obtaining the authorization code from the credential acquisition request received by the first receiving module and judging whether the authorization code is valid;
the credential organizing module is configured to organize the identity authentication credential from the application identifier, the authentication server identifier and the user information when the fifth judging submodule determines that the authorization code is valid and the fourth judging submodule determines that the application server is legitimate, and to sign the identity authentication credential with the private key to obtain the signature result.
44. The authentication server of claim 37, wherein
the credential organizing module is specifically configured, when the second judgment module determines that the application server is legitimate and the authorization code is valid, to obtain the current server time as the credential issuance time and to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential issuance time.
45. The authentication server of claim 37, wherein
the first judgment module is further configured to obtain the current server time as the user-authentication end time;
the credential organizing module is specifically configured, when the second judgment module determines that the application server is legitimate and the authorization code is valid, to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and the user-authentication end time obtained by the first judgment module.
46. The authentication server of claim 37, wherein
the credential organizing module is specifically configured, when the second judgment module determines that the application server is legitimate and the authorization code is valid, to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and a credential validity period.
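Worked example, added here and not part of the patent: a stand-alone Python sketch of the request checks and issuance steps of claims 27 to 29 and 33 to 36, together with the application-server side checks of claims 24 to 26, going beyond the claims in that one credential carries all three time fields at once. The names AuthServer, Credential, issue and bind are assumed, the authorization code is assumed to be single-use, and the private-key signature of the claims is stood in for by HMAC-SHA256 over a constructed key so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass
from typing import Optional

# Constructed demo key. It stands in for the authentication server's private key and,
# because HMAC is symmetric, also for the public key the application server verifies with.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Credential:
    """Identity authentication credential as organized in step R3 (claims 27, 34-36)."""
    app_id: str                 # application identifier
    auth_server_id: str         # authentication server identifier
    user_info: str
    issued_at: int              # credential issuance time (claim 34)
    user_auth_end: int          # user-authentication end time (claim 35)
    expires_at: int             # credential validity period (claim 36)

    def canonical(self) -> bytes:
        # Sorted keys so issuer and verifier sign/verify the identical byte string.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()


def sign(cred: Credential) -> str:
    """Authentication server side: the signature result over the credential."""
    return hmac.new(SIGNING_KEY, cred.canonical(), hashlib.sha256).hexdigest()


def verify(cred: Credential, signature: str) -> bool:
    """Application server side: the signature verification submodule."""
    return hmac.compare_digest(sign(cred), signature)


class AuthServer:
    def __init__(self, server_id: str, registered: dict):
        # registered: app_id -> (application password, pre-registered redirect URL)
        self.server_id, self.registered, self.codes = server_id, registered, {}

    def authenticate(self, request: dict, user_info: Optional[str], now: int):
        """Steps C1-C3 and R1: check the request, judge the user, mint an authorization code."""
        app_id, redirect = request.get("app_id"), request.get("redirect_url")
        if app_id is None or redirect is None:          # C1: required parameters present?
            return None, "missing app_id or redirect_url"
        if app_id not in self.registered:                # C2: application registered?
            return None, "application not registered"
        if redirect != self.registered[app_id][1]:       # C3: redirect URL matches registration?
            return None, "redirect_url does not match registration"
        if not user_info:                                 # R1: user information legitimate?
            return None, "user information invalid"
        code = secrets.token_urlsafe(16)
        # Assumption: the code is remembered with the app, the user and the user-authentication end time.
        self.codes[code] = (app_id, user_info, now)
        return code, None

    def issue(self, app_id: str, app_password: str, code: str, now: int, ttl: int = 300):
        """Steps R2-R3: judge the application and the code, then organize and sign the credential."""
        reg = self.registered.get(app_id)
        if reg is None or not hmac.compare_digest(reg[0], app_password):
            return None                                   # application not legitimate
        entry = self.codes.pop(code, None)                # assumption: codes are single use
        if entry is None or entry[0] != app_id:
            return None                                   # authorization code not valid
        cred = Credential(app_id, self.server_id, entry[1],
                          issued_at=now, user_auth_end=entry[2], expires_at=now + ttl)
        return sign(cred), cred


def bind(cred: Credential, signature: str, now: int, first_preset: int, second_preset: int) -> str:
    """Application server side (claims 24-26): verify the signature, then apply the three time checks."""
    if not verify(cred, signature):
        return "signature invalid"
    if cred.issued_at < first_preset:                     # claim 24: seventh judging submodule
        return "credential invalid: issued before first preset time"
    if cred.user_auth_end < second_preset:                # claim 25: eighth judging submodule
        return "credential invalid: user authentication before second preset time"
    if now >= cred.expires_at:                            # claim 26: ninth judging submodule
        return "credential invalid: validity period passed"
    return "bound:" + cred.user_info                      # credential bound to the user
```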
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710121273.5A CN106973041B (en) | 2017-03-02 | 2017-03-02 | A kind of method that issuing authentication authority, system and certificate server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106973041A CN106973041A (en) | 2017-07-21 |
CN106973041B true CN106973041B (en) | 2019-10-08 |
Family ID: 59328380
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710121273.5A Active CN106973041B (en) | 2017-03-02 | 2017-03-02 | A kind of method that issuing authentication authority, system and certificate server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106973041B (en) |
Families Citing this family (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107241361A (en) * | 2017-08-07 | 2017-10-10 | 中国石油工程建设有限公司 | A kind of unified identity authentication method based on cloud environment |
CN107609364B (en) * | 2017-10-30 | 2020-12-01 | 泰康保险集团股份有限公司 | User identity confirmation method and device |
CN108347428B (en) * | 2017-12-29 | 2020-11-20 | 北京世纪互联宽带数据中心有限公司 | Registration system, method and device of application program based on block chain |
CN108200089B (en) * | 2018-02-07 | 2022-06-07 | 腾讯云计算(北京)有限责任公司 | Method, device and system for realizing information security and storage medium |
CN108809953B (en) * | 2018-05-22 | 2020-09-01 | 飞天诚信科技股份有限公司 | Anonymous identity authentication method and device based on block chain |
CN108882223A (en) * | 2018-05-30 | 2018-11-23 | 努比亚技术有限公司 | Using data reporting method, mobile terminal and computer readable storage medium |
CN110569638B (en) * | 2018-06-06 | 2021-08-06 | 中移(苏州)软件技术有限公司 | API authentication method and device, storage medium and computing equipment |
CN110062383A (en) * | 2019-04-24 | 2019-07-26 | 中国联合网络通信集团有限公司 | A kind of authentication method, terminal, certificate server, application server |
CN112291188B (en) * | 2019-09-23 | 2023-02-10 | 中建材信息技术股份有限公司 | Registration verification method and system, registration verification server and cloud server |
CN110808998B (en) * | 2019-11-12 | 2022-05-17 | 上海华羿汽车系统集成有限公司 | Initialization of identity authentication device, identity authentication method and device |
CN111107060B (en) * | 2019-11-29 | 2022-11-29 | 视联动力信息技术股份有限公司 | Login request processing method, server, electronic equipment and storage medium |
CN111585954A (en) * | 2020-03-26 | 2020-08-25 | 中国平安财产保险股份有限公司 | Authentication method, authentication device, computer equipment and storage medium |
CN111682941B (en) * | 2020-05-18 | 2022-12-20 | 浙江连湖科技有限责任公司 | Centralized identity management, distributed authentication and authorization method based on cryptography |
CN111698248B (en) * | 2020-06-11 | 2021-06-11 | 杭州商湾网络科技有限公司 | Network authorization management method and system based on label |
CN111901346B (en) * | 2020-07-29 | 2022-10-25 | 北京奇艺世纪科技有限公司 | Identity authentication system |
CN114006751A (en) * | 2021-10-29 | 2022-02-01 | 广东宜教通教育有限公司 | Campus system single sign-on method using temporary authentication code |
CN117544378A (en) * | 2023-11-21 | 2024-02-09 | 广州方舟信息科技有限公司 | Authorization management method, device, equipment and storage medium |
CN117411724B (en) * | 2023-12-13 | 2024-03-19 | 北京持安科技有限公司 | Method and device for sharing credentials across multiple applications of zero-trust application gateway |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101060520A (en) * | 2006-04-21 | 2007-10-24 | 盛趣信息技术(上海)有限公司 | Token-based SSO authentication system |
CN102111410A (en) * | 2011-01-13 | 2011-06-29 | 中国科学院软件研究所 | Agent-based single sign on (SSO) method and system |
CN103609090A (en) * | 2013-06-19 | 2014-02-26 | 华为技术有限公司 | Method and device for identity login |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8762283B2 (en) * | 2004-05-03 | 2014-06-24 | Visa International Service Association | Multiple party benefit from an online authentication service |
Events
2017-03-02 | CN | CN201710121273.5A (patent CN106973041B) | Active
Also Published As
Publication number | Publication date |
---|---|
CN106973041A (en) | 2017-07-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| OL01 | Intention to license declared | |