CN106973041B - Method, system and authentication server for issuing an identity authentication credential - Google Patents


Info

Publication number: CN106973041B
Authority: CN (China)
Prior art keywords: authentication, authority, server, application, module
Legal status: Active
Application number: CN201710121273.5A
Other languages: Chinese (zh)
Other versions: CN106973041A
Inventors: 陆舟, 于华章
Current assignee: Feitian Technologies Co Ltd
Original assignee: Feitian Technologies Co Ltd
Application filed by Feitian Technologies Co Ltd
Priority to CN201710121273.5A
Publication of CN106973041A
Application granted
Publication of CN106973041B
Current legal status: Active

Classifications

    • H04L63/0815 Network architectures or network communication protocols for network security; authentication of entities providing single-sign-on or federations
    • H04L63/083 Network architectures or network communication protocols for network security; authentication of entities using passwords
    • H04L9/3226 Cryptographic mechanisms or arrangements for secret or secure communications; means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3247 Cryptographic mechanisms or arrangements for secret or secure communications; means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to the field of communications, and in particular to a method, system and authentication server for issuing an identity authentication credential. The method comprises: the authentication server receives an authentication request sent by an application server; when the user enters user information on the user authentication page, it judges whether the user information is valid and, if so, generates an authorization code and sends the authorization code to the application server; when the authentication server receives a request for an identity authentication credential, it judges whether the application server is valid according to the application identifier and application password in the request, and judges whether the authorization code in the request is valid; when both judgements are affirmative, the authentication server assembles the identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the credential with its private key, and sends the signature result and the credential to the application server. The invention makes user login more convenient and reduces the cost to websites of building their own membership systems and login functions.

Description

Method, system and authentication server for issuing an identity authentication credential
Technical field
The present invention relates to the field of communications, and in particular to a method, system and authentication server for issuing an identity authentication credential.
Background art
In the prior art, a user who uses the services of a website for the first time generally has to go through a cumbersome account registration process. Websites register accounts in two common ways. In the first, the user's freely chosen name or other data serves as the account and numerous items of user information must be filled in; after registering accounts on many websites the user faces the trouble of remembering a large number of website accounts, and must register again if an account is forgotten. In the second, the user registers the website account with an existing e-mail address, but then often receives more spam, which is a poor user experience. In addition, every website that provides a service must build its own membership system and login function, which increases the website's development cost.
Summary of the invention
The present invention provides a method, system and authentication server for issuing an identity authentication credential.
A method for issuing an identity authentication credential, comprising:
Step S1: after receiving an access request triggered by the user, the application server redirects to the user authentication page and sends an authentication request to the authentication server;
Step S2: when the user enters user information on the user authentication page, the authentication server obtains the user information from the user authentication page and judges whether it is valid; if so, it generates an authorization code, returns the authorization code to the application server and step S3 is executed; otherwise the process ends;
Step S3: the application server assembles a request to obtain an identity authentication credential from the authorization code and from the application identifier and application password it registered in advance with the authentication server, and sends the credential request to the authentication server;
Step S4: the authentication server judges whether the application server is valid according to the application identifier and application password in the credential request, and judges whether the authorization code in the credential request is valid; when both judgements are affirmative, step S5 is executed; otherwise the process ends;
Step S5: the authentication server assembles the identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the credential with its private key, and sends the signature result and the credential to the application server;
Step S6: the application server verifies the signature result with the public key; if verification passes, it binds the identity authentication credential to the user.
A method for issuing an identity authentication credential, comprising:
Step R1: the authentication server receives the authentication request sent by the application server; when the user enters user information on the user authentication page, it obtains the user information from the user authentication page and judges whether it is valid; if so, it generates an authorization code, returns the authorization code to the application server and step R2 is executed; otherwise the process ends;
Step R2: when the authentication server receives the credential request sent by the application server, it judges whether the application server is valid according to the application identifier and application password in the credential request, and judges whether the authorization code in the credential request is valid; when both judgements are affirmative, step R3 is executed; otherwise the process ends;
Step R3: the authentication server assembles the identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the credential with its private key, and sends the signature result and the credential to the application server.
A system for issuing an identity authentication credential, comprising an authentication server and an application server;
The application server specifically comprises:
a first sending module, for redirecting to the user authentication page after receiving an access request triggered by the user and sending an authentication request to the authentication server; it is also used to send the credential request assembled by the first assembly module to the authentication server;
a second receiving module, for receiving the authorization code sent by the authentication server; it is also used to receive the signature result and identity authentication credential sent by the authentication server;
a first assembly module, for assembling the credential request from the authorization code received by the second receiving module and from the application identifier and application password registered in advance with the authentication server;
a binding module, for verifying with the public key the signature result received by the second receiving module and, if verification passes, binding the identity authentication credential received by the second receiving module to the user;
The authentication server specifically comprises:
a first receiving module, for receiving the authentication request sent by the application server; it is also used to receive the credential request sent by the application server;
a user-information acquisition module, for obtaining the user information from the user authentication page after the user has entered it there;
a first judgement module, for judging, after the first receiving module has received the authentication request, whether the user information obtained by the user-information acquisition module is valid;
an authorization code generation module, for generating an authorization code after the first judgement module determines that the user information is valid;
a first sending module, for sending the authorization code generated by the authorization code generation module to the application server; it is also used to send the signature result produced by the signature module and the identity authentication credential assembled by the second assembly module to the application server;
a second judgement module, for judging whether the application server is valid according to the application identifier and application password in the credential request received by the first receiving module, and judging whether the authorization code in that credential request is valid;
a second assembly module, for assembling the identity authentication credential, when the second judgement module determines that the application server is valid and the authorization code is valid, from the application identifier in the credential request received by the first receiving module, the authentication server identifier, and the user information obtained by the user-information acquisition module;
a signature module, for signing the identity authentication credential assembled by the second assembly module with the private key to obtain the signature result.
An authentication server for issuing an identity authentication credential, comprising:
a first receiving module, for receiving the authentication request sent by the application server; it is also used to receive the credential request sent by the application server;
a user-information acquisition module, for obtaining the user information from the user authentication page when the user enters it there;
a first judgement module, for judging, when the first receiving module receives the authentication request, whether the user information obtained by the user-information acquisition module is valid;
an authorization code generation module, for generating an authorization code after the first judgement module determines that the user information is valid;
a first sending module, for sending the authorization code generated by the authorization code generation module to the application server; it is also used to send the signature result produced by the signature module and the identity authentication credential assembled by the second assembly module to the application server;
a second judgement module, for judging whether the application server is valid according to the application identifier and application password in the credential request received by the first receiving module, and judging whether the authorization code in that credential request is valid;
a second assembly module, for assembling the identity authentication credential, when the second judgement module determines that the application server is valid and the authorization code is valid, from the application identifier in the credential request received by the first receiving module, the authentication server identifier, and the user information obtained by the user-information acquisition module;
a signature module, for signing the identity authentication credential assembled by the second assembly module with the private key to obtain the signature result.
The invention has the following benefits: it simplifies the process by which users register with and log in to websites and avoids repeated registration and the complicated filling-in of identity data, so that login is more efficient and convenient; the user does not need to remember a large number of website accounts and need only register an identity authentication credential on the authentication server to log in freely to any website that supports credential login; and websites that provide services are spared the cost of building their own membership systems and login functions.
Detailed description of the invention
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for issuing an identity authentication credential provided by Embodiment 1 of the present invention;
Fig. 2 and Fig. 3 are flow charts of a method for issuing an identity authentication credential provided by Embodiment 2 of the present invention;
Fig. 4 is a block diagram of a system for issuing an identity authentication credential provided by Embodiment 3 of the present invention;
Fig. 5 is a block diagram of an authentication server for issuing an identity authentication credential provided by Embodiment 4 of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art from the embodiments of the present invention without creative work fall within the protection scope of the present invention.
Embodiment 1
This embodiment provides a method for issuing an identity authentication credential, which specifically comprises:
Step S1: after receiving an access request triggered by the user, the application server redirects to the user authentication page and sends an authentication request to the authentication server;
Step S2: when the user enters user information on the user authentication page, the authentication server obtains the user information from the user authentication page and judges whether it is valid; if so, it generates an authorization code, returns the authorization code to the application server and step S3 is executed; otherwise the process ends;
Further, the authentication request includes a redirect URL;
Returning the authorization code to the application server specifically means: returning the authorization code to the application server according to the redirect URL.
Preferably, between step S1 and step S2 the method further comprises: the authentication server judges whether all required parameters in the authentication request are present and valid; if so, step S2 is executed; otherwise it returns an authentication failure response to the application server and the process ends.
Further, judging whether all required parameters in the authentication request are present and valid specifically comprises:
Step A1: the authentication server judges whether the authentication request contains an application identifier and a redirect URL; if so, step A2 is executed; otherwise it returns an authentication failure response to the application server and the process ends;
Step A2: the authentication server obtains the application identifier from the authentication request and judges according to it whether the application server is registered; if so, step A3 is executed; otherwise it returns an authentication failure response to the application server and the process ends;
Step A3: the authentication server obtains, according to the application identifier, the redirect URL that the application server registered in advance, and judges whether the redirect URL in the authentication request matches the stored redirect URL; if so, step S2 is executed; otherwise it returns an authentication failure response to the application server and the process ends.
Step S3: the application server assembles a request to obtain an identity authentication credential from the authorization code and from the application identifier and application password it registered in advance with the authentication server, and sends the credential request to the authentication server;
Step S4: the authentication server judges whether the application server is valid according to the application identifier and application password in the credential request, and judges whether the authorization code in the credential request is valid; when both judgements are affirmative, step S5 is executed; otherwise the process ends;
Preferably, step S3 specifically comprises:
Step B1: the application server encrypts the application identifier and application password it registered in advance with the authentication server to produce application ciphertext;
Step B2: the application server assembles the credential request from the application ciphertext and the authorization code, and sends the credential request to the authentication server;
Step S4 then specifically comprises: the authentication server obtains the application ciphertext from the credential request, decrypts it to obtain the application identifier and application password, judges whether the application server is valid according to the application identifier and application password, and judges whether the authorization code in the credential request is valid; when both judgements are affirmative, step S5 is executed; otherwise the process ends.
Step S5: the authentication server assembles the identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the credential with its private key, and sends the signature result and the credential to the application server;
Step S6: the application server verifies the signature result with the public key; if verification passes, it binds the identity authentication credential to the user.
Specifically, binding the identity authentication credential to the user means: the application server obtains the user information from the credential and stores the user information in correspondence with the credential.
Optionally, binding the identity authentication credential to the user means: the application server allocates a character string as the user identifier and stores the user identifier in correspondence with the credential.
Preferably, the authentication request further includes the scope of the resources requested;
Step S5 then specifically comprises: the authentication server generates an access credential and stores the access credential in correspondence with the requested resource scope; it assembles the identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the identity authentication credential with its private key, and sends the identity authentication credential, the signature result and the access credential to the application server;
After step S6 the method further comprises: the application server uses the access credential to request from the authentication server the resources within the requested resource scope.
Preferably, in step S6, after the application server has verified the signature result with the public key and before it binds the identity authentication credential to the user, the method further comprises: the application server judges whether the application identifier in the credential is valid; if so, it continues to bind the credential to the user; otherwise it returns an invalid-credential message to the authentication server and the process ends.
Further, after the user information is determined to be valid in step S2 and before the authorization code is generated, the method further comprises: the authentication server redirects to a user authorization page according to the requested resource scope and judges whether it obtains from the user authorization page the user's permission authorization information for the requested resource scope; if so, it generates the authorization code; otherwise it returns an authentication failure response to the application server.
Preferably, step S5 specifically comprises: the authentication server obtains the current server time as the credential send time, assembles the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential send time, signs the credential with its private key, and sends the credential, the signature result and the access credential to the application server.
In step S6, after the application server has verified the signature result with the public key and obtained the credential, and before it binds the credential to the user, the method further comprises: the application server judges whether the credential send time in the credential is earlier than a first preset time; if so, it sends an invalid-credential message to the authentication server and the process ends; otherwise it continues to bind the credential to the user.
Preferably, when step S2 determines that the user is valid, the method further comprises: obtaining the current server time as the terminal-user authentication time;
Step S5 then specifically comprises: the authentication server assembles the identity authentication credential from the application identifier, the authentication server identifier, the user information and the terminal-user authentication time, signs the credential with its private key, and sends the signature result and the credential to the application server;
In step S6, after the application server has verified the signature result with the public key and obtained the credential, and before it binds the credential to the user, the method further comprises: the application server judges whether the terminal-user authentication time in the credential is earlier than a second preset time; if so, it sends an invalid-credential message to the authentication server; otherwise it continues to bind the credential to the user.
Preferably, step S5 specifically comprises: the authentication server assembles the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential validity period, signs the credential with its private key, and sends the signature result and the credential to the application server;
In step S6, after the signature verification has passed and before the credential is bound to the user, the method further comprises: the application server judges whether the current server time is earlier than the credential validity period; if so, it continues to bind the credential to the user; otherwise it returns an invalid-credential message to the authentication server.
This embodiment also provides a method for issuing an identity authentication credential which, referring to Fig. 1, comprises:
Step R1: the authentication server receives the authentication request sent by the application server; when the user enters user information on the user authentication page, it obtains the user information from the user authentication page and judges whether it is valid; if so, it generates an authorization code, returns the authorization code to the application server and step R2 is executed; otherwise it returns an authentication failure response to the application server and the process ends;
Specifically, the authentication request includes a redirect URL;
Returning the authorization code to the application server specifically means: returning the authorization code to the application server according to the redirect URL.
Preferably, after the user information is determined to be valid in step R1 and before the authorization code is generated, the method further comprises: the authentication server redirects to a user authorization page according to the requested resource scope and judges whether it obtains from the user authorization page the user's permission authorization information for the requested resource scope; if so, it generates the authorization code; otherwise it returns an authentication failure response to the application server and the process ends.
Preferably, after the authentication server receives the authentication request in step R1 and before it obtains the user information from the user authentication page, the method further comprises: the authentication server judges whether all required parameters in the authentication request are present and valid; if so, it continues to obtain the user information from the user authentication page; otherwise it returns an authentication failure response to the application server and the process ends.
Specifically, judging whether all required parameters in the authentication request are present and valid comprises:
Step C1: the authentication server judges whether the authentication request contains an application identifier and a redirect URL; if so, step C2 is executed; otherwise it returns an authentication failure response to the application server and the process ends;
Step C2: the authentication server obtains the application identifier from the authentication request and judges according to it whether the application server is registered; if so, step C3 is executed; otherwise it returns an authentication failure response to the application server and the process ends;
Step C3: the authentication server obtains, according to the application identifier, the redirect URL that the application server registered in advance, and judges whether the redirect URL in the authentication request matches the stored redirect URL; if so, step C2 is executed; otherwise it returns an authentication failure response to the application server and the process ends.
Step R2: when the authentication server receives the credential request sent by the application server, it judges whether the application server is valid according to the application identifier and application password in the credential request, and judges whether the authorization code in the credential request is valid; when both judgements are affirmative, step R3 is executed; otherwise it returns an authentication failure response to the application server and the process ends;
Specifically, step R2 comprises: the authentication server obtains the application ciphertext from the credential request, decrypts it to obtain the application identifier and application password, judges whether the application server is valid according to the application identifier and application password, and judges whether the authorization code in the credential request is valid; when both judgements are affirmative, step R3 is executed; otherwise it returns an authentication failure response to the application server and the process ends.
Step R3: the authentication server assembles the identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the credential with its private key, and sends the signature result to the application server.
If the authentication request further includes the requested resource scope:
Step R3 specifically comprises: the authentication server generates an access credential and stores the access credential in correspondence with the requested resource scope; it assembles the identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the identity authentication credential and the access credential with its private key, and sends the signature result and the access credential to the application server.
Optionally, step R3 specifically comprises: the authentication server obtains the current server time as the credential send time, assembles the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential send time, signs the credential with its private key, and sends the signature result to the application server.
Optionally, when step R1 determines that the user is valid, the method further comprises: obtaining the current server time as the terminal-user authentication time;
Step R3 then specifically comprises: the authentication server assembles the identity authentication credential from the application identifier, the authentication server identifier, the user information and the terminal-user authentication time, signs the credential with its private key, and sends the signature result to the application server.
Optionally, step R3 specifically comprises: the authentication server assembles the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential validity period, signs the credential with its private key, and sends the signature result to the application server.
Embodiment 2
The present embodiment provides a method for issuing an authentication authority, as shown in Figures 2 and 3, comprising:
The terminal user needs to register user information with the certificate server in advance; the user information specifically includes a user name and a password. The certificate server needs to allocate a unique terminal user identifier to the terminal user.
The application server needs to register in advance with the certificate server its Redirect URL and the other information the certificate server requires; the other information required by the certificate server includes the application name and the application password. The certificate server allocates a unique application identifier to the application server. In addition, the application server and the certificate server should agree in advance on information such as the public/private key pair used for the authentication authority.
Step 101: after receiving the access request triggered by the user, the application server jumps to the user authentication page and organizes an authentication request that includes the requested resource scope, the response type, the application identifier and the Redirect URL.
The requested resource scope must include a preset parameter identifying this request as an identity authentication request. The response type is used to determine the user authentication mode currently in use; for example, when the authorization code authentication flow is used, the response type is code. Preferably, the authentication request further includes a status indicator, whose value is invisible to any party other than the certificate server and the application server.
In the present embodiment, the authentication request is specifically:
HTTP/1.1 302 Found
Location: https://server.example.com/authorize?response_type=code&scope=openid%20profile%20email&client_id=s6BhdRkqt3&state=af0ifjsldkj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
Here, response_type=code shows that the response type is authorization code; scope=openid%20profile%20email shows that the request is an identity authentication request and that the requested resource scope is the terminal user identifier and the email address; client_id=s6BhdRkqt3 shows that the relying party (application) identifier is s6BhdRkqt3; state=af0ifjsldkj shows that the status indicator is af0ifjsldkj; redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb shows that the Redirect URL is https%3A%2F%2Fclient.example.org%2Fcb, the URL-encoded form of https://client.example.org/cb.
Step 102: the application server sends the authentication request to the certificate server.
Step 103: the certificate server judges whether all mandatory parameters in the authentication request are present and valid; if so, step 104 is executed, otherwise a failed-authentication response is returned to the application server and the procedure terminates.
Step 103 specifically includes:
Step 103-1: the certificate server judges whether the authentication request contains an application identifier and a Redirect URL; if so, step 103-2 is executed, otherwise a failed-authentication response is returned to the application server and the procedure terminates.
Step 103-2: the certificate server obtains the application identifier from the authentication request and judges whether the application server has been registered; if so, step 103-3 is executed, otherwise a failed-authentication response is returned to the application server and the procedure terminates.
Step 103-3: the certificate server obtains the pre-registered Redirect URL of the application server according to the application identifier and judges whether the Redirect URL in the authentication request matches the pre-stored Redirect URL; if so, step 104 is executed, otherwise a failed-authentication response is returned to the application server and the procedure terminates.
Step 104: when the user inputs user information on the user authentication page, the certificate server obtains the user information from the user authentication page and judges whether the user information is legal; if so, it obtains the server current time as the terminal user authentication time and executes step 105, otherwise a failed-authentication response is returned to the application server and the procedure terminates.
Step 105: the certificate server jumps to the user authorization page according to the requested resource scope and judges whether permission authorization information for the requested resource scope can be obtained from the user authorization page; if so, step 106 is executed, otherwise a failed-authentication response is returned to the application server and the procedure terminates.
Step 106: the certificate server generates an authorization code, binds the authorization code to the application identifier and the Redirect URL, generates an authentication success response according to the Redirect URL and the authorization code, and sends the authentication success response to the application server.
Specifically, the certificate server generates a random character string as the authorization code; for example, the authorization code generated in the present embodiment is SplxlOBeZQQYbYS6WxSbIA.
The authentication response is specifically:
HTTP/1.1 302 Found
Location: https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj
Here https://client.example.org/cb is the Redirect URL pre-stored for the application server, and code=SplxlOBeZQQYbYS6WxSbIA shows that the authorization code generated by the certificate server is SplxlOBeZQQYbYS6WxSbIA;
Preferably, the authentication response further includes the status indicator.
Step 107: the application server encrypts the application identifier and the application password to generate application cipher-text information;
Step 108: the application server generates an acquire-authentication-authority request according to the application cipher-text information, the authorization code and the Redirect URL, and sends the acquire-authentication-authority request to the certificate server;
The acquire-authentication-authority request specifically includes:
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
Step 109: the certificate server obtains the application cipher-text information from the acquire-authentication-authority request and decrypts it to obtain the application identifier and the application password;
Step 110: the certificate server judges whether the application server is legal according to the application identifier and the application password; if so, step 111 is executed, otherwise a failed-authentication response is returned to the application server and the procedure terminates.
Specifically, the certificate server judges whether it can find registered information consistent with the application identifier and application password decrypted from the application cipher-text information; if so, the application server is determined to be legal, otherwise a failed-authentication response is returned to the application server and the procedure terminates.
Step 111: the certificate server judges whether the Redirect URL in the acquire-authentication-authority request is consistent with the Redirect URL pre-registered by the application server; if so, step 112 is executed, otherwise a failed-authentication response is returned to the application server and the procedure terminates.
Step 112: the certificate server obtains the authorization code from the acquire-authentication-authority request and judges whether the authorization code is valid; if so, step 113 is executed, otherwise a failed-authentication response is returned to the application server and the procedure terminates.
Specifically, the certificate server judges whether the authorization code bound to the application identifier is consistent with the authorization code obtained from the acquire-authentication-authority request; if so, the authorization code is determined to be valid, otherwise it is determined to be invalid.
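As an added illustration, not code from the patent, the following Go program models the certificate server's side of steps 103-1 to 103-3, 106 and 109 to 112: exact matching of the Redirect URL against the registration, an authorization code bound to the application identifier and Redirect URL it was issued for, and the checks made when that code is redeemed (application password, Redirect URL, binding, single use). The registered application and user identifier are constructed sample values; the application password gX1fBat3bV is the one encoded in the Basic header shown above.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"strings"
)

// RegisteredApp is what an application server registers in advance (step 101 preconditions).
type RegisteredApp struct {
	ClientID, Secret, RedirectURI string
}

// codeRecord binds an authorization code to the application identifier and Redirect URL (step 106).
type codeRecord struct {
	clientID, redirectURI, user string
	used                        bool
}

// AuthServer models the certificate server's registrations and outstanding codes.
type AuthServer struct {
	apps  map[string]RegisteredApp
	codes map[string]*codeRecord
}

func NewAuthServer(apps []RegisteredApp) *AuthServer {
	s := &AuthServer{apps: map[string]RegisteredApp{}, codes: map[string]*codeRecord{}}
	for _, a := range apps {
		s.apps[a.ClientID] = a
	}
	return s
}

// lookupApp: the application must be registered and redirect_uri must equal the
// registered Redirect URL exactly (no prefix or wildcard matching); steps 103-2, 103-3 and 111.
func (s *AuthServer) lookupApp(clientID, redirect string) (RegisteredApp, error) {
	app, ok := s.apps[clientID]
	if !ok {
		return RegisteredApp{}, errors.New("application server not registered")
	}
	if app.RedirectURI != redirect {
		return RegisteredApp{}, errors.New("redirect_uri does not match the registered Redirect URL")
	}
	return app, nil
}

// CheckAuthRequest performs steps 103-1 to 103-3 on the authentication request parameters.
func (s *AuthServer) CheckAuthRequest(q map[string]string) error {
	if q["client_id"] == "" || q["redirect_uri"] == "" {
		return errors.New("authentication request lacks client_id or redirect_uri")
	}
	_, err := s.lookupApp(q["client_id"], q["redirect_uri"])
	return err
}

// IssueCode performs step 106: a random code bound to this application, Redirect URL and user.
func (s *AuthServer) IssueCode(clientID, redirect, user string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := base64.RawURLEncoding.EncodeToString(raw)
	s.codes[code] = &codeRecord{clientID: clientID, redirectURI: redirect, user: user}
	return code, nil
}

// ParseBasic recovers application identifier and password from the request's
// "Authorization: Basic ..." header (step 109, the page's application cipher-text information).
func ParseBasic(header string) (string, string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	id, secret, ok := strings.Cut(string(raw), ":")
	if !strings.HasPrefix(header, "Basic ") || err != nil || !ok {
		return "", "", errors.New("malformed Basic credentials")
	}
	return id, secret, nil
}

// RedeemCode performs steps 110 to 112: registration and Redirect URL match, password
// matches, and the code is bound to this application and Redirect URL and unused.
func (s *AuthServer) RedeemCode(clientID, secret, redirect, code string) (string, error) {
	app, err := s.lookupApp(clientID, redirect)
	if err != nil {
		return "", err
	}
	if subtle.ConstantTimeCompare([]byte(app.Secret), []byte(secret)) != 1 {
		return "", errors.New("application server not legal")
	}
	rec, ok := s.codes[code]
	if !ok || rec.used || rec.clientID != clientID || rec.redirectURI != redirect {
		return "", errors.New("authorization code invalid")
	}
	rec.used = true // an authorization code is redeemable exactly once
	return rec.user, nil
}
```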
Step 113: the certificate server obtains the current server time as the issuance time of the authentication authority;
Step 114: the certificate server organizes the authentication authority according to the application identifier, the certificate server identifier, the user information, the authentication authority validity period, the authentication authority issuance time and the terminal user authentication time;
It should be understood that the authentication authority validity period, the authentication authority issuance time and the terminal user authentication time are JSON numbers representing the number of seconds from 00:00:00 on 1 January 1970 to the respective time. In the present embodiment the authentication authority generated by the certificate server is specifically:
{"iss":"https://server.example.com","sub":"24400320","aud":"s6BhdRkqt3","nonce":"n-0S6_WzA2Mj","exp":1311281970,"iat":1311280970,"auth_time":1311280969,"acr":"urn:mace:incommon:iap:silver"}
Here "iss":"https://server.example.com" shows that the certificate server identifier is https://server.example.com; "sub":"24400320" shows that the user information is 24400320; "aud":"s6BhdRkqt3" shows that the application server identifier is s6BhdRkqt3; "exp":1311281970 shows the authentication authority validity period; "iat":1311280970 shows the authentication authority issuance time; "auth_time":1311280969 shows the terminal user authentication time;
Step 115: the certificate server signs the authentication authority with the private key to obtain the signature result;
Specifically, the signature algorithm may be SHA256withRSA. Other algorithms may also be used, such as SHA1withRSA or the SM2 signature algorithm.
Step 116: the certificate server generates an access authority, generates an acquire-authentication-authority response according to the authentication authority, the signature result and the access authority, and sends the acquire-authentication-authority response to the application server.
Specifically, in the present embodiment the acquire-authentication-authority response includes: the access authority, the access type, the access authority validity period, the update authority and the signature result.
Preferably, the header of the acquire-authentication-authority response should indicate that none of the contents of the response are to be cached and that none of them are to be stored in temporary files.
In the present embodiment, the acquire-authentication-authority response is specifically:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{"access_token":"SlAV32hkKG","token_type":"Bearer","refresh_token":"8xLOxBtZp8","expires_in":3600,"iss":"https://server.example.com","sub":"24400320","aud":"s6BhdRkqt3","nonce":"n-0S6_WzA2Mj","exp":1311281970,"iat":1311280970,"auth_time":1311280969,"acr":"urn:mace:incommon:iap:silver","id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"}
Here the access authority access_token is SlAV32hkKG; the access type token_type is Bearer; the access authority validity period expires_in is 3600 minutes; the update authority refresh_token is 8xLOxBtZp8; and the signature result is the value of id_token.
Step 117: the application server obtains the signature result from the acquire-authentication-authority response and verifies the signature with the public key specified when the application server registered; if verification passes, step 118 is executed, otherwise error handling is performed;
Step 118: the application server judges whether the application identifier in the authentication authority is correct; if so, step 119 is executed, otherwise authentication authority invalid information is sent to the certificate server.
Specifically, the application server judges whether the application identifier in the authentication authority is consistent with the application identifier allocated by the certificate server when the application server registered; if so, the application identifier is determined to be correct, otherwise it is determined to be incorrect.
Step 119: the application server obtains the authentication authority validity period from the authentication authority and judges whether the current time is earlier than the authentication authority validity period; if so, step 120 is executed, otherwise authentication authority invalid information is sent to the certificate server.
Step 120: the application server obtains the authentication authority issuance time from the authentication authority and judges whether the authentication authority issuance time is earlier than the first preset time; if so, authentication authority invalid information is sent to the certificate server, otherwise step 121 is executed.
Step 121: the application server obtains the terminal user authentication time from the authentication authority and judges whether the terminal user authentication time is earlier than the second preset time; if so, authentication authority invalid information is sent to the certificate server, otherwise the authentication authority is bound to the user.
Specifically, binding the authentication authority to the user is: the application server obtains the user information from the authentication authority and stores the user information in correspondence with the authentication authority.
Alternatively, binding the authentication authority to the user is: the application server allocates a character string as the user identifier and stores the user identifier in correspondence with the authentication authority.
It should be noted that after step 121 the application server has completed the identity authentication of the terminal user and can provide the corresponding service to the terminal user; the application server can also use the access authority obtained from the certificate server to access the resources in the certificate server that the terminal user authorized in step 105.
Further, after the application server sends terminal user identity authentication failure information to the certificate server in step 118, step 119, step 120 or step 121, the application server may also send a request to the certificate server to re-authenticate the terminal user.
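As an added example, not code from the patent, the following Go program carries out steps 113 to 115 (organizing the authentication authority and signing it with SHA256withRSA in the compact JWS form the page's id_token uses) and steps 117 to 121 on the application server side (signature verification first, then the application identifier, validity period, issuance time and terminal user authentication time checks). The key pair, the validity period and the two preset times are assumptions chosen for the example; the claim names are those shown in the page's authentication authority.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the authentication authority organized in step 114, using the JSON
// member names shown on the page (iss, sub, aud, exp, iat, auth_time).
type Claims struct {
	Iss      string `json:"iss"`
	Sub      string `json:"sub"`
	Aud      string `json:"aud"`
	Exp      int64  `json:"exp"`
	Iat      int64  `json:"iat"`
	AuthTime int64  `json:"auth_time"`
}

var b64 = base64.RawURLEncoding

// jwsHeader fixes the signature algorithm to SHA256withRSA (RS256); Verify rejects
// any other header so the algorithm cannot be chosen by whoever sends the credential.
var jwsHeader = b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))

// Issue performs steps 113 to 115: iat is the server's current time, exp is iat
// plus the validity period, auth_time is the time recorded in step 104 when the
// user was verified. The result is a compact JWS header.payload.signature.
func Issue(key *rsa.PrivateKey, issuer, sub, aud string, authTime, now time.Time, validity time.Duration) (string, error) {
	c := Claims{Iss: issuer, Sub: sub, Aud: aud, Exp: now.Add(validity).Unix(), Iat: now.Unix(), AuthTime: authTime.Unix()}
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := jwsHeader + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify performs steps 117 to 121 on the application server. minIat and
// minAuthTime are the page's first and second preset times: the earliest
// acceptable issuance time and the earliest acceptable user authentication time.
// It returns the user information (sub) the credential is then bound to.
func Verify(pub *rsa.PublicKey, token, expectedAud string, now, minIat, minAuthTime time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != jwsHeader {
		return "", errors.New("malformed credential or unexpected signature algorithm")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	// Step 117: check the signature before trusting anything in the payload.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature verification failed")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	switch {
	case c.Aud != expectedAud: // step 118: issued for this application?
		return "", errors.New("application identifier in credential is incorrect")
	case !now.Before(time.Unix(c.Exp, 0)): // step 119: current time earlier than exp?
		return "", errors.New("credential validity period has passed")
	case time.Unix(c.Iat, 0).Before(minIat): // step 120: issuance time too old?
		return "", errors.New("credential issuance time earlier than first preset time")
	case time.Unix(c.AuthTime, 0).Before(minAuthTime): // step 121: user authenticated too long ago?
		return "", errors.New("user authentication time earlier than second preset time")
	}
	return c.Sub, nil
}
```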
Embodiment 3
The present embodiment provides a system for issuing an authentication authority, referring to Fig. 4, including an application server and a certificate server;
The application server specifically includes:
a first sending module, configured to jump to the user authentication page after receiving the access request triggered by the user and to send an authentication request to the certificate server; and further configured to send the acquire-authentication-authority request organized by the first organizing module to the certificate server;
a second receiving module, configured to receive the authorization code sent by the certificate server; and further configured to receive the signature result and the authentication authority sent by the certificate server;
a first organizing module, configured to organize the acquire-authentication-authority request according to the authorization code received by the second receiving module and the application identifier and application password registered in advance with the certificate server;
a binding module, configured to verify, with the public key, the signature result received by the second receiving module and, if verification passes, to bind the authentication authority received by the second receiving module to the user;
Specifically, the binding module is configured to verify, with the public key, the signature result received by the second receiving module and, if verification passes, to obtain the user information from the authentication authority and store the user information in correspondence with the authentication authority.
Alternatively, the binding module is configured to verify, with the public key, the signature result received by the second receiving module and, if verification passes, to allocate a character string as the user identifier and store the user identifier in correspondence with the authentication authority.
Preferably, the binding module specifically includes:
a signature verification submodule, configured to verify, with the public key, the signature result received by the second receiving module;
a sixth judging submodule, configured to judge, if the verification by the signature verification submodule passes, whether the application identifier in the authentication authority received by the second receiving module is legal;
a binding submodule, configured to bind the authentication authority to the user when the sixth judging submodule determines that the application identifier is legal;
the first sending module is further configured to send authentication authority invalid information to the certificate server when the sixth judging submodule determines that the application identifier is illegal.
The certificate server specifically includes:
a first receiving module, configured to receive the authentication request sent by the application server; and further configured to receive the acquire-authentication-authority request sent by the application server;
a user information obtaining module, configured to obtain the user information from the user authentication page after the user inputs the user information on the user authentication page;
a first judging module, configured to judge, after the first receiving module receives the authentication request, whether the user information obtained by the user information obtaining module is legal;
an authorization code generating module, configured to generate an authorization code after the first judging module determines that the user information is legal;
a second sending module, configured to send the authorization code generated by the authorization code generating module to the application server; and further configured to send the signature result produced by the signing module and the authentication authority organized by the second organizing module to the application server;
Specifically, the authentication request received by the first receiving module further includes a Redirect URL;
the second sending module is specifically configured to send the authorization code generated by the authorization code generating module to the application server according to the Redirect URL.
a second judging module, configured to judge whether the application server is legal according to the application identifier and application password in the acquire-authentication-authority request received by the first receiving module, and to judge whether the authorization code in the acquire-authentication-authority request received by the first receiving module is valid;
a second organizing module, configured, when the second judging module determines that the application server is legal and the authorization code is valid, to organize the authentication authority according to the application identifier in the acquire-authentication-authority request received by the first receiving module, the certificate server identifier and the user information obtained by the user information obtaining module;
a signing module, configured to sign, with the private key, the authentication authority organized by the second organizing module to obtain the signature result.
Preferably, the certificate server further includes a third judging module, configured to judge whether all mandatory parameters in the authentication request received by the first receiving module are present and valid;
the first judging module is configured to judge whether the user information obtained by the user information obtaining module is legal when the third judging module determines that all mandatory parameters in the authentication request are present and valid;
the second sending module is further configured to send a failed-authentication response to the application server when the third judging module determines that the mandatory parameters in the authentication request are not all present or not all valid.
In more detail, the third judging module specifically includes:
a first judging submodule, configured to judge whether the authentication request received by the first receiving module contains an application identifier and a Redirect URL;
a second judging submodule, configured to obtain the application identifier from the authentication request when the first judging submodule determines that the authentication request contains an application identifier and a Redirect URL, and to judge according to the application identifier whether the application server is registered;
a third judging submodule, configured, when the second judging submodule determines that the application server is registered, to obtain the pre-registered Redirect URL of the application server according to the application identifier and to judge whether the Redirect URL in the authentication request matches the pre-stored Redirect URL;
the first judging module is specifically configured to judge whether the user information obtained by the user information obtaining module is legal when the third judging submodule determines that the Redirect URL in the authentication request matches the pre-stored Redirect URL;
the second sending module is further configured to send a failed-authentication response to the application server when the third judging submodule determines that the Redirect URL in the authentication request does not match the pre-stored Redirect URL.
Preferably, the authentication request received by the first receiving module further includes the requested resource scope;
the second organizing module is specifically configured, when the second judging module determines that the application server is legal and the authorization code is valid, to generate an access authority, store the access authority in correspondence with the requested resource scope, and organize the authentication authority according to the application identifier in the acquire-authentication-authority request received by the first receiving module, the certificate server identifier and the user information obtained by the user information obtaining module;
the second sending module is further configured to send the access authority to the application server.
The application server further includes a resource access module, configured to use the access authority to request from the certificate server the resources within the requested resource scope.
Preferably, the certificate server further includes:
a fourth judging module, configured to jump to the user authorization page according to the requested resource scope in the authentication request received by the first receiving module and to judge whether permission authorization information for the requested resource scope can be obtained from the user authorization page;
the authorization code generating module is configured to generate the authorization code when the fourth judging module determines that permission authorization information for the requested resource scope has been received;
the second sending module is further configured to send a failed-authentication response to the application server when the fourth judging module determines that permission authorization information for the requested resource scope has not been received.
Preferably, the first organizing module specifically includes:
an encrypting submodule, configured to encrypt the application identifier and application password registered in advance with the certificate server to generate the application cipher-text information;
a first organizing submodule, configured to generate the acquire-authentication-authority request according to the application cipher-text information generated by the encrypting submodule and the authorization code and Redirect URL received by the first receiving module;
the first sending module is configured to send the acquire-authentication-authority request generated by the first organizing submodule to the certificate server;
The second judging module specifically includes:
a decrypting submodule, configured to obtain the application cipher-text information from the acquire-authentication-authority request in the second receiving module and to decrypt the application cipher-text information to obtain the application identifier and the application password;
a fourth judging submodule, configured to judge whether the application server is legal according to the application identifier and application password decrypted by the decrypting submodule;
a fifth judging submodule, configured to obtain the authorization code from the acquire-authentication-authority request received by the first receiving module and to judge whether the authorization code is valid;
the second organizing module is configured, when the fifth judging submodule determines that the authorization code is valid and the fourth judging submodule determines that the application server is legal, to organize the authentication authority according to the application identifier, the certificate server identifier and the user information, and to sign the authentication authority with the private key to obtain the signature result.
Optionally, the second organizing module is specifically configured to obtain the current server time as the authentication authority sending time and to organize the authentication authority according to the application identifier, the certificate server identifier, the user information and the authentication authority sending time;
Correspondingly, the binding module includes:
a signature verification submodule, configured to verify, with the public key, the signature result received by the second receiving module;
a seventh judging submodule, configured to judge, if the verification by the signature verification submodule passes, whether the authentication authority sending time in the authentication authority received by the second receiving module is earlier than the first preset time;
a binding submodule, configured to bind the authentication authority to the user when the seventh judging submodule determines that the authentication authority sending time is not earlier than the first preset time;
the first sending module is further configured to send authentication authority invalid information to the certificate server when the seventh judging submodule determines that the authentication authority sending time is earlier than the first preset time.
Optionally, the first judging module is further configured to obtain the server current time as the terminal user authentication time;
the second organizing module is specifically configured to organize the authentication authority according to the application identifier, the certificate server identifier, the user information and the terminal user authentication time obtained by the first judging module;
Correspondingly, the binding module includes:
a signature verification submodule, configured to verify, with the public key, the signature result received by the second receiving module;
an eighth judging submodule, configured to judge, if the verification by the signature verification submodule passes, whether the terminal user authentication time in the authentication authority received by the second receiving module is earlier than the second preset time;
a binding submodule, configured to bind the authentication authority to the user when the eighth judging submodule determines that the terminal user authentication time is not earlier than the second preset time;
the first sending module is further configured to send authentication authority invalid information to the certificate server when the eighth judging submodule determines that the terminal user authentication time is earlier than the second preset time.
Optionally, the second organizing module is specifically configured to organize the authentication authority according to the application identifier, the certificate server identifier, the user information and the authentication authority validity period;
Correspondingly, the binding module includes:
a signature verification submodule, configured to verify, with the public key, the signature result received by the second receiving module;
a ninth judging submodule, configured to judge whether the current server time is earlier than the authentication authority validity period;
a binding submodule, configured to bind the authentication authority to the user when the ninth judging submodule determines that the current server time is earlier than the authentication authority validity period;
the first sending module is further configured to send authentication authority invalid information to the certificate server when the ninth judging submodule determines that the current server time is not earlier than the authentication authority validity period.
Embodiment 4
This embodiment provides an authentication server for issuing an identity authentication credential which, referring to Fig. 5, comprises:
a first receiving module, configured to receive the authentication request sent by the application server, and further configured to receive the credential acquisition request sent by the application server;
a user information acquisition module, configured to obtain the user information from the user authentication page when the user enters user information on the user authentication page;
a first judging module, configured to judge, after the first receiving module has received the authentication request, whether the user information obtained by the user information acquisition module is valid;
an authorization code generation module, configured to generate an authorization code after the first judging module determines that the user information is valid;
a second sending module, configured to send the authorization code generated by the authorization code generation module to the application server, and further configured to send the signature result produced by the signing module and the identity authentication credential organized by the second organizing module to the application server;
specifically, the authentication request received by the first receiving module further includes a redirect URL;
the second sending module is specifically configured to send the authorization code generated by the authorization code generation module to the application server according to the redirect URL;
a second judging module, configured to judge whether the application server is legitimate according to the application identifier and the application secret carried in the credential acquisition request received by the first receiving module, and to judge whether the authorization code carried in the credential acquisition request received by the first receiving module is valid;
a second organizing module, configured to organize the identity authentication credential from the application identifier and the authentication server identifier carried in the credential acquisition request received by the first receiving module and the user information obtained by the user information acquisition module, when the second judging module determines that the application server is legitimate and the authorization code is valid;
a signing module, configured to sign, using the private key, the identity authentication credential organized by the second organizing module to obtain a signature result.
Preferably, the authentication server further comprises a third judging module, configured to judge whether all required parameters in the authentication request received by the first receiving module are present and valid;
the first judging module is configured to judge, after the first receiving module has received the authentication request, whether the user information obtained by the user information acquisition module is valid, when the third judging module determines that all required parameters in the authentication request are present and valid;
the second sending module is further configured to send an authentication failure response to the application server when the third judging module determines that not all required parameters in the authentication request are present or not all of them are valid.
In more detail, the third judging module specifically comprises:
a first judging submodule, configured to judge whether the authentication request received by the first receiving module contains an application identifier and a redirect URL;
a second judging submodule, configured to obtain the application identifier from the authentication request when the first judging submodule determines that the authentication request contains an application identifier and a redirect URL, and to judge according to the application identifier whether the application server is registered;
a third judging submodule, configured to obtain, according to the application identifier, the redirect URL pre-registered by the application server when the second judging submodule determines that the application server is registered, and to judge whether the redirect URL in the authentication request matches the pre-registered redirect URL;
the first judging module is specifically configured to judge whether the user information obtained by the user information acquisition module is valid when the third judging submodule determines that the redirect URL in the authentication request matches the pre-registered redirect URL;
the second sending module is further configured to send an authentication failure response to the application server when the third judging submodule determines that the redirect URL in the authentication request does not match the pre-registered redirect URL.
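The required-parameter check of the third judging module (steps A1 to A3 of claim 5) followed by the authorization-code issuance of the first judging and second sending modules, as an added Go example that is not part of the patent; the in-memory registration table, the hex-encoded 128-bit random code and the `?code=` redirect format are assumptions, since the patent does not specify how the code is generated or carried.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthRequest is the authentication request of step S1 with its two required parameters.
type AuthRequest struct {
	AppID       string
	RedirectURL string
}

// RegisteredApp is what the authentication server stored when the application registered.
type RegisteredApp struct {
	RedirectURL string
}

// AuthServer holds the registration table (an in-memory map is assumed here).
type AuthServer struct {
	apps map[string]RegisteredApp
}

var (
	ErrMissingParam     = errors.New("authentication failed: application identifier or redirect URL missing")
	ErrUnregistered     = errors.New("authentication failed: application server not registered")
	ErrRedirectMismatch = errors.New("authentication failed: redirect URL does not match the pre-registered one")
	ErrInvalidUser      = errors.New("authentication failed: user information invalid")
)

// CheckRequiredParams is the third judging module: steps A1 to A3 in order.
func (s *AuthServer) CheckRequiredParams(req AuthRequest) error {
	// A1: both required parameters must be present.
	if req.AppID == "" || req.RedirectURL == "" {
		return ErrMissingParam
	}
	// A2: the application identifier must belong to a registered application server.
	app, ok := s.apps[req.AppID]
	if !ok {
		return ErrUnregistered
	}
	// A3: exact comparison with the pre-registered redirect URL; a looser match
	// would return the authorization code to a URL the application never registered.
	if req.RedirectURL != app.RedirectURL {
		return ErrRedirectMismatch
	}
	return nil
}

// IssueAuthorizationCode runs the request checks, then the user-information check of the
// first judging module (userValid stands in for the page-based check), and on success
// generates a fresh random authorization code plus the redirect the second sending
// module would use to return it (claim 8).
func (s *AuthServer) IssueAuthorizationCode(req AuthRequest, userValid bool) (code, redirect string, err error) {
	if e := s.CheckRequiredParams(req); e != nil {
		return "", "", e
	}
	if !userValid {
		return "", "", ErrInvalidUser
	}
	buf := make([]byte, 16) // 128 random bits; the encoding is an assumption
	if _, e := rand.Read(buf); e != nil {
		return "", "", e
	}
	code = hex.EncodeToString(buf)
	return code, req.RedirectURL + "?code=" + code, nil
}

// NewSampleAuthServer builds a server with one constructed registration.
func NewSampleAuthServer() *AuthServer {
	return &AuthServer{apps: map[string]RegisteredApp{
		"app-001": {RedirectURL: "https://app.example/callback"},
	}}
}

func main() {
	s := NewSampleAuthServer()
	good := AuthRequest{AppID: "app-001", RedirectURL: "https://app.example/callback"}
	code, redirect, err := s.IssueAuthorizationCode(good, true)
	fmt.Println(code, redirect, err)
	// Same application, but a redirect URL that was never registered: rejected at A3.
	bad := AuthRequest{AppID: "app-001", RedirectURL: "https://app.example/callback/other"}
	_, _, err = s.IssueAuthorizationCode(bad, true)
	fmt.Println(err)
}
```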
Preferably, the authentication request received by the first receiving module further includes the requested resource scope;
the second organizing module is specifically configured to generate an access credential when the second judging module determines that the application server is legitimate and the authorization code is valid, to store the access credential in correspondence with the requested resource scope, and to organize the identity authentication credential from the application identifier and the authentication server identifier carried in the credential acquisition request received by the first receiving module and the user information obtained by the first judging module;
the second sending module is further configured to send the access credential to the application server.
Preferably, the authentication server further comprises:
a fourth judging module, configured to jump to the user authorization page according to the requested resource scope in the authentication request received by the first receiving module, and to judge whether authorization consent for the requested resource scope can be obtained from the user authorization page;
the authorization code generation module is configured to generate the authorization code when the fourth judging module determines that authorization consent for the requested resource scope has been received;
the second sending module is further configured to send an authentication failure response to the application server when the fourth judging module determines that authorization consent for the requested resource scope has not been received.
Preferably, the second judging module specifically comprises:
a decryption submodule, configured to obtain the application ciphertext from the credential acquisition request received by the first receiving module and to decrypt the application ciphertext to produce the application identifier and the application secret;
a fourth judging submodule, configured to judge whether the application server is legitimate according to the application identifier and the application secret decrypted by the decryption submodule;
a fifth judging submodule, configured to obtain the authorization code from the credential acquisition request received by the first receiving module and to judge whether the authorization code is valid;
the second organizing module is configured to organize the identity authentication credential from the application identifier, the authentication server identifier and the user information when the fifth judging submodule determines that the authorization code is valid and the fourth judging submodule determines that the application server is legitimate, and to sign the identity authentication credential with the private key to obtain the signature result.
Optionally, the second organizing module is specifically configured to obtain the current server time as the credential sending time, and to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential sending time.
Optionally, the first judging module is further configured to obtain the current server time as the end-user authentication time;
the second organizing module is specifically configured to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and the end-user authentication time obtained by the first judging module.
Optionally, the second organizing module is specifically configured to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential validity period.
The embodiments described above are preferred specific embodiments of the present invention; the usual variations and substitutions made by those skilled in the art within the scope of the technical solution of the present invention shall all fall within the protection scope of the present invention.
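The issuing side described in Embodiment 4 (second organizing module plus signing module) and the checks the application server's binding module performs before binding in claims 10, 11 and 13, as an added Go example that is not part of the patent; the Ed25519 signature, the JSON encoding of the credential, the field names and the sample values are assumptions, since the patent fixes neither a signature algorithm nor a credential format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the identity authentication credential of step S5 with the optional
// sending time (claim 11) and validity period (claim 13); JSON is an assumed encoding.
type Credential struct {
	AppID        string    `json:"app_id"`
	AuthServerID string    `json:"auth_server_id"`
	UserInfo     string    `json:"user_info"`
	SendTime     time.Time `json:"send_time"`
	ValidUntil   time.Time `json:"valid_until"`
}

// GenerateKeyPair produces the authentication server's signing key pair (Ed25519 assumed).
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// OrganizeAndSign is the authentication server side: the second organizing module builds the
// credential and the signing module signs its encoded bytes; both are what step S5 sends.
func OrganizeAndSign(priv ed25519.PrivateKey, appID, authServerID, userInfo string, now time.Time, validity time.Duration) ([]byte, []byte, error) {
	c := Credential{AppID: appID, AuthServerID: authServerID, UserInfo: userInfo, SendTime: now, ValidUntil: now.Add(validity)}
	msg, err := json.Marshal(c)
	if err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

var (
	ErrBadSignature = errors.New("signature verification failed")
	ErrWrongApp     = errors.New("credential invalid: application identifier is not this application's")
	ErrTooOld       = errors.New("credential invalid: sending time is earlier than the first preset time")
	ErrExpired      = errors.New("credential invalid: validity period has passed")
)

// AppServer is the application server side: the binding module and its submodules.
type AppServer struct {
	AppID           string
	AuthServerPub   ed25519.PublicKey
	FirstPresetTime time.Time             // credentials sent before this are rejected (claim 11)
	bound           map[string]Credential // user identifier -> credential (claim 3)
}

func NewAppServer(appID string, pub ed25519.PublicKey, firstPreset time.Time) *AppServer {
	return &AppServer{AppID: appID, AuthServerPub: pub, FirstPresetTime: firstPreset, bound: map[string]Credential{}}
}

// VerifyAndBind performs step S6 and the pre-binding checks of claims 10, 11 and 13, then
// allocates a random user identifier (claim 3) and stores the credential under it.
func (a *AppServer) VerifyAndBind(msg, sig []byte, now time.Time) (string, error) {
	if !ed25519.Verify(a.AuthServerPub, msg, sig) { // checked before anything is decoded
		return "", ErrBadSignature
	}
	var c Credential
	if err := json.Unmarshal(msg, &c); err != nil {
		return "", err
	}
	if c.AppID != a.AppID { // claim 10
		return "", ErrWrongApp
	}
	if c.SendTime.Before(a.FirstPresetTime) { // claim 11
		return "", ErrTooOld
	}
	if !now.Before(c.ValidUntil) { // claim 13: now must be earlier than the end of the validity period
		return "", ErrExpired
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	uid := hex.EncodeToString(buf)
	a.bound[uid] = c
	return uid, nil
}

func (a *AppServer) Bound(uid string) (Credential, bool) {
	c, ok := a.bound[uid]
	return c, ok
}

func main() {
	pub, priv, _ := GenerateKeyPair()
	now := time.Now()
	msg, sig, _ := OrganizeAndSign(priv, "app-001", "authsrv-1", "alice", now, time.Hour)
	app := NewAppServer("app-001", pub, now.Add(-24*time.Hour))
	uid, err := app.VerifyAndBind(msg, sig, now)
	fmt.Println(uid, err)
	fmt.Println(app.VerifyAndBind(msg, sig, now.Add(2*time.Hour))) // after the validity period
}
```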

Claims (46)

1. A method for issuing an identity authentication credential, characterized in that it comprises:
step S1: after receiving an access request triggered by a user, the application server jumps to the user authentication page and sends an authentication request to the authentication server;
step S2: when the user enters user information on the user authentication page, the authentication server obtains the user information from the user authentication page and judges whether the user information is valid; if so, it generates an authorization code, returns the authorization code to the application server and executes step S3; otherwise the method ends;
step S3: the application server organizes a credential acquisition request from the authorization code and the application identifier and application secret pre-registered with the authentication server, and sends the credential acquisition request to the authentication server;
step S4: the authentication server judges whether the application server is legitimate according to the application identifier and the application secret in the credential acquisition request, and judges whether the authorization code in the credential acquisition request is valid; if both judgments are yes, step S5 is executed, otherwise the method ends;
step S5: the authentication server organizes the identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the identity authentication credential with a private key, and sends the signature result and the identity authentication credential to the application server;
step S6: the application server verifies the signature result with the public key and, if verification passes, binds the identity authentication credential to the user.
2. The method according to claim 1, characterized in that binding the identity authentication credential to the user specifically comprises: the application server obtains the user information from the identity authentication credential and stores the user information in correspondence with the identity authentication credential.
3. The method according to claim 1, characterized in that binding the identity authentication credential to the user specifically comprises: the application server allocates a character string as a user identifier and stores the user identifier in correspondence with the identity authentication credential.
4. The method according to claim 1, characterized in that between step S1 and step S2 the method further comprises: the authentication server judges whether all required parameters in the authentication request are present and valid; if so, step S2 is executed, otherwise an authentication failure response is returned to the application server and the method ends.
5. The method according to claim 4, characterized in that judging whether all required parameters in the authentication request are present and valid specifically comprises:
step A1: the authentication server judges whether the authentication request contains an application identifier and a redirect URL; if so, step A2 is executed, otherwise an authentication failure response is returned to the application server and the method ends;
step A2: the authentication server obtains the application identifier from the authentication request and judges according to the application identifier whether the application server is registered; if so, step A3 is executed, otherwise an authentication failure response is returned to the application server and the method ends;
step A3: the authentication server obtains, according to the application identifier, the redirect URL pre-registered by the application server and judges whether the redirect URL in the authentication request matches the obtained pre-registered redirect URL; if so, step S2 is executed, otherwise an authentication failure response is returned to the application server and the method ends.
6. The method according to claim 1, characterized in that the authentication request further includes the requested resource scope;
step S5 specifically comprises: the authentication server generates an access credential and stores the access credential in correspondence with the requested resource scope; organizes the identity authentication credential from the application identifier, the authentication server identifier and the user information; signs the identity authentication credential with the private key; and sends the signature result, the identity authentication credential and the access credential to the application server;
after step S6 the method further comprises: the application server uses the access credential to obtain from the authentication server the resources within the requested resource scope.
7. The method according to claim 6, characterized in that in step S2, after determining that the user information is valid and before generating the authorization code, the method further comprises: the authentication server jumps to the user authorization page according to the requested resource scope and judges whether authorization consent for the requested resource scope can be obtained from the user authorization page; if so, it generates the authorization code, otherwise it returns an authentication failure response to the application server.
8. The method according to claim 1, characterized in that the authentication request includes a redirect URL;
returning the authorization code to the application server specifically comprises: returning the authorization code to the application server according to the redirect URL.
9. The method according to claim 1, characterized in that step S3 specifically comprises:
step B1: the application server encrypts the application identifier and the application secret pre-registered with the authentication server to generate application ciphertext;
step B2: the application server organizes a credential acquisition request from the application ciphertext and the authorization code, and sends the credential acquisition request to the authentication server;
and step S4 specifically comprises: the authentication server obtains the application ciphertext from the credential acquisition request, decrypts the application ciphertext to obtain the application identifier and the application secret, judges whether the application server is legitimate according to the application identifier and the application secret, and judges whether the authorization code in the credential acquisition request is valid; if both judgments are yes, step S5 is executed, otherwise the method ends.
10. The method according to claim 1, characterized in that in step S6, after the application server has verified the signature result with the public key and verification has passed, and before binding the identity authentication credential to the user, the method further comprises: the application server judges whether the application identifier in the identity authentication credential is legitimate; if so, it continues with binding the identity authentication credential to the user, otherwise it returns a credential-invalid message to the authentication server and the method ends.
11. The method according to claim 1, characterized in that
step S5 specifically comprises: the authentication server obtains the current server time as the credential sending time, organizes the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential sending time, signs the identity authentication credential with the private key, and sends the signature result and the identity authentication credential to the application server;
in step S6, after the application server has verified the signature result with the public key and verification has passed, and before binding the identity authentication credential to the user, the method further comprises: the application server judges whether the credential sending time in the identity authentication credential is earlier than a first preset time; if so, it sends a credential-invalid message to the authentication server and the method ends; otherwise it continues with binding the identity authentication credential to the user.
12. The method according to claim 1, characterized in that
when step S2 determines that the user is valid, the method further comprises: obtaining the current server time as the end-user authentication time;
step S5 specifically comprises: the authentication server organizes the identity authentication credential from the application identifier, the authentication server identifier, the user information and the end-user authentication time, signs the identity authentication credential with the private key, and sends the signature result and the identity authentication credential to the application server;
in step S6, after the application server has verified the signature result with the public key and verification has passed, and before binding the identity authentication credential to the user, the method further comprises: the application server judges whether the end-user authentication time in the identity authentication credential is earlier than a second preset time; if so, it sends a credential-invalid message to the authentication server; otherwise it continues with binding the identity authentication credential to the user.
13. The method according to claim 1, characterized in that
step S5 specifically comprises: the authentication server organizes the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential validity period, signs the identity authentication credential with the private key, and sends the signature result and the identity authentication credential to the application server;
in step S6, after the application server has verified the signature result with the public key and verification has passed, and before binding the identity authentication credential to the user, the method further comprises: the application server judges whether the current server time is earlier than the end of the validity period of the identity authentication credential; if so, it continues with binding the identity authentication credential to the user, otherwise it returns a credential-invalid message to the authentication server.
14. A system for issuing an identity authentication credential, characterized in that it comprises an authentication server and an application server;
the application server specifically comprises:
a first sending module, configured to receive an access request triggered by a user, jump to the user authentication page and send an authentication request to the authentication server, and further configured to send the credential acquisition request organized by the first organizing module to the authentication server;
a second receiving module, configured to receive the authorization code sent by the authentication server, and further configured to receive the signature result and the identity authentication credential sent by the authentication server;
the first organizing module, configured to organize the credential acquisition request from the authorization code received by the second receiving module and the application identifier and application secret pre-registered with the authentication server;
a binding module, configured to verify the signature result received by the second receiving module with the public key and, if verification passes, to bind the identity authentication credential received by the second receiving module to the user;
the authentication server specifically comprises:
a first receiving module, configured to receive the authentication request sent by the application server, and further configured to receive the credential acquisition request sent by the application server;
a user information acquisition module, configured to obtain the user information from the user authentication page when the user enters user information on the user authentication page;
a first judging module, configured to judge, when the first receiving module receives the authentication request, whether the user information obtained by the user information acquisition module is valid;
an authorization code generation module, configured to generate an authorization code after the first judging module determines that the user information is valid;
a second sending module, configured to send the authorization code generated by the authorization code generation module to the application server, and further configured to send the identity authentication credential organized by the second organizing module and the signature result produced by the signing module to the application server;
a second judging module, configured to judge whether the application server is legitimate according to the application identifier and the application secret in the credential acquisition request received by the first receiving module, and to judge whether the authorization code in the credential acquisition request received by the first receiving module is valid;
the second organizing module, configured to organize the identity authentication credential from the application identifier and the authentication server identifier in the credential acquisition request received by the first receiving module and the user information obtained by the user information acquisition module, when the second judging module determines that the application server is legitimate and the authorization code is valid;
the signing module, configured to sign, with the private key, the identity authentication credential organized by the second organizing module to obtain the signature result.
15. The system according to claim 14, characterized in that the binding module is specifically configured to verify the signature result received by the second receiving module with the public key and, if verification passes, to obtain the user information from the identity authentication credential and store the user information in correspondence with the identity authentication credential.
16. The system according to claim 14, characterized in that the binding module is specifically configured to verify the signature result received by the second receiving module with the public key and, if verification passes, to allocate a character string as a user identifier and store the user identifier in correspondence with the identity authentication credential.
17. The system according to claim 14, characterized in that the authentication server further comprises:
a third judging module, configured to judge whether all required parameters in the authentication request received by the first receiving module are present and valid;
the first judging module is configured to judge whether the user information obtained by the user information acquisition module is valid when the third judging module determines that all required parameters in the authentication request are present and valid;
the second sending module is further configured to send an authentication failure response to the application server when the third judging module determines that not all required parameters in the authentication request are present or not all of them are valid.
18. The system according to claim 17, characterized in that the third judging module specifically comprises:
a first judging submodule, configured to judge whether the authentication request received by the first receiving module contains an application identifier and a redirect URL;
a second judging submodule, configured to obtain the application identifier from the authentication request when the first judging submodule determines that the authentication request contains an application identifier and a redirect URL, and to judge according to the application identifier whether the application server is registered;
a third judging submodule, configured to obtain, according to the application identifier, the redirect URL pre-registered by the application server when the second judging submodule determines that the application server is registered, and to judge whether the redirect URL in the authentication request matches the obtained pre-registered redirect URL;
the first judging module is specifically configured to judge whether the user information obtained by the user information acquisition module is valid when the third judging submodule determines that the redirect URL in the authentication request matches the obtained pre-registered redirect URL;
the second sending module is further configured to send an authentication failure response to the application server when the third judging submodule determines that the redirect URL in the authentication request does not match the obtained pre-registered redirect URL.
19. The system according to claim 14, characterized in that the authentication request received by the first receiving module further includes the requested resource scope;
the second organizing module is specifically configured to generate an access credential when the second judging module determines that the application server is legitimate and the authorization code is valid, to store the access credential in correspondence with the requested resource scope, and to organize the identity authentication credential from the application identifier and the authentication server identifier in the credential acquisition request received by the first receiving module and the user information obtained by the user information acquisition module;
the second sending module is further configured to send the access credential generated by the second organizing module to the application server;
the application server further comprises a resource access module, configured to receive the access credential and to use the access credential to obtain from the authentication server the resources within the requested resource scope.
20. The system according to claim 14, characterized in that the authentication server further comprises:
a fourth judging module, configured to jump to the user authorization page according to the requested resource scope in the authentication request received by the first receiving module, and to judge whether authorization consent for the requested resource scope can be obtained from the user authorization page;
the authorization code generation module is configured to generate the authorization code when the fourth judging module determines that authorization consent for the requested resource scope has been received;
the second sending module is further configured to send an authentication failure response to the application server when the fourth judging module determines that authorization consent for the requested resource scope has not been received.
21. The system according to claim 14, characterized in that the authentication request received by the first receiving module further includes a redirect URL;
the second sending module is specifically configured to send the authorization code generated by the authorization code generation module to the application server according to the redirect URL.
22. The system according to claim 14, characterized in that
the first organizing module specifically comprises:
an encryption submodule, configured to encrypt the application identifier and the application secret pre-registered with the authentication server to generate application ciphertext;
a first organizing submodule, configured to generate the credential acquisition request from the application ciphertext generated by the encryption submodule and the authorization code and redirect URL received by the second receiving module;
the first sending module is configured to send the credential acquisition request generated by the first organizing submodule to the authentication server;
the second judging module specifically comprises:
a decryption submodule, configured to obtain the application ciphertext from the credential acquisition request received by the first receiving module and to decrypt the application ciphertext to produce the application identifier and the application secret;
a fourth judging submodule, configured to judge whether the application server is legitimate according to the application identifier and the application secret decrypted by the decryption submodule;
a fifth judging submodule, configured to obtain the authorization code from the received credential acquisition request and to judge whether the authorization code is valid;
the second organizing module is configured to organize the identity authentication credential from the application identifier, the authentication server identifier and the user information when the fifth judging submodule determines that the authorization code is valid and the fourth judging submodule determines that the application server is legitimate, and to sign the identity authentication credential with the private key to obtain the signature result.
23. The system according to claim 14, characterized in that the binding module comprises:
a signature verification submodule, configured to verify the signature result received by the second receiving module with the public key;
a sixth judging submodule, configured to judge, if verification by the signature verification submodule passes, whether the application identifier in the identity authentication credential received by the second receiving module is legitimate;
a binding submodule, configured to bind the identity authentication credential to the user when the sixth judging submodule determines that the application identifier is legitimate;
the first sending module is further configured to send a credential-invalid message to the authentication server when the sixth judging submodule determines that the application identifier is not legitimate.
24. The system according to claim 14, characterized in that
the second organizing module is specifically configured to obtain the current server time as the credential sending time when the second judging module determines that the application server is legitimate and the authorization code is valid, and to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential sending time;
the binding module comprises:
a signature verification submodule, configured to verify the signature result received by the second receiving module with the public key;
a seventh judging submodule, configured to judge, if verification by the signature verification submodule passes, whether the credential sending time in the identity authentication credential received by the second receiving module is earlier than a first preset time;
a binding submodule, configured to bind the identity authentication credential to the user when the seventh judging submodule determines that the credential sending time is not earlier than the first preset time;
the first sending module is further configured to send a credential-invalid message to the authentication server when the seventh judging submodule determines that the credential sending time is earlier than the first preset time.
25. The system according to claim 14, characterized in that
the first judging module is further configured to obtain the current server time as the end-user authentication time;
the second organizing module is specifically configured, when the second judging module determines that the application server is legitimate and the authorization code is valid, to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and the end-user authentication time obtained by the first judging module;
the binding module comprises:
a signature verification submodule, configured to verify the signature result received by the second receiving module with the public key;
an eighth judging submodule, configured to judge, if verification by the signature verification submodule passes, whether the end-user authentication time in the identity authentication credential received by the second receiving module is earlier than a second preset time;
a binding submodule, configured to bind the identity authentication credential to the user when the eighth judging submodule determines that the end-user authentication time is not earlier than the second preset time;
the first sending module is further configured to send a credential-invalid message to the authentication server when the eighth judging submodule determines that the end-user authentication time is earlier than the second preset time.
26. The system as claimed in claim 14, characterized in that:
The credential organization module is specifically configured, when the second judgment module determines that the application server is legitimate and the authorization code is valid, to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and a credential validity period;
The binding module includes:
a signature verification submodule, configured to verify, using the public key, the signature result received by the second receiving module;
a ninth judging submodule, configured to judge whether the current server time is earlier than the credential validity period;
a binding submodule, configured to bind the identity authentication credential to the user when the ninth judging submodule determines that the current server time is earlier than the credential validity period;
The first sending module is further configured to send a message indicating that the identity authentication credential is invalid to the authentication server when the ninth judging submodule determines that the current server time is later than the credential validity period.
27. A method for issuing an identity authentication credential, characterized by comprising:
Step R1: the authentication server receives an authentication request sent by an application server; when the user enters user information on the user authentication page, the authentication server obtains the user information from the user authentication page and judges whether the user information is legitimate; if so, it generates an authorization code, returns the authorization code to the application server and executes step R2; otherwise the process terminates;
Step R2: when the authentication server receives a request to obtain an identity authentication credential sent by the application server, it judges whether the application server is legitimate according to the application identifier and the application password in that request, and judges whether the authorization code in that request is valid; if both judgments are affirmative, step R3 is executed; otherwise the process terminates;
Step R3: the authentication server organizes an identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the identity authentication credential with a private key, and sends the signature result and the identity authentication credential to the application server.
28. The method as claimed in claim 27, characterized in that, after the authentication server receives the authentication request sent by the application server in step R1 and before it obtains the user information from the user authentication page, the method further includes: the authentication server judges whether all required parameters in the authentication request are present and valid; if so, it continues with obtaining the user information from the user authentication page; otherwise it returns an authentication failure response to the application server and terminates.
29. The method as claimed in claim 28, characterized in that judging whether all required parameters in the authentication request are present and valid specifically includes:
Step C1: the authentication server judges whether the authentication request contains an application identifier and a redirect URL; if so, step C2 is executed; otherwise it returns an authentication failure response to the application server and terminates;
Step C2: the authentication server obtains the application identifier from the authentication request and judges, according to the application identifier, whether the application server is registered; if so, step C3 is executed; otherwise it returns an authentication failure response to the application server and terminates;
Step C3: the authentication server obtains, according to the application identifier, the redirect URL pre-registered by the application server and judges whether the redirect URL in the authentication request matches the obtained pre-registered redirect URL; if so, step C2 is executed; otherwise it returns an authentication failure response to the application server and terminates.
30. The method as claimed in claim 27, characterized in that the authentication request further includes a requested resource scope;
Step R3 specifically includes: the authentication server generates an access credential and stores the access credential in correspondence with the requested resource scope; it organizes an identity authentication credential from the application identifier, the authentication server identifier and the user information, signs the identity authentication credential with a private key, and sends the signature result and the access credential to the application server.
31. The method as claimed in claim 27, characterized in that, after the user information is determined to be legitimate in step R1 and before the authorization code is generated, the method further includes: the authentication server jumps to the user authorization page according to the requested resource scope and judges whether permission authorization information for the requested resource scope can be obtained from the user authorization page; if so, it generates the authorization code; otherwise it returns an authentication failure response to the application server.
32. The method as claimed in claim 27, characterized in that the authentication request includes a redirect URL;
returning the authorization code to the application server specifically means: returning the authorization code to the application server according to the redirect URL.
33. The method as claimed in claim 27, characterized in that step R2 specifically includes: the authentication server obtains application ciphertext from the request to obtain the identity authentication credential, decrypts the application ciphertext to obtain the application identifier and the application password, judges whether the application server is legitimate according to the application identifier and the application password, and judges whether the authorization code in the request to obtain the identity authentication credential is valid; if both judgments are affirmative, step R3 is executed; otherwise the process terminates.
34. The method as claimed in claim 27, characterized in that:
Step R3 specifically includes: the authentication server obtains the current server time as the credential sending time, organizes an identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential sending time, signs the identity authentication credential with a private key, and sends the signature result and the identity authentication credential to the application server.
35. The method as claimed in claim 27, characterized in that:
when the user is determined to be legitimate in step R1, the method further includes: obtaining the current server time as the terminal-user authentication time;
Step R3 specifically includes: the authentication server organizes an identity authentication credential from the application identifier, the authentication server identifier, the user information and the terminal-user authentication time, signs the identity authentication credential with a private key, and sends the signature result and the identity authentication credential to the application server.
36. The method as claimed in claim 27, characterized in that:
Step R3 specifically includes: the authentication server organizes an identity authentication credential from the application identifier, the authentication server identifier, the user information and a credential validity period, signs the identity authentication credential with a private key, and sends the signature result and the identity authentication credential to the application server.
37. An authentication server for issuing an identity authentication credential, characterized by comprising:
a first receiving module, configured to receive an authentication request sent by an application server, and further configured to receive a request to obtain an identity authentication credential sent by the application server;
a user information acquisition module, configured to obtain the user information from the user authentication page when the user enters user information on the user authentication page;
a first judgment module, configured, when the first receiving module receives the authentication request, to judge whether the user information obtained by the user information acquisition module is legitimate;
an authorization code generation module, configured to generate an authorization code after the first judgment module determines that the user information is legitimate;
a second sending module, configured to send the authorization code generated by the authorization code generation module to the application server, and further configured to send the signature result produced by the signing module and the identity authentication credential to the application server;
a second judgment module, configured to judge whether the application server is legitimate according to the application identifier and the application password in the request to obtain the identity authentication credential received by the first receiving module, and to judge whether the authorization code in that request is valid;
a credential organization module, configured, when the second judgment module determines that the application server is legitimate and the authorization code is valid, to organize the identity authentication credential from the application identifier in the request to obtain the identity authentication credential received by the first receiving module, the authentication server identifier and the user information obtained by the user information acquisition module;
a signing module, configured to sign the identity authentication credential organized by the credential organization module with a private key to obtain the signature result.
38. The authentication server as claimed in claim 37, characterized by further comprising:
a third judgment module, configured, after the first receiving module receives the authentication request, to judge whether all required parameters in the authentication request received by the first receiving module are present and valid;
The first judgment module is specifically configured to judge whether the user information obtained by the user information acquisition module is legitimate when the third judgment module determines that all required parameters in the authentication request are present and valid;
The second sending module is further configured to send an authentication failure response to the application server when the third judgment module determines that not all required parameters in the authentication request are present, or not all of them are valid.
39. The authentication server as claimed in claim 38, characterized in that the third judgment module specifically includes:
a first judging submodule, configured to judge whether the authentication request received by the first receiving module contains an application identifier and a redirect URL;
a second judging submodule, configured, when the first judging submodule determines that the authentication request contains an application identifier and a redirect URL, to obtain the application identifier from the authentication request and judge, according to the application identifier, whether the application server is registered;
a third judging submodule, configured, when the second judging submodule determines that the application server is registered, to obtain the redirect URL pre-registered by the application server according to the application identifier and judge whether the redirect URL in the authentication request matches the obtained pre-registered redirect URL;
The first judgment module is specifically configured to judge whether the user information obtained by the user information acquisition module is legitimate when the third judging submodule determines that the redirect URL in the authentication request matches the obtained pre-registered redirect URL;
The second sending module is further configured to send an authentication failure response to the application server when the third judging submodule determines that the redirect URL in the authentication request does not match the obtained pre-registered redirect URL.
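The required-parameter checks of claims 29 and 39 (steps C1 to C3) as one worked example. This code is added for this page and is not the patent holder's implementation; the registration table, the field names app_id and redirect_url and the sample URLs are constructed. The redirect URL is compared in full against the registered one, which is the check that keeps an authorization code from being delivered to a destination the application never registered.

```python
"""Required-parameter checks of an authentication request (constructed example)."""
from urllib.parse import urlsplit

# Pre-registered applications: application identifier -> redirect URL registered at
# enrolment. Constructed sample data for this example.
REGISTERED_REDIRECTS = {
    "app-123": "https://app.example/oauth/callback",
}


def _same_url(a: str, b: str) -> bool:
    """Exact comparison of scheme, host, path and query (scheme and host case-folded)."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme.lower(), pa.netloc.lower(), pa.path, pa.query) == (
        pb.scheme.lower(), pb.netloc.lower(), pb.path, pb.query)


def validate_auth_request(request: dict) -> tuple:
    """Steps C1-C3: return (True, 'ok') or (False, reason) for an authentication failure response."""
    # C1: both required parameters must be present.
    app_id = request.get("app_id")
    redirect_url = request.get("redirect_url")
    if not app_id or not redirect_url:
        return False, "authentication failure: missing app_id or redirect_url"
    # C2: the application identifier must belong to a registered application.
    registered = REGISTERED_REDIRECTS.get(app_id)
    if registered is None:
        return False, "authentication failure: application not registered"
    # C3: the redirect URL must match the pre-registered one exactly. A prefix or
    # host-only comparison would accept paths or hosts the application did not register.
    if not _same_url(redirect_url, registered):
        return False, "authentication failure: redirect URL does not match registration"
    return True, "ok"
```

Exact matching (rather than prefix or host matching) is the part of step C3 a reviewer should look for: it is what ties the later authorization code delivery of claim 32 to the registered destination.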
40. The authentication server as claimed in claim 37, characterized in that the authentication request received by the first receiving module further includes a requested resource scope;
The credential organization module is specifically configured, when the second judgment module determines that the application server is legitimate and the authorization code is valid, to generate an access credential and store the access credential in correspondence with the requested resource scope, and to organize the identity authentication credential from the application identifier in the request to obtain the identity authentication credential received by the first receiving module, the authentication server identifier and the user information obtained by the user information acquisition module;
The second sending module is further configured to send the access credential generated by the credential organization module to the application server.
41. The authentication server as claimed in claim 37, characterized by further comprising:
a fourth judgment module, configured to jump to the user authorization page according to the requested resource scope in the authentication request received by the first receiving module, and to judge whether permission authorization information for the requested resource scope can be obtained from the user authorization page;
The authorization code generation module is configured to generate the authorization code when the fourth judgment module determines that the permission authorization information for the requested resource scope has been received;
The second sending module is further configured to send an authentication failure response to the application server when the fourth judgment module determines that the permission authorization information for the requested resource scope has not been received.
42. The authentication server as claimed in claim 37, characterized in that the authentication request received by the first receiving module further includes a redirect URL;
The second sending module is specifically configured to send the authorization code generated by the authorization code generation module to the application server according to the redirect URL.
43. The authentication server as claimed in claim 37, characterized in that:
The second judgment module specifically includes:
a decryption submodule, configured to obtain application ciphertext from the request to obtain the identity authentication credential received by the first receiving module and decrypt the application ciphertext to produce the application identifier and the application password;
a fourth judging submodule, configured to judge whether the application server is legitimate according to the application identifier and the application password decrypted by the decryption submodule;
a fifth judging submodule, configured to obtain the authorization code from the request to obtain the identity authentication credential received by the first receiving module and judge whether the authorization code is valid;
The credential organization module is configured, when the fifth judging submodule determines that the authorization code is valid and the fourth judging submodule determines that the application server is legitimate, to organize the identity authentication credential from the application identifier, the authentication server identifier and the user information, and to sign the identity authentication credential with a private key to obtain the signature result.
44. The authentication server as claimed in claim 37, characterized in that:
The credential organization module is specifically configured, when the second judgment module determines that the application server is legitimate and the authorization code is valid, to obtain the current server time as the credential sending time and to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and the credential sending time.
45. The authentication server as claimed in claim 37, characterized in that:
The first judgment module is further configured to obtain the current server time as the terminal-user authentication time;
The credential organization module is specifically configured, when the second judgment module determines that the application server is legitimate and the authorization code is valid, to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and the terminal-user authentication time obtained by the first judgment module.
46. The authentication server as claimed in claim 37, characterized in that:
The credential organization module is specifically configured, when the second judgment module determines that the application server is legitimate and the authorization code is valid, to organize the identity authentication credential from the application identifier, the authentication server identifier, the user information and a credential validity period.
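The authorization-code redemption and signed credential issuance of claims 27 and 33 to 36, together with the signature verification and time checks that the binding module performs in claims 24 to 26 (and the credential layouts of claims 44 to 46), as one worked example. It is added for this page and is not the patent holder's code. The authentication server identifier, the registered-application table, the two lifetimes and all field names are assumed; the private/public-key signature of the claims is stood in for by a textbook RSA signature over SHA-224 built on two Mersenne primes so that the block runs with the Python standard library alone (a deployment would use a vetted library signature scheme instead).

```python
"""Authorization-code redemption and signed identity-credential issuance (constructed example)."""
import hashlib
import json
import secrets

# --- Toy signature primitive: stand-in for the private/public key pair of the claims ---
# Two Mersenne primes give a modulus of about 234 bits, so the block runs offline with the
# standard library only. Educational stand-in, not a deployable signature scheme.
_P, _Q = 2**127 - 1, 2**107 - 1
MODULUS = _P * _Q
PUBLIC_EXP = 65537
PRIVATE_EXP = pow(PUBLIC_EXP, -1, (_P - 1) * (_Q - 1))


def _digest_int(data: bytes) -> int:
    # SHA-224 output (224 bits) is always smaller than the 234-bit modulus.
    return int.from_bytes(hashlib.sha224(data).digest(), "big")


def sign(data: bytes) -> int:
    """Authentication server: sign with the private exponent."""
    return pow(_digest_int(data), PRIVATE_EXP, MODULUS)


def verify(data: bytes, signature: int) -> bool:
    """Application server: verify with the public exponent only."""
    return pow(signature, PUBLIC_EXP, MODULUS) == _digest_int(data)


# --- Authentication server state (all values assumed / constructed) ---
AUTH_SERVER_ID = "auth-server-01"                # assumed authentication server identifier
REGISTERED_APPS = {"app-123": "app-123-secret"}  # application identifier -> application password
CODE_LIFETIME = 60                                # seconds an authorization code stays valid (assumed)
CREDENTIAL_LIFETIME = 3600                        # credential validity period in seconds (assumed)
_codes = {}                                       # issued authorization code -> issuance context


def issue_authorization_code(app_id: str, user_info: str, now: float) -> str:
    """Step R1, after the user information was judged legitimate: mint a single-use code."""
    code = secrets.token_urlsafe(24)
    _codes[code] = {"app_id": app_id, "user": user_info,
                    "user_auth_time": now, "expires": now + CODE_LIFETIME}
    return code


def redeem_code(app_id: str, app_secret: str, code: str, now: float):
    """Steps R2 and R3: check application and code, then issue the signed credential.

    Returns (credential_bytes, signature), or None when the request is rejected.
    """
    # R2: is the application legitimate? (claim 33 first decrypts this pair from ciphertext)
    if not secrets.compare_digest(REGISTERED_APPS.get(app_id, ""), app_secret):
        return None
    # R2: is the authorization code valid? It is consumed on first use and bound to the app.
    ctx = _codes.pop(code, None)
    if ctx is None or ctx["app_id"] != app_id or now > ctx["expires"]:
        return None
    # R3: organize the credential from the application identifier, the server identifier,
    # the user information and the time fields of claims 34, 35 and 36.
    credential = {
        "app_id": app_id,
        "auth_server_id": AUTH_SERVER_ID,
        "user": ctx["user"],
        "sent_at": now,                                  # credential sending time (claim 34)
        "user_authenticated_at": ctx["user_auth_time"],  # terminal-user authentication time (claim 35)
        "expires_at": now + CREDENTIAL_LIFETIME,         # credential validity period (claim 36)
    }
    payload = json.dumps(credential, sort_keys=True, separators=(",", ":")).encode()
    return payload, sign(payload)


# --- Application server side: the binding module of claims 24 to 26 ---
def bind_credential(payload: bytes, signature: int, now: float,
                    first_preset_time: float, second_preset_time: float):
    """Verify the signature with the public key, then apply the three time checks.

    Returns the credential dict to bind to the user, or None meaning 'credential invalid'.
    """
    if not verify(payload, signature):
        return None
    cred = json.loads(payload)
    if cred["sent_at"] < first_preset_time:                 # claim 24
        return None
    if cred["user_authenticated_at"] < second_preset_time:  # claim 25
        return None
    if not now < cred["expires_at"]:                        # claim 26: server time must be earlier
        return None
    return cred
```

The code store pops the authorization code on redemption, so a second presentation of the same code is rejected even with the correct application password, and a code issued to one application identifier cannot be redeemed under another. On the application-server side the signature is checked before any field is read, and the three time comparisons map one-to-one onto claims 24, 25 and 26.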
Application CN201710121273.5A, priority date 2017-03-02, filing date 2017-03-02: A kind of method that issuing authentication authority, system and certificate server (status: Active; granted publication CN106973041B (en))

Publications (2)

Publication Number Publication Date
CN106973041A CN106973041A (en) 2017-07-21
CN106973041B true CN106973041B (en) 2019-10-08

Family

ID=59328380

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
OL01 Intention to license declared