CN109286633A - Single sign-on method, device, computer equipment and storage medium - Google Patents

Single sign-on method, device, computer equipment and storage medium

Info

Publication number
CN109286633A
Authority
CN
China
Prior art keywords
user
access
token
user terminal
unit
Prior art date
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Pending
Application number
CN201811260465.5A
Other languages
Chinese (zh)
Inventor
刘子威
李银山
陈涛
詹伟真
顾正
Current Assignee (as listed by Google Patents; may be inaccurate)
Shenzhen Huayun Zhongsheng Science And Technology Co Ltd
Original Assignee
Shenzhen Huayun Zhongsheng Science And Technology Co Ltd
Events
Application filed by Shenzhen Huayun Zhongsheng Science And Technology Co Ltd
Priority to CN201811260465.5A
Publication of CN109286633A
Legal status: Pending (current)

Classifications

    • All under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations (under H04L63/00, H04L63/08)
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources (under H04L63/00)
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time (under H04L63/00, H04L63/10)
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/00 Network arrangements or protocols for supporting network services or applications, H04L67/01 Protocols)
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos (under H04L9/00, H04L9/32, H04L9/321)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present invention relates to a single sign-on method, device, computer equipment and storage medium. The method includes: obtaining the ID of the user terminal the user is accessing from and the redirect address; obtaining the user's authorization conditions; judging whether the authorization conditions grant authorization to the user terminal; if so, guiding the user to a redirection uniform resource identifier specified in advance, to obtain a standard redirection uniform resource identifier; attaching a standard authorization code to the standard redirection uniform resource identifier; obtaining a token application request and information to be verified from the user terminal; judging whether the information to be verified meets the requirements; if so, sending an access token according to the token application request; and redirecting the page to the accessed application page so that the user accesses service resources with the access token. The present invention provides a common authentication service and a unified login entry for each service server, facilitates the user's unified login to different service servers and their security management, and enhances the user experience.

Description

Single sign-on method, device, computer equipment and storage medium
Technical field
The present invention relates to system login methods, and more specifically to a single sign-on method, device, computer equipment and storage medium.
Background technique
With the rapid development of informatization, many companies and government departments have gradually adopted various systems related to their own business, most of them Web systems. Almost every business system designs its own user data and rights-management mechanism, and provides a user login to identify the user's identity and, according to the user's role, assign certain permissions within which the business system may be operated. This meets the business need, but such systems bring problems such as inconvenient user account management and inconsistent user data, which not only makes management very difficult but also buries great hidden dangers in terms of security.
Therefore, it is necessary to design a method that provides a common authentication service for each subsystem and a unified login entry, facilitating unified management of users and applications.
Summary of the invention
The object of the present invention is to overcome the deficiencies of the prior art and provide a single sign-on method, device, computer equipment and storage medium.
To achieve the above object, the invention adopts the following technical scheme: a single sign-on method, comprising:
obtaining the ID of the user terminal the user is accessing from and the redirect address;
obtaining the user's authorization conditions;
judging whether the authorization conditions grant authorization to the user terminal;
if so, guiding the user to a redirection uniform resource identifier specified in advance, to obtain a standard redirection uniform resource identifier;
attaching a standard authorization code to the standard redirection uniform resource identifier;
obtaining a token application request and information to be verified from the user terminal;
judging whether the information to be verified meets the requirements;
if so, sending an access token according to the token application request;
redirecting the page to the accessed application page so that the user accesses service resources with the access token.
In a further technical solution, the redirect address includes the application address the user is accessing.
In a further technical solution, the information to be verified includes the authorization code from the user terminal and the redirection uniform resource identifier from the user terminal.
In a further technical solution, judging whether the information to be verified meets the requirements comprises:
judging whether the authorization code from the user terminal is consistent with the standard authorization code;
if so, judging whether the redirection uniform resource identifier from the user terminal is consistent with the standard redirection uniform resource identifier;
if so, the information to be verified meets the requirements.
In a further technical solution, the access token includes information related to the user.
In a further technical solution, after redirecting the page to the accessed application page so that the user accesses service resources with the access token, the method further comprises:
when the user accesses service resources with the access token, obtaining the user access request;
placing the access token in the HTTP request header of the access request;
calling the relevant micro-service according to the HTTP request header;
verifying whether the access token meets the requirements;
if so, returning the user's basic information, scope of permissions and validity period.
The present invention also provides a single sign-on device, comprising:
an ID acquiring unit for obtaining the ID of the user terminal the user is accessing from and the redirect address;
an authorization conditions unit for obtaining the user's authorization conditions;
an authorization conditions judging unit for judging whether the authorization conditions grant authorization to the user terminal;
a guiding unit for, if so, guiding the user to the redirection uniform resource identifier specified in advance, to obtain the standard redirection uniform resource identifier;
a code attaching unit for attaching the standard authorization code to the standard redirection uniform resource identifier;
an information acquisition unit for obtaining the token application request and the information to be verified from the user terminal;
an information judging unit for judging whether the information to be verified meets the requirements;
a token transmission unit for, if so, sending the access token according to the token application request;
a page redirection unit for redirecting the page to the accessed application page so that the user accesses service resources with the access token.
In a further technical solution, the device further comprises:
a request unit for obtaining the user access request when the user accesses service resources with the access token;
a token setting unit for placing the access token in the HTTP request header of the access request;
a call unit for calling the relevant micro-service according to the HTTP request header;
a verification unit for verifying whether the access token meets the requirements;
a return unit for, if so, returning the user's basic information, scope of permissions and validity period.
The present invention also provides a computer equipment, characterized in that the computer equipment includes a memory and a processor, a computer program is stored on the memory, and the processor implements the above method when executing the computer program.
The present invention also provides a storage medium storing a computer program which, when executed by a processor, implements the above method.
Compared with the prior art, the invention has the following advantages: through a single sign-on service based on the open authorization protocol and an ordered set of frameworks, the authorization code and the redirection uniform resource identifier from the user terminal are verified according to the user's authorization conditions, the standard redirection uniform resource identifier and the standard authorization code; after verification passes, the access token is sent and the page of the user terminal is redirected to the accessed application page in order to access service resources. This provides a common authentication service and a unified login entry for each service server, facilitates the user's unified login to different service servers and their security management, and enhances the user experience.
The invention is further described below with reference to the drawings and specific embodiments.
Detailed description of the invention
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly described below. Obviously, the drawings in the following description are some embodiments of the present invention; for those of ordinary skill in the art, other drawings may be obtained from these drawings without creative effort.
Fig. 1 is a schematic diagram of the application scenario of the single sign-on method provided in an embodiment of the present invention;
Fig. 2 is a flow diagram of the single sign-on method provided in an embodiment of the present invention;
Fig. 3 is a sub-flow diagram of the single sign-on method provided in an embodiment of the present invention;
Fig. 4 is a flow diagram of a single sign-on method provided in another embodiment of the present invention;
Fig. 5 is a schematic block diagram of the single sign-on device provided in an embodiment of the present invention;
Fig. 6 is a schematic block diagram of the information judging unit of the single sign-on device provided in an embodiment of the present invention;
Fig. 7 is a schematic block diagram of a single sign-on device provided in another embodiment of the present invention;
Fig. 8 is a schematic block diagram of the computer equipment provided in an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be understood that when used in this specification and the appended claims, the terms "include" and "comprise" indicate the presence of the described features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or sets thereof.
It should also be understood that the terminology used in this description is for the purpose of describing particular embodiments only and is not intended to limit the invention. As used in the description and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" used in the description and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes these combinations.
Please refer to Fig. 1 and Fig. 2. Fig. 1 is a schematic diagram of the application scenario of the single sign-on method provided in an embodiment of the present invention, and Fig. 2 is a schematic flow chart of that method. The application scenario of the single sign-on method includes an authentication server, a service server and a user terminal. The user terminal can be an electronic device such as a smartphone, tablet computer, notebook computer, desktop computer, personal digital assistant or wearable device; the authentication server can be an independent server or a server cluster composed of multiple servers, and the service server can likewise be an independent server or a server cluster composed of multiple servers.
A single sign-on platform is deployed on the authentication server. The user accesses the service server, and the service server requests the authentication server to handle the user's access; the user enters authorization conditions such as account and password through the user terminal and sends them to the authentication server, so that the authentication server can perform authorization and authentication processing on the authorization conditions and the user can access the service server through the single sign-on platform.
The authentication server is an authentication micro-service based on the OAuth2 protocol. This micro-service provides each subsystem (i.e. service server) with the basis of a single sign-on service built on the OAuth2 (open authorization) protocol and Spring Cloud Security (an ordered set of frameworks). The authentication server uses OAuth2, Spring Security and Spring Boot. Spring Boot is the most common architecture for micro-service frameworks; it is a new framework provided by the Pivotal team, designed to simplify the initial setup and development of new Spring applications. The framework uses a specific way of configuration so that developers no longer need to write boilerplate configuration. OAuth2 is a mature open authorization protocol, and Spring Security is a security framework that provides a declarative, comprehensive secure access control solution for enterprise application systems based on Spring; together with OAuth2 it provides the login interface for users.
It should be noted that only one authentication server is illustrated in Fig. 2; in actual operation, multiple authentication servers may perform the processing.
Fig. 2 is a flow diagram of the single sign-on method provided in an embodiment of the present invention. As shown in Fig. 2, the method includes the following steps S110 to S200.
S110: obtain the ID of the user terminal the user is accessing from and the redirect address.
The user terminal ID is the unique identifier of the user terminal and identifies the terminal the user is using; the redirect address is the address of the service server the user terminal is accessing, that is, the redirect address includes the application address the user is accessing.
The user accesses the corresponding service server through a browser. If the service server cannot find the user and permission information in its database, it determines that the user is not logged in and single sign-on processing is needed, and it requests the authentication server to issue user information and an access token for the user.
The service server sends a request to the authentication server carrying the user terminal ID and the redirect address of the service server being accessed.
S120: obtain the user's authorization conditions.
In this embodiment, specifically, the user enters the account and password through the user terminal and chooses whether to authorize the user terminal.
S130: judge whether the authorization conditions grant authorization to the user terminal;
S140: if so, guide the user to the redirection uniform resource identifier specified in advance, to obtain the standard redirection uniform resource identifier.
Specifically, the standard redirection uniform resource identifier is a redirection uniform resource identifier specified in advance by the user terminal; the authentication server guides the user to the redirection URI (Uniform Resource Identifier) that the client specified in advance.
S150: attach the standard authorization code to the standard redirection uniform resource identifier.
The authorization code is an identification code issued to the user terminal for the user and is needed when authenticating the user's identity; attaching the standard authorization code allows a second verification and improves authentication accuracy.
S160: obtain the token application request and the information to be verified from the user terminal.
In this embodiment, the information to be verified includes the authorization code from the user terminal and the redirection uniform resource identifier from the user terminal.
The token application request is a request for information related to the user.
Specifically, after the user terminal receives the authorization code from the authentication server and attaches its original redirection URI, the user terminal sends the token application request to the authentication server through the service server; this is completed in the background of the user terminal and is invisible to the user.
S170: judge whether the information to be verified meets the requirements.
In one embodiment, as shown in Fig. 3, step S170 may include steps S171 to S174.
S171: judge whether the authorization code from the user terminal is consistent with the standard authorization code;
if not, go to step S174.
S172: if so, judge whether the redirection uniform resource identifier from the user terminal is consistent with the standard redirection uniform resource identifier;
S173: if so, the information to be verified meets the requirements;
S174: if not, the information to be verified does not meet the requirements.
S180: if so, send the access token according to the token application request.
In this embodiment, the access token includes information related to the user.
After the access token is returned to the service server, the service server returns it to the user terminal; after the user logs in with the access token, the login information is fed back to the service server.
In one embodiment, the authentication server can set token-related properties, such as the validity period and the token storage mode, through endpoint token properties. This embodiment uses the jdbcToken storage mode, which stores token information in a database so that it is shared by the different service servers.
The related properties of the user terminal and of the authentication server can also be set through a user terminal details service configuration program and an authentication server security configuration program respectively. The security configuration class configures security properties by overriding the protected configure (for example, HttpSecurity) method; it can set the login and logout redirections and the requests to be filtered, and cooperates with OAuth2 to realize the unified login entry.
S190: redirect the page to the accessed application page so that the user accesses service resources with the access token.
The authentication server redirects the page of the user terminal to the accessed application page so that the user can access the resources on the service server.
S200: if not, send a notice to the user terminal that the requirements are not met.
In addition, after step S130 judges whether the authorization conditions grant authorization to the user terminal, the method further includes:
if not, going to the end step.
The above single sign-on method, through a single sign-on service based on the open authorization protocol and an ordered set of frameworks, verifies the authorization code and the redirection uniform resource identifier from the user terminal according to the user's authorization conditions, the standard redirection uniform resource identifier and the standard authorization code; after verification passes it sends the access token and redirects the page of the user terminal to the accessed application page in order to access service resources. It thereby provides a common authentication service and a unified login entry for each service server, facilitates the user's unified login to different service servers and their security management, and enhances the user experience.
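The exchange of steps S110 to S200, written out as an added example rather than code from the patent or from any Spring project. The `AuthServer` class, its method names, the client registration `erp-web`, the callback URL and the sample user are assumptions made for illustration; they stand in for the service server's registration and the user's login at the authentication server. The standard redirect URI is bound to the client in advance, the authorization code is bound to that client, that URI and the authorizing user, and the token step performs the two checks of S171 and S172 (code matches, then redirect URI matches) before issuing a token that carries user data. The redirect URI comparison is an exact string comparison, as RFC 6749 section 3.1.2.3 requires when a full URI was registered, and each code is consumed on first use so that a replayed code fails S171:

```python
"""Simulated authorization-code flow for the single sign-on method (S110-S200).

Added example; the class, method names, client registration and sample user are
assumptions for illustration, not the patent's or Spring's own code.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class PendingCode:
    """Standard authorization code together with the values it was bound to."""
    client_id: str
    redirect_uri: str
    user: str
    issued_at: float


@dataclass
class AuthServer:
    clients: dict                      # client_id -> standard redirect URI, specified in advance
    users: dict                        # constructed sample accounts, not real credentials
    code_ttl: float = 60.0             # seconds an unused code stays valid (assumed)
    token_ttl: float = 3600.0          # access token validity period (assumed)
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)   # stands in for the shared jdbcToken table

    def authorize(self, client_id, redirect_uri, username, password, consent, now=None):
        """S110-S150: take the terminal ID and redirect address, obtain the
        authorization conditions, and, if the user authorizes the terminal,
        guide it to the standard redirect URI with a standard code attached."""
        now = time.time() if now is None else now
        standard_uri = self.clients.get(client_id)
        if standard_uri is None or redirect_uri != standard_uri:
            return {"error": "invalid_client_or_redirect"}   # S200: not the registered address
        if self.users.get(username) != password or not consent:
            return {"error": "access_denied"}                # S130 "if not": no authorization
        code = secrets.token_urlsafe(24)
        self.codes[code] = PendingCode(client_id, standard_uri, username, now)
        return {"redirect_to": f"{standard_uri}?code={code}"}   # S140/S150

    def token(self, client_id, code, redirect_uri, now=None):
        """S160-S190: token application request carrying the information to be
        verified (authorization code and the terminal's redirect URI)."""
        now = time.time() if now is None else now
        pending = self.codes.pop(code, None)          # single use: a replayed code fails here
        if pending is None or pending.client_id != client_id:
            return {"error": "invalid_grant"}         # S171 fails -> S174
        if now - pending.issued_at > self.code_ttl:
            return {"error": "invalid_grant"}         # code expired -> S174
        if redirect_uri != pending.redirect_uri:      # S172: exact string comparison
            return {"error": "invalid_grant"}         # S174
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {                 # S180: the token carries user data
            "user": pending.user,
            "client_id": client_id,
            "expires_at": now + self.token_ttl,
        }
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": int(self.token_ttl)}


def demo_flow():
    """Run the whole exchange once with constructed sample data; returns the
    server (so the token table can be inspected), the code and the token reply."""
    server = AuthServer(
        clients={"erp-web": "https://erp.example.test/sso/callback"},
        users={"alice": "correct horse battery staple"},
    )
    # S110/S120: the service server forwards client id and redirect address; the user logs in and consents
    step1 = server.authorize("erp-web", "https://erp.example.test/sso/callback",
                             "alice", "correct horse battery staple", consent=True, now=1000.0)
    code = step1["redirect_to"].split("code=")[1]
    # S160: the terminal applies for a token with the code and its redirect URI
    step2 = server.token("erp-web", code, "https://erp.example.test/sso/callback", now=1001.0)
    return server, code, step2


if __name__ == "__main__":
    _, _, reply = demo_flow()
    print(reply)
```

The negative paths matter as much as the happy path: a trailing slash added to the redirect URI at the token step, a reused code, or a code older than `code_ttl` all come back as `invalid_grant`, which is the S174 outcome the patent describes as "does not meet the requirements".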
Fig. 4 is a flow diagram of a single sign-on method provided in another embodiment of the present invention. As shown in Fig. 4, the single sign-on method of this embodiment includes steps S210 to S350. Steps S210 to S250 are similar to steps S110 to S200 in the above embodiment and are not described again here. The steps S310 to S350 added in this embodiment are described in detail below.
S310: when the user accesses service resources with the access token, obtain the user access request;
S320: place the access token in the HTTP request header of the access request;
S330: call the relevant micro-service according to the HTTP request header;
S340: verify whether the access token meets the requirements;
S350: if so, return the user's basic information, scope of permissions and validity period.
If not, go to the end step.
An access token generally contains information related to the user, so identity verification can be completed by verifying the access token. The user enters login information, which is sent to the identity authentication service on the authentication server for authentication. The authentication server verifies whether the access token is correct and returns information such as the user's basic information, scope of permissions and validity period to the client memory interface. The user places the access token in the HTTP request header and initiates the relevant identity micro-service API (Application Programming Interface) call, i.e. calls the authentication server's interface to perform identity verification; after the access token has been verified, the service server returns the relevant resources and data.
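The resource-access steps S310 to S350 on the service server side, as an added example that is not the patent's or Spring Security's code. The token table, user records, scope names and function names are assumptions; `TOKEN_STORE` is a constructed stand-in for the shared jdbcToken table described above, so that any service server can check a token the authentication server issued. The service server pulls the bearer token out of the `Authorization` header (S320), calls the verification function in place of the identity micro-service (S330/S340), and serves the resource only when the token is known, unexpired and carries the permission the resource needs (S350):

```python
"""Bearer-token check for the resource access steps S310-S350.

Added example; the token table, user records, scope names and function names
are assumptions, and TOKEN_STORE is constructed data standing in for the shared
jdbcToken table, not the patent's or Spring Security's own code.
"""
import time

# Constructed sample data: two tokens previously issued by the authentication server.
TOKEN_STORE = {
    "tok-alice-valid": {"user": "alice", "scope": ["erp:read", "erp:write"],
                        "expires_at": 2000.0},
    "tok-bob-expired": {"user": "bob", "scope": ["erp:read"], "expires_at": 1500.0},
}
USER_BASE_INFO = {
    "alice": {"display_name": "Alice Liu", "department": "finance"},
    "bob": {"display_name": "Bob Chen", "department": "ops"},
}


def extract_bearer(headers):
    """S320: take the access token out of the HTTP request header; None if absent
    or if the header does not use the Bearer scheme."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def verify_access_token(token, token_store, now):
    """S340/S350: what the identity micro-service returns for a token: the user's
    basic information, scope of permissions and remaining validity, or why it is
    not acceptable."""
    record = token_store.get(token)
    if record is None:
        return {"active": False, "reason": "unknown_token"}
    remaining = record["expires_at"] - now
    if remaining <= 0:
        return {"active": False, "reason": "expired"}
    return {
        "active": True,
        "user": USER_BASE_INFO[record["user"]],
        "scope": list(record["scope"]),
        "expires_in": int(remaining),
    }


def handle_resource_request(headers, required_scope, token_store=TOKEN_STORE, now=None):
    """S310-S350 on the service server: obtain the access request, pull the token
    from its header, call the verification micro-service, then serve or refuse.
    Returns (HTTP status, body)."""
    now = time.time() if now is None else now
    token = extract_bearer(headers)
    if token is None:
        return 401, {"error": "missing_bearer_token"}
    result = verify_access_token(token, token_store, now)
    if not result["active"]:
        return 401, {"error": result["reason"]}
    if required_scope not in result["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"resource": "ok", "user": result["user"], "expires_in": result["expires_in"]}


if __name__ == "__main__":
    print(handle_resource_request({"Authorization": "Bearer tok-alice-valid"}, "erp:read", now=1000.0))
```

Keeping the expiry check on the verifying side, rather than trusting an `expires_in` the client echoes back, is what makes the "validity period" returned in S350 meaningful: the service server learns how long it may cache the result, but the authoritative decision stays with the token store.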
Fig. 5 is a schematic block diagram of a single sign-on device 400 provided in an embodiment of the present invention. As shown in Fig. 5, corresponding to the above single sign-on method, the present invention also provides a single sign-on device 400. The single sign-on device 400 includes units for executing the above single sign-on method and can be configured in a server.
Specifically, referring to Fig. 5, the single sign-on device 400 includes:
an ID acquiring unit 401 for obtaining the ID of the user terminal the user is accessing from and the redirect address;
an authorization conditions unit 402 for obtaining the user's authorization conditions;
an authorization conditions judging unit 403 for judging whether the authorization conditions grant authorization to the user terminal;
a guiding unit 404 for, if so, guiding the user to the redirection uniform resource identifier specified in advance, to obtain the standard redirection uniform resource identifier;
a code attaching unit 405 for attaching the standard authorization code to the standard redirection uniform resource identifier;
an information acquisition unit 406 for obtaining the token application request and the information to be verified from the user terminal;
an information judging unit 407 for judging whether the information to be verified meets the requirements;
a token transmission unit 408 for, if so, sending the access token according to the token application request;
a page redirection unit 409 for redirecting the page to the accessed application page so that the user accesses service resources with the access token;
a notification unit 410 for, if not, sending a notice to the user terminal that the requirements are not met.
In one embodiment, as shown in Fig. 6, the above information judging unit 407 includes:
an authorization code judging sub-unit 4071 for judging whether the authorization code from the user terminal is consistent with the standard authorization code;
an identifier judging sub-unit 4072 for, if so, judging whether the redirection uniform resource identifier from the user terminal is consistent with the standard redirection uniform resource identifier; if so, the information to be verified meets the requirements, and if not, the information to be verified does not meet the requirements.
Fig. 7 is a schematic block diagram of a single sign-on device 400 provided in another embodiment of the present invention. As shown in Fig. 7, the single sign-on device 400 of this embodiment adds, on the basis of the above embodiment, a request unit 411, a token setting unit 412, a call unit 413, a verification unit 414 and a return unit 415.
The request unit 411 is for obtaining the user access request when the user accesses service resources with the access token;
the token setting unit 412 is for placing the access token in the HTTP request header of the access request;
the call unit 413 is for calling the relevant micro-service according to the HTTP request header;
the verification unit 414 is for verifying whether the access token meets the requirements;
the return unit 415 is for, if so, returning the user's basic information, scope of permissions and validity period.
It should be noted that it is apparent to those skilled in the art that the specific implementation process of the above single sign-on device 400 and of each unit can refer to the corresponding description in the foregoing method embodiment; for convenience and brevity of description, it is not repeated here.
The above single sign-on device 400 can be implemented in the form of a computer program, which can run on a computer equipment as shown in Fig. 8.
Referring to Fig. 8, Fig. 8 is a schematic block diagram of a computer equipment provided in an embodiment of the present application. The computer equipment 500 is a server, which may be an independent server or a server cluster composed of multiple servers.
Referring to Fig. 8, the computer equipment 500 includes a processor 502, a memory and a network interface 505 connected through a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 can store an operating system 5031 and a computer program 5032. The computer program 5032 includes program instructions which, when executed, can cause the processor 502 to execute a single sign-on method.
The processor 502 is used to provide computing and control capability to support the operation of the entire computer equipment 500.
The internal memory 504 provides an environment for the running of the computer program 5032 in the non-volatile storage medium 503; when the computer program 5032 is executed by the processor 502, the processor 502 can be caused to execute a single sign-on method.
The network interface 505 is used for network communication with other equipment. Those skilled in the art will understand that the structure shown in Fig. 8 is only a block diagram of the part of the structure relevant to the solution of the present application and does not limit the computer equipment 500 to which the solution is applied; the specific computer equipment 500 may include more or fewer components than shown, combine certain components, or have a different arrangement of components.
The processor 502 is configured to run the computer program 5032 stored in the memory so as to implement the following steps:
obtaining the user terminal ID and the redirect address accessed by the user;
obtaining the user's authorization status;
judging whether the authorization status indicates that the user terminal is authorized;
if so, guiding the user to the pre-specified redirection uniform resource identifier to obtain a standard redirection uniform resource identifier;
attaching a standard authorization code to the standard redirection uniform resource identifier;
obtaining a token application request and information to be verified from the user terminal;
judging whether the information to be verified meets the requirements;
if so, sending an access token according to the token application request;
redirecting the page to the accessed application page so that the user accesses the service resources by means of the access token.
Here, the redirect address includes the application address accessed by the user.
The information to be verified includes the authorization code from the user terminal and the redirection uniform resource identifier from the user terminal.
The access token includes information related to the user.
In one embodiment, when the processor 502 implements the step of judging whether the information to be verified meets the requirements, it specifically implements the following steps:
judging whether the authorization code from the user terminal is consistent with the standard authorization code;
if so, judging whether the redirection uniform resource identifier from the user terminal is consistent with the standard redirection uniform resource identifier;
if so, the information to be verified meets the requirements.
In one embodiment, after implementing the step of redirecting the page to the accessed application page so that the user accesses the service resources by means of the access token, the processor 502 further implements the following steps:
when the user accesses the service resources by means of the access token, obtaining the user access request;
placing the access token in the HTTP request header of the access request;
calling the relevant microservice according to the HTTP request header;
verifying whether the access token meets the requirements;
if so, returning the user's basic information, scope of permissions and validity period.
It should be understood that, in the embodiments of the present application, the processor 502 may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general-purpose processor may be a microprocessor or any conventional processor.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by instructing the relevant hardware through a computer program. The computer program includes program instructions and may be stored in a storage medium, which is a computer-readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the process steps of the method embodiments above.
Therefore, the present invention further provides a storage medium. The storage medium may be a computer-readable storage medium. The storage medium stores a computer program which, when executed by a processor, causes the processor to perform the following steps:
obtaining the user terminal ID and the redirect address accessed by the user;
obtaining the user's authorization status;
judging whether the authorization status indicates that the user terminal is authorized;
if so, guiding the user to the pre-specified redirection uniform resource identifier to obtain a standard redirection uniform resource identifier;
attaching a standard authorization code to the standard redirection uniform resource identifier;
obtaining a token application request and information to be verified from the user terminal;
judging whether the information to be verified meets the requirements;
if so, sending an access token according to the token application request;
redirecting the page to the accessed application page so that the user accesses the service resources by means of the access token.
Here, the redirect address includes the application address accessed by the user.
The information to be verified includes the authorization code from the user terminal and the redirection uniform resource identifier from the user terminal.
The access token includes information related to the user.
In one embodiment, when the processor executes the computer program to implement the step of judging whether the information to be verified meets the requirements, it specifically implements the following steps:
judging whether the authorization code from the user terminal is consistent with the standard authorization code;
if so, judging whether the redirection uniform resource identifier from the user terminal is consistent with the standard redirection uniform resource identifier;
if so, the information to be verified meets the requirements.
In one embodiment, when the processor executes the computer program, after implementing the step of redirecting the page to the accessed application page so that the user accesses the service resources by means of the access token, it further implements the following steps:
when the user accesses the service resources by means of the access token, obtaining the user access request;
placing the access token in the HTTP request header of the access request;
calling the relevant microservice according to the HTTP request header;
verifying whether the access token meets the requirements;
if so, returning the user's basic information, scope of permissions and validity period.
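As an added example, not code from the patent or its applicant, the following Python models the steps listed in both the processor embodiment and the storage-medium embodiment above: binding a standard authorization code to the pre-specified redirection URI, verifying the user terminal's authorization code and redirection URI, issuing an access token that carries the user's information, and having a microservice verify the token taken from the HTTP request header before returning basic information, scope of permissions and validity period. The terminal registry, the HMAC token format, the key and all sample values are constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed registration data: user terminal (client) ID -> pre-specified redirection URI.
REGISTERED_TERMINALS = {"terminal-001": "https://app.example.test/callback"}
TOKEN_KEY = b"constructed-demo-key"   # constructed HMAC key shared by issuer and microservices
CODE_TTL = 60                         # seconds a standard authorization code stays valid
TOKEN_TTL = 3600                      # seconds an access token stays valid

# standard authorization code -> (terminal_id, standard redirection URI, user, expiry)
_pending_codes = {}


def authorize(terminal_id, redirect_address, user, authorized, now=None):
    """Steps 1-5: check the authorization status, guide the user to the pre-specified
    redirection URI and attach a standard authorization code. Returns the redirect
    URL, or None when the terminal is not authorized or the address does not match."""
    now = now or time.time()
    standard_uri = REGISTERED_TERMINALS.get(terminal_id)
    # Exact comparison: a prefix or substring match would let a redirect address
    # other than the registered one receive the authorization code.
    if not authorized or standard_uri is None or redirect_address != standard_uri:
        return None
    code = secrets.token_urlsafe(32)
    _pending_codes[code] = (terminal_id, standard_uri, user, now + CODE_TTL)
    return f"{standard_uri}?code={code}"


def _sign(payload):
    """Encode the token payload and append an HMAC so microservices can verify it."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def issue_token(terminal_id, code, redirect_uri, now=None):
    """Steps 6-8: verify the information to be verified (the authorization code and
    the redirection URI sent by the user terminal), then send an access token
    carrying the user's information. Returns None on any mismatch."""
    now = now or time.time()
    entry = _pending_codes.pop(code, None)   # single use: a replayed or unknown code fails
    if entry is None:
        return None
    expected_terminal, standard_uri, user, expiry = entry
    if now > expiry or not hmac.compare_digest(expected_terminal.encode(), terminal_id.encode()):
        return None
    if not hmac.compare_digest(redirect_uri.encode(), standard_uri.encode()):
        return None
    payload = {"sub": user["id"], "name": user["name"], "scope": user["scope"],
               "aud": terminal_id, "exp": int(now + TOKEN_TTL)}
    return _sign(payload)


def verify_access(headers, now=None):
    """Microservice side: take the access token from the HTTP request header,
    verify it, and return the user's basic information, scope of permissions and
    validity period. Returns None for a missing, forged or expired token."""
    now = now or time.time()
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    body, _, mac = auth[len("Bearer "):].partition(".")
    expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if now > payload["exp"]:
        return None
    return {"user": {"id": payload["sub"], "name": payload["name"]},
            "scope": payload["scope"], "valid_until": payload["exp"]}
```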
The storage medium may be a USB flash disk, a removable hard disk, a read-only memory (ROM), a magnetic disk, an optical disc or any other computer-readable storage medium that can store program code.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms according to their functions. Whether these functions are implemented in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered to go beyond the scope of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely exemplary. The division of units is only a logical functional division, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed.
The steps in the embodiments of the present invention may be reordered, combined and deleted according to actual needs. The units in the devices of the embodiments of the present invention may be combined, divided and deleted according to actual needs. In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a terminal, a network device, etc.) to perform all or part of the steps of the method described in the embodiments of the present invention.
The above are merely specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any person familiar with the art could readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and such modifications or substitutions should be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (10)

1. A single sign-on method, characterized by comprising:
obtaining the user terminal ID and the redirect address accessed by the user;
obtaining the user's authorization status;
judging whether the authorization status indicates that the user terminal is authorized;
if so, guiding the user to the pre-specified redirection uniform resource identifier to obtain a standard redirection uniform resource identifier;
attaching a standard authorization code to the standard redirection uniform resource identifier;
obtaining a token application request and information to be verified from the user terminal;
judging whether the information to be verified meets the requirements;
if so, sending an access token according to the token application request;
redirecting the page to the accessed application page so that the user accesses the service resources by means of the access token.
2. The single sign-on method according to claim 1, characterized in that the redirect address includes the application address accessed by the user.
3. The single sign-on method according to claim 1, characterized in that the information to be verified includes the authorization code from the user terminal and the redirection uniform resource identifier from the user terminal.
4. The single sign-on method according to claim 1, characterized in that judging whether the information to be verified meets the requirements comprises:
judging whether the authorization code from the user terminal is consistent with the standard authorization code;
if so, judging whether the redirection uniform resource identifier from the user terminal is consistent with the standard redirection uniform resource identifier;
if so, the information to be verified meets the requirements.
5. The single sign-on method according to claim 1, characterized in that the access token includes information related to the user.
6. The single sign-on method according to any one of claims 1 to 5, characterized in that, after redirecting the page to the accessed application page so that the user accesses the service resources by means of the access token, the method further comprises:
when the user accesses the service resources by means of the access token, obtaining the user access request;
placing the access token in the HTTP request header of the access request;
calling the relevant microservice according to the HTTP request header;
verifying whether the access token meets the requirements;
if so, returning the user's basic information, scope of permissions and validity period.
7. A single sign-on device, characterized by comprising:
an ID acquiring unit for obtaining the user terminal ID and the redirect address accessed by the user;
an authorization status unit for obtaining the user's authorization status;
an authorization status judging unit for judging whether the authorization status indicates that the user terminal is authorized;
a guiding unit for, if so, guiding the user to the pre-specified redirection uniform resource identifier to obtain a standard redirection uniform resource identifier;
a code attaching unit for attaching a standard authorization code to the standard redirection uniform resource identifier;
an information acquiring unit for obtaining a token application request and information to be verified from the user terminal;
an information judging unit for judging whether the information to be verified meets the requirements;
a token sending unit for, if so, sending an access token according to the token application request;
a page redirecting unit for redirecting the page to the accessed application page so that the user accesses the service resources by means of the access token.
8. The single sign-on device according to claim 7, characterized in that the device further comprises:
a request unit for obtaining the user access request when the user accesses the service resources by means of the access token;
a token setting unit for placing the access token in the HTTP request header of the access request;
a calling unit for calling the relevant microservice according to the HTTP request header;
a verification unit for verifying whether the access token meets the requirements;
a returning unit for, if so, returning the user's basic information, scope of permissions and validity period.
9. A computer device, characterized in that the computer device comprises a memory and a processor, the memory storing a computer program, and the processor implementing the method according to any one of claims 1 to 6 when executing the computer program.
10. A storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 6.
CN201811260465.5A 2018-10-26 2018-10-26 Single sign-on method, device, computer equipment and storage medium Pending CN109286633A (en)


Publications (1)

Publication Number Publication Date
CN109286633A true CN109286633A (en) 2019-01-29

Family

ID=65177952


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101510877A (en) * 2009-02-25 2009-08-19 中国网络通信集团公司 Single-point logging-on method and system, communication apparatus
CN103905395A (en) * 2012-12-27 2014-07-02 中国移动通信集团陕西有限公司 WEB access control method and system based on redirection
US20140258349A1 (en) * 2013-03-08 2014-09-11 Go Daddy Operating Company, LLC Systems for Associating an Online File Folder with a Uniform Resource Locator

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
施智沂: "OAuth2.0认证和授权机制讲解", 《HTTPS://WWW.CNBLOGS.COM/SHIZHIYI/P/7754721.HTML》 *
阮一峰: "理解OAuth 2.0", 《HTTP://WWW.RUANYIFENG.COM/BLOG/2014/05/OAUTH_2_0.HTML》 *

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109936575B (en) * 2019-03-07 2021-11-12 北京融链科技有限公司 Page access method, device, storage medium and processor
CN109936575A (en) * 2019-03-07 2019-06-25 北京融链科技有限公司 Page access method, apparatus, storage medium and processor
CN109936579A (en) * 2019-03-21 2019-06-25 广东瑞恩科技有限公司 Single-point logging method, device, equipment and computer readable storage medium
CN111767533A (en) * 2019-04-01 2020-10-13 富泰华工业(深圳)有限公司 Offline mode user authorization method, device, electronic device and storage medium
CN110086822A (en) * 2019-05-07 2019-08-02 北京智芯微电子科技有限公司 The realization method and system of unified identity authentication strategy towards micro services framework
CN110086822B (en) * 2019-05-07 2021-07-27 北京智芯微电子科技有限公司 Method and system for implementing micro-service architecture-oriented unified identity authentication strategy
WO2020238364A1 (en) * 2019-05-24 2020-12-03 中国银联股份有限公司 Method, apparatus and device for processing uniform identifier of user, and storage medium
CN110177120A (en) * 2019-06-14 2019-08-27 北京首都在线科技股份有限公司 A kind of method, apparatus and computer readable storage medium of single-sign-on
CN110636057B (en) * 2019-09-10 2021-09-28 腾讯科技(深圳)有限公司 Application access method and device and computer readable storage medium
CN110636057A (en) * 2019-09-10 2019-12-31 腾讯科技(深圳)有限公司 Application access method and device and computer readable storage medium
CN110750314A (en) * 2019-10-23 2020-02-04 杭州安恒信息技术股份有限公司 Command execution method and system of micro-service terminal
CN111031008B (en) * 2019-11-25 2022-05-24 北京小向创新人工智能科技有限公司 Method for gateway to uniformly intercept and judge whether user request is released
CN111031008A (en) * 2019-11-25 2020-04-17 集奥聚合(北京)人工智能科技有限公司 Method for gateway to uniformly intercept user request and judge whether to release
CN110990796B (en) * 2019-11-26 2022-02-11 广州至真信息科技有限公司 Application processing method and device, application server and storage medium
CN110990796A (en) * 2019-11-26 2020-04-10 广州至真信息科技有限公司 Application processing method and device, application server and storage medium
CN111143822A (en) * 2019-12-24 2020-05-12 浙江诺诺网络科技有限公司 Application system access method and device
CN111131301A (en) * 2019-12-31 2020-05-08 江苏徐工信息技术股份有限公司 Unified authentication and authorization scheme
CN111585954A (en) * 2020-03-26 2020-08-25 中国平安财产保险股份有限公司 Authentication method, authentication device, computer equipment and storage medium
CN111488598B (en) * 2020-04-09 2023-04-07 腾讯科技(深圳)有限公司 Access control method, device, computer equipment and storage medium
CN111488598A (en) * 2020-04-09 2020-08-04 腾讯科技(深圳)有限公司 Access control method, device, computer equipment and storage medium
CN112948802B (en) * 2020-04-28 2024-03-12 深圳市明源云科技有限公司 Single sign-on method, device, equipment and storage medium
CN112948802A (en) * 2020-04-28 2021-06-11 深圳市明源云科技有限公司 Single sign-on method, device, equipment and storage medium
CN111753268B (en) * 2020-05-12 2023-08-11 西安震有信通科技有限公司 Single sign-on method, single sign-on device, storage medium and mobile terminal
CN111753268A (en) * 2020-05-12 2020-10-09 西安震有信通科技有限公司 Single sign-on method, device, storage medium and mobile terminal
CN112069475B (en) * 2020-09-14 2023-10-24 杭州领信数科信息技术有限公司 Identity security management system
CN112069475A (en) * 2020-09-14 2020-12-11 杭州熙菱信息技术有限公司 Identity safety management system
CN112380517A (en) * 2020-11-17 2021-02-19 上海君牧生物信息技术有限公司 Cloud platform management method and system based on unified biological information authentication
CN112685719A (en) * 2020-12-29 2021-04-20 武汉联影医疗科技有限公司 Single sign-on method, device, system, computer equipment and storage medium
CN112685709A (en) * 2021-01-13 2021-04-20 树根互联技术有限公司 Authorization token management method and device, storage medium and electronic equipment
CN112685709B (en) * 2021-01-13 2024-02-23 树根互联股份有限公司 Authorization token management method and device, storage medium and electronic equipment
CN113117318A (en) * 2021-05-13 2021-07-16 心动互动娱乐有限公司 Multi-platform data intercommunication realization method and device, computer equipment and storage medium
CN113395326A (en) * 2021-05-20 2021-09-14 网易(杭州)网络有限公司 Network service-based login method, device and computer-readable storage medium
CN113259357A (en) * 2021-05-21 2021-08-13 浪潮卓数大数据产业发展有限公司 OAuth 2-based single sign-on method
CN113223687A (en) * 2021-05-31 2021-08-06 康键信息技术(深圳)有限公司 Service access method, device, equipment and storage medium based on login platform
WO2022267766A1 (en) * 2021-06-23 2022-12-29 支付宝(杭州)信息技术有限公司 Method, apparatus and device for accessing aggregate code payment page, and medium
CN113344567A (en) * 2021-06-23 2021-09-03 支付宝(杭州)信息技术有限公司 Method, device, equipment and medium for accessing payment page of aggregation code
CN113553569A (en) * 2021-07-06 2021-10-26 猪八戒股份有限公司 Single sign-on method, system and terminal of Syngnathus system based on proxy server
CN113765676A (en) * 2021-09-18 2021-12-07 平安国际智慧城市科技股份有限公司 Interface access control method based on multiple user identities and related equipment
CN113765676B (en) * 2021-09-18 2024-05-24 平安国际智慧城市科技股份有限公司 Interface access control method based on multiple identities of user and related equipment
WO2023071305A1 (en) * 2021-10-28 2023-05-04 青岛海尔科技有限公司 Cloud database resource processing method and apparatus, and electronic device and storage medium
CN114095263A (en) * 2021-11-24 2022-02-25 上海派拉软件股份有限公司 Communication method, device and system
CN114172716A (en) * 2021-12-02 2022-03-11 北京金山云网络技术有限公司 Login method, login device, electronic equipment and storage medium
CN114338130A (en) * 2021-12-24 2022-04-12 北京达佳互联信息技术有限公司 Information processing method, device, server and storage medium
CN114338130B (en) * 2021-12-24 2024-01-09 北京达佳互联信息技术有限公司 Information processing method, device, server and storage medium
CN114567475A (en) * 2022-02-23 2022-05-31 平安国际智慧城市科技股份有限公司 Multi-system login method and device, electronic equipment and storage medium
CN114637554A (en) * 2022-03-18 2022-06-17 中国建设银行股份有限公司 Interface calling method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190129