CN109510802B - Authentication method, device and system - Google Patents


Info

Publication number: CN109510802B
Authority: CN (China)
Prior art keywords: service, service request, authentication, gateway server, request
Legal status: Active
Application number: CN201710832765.5A
Other languages: Chinese (zh)
Other versions: CN109510802A
Inventor: 闵桂龙
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201710832765.5A
Publication of CN109510802A
Application granted
Publication of CN109510802B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

An authentication method, device and system. In the method, a service providing device receives a first service request from a gateway server. The first service request was sent to the gateway server by a first service request device, and the gateway server forwards it directly to the service providing device without authenticating it. The first service request asks for a first service provided by the service providing device and carries first authentication information, which includes a device identifier of the first service request device. When an authorized device list includes that device identifier, the service providing device provides the first service to the first service request device; the authorized device list records the device identifiers of service request devices that have already passed authentication. The method and device reduce the number of authentication operations the gateway server must perform and keep the gateway server from becoming a bottleneck when a large number of service requests arrive concurrently.

Description

Authentication method, device and system
Technical Field
The embodiments of this application relate to the field of internet technology, and in particular to an authentication method, device and system.
Background
A typical microservice system built on Application Programming Interface (API) gateway technology includes an API gateway and a plurality of service providing devices. The service providing devices are typically servers, and different service providing devices deploy different services. The API gateway is the sole entry point of the system: it encapsulates the internal architecture of the system and serves all clients uniformly. One function of the API gateway is to authenticate the clients that request access to the system.
In the prior art, a client sends a service request carrying an authentication token to the API gateway, where the service request asks for a service provided by a service providing device. After receiving the service request, the API gateway authenticates the client according to the authentication token carried in the request. Once authentication passes, the API gateway forwards the service request to the corresponding service providing device, which then responds to the request.
Because the API gateway must authenticate the client that initiated each service request after receiving that request, a large number of requests places high demands on the processing capability of the API gateway, and if the gateway cannot perform the authentication operations quickly enough, service response latency increases.
Disclosure of Invention
The embodiments of this application provide an authentication method, device and system that address a problem of the prior art: because the API gateway must perform an authentication operation for every service request it receives, the API gateway easily becomes a bottleneck when a large number of service requests arrive concurrently, which increases service response latency.
In one aspect, an embodiment of this application provides an authentication method that includes the following steps. A service providing device receives a first service request sent by a gateway server. The first service request was sent to the gateway server by a first service request device, and the gateway server forwards it directly to the service providing device without authenticating it. The first service request asks for a first service provided by the service providing device and carries first authentication information, which includes a device identifier of the first service request device. When an authorized device list includes the device identifier of the first service request device, the service providing device provides the first service to the first service request device; the authorized device list records the device identifiers of service request devices that have passed authentication.
In the scheme provided by this embodiment, the authorized device list is kept on the service providing device, service request devices authenticated by the gateway server are added to the list, and the service providing device authenticates service request devices against the list. This reduces the number of authentication operations the gateway server must perform and keeps the gateway server from becoming a bottleneck when a large number of service requests arrive concurrently.
In one possible design, the method further includes the following. The service providing device receives a second service request sent by the gateway server. The second service request was sent to the gateway server by a second service request device, and the gateway server forwards it directly to the service providing device without authenticating it. The second service request asks for a second service provided by the service providing device and carries second authentication information, which includes a device identifier of the second service request device and a second authentication token. When the authorized device list does not include the device identifier of the second service request device, the service providing device sends a first authentication request to the gateway server; the first authentication request includes the device identifier of the second service request device and the second authentication token. The service providing device then receives a first authentication response from the gateway server indicating that the second service request device has passed authentication; the gateway server sends this response when it determines that the second authentication token is the same as the authentication token it has pre-stored for the second service request device. The service providing device provides the second service to the second service request device and adds the device identifier of the second service request device to the authorized device list.
In this way, the gateway server performs an authentication operation on a service request device only when the device identifier of that device is not in the authorized device list. Because the service providing device adds the device identifier of each authenticated service request device to the list, subsequent service requests from that device can be authenticated against the list, and the number of authentication operations the gateway server must perform is reduced.
In one possible design, the method further includes the following. The service providing device receives a third service request sent by the gateway server. The third service request was sent to the gateway server by a third service request device, and the gateway server forwards it directly to the service providing device without authenticating it. The third service request asks for a third service provided by the service providing device and carries third authentication information, which is obtained by performing an encryption operation on the device identifier of the third service request device and a third authentication token. The service providing device sends a second authentication request, which includes the third authentication information, to the gateway server. The service providing device then receives a third authentication response that includes a third authentication result indicating that authentication has passed, the decryption key corresponding to the third authentication information, and the device identifier of the third service request device. The service providing device provides the third service to the third service request device, stores the received decryption key together with the Internet Protocol (IP) address of the third service request device, and adds the device identifier of the third service request device to the authorized device list, which records the device identifiers of service request devices that have passed authentication.
In this way, when the service providing device does not hold the decryption key corresponding to a service request device, it sends an authentication request carrying the authentication information directly to the gateway server. The gateway server decrypts the authentication information, completes the authentication of the service request device, and returns the device identifier, the authentication result and the decryption key together. Obtaining the decryption key and authenticating the device are thus completed in a single request exchange, which simplifies the interaction between the service providing device and the gateway server.
In one possible design, the service providing device receives a deletion instruction from the gateway server that includes the device identifier of a service request device whose authorization has been revoked, and removes that device identifier from the authorized device list. In another possible design, when the authentication information held by any authenticated service request device in the authorized device list has exceeded its validity period, the service providing device deletes the device identifier of that service request device from the authorized device list.
In this way, the authorized device list is cleaned regularly, its accuracy is maintained, and services are not provided to devices that are no longer authorized.
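The designs above (the gateway forwards without authenticating, the service providing device consults its authorized device list, asks the gateway only on a miss, and honours deletion instructions and validity periods) as an added example; this is not code from the patent, and the class names, the simulated clock and the validity period carried back in the authentication response are assumptions.

```python
# Added example, not the patent's code. Class names, the simulated clock (`now`),
# the validity period carried in the authentication response and the in-memory
# stores are assumptions; the patent fixes message contents, not a wire format.
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceRequest:
    device_id: str   # device identifier of the service request device
    token: str       # authentication token presented with the request
    service: str     # name of the requested service


class GatewayServer:
    """Forwards service requests without authenticating them and answers the
    service providing device's authentication requests."""

    def __init__(self, validity_period: float) -> None:
        self._tokens: dict[str, tuple[str, float]] = {}  # device_id -> (token, expiry)
        self._providers: list["ServiceProvider"] = []
        self._validity_period = validity_period

    def register_provider(self, provider: "ServiceProvider") -> None:
        self._providers.append(provider)

    def issue_token(self, device_id: str, token: str, now: float) -> None:
        # Token generation is out of scope; this is the pre-stored token that
        # later authentication requests are compared against.
        self._tokens[device_id] = (token, now + self._validity_period)

    def forward(self, provider: "ServiceProvider", request: ServiceRequest, now: float):
        # The gateway does not authenticate the request; it forwards it directly.
        return provider.handle(request, self, now)

    def authenticate(self, device_id: str, token: str, now: float):
        """Authentication response: the expiry time if the presented token equals
        the pre-stored, unexpired token for this device identifier, else None."""
        stored = self._tokens.get(device_id)
        if stored is None or stored[1] <= now or not hmac.compare_digest(stored[0], token):
            return None
        return stored[1]

    def revoke(self, device_id: str) -> None:
        # Deletion instruction: every service providing device drops the identifier.
        self._tokens.pop(device_id, None)
        for provider in self._providers:
            provider.delete_instruction(device_id)


class ServiceProvider:
    """Holds the authorized device list: device_id -> expiry of its authentication."""

    def __init__(self) -> None:
        self.authorized: dict[str, float] = {}
        self.gateway_auth_requests = 0   # how often the gateway had to be asked

    def handle(self, request: ServiceRequest, gateway: GatewayServer, now: float):
        expiry = self.authorized.get(request.device_id)
        if expiry is not None and expiry > now:
            return self._provide(request)            # authenticated from the list alone
        self.gateway_auth_requests += 1
        expiry = gateway.authenticate(request.device_id, request.token, now)
        if expiry is None:
            return None                              # authentication failed: no service
        self.authorized[request.device_id] = expiry  # add to the authorized device list
        return self._provide(request)

    def delete_instruction(self, device_id: str) -> None:
        self.authorized.pop(device_id, None)

    def purge_expired(self, now: float) -> None:
        # Regular cleanup: drop entries whose authentication information has expired.
        self.authorized = {d: e for d, e in self.authorized.items() if e > now}

    @staticmethod
    def _provide(request: ServiceRequest) -> str:
        return f"{request.service} for {request.device_id}"


def demo() -> dict:
    """Constructed scenario: three requests from dev-A cost one gateway authentication,
    a wrong token is refused, dev-A is revoked, and dev-B's entry later expires."""
    gw, sp = GatewayServer(validity_period=100.0), ServiceProvider()
    gw.register_provider(sp)
    gw.issue_token("dev-A", "tokA", now=0.0)
    gw.issue_token("dev-B", "tokB", now=0.0)
    req_a = ServiceRequest("dev-A", "tokA", "orders")
    served_a = [gw.forward(sp, req_a, now=t) for t in (1.0, 2.0, 3.0)]
    wrong = gw.forward(sp, ServiceRequest("dev-B", "wrong", "orders"), now=4.0)
    first_b = gw.forward(sp, ServiceRequest("dev-B", "tokB", "orders"), now=5.0)
    gw.revoke("dev-A")
    after_revoke = gw.forward(sp, req_a, now=6.0)
    sp.purge_expired(now=200.0)
    return {"served_a": served_a, "wrong_token": wrong, "first_b": first_b,
            "after_revoke": after_revoke, "gateway_auth_requests": sp.gateway_auth_requests,
            "list_after_purge": sorted(sp.authorized)}
```

The per-request expiry check in `handle` and the periodic `purge_expired` together implement the validity-period cleanup the description calls for; the deletion instruction is pushed to every registered provider so a revoked device is refused on its very next request.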
In another aspect, this embodiment provides an authentication apparatus (also referred to as a "service providing device") that implements the service-providing-device-side behaviour of the method described above. The functions may be implemented in hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the functions above.
In one possible design, the apparatus includes a processor and a communication interface. The processor is configured to support the service providing device in performing the corresponding functions of the method, and the communication interface supports communication between the service providing device and other devices. The service providing device may further include a memory coupled to the processor that stores the program instructions and data the service providing device needs.
In another aspect, an embodiment of this application provides an authentication system that includes:
a first service request device, configured to send a first service request carrying first authentication information to a gateway server, where the first service request asks for a first service provided by a service providing device and the first authentication information includes a device identifier of the first service request device;
the gateway server, configured to forward the first service request to the service providing device, where the first service request was sent to the gateway server by the first service request device and the gateway server forwards it directly to the service providing device without authenticating it;
and the service providing device, configured to provide the first service to the first service request device when an authorized device list includes the device identifier of the first service request device, where the authorized device list records the device identifiers of service request devices that have passed authentication.
In one possible design, the system further includes:
a second service request device, configured to send a second service request carrying second authentication information to the gateway server, where the second service request asks for a second service provided by the service providing device and the second authentication information includes a device identifier of the second service request device and a second authentication token;
the gateway server, further configured to forward the second service request to the service providing device, where the second service request was sent to the gateway server by the second service request device and is forwarded directly to the service providing device without being authenticated by the gateway server;
the service providing device, further configured to send a first authentication request to the gateway server when the authorized device list does not include the device identifier of the second service request device, where the first authentication request includes the device identifier of the second service request device and the second authentication token;
the gateway server, further configured to send a first authentication response to the service providing device when it determines that the second authentication token is the same as the authentication token it has pre-stored for the second service request device, where the first authentication response indicates that the second service request device has passed authentication;
and the service providing device, further configured to provide the second service to the second service request device and to add the device identifier of the second service request device to the authorized device list.
In one possible design, the first authentication information is obtained by performing an encryption operation on the device identifier of the first service request device and a first authentication token. The service providing device is further configured, after receiving the first service request, to decrypt the first authentication information using the decryption key corresponding to the first service request device, thereby obtaining the device identifier of the first service request device and the first authentication token.
In the solution provided by this embodiment, after generating the authentication token, the gateway server does not send the plaintext of the token to the service request device. Instead, it encrypts the combination of the device identifier of the service request device and the authentication token to obtain authentication information, and sends that authentication information to the service request device. This has the following technical effects:
1. the authentication token is never transmitted in clear text, which improves its security;
2. the authentication information is generated by encrypting the device identifier of the service request device together with the authentication token, and because the device identifier is unique, the generated authentication information is unique as well;
3. when requesting a service, the service request need only carry the authentication information and not the plaintext device identifier of the service request device, which prevents an illegitimate user who intercepts the device identifier from copying it to request services, and thereby fully safeguards security.
In one possible design, the service providing device is further configured to send a key acquisition request to the gateway server when it does not hold the decryption key corresponding to the first service request device, where the key acquisition request includes the first authentication information;
the gateway server is further configured to send the decryption key corresponding to the first authentication information to the service providing device;
and the service providing device is further configured to store the IP address of the first service request device together with the decryption key.
In this way, when the service providing device does not hold the decryption key corresponding to a service request device, it requests the key from the gateway server so that the authentication information can be decrypted.
In one possible design, the first service request device is further configured to send a token acquisition request to the gateway server. The token acquisition request carries the device identifier of the first service request device, which is generated from at least two of the following: the Media Access Control (MAC) address, the processor identifier (CPU ID) and the IP address of the first service request device, and which uniquely identifies the first service request device;
the gateway server is further configured to generate a first authentication token according to the token acquisition request, perform an encryption operation on the device identifier of the first service request device and the first authentication token to obtain first authentication information, send the first authentication information to the first service request device, and store the correspondence among the device identifier of the first service request device, the first authentication information and the first authentication token.
In this way, the device identifier of a service request device is generated from several items of the device's identification information, which ensures that the generated device identifier is unique.
In one possible design, the gateway server is further configured to generate an executable file from the first authentication information and the validity period of the first authentication token, and to send the executable file to the first service request device. When executed within the validity period of the first authentication token, the executable file provides the first authentication information to the first service request device;
the first service request device is further configured to execute the executable file before sending the first service request, and to send the first service request to the gateway server only if the first authentication information is obtained by executing the executable file.
In this way, the service request device executes the executable file before sending each service request and so checks the validity of its authentication information itself. This avoids sending invalid service requests to the service providing device with expired authentication information and helps reduce the number of invalid requests.
In another aspect, an embodiment of this application provides an authentication method that includes the following steps. A first service request device sends a first service request carrying first authentication information to a gateway server, where the first service request asks for a first service provided by a service providing device and the first authentication information includes a device identifier of the first service request device. The gateway server forwards the first service request to the service providing device without authenticating it. When an authorized device list includes the device identifier of the first service request device, the service providing device provides the first service to the first service request device; the authorized device list records the device identifiers of service request devices that have passed authentication.
In another aspect, an embodiment of this application provides a computer storage medium that stores computer software instructions for the service providing apparatus, including a program designed to execute the aspects above.
In still another aspect, this application provides a computer program product that, when executed, performs the service-providing-device-side method of the aspect above.
Compared with the prior art, in the scheme provided by the embodiments of this application the authorized device list is kept on the service providing device, service request devices authenticated by the gateway server are added to the list, and the service providing device authenticates service request devices against the list. This reduces the number of authentication operations the gateway server must perform and keeps the gateway server from becoming a bottleneck when a large number of service requests arrive concurrently.
Drawings
Fig. 1 is a schematic diagram of an implementation environment provided by an embodiment of the present application;
Fig. 2 is a flowchart of an authentication method provided by an embodiment of the present application;
Fig. 3 is a flowchart of an authentication method according to another embodiment of the present application;
Fig. 4 is a flowchart of an authentication method according to another embodiment of the present application;
Fig. 5 is a flowchart of an authentication method provided by another embodiment of the present application;
Fig. 6 is a flowchart of an authentication method according to another embodiment of the present application;
Fig. 7A is a schematic diagram of an authentication apparatus according to an embodiment of the present application;
Fig. 7B is a schematic diagram of an authentication device according to another embodiment of the present application;
Fig. 8A is a schematic block diagram of an apparatus provided by an embodiment of the present application;
Fig. 8B is a schematic structural diagram of an apparatus according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
The system architecture and service scenarios described in the embodiments of this application are intended to explain the technical solution more clearly and do not limit it. A person skilled in the art will understand that, as system architectures evolve and new service scenarios appear, the technical solution provided here also applies to similar technical problems.
Referring to fig. 1, a schematic diagram of an implementation environment provided by an embodiment of the present application is shown. The implementation environment may be a microservice system 10. The implementation environment includes: a service providing device 110 and a gateway server 120.
There are generally a plurality of service providing devices 110, each of which deploys a service and provides that service to clients. Different service providing devices 110 may deploy different services. For example, a large e-commerce platform provides its applications with multiple services such as order management, buyer management, seller management and goods management, and these services can be deployed on different service providing devices 110. A service providing device 110 is typically a server.
The gateway server 120 is the sole entry point of the system: it encapsulates the internal architecture of the system and serves all clients uniformly. Common logic that is not specific to any service may be implemented in the gateway server 120, such as authentication, monitoring, load balancing, caching, request fragmentation and management, and static response handling. The gateway server 120 and each service providing device 110 may establish a communication connection over a network. Optionally, the gateway server 120 is an API gateway.
In addition, as shown in Fig. 1, the implementation environment also includes a service request device 130. The service request device 130 may run a client that initiates service requests to a service providing device 110 in order to obtain a service it provides. For example, the service request device 130 may be an electronic device such as a mobile phone, a tablet computer, an e-book reader, a multimedia playback device or a personal computer (PC). The service request device 130 may establish a communication connection with the gateway server 120 over a network. In the embodiments of this application, the service request devices 130 include a first service request device, a second service request device and a third service request device.
In practice, when a service request device 130 initiates a service request, the request is first sent to the gateway server 120, which forwards it to the service providing device 110; likewise, when the service providing device 110 responds, the service data is first sent to the gateway server 120, which forwards it to the service request device 130.
In the embodiments of this application, the authorized device list is kept on the service providing device 110, and each service request device 130 that the gateway server 120 has authenticated is added to it. For any service request device 130, within the validity period of the authentication token it has obtained, the gateway server 120 performs only one authentication operation on that device, when the first service request it sends is received, no matter how many service requests the device sends to the service providing device 110. Subsequent authentication is performed by the service providing device 110 against the authorized device list whenever it receives a service request from that device. This reduces the number of authentication operations the gateway server 120 must perform and keeps it from becoming a bottleneck when a large number of service requests arrive concurrently.
The embodiments of the present application will be described in further detail below based on the common aspects related to the embodiments of the present application described above.
Please refer to fig. 2, which shows a flowchart of an authentication method according to an embodiment of the present application. The method may be applied in the implementation environment shown in fig. 1. The method may include several steps as follows.
In step 201, the first service request device sends a first service request to the gateway server 120.
The first service request device is any one of the service request devices 130. The first service request is used to request to acquire a first service provided by the service providing device 110. The first service request carries first authentication information. Optionally, the first service request may be an HyperText Transfer Protocol (HTTP) request, and the request header of the first service request carries the first authentication information.
The first authentication information includes a device identification (device ID) of the first service requesting device. The device identifier is an identifier for indicating the identity of the service request device, and can uniquely determine one service request device, and different service request devices correspond to different device identifiers. For example, the device identification of the first service request device is used to uniquely indicate the first service request device. The device identification may also be referred to as fingerprint information.
Optionally, the first service request device generates its own device identifier from its own item identifiers. The item identifiers include, but are not limited to, at least two of the following: MAC address, CPU ID, and IP address. Optionally, the first service request device applies a hash algorithm to its item identifiers to generate its device identifier. For example, the first service request device splices the MAC address, the CPU ID, and the IP address into a single string of data and then hashes that string; the result is the device identifier of the first service request device. The hash algorithm may be SHA256, which is a Secure Hash Algorithm (SHA) variant with a hash value size of 256 bits. Illustratively, the MAC address of the first service request device is 00-23-5A-15-99-42, the CPU ID is 178BFBFF000206D7, and the IP address is 192.168.12.3. Since the hash algorithm is an irreversible (one-way) operation, an illegal person who intercepts the device identifier of the first service request device cannot recover private information such as its MAC address, CPU ID, or IP address by inverting the device identifier.
Accordingly, the gateway server 120 receives the first service request sent by the first service request device.
In step 202, the gateway server 120 forwards the first service request to the service providing device 110.
Unlike the prior art, in the embodiment of the present application, after receiving the first service request sent by the first service request device, the gateway server 120 forwards it directly to the corresponding service providing device 110 without authenticating it.
Accordingly, the service providing apparatus 110 receives the first service request transmitted by the gateway server 120.
In step 203, the service providing device 110 detects whether the device identifier of the first service requesting device is included in the authorized device list.
The list of authorized devices is used to record the device identification of the service requesting device that has passed the authentication. In actual implementation, the authorized device list is pre-recorded for the service providing device 110. The recording process for the list of authorized devices will be described below.
In step 204, when the device identifier of the first service request device is included in the authorized device list, the service providing device 110 provides the first service to the first service request device.
If the authorized device list includes the device identifier of the first service request device, which indicates that the first service request device is a device that has passed the authentication, the service providing device 110 provides the first service to the first service request device. In actual implementation, the service providing device 110 does not directly send the data of the first service to the first service requesting device, but first sends the data of the first service to the gateway server 120, and the gateway server 120 forwards the data to the first service requesting device. Accordingly, the first service request apparatus receives the data of the first service transmitted by the service providing apparatus 110.
In the solution provided in the embodiment of the present application, the service providing device 110 records the authorized device list, the service requesting device that has passed the authentication of the gateway server 120 is added to the authorized device list, and the service providing device 110 authenticates the service requesting device 130 according to the authorized device list, so that the number of authentication operations that the gateway server 120 needs to execute is reduced, and the gateway server 120 is prevented from becoming a bottleneck in a scenario where a large number of service requests are highly concurrent.
Please refer to fig. 3, which shows a flowchart of an authentication method according to another embodiment of the present application. The method may be applied in the implementation environment shown in fig. 1. The method may include several steps as follows.
In step 301, the first service request device sends a first service request to the gateway server 120.
The first service request is used to request to acquire a first service provided by the service providing device 110. The first service request carries first authentication information. In this embodiment, the first authentication information includes the device identification of the first service requesting device and the first authentication token. In the present embodiment, the authentication token of the first service requesting device is referred to as a "first authentication token".
The first authentication token is the authentication token that the first service requesting device requests to obtain from the gateway server 120. The authentication token is the credential, typically a string of letters and numbers, upon which the gateway server 120 performs an authentication operation on the service requesting device 130.
In one example, the first service requesting device obtains the first authentication token by:
1. the first service request device sends a first token acquisition request to the gateway server 120;
the token acquisition request is for requesting acquisition of an authentication token. In this embodiment, the token obtaining request sent by the first service request device to the gateway server 120 is referred to as a "first token obtaining request".
Optionally, the first token acquisition request carries a user name and a password, or an Access Key identifier (Access Key ID, AK) and a private Access Key (Secret Access Key, SK). The user name and password are those of the user currently logged in on the first service request device. AK is the access identifier of the first service request device at the service providing device 110 and is equivalent to a user name of the first service request device; each AK uniquely corresponds to one service request device, so the service providing device 110 can identify the corresponding service request device from the AK. SK is a key, equivalent to an access password, with which the first service request device accesses the service providing device 110. AK and SK are therefore in one-to-one correspondence, and a pair of AK and SK is equivalent to a pair of user name and password.
2. The gateway server 120 generates a first authentication token according to the first token acquisition request;
In this embodiment, the first authentication token may be denoted as token1. In addition, the validity period of the first authentication token is determined when the token is generated. The validity period may be referred to as a Time To Live (TTL).
Optionally, the gateway server 120 encodes the user name and the password carried in the first token acquisition request, or encodes the AK and the SK, according to a preset encoding rule to generate the first authentication token, and sets the validity period of the first authentication token to a preset duration. The preset duration may be configured in advance according to actual requirements and is not limited in the embodiment of the present application; for example, the preset duration is 1 hour, 12 hours, or 1 day.
3. The gateway server 120 sends the first authentication token to the first service requesting device.
Accordingly, the first service requesting device receives the first authentication token transmitted by the gateway server 120. Subsequently, in the service request phase, the first service request device may send a first service request to the gateway server 120, where the first service request carries first authentication information, and the first authentication information includes a device identifier of the first service request device and a first authentication token.
In another example, the first service requesting device obtains the first authentication token by:
1. the first service request device sends a first token acquisition request to the gateway server 120;
optionally, the first token acquisition request carries a user name and a password, or carries AK and SK. In addition, the first token acquisition request also carries the device identifier of the first service request device.
2. The gateway server 120 generates a first authentication token according to the first token acquisition request;
3. the gateway server 120 performs an encryption operation on the device identifier of the first service request device and the first authentication token to obtain first authentication information; and stores a correspondence between the device identification of the first service request device, the first authentication information, and the first authentication token.
In this embodiment, the first authentication token may be denoted as token1, and the first authentication information may be denoted as token2. The first authentication information is also a character string composed of letters and numbers.
Optionally, the gateway server 120 encrypts the combination of the device identifier of the first service request device and the first authentication token by using an asymmetric encryption algorithm, and the result is the first authentication information. An asymmetric encryption algorithm generates a pair of keys, a public key and a private key, where the public key is used for encryption and the private key is used for decryption. Illustratively, the asymmetric encryption algorithm may be RSA_2048, that is, an RSA algorithm in which the generated RSA key has a length of 2048 bits.
In the embodiment of the present application, the gateway server 120 generates different decryption keys for different service request devices, and the validity period of the decryption key may be the same as that of the authentication token. In addition, the gateway server 120 adds the correspondence between the first authentication information and the corresponding decryption key to the pre-stored correspondence after generating the first authentication information.
4. The gateway server 120 transmits the first authentication information to the first service request device.
Accordingly, the first service requesting device receives the first authentication information transmitted by the gateway server 120. Subsequently, in the service request phase, the first service request device may send a first service request to the gateway server 120, where the first service request carries the first authentication information, and the first authentication information is generated by performing an encryption operation on the device identifier of the first service request device and the first authentication token.
In one possible implementation, the gateway server 120 generates an executable file (denoted as "first executable file" in this embodiment) according to the first authentication information and the validity period of the first authentication token. The gateway server 120 sends the first executable file to the first service request device. The first executable file is for providing the first authentication information to the first service requesting device when executed during a validity period of the first authentication token. That is, after the first service request device receives the first executable file sent by the gateway server 120, if the first executable file is executed within the validity period of the first authentication token, the operation result of the first executable file is to display the first authentication information, that is, the first service request device may obtain the first authentication information; if the first executable file is executed after the validity period of the first authentication token is exceeded, the operation result of the first executable file is an error, that is, the first service request device cannot acquire the first authentication information.
Alternatively, the gateway server 120 may write a program implementing the above functions in C++, Java, or another programming language, and compile the program into a binary executable file. Optionally, a timer is set in the program, and the timeout duration of the timer is the validity period of the first authentication token. When the first service request device executes the first executable file, if the timer has expired, an error is displayed, indicating that the first authentication information cannot be acquired; if the timer has not expired, the first authentication information is displayed.
In this embodiment, after generating the first authentication token (i.e. token1), the gateway server 120 does not directly send the first authentication token to the first service request device in plaintext, but encrypts the device identifier of the first service request device and the first authentication token to obtain first authentication information (i.e. token2), and sends the first authentication information to the first service request device, which has the following technical effects:
1. the clear text transmission of the authentication token is avoided, and the security of the authentication token is improved;
2. since the authentication information is generated by encrypting in combination with the device identifier of the service requesting device 130 and the authentication token, and the device identifier has uniqueness, the uniqueness of the generated authentication information can be ensured;
3. in the process of requesting a service, the service request device 130 only needs to carry authentication information in the service request, and does not need to carry the device identifier of the service request device 130 in the service request in a clear text, so as to prevent an illegal user from using the device identifier to counterfeit the service request device 130 to request the service after intercepting the device identifier of the service request device 130, thereby fully ensuring the security.
Of course, where security is not a concern, after generating the authentication token the gateway server 120 may also send the authentication token directly to the service request device 130, and the service request device 130 then carries its device identifier and the authentication token in the service request; this can also solve the problem described in the background art.
In step 302, the gateway server 120 forwards the first service request to the service providing device 110.
In step 303, the service providing device 110 performs a decryption operation on the first authentication information by using the decryption key to obtain the device identifier of the first service requesting device and the first authentication token.
Optionally, after receiving the first service request, the service providing device 110 extracts a source IP address from a data packet of the first service request, where the source IP address is an IP address of the first service request device. The service providing apparatus 110 detects whether a decryption key corresponding to the IP address of the first service requesting apparatus is stored; if the decryption key corresponding to the IP address of the first service request device is stored, the service providing device 110 performs a decryption operation on the first authentication information by using the decryption key, and obtains the device identifier and the first authentication token of the first service request device.
In addition, if the decryption key corresponding to the IP address of the first service requesting device is not stored, the service providing device 110 requests the acquisition of the decryption key corresponding to the first service requesting device from the gateway server 120. Illustratively, the service providing device 110 sends a key acquisition request (in this embodiment, referred to as a "first key acquisition request") to the gateway server 120, where the first key acquisition request includes first authentication information, and the first key acquisition request is used to request to acquire a decryption key corresponding to the first authentication information (i.e., a decryption key corresponding to the first service requesting device). The gateway server 120 detects whether the pre-stored correspondence includes a decryption key corresponding to the first authentication information; if the pre-stored correspondence includes the decryption key corresponding to the first authentication information, the gateway server 120 transmits the decryption key corresponding to the first authentication information to the service providing apparatus 110. Accordingly, the service providing apparatus 110 receives the decryption key corresponding to the first authentication information transmitted from the gateway server 120, and stores the decryption key in association with the IP address of the first service requesting apparatus.
In addition, the decryption key has a validity period. When the decryption key exceeds the validity period, the first authentication information cannot be successfully decrypted by using the decryption key. The service providing device 110 may request the gateway server 120 to acquire the decryption key corresponding to the first service requesting device when the decryption key expires and the first authentication information cannot be successfully decrypted.
In step 304, the service providing device 110 detects whether the device identification of the first service requesting device is included in the list of authorized devices.
In step 305, when the device identification of the first service request device is included in the authorized device list, the service providing device 110 provides the first service to the first service request device.
In addition, when the device identification of the first service request device is not included in the authorized device list, an authentication operation is performed on the first service request device according to the first authentication token. For a specific flow of performing an authentication operation on the service request device according to the authentication token, refer to the embodiment of fig. 4 below.
For details not disclosed in the embodiment of fig. 3, reference is made to the embodiment of fig. 2.
In the solution provided in this embodiment of the present application, the service providing device 110 records an authorized device list, and a service requesting device 130 that has passed the authentication of the gateway server 120 is added to that list. As a result, for any service requesting device 130, within the validity period of the authentication token obtained by that device, no matter how many service requests it sends to the service providing device 110, the gateway server 120 needs to perform an authentication operation on it only when receiving the first service request sent by that device; when the service providing device 110 subsequently receives a service request from that device, it performs the verification according to the authorized device list. This reduces the number of authentication operations that the gateway server 120 needs to perform and prevents the gateway server 120 from becoming a bottleneck in scenarios with a large number of highly concurrent service requests.
Optionally, when the microservice system includes multiple service providing devices 110, the multiple service providing devices 110 may synchronize their respective recorded authorized device lists with each other, so that, for any service request device 130, whichever service providing device or devices 110 in the microservice system it requests to access, the gateway server 120 needs to perform only one authentication operation on it within the validity period of the authentication token it possesses, thereby further reducing the number of authentication operations that the gateway server 120 needs to perform.
In addition, since the service request sent by the service request device 130 to the service providing device 110 carries authentication information generated by performing an encryption operation on the device identifier and the authentication token of the service request device 130, the device identifier of the service request device 130 is not transmitted in clear text in the service request. This prevents an illegal user from intercepting the device identifier of the service request device 130 and using it to counterfeit the service request device 130 when requesting the service, thereby fully ensuring security.
Please refer to fig. 4, which shows a flowchart of an authentication method according to another embodiment of the present application. The method may be applied in the implementation environment shown in fig. 1. The method may include several steps as follows.
In step 401, the second service request device sends a second service request to the gateway server 120.
The second service request device is any one of the service request devices 130. The second service request is used to request to acquire a second service provided by the service providing device 110. The second service request carries second authentication information. Optionally, the second service request may also be an HTTP request, and a request header of the second service request carries the second authentication information. The second authentication information comprises a device identification of the second service requesting device and a second authentication token. In the present embodiment, the authentication token of the second service requesting device is referred to as "second authentication token". The second authentication token is the authentication token that the second service requesting device requests to obtain from the gateway server 120. For the process of acquiring the second authentication token, reference may be made to the process of acquiring the first authentication token described in the embodiment of fig. 3, which is not described in detail in this embodiment.
Optionally, the second authentication information is generated by performing an encryption operation on the device identification of the second service request device and the second authentication token.
In step 402, the gateway server 120 forwards the second service request to the service providing device 110.
The second service request is not authenticated by the gateway server 120.
In step 403, the service providing device 110 detects whether the device identifier of the second service requesting device is included in the authorized device list.
Optionally, if the second authentication information is generated by performing an encryption operation on the device identifier of the second service request device and the second authentication token, before performing step 403, the service providing device 110 performs a decryption operation on the second authentication information by using a decryption key corresponding to the second service request device, so as to obtain the device identifier of the second service request device and the second authentication token. For the decryption process of the second authentication information, reference may be made to the decryption process of the first authentication information described in the embodiment of fig. 3, which is not described in detail in this embodiment.
In step 404, when the device identification of the second service request device is not included in the authorized device list, the service providing device 110 sends a first authentication request to the gateway server 120.
If the authorized device list does not include the device identifier of the second service request device, it is indicated that the second service request device is a device that has not been authenticated. The service providing device 110 sends a first authentication request for requesting an authentication operation to be performed on the second service requesting device to the gateway server 120. The first authentication request comprises the device identification of the second service requesting device and the second authentication token.
In step 405, the gateway server 120 performs an authentication operation on the second service request device according to the device identifier of the second service request device and the second authentication token.
For example, the gateway server 120 detects whether the second authentication token is valid, wherein if the second authentication token is the same as the authentication token of the second service request device that is pre-stored by the gateway server 120 and the authentication token of the second service request device is within the valid period, the second authentication token is valid; if the second authentication token is not the same as the authentication token of the second service request device pre-stored by the gateway server 120, or the second authentication token is the same as the authentication token of the second service request device pre-stored by the gateway server 120 but the authentication token of the second service request device exceeds the validity period, the second authentication token is invalid.
In step 406, the gateway server 120 sends a first authentication response to the service providing device 110.
When the gateway server 120 determines that the second authentication token is valid, a first authentication response is transmitted to the service providing device 110. The first authentication response is used to indicate that the second service requesting device is authenticated. Optionally, the first authentication response includes the device identifier of the second service request device and a first authentication result, and the first authentication result is used to indicate that the authentication is passed.
When the gateway server 120 determines that the second authentication token is invalid, a second authentication response is transmitted to the service providing device 110. The second authentication response is used to indicate that the second service requesting device failed authentication. Optionally, the second authentication response includes a device identifier of the second service request device and a second authentication result, where the second authentication result is used to indicate that the authentication is not passed.
In step 407, upon receiving the first authentication response, the service providing device 110 provides the second service to the second service requesting device, and performs step 408 described below.
In step 408, the service providing device 110 adds the device identification of the second service requesting device in the list of authorized devices.
In this embodiment, the execution sequence of the steps 407 and 408 is not limited, and the step 408 may be executed before the step 407, after the step 407, or simultaneously with the step 407.
In addition, if the service providing device 110 receives the second authentication response, the service providing device 110 does not provide the second service to the second service requesting device, and optionally, the service providing device 110 sends a message indicating that the authentication is not passed to the second service requesting device.
In addition, when the device identification of the second service request device is included in the authorized device list, the service providing device 110 provides the second service to the second service request device.
For details not disclosed in the embodiment of fig. 4, reference is made to the embodiment of fig. 2 and 3.
In the case where the device identification of the service requesting device 130 is not included in the authorized device list of the service providing device 110, an authentication operation is performed on the service requesting device 130 by the gateway server 120 according to the authentication token. In addition, the service providing device 110 adds the device identifier of the authenticated service requesting device 130 to the authorized device list, so that when the service request of the service requesting device 130 is subsequently received again, the service requesting device 130 can be authenticated based on the authorized device list, thereby reducing the number of authentication operations that the gateway server 120 needs to perform.
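As an added illustration, not the patent's own code, the following Go model walks through the fig. 3 and fig. 4 exchange end to end: the gateway issues token1 with a TTL and hands the device only token2, the RSA-2048 encryption of device ID|token1; the service providing device obtains the decryption key from the gateway, decrypts token2, consults its authorized device list, and sends an authentication request to the gateway only for a device that is not yet listed. RSA-OAEP, the "|" separator inside the plaintext, the AuthCount counter, fetching the decryption key on every request (the patent caches it per source IP), and the sample item identifiers from the fig. 2 text are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// DeviceID splices the item identifiers and hashes them with SHA-256 (step 301 text).
// The inputs have little entropy, so the hash only hides them from casual inspection.
func DeviceID(mac, cpuID, ip string) string {
	sum := sha256.Sum256([]byte(mac + cpuID + ip))
	return hex.EncodeToString(sum[:])
}

// record is what the gateway stores per device: token1 and its validity period.
type record struct {
	token1  string
	expires time.Time
}

// Gateway issues tokens and authenticates a device only when a provider asks it to.
type Gateway struct {
	ttl       time.Duration
	byDevice  map[string]*record         // device ID -> token1, TTL
	keys      map[string]*rsa.PrivateKey // token2 -> decryption key
	AuthCount int                        // authentication operations actually performed
}

func NewGateway(ttl time.Duration) *Gateway {
	return &Gateway{ttl: ttl, byDevice: map[string]*record{}, keys: map[string]*rsa.PrivateKey{}}
}

// IssueToken generates token1 and a per-device RSA-2048 key pair; only token2 = RSA-OAEP(pub, deviceID|token1) goes back to the device.
func (g *Gateway) IssueToken(deviceID string) (string, error) {
	raw := make([]byte, 16)
	rand.Read(raw) // never returns an error since Go 1.24
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	rec := &record{token1: hex.EncodeToString(raw), expires: time.Now().Add(g.ttl)}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, []byte(deviceID+"|"+rec.token1), nil)
	if err != nil {
		return "", err
	}
	g.byDevice[deviceID], g.keys[string(ct)] = rec, key
	return string(ct), nil
}

// DecryptionKey answers a key acquisition request carrying token2 (nil if unknown).
func (g *Gateway) DecryptionKey(token2 string) *rsa.PrivateKey {
	return g.keys[token2]
}

// Authenticate is step 405: token1 must equal the stored one and be within its TTL.
func (g *Gateway) Authenticate(deviceID, token1 string) bool {
	g.AuthCount++
	rec, ok := g.byDevice[deviceID]
	return ok && rec.token1 == token1 && time.Now().Before(rec.expires)
}

// AuthorizedList is the service providing device's list of authenticated device IDs.
type AuthorizedList map[string]bool

// HandleRequest is steps 303-305 and 403-408 on the provider side: fetch the key,
// decrypt token2, consult the list, and ask the gateway only for an unlisted device.
func (l AuthorizedList) HandleRequest(gw *Gateway, token2 string) (bool, error) {
	key := gw.DecryptionKey(token2)
	if key == nil {
		return false, errors.New("no decryption key for this authentication information")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, []byte(token2), nil)
	if err != nil {
		return false, fmt.Errorf("decrypt: %w", err)
	}
	deviceID, token1, _ := strings.Cut(string(pt), "|") // no "|": token1 is empty, step 405 fails
	if l[deviceID] {
		return true, nil // served from the list without any gateway round trip
	}
	if !gw.Authenticate(deviceID, token1) {
		return false, nil // second authentication response: service refused
	}
	l[deviceID] = true // step 408
	return true, nil
}

func main() {
	gw, list := NewGateway(time.Hour), AuthorizedList{}
	token2, err := gw.IssueToken(DeviceID("00-23-5A-15-99-42", "178BFBFF000206D7", "192.168.12.3"))
	for i := 0; i < 3 && err == nil; i++ { // only the first request reaches the gateway
		_, err = list.HandleRequest(gw, token2)
	}
	fmt.Println("err:", err, "gateway authentication operations:", gw.AuthCount) // <nil> 1
}
```

Running the model with three requests from the same device shows AuthCount staying at 1; a gateway created with a negative TTL reproduces the expired-token path, in which the provider refuses service and does not add the device to its list.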
Please refer to fig. 5, which shows a flowchart of an authentication method according to another embodiment of the present application. The method may be applied in the implementation environment shown in fig. 1. The method may include several steps as follows.
In step 501, the second service request device sends a second token obtaining request to the gateway server 120.
In the present embodiment, the token obtaining request sent from the second service request device to the gateway server 120 is referred to as a "second token obtaining request". Optionally, the second token acquisition request carries a username and a password, or carries AK and SK. In addition, the second token acquisition request also carries the device identifier of the second service request device.
Optionally, the second service request device generates its own device identifier according to its own item identifier. The item identification includes, but is not limited to, at least two items of information: MAC address, CPU ID and IP address. The device identification of the second service request device is used to uniquely indicate the second service request device.
Step 502, the gateway server 120 generates a second authentication token according to the second token obtaining request.
Illustratively, the second authentication token is: MIII5AYJKoZIhvcNAQcCoIII1 TCCCNECA. Optionally, the TTL of the second authentication token is 3600 seconds.
In step 503, the gateway server 120 performs an encryption operation on the device identifier of the second service request device and the second authentication token to obtain second authentication information.
Illustratively, the second authentication information is: AYJKoZICoIIJRTCCCUECAQExDPUKKmTTvXIQfVSGWKcsUIWHL.
In addition, the gateway server 120 records the following correspondence: the device identifier of the second service request device (may be denoted as device ID), the second authentication token (may be denoted as token1), the second authentication information (may be denoted as token2), the decryption key corresponding to the second service request device, and the validity period (may be denoted as TTL) of the second authentication token.
In step 504, the gateway server 120 generates an executable file according to the second authentication information and the validity period of the second authentication token.
In the present embodiment, the above-described executable file is referred to as a "second executable file". The second executable file is for providing the second authentication information to the second service requesting device when executed within the validity period of the second authentication token.
In step 505, the gateway server 120 sends the second executable file to the second service request device.
If the second service request device does not acquire the second authentication information after executing the second executable file sent by the gateway server 120, the second service request device may start to execute from step 501 again, and request to acquire the second authentication information again; if the second service request device acquires the second authentication information after executing the second executable file, the following steps 506 to 514 are performed.
Optionally, before each time the second service request device sends a second service request to the gateway server 120, it executes the second executable file sent by the gateway server 120 and sends the second service request only if the execution yields the second authentication information. In this way the service request device checks the validity of the second authentication information itself before sending a second service request, so it does not send an invalid service request to the service providing device 110 with expired second authentication information, and the number of invalid requests is reduced.
The second service request device sends a second service request to the gateway server 120, step 506.
The second service request is used to request to acquire a second service provided by the service providing device 110. The second service request carries second authentication information.
Illustratively, the request address of the gateway server 120 is https://group.com:7443/Servicexx/v1/URLx, to which the second service request device sends the second service request.
In step 507, the gateway server 120 forwards the second service request to the service providing device 110.
Illustratively, the request address of the service providing device 110 is https://a.com:7443/v1/URL, to which the gateway server 120 forwards the second service request.
In step 508, the service providing device 110 performs a decryption operation on the second authentication information by using the decryption key to obtain the device identifier and the second authentication token of the second service requesting device.
Optionally, the service providing device 110 obtains the corresponding decryption key according to the IP address of the second service requesting device.
In addition, in the case where the decryption key corresponding to the IP address of the second service requesting apparatus is not stored in the service providing apparatus 110, the decryption key may be acquired as follows: the service providing device 110 sends a key acquisition request (in this embodiment, referred to as a "second key acquisition request") to the gateway server 120, where the second key acquisition request includes the second authentication information. The gateway server 120 detects whether the pre-stored correspondence includes a decryption key corresponding to the second authentication information (i.e., a decryption key corresponding to the second service request device); if the pre-stored correspondence includes the decryption key corresponding to the second authentication information, the gateway server 120 sends the decryption key corresponding to the second authentication information to the service providing device 110. Accordingly, the service providing device 110 stores the decryption key corresponding to the IP address of the second service requesting device after receiving the decryption key corresponding to the second authentication information transmitted by the gateway server 120.
In step 509, the service providing device 110 detects whether the authorized device list includes the device identifier of the second service requesting device.
If the authorized device list includes the device identifier of the second service request device, execute step 514; if the device identification of the second service request device is not included in the list of authorized devices, the following steps 510 to 514 are performed.
The service providing device 110 sends a first authentication request to the gateway server 120, step 510.
The first authentication request is for requesting an authentication operation to be performed on the second service requesting device. The first authentication request comprises the device identification of the second service requesting device and the second authentication token.
In step 511, the gateway server 120 performs an authentication operation on the second service request device according to the device identifier of the second service request device and the second authentication token.
The gateway server 120 sends a first authentication response to the service providing device 110, step 512.
When the gateway server 120 determines that the second authentication token is valid, a first authentication response is transmitted to the service providing device 110. The first authentication response is used to indicate that the second service requesting device is authenticated.
When the gateway server 120 determines that the second authentication token is invalid, a second authentication response is transmitted to the service providing device 110. The second authentication response is used to indicate that the second service requesting device failed authentication.
In step 513, the service providing device 110 adds the device identification of the second service requesting device to the authorized device list, and performs step 514 described below.
If the service providing device 110 receives the second authentication response, the service providing device 110 does not provide the second service to the second service requesting device. Optionally, the service providing device 110 sends a message indicating that the authentication is not passed to the second service requesting device.
In step 514, the service providing device 110 provides the second service to the second service requesting device.
For details not disclosed in the embodiment of fig. 5, reference is made to the embodiments of fig. 2, 3 and 4.
Please refer to fig. 6, which shows a flowchart of an authentication method according to another embodiment of the present application. The method may be applied in the implementation environment shown in fig. 1. The method may include several steps as follows.
In step 601, the third service request device sends a third service request to the gateway server 120.
The third service request device is any one of the service request devices 130. The third service request is used to request to acquire a third service provided by the service providing device 110. The third service request carries third authentication information. The third authentication information is obtained by performing an encryption operation on the device identifier of the third service request device and the third authentication token. In the present embodiment, the authentication token of the third service request device is referred to as a "third authentication token". The third authentication token is the credential upon which the gateway server 120 performs an authentication operation on the third service request device.
The gateway server 120 forwards the third service request to the service providing device 110, step 602.
Step 603, when the service providing device 110 does not store the decryption key corresponding to the IP address of the third service requesting device, the service providing device 110 sends a second authentication request to the gateway server 120.
Optionally, after receiving the third service request, the service providing device 110 extracts a source IP address from a data packet of the third service request, where the source IP address is an IP address of the third service request device. The service providing device 110 detects whether a decryption key corresponding to the IP address of the third service requesting device is stored; if the decryption key corresponding to the IP address of the third service request device is not stored, a second authentication request is sent to the gateway server 120.
The second authentication request is for requesting that an authentication operation be performed for the third service request device. The second authentication request includes third authentication information.
In step 604, the gateway server 120 performs an authentication operation on the third service request device according to the third authentication information.
After receiving the second authentication request, the gateway server 120 detects whether the pre-stored correspondence includes a decryption key corresponding to the third authentication information. If so, the gateway server 120 decrypts the third authentication information with that decryption key to obtain the device identifier of the third service request device and the third authentication token, and then performs an authentication operation on the third service request device according to the two. For example, the gateway server 120 detects whether the third authentication token is valid: the third authentication token is valid if it is the same as the authentication token of the third service request device pre-stored by the gateway server 120 and that pre-stored authentication token is within its validity period; it is invalid if it differs from the pre-stored authentication token, or if it is the same but the pre-stored authentication token has exceeded its validity period.
The gateway server 120 sends a third authentication response to the service providing device 110, step 605.
When the gateway server 120 determines that the third authentication token is valid, a third authentication response is transmitted to the service providing device 110. The third authentication response is used to indicate that the third service request device is authenticated. Optionally, the third authentication response comprises: the third authentication result, a decryption key corresponding to the third authentication information, and the device identifier of the third service request device. And the third authentication result is used for indicating that the authentication is passed.
When the gateway server 120 determines that the third authentication token is invalid, a fourth authentication response is transmitted to the service providing device 110. The fourth authentication response is used to indicate that the third service request device failed authentication. Optionally, the fourth authentication response comprises: the fourth authentication result, the decryption key corresponding to the third authentication information, and the device identifier of the third service request device. The fourth authentication result is used to indicate that the authentication has failed.
In step 606, the service providing device 110 provides the third service to the third service requesting device, and performs the following step 607.
In step 607, the service providing device 110 stores the decryption key in correspondence with the IP address of the third service requesting device, and adds the device identifier of the third service requesting device to the authorized device list.
In this embodiment, the execution sequence of the steps 606 and 607 is not limited, and the step 607 may be executed before the step 606, after the step 606, or simultaneously with the step 606.
The service providing device 110 records the corresponding relationship between the IP address of the third service requesting device and the decryption key, so that when a third service request sent by the third service requesting device is subsequently received, the service providing device can locally obtain the corresponding decryption key to decrypt the third authentication information carried in the third service request.
In addition, if the service providing device 110 receives the fourth authentication response, the service providing device 110 does not provide the third service to the third service requesting device. Optionally, the service providing device 110 sends a message indicating that the authentication is not passed to the third service requesting device.
For details not disclosed in the embodiment of fig. 6, reference is made to the embodiments of fig. 2, 3, 4 and 5.
In this embodiment, when the service providing device 110 does not store the decryption key corresponding to the service request device 130, it sends an authentication request carrying the authentication information directly to the gateway server 120. The gateway server 120 decrypts the authentication information, completes the authentication operation on the service request device 130, and then sends the device identifier of the service request device 130, the authentication result and the decryption key to the service providing device 110. Acquisition of the decryption key and authentication of the device are thus completed in one request interaction, which simplifies the interaction between the service providing device 110 and the gateway server 120.
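The exchanges of fig. 5 and fig. 6 described above, as an added simulation in Python that is not part of the patent or of any Huawei implementation. The class and method names, the plaintext format `device ID:token1` that is encrypted into token2, and the encrypt-then-MAC construction standing in for the unspecified "encryption operation" are all assumptions of this example; the gateway server 120 is modelled as `GatewayServer`, the service providing device 110 as `ServiceProvidingDevice`, forwarding by the gateway is reduced to a direct method call, and the credential check of the token obtaining request is assumed to succeed.

```python
import base64, hashlib, hmac, secrets, time


def device_identifier(mac, cpu_id, ip):
    # Device identifier derived from the item identifications (MAC, CPU ID, IP); hash is an assumption.
    return hashlib.sha256(f"{mac}|{cpu_id}|{ip}".encode()).hexdigest()[:16]


def _keystream(key, nonce, n):
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def encrypt(key, plaintext):
    # Assumed encrypt-then-MAC stand-in (the page names no cipher). Output is token2.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def decrypt(key, token2):
    raw = base64.urlsafe_b64decode(token2)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication information rejected: bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class GatewayServer:
    """Gateway server 120: issues token1/token2 and keeps the correspondence of step 503."""

    def __init__(self, ttl=3600, clock=time.time):
        self.ttl, self.clock, self.records = ttl, clock, {}

    def obtain_token(self, device_id):
        # Steps 502-505; the credential check of the token obtaining request is assumed to pass.
        token1, key = secrets.token_urlsafe(24), secrets.token_bytes(32)
        token2 = encrypt(key, f"{device_id}:{token1}".encode())
        self.records[device_id] = {"token1": token1, "token2": token2, "key": key,
                                   "expires": self.clock() + self.ttl}
        return token2

    def authenticate(self, device_id, token1):
        # First authentication request (step 511): same token and still within its TTL.
        rec = self.records.get(device_id)
        return bool(rec) and hmac.compare_digest(rec["token1"], token1) and self.clock() < rec["expires"]

    def authenticate_info(self, token2):
        # Second authentication request (steps 603-605): the gateway decrypts token2 itself
        # and answers with (result, decryption key, device identifier) in one response.
        for device_id, rec in self.records.items():
            if rec["token2"] == token2:
                did, token1 = decrypt(rec["key"], token2).decode().split(":", 1)
                return self.authenticate(did, token1), rec["key"], did
        return False, None, None


class ServiceProvidingDevice:
    """Service providing device 110: authorized device list plus decryption keys cached by source IP."""

    def __init__(self, gateway):
        self.gateway, self.keys_by_ip, self.authorized, self.gateway_calls = gateway, {}, set(), 0

    def handle(self, src_ip, token2):
        key = self.keys_by_ip.get(src_ip)
        if key is None:                                  # Fig. 6: no key for this source IP yet
            self.gateway_calls += 1
            ok, key, device_id = self.gateway.authenticate_info(token2)
            if not ok:
                return "denied"
            self.keys_by_ip[src_ip] = key                # step 607
            self.authorized.add(device_id)
            return "service"
        try:                                             # Fig. 5, step 508: decrypt locally
            device_id, token1 = decrypt(key, token2).decode().split(":", 1)
        except ValueError:
            return "denied"
        if device_id in self.authorized:                 # step 509: whitelist hit, no gateway round trip
            return "service"
        self.gateway_calls += 1                          # steps 510-512
        if not self.gateway.authenticate(device_id, token1):
            return "denied"
        self.authorized.add(device_id)                   # step 513
        return "service"
```

`handle` takes the fig. 6 path when no decryption key is cached for the source IP (one round trip that returns the verdict, the key and the device identifier) and the fig. 5 path otherwise; a whitelist hit costs no gateway call, which is the point of the authorized device list. Note that token2 is accepted from whichever source IP presents it within the TTL; the IP address only selects the cached key.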
In the embodiment of the present application, a mechanism for cleaning the device identifier in the authorized device list is further provided, so as to ensure the accuracy of the device identifier recorded in the authorized device list.
In one example, the gateway server 120 sends a deletion indication to the service providing device 110, the deletion indication including the device identifier of a service request device 130 whose authorization has been revoked. After receiving the deletion indication, the service providing device 110 deletes that device identifier from the authorized device list. In practical implementation, the service request devices 130 with revoked authorization indicated by the gateway server 120 include: a service request device 130 whose authentication information (i.e., authentication token) has exceeded its validity period, a service request device 130 that initiates a large number of malicious service requests, and so on.
In another example, the service providing device 110 records therein a validity period of authentication information (i.e., an authentication token) possessed by each service requesting device 130, the validity period being provided to the service providing device 110 by the gateway server 120, and when the authentication information possessed by any one service requesting device 130 in the authorized device list that has passed the authentication exceeds the validity period, the service providing device 110 deletes the device identification of the service requesting device 130 from the authorized device list. Alternatively, the service providing device 110 may delete its device identifier from the authorized device list when the authentication information of the service requesting device 130 exceeds the validity period, or may periodically clear the authorized device list according to the validity period.
Optionally, the service providing device 110 may further record a list of unauthorized devices. The list of authorized devices may be referred to as a white list and the list of unauthorized devices may be referred to as a black list. The black list is used to record the device identifier of the service request device 130 in which abnormal situations such as repeated authentication failure, too high access frequency, and abnormal access occur. After receiving the service request and decrypting the device identifier of the service requesting device 130 from the authentication information, the service providing device 110 may further detect whether the device identifier of the service requesting device 130 is in a blacklist, and if the device identifier of the service requesting device 130 is in the blacklist, the service is not provided to the service requesting device 130.
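The cleaning mechanisms and the blacklist just described, as an added example in Python that is not code from the patent: an `AuthorizedDeviceList` kept by the service providing device 110 whose entries carry the validity period the gateway server 120 provides, that honours deletion indications, purges expired entries periodically, and moves a device to the blacklist after repeated authentication failures or too-high access frequency. The thresholds `max_failures`, `max_rate` and `window`, the injected `clock`, and all names are assumptions of this example.

```python
import time
from collections import deque


class AuthorizedDeviceList:
    """Whitelist and blacklist of the service providing device 110 (assumed structure)."""

    def __init__(self, clock=time.time, max_failures=3, max_rate=10, window=60):
        self.clock = clock
        self.whitelist = {}     # device_id -> end of the validity period supplied by the gateway
        self.blacklist = set()
        self.failures = {}      # device_id -> consecutive authentication failures
        self.requests = {}      # device_id -> timestamps of recent requests (sliding window)
        self.max_failures, self.max_rate, self.window = max_failures, max_rate, window

    def add(self, device_id, validity_end):
        # Steps 513 / 607: the device passed the gateway's authentication; record its TTL too.
        self.whitelist[device_id] = validity_end
        self.failures.pop(device_id, None)

    def is_authorized(self, device_id):
        # Per-request check: blacklist first, then a whitelist entry that has not expired.
        if device_id in self.blacklist:
            return False
        exp = self.whitelist.get(device_id)
        if exp is None:
            return False
        if self.clock() >= exp:          # authentication information exceeded its validity period
            del self.whitelist[device_id]
            return False
        return True

    def handle_deletion_indication(self, device_ids):
        # Deletion indication from the gateway server 120: authorization revoked.
        for d in device_ids:
            self.whitelist.pop(d, None)

    def purge_expired(self):
        # Periodic cleaning of the list according to the recorded validity periods.
        now = self.clock()
        expired = [d for d, exp in self.whitelist.items() if now >= exp]
        for d in expired:
            del self.whitelist[d]
        return expired

    def record_failure(self, device_id):
        # Repeated authentication failure moves the device to the blacklist.
        n = self.failures[device_id] = self.failures.get(device_id, 0) + 1
        if n >= self.max_failures:
            self.blacklist.add(device_id)
            self.whitelist.pop(device_id, None)

    def record_request(self, device_id):
        # Too-high access frequency: more than max_rate requests inside the window.
        q = self.requests.setdefault(device_id, deque())
        now = self.clock()
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) > self.max_rate:
            self.blacklist.add(device_id)
            self.whitelist.pop(device_id, None)
        return device_id not in self.blacklist
```

The blacklist is consulted before the whitelist so that a device whose identifier is still recorded as authorized is refused once it has been blacklisted; expiry is enforced both lazily, on the request that first observes it, and by `purge_expired` for the periodic clearing the text mentions.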
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
Please refer to fig. 7A, which illustrates a schematic diagram of an authentication apparatus according to an embodiment of the present application. The device has the functions of realizing the method examples, and the functions can be realized by hardware or by hardware executing corresponding software. The apparatus may include: a receiving module 710 and a processing module 720.
A receiving module 710, configured to receive a first service request sent by a gateway server 120, where the first service request is sent to the gateway server 120 by a first service request device and the gateway server 120 directly forwards the first service request to a service providing device 110 without authenticating the first service request, the first service request is used to request to obtain a first service provided by the service providing device 110, the first service request carries first authentication information, and the first authentication information includes a device identifier of the first service request device.
A processing module 720, configured to provide the first service to the first service request device when a device identifier of the first service request device is included in an authorized device list, where the authorized device list is used to record the device identifier of the service request device that has passed the authentication.
In summary, the apparatus provided in the embodiment of the present application records the authorized device list in the service providing device 110, adds the service requesting device 130 that has passed the authentication of the gateway server 120 to the authorized device list, and authenticates the service requesting device 130 by the service providing device 110 according to the authorized device list, thereby reducing the number of authentication operations that the gateway server 120 needs to perform, and avoiding that the gateway server 120 becomes a bottleneck in a scenario where a large number of service requests are highly concurrent.
Optionally, as shown in fig. 7B, the processing module 720 includes a determining module 722 and a sending module 724. The determining module 722 is configured to detect whether the device identifier of the first service request device is included in the authorized device list. A sending module 724, configured to send the data of the first service to the first service request device when the determining module 722 detects that the authorized device list includes the device identifier of the first service request device.
In an alternative embodiment provided based on the embodiment of fig. 7A and 7B,
the receiving module 710 is further configured to receive a second service request sent by the gateway server 120, where the second service request is sent to the gateway server 120 by a second service request device, and the gateway server 120 directly forwards the second service request to the service providing device 110 without authenticating the second service request, the second service request is used to request to obtain a second service provided by the service providing device 110, the second service request carries second authentication information, and the second authentication information includes a device identifier of the second service request device and a second authentication token.
The processing module 720 is further configured to send a first authentication request to the gateway server 120 when the device identifier of the second service request device is not included in the authorized device list, where the first authentication request includes the device identifier of the second service request device and the second authentication token.
The receiving module 710 is further configured to receive a first authentication response sent by the gateway server 120, where the first authentication response is used to indicate that the second service requesting device passes the authentication, and the first authentication response is sent to the service providing device 110 by the gateway server 120 when the gateway server 120 determines that the second authentication token is the same as the authentication token of the second service requesting device pre-stored by the gateway server 120.
The processing module 720 is further configured to provide the second service to the second service request device, and add the device identifier of the second service request device in the authorized device list.
In another alternative embodiment provided based on the embodiment of fig. 7A and 7B, the apparatus further comprises: delete module (not shown in the figure).
The receiving module 710 is further configured to receive a deletion indication sent by the gateway server 120, where the deletion indication includes the device identifier of a service request device whose authorization has been revoked.
The deleting module is configured to delete the device identifier of the service request device whose authorization has been revoked from the authorized device list.
In another optional embodiment provided based on the embodiment of fig. 7, the apparatus further comprises: delete module (not shown in the figure).
The deleting module is further configured to delete the device identifier of the authenticated service request device from the authorized device list when authentication information owned by any authenticated service request device in the authorized device list exceeds a validity period.
The above-mentioned scheme provided by the embodiment of the present application is mainly described from the perspective of interaction between the service request device 130 (e.g., the first service request device, the second service request device, and the third service request device), the gateway server 120, and the service providing device 110. The above-mentioned steps related to the service request device 130 side may be implemented separately as an authentication method of the service request device 130 side, the steps related to the gateway server 120 side may be implemented separately as an authentication method of the gateway server 120 side, and the steps related to the service providing device 110 side may be implemented separately as an authentication method of the service providing device 110 side.
It is understood that the apparatus (or referred to as "device") for implementing the above-described functions includes corresponding hardware structures and/or software modules for performing the respective functions. The various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present teachings.
In the embodiment of the present application, functional modules of an apparatus (or referred to as "device") may be divided according to the above method examples, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
In the case of integrated modules, fig. 8A shows a possible structural schematic of the apparatus (or referred to as "device") involved in the above-described embodiment. The apparatus 800 comprises: a processing module 802 and a communication module 803. The processing module 802 is used for controlling and managing the actions of the apparatus 800. For example, when the apparatus 800 is the service providing device 110, the processing module 802 is configured to implement the functions of the determining module and the deleting module in the above-described embodiment of fig. 7, and the processing module 802 is configured to enable the apparatus 800 to perform step 203 in fig. 2, steps 303 and 304 in fig. 3, steps 403 and 408 in fig. 4, steps 508, 509 and 513 in fig. 5, step 607 in fig. 6, and/or other steps for performing the techniques described herein. The communication module 803 is used to support the communication of the apparatus 800 with other devices. For example, when the apparatus 800 is the service providing device 110, the communication module 803 is used to implement the functions of the receiving module 710 and the sending module 724 in the embodiment of fig. 7B. The apparatus 800 may also include a storage module 801 for storing program codes and data for the apparatus 800.
The processing module 802 may be a processor or a controller, such as a Central Processing Unit (CPU), a general purpose processor, a Digital Signal Processor (DSP), an Application-Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing devices, e.g., one or more microprocessors, or a DSP together with a microprocessor. The communication module 803 may be a communication interface, a transceiver circuit, etc., where the communication interface is a generic term and may include one or more interfaces, such as an interface between the service request device 130 and the gateway server 120 and an interface between the service providing device 110 and the gateway server 120. The storage module 801 may be a memory.
When the processing module 802 is a processor, the communication module 803 is a communication interface, and the storage module 801 is a memory, the apparatus according to the embodiment of the present application may be the apparatus shown in fig. 8B.
Referring to fig. 8B, the apparatus 810 includes: processor 812, communications interface 813, memory 811. Optionally, the device 810 may also include a bus 814. Wherein the communication interface 813, the processor 812 and the memory 811 may be connected to each other by a bus 814; the bus 814 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus 814 may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 8B, but this is not intended to represent only one bus or type of bus.
The apparatus shown in fig. 8A or fig. 8B may be the service providing device 110, the service requesting device 130, or the gateway server 120.
The steps of the method described in connection with the disclosure of the embodiments of the present application may be implemented in hardware or by a processor executing software instructions. The software instructions may consist of corresponding software modules that may be stored in Random Access Memory (RAM), flash memory, Read Only Memory (ROM), Erasable Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), registers, a hard disk, a removable disk, a Compact Disc Read Only Memory (CD-ROM), or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a device. Of course, the processor and the storage medium may also reside as discrete components in an apparatus.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in the embodiments of the present application may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
It should be understood that reference to "a plurality" herein means two or more. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. The use of "first," "second," and similar terms herein do not denote any order, quantity, or importance, but rather the terms are used to distinguish one object from another.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the embodiments of the present application in further detail, and it should be understood that the above-mentioned embodiments are only specific embodiments of the present application, and are not intended to limit the scope of the embodiments of the present application, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the embodiments of the present application should be included in the scope of the embodiments of the present application.

Claims (15)

1. A method of authentication, the method comprising:
a service providing device receives a first service request sent by a gateway server, where the first service request is sent to the gateway server by a first service request device and is forwarded directly to the service providing device without the gateway server authenticating the first service request, the first service request is used for requesting to acquire a first service provided by the service providing device, the first service request carries first authentication information, the first authentication information comprises a device identifier of the first service request device, the first authentication information is acquired by the first service request device executing a first executable file within a validity period of the first authentication information, the first executable file is generated by the gateway server according to the first authentication information and the validity period of the first authentication information and is issued to the first service request device, the first service request device executes the first executable file before sending a service request to the gateway server, and the first executable file, when executed within the validity period of the first authentication information, provides the first authentication information to the first service request device;
and when an authorized device list comprises the device identifier of the first service request device, the service providing device provides the first service to the first service request device, wherein the authorized device list is used for recording the device identifiers of service request devices which have passed authentication.
2. The method of claim 1, further comprising:
the service providing device receives a second service request sent by the gateway server, where the second service request is sent to the gateway server by a second service request device and is forwarded directly to the service providing device without the gateway server authenticating the second service request, the second service request is used for requesting to acquire a second service provided by the service providing device, the second service request carries second authentication information, and the second authentication information comprises a device identifier of the second service request device and a second authentication token;
when the device identifier of the second service request device is not included in the authorized device list, the service providing device sends a first authentication request to the gateway server, where the first authentication request includes the device identifier of the second service request device and the second authentication token;
the service providing device receives a first authentication response sent by the gateway server, wherein the first authentication response is used for indicating that the second service request device passes the authentication, and the first authentication response is sent to the service providing device by the gateway server when the gateway server determines that the second authentication token is the same as the authentication token of the second service request device pre-stored by the gateway server;
and the service providing device provides the second service to the second service request device, and adds the device identifier of the second service request device to the authorized device list.
3. The method of claim 1, further comprising:
the service providing device receives a deletion instruction sent by the gateway server, wherein the deletion instruction comprises the device identifier of the first service request device;
the service providing device deletes the device identification of the first service request device from the authorized device list.
4. The method of claim 1, wherein the authorized device list further includes a validity period for providing the service to the first service request device, the method further comprising:
when detecting that the validity period for providing the service to the first service request device in the authorized device list has expired, the service providing device deletes the device identifier of the first service request device from the authorized device list.
5. An authentication apparatus, characterized in that the apparatus comprises:
a receiving module, configured to receive a first service request sent by a gateway server, where the first service request is sent to the gateway server by a first service request device and the gateway server forwards the first service request to a service providing device without authenticating the first service request, the first service request is used to request to acquire a first service provided by the service providing device, the first service request carries first authentication information, the first authentication information includes a device identifier of the first service request device, the first authentication information is acquired by the first service request device executing a first executable file within a validity period of the first authentication information, the first executable file is generated by the gateway server according to the first authentication information and the validity period of the first authentication information and is sent to the first service request device, the first service request device executes the first executable file before sending a service request to the gateway server, and the first executable file, when executed within the validity period of the first authentication information, provides the first authentication information to the first service request device;
and a processing module, configured to provide the first service to the first service request device when an authorized device list includes the device identifier of the first service request device, wherein the authorized device list is used for recording the device identifiers of service request devices which have passed authentication.
6. The apparatus of claim 5,
the receiving module is further configured to receive a second service request sent by the gateway server, where the second service request is sent to the gateway server by a second service request device, and the gateway server directly forwards the second service request to the service providing device without authenticating the second service request, where the second service request is used to request to obtain a second service provided by the service providing device, the second service request carries second authentication information, and the second authentication information includes a device identifier of the second service request device and a second authentication token;
the processing module is further configured to send a first authentication request to the gateway server when the device identifier of the second service request device is not included in the authorized device list, where the first authentication request includes the device identifier of the second service request device and the second authentication token;
the receiving module is further configured to receive a first authentication response sent by the gateway server, where the first authentication response is used to indicate that the second service request device passes authentication, and the first authentication response is sent to the service providing device by the gateway server when the gateway server determines that the second authentication token is the same as an authentication token of the second service request device that is pre-stored by the gateway server;
the processing module is further configured to provide the second service to the second service request device, and add the device identifier of the second service request device in the authorized device list.
7. The apparatus of claim 5,
the receiving module is further configured to receive a deletion instruction sent by the gateway server, where the deletion instruction includes a device identifier of the first service request device;
the apparatus further comprises:
a deletion module configured to delete the device identifier of the first service request device from the authorized device list.
8. The apparatus of claim 5, wherein the authorized device list further includes a validity period for providing the service to the first service request device, the apparatus further comprising:
a deletion module, configured to delete the device identifier of the first service request device from the authorized device list when detecting that the validity period for providing the service to the first service request device in the authorized device list has expired.
9. An authentication system, characterized in that the system comprises:
a first service request device, configured to send a first service request carrying first authentication information to a gateway server, where the first service request is used to request to acquire a first service provided by a service providing device, the first authentication information includes a device identifier of the first service request device, the first authentication information is acquired by the first service request device executing a first executable file within a validity period of the first authentication information, the first executable file is generated by the gateway server according to the first authentication information and the validity period of the first authentication information and is sent to the first service request device, the first service request device executes the first executable file before sending the service request to the gateway server, and the first executable file, when executed within the validity period of the first authentication information, provides the first authentication information to the first service request device;
the gateway server, configured to forward the first service request to the service providing device, where the first service request is sent to the gateway server by the first service request device and the gateway server forwards it directly to the service providing device without authenticating the first service request;
the service providing device, configured to receive the first service request sent by the gateway server, and to provide the first service to the first service request device when an authorized device list includes the device identifier of the first service request device, where the authorized device list is used to record the device identifiers of service request devices that have passed authentication.
10. The system of claim 9, further comprising:
a second service request device, configured to send a second service request carrying second authentication information to the gateway server, where the second service request is used to request to acquire a second service provided by the service providing device, and the second authentication information includes a device identifier of the second service request device and a second authentication token;
the gateway server is further configured to forward the second service request to the service providing device, where the second service request is sent to the gateway server by the second service request device and is forwarded directly to the service providing device without being authenticated by the gateway server;
the service providing device is further configured to receive the second service request sent by the gateway server, and to send a first authentication request to the gateway server when the authorized device list does not include the device identifier of the second service request device, where the first authentication request includes the device identifier of the second service request device and the second authentication token;
the gateway server is further configured to send a first authentication response to the service providing device when it determines that the second authentication token is the same as the authentication token of the second service request device that is pre-stored by the gateway server, where the first authentication response is used to indicate that the second service request device has passed authentication;
the service providing device is further configured to provide the second service to the second service request device, and to add the device identifier of the second service request device to the authorized device list.
11. The system according to claim 9, wherein the first authentication information is obtained by performing an encryption operation on the device identifier of the first service request device and a first authentication token;
the service providing device is further configured to, after receiving the first service request, perform a decryption operation on the first authentication information by using a decryption key corresponding to the communication address of the first service request device, so as to obtain the device identifier of the first service request device and the first authentication token.
12. The system of claim 11,
the service providing device is further configured to send a key acquisition request to the gateway server when no decryption key corresponding to the communication address of the first service request device is stored in the service providing device, where the key acquisition request includes the first authentication information;
the gateway server is further configured to send the decryption key corresponding to the first authentication information to the service providing apparatus;
the service providing device is further configured to correspondingly store the communication address of the first service request device and the decryption key.
13. The system of claim 9,
the first service request device is further configured to send a token acquisition request to the gateway server, where the token acquisition request carries the device identifier of the first service request device, the device identifier of the first service request device is generated according to at least two pieces of information among a media access control (MAC) address, a processor identifier, and a communication address of the first service request device, and the device identifier of the first service request device is used to uniquely indicate the first service request device;
the gateway server is further configured to generate the first authentication token according to the token acquisition request, perform an encryption operation on the device identifier of the first service request device and the first authentication token to obtain the first authentication information, send the first authentication information to the first service request device, and store a correspondence between the device identifier of the first service request device, the first authentication information, and the first authentication token.
14. The system of claim 9,
the gateway server is further configured to send a deletion instruction to the service providing device, where the deletion instruction includes the device identifier of the first service request device;
the service providing device is further configured to delete the device identifier of the first service request device from the authorized device list.
15. A method of authentication, the method comprising:
a first service request device sends a first service request carrying first authentication information to a gateway server, where the first service request is used for requesting to acquire a first service provided by a service providing device, the first authentication information includes a device identifier of the first service request device, the first authentication information is acquired by the first service request device executing a first executable file within a validity period of the first authentication information, the first executable file is generated by the gateway server according to the first authentication information and the validity period of the first authentication information and is issued to the first service request device, the first service request device executes the first executable file before sending the service request to the gateway server, and the first executable file, when executed within the validity period of the first authentication information, provides the first authentication information to the first service request device;
the gateway server forwards the first service request to the service providing device without authenticating the first service request;
and when an authorized device list comprises the device identifier of the first service request device, the service providing device provides the first service to the first service request device, wherein the authorized device list is used for recording the device identifiers of service request devices which have passed authentication.
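The three-party flow the claims describe (a service request device carrying gateway-issued authentication information, a gateway server that forwards requests without authenticating them, and a service providing device that serves from its authorized device list and consults the gateway only on a miss, a deletion instruction, or an expired entry) as an added Python model. This is not code from the patent or from Huawei: the class names, the toy cipher standing in for the unspecified encryption operation of claim 11, the modelling of the executable file of claim 1 as a time-checking closure, and every MAC, processor and address value are assumptions made for illustration.

```python
"""Toy model of the three-party flow in the claims above: service request device,
gateway server, service providing device. Added example, not code from the patent;
the cipher, class names, timings and sample values are assumptions for illustration."""
import hashlib
import hmac
import os
from collections import namedtuple

# Request payload: communication address, encrypted (device id, token), service name.
ServiceRequest = namedtuple("ServiceRequest", "address auth_info service")

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy AEAD (SHA-256 keystream XOR, HMAC tag) standing in for claim 11's cipher."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication information rejected")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def device_id(mac: str, cpu_id: str) -> str:
    """Claim 13: identifier derived from at least two of MAC, processor id, address."""
    return hashlib.sha256(f"{mac}|{cpu_id}".encode()).hexdigest()[:16]

class Gateway:
    def __init__(self):
        self.tokens = {}  # device_id -> pre-stored authentication token (claim 2)
        self.keys = {}    # auth_info -> decryption key handed out on request (claim 12)

    def issue_credential(self, dev_id: str, now: float, validity: float):
        """Token acquisition (claim 13) and the time-limited credential of claim 1; the
        executable file that yields auth_info only inside its validity period is a closure."""
        token, key = os.urandom(16).hex(), os.urandom(32)
        auth_info = encrypt(key, f"{dev_id}:{token}".encode())
        self.tokens[dev_id], self.keys[auth_info] = token, key
        expires = now + validity
        return lambda t: auth_info if t < expires else None

    def forward(self, provider, req, now):
        return provider.handle(req, self, now)  # claim 1: forwarded without authentication

    def authenticate(self, dev_id: str, token: str) -> bool:
        stored = self.tokens.get(dev_id)        # claim 2: compare with the stored token
        return stored is not None and hmac.compare_digest(stored, token)

class ServiceProvider:
    def __init__(self, service_validity: float):
        self.authorized = {}     # device_id -> expiry of its list entry (claim 4)
        self.keys = {}           # communication address -> decryption key
        self.service_validity = service_validity
        self.gateway_checks = 0  # how often the gateway had to be consulted

    def handle(self, req: ServiceRequest, gateway: Gateway, now: float) -> str:
        key = self.keys.get(req.address) or gateway.keys.get(req.auth_info)  # claim 12
        if key is None:
            return "denied"
        self.keys[req.address] = key
        try:
            dev_id, token = decrypt(key, req.auth_info).decode().split(":", 1)
        except ValueError:
            return "denied"
        if dev_id in self.authorized and now >= self.authorized[dev_id]:
            del self.authorized[dev_id]         # claim 4: expired entry is dropped
        if dev_id in self.authorized:           # claim 1: fast path, no gateway call
            return f"served {req.service}"
        self.gateway_checks += 1                # claim 2: ask the gateway once
        if not gateway.authenticate(dev_id, token):
            return "denied"
        self.authorized[dev_id] = now + self.service_validity
        return f"served {req.service}"

    def delete(self, dev_id: str):              # claim 3: gateway's deletion instruction
        self.authorized.pop(dev_id, None)

def run_scenario() -> dict:
    """Drive the flow through the cases the claims cover and report what happened."""
    gw, sp = Gateway(), ServiceProvider(service_validity=50)
    dev_a = device_id("00:11:22:33:44:55", "cpu-serial-A")  # constructed sample values
    cred = gw.issue_credential(dev_a, now=0, validity=60)
    req = lambda t: ServiceRequest("10.0.0.7", cred(t), "weather")
    out = {"first": gw.forward(sp, req(1), 1), "cached": gw.forward(sp, req(2), 2)}
    sp.delete(dev_a)                                         # gateway revokes device A
    out["after_revoke"] = gw.forward(sp, req(3), 3)         # re-authenticated
    out["after_list_expiry"] = gw.forward(sp, req(55), 55)  # list entry expired at 53
    out["checks_total"] = sp.gateway_checks                 # 3
    out["credential_expired"] = cred(61) is None            # file no longer yields info
    bad = bytearray(cred(5)); bad[20] ^= 1                  # tampered ciphertext
    out["tampered"] = gw.forward(sp, ServiceRequest("10.0.0.7", bytes(bad), "weather"), 5)
    return out
```

The scenario makes the point of the authorized device list visible: across four served requests the gateway is consulted only three times, after the first contact, after the deletion instruction, and after the list entry's own validity expires, while the second request is served from the list alone. The credential stops yielding authentication information once its validity period passes, and a modified ciphertext is rejected at the provider before any gateway check. When reviewing a real implementation of this scheme, the places to verify are exactly those three re-check points and the integrity check on the authentication information, since a provider that keeps serving from a stale list entry defeats the revocation path of claims 3 and 4.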
CN201710832765.5A 2017-09-15 2017-09-15 Authentication method, device and system Active CN109510802B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710832765.5A CN109510802B (en) 2017-09-15 2017-09-15 Authentication method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710832765.5A CN109510802B (en) 2017-09-15 2017-09-15 Authentication method, device and system

Publications (2)

Publication Number Publication Date
CN109510802A CN109510802A (en) 2019-03-22
CN109510802B true CN109510802B (en) 2021-05-14

Family

ID=65744932

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710832765.5A Active CN109510802B (en) 2017-09-15 2017-09-15 Authentication method, device and system

Country Status (1)

Country Link
CN (1) CN109510802B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111131416B (en) * 2019-12-12 2023-09-05 京东科技控股股份有限公司 Service providing method and device, storage medium and electronic device
CN110971617A (en) * 2019-12-24 2020-04-07 苏州思必驰信息科技有限公司 Voice equipment authorization method, authentication method and system
CN111224968B (en) * 2019-12-31 2022-01-04 北京安盛联合科技有限公司 Secure communication method for randomly selecting transfer server
CN112422490B (en) * 2020-04-15 2022-07-01 岭博科技(北京)有限公司 Method and system for authenticating user equipment based on local cache
CN111585880B (en) * 2020-05-13 2021-09-28 腾讯科技(深圳)有限公司 Gateway control method and device in service system and electronic equipment
CN111447245A (en) * 2020-05-27 2020-07-24 杭州海康威视数字技术股份有限公司 Authentication method, authentication device, electronic equipment and server
CN112487502A (en) * 2020-12-15 2021-03-12 平安国际智慧城市科技股份有限公司 Equipment authentication method and device, electronic equipment and storage medium
CN112804258B (en) * 2021-03-11 2023-02-28 北京市商汤科技开发有限公司 Authentication and authorization method, authorization server, API gateway, system and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1918553A (en) * 2004-02-04 2007-02-21 索尼株式会社 Service providing server, information processor, data processing method, and computer program
CN106714167A (en) * 2016-12-30 2017-05-24 北京华为数字技术有限公司 Authentication method and network access server

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015139725A1 (en) * 2014-03-17 2015-09-24 Telefonaktiebolaget L M Ericsson (Publ) User identifier based device, identity and activity management system


Also Published As

Publication number Publication date
CN109510802A (en) 2019-03-22

Similar Documents

Publication Publication Date Title
CN109510802B (en) Authentication method, device and system
CN108650082B (en) Encryption and verification method of information to be verified, related device and storage medium
CN108737394B (en) Offline verification system, code scanning device and server
US10666642B2 (en) System and method for service assisted mobile pairing of password-less computer login
US8196186B2 (en) Security architecture for peer-to-peer storage system
TWI620087B (en) Authorization server, authorization method and computer program product thereof
US9197420B2 (en) Using information in a digital certificate to authenticate a network of a wireless access point
JP5860815B2 (en) System and method for enforcing computer policy
US20170091463A1 (en) Secure Audit Logging
US20180062863A1 (en) Method and system for facilitating authentication
CN110933078B (en) H5 unregistered user session tracking method
CN110868291B (en) Data encryption transmission method, device, system and storage medium
CN112738117A (en) Data transmission method, device and system, storage medium and electronic device
CN110708291B (en) Data authorization access method, device, medium and electronic equipment in distributed network
CN104243452B (en) A kind of cloud computing access control method and system
CN111786996B (en) Cross-domain synchronous login state method and device and cross-domain synchronous login system
KR20150135032A (en) System and method for updating secret key using physical unclonable function
CN110138558B (en) Transmission method and device of session key and computer-readable storage medium
TWI827906B (en) Message transmitting system, user device and hardware security module for use therein
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN110912857B (en) Method and storage medium for sharing login between mobile applications
WO2017029708A1 (en) Personal authentication system
US8312277B2 (en) Method and system for secure communication between computers
JP6353412B2 (en) ID password authentication method, password management service system, information terminal, password management service device, user terminal, and program thereof
JP2002328905A (en) Client authentication method, authentication device, program and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant