CN109729048A - A federated authentication method, system, related platform and medium
Publication number: CN109729048A (application number CN201711041509.0A)
Authority: CN (China)
Prior art keywords: platform, identity, service providing, initiator, identification code
Legal status: Pending
Abstract
The invention discloses a federated authentication method, system, related platform and medium. Specifically, when an identity providing platform and a service providing platform jointly authenticate an initiator, the initiator's mobile phone number is used as the initiator's identity and a verification code transmitted in the form of an SMS message is used as the authentication basis. The process is simple and its complexity is low. Because most identity providing platforms and service providing platforms support the short message protocol, the method applies to most identity providing platforms and service providing platforms, so its generality is stronger. Furthermore, because a mobile phone number is unique and a verification code transmitted by SMS is not easily obtained by an illegitimate terminal, the method not only ensures the accuracy of the authentication result but also largely avoids the reduced security that results when user information is stolen without authorization.
Description
Technical field
The present invention relates to the field of identity authentication technology, and in particular to a federated authentication method, system, related platform and medium.
Background art
OpenStack is currently a fairly active cloud platform. OpenStack mainly provides a compute service (Nova), an object storage service (Swift), an image service (Glance), an identity authentication service (Keystone), a network and address management service (Neutron), a UI service (Horizon), a metering service (Ceilometer), a deployment orchestration service (Heat), a database service (Trove) and so on. Keystone, as a basic core service, carries the authentication work of the other services in OpenStack, which places a very heavy burden on Keystone. Therefore, in order to reduce the burden on Keystone, federated authentication modes based on the Keystone service and a third-party service have emerged.
In the prior art, the federated authentication mode based on the Keystone service and a third-party service mainly uses the Keystone service as the service provider (Service Provider, SP) and the third-party service as the identity provider (Identity Provider, IDP). In the process by which the SP and the IDP jointly authenticate the initiator of a resource access request directed at OpenStack, the SP and the IDP need to establish a trust relationship through an agreed protocol (Protocol), and on the basis of that agreed protocol they jointly authenticate the initiator.
Currently, the protocols that can be agreed between the SP and the IDP mainly include the Security Assertion Markup Language 2.0 (SAML 2.0) protocol, the OpenID Connect (OIDC) protocol, the Lightweight Directory Access Protocol (LDAP) and the Kerberos network authentication protocol. It can be seen that the SP and the IDP must both support at least one of the above protocols before they can jointly authenticate the initiator, which inevitably limits this federated authentication mode and makes its generality poor. Moreover, during federated authentication, user information such as the initiator's username and password is generally used as the initiator's identity, packaged according to the agreed protocol and transmitted between the SP and the IDP. If the user information is stolen without authorization during transmission, this not only brings security risks to the user but can also plunge the entire OpenStack platform into a security crisis. In addition, the federated authentication processes based on the above protocols are relatively complicated, and their authentication efficiency is relatively low.
Summary of the invention
Embodiments of the present invention provide a federated authentication method, system, related platform and medium for a cloud platform, in order to solve the problems of the federated authentication methods in the prior art, namely that the authentication process is complicated, generality is poor and security is low.
The specific technical solutions provided by embodiments of the present invention are as follows:
A federated authentication method, applied in a federated authentication system including an identity providing platform, a service providing platform and a terminal, comprising:
the identity providing platform receives a resource access request redirected by the service providing platform, and obtains the phone number associated with the initiator of the resource access request;
the identity providing platform generates a first verification code and, based on the phone number, sends the first verification code in the form of an SMS message to the initiator's terminal;
the identity providing platform receives a second verification code returned by the initiator at the terminal on the basis of the first verification code, and determines whether the initiator passes authentication according to whether the second verification code matches the first verification code.
Preferably, after the identity providing platform receives the resource access request redirected by the service providing platform and before it obtains the phone number associated with the initiator of the resource access request, the federated authentication method further comprises:
the identity providing platform establishes a trust relationship between the identity providing platform and the service providing platform by means of a first identification code generated by the service providing platform.
Preferably, the identity providing platform establishing the trust relationship between the identity providing platform and the service providing platform by means of the first identification code generated by the service providing platform comprises:
the identity providing platform initiates a trust relationship establishment request to the service providing platform;
the identity providing platform receives a first identification code sent by the service providing platform in the form of an SMS message, where the first identification code is generated at random by the service providing platform after it receives the trust relationship establishment request and determines that the identity providing platform is legitimate;
the identity providing platform processes the first identification code using a preset processing mode to obtain a second identification code, and returns the second identification code to the service providing platform in the form of an SMS message;
the identity providing platform receives a trust relationship establishment response returned by the service providing platform, where the trust relationship establishment response is returned after the service providing platform determines, based on the second identification code returned by the identity providing platform, whether the identity providing platform is trustworthy;
the identity providing platform determines, based on the trust relationship establishment response, whether the trust relationship has been successfully established.
Preferably, the identity providing platform determining whether the initiator passes authentication according to whether the second verification code matches the first verification code comprises:
if the identity providing platform determines that the second verification code matches the first verification code, it concludes that the initiator passes authentication;
if the identity providing platform determines that the second verification code does not match the first verification code, it concludes that the initiator fails authentication.
Preferably, if the identity providing platform determines that the initiator passes authentication, the federated authentication method further comprises:
the identity providing platform configures, for the initiator, mapping information of the initiator on the service providing platform;
the identity providing platform returns the mapping information and an authentication result indicating that the initiator passed authentication to the service providing platform, so that the service providing platform, after determining from the authentication result that the initiator passed authentication, generates an access token for the initiator based on the mapping information.
A federated authentication method, applied in a federated authentication system including an identity providing platform, a service providing platform and a terminal, comprising:
the service providing platform receives a resource access request initiated by an initiator;
the service providing platform redirects the resource access request to the identity providing platform, so that the identity providing platform authenticates the initiator of the resource access request using the federated authentication method described above.
Preferably, the federated authentication method further comprises:
establishing a trust relationship between the identity providing platform and the service providing platform by means of a first identification code generated by the service providing platform.
Preferably, establishing the trust relationship between the identity providing platform and the service providing platform by means of the generated first identification code comprises:
the service providing platform receives a trust relationship establishment request initiated by the identity providing platform;
the service providing platform generates a first identification code and sends the first identification code to the identity providing platform in the form of an SMS message;
the service providing platform processes the first identification code using a preset processing mode to obtain a third identification code;
the service providing platform receives a second identification code returned by the identity providing platform in the form of an SMS message, where the second identification code is obtained by the identity providing platform processing the first identification code using the preset processing mode;
the service providing platform determines whether the identity providing platform is trustworthy according to whether the second identification code matches the third identification code.
Preferably, after the service providing platform receives the trust relationship establishment request initiated by the identity providing platform and before it generates the first identification code, the federated authentication method further comprises:
the service providing platform looks up the registration information of the identity providing platform;
if the service providing platform finds the registration information of the identity providing platform and determines that the registration information is legitimate, it concludes that the identity providing platform is legitimate.
Preferably, the federated authentication method further comprises:
the service providing platform receives the authentication result and the mapping information of the initiator returned by the identity providing platform, and if it determines from the authentication result that the initiator passed authentication, it generates an access token for the initiator based on the mapping information.
An identity providing platform, comprising:
a receiving module, for receiving a resource access request redirected by the service providing platform;
an obtaining module, for obtaining the phone number associated with the initiator of the resource access request;
a generation module, for generating a first verification code and, based on the phone number, sending the first verification code in the form of an SMS message to the initiator's terminal;
an authentication module, for receiving a second verification code returned by the initiator at the terminal on the basis of the first verification code, and determining whether the initiator passes authentication according to whether the second verification code matches the first verification code.
Preferably, the identity providing platform further comprises an establishing module, where
the establishing module is for establishing, after the receiving module receives the resource access request redirected by the service providing platform and before the obtaining module obtains the phone number associated with the initiator of the resource access request, the trust relationship between the identity providing platform and the service providing platform by means of the first identification code generated by the service providing platform.
Preferably, when establishing the trust relationship between the identity providing platform and the service providing platform by means of the first identification code generated by the service providing platform, the establishing module is specifically for:
initiating a trust relationship establishment request to the service providing platform;
receiving the first identification code sent by the service providing platform in the form of an SMS message, where the first identification code is generated at random by the service providing platform after it receives the trust relationship establishment request and determines that the identity providing platform is legitimate;
processing the first identification code using a preset processing mode to obtain a second identification code, and returning the second identification code to the service providing platform in the form of an SMS message;
receiving the trust relationship establishment response returned by the service providing platform, where the trust relationship establishment response is returned after the service providing platform determines, based on the second identification code returned by the identity providing platform, whether the identity providing platform is trustworthy;
determining, based on the trust relationship establishment response, whether the trust relationship has been successfully established.
Preferably, when determining whether the initiator passes authentication according to whether the second verification code matches the first verification code, the authentication module is specifically for:
when determining that the second verification code matches the first verification code, concluding that the initiator passes authentication;
when determining that the second verification code does not match the first verification code, concluding that the initiator fails authentication.
Preferably, the identity providing platform further comprises a configuration module, where the configuration module is for:
configuring, for the initiator, mapping information of the initiator on the service providing platform;
returning the mapping information and an authentication result indicating that the initiator passed authentication to the service providing platform, so that the service providing platform, after determining from the authentication result that the initiator passed authentication, generates an access token for the initiator based on the mapping information.
A service providing platform, comprising:
a receiving module, for receiving a resource access request initiated by an initiator;
a redirection module, for redirecting the resource access request to the identity providing platform, so that the identity providing platform authenticates the initiator of the resource access request using the federated authentication method described above.
Preferably, the service providing platform further comprises an establishing module, where
the establishing module is for establishing the trust relationship between the identity providing platform and the service providing platform by means of a first identification code that it generates.
Preferably, when establishing the trust relationship between the identity providing platform and the service providing platform by means of the generated first identification code, the establishing module is specifically for:
receiving a trust relationship establishment request initiated by the identity providing platform;
generating a first identification code and sending the first identification code to the identity providing platform in the form of an SMS message;
processing the first identification code using a preset processing mode to obtain a third identification code;
receiving a second identification code returned by the identity providing platform in the form of an SMS message, where the second identification code is obtained by the identity providing platform processing the first identification code using the preset processing mode;
determining whether the identity providing platform is trustworthy according to whether the second identification code matches the third identification code.
Preferably, after receiving the trust relationship establishment request initiated by the identity providing platform and before generating the first identification code, the establishing module is further for:
looking up the registration information of the identity providing platform;
if the registration information of the identity providing platform is found and determined to be legitimate, concluding that the identity providing platform is legitimate.
Preferably, the service providing platform further comprises a generation module, where
the generation module is for: receiving the authentication result and the mapping information of the initiator returned by the identity providing platform and, if it determines from the authentication result that the initiator passed authentication, generating an access token for the initiator based on the mapping information.
A federated authentication system, comprising: the identity providing platform described above, the service providing platform described above and the terminal described above.
A computer-readable storage medium, the computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being for causing a computer to execute the federated authentication method described above.
The embodiments of the present invention have the following beneficial effects:
In the embodiments of the present invention, when the identity providing platform and the service providing platform jointly authenticate the initiator, the initiator's phone number is used as the initiator's identity and the verification code transmitted in the form of an SMS message is used as the authentication basis; user information is no longer used as the initiator's identity, and the protocols mentioned in the prior art are no longer used as the authentication basis. Compared with the federated authentication modes in the prior art, the process is simple and its complexity is low. Moreover, because most identity providing platforms and service providing platforms support the short message protocol, the verification-code-based federated authentication mode applies to most identity providing platforms and service providing platforms, so its generality is stronger. Furthermore, because a phone number is unique and a verification code transmitted by SMS is not easily obtained by an illegitimate terminal, authenticating the initiator with the phone number as its identity and the SMS verification code as the authentication basis not only ensures the accuracy of the authentication result but also largely avoids the reduced security that results when user information is stolen without authorization.
Brief description of the drawings
Fig. 1 is an overall schematic diagram of the federated authentication method provided in Embodiment one of the present invention;
Fig. 2 is a detailed flow diagram of the federated authentication method provided in Embodiment two of the present invention;
Fig. 3 is a schematic diagram of the functional structure of the identity providing platform provided in Embodiment three of the present invention;
Fig. 4 is a schematic diagram of the functional structure of the service providing platform provided in Embodiment four of the present invention;
Fig. 5 is a schematic diagram of the structure of the federated authentication system provided in Embodiment five of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
In order to solve the problems of the federated authentication methods in the prior art, namely that the authentication process is complicated, generality is poor and security is low, in the embodiments of the present invention, when the identity providing platform and the service providing platform jointly authenticate the initiator, the initiator's phone number is used as the initiator's identity and the verification code transmitted in the form of an SMS message is used as the authentication basis; user information is no longer used as the initiator's identity, and the protocols mentioned in the prior art are no longer used as the authentication basis. Compared with the federated authentication modes in the prior art, the process is simple and its complexity is low. Moreover, because most identity providing platforms and service providing platforms support the short message protocol (Short Message Protocol, SMP), the verification-code-based federated authentication mode applies to most identity providing platforms and service providing platforms, so its generality is stronger. Furthermore, because a phone number is unique and a verification code transmitted by SMS is not easily obtained by an illegitimate terminal, authenticating the initiator with the phone number as its identity and the SMS verification code as the authentication basis not only ensures the accuracy of the authentication result but also largely avoids the reduced security that results when user information is stolen without authorization.
The solution of the present invention is described in detail below by means of specific embodiments; of course, the present invention is not limited to the following embodiments.
Embodiment one
Embodiment one of the present invention provides a federated authentication method, applied in a federated authentication system including an identity providing platform, a service providing platform and a terminal. As shown in Fig. 1, the process of the federated authentication method is as follows:
Step 101: the service providing platform receives a resource access request initiated by an initiator.
Step 102: the service providing platform redirects the resource access request to the identity providing platform.
Step 103: the identity providing platform receives the resource access request redirected by the service providing platform, and obtains the phone number associated with the initiator of the resource access request.
Step 104: the identity providing platform generates a first verification code.
Step 105: the identity providing platform, based on the phone number, sends the first verification code in the form of an SMS message to the initiator's terminal.
Step 106: the identity providing platform receives a second verification code returned by the initiator at the terminal on the basis of the first verification code, and determines whether the initiator passes authentication according to whether the second verification code matches the first verification code.
Embodiment two
The federated authentication method provided in Embodiment one above is described in further detail below. As shown in Fig. 2, the detailed process of the federated authentication method provided in Embodiment two of the present invention is as follows:
Step 201: the service providing platform receives a resource access request initiated by a user (hereinafter the user is referred to as the initiator of the resource access request) on the identity providing platform.
Step 202: the service providing platform redirects the resource access request to the identity providing platform.
Step 203: the identity providing platform receives the resource access request redirected by the service providing platform, and initiates a trust relationship establishment request to the service providing platform.
Step 204: the service providing platform receives the trust relationship establishment request sent by the identity providing platform, and looks up the registration information of the identity providing platform on the service providing platform.
Step 205: if the service providing platform finds the registration information of the identity providing platform and determines that the registration information found is legitimate, it concludes that the identity providing platform is legitimate.
It should be noted that if the service providing platform does not find the registration information of the identity providing platform, or finds the registration information of the identity providing platform but determines that the registration information found is illegitimate, the service providing platform can conclude that the identity providing platform is illegitimate and refuse the trust relationship establishment request initiated by the identity providing platform. Specifically, the service providing platform can refuse the trust relationship establishment request initiated by the identity providing platform by returning to the identity providing platform a trust relationship establishment response indicating that the trust relationship is refused, or by not making any response; this is not specifically limited here.
Step 206: the service providing platform generates a first identification code, where the first identification code is generated at random by the service providing platform.
Step 207: the service providing platform sends the first identification code to the identity providing platform in the form of an SMS message.
Step 208: the service providing platform processes the first identification code using a preset processing mode to obtain a third identification code.
Preferably, the preset processing mode may be, but is not limited to, encryption; that is, the service providing platform encrypts the first identification code to obtain the third identification code.
Step 209: the identity providing platform receives the first identification code sent by the service providing platform in the form of an SMS message, and processes the first identification code using the preset processing mode to obtain a second identification code.
Correspondingly, the identity providing platform uses the same encryption mode as the service providing platform and encrypts the first identification code to obtain the second identification code.
Step 210: the identity providing platform sends the second identification code to the service providing platform in the form of an SMS message.
Step 211: the service providing platform receives the second identification code returned by the identity providing platform in the form of an SMS message, and determines whether the identity providing platform is trustworthy according to whether the second identification code matches the third identification code.
Specifically, if the second identification code matches the third identification code, the identity providing platform is determined to be a trusted platform, and the establishment of the trust relationship is complete; if the second identification code does not match the third identification code, the identity providing platform is determined to be an untrusted platform, and establishment of the trust relationship is refused.
Step 212: if the service providing platform determines that the identity providing platform is trustworthy, it returns to the identity providing platform the matching result indicating that the second identification code matched the third identification code.
Step 213: the identity providing platform receives the matching result returned by the service providing platform indicating that the second identification code matched the third identification code, and determines that the trust relationship has been established.
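The trust-establishment handshake of Steps 203 to 213 (and the corresponding method and module claims in the Summary) can be simulated end to end. The following Python program is an added example written for this page; it is not code from the patent or from any OpenStack project. It assumes that the "preset processing mode" is an HMAC-SHA256 keyed with a secret both platforms hold (the patent says encryption but does not fix the primitive), that the SMS gateway can be modelled by an in-memory list, and that platform numbers and the registration table are constructed placeholders. The third identification code never leaves the service provider, the comparison is constant-time, and each first identification code is single-use, so a stale or wrongly keyed second code is refused.

```python
import hashlib
import hmac
import secrets


class SmsChannel:
    """In-memory stand-in for the SMS gateway both platforms use (constructed
    for this example; a deployment would call a real SMS provider)."""

    def __init__(self):
        self.messages = []  # list of (sender, recipient, body)

    def send(self, sender, recipient, body):
        self.messages.append((sender, recipient, body))

    def receive(self, recipient):
        """Return and remove the oldest message addressed to `recipient`."""
        for i, (sender, rcpt, body) in enumerate(self.messages):
            if rcpt == recipient:
                del self.messages[i]
                return sender, body
        return None


def process_code(shared_key: bytes, code: str) -> str:
    """The patent's 'preset processing mode' (encryption, but not limited to it).
    Assumption here: HMAC-SHA256 under a key both platforms hold, so only a
    platform that knows the key can produce the expected value."""
    return hmac.new(shared_key, code.encode(), hashlib.sha256).hexdigest()


class ServiceProvider:
    def __init__(self, number, registry, shared_key, sms):
        self.number = number
        self.registry = registry        # IdP number -> registration info (constructed)
        self.shared_key = shared_key
        self.sms = sms
        self.pending = {}               # IdP number -> third identification code
        self.trusted = set()

    def handle_trust_request(self, idp_number):
        # Steps 204-205: refuse unless the IdP is registered and legitimate
        info = self.registry.get(idp_number)
        if info is None or not info.get("legal", False):
            return "refused"
        # Steps 206-208: random first identification code sent by SMS; the
        # third identification code stays local and is never transmitted
        first = secrets.token_hex(8)
        self.sms.send(self.number, idp_number, first)
        self.pending[idp_number] = process_code(self.shared_key, first)
        return "sent"

    def handle_second_code(self, idp_number):
        # Steps 211-212: read the second identification code from SMS and
        # compare it with the third in constant time; single use either way
        msg = self.sms.receive(self.number)
        third = self.pending.pop(idp_number, None)
        if msg is None or third is None or msg[0] != idp_number:
            return "mismatch"
        if hmac.compare_digest(third, msg[1]):
            self.trusted.add(idp_number)
            return "match"
        return "mismatch"


class IdentityProvider:
    def __init__(self, number, shared_key, sms):
        self.number = number
        self.shared_key = shared_key
        self.sms = sms

    def establish_trust(self, sp) -> bool:
        # Step 203: trust relationship establishment request
        if sp.handle_trust_request(self.number) != "sent":
            return False
        # Steps 209-210: turn the first code into the second, return it by SMS
        msg = self.sms.receive(self.number)
        if msg is None:
            return False
        second = process_code(self.shared_key, msg[1])
        self.sms.send(self.number, sp.number, second)
        # Step 213: the matching result is the trust relationship response
        return sp.handle_second_code(self.number) == "match"


def run_handshake(idp_key: bytes, sp_key: bytes, registered=True, legal=True) -> bool:
    """Drive one handshake with constructed platform numbers and registry."""
    sms = SmsChannel()
    registry = {"IDP-0001": {"legal": legal}} if registered else {}
    sp = ServiceProvider("SP-0001", registry, sp_key, sms)
    idp = IdentityProvider("IDP-0001", idp_key, sms)
    return idp.establish_trust(sp)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    print(run_handshake(key, key))                    # True
    print(run_handshake(key, b"different-key"))       # False: wrong processing key
    print(run_handshake(key, key, registered=False))  # False: IdP not registered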
Step 214: the identity providing platform outputs an authentication interface and obtains the phone number associated with the initiator of the resource access request, where the authentication interface includes at least a first input box for entering the phone number and a second input box for entering the verification code.
It should be noted that if the initiator has bound a phone number on the identity providing platform, then when the initiator initiates the resource access request to the service providing platform on the identity providing platform, the resource access request carries initiator information that includes at least the initiator's phone number. In that case, the identity providing platform can obtain the phone number associated with the initiator of the resource access request directly from the initiator information carried in the resource access request, and automatically fill the phone number into the first input box on the authentication interface.
If the initiator has not bound a phone number on the identity providing platform, the identity providing platform can obtain the phone number associated with the initiator of the resource access request by obtaining the phone number that the initiator enters in the first input box on the authentication interface.
Step 215: the identity providing platform generates a first verification code.
Step 216: the identity providing platform, based on the phone number, sends the first verification code in the form of an SMS message to the initiator's terminal.
Step 217: the initiator, on the basis of the first verification code shown in the SMS message received by the terminal, enters a second verification code in the second input box on the authentication interface.
Step 218: the identity providing platform obtains the second verification code entered by the initiator in the second input box on the authentication interface, and determines whether the initiator passes authentication according to whether the second verification code matches the first verification code.
Specifically, if the identity providing platform determines that the second verification code matches the first verification code, it can conclude that the initiator passes authentication; if the identity providing platform determines that the second verification code does not match the first verification code, it can conclude that the initiator fails authentication.
Step 219: if the identity provider platform determines that the initiator is authenticated, it configures, for the initiator, the initiator's mapping information on the service provider platform, where the mapping information includes but is not limited to tenant information, domain information, and so on.
Step 220: the identity provider platform returns the mapping information and an authentication result indicating that the initiator is authenticated to the service provider platform.
Step 221: the service provider platform receives the initiator's authentication result and mapping information returned by the identity provider platform and, if it determines from the authentication result that the initiator is authenticated, generates an access token for the initiator based on the mapping information.
Step 222: the service provider platform returns the access token to the identity provider platform.
Step 223: the identity provider platform receives the access token returned by the service provider platform and, based on the access token and the initiator's mobile phone number, initiates the resource access request to the service provider platform again.
Step 224: the service provider platform receives the resource access request initiated by the identity provider platform and, if it determines that the access token is valid, allows the initiator to access the corresponding resource.
It should be noted that the access token can also be used for other resource access requests that the user initiates to the service provider platform on the identity provider platform, until the validity period of the access token expires. Once the validity period expires, the access token becomes invalid and a new access token must be obtained in the manner described above, which is not repeated here.
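The following is an added illustration of steps 215 to 224, not code from the patent: the identity provider issues a random first verification code, checks the initiator's second code with a constant-time compare, one-time use and an expiry and retry budget (the lifetimes and retry limit are assumed values the page does not give), and the service provider turns the positive result plus mapping information into an access token that is checked for validity period and bound phone number. The SMS gateway is replaced by an in-memory outbox.

```python
import hmac
import secrets
import time

# Assumed policy values (the page gives no numbers): code lifetime, retry budget, token lifetime.
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
TOKEN_TTL_SECONDS = 3600


class IdentityProviderPlatform:
    """Steps 215-220: issue the first verification code by SMS and check the second one."""

    def __init__(self, send_sms):
        self._send_sms = send_sms      # hypothetical transport hook standing in for an SMS gateway
        self._pending = {}             # phone -> [first_code, issued_at, attempts]

    def start_authentication(self, phone, now=None):
        now = time.time() if now is None else now
        first_code = f"{secrets.randbelow(10 ** 6):06d}"   # 6 digits from a CSPRNG
        self._pending[phone] = [first_code, now, 0]
        self._send_sms(phone, f"Your verification code is {first_code}")

    def verify(self, phone, second_code, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(phone)
        if entry is None:
            return False
        first_code, issued_at, attempts = entry
        if now - issued_at > OTP_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self._pending[phone]   # expired or too many guesses: a fresh code is required
            return False
        entry[2] += 1
        if hmac.compare_digest(first_code, second_code):
            del self._pending[phone]   # one-time use: the same code cannot be replayed
            return True
        return False

    @staticmethod
    def mapping_information(phone, tenant, domain):
        """Step 219: mapping information of the initiator on the service provider platform."""
        return {"phone": phone, "tenant": tenant, "domain": domain}


class ServiceProviderPlatform:
    """Steps 221-224: turn a positive authentication result into an access token and validate it."""

    def __init__(self):
        self._tokens = {}              # token -> (phone, mapping, expires_at)

    def issue_token(self, authenticated, mapping, now=None):
        now = time.time() if now is None else now
        if not authenticated:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (mapping["phone"], dict(mapping), now + TOKEN_TTL_SECONDS)
        return token

    def access_resource(self, token, phone, now=None):
        """Returns the mapping information if the token is valid for this phone number, else None."""
        now = time.time() if now is None else now
        record = self._tokens.get(token)
        if record is None:
            return None
        bound_phone, mapping, expires_at = record
        if now >= expires_at:
            del self._tokens[token]    # validity period expired: a new token must be obtained
            return None
        if not hmac.compare_digest(bound_phone, phone):
            return None                # token presented together with a different phone number
        return mapping


def run_flow(phone, typed_by_initiator=None, now=0.0):
    """Runs steps 215-224 once against a constructed SMS outbox.

    typed_by_initiator=None means the initiator copies the code from the SMS correctly;
    any other string simulates a mistyped or guessed second verification code.
    Returns (authenticated, token, mapping_seen_at_access).
    """
    outbox = []
    idp = IdentityProviderPlatform(lambda to, body: outbox.append((to, body)))
    idp.start_authentication(phone, now)
    code_in_sms = outbox[-1][1].rsplit(" ", 1)[1]
    second = code_in_sms if typed_by_initiator is None else typed_by_initiator
    authenticated = idp.verify(phone, second, now)
    sp = ServiceProviderPlatform()
    mapping = idp.mapping_information(phone, tenant="tenant-a", domain="example.test")
    token = sp.issue_token(authenticated, mapping, now)
    seen = sp.access_resource(token, phone, now + 1) if token else None
    return authenticated, token, seen
```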
Embodiment three
Based on the above embodiments, embodiment three of the present invention provides an identity provider platform. As shown in Fig. 3, the identity provider platform includes at least:
a receiving module 301, configured to receive a resource access request redirected by a service provider platform;
an obtaining module 302, configured to obtain a mobile phone number associated with the initiator of the resource access request;
a generation module 303, configured to generate a first verification code and, based on the mobile phone number, send the first verification code to the initiator's terminal in the form of a short message;
an authentication module 304, configured to receive a second verification code returned by the initiator at the terminal based on the first verification code, and to determine whether the initiator is authenticated based on whether the second verification code matches the first verification code.
Preferably, the identity provider platform further includes an establishing module 305, where
the establishing module 305 is configured to, after the receiving module 301 receives the resource access request redirected by the service provider platform and before the obtaining module 302 obtains the mobile phone number associated with the initiator of the resource access request, establish a trust relationship between the identity provider platform and the service provider platform by means of a first identification code generated by the service provider platform.
Preferably, when establishing the trust relationship between the identity provider platform and the service provider platform by means of the first identification code generated by the service provider platform, the establishing module 305 is specifically configured to:
initiate a trust relationship establishment request to the service provider platform;
receive the first identification code sent by the service provider platform in the form of a short message, where the first identification code is generated at random by the service provider platform after it receives the trust relationship establishment request and determines that the identity provider platform is legitimate;
process the first identification code using a preset processing method to obtain a second identification code, and return the second identification code to the service provider platform in the form of a short message;
receive a trust relationship establishment response returned by the service provider platform, where the trust relationship establishment response is returned by the service provider platform after it determines, based on the second identification code returned by the identity provider platform, whether the identity provider platform is trustworthy;
determine, based on the trust relationship establishment response, whether the trust relationship is successfully established.
Preferably, when determining whether the initiator is authenticated based on whether the second verification code matches the first verification code, the authentication module 304 is specifically configured to:
deem the initiator authenticated when it determines that the second verification code matches the first verification code;
deem the initiator not authenticated when it determines that the second verification code does not match the first verification code.
Preferably, the identity provider platform further includes a configuration module 306, where the configuration module 306 is configured to:
configure, for the initiator, mapping information of the initiator on the service provider platform;
return the mapping information and an authentication result indicating that the initiator is authenticated to the service provider platform, so that the service provider platform, after determining from the authentication result that the initiator is authenticated, generates an access token for the initiator based on the mapping information.
Embodiment four
Based on the above embodiments, embodiment four of the present invention provides a service provider platform. As shown in Fig. 4, the service provider platform includes at least:
a receiving module 401, configured to receive a resource access request initiated by an initiator;
a redirection module 402, configured to redirect the resource access request to an identity provider platform, so that the identity provider platform authenticates the initiator of the resource access request.
Preferably, the service provider platform further includes an establishing module 403, where
the establishing module 403 is configured to establish a trust relationship between the identity provider platform and the service provider platform by means of a generated first identification code.
Preferably, when establishing the trust relationship between the identity provider platform and the service provider platform by means of the generated first identification code, the establishing module 403 is specifically configured to:
receive a trust relationship establishment request initiated by the identity provider platform;
generate the first identification code, and send the first identification code to the identity provider platform in the form of a short message;
process the first identification code using a preset processing method to obtain a third identification code;
receive a second identification code returned by the identity provider platform in the form of a short message, where the second identification code is obtained by the identity provider platform by processing the first identification code using the preset processing method;
determine whether the identity provider platform is trustworthy based on whether the second identification code matches the third identification code.
Preferably, after receiving the trust relationship establishment request initiated by the identity provider platform and before generating the first identification code, the establishing module 403 is further configured to:
look up the registration information of the identity provider platform;
if the registration information of the identity provider platform is found, deem the identity provider platform legitimate when determining that the registration information is legitimate.
Preferably, the service provider platform further includes a generation module 404, where
the generation module 404 is configured to receive the initiator's authentication result and mapping information returned by the identity provider platform and, if it determines from the authentication result that the initiator is authenticated, generate an access token for the initiator based on the mapping information.
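The trust relationship establishment exchanged between the establishing modules 305 and 403 of embodiments three and four, as an added example that is not part of the patent: the service provider looks up registration information, issues a random first identification code, derives the third identification code, and compares it with the second identification code the identity provider derives. The patent leaves the "preset processing method" unspecified; here it is assumed to be HMAC-SHA256 keyed with a secret shared at registration, the registry is a constructed in-memory dictionary, and the short-message transport is replaced by direct method calls.

```python
import hashlib
import hmac
import secrets


def default_processing(identification_code, shared_secret):
    """Assumed preset processing method: HMAC-SHA256 of the code under a registration-time secret."""
    return hmac.new(shared_secret, identification_code.encode(), hashlib.sha256).hexdigest()


class ServiceProviderPlatform:
    """Establishing module 403: registration lookup, first and third identification codes."""

    def __init__(self, registry):
        # registry is a constructed stand-in for the registration information store:
        # idp_id -> {"secret": bytes, "legal": bool}
        self._registry = registry
        self._outstanding = {}          # idp_id -> third identification code awaiting a reply

    def handle_trust_request(self, idp_id):
        """Returns the first identification code, or None if the IdP is not legitimately registered."""
        info = self._registry.get(idp_id)
        if info is None or not info.get("legal"):
            return None
        first = secrets.token_hex(16)   # randomly generated first identification code
        # derive the third identification code now, so the first code itself need not be stored
        self._outstanding[idp_id] = default_processing(first, info["secret"])
        return first                    # carried to the IdP "in the form of a short message"

    def handle_second_code(self, idp_id, second):
        """Trust relationship establishment response: True only if second matches third."""
        third = self._outstanding.pop(idp_id, None)   # each first code is answerable once
        if third is None:
            return False
        return hmac.compare_digest(third, second)


class IdentityProviderPlatform:
    """Establishing module 305: request, transform the first code, evaluate the response."""

    def __init__(self, idp_id, shared_secret):
        self.idp_id = idp_id
        self._secret = shared_secret

    def establish_trust(self, sp):
        first = sp.handle_trust_request(self.idp_id)
        if first is None:
            return False                # SP refused: no or illegitimate registration information
        second = default_processing(first, self._secret)
        return sp.handle_second_code(self.idp_id, second)


def demo(idp_secret, sp_secret, legal=True, registered=True):
    """Runs the handshake with constructed secrets; returns whether trust was established."""
    registry = {"idp-1": {"secret": sp_secret, "legal": legal}} if registered else {}
    sp = ServiceProviderPlatform(registry)
    idp = IdentityProviderPlatform("idp-1", idp_secret)
    return idp.establish_trust(sp)
```

A mismatched secret, an unregistered or illegitimate identity provider, and a replayed second identification code all fail the check.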
Embodiment five
Based on the above embodiments, embodiment five of the present invention provides a federated authentication system. As shown in Fig. 5, the federated authentication system includes at least an identity provider platform 501 as provided in embodiment three above, a service provider platform 502 as provided in embodiment four above, and a terminal 503, where
the service provider platform 502 is configured to receive a resource access request initiated by an initiator and redirect the resource access request to the identity provider platform;
the identity provider platform 501 is configured to receive the resource access request redirected by the service provider platform and obtain a mobile phone number associated with the initiator of the resource access request; generate a first verification code and, based on the mobile phone number, send the first verification code to the initiator's terminal in the form of a short message; and receive a second verification code returned by the initiator at the terminal based on the first verification code, and determine whether the initiator is authenticated based on whether the second verification code matches the first verification code.
Embodiment six
Based on the above embodiments, embodiment six of the present invention provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being configured to cause a computer to execute the federated authentication method described above.
In conclusion, in the embodiments of the present invention, the service provider platform receives a resource access request initiated by an initiator and redirects the resource access request to the identity provider platform; the identity provider platform receives the resource access request redirected by the service provider platform and obtains a mobile phone number associated with the initiator of the resource access request; generates a first verification code and, based on the mobile phone number, sends the first verification code to the initiator's terminal in the form of a short message; and receives a second verification code returned by the initiator at the terminal based on the first verification code, and determines whether the initiator is authenticated based on whether the second verification code matches the first verification code. In this way, when the identity provider platform and the service provider platform perform federated authentication of the initiator, the mobile phone number serves as the initiator's identity and a verification code transmitted in the form of a short message serves as the authentication basis; user information is no longer used as the initiator's identity, and the protocols mentioned in the prior art are no longer used as the authentication basis. Compared with the federated authentication approaches of the prior art, the process is simple and its complexity is low. Moreover, since most identity provider platforms and service provider platforms support the short message protocol, the verification-code-based federated authentication approach is applicable to most identity provider platforms and service provider platforms and is therefore more general. Furthermore, since a mobile phone number is unique and a verification code transmitted in the form of a short message is not easily obtained by an illegal terminal, authenticating the initiator with the mobile phone number as the initiator's identity and the verification code transmitted by short message as the authentication basis not only ensures the accuracy of the authentication result, but also avoids as far as possible the problem of reduced security caused by unauthorized theft of user information.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various modifications and variations to the embodiments of the present invention without departing from the spirit and scope of the embodiments of the present invention. Thus, if these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.
Claims (22)
1. A federated authentication method, applied to a federated authentication system comprising an identity provider platform, a service provider platform and a terminal, characterized by comprising:
the identity provider platform receiving a resource access request redirected by the service provider platform, and obtaining a mobile phone number associated with an initiator of the resource access request;
the identity provider platform generating a first verification code and, based on the mobile phone number, sending the first verification code to the terminal of the initiator in the form of a short message;
the identity provider platform receiving a second verification code returned by the initiator at the terminal based on the first verification code, and determining whether the initiator is authenticated based on whether the second verification code matches the first verification code.
2. The federated authentication method according to claim 1, characterized in that, after the identity provider platform receives the resource access request redirected by the service provider platform and before it obtains the mobile phone number associated with the initiator of the resource access request, the federated authentication method further comprises:
the identity provider platform establishing a trust relationship between the identity provider platform and the service provider platform by means of a first identification code generated by the service provider platform.
3. The federated authentication method according to claim 2, characterized in that the identity provider platform establishing the trust relationship between the identity provider platform and the service provider platform by means of the first identification code generated by the service provider platform comprises:
the identity provider platform initiating a trust relationship establishment request to the service provider platform;
the identity provider platform receiving the first identification code sent by the service provider platform in the form of a short message, wherein the first identification code is generated at random by the service provider platform after receiving the trust relationship establishment request and determining that the identity provider platform is legitimate;
the identity provider platform processing the first identification code using a preset processing method to obtain a second identification code, and returning the second identification code to the service provider platform in the form of a short message;
the identity provider platform receiving a trust relationship establishment response returned by the service provider platform, wherein the trust relationship establishment response is returned by the service provider platform after determining, based on the second identification code returned by the identity provider platform, whether the identity provider platform is trustworthy;
the identity provider platform determining, based on the trust relationship establishment response, whether the trust relationship is successfully established.
4. The federated authentication method according to claim 1, characterized in that the identity provider platform determining whether the initiator is authenticated based on whether the second verification code matches the first verification code comprises:
if the identity provider platform determines that the second verification code matches the first verification code, deeming the initiator authenticated;
if the identity provider platform determines that the second verification code does not match the first verification code, deeming the initiator not authenticated.
5. The federated authentication method according to any one of claims 1-4, characterized in that, if the identity provider platform determines that the initiator is authenticated, the federated authentication method further comprises:
the identity provider platform configuring, for the initiator, mapping information of the initiator on the service provider platform;
the identity provider platform returning the mapping information and an authentication result indicating that the initiator is authenticated to the service provider platform, so that the service provider platform, after determining from the authentication result that the initiator is authenticated, generates an access token for the initiator based on the mapping information.
6. A federated authentication method, applied to a federated authentication system comprising an identity provider platform, a service provider platform and a terminal, characterized by comprising:
the service provider platform receiving a resource access request initiated by an initiator;
the service provider platform redirecting the resource access request to the identity provider platform, so that the identity provider platform authenticates the initiator of the resource access request using the federated authentication method according to any one of claims 1-5.
7. The federated authentication method according to claim 6, characterized in that the federated authentication method further comprises:
the identity provider platform establishing a trust relationship between the identity provider platform and the service provider platform by means of a generated first identification code.
8. The federated authentication method according to claim 7, characterized in that the identity provider platform establishing the trust relationship between the identity provider platform and the service provider platform by means of the generated first identification code comprises:
the service provider platform receiving a trust relationship establishment request initiated by the identity provider platform;
the service provider platform generating the first identification code, and sending the first identification code to the identity provider platform in the form of a short message;
the service provider platform processing the first identification code using a preset processing method to obtain a third identification code;
the service provider platform receiving a second identification code returned by the identity provider platform in the form of a short message, wherein the second identification code is obtained by the identity provider platform by processing the first identification code using the preset processing method;
the service provider platform determining whether the identity provider platform is trustworthy based on whether the second identification code matches the third identification code.
9. The federated authentication method according to claim 8, characterized in that, after the service provider platform receives the trust relationship establishment request initiated by the identity provider platform and before it generates the first identification code, the federated authentication method further comprises:
the service provider platform looking up registration information of the identity provider platform;
if the service provider platform finds the registration information of the identity provider platform, deeming the identity provider platform legitimate when determining that the registration information is legitimate.
10. The federated authentication method according to any one of claims 6-9, characterized in that the federated authentication method further comprises:
the service provider platform receiving the authentication result and mapping information of the initiator returned by the identity provider platform and, if it determines from the authentication result that the initiator is authenticated, generating an access token for the initiator based on the mapping information.
11. An identity provider platform, characterized by comprising:
a receiving module, configured to receive a resource access request redirected by a service provider platform;
an obtaining module, configured to obtain a mobile phone number associated with an initiator of the resource access request;
a generation module, configured to generate a first verification code and, based on the mobile phone number, send the first verification code to a terminal of the initiator in the form of a short message;
an authentication module, configured to receive a second verification code returned by the initiator at the terminal based on the first verification code, and to determine whether the initiator is authenticated based on whether the second verification code matches the first verification code.
12. The identity provider platform according to claim 11, characterized in that the identity provider platform further comprises an establishing module, wherein
the establishing module is configured to, after the receiving module receives the resource access request redirected by the service provider platform and before the obtaining module obtains, based on initiator information carried in the resource access request, the mobile phone number associated with the initiator of the resource access request, establish a trust relationship between the identity provider platform and the service provider platform by means of a first identification code generated by the service provider platform.
13. The identity provider platform according to claim 12, characterized in that, when establishing the trust relationship between the identity provider platform and the service provider platform by means of the first identification code generated by the service provider platform, the establishing module is specifically configured to:
initiate a trust relationship establishment request to the service provider platform;
receive the first identification code sent by the service provider platform in the form of a short message, wherein the first identification code is generated at random by the service provider platform after receiving the trust relationship establishment request and determining that the identity provider platform is legitimate;
process the first identification code using a preset processing method to obtain a second identification code, and return the second identification code to the service provider platform in the form of a short message;
receive a trust relationship establishment response returned by the service provider platform, wherein the trust relationship establishment response is returned by the service provider platform after determining, based on the second identification code returned by the identity provider platform, whether the identity provider platform is trustworthy;
determine, based on the trust relationship establishment response, whether the trust relationship is successfully established.
14. The identity provider platform according to claim 11, characterized in that, when determining whether the initiator is authenticated based on whether the second verification code matches the first verification code, the authentication module is specifically configured to:
if it determines that the second verification code matches the first verification code, deem the initiator authenticated;
if it determines that the second verification code does not match the first verification code, deem the initiator not authenticated.
15. The identity provider platform according to any one of claims 11-14, characterized in that the identity provider platform further comprises a configuration module, wherein the configuration module is configured to:
configure, for the initiator, mapping information of the initiator on the service provider platform;
return the mapping information and an authentication result indicating that the initiator is authenticated to the service provider platform, so that the service provider platform, after determining from the authentication result that the initiator is authenticated, generates an access token for the initiator based on the mapping information.
16. A service provider platform, characterized by comprising:
a receiving module, configured to receive a resource access request initiated by an initiator;
a redirection module, configured to redirect the resource access request to an identity provider platform, so that the identity provider platform authenticates the initiator of the resource access request using the federated authentication method according to any one of claims 1-5.
17. The service provider platform according to claim 16, characterized in that the service provider platform further comprises an establishing module, wherein
the establishing module is configured to establish a trust relationship between the identity provider platform and the service provider platform by means of a generated first identification code.
18. The service provider platform according to claim 17, characterized in that, when establishing the trust relationship between the identity provider platform and the service provider platform by means of the generated first identification code, the establishing module is specifically configured to:
receive a trust relationship establishment request initiated by the identity provider platform;
generate the first identification code, and send the first identification code to the identity provider platform in the form of a short message;
process the first identification code using a preset processing method to obtain a third identification code;
receive a second identification code returned by the identity provider platform in the form of a short message, wherein the second identification code is obtained by the identity provider platform by processing the first identification code using the preset processing method;
determine whether the identity provider platform is trustworthy based on whether the second identification code matches the third identification code.
19. The service provider platform according to claim 18, characterized in that, after receiving the trust relationship establishment request initiated by the identity provider platform and before generating the first identification code, the establishing module is further configured to:
look up registration information of the identity provider platform;
if the registration information of the identity provider platform is found, deem the identity provider platform legitimate when determining that the registration information is legitimate.
20. The service provider platform according to any one of claims 16-19, characterized in that it further comprises a generation module, wherein
the generation module is configured to receive the authentication result and mapping information of the initiator returned by the identity provider platform and, if it determines from the authentication result that the initiator is authenticated, generate an access token for the initiator based on the mapping information.
21. A federated authentication system, characterized by comprising: the identity provider platform according to any one of claims 11-15, the service provider platform according to any one of claims 16-20, and a terminal.
22. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer-executable instructions, the computer-executable instructions being configured to cause a computer to execute the federated authentication method according to any one of claims 1-5 and/or the federated authentication method according to any one of claims 6-10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711041509.0A CN109729048A (en) | 2017-10-30 | 2017-10-30 | A kind of joint qualification method, system, related platform and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711041509.0A CN109729048A (en) | 2017-10-30 | 2017-10-30 | A kind of joint qualification method, system, related platform and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109729048A true CN109729048A (en) | 2019-05-07 |
Family
ID=66294186
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711041509.0A Pending CN109729048A (en) | 2017-10-30 | 2017-10-30 | A kind of joint qualification method, system, related platform and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109729048A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110868467A (en) * | 2019-11-12 | 2020-03-06 | 广州大白互联网科技有限公司 | Network certificate synchronization method, system and storage medium based on network certificate platform |
CN112769756A (en) * | 2020-12-18 | 2021-05-07 | 赛尔网络有限公司 | Service authentication method, LDAP server, storage medium and service authentication system |
CN113688379A (en) * | 2021-08-20 | 2021-11-23 | 杭州海康威视数字技术股份有限公司 | Platform registration method and device and computer equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102457376A (en) * | 2010-10-29 | 2012-05-16 | 中兴通讯股份有限公司 | Method and system for uniformly authenticating cloud computing services |
CN106664294A (en) * | 2014-06-20 | 2017-05-10 | 标致·雪铁龙汽车公司 | Method and system for authentication by means of tokens |
US20170149767A1 (en) * | 2015-11-24 | 2017-05-25 | International Business Machines Corporation | Using a service-provider password to simulate f-sso functionality |
CN106790251A (en) * | 2017-01-24 | 2017-05-31 | 中国联合网络通信集团有限公司 | User access method and subscriber access system |
Events
- 2017-10-30 CN CN201711041509.0A (CN109729048A) active Pending
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110868467A (en) * | 2019-11-12 | 2020-03-06 | 广州大白互联网科技有限公司 | Network certificate synchronization method, system and storage medium based on network certificate platform |
CN112769756A (en) * | 2020-12-18 | 2021-05-07 | 赛尔网络有限公司 | Service authentication method, LDAP server, storage medium and service authentication system |
CN112769756B (en) * | 2020-12-18 | 2023-03-24 | 赛尔网络有限公司 | Service authentication method, LDAP server, storage medium and service authentication system |
CN113688379A (en) * | 2021-08-20 | 2021-11-23 | 杭州海康威视数字技术股份有限公司 | Platform registration method and device and computer equipment |
Similar Documents
Publication | Title |
---|---|
US11711219B1 (en) | PKI-based user authentication for web services using blockchain |
CN109981561A (en) | Monomer architecture system moves to the user authen method of micro services framework |
CN104065653B (en) | A kind of interactive auth method, device, system and relevant device |
KR101924683B1 (en) | Multi-factor authentication to achieve required authentication assurance level |
Zhang et al. | Location-based authentication and authorization using smart phones |
CN110770695A (en) | Internet of things (IOT) device management |
CN112491881B (en) | Cross-platform single sign-on method, system, electronic equipment and storage medium |
US20190230087A1 (en) | Technique for downloading a network access profile |
WO2017054617A1 (en) | WiFi network authentication method, device and system |
CN106230594B (en) | A method of user authentication is carried out based on dynamic password |
WO2017076216A1 (en) | Server, mobile terminal, and internet real name authentication system and method |
CN108347428A (en) | Accreditation System, the method and apparatus of application program based on block chain |
CN109388937B (en) | Single sign-on method and sign-on system for multi-factor identity authentication |
WO2014110877A1 (en) | Mobile terminal device and user authentication method based on PKI technology |
WO2014048769A1 (en) | Single sign-on method, proxy server and system |
JP4897503B2 (en) | Account linking system, account linking method, linkage server device |
CN104767617A (en) | Message processing method, system and related device |
CN109729048A (en) | A kind of joint qualification method, system, related platform and medium |
CN106302428B (en) | A kind of automatic deployment method and device of encryption level |
CN106331003A (en) | Method and device for accessing application portal system on cloud desktop |
Thomas et al. | Single sign-on in cloud federation using CloudSim |
Schwarz et al. | FeIDo: Recoverable FIDO2 tokens using electronic IDs |
CN110278084B (en) | eID establishing method, related device and system |
CN104683356B (en) | Dynamic password authentication method and system based on software token |
Gordin et al. | Moving forward passwordless authentication: challenges and implementations for the private cloud |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20190507 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |