CN109729048A - Federated authentication method, system, related platforms and medium - Google Patents

Federated authentication method, system, related platforms and medium

Info

Publication number
CN109729048A
Authority
CN
China
Prior art keywords
platform
identity
service providing
initiator
identification code
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711041509.0A
Other languages
Chinese (zh)
Inventor
杨巍巍
房耘耘
何磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Suzhou Software Technology Co Ltd

Abstract

The invention discloses a federated authentication method, system, related platforms and medium. Specifically, when an identity providing platform and a service providing platform jointly authenticate an initiator, the initiator's mobile phone number is used as the initiator's identity and a verification code transmitted in the form of a short message (SMS) is used as the authentication basis. The process is simple and of low complexity. Since most identity providing platforms and service providing platforms support a short message protocol, the method is applicable to most identity providing platforms and service providing platforms and is therefore highly general. Furthermore, since a mobile phone number is unique and a verification code transmitted by short message is not easily obtained by an illegitimate terminal, the method not only ensures the accuracy of the authentication result but also avoids, as far as possible, the reduced security that results from unauthorized theft of user information.

Description

Federated authentication method, system, related platforms and medium
Technical field
The present invention relates to the field of identity authentication technology, and in particular to a federated authentication method, system, related platforms and medium.
Background technique
OpenStack is currently an active cloud platform. OpenStack mainly provides a compute service (Nova), an object storage service (Swift), an image service (Glance), an identity authentication service (Keystone), a networking and address management service (Neutron), a dashboard service (Horizon), a metering service (Ceilometer), a deployment orchestration service (Heat) and a database service (Trove), among others. Keystone, as a basic core service, carries the authentication work of the other services in OpenStack, which places a very large burden on Keystone. Therefore, in order to reduce Keystone's burden, a federated authentication mode based on the Keystone service and a third-party service has emerged.
In the prior art, the federated authentication mode based on the Keystone service and a third-party service mainly takes the Keystone service as the service provider (SP) and the third-party service as the identity provider (IdP). In the process in which the SP and the IdP jointly authenticate the initiator of a resource access request to OpenStack, the SP and the IdP need to establish a trust relationship through an agreed protocol and, based on that protocol, jointly authenticate the initiator.
Currently, the protocols that can be agreed between the SP and the IdP mainly include Security Assertion Markup Language 2.0 (SAML 2.0), OpenID Connect (OIDC), the Lightweight Directory Access Protocol (LDAP) and the Kerberos network authentication protocol. It follows that the SP and the IdP must both support at least one of these protocols before they can jointly authenticate the initiator, which inevitably limits this federated authentication mode and results in poor generality. Moreover, during federated authentication, user information such as the initiator's username and password is generally used as the initiator's identity, packaged according to the agreed protocol and transmitted between the SP and the IdP; if that user information is stolen in transit, it not only brings security risks to the user but can also plunge the entire OpenStack platform into a security crisis. In addition, the federated authentication process based on the above protocols is relatively complex and authentication efficiency is relatively low.
Summary of the invention
Embodiments of the present invention provide a federated authentication method, system, related platforms and medium for a cloud platform, to solve the problems of the prior-art federated authentication method: a complicated authentication process, poor generality and low security.
The specific technical solutions provided by the embodiments of the present invention are as follows:
A federated authentication method, applied in a federated authentication system comprising an identity providing platform, a service providing platform and a terminal, comprising:
the identity providing platform receives a resource access request redirected by the service providing platform and obtains the mobile phone number associated with the initiator of the resource access request;
the identity providing platform generates a first verification code and, based on the mobile phone number, sends the first verification code in the form of a short message to the initiator's terminal;
the identity providing platform receives a second verification code returned by the initiator on the terminal based on the first verification code and, based on whether the second verification code successfully matches the first verification code, determines whether the initiator passes authentication.
Preferably, after the identity providing platform receives the resource access request redirected by the service providing platform and before it obtains the mobile phone number associated with the initiator of the resource access request, the federated authentication method further comprises:
the identity providing platform establishes, by means of a first identification code generated by the service providing platform, a trust relationship between the identity providing platform and the service providing platform.
Preferably, the identity providing platform establishing, by means of the first identification code generated by the service providing platform, the trust relationship between the identity providing platform and the service providing platform comprises:
the identity providing platform initiates a trust-relationship establishment request to the service providing platform;
the identity providing platform receives the first identification code sent by the service providing platform in the form of a short message, wherein the first identification code is generated at random by the service providing platform upon receiving the trust-relationship establishment request and determining that the identity providing platform is legitimate;
the identity providing platform processes the first identification code using a preset processing mode to obtain a second identification code, and returns the second identification code to the service providing platform in the form of a short message;
the identity providing platform receives a trust-relationship establishment response returned by the service providing platform, wherein the trust-relationship establishment response is returned after the service providing platform determines, based on the second identification code returned by the identity providing platform, whether the identity providing platform is trustworthy;
the identity providing platform determines, based on the trust-relationship establishment response, whether the trust relationship has been successfully established.
Preferably, the identity providing platform determining, based on whether the second verification code successfully matches the first verification code, whether the initiator passes authentication comprises:
if the identity providing platform determines that the second verification code successfully matches the first verification code, it deems that the initiator passes authentication;
if the identity providing platform determines that the second verification code fails to match the first verification code, it deems that the initiator does not pass authentication.
Preferably, if the identity providing platform determines that the initiator passes authentication, the federated authentication method further comprises:
the identity providing platform configures, for the initiator, mapping information of the initiator on the service providing platform;
the identity providing platform returns the mapping information and an authentication result indicating that the initiator passed authentication to the service providing platform, so that the service providing platform, after determining from the authentication result that the initiator passed authentication, generates an access token for the initiator based on the mapping information.
A federated authentication method, applied in a federated authentication system comprising an identity providing platform, a service providing platform and a terminal, comprising:
the service providing platform receives a resource access request initiated by the initiator;
the service providing platform redirects the resource access request to the identity providing platform, so that the identity providing platform authenticates the initiator of the resource access request using the above federated authentication method.
Preferably, the federated authentication method further comprises:
the service providing platform establishes, by means of a first identification code it generates, a trust relationship between the identity providing platform and the service providing platform.
Preferably, the service providing platform establishing, by means of the first identification code it generates, the trust relationship between the identity providing platform and the service providing platform comprises:
the service providing platform receives a trust-relationship establishment request initiated by the identity providing platform;
the service providing platform generates a first identification code and sends the first identification code to the identity providing platform in the form of a short message;
the service providing platform processes the first identification code using the preset processing mode to obtain a third identification code;
the service providing platform receives a second identification code returned by the identity providing platform in the form of a short message, wherein the second identification code is obtained by the identity providing platform processing the first identification code using the preset processing mode;
the service providing platform determines, based on whether the second identification code successfully matches the third identification code, whether the identity providing platform is trustworthy.
Preferably, after the service providing platform receives the trust-relationship establishment request initiated by the identity providing platform and before it generates the first identification code, the federated authentication method further comprises:
the service providing platform looks up the registration information of the identity providing platform;
if the service providing platform finds the registration information of the identity providing platform and determines that the registration information is legitimate, it deems the identity providing platform legitimate.
Preferably, the federated authentication method further comprises:
the service providing platform receives the initiator's authentication result and mapping information returned by the identity providing platform and, if it determines from the authentication result that the initiator passed authentication, generates an access token for the initiator based on the mapping information.
An identity providing platform, comprising:
a receiving module, for receiving a resource access request redirected by the service providing platform;
an obtaining module, for obtaining the mobile phone number associated with the initiator of the resource access request;
a generation module, for generating a first verification code and, based on the mobile phone number, sending the first verification code in the form of a short message to the initiator's terminal;
an authentication module, for receiving a second verification code returned by the initiator on the terminal based on the first verification code and, based on whether the second verification code successfully matches the first verification code, determining whether the initiator passes authentication.
Preferably, the identity providing platform further comprises an establishment module, wherein
the establishment module is for establishing, after the receiving module receives the resource access request redirected by the service providing platform and before the obtaining module obtains the mobile phone number associated with the initiator of the resource access request, a trust relationship between the identity providing platform and the service providing platform by means of a first identification code generated by the service providing platform.
Preferably, when establishing the trust relationship between the identity providing platform and the service providing platform by means of the first identification code generated by the service providing platform, the establishment module is specifically for:
initiating a trust-relationship establishment request to the service providing platform;
receiving the first identification code sent by the service providing platform in the form of a short message, wherein the first identification code is generated at random by the service providing platform upon receiving the trust-relationship establishment request and determining that the identity providing platform is legitimate;
processing the first identification code using a preset processing mode to obtain a second identification code, and returning the second identification code to the service providing platform in the form of a short message;
receiving a trust-relationship establishment response returned by the service providing platform, wherein the trust-relationship establishment response is returned after the service providing platform determines, based on the second identification code returned by the identity providing platform, whether the identity providing platform is trustworthy;
determining, based on the trust-relationship establishment response, whether the trust relationship has been successfully established.
Preferably, when determining, based on whether the second verification code successfully matches the first verification code, whether the initiator passes authentication, the authentication module is specifically for:
upon determining that the second verification code successfully matches the first verification code, deeming that the initiator passes authentication;
upon determining that the second verification code fails to match the first verification code, deeming that the initiator does not pass authentication.
Preferably, the identity providing platform further comprises a configuration module, wherein the configuration module is for:
configuring, for the initiator, mapping information of the initiator on the service providing platform;
returning the mapping information and an authentication result indicating that the initiator passed authentication to the service providing platform, so that the service providing platform, after determining from the authentication result that the initiator passed authentication, generates an access token for the initiator based on the mapping information.
A service providing platform, comprising:
a receiving module, for receiving a resource access request initiated by the initiator;
a redirection module, for redirecting the resource access request to the identity providing platform, so that the identity providing platform authenticates the initiator of the resource access request using the above federated authentication method.
Preferably, the service providing platform further comprises an establishment module, wherein
the establishment module is for establishing, by means of a first identification code it generates, a trust relationship between the identity providing platform and the service providing platform.
Preferably, when establishing the trust relationship between the identity providing platform and the service providing platform by means of the first identification code it generates, the establishment module is specifically for:
receiving a trust-relationship establishment request initiated by the identity providing platform;
generating a first identification code and sending the first identification code to the identity providing platform in the form of a short message;
processing the first identification code using the preset processing mode to obtain a third identification code;
receiving a second identification code returned by the identity providing platform in the form of a short message, wherein the second identification code is obtained by the identity providing platform processing the first identification code using the preset processing mode;
determining, based on whether the second identification code successfully matches the third identification code, whether the identity providing platform is trustworthy.
Preferably, after receiving the trust-relationship establishment request initiated by the identity providing platform and before generating the first identification code, the establishment module is further for:
looking up the registration information of the identity providing platform;
if the registration information of the identity providing platform is found and determined to be legitimate, deeming the identity providing platform legitimate.
Preferably, the service providing platform further comprises a generation module, wherein
the generation module is for: receiving the initiator's authentication result and mapping information returned by the identity providing platform and, if it determines from the authentication result that the initiator passed authentication, generating an access token for the initiator based on the mapping information.
A federated authentication system, comprising the above identity providing platform, the above service providing platform and the above terminal.
A computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being for causing a computer to execute the above federated authentication method.
The embodiments of the present invention have the following beneficial effects:
In the embodiments of the present invention, when the identity providing platform and the service providing platform jointly authenticate the initiator, the mobile phone number is used as the initiator's identity and a verification code transmitted in the form of a short message is used as the authentication basis; user information is no longer used as the initiator's identity, and the protocols mentioned in the prior art are no longer used as the authentication basis. Compared with the prior-art federated authentication mode, the process is simple and of low complexity. Moreover, since most identity providing platforms and service providing platforms support a short message protocol, the verification-code-based federated authentication mode is applicable to most identity providing platforms and service providing platforms and has stronger generality. Furthermore, since a mobile phone number is unique and a verification code transmitted in the form of a short message is not easily obtained by an illegitimate terminal, using the mobile phone number as the initiator's identity and the verification code transmitted by short message as the authentication basis not only ensures the accuracy of the authentication result, but also avoids as far as possible the reduced security caused by unauthorized theft of user information.
Detailed description of the invention
Fig. 1 is an overview schematic diagram of the federated authentication method provided in Embodiment one of the present invention;
Fig. 2 is a detailed flow diagram of the federated authentication method provided in Embodiment two of the present invention;
Fig. 3 is a functional structure diagram of the identity providing platform provided in Embodiment three of the present invention;
Fig. 4 is a functional structure diagram of the service providing platform provided in Embodiment four of the present invention;
Fig. 5 is a structural diagram of the federated authentication system provided in Embodiment five of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
To solve the problems of the prior-art federated authentication method (complicated authentication process, poor generality, low security), the embodiments of the present invention, when the identity providing platform and the service providing platform jointly authenticate the initiator, use the mobile phone number as the initiator's identity and a verification code transmitted in the form of a short message as the authentication basis, instead of user information and the protocols mentioned in the prior art. Compared with the prior-art federated authentication mode the process is simple and of low complexity; since most identity providing platforms and service providing platforms support a short message protocol (SMP), the verification-code-based mode is applicable to most of them and is more general; and since a mobile phone number is unique and a verification code sent by short message is not easily obtained by an illegitimate terminal, the mode ensures the accuracy of the authentication result and avoids as far as possible the reduced security caused by unauthorized theft of user information.
The solution of the present invention is described in detail below through specific embodiments; of course, the present invention is not limited to the following embodiments.
Embodiment one
Embodiment one of the present invention provides a federated authentication method, applied in a federated authentication system comprising an identity providing platform, a service providing platform and a terminal. As shown in Fig. 1, the flow of the federated authentication method is as follows:
Step 101: the service providing platform receives a resource access request initiated by the initiator.
Step 102: the service providing platform redirects the resource access request to the identity providing platform.
Step 103: the identity providing platform receives the resource access request redirected by the service providing platform and obtains the mobile phone number associated with the initiator of the resource access request.
Step 104: the identity providing platform generates a first verification code.
Step 105: the identity providing platform, based on the mobile phone number, sends the first verification code in the form of a short message to the initiator's terminal.
Step 106: the identity providing platform receives a second verification code returned by the initiator on the terminal based on the first verification code and, based on whether the second verification code successfully matches the first verification code, determines whether the initiator passes authentication.
Embodiment two
The federated authentication method provided in Embodiment one is described in further detail below. As shown in Fig. 2, the detailed flow of the federated authentication method provided in Embodiment two of the present invention is as follows:
Step 201: the service providing platform receives a resource access request initiated on the identity providing platform by a user (hereinafter the user is referred to as the initiator of the resource access request).
Step 202: the service providing platform redirects the resource access request to the identity providing platform.
Step 203: the identity providing platform receives the resource access request redirected by the service providing platform and initiates a trust-relationship establishment request to the service providing platform.
Step 204: the service providing platform receives the trust-relationship establishment request sent by the identity providing platform and looks up the registration information of the identity providing platform on the service providing platform.
Step 205: if the service providing platform finds the registration information of the identity providing platform and determines that the registration information found is legitimate, it deems the identity providing platform legitimate.
It should be noted that if the service providing platform does not find the registration information of the identity providing platform, or finds it but determines that it is illegitimate, the service providing platform can deem the identity providing platform illegitimate and refuse the trust-relationship establishment request it initiated. Specifically, the service providing platform can refuse the request by returning to the identity providing platform a trust-relationship establishment response indicating that establishment of the trust relationship is refused, or by not responding at all; this is not specifically limited here.
Step 206: the service providing platform generates a first identification code, wherein the first identification code is generated at random by the service providing platform.
Step 207: the service providing platform sends the first identification code to the identity providing platform in the form of a short message.
Step 208: the service providing platform processes the first identification code using a preset processing mode to obtain a third identification code.
Preferably, the preset processing mode may be, but is not limited to, encryption, i.e. the service providing platform encrypts the first identification code to obtain the third identification code.
Step 209: the identity providing platform receives the first identification code sent by the service providing platform in the form of a short message and processes the first identification code using the preset processing mode to obtain a second identification code.
Correspondingly, the identity providing platform encrypts the first identification code using the same encryption mode as the service providing platform to obtain the second identification code.
Step 210: the identity providing platform sends the second identification code to the service providing platform in the form of a short message.
Step 211: the service providing platform receives the second identification code returned by the identity providing platform in the form of a short message and, based on whether the second identification code successfully matches the third identification code, determines whether the identity providing platform is trustworthy.
Specifically, if the second identification code successfully matches the third identification code, the identity providing platform is determined to be a trustworthy platform and establishment of the trust relationship is completed; if the second identification code fails to match the third identification code, the identity providing platform is determined to be an untrustworthy platform and establishment of the trust relationship is refused.
Step 212: if the service providing platform determines that the identity providing platform is trustworthy, it returns to the identity providing platform the matching result that the second identification code successfully matched the third identification code.
Step 213: the identity providing platform receives the matching result returned by the service providing platform that the second identification code successfully matched the third identification code, and determines that establishment of the trust relationship is complete.
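The trust-relationship handshake of steps 203-213 (and the corresponding summary claims for both platforms), written out as an added example that is not code from the patent or from the assignee: both sides apply the same keyed transformation to the random first identification code and the service providing platform compares the results in constant time. The patent leaves the "preset processing mode" as unspecified encryption; this example assumes HMAC-SHA256 keyed with a secret shared when the identity providing platform registered, because an unkeyed transformation would let anyone able to read the short message carrying the first code compute a valid second code. The in-memory SMS transport, the numbers 10086 and 13800000000 and the eight-digit code length are constructed assumptions.

```python
"""Trust-relationship handshake between a service providing platform (SP) and an
identity providing platform (IdP), following steps 203-213 of Embodiment two.

Assumptions made by this example (not stated in the patent):
  * the "preset processing mode" is HMAC-SHA256 keyed with a secret the IdP
    deposited with the SP when it registered (the patent only says "encryption");
  * the short-message transport is a constructed in-memory queue;
  * the first identification code is eight decimal digits.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional


class SmsChannel:
    """Constructed stand-in for the SMS transport: one message queue per number."""

    def __init__(self) -> None:
        self._queue = defaultdict(list)

    def send(self, to_number: str, body: str) -> None:
        self._queue[to_number].append(body)

    def receive(self, number: str) -> Optional[str]:
        msgs = self._queue[number]
        return msgs.pop(0) if msgs else None


def process_identification_code(shared_key: bytes, first_code: str) -> str:
    """The preset processing mode. Because it is keyed, a party that merely reads the
    short message carrying the first code cannot produce a valid second code."""
    return hmac.new(shared_key, first_code.encode(), hashlib.sha256).hexdigest()


class ServiceProvidingPlatform:
    def __init__(self, number: str, sms: SmsChannel) -> None:
        self.number = number
        self.sms = sms
        self.registry = {}   # IdP number -> {"key": bytes, "enabled": bool}   (steps 204-205)
        self.pending = {}    # IdP number -> third identification code          (step 208)
        self.trusted = set()

    def register_idp(self, idp_number: str, shared_key: bytes, enabled: bool = True) -> None:
        self.registry[idp_number] = {"key": shared_key, "enabled": enabled}

    def handle_trust_request(self, idp_number: str) -> str:
        reg = self.registry.get(idp_number)
        if reg is None or not reg["enabled"]:
            return "rejected"                                     # step 205, negative branch
        first_code = "".join(secrets.choice("0123456789") for _ in range(8))   # step 206
        self.sms.send(idp_number, first_code)                     # step 207
        self.pending[idp_number] = process_identification_code(reg["key"], first_code)  # step 208
        return "challenge_sent"

    def handle_second_code(self, idp_number: str, second_code: str) -> str:
        third_code = self.pending.pop(idp_number, None)          # single use: a replay finds nothing
        if third_code is None or not hmac.compare_digest(third_code, second_code):  # step 211
            return "untrusted"
        self.trusted.add(idp_number)
        return "trusted"


class IdentityProvidingPlatform:
    def __init__(self, number: str, shared_key: bytes, sms: SmsChannel) -> None:
        self.number = number
        self.shared_key = shared_key
        self.sms = sms
        self.trusted_sps = set()

    def establish_trust(self, sp: ServiceProvidingPlatform) -> bool:
        if sp.handle_trust_request(self.number) != "challenge_sent":          # step 203
            return False
        first_code = self.sms.receive(self.number)                             # step 209
        if first_code is None:
            return False
        second_code = process_identification_code(self.shared_key, first_code)
        self.sms.send(sp.number, second_code)                                  # step 210
        response = sp.handle_second_code(self.number, self.sms.receive(sp.number))  # steps 211-213
        if response != "trusted":
            return False
        self.trusted_sps.add(sp.number)
        return True


def run_handshake(idp_key: bytes, registered_key: Optional[bytes], enabled: bool = True) -> bool:
    """Drive one handshake. registered_key=None models an IdP the SP never registered."""
    sms = SmsChannel()
    sp = ServiceProvidingPlatform("10086", sms)
    if registered_key is not None:
        sp.register_idp("13800000000", registered_key, enabled)
    idp = IdentityProvidingPlatform("13800000000", idp_key, sms)
    return idp.establish_trust(sp)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("registered IdP, matching key:", run_handshake(key, key))
    print("unregistered IdP:", run_handshake(key, None))
    print("registered IdP, wrong key:", run_handshake(key, secrets.token_bytes(32)))
```

The 64-character hex digest fits in a single short message. The pending third code is removed on first use, so a second code replayed after a successful or failed match finds nothing to compare against and is refused, which is the single comparison step 211 describes.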
Step 214: the identity providing platform outputs an authentication interface and obtains the mobile phone number associated with the initiator of the resource access request, wherein the authentication interface includes at least a first input box for entering the mobile phone number and a second input box for entering the verification code.
It should be noted that if the initiator has bound a mobile phone number on the identity providing platform, then when the initiator initiates a resource access request to the service providing platform on the identity providing platform, the resource access request carries initiator information that includes at least the initiator's mobile phone number. In that case the identity providing platform can obtain the mobile phone number associated with the initiator directly from the initiator information carried in the resource access request and fill it into the first input box of the authentication interface automatically.
If the initiator has not bound a mobile phone number on the identity providing platform, the identity providing platform can obtain the mobile phone number associated with the initiator of the resource access request by collecting the mobile phone number the initiator enters in the first input box of the authentication interface.
Step 215: the identity providing platform generates a first verification code.
Step 216: the identity providing platform, based on the mobile phone number, sends the first verification code to the initiator's terminal in the form of a short message.
Step 217: the initiator, based on the first verification code shown in the short message received by the terminal, enters a second verification code in the second input box of the authentication interface.
Step 218: the identity providing platform collects the second verification code entered by the initiator in the second input box of the authentication interface and, based on whether the second verification code successfully matches the first verification code, determines whether the initiator passes authentication.
Specifically, if the identity providing platform determines that the second verification code successfully matches the first verification code, it can deem that the initiator passes authentication; if it determines that the second verification code fails to match the first verification code, it can deem that the initiator does not pass authentication.
Step 219: if the identity providing platform determines that the initiator passes authentication, it configures for the initiator the mapping information of the initiator on the service providing platform, wherein the mapping information includes, but is not limited to, tenant information, domain information and the like.
Step 220: the identity providing platform returns the mapping information and an authentication result indicating that the initiator passed authentication to the service providing platform.
Step 221: the service providing platform receives the initiator's authentication result and mapping information returned by the identity providing platform and, if it determines from the authentication result that the initiator passed authentication, generates an access token for the initiator based on the mapping information.
Step 222: the service providing platform returns the access token to the identity providing platform.
Step 223: the identity providing platform receives the access token returned by the service providing platform and, based on the access token and the initiator's mobile phone number, initiates the resource access request to the service providing platform again.
Step 224: service providing platform receives the resource access request that service providing platform is initiated, however, it is determined that the access enables Board is legal, then the initiator is allowed to access respective resources.
Tellable to be, which can be applied to the user and provides on platform in identity to service providing platform hair Other resource access requests risen, until the term of validity of the access token expires, if the term of validity of the access token It expires, then the access token fails, and needs just to obtain access token again through the above way, details are not described herein.
Embodiment 3
Based on the above embodiments, Embodiment 3 of the present invention provides an identity provider platform. As shown in Fig. 3, the identity provider platform includes at least:
a receiving module 301, configured to receive a resource access request redirected by the service provider platform;
an obtaining module 302, configured to obtain the mobile phone number associated with the initiator of the resource access request;
a generation module 303, configured to generate a first verification code and, based on the mobile phone number, send the first verification code as an SMS message to the initiator's terminal;
an authentication module 304, configured to receive a second verification code that the initiator returns on the terminal based on the first verification code, and to determine whether the initiator passes authentication according to whether the second verification code matches the first verification code.
Preferably, the identity provider platform further includes an establishing module 305, where:
the establishing module 305 is configured to establish, after the receiving module 301 receives the resource access request redirected by the service provider platform and before the obtaining module 302 obtains the mobile phone number associated with the initiator of the resource access request, a trust relationship between the identity provider platform and the service provider platform by means of a first identification code generated by the service provider platform.
Preferably, when establishing the trust relationship between the identity provider platform and the service provider platform by means of the first identification code generated by the service provider platform, the establishing module 305 is specifically configured to:
initiate a trust relationship establishment request to the service provider platform;
receive the first identification code sent by the service provider platform as an SMS message, where the first identification code is generated at random by the service provider platform after it receives the trust relationship establishment request and determines that the identity provider platform is legitimate;
process the first identification code using a preset processing method to obtain a second identification code, and return the second identification code to the service provider platform as an SMS message;
receive a trust relationship establishment response returned by the service provider platform, where the trust relationship establishment response is returned by the service provider platform after it determines, based on the second identification code returned by the identity provider platform, whether the identity provider platform is trustworthy;
determine, based on the trust relationship establishment response, whether the trust relationship was established successfully.
Preferably, when determining whether the initiator passes authentication according to whether the second verification code matches the first verification code, the authentication module 304 is specifically configured to:
when it determines that the second verification code matches the first verification code, deem that the initiator passed authentication;
when it determines that the second verification code does not match the first verification code, deem that the initiator failed authentication.
Preferably, the identity provider platform further includes a configuration module 306, where the configuration module 306 is configured to:
configure, for the initiator, the initiator's mapping information on the service provider platform;
return the mapping information and an authentication result indicating that the initiator passed authentication to the service provider platform, so that the service provider platform, after determining from the authentication result that the initiator passed authentication, generates an access token for the initiator based on the mapping information.
Embodiment 4
Based on the above embodiments, Embodiment 4 of the present invention provides a service provider platform. As shown in Fig. 4, the service provider platform includes at least:
a receiving module 401, configured to receive a resource access request initiated by an initiator;
a redirection module 402, configured to redirect the resource access request to the identity provider platform, so that the identity provider platform authenticates the initiator of the resource access request.
Preferably, the service provider platform further includes an establishing module 403, where:
the establishing module 403 is configured to establish a trust relationship between the identity provider platform and the service provider platform by means of a generated first identification code.
Preferably, when establishing the trust relationship between the identity provider platform and the service provider platform by means of the generated first identification code, the establishing module 403 is specifically configured to:
receive a trust relationship establishment request initiated by the identity provider platform;
generate a first identification code and send the first identification code to the identity provider platform as an SMS message;
process the first identification code using a preset processing method to obtain a third identification code;
receive a second identification code returned by the identity provider platform as an SMS message, where the second identification code is obtained by the identity provider platform by processing the first identification code using the preset processing method;
determine whether the identity provider platform is trustworthy according to whether the second identification code matches the third identification code.
Preferably, after receiving the trust relationship establishment request initiated by the identity provider platform and before generating the first identification code, the establishing module 403 is further configured to:
look up registration information of the identity provider platform;
if the registration information of the identity provider platform is found, deem, upon determining that the registration information is legitimate, that the identity provider platform is legitimate.
Preferably, the service provider platform further includes a generation module 404, where:
the generation module 404 is configured to receive the initiator's authentication result and mapping information returned by the identity provider platform and, if it determines from the authentication result that the initiator passed authentication, generate an access token for the initiator based on the mapping information.
Embodiment 5
Based on the above embodiments, Embodiment 5 of the present invention provides a federated authentication system. As shown in Fig. 5, the federated authentication system includes at least the identity provider platform 501 provided in Embodiment 3 above, the service provider platform 502 provided in Embodiment 4 above, and a terminal 503, where:
the service provider platform 502 is configured to receive a resource access request initiated by an initiator and redirect the resource access request to the identity provider platform;
the identity provider platform 501 is configured to receive the resource access request redirected by the service provider platform and obtain the mobile phone number associated with the initiator of the resource access request; generate a first verification code and, based on the mobile phone number, send the first verification code as an SMS message to the initiator's terminal; and receive the second verification code that the initiator returns on the terminal based on the first verification code and determine whether the initiator passes authentication according to whether the second verification code matches the first verification code.
Embodiment 6
Based on the above embodiments, Embodiment 6 of the present invention provides a computer-readable storage medium. The computer-readable storage medium stores computer-executable instructions, and the computer-executable instructions are configured to cause a computer to execute the federated authentication method described above.
In conclusion service providing platform receives the resource access request that initiator initiates, and will in the embodiment of the present invention The resource access request is redirected to identity and provides platform;Identity provides platform and receives the resource visit that service providing platform redirects It asks request, and obtains phone number associated with the initiator of resource access request;The first identifying code is generated, and is based on mobile phone First identifying code is sent to the terminal of initiator by number in the form of short message;Initiator is received to test based on first in terminal Demonstrate,prove the second identifying code that code returns, and based on the second identifying code and the first identifying code whether successful match, whether determine initiator Certification passes through.In this way, phone number is made when identity provides platform and service providing platform to initiator's progress joint qualification For the identity of initiator, by the identifying code transmitted in the form of short message as authentication infrastructure, no longer using user information as sending out Rise side identity, also no longer using the agreement mentioned in the prior art as authentication infrastructure, compared with the prior art in Joint qualification mode, process is simple, and complexity is low, also, since most of identity offer platform and service providing platform prop up Short message protocol is held, so, the joint qualification mode based on identifying code is suitable for most of identity and provides platform and service offer Platform, versatility is stronger, further, since phone number has uniqueness, and the identifying code transmitted in the form of short message be not easy by Illegal terminal obtain, so, using phone number be used as the identity of initiator, by the form of short message transmitting identifying code as Authentication infrastructure 
authenticates initiator, not only ensure that the accuracy of authentication result, has also been avoided as much as due to user Information leads to the problem that safety is lower by unauthorized theft.
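The exchange described in steps 212 to 224 above, restated by the module descriptions in Embodiments 3 to 5 and in this summary, as an added simulation in Python (example code written for this page, not the patent's own): a ServiceProvider and an IdentityProvider class carry out the identification-code trust establishment, the SMS verification-code login and the access-token check over a constructed in-memory SMS channel. The preset processing method (HMAC-SHA256 under a shared secret), the access-token format, the verification-code expiry and attempt limit, and all names and numbers are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the SMS channel: each entry is (number, text).
SMS_OUTBOX = []


def send_sms(number, text):
    SMS_OUTBOX.append((number, text))


def preset_processing(code, shared_secret):
    # Assumed "preset processing method" shared by both platforms (HMAC-SHA256
    # under a secret both hold); the patent leaves the actual transform open.
    return hmac.new(shared_secret, code.encode(), hashlib.sha256).hexdigest()


class ServiceProvider:
    def __init__(self, shared_secret, token_key, token_ttl=600):
        self.shared_secret = shared_secret
        self.token_key = token_key      # assumed HMAC key for access tokens
        self.token_ttl = token_ttl      # token validity period in seconds
        self.registered = {}  # IdP name -> IdP SMS number (registration information)
        self.pending = {}     # IdP name -> third identification code
        self.trusted = set()

    def register_idp(self, name, sms_number):
        self.registered[name] = sms_number

    def handle_trust_request(self, idp_name):
        number = self.registered.get(idp_name)
        if number is None:  # no registration information: IdP is not legitimate
            return False
        first = secrets.token_hex(8)  # random first identification code
        self.pending[idp_name] = preset_processing(first, self.shared_secret)  # third code
        send_sms(number, first)
        return True

    def handle_second_code(self, idp_name, second):
        third = self.pending.pop(idp_name, None)
        ok = third is not None and hmac.compare_digest(second, third)
        if ok:
            self.trusted.add(idp_name)
        return ok

    def issue_token(self, idp_name, auth_passed, mapping, phone, now):
        # Only a trusted IdP reporting a passed authentication gets a token; the
        # token binds tenant, domain, phone number and expiry under an HMAC.
        if idp_name not in self.trusted or not auth_passed:
            return None
        payload = f"{mapping['tenant']}|{mapping['domain']}|{phone}|{now + self.token_ttl}"
        sig = hmac.new(self.token_key, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "|" + sig

    def access(self, token, phone, now):
        # Accept only if the HMAC verifies, the token is bound to this phone
        # number and the validity period has not expired.
        if not token or token.count("|") != 4:
            return False
        payload, sig = token.rsplit("|", 1)
        expected = hmac.new(self.token_key, payload.encode(), hashlib.sha256).hexdigest()
        bound_phone, exp = payload.split("|")[2:4]
        return hmac.compare_digest(sig, expected) and bound_phone == phone and now < int(exp)


class IdentityProvider:
    def __init__(self, name, shared_secret, code_ttl=300, max_attempts=3):
        self.name = name
        self.shared_secret = shared_secret
        self.code_ttl = code_ttl          # added defensive limit, not in the patent
        self.max_attempts = max_attempts  # added defensive limit, not in the patent
        self.challenges = {}  # phone -> [first verification code, expiry, attempts]

    def establish_trust(self, sp):  # the trust-relationship exchange, IdP side
        if not sp.handle_trust_request(self.name):
            return False
        _number, first = SMS_OUTBOX.pop()  # first identification code arrives by SMS
        second = preset_processing(first, self.shared_secret)
        return sp.handle_second_code(self.name, second)

    def start_authentication(self, phone, now):  # steps 215-216
        first = f"{secrets.randbelow(10**6):06d}"  # 6-digit first verification code
        self.challenges[phone] = [first, now + self.code_ttl, 0]
        send_sms(phone, first)

    def verify(self, phone, second, now):  # step 218, plus expiry/attempt checks
        chal = self.challenges.get(phone)
        if chal is None or now > chal[1] or chal[2] >= self.max_attempts:
            self.challenges.pop(phone, None)
            return False
        chal[2] += 1
        if hmac.compare_digest(second, chal[0]):
            del self.challenges[phone]  # a verification code is used once
            return True
        return False


def federated_login(idp, sp, phone, typed_code, now):
    # Steps 218-224: verify, hand result and mapping to the SP, get token, access.
    passed = idp.verify(phone, typed_code, now)
    mapping = {"tenant": "tenant-demo", "domain": "demo.example"}  # constructed
    token = sp.issue_token(idp.name, passed, mapping, phone, now)
    return token, sp.access(token, phone, now)
```

The `now` parameters stand in for the clock so that token and code expiry can be exercised deterministically.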
It should be understood by those skilled in the art that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical memory) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, once a person skilled in the art knows the basic inventive concept, additional changes and modifications may be made to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various modifications and variations to the embodiments of the present invention without departing from the spirit and scope of the embodiments of the present invention. Thus, if these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include these modifications and variations.

Claims (22)

1. A federated authentication method, applied in a federated authentication system comprising an identity provider platform, a service provider platform and a terminal, characterized by comprising:
the identity provider platform receiving a resource access request redirected by the service provider platform, and obtaining a mobile phone number associated with an initiator of the resource access request;
the identity provider platform generating a first verification code and, based on the mobile phone number, sending the first verification code as an SMS message to the terminal of the initiator;
the identity provider platform receiving a second verification code returned by the initiator on the terminal based on the first verification code, and determining whether the initiator passes authentication according to whether the second verification code matches the first verification code.
2. The federated authentication method of claim 1, characterized in that, after the identity provider platform receives the resource access request redirected by the service provider platform and before it obtains the mobile phone number associated with the initiator of the resource access request, the federated authentication method further comprises:
the identity provider platform establishing a trust relationship between the identity provider platform and the service provider platform by means of a first identification code generated by the service provider platform.
3. The federated authentication method of claim 2, characterized in that the identity provider platform establishing the trust relationship between the identity provider platform and the service provider platform by means of the first identification code generated by the service provider platform comprises:
the identity provider platform initiating a trust relationship establishment request to the service provider platform;
the identity provider platform receiving the first identification code sent by the service provider platform as an SMS message, wherein the first identification code is generated at random by the service provider platform after it receives the trust relationship establishment request and determines that the identity provider platform is legitimate;
the identity provider platform processing the first identification code using a preset processing method to obtain a second identification code, and returning the second identification code to the service provider platform as an SMS message;
the identity provider platform receiving a trust relationship establishment response returned by the service provider platform, wherein the trust relationship establishment response is returned by the service provider platform after it determines, based on the second identification code returned by the identity provider platform, whether the identity provider platform is trustworthy;
the identity provider platform determining, based on the trust relationship establishment response, whether the trust relationship was established successfully.
4. The federated authentication method of claim 1, characterized in that the identity provider platform determining whether the initiator passes authentication according to whether the second verification code matches the first verification code comprises:
if the identity provider platform determines that the second verification code matches the first verification code, deeming that the initiator passed authentication;
if the identity provider platform determines that the second verification code does not match the first verification code, deeming that the initiator failed authentication.
5. The federated authentication method of any one of claims 1-4, characterized in that, if the identity provider platform determines that the initiator passed authentication, the federated authentication method further comprises:
the identity provider platform configuring, for the initiator, the initiator's mapping information on the service provider platform;
the identity provider platform returning the mapping information and an authentication result indicating that the initiator passed authentication to the service provider platform, so that the service provider platform, after determining from the authentication result that the initiator passed authentication, generates an access token for the initiator based on the mapping information.
6. A federated authentication method, applied in a federated authentication system comprising an identity provider platform, a service provider platform and a terminal, characterized by comprising:
the service provider platform receiving a resource access request initiated by an initiator;
the service provider platform redirecting the resource access request to the identity provider platform, so that the identity provider platform authenticates the initiator of the resource access request using the federated authentication method of any one of claims 1-5.
7. The federated authentication method of claim 6, characterized in that the federated authentication method further comprises:
the identity provider platform establishing a trust relationship between the identity provider platform and the service provider platform by means of a generated first identification code.
8. The federated authentication method of claim 7, characterized in that the identity provider platform establishing the trust relationship between the identity provider platform and the service provider platform by means of the generated first identification code comprises:
the service provider platform receiving a trust relationship establishment request initiated by the identity provider platform;
the service provider platform generating a first identification code and sending the first identification code to the identity provider platform as an SMS message;
the service provider platform processing the first identification code using a preset processing method to obtain a third identification code;
the service provider platform receiving a second identification code returned by the identity provider platform as an SMS message, wherein the second identification code is obtained by the identity provider platform by processing the first identification code using the preset processing method;
the service provider platform determining whether the identity provider platform is trustworthy according to whether the second identification code matches the third identification code.
9. The federated authentication method of claim 8, characterized in that, after the service provider platform receives the trust relationship establishment request initiated by the identity provider platform and before it generates the first identification code, the federated authentication method further comprises:
the service provider platform looking up registration information of the identity provider platform;
if the service provider platform finds the registration information of the identity provider platform, deeming, upon determining that the registration information is legitimate, that the identity provider platform is legitimate.
10. The federated authentication method of any one of claims 6-9, characterized in that the federated authentication method further comprises:
the service provider platform receiving the initiator's authentication result and mapping information returned by the identity provider platform and, if it determines from the authentication result that the initiator passed authentication, generating an access token for the initiator based on the mapping information.
11. An identity provider platform, characterized by comprising:
a receiving module, configured to receive a resource access request redirected by a service provider platform;
an obtaining module, configured to obtain a mobile phone number associated with an initiator of the resource access request;
a generation module, configured to generate a first verification code and, based on the mobile phone number, send the first verification code as an SMS message to a terminal of the initiator;
an authentication module, configured to receive a second verification code returned by the initiator on the terminal based on the first verification code, and to determine whether the initiator passes authentication according to whether the second verification code matches the first verification code.
12. The identity provider platform of claim 11, characterized in that the identity provider platform further comprises an establishing module, wherein:
the establishing module is configured to establish, after the receiving module receives the resource access request redirected by the service provider platform and before the obtaining module obtains, based on initiator information carried in the resource access request, the mobile phone number associated with the initiator of the resource access request, a trust relationship between the identity provider platform and the service provider platform by means of a first identification code generated by the service provider platform.
13. The identity provider platform of claim 12, characterized in that, when establishing the trust relationship between the identity provider platform and the service provider platform by means of the first identification code generated by the service provider platform, the establishing module is specifically configured to:
initiate a trust relationship establishment request to the service provider platform;
receive the first identification code sent by the service provider platform as an SMS message, wherein the first identification code is generated at random by the service provider platform after it receives the trust relationship establishment request and determines that the identity provider platform is legitimate;
process the first identification code using a preset processing method to obtain a second identification code, and return the second identification code to the service provider platform as an SMS message;
receive a trust relationship establishment response returned by the service provider platform, wherein the trust relationship establishment response is returned by the service provider platform after it determines, based on the second identification code returned by the identity provider platform, whether the identity provider platform is trustworthy;
determine, based on the trust relationship establishment response, whether the trust relationship was established successfully.
14. The identity provider platform of claim 11, characterized in that, when determining whether the initiator passes authentication according to whether the second verification code matches the first verification code, the authentication module is specifically configured to:
if it determines that the second verification code matches the first verification code, deem that the initiator passed authentication;
if it determines that the second verification code does not match the first verification code, deem that the initiator failed authentication.
15. The identity provider platform of any one of claims 11-14, characterized in that the identity provider platform further comprises a configuration module, wherein the configuration module is configured to:
configure, for the initiator, the initiator's mapping information on the service provider platform;
return the mapping information and an authentication result indicating that the initiator passed authentication to the service provider platform, so that the service provider platform, after determining from the authentication result that the initiator passed authentication, generates an access token for the initiator based on the mapping information.
16. a kind of service providing platform characterized by comprising
Receiving module, for receiving the resource access request of initiator's initiation;
Redirection module provides platform for the resource access request to be redirected to the identity, so that the identity mentions It is carried out for platform using initiator of the joint qualification method as described in any one in claim 1-5 to the resource access request Certification.
17. service providing platform as claimed in claim 16, which is characterized in that the service providing platform further includes establishing mould Block, wherein
It is described to establish module, for the first identification code by generating, establishes the identity and platform and service offer are provided Trusted relationships between platform.
18. The service providing platform of claim 17, wherein, when establishing the trusted relationship between the identity providing platform and the service providing platform by generating a first identification code, the establishing module is specifically configured to:
receive the trusted relationship establishment request initiated by the identity providing platform;
generate the first identification code, and send the first identification code to the identity providing platform in the form of a short message;
process the first identification code using a default processing mode to obtain a third identification code;
receive a second identification code returned by the identity providing platform in the form of a short message, wherein the second identification code is obtained after the identity providing platform processes the first identification code using the same default processing mode;
determine whether the identity providing platform is trusted based on whether the second identification code and the third identification code match.
19. The service providing platform of claim 18, wherein, after receiving the trusted relationship establishment request initiated by the identity providing platform and before generating the first identification code, the establishing module is further configured to:
look up the registration information of the identity providing platform;
if the registration information of the identity providing platform is found, and the registration information is determined to be legal, determine that the identity providing platform is legal.
20. The service providing platform of any one of claims 16-19, further comprising a generation module, wherein
the generation module is configured to: receive the authentication result and the mapping information of the initiator returned by the identity providing platform; and, if it is determined based on the authentication result that the initiator's authentication passes, generate an access token for the initiator based on the mapping information.
21. A federated authentication system, comprising: the identity providing platform of any one of claims 11-15, the service providing platform of any one of claims 16-20, and a terminal.
22. A computer-readable storage medium, wherein the computer-readable storage medium stores computer-executable instructions, the computer-executable instructions being for causing a computer to execute the joint qualification method of any one of claims 1-5; and/or to execute the joint qualification method of any one of claims 6-10.
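As an added illustration, not code from the patent, the following Python simulates in one process the trust establishment of claims 18 and 19 (registration check, first code, processed third code, returned second code, match) and the token issuance of claim 20. The keyed HMAC used as the "default processing mode", the six-digit code format, the registry records, the mapping fields and the token format are all assumptions, and the short-message transport is replaced by a direct function call.

```python
import hmac
import hashlib
import secrets

# Assumed "default processing mode" (the claims do not name one): a keyed
# HMAC-SHA256 over the first identification code, keyed with a secret the two
# platforms share out of band. Both sides must apply the same function.
def process_code(first_code: str, shared_secret: bytes) -> str:
    return hmac.new(shared_secret, first_code.encode(), hashlib.sha256).hexdigest()

class ServiceProvidingPlatform:
    def __init__(self, shared_secret: bytes, registry: dict):
        self.secret = shared_secret
        self.registry = registry   # constructed registration records (claim 19)
        self.pending = {}          # idp_id -> third identification code

    def handle_trust_request(self, idp_id: str):
        """Claim 19 check, then claim 18: generate the first code and pre-process it."""
        record = self.registry.get(idp_id)
        if record is None or not record["legal"]:
            return None            # unregistered or illegal IdP: no code is issued
        first_code = f"{secrets.randbelow(10**6):06d}"   # 6-digit SMS-style code
        self.pending[idp_id] = process_code(first_code, self.secret)  # third code
        return first_code          # delivered to the IdP as a short message (simulated)

    def verify_reply(self, idp_id: str, second_code: str) -> bool:
        """Claim 18, last step: match the returned second code against the third code."""
        third_code = self.pending.pop(idp_id, None)   # one-shot: a code cannot be reused
        return third_code is not None and hmac.compare_digest(third_code, second_code)

class IdentityProvidingPlatform:
    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret

    def answer(self, first_code: str) -> str:
        return process_code(first_code, self.secret)   # the second identification code

def establish_trust(sp, idp, idp_id: str) -> bool:
    first_code = sp.handle_trust_request(idp_id)
    return first_code is not None and sp.verify_reply(idp_id, idp.answer(first_code))

def issue_access_token(auth_passed: bool, mapping: dict, token_key: bytes):
    """Claim 20: only a passed authentication plus mapping information yields a token."""
    if not auth_passed:
        return None
    payload = f"{mapping['phone']}:{mapping['sp_account']}"
    tag = hmac.new(token_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"      # opaque, integrity-checked token (constructed format)

REGISTRY = {"idp-A": {"legal": True}, "idp-B": {"legal": False}}   # constructed records
```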
CN201711041509.0A 2017-10-30 2017-10-30 A kind of joint qualification method, system, related platform and medium Pending CN109729048A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711041509.0A CN109729048A (en) 2017-10-30 2017-10-30 A kind of joint qualification method, system, related platform and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711041509.0A CN109729048A (en) 2017-10-30 2017-10-30 A kind of joint qualification method, system, related platform and medium

Publications (1)

Publication Number Publication Date
CN109729048A true CN109729048A (en) 2019-05-07

Family

ID=66294186

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711041509.0A Pending CN109729048A (en) 2017-10-30 2017-10-30 A kind of joint qualification method, system, related platform and medium

Country Status (1)

Country Link
CN (1) CN109729048A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110868467A (en) * 2019-11-12 2020-03-06 广州大白互联网科技有限公司 Network certificate synchronization method, system and storage medium based on network certificate platform
CN112769756A (en) * 2020-12-18 2021-05-07 赛尔网络有限公司 Service authentication method, LDAP server, storage medium and service authentication system
CN113688379A (en) * 2021-08-20 2021-11-23 杭州海康威视数字技术股份有限公司 Platform registration method and device and computer equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102457376A (en) * 2010-10-29 2012-05-16 中兴通讯股份有限公司 Method and system for uniformly authenticating cloud computing services
CN106664294A (en) * 2014-06-20 2017-05-10 标致·雪铁龙汽车公司 Method and system for authentication by means of tokens
US20170149767A1 (en) * 2015-11-24 2017-05-25 International Business Machines Corporation Using a service-provider password to simulate f-sso functionality
CN106790251A (en) * 2017-01-24 2017-05-31 中国联合网络通信集团有限公司 User access method and subscriber access system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110868467A (en) * 2019-11-12 2020-03-06 广州大白互联网科技有限公司 Network certificate synchronization method, system and storage medium based on network certificate platform
CN112769756A (en) * 2020-12-18 2021-05-07 赛尔网络有限公司 Service authentication method, LDAP server, storage medium and service authentication system
CN112769756B (en) * 2020-12-18 2023-03-24 赛尔网络有限公司 Service authentication method, LDAP server, storage medium and service authentication system
CN113688379A (en) * 2021-08-20 2021-11-23 杭州海康威视数字技术股份有限公司 Platform registration method and device and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190507