CN109902499A - A resource authorization and access method, device, system, equipment and storage medium - Google Patents

A resource authorization and access method, device, system, equipment and storage medium

Info

Publication number
CN109902499A
Authority
CN
China
Prior art keywords
access token
authorization
access
resource
mark
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910190304.1A
Other languages
Chinese (zh)
Inventor
黄振辉
侯俊丞
徐子为
曾祥浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Netstar Information Technology Co Ltd
Original Assignee
Guangzhou Netstar Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Netstar Information Technology Co Ltd
Priority to CN201910190304.1A
Publication of CN109902499A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a resource authorization and access method, device, system, equipment and storage medium. The resource authorization method includes: obtaining a resource authorization request, which includes a requester identifier, an identifier of the owner of the resource to be authorized, an access token and an access token issuer identifier; verifying the access token according to the access token issuer identifier; and, after verification passes, sending the resource to be authorized. In the technical solution provided by the embodiments of the present invention, because the resource authorization request contains the access token issuer identifier, the access token can be verified on any server without going back to the access token issuer to perform the verification. This ensures the high availability of a cross-region resource authorization service and improves the efficiency of resource authorization and access.

Description

A resource authorization and access method, device, system, equipment and storage medium
Technical field
Embodiments of the present invention relate to the field of Internet technology, and in particular to a resource authorization and access method, device, system, equipment and storage medium.
Background
With the rapid development of Internet technology, application products that depend strongly on user account identity, such as live streaming and short video, are widely used in daily life. Once such products are deployed globally, the identity authorization services that third-party applications use with them also need to be global.
The current identity authorization flow is essentially as follows: a third-party application asks the user for identity authorization; after the user agrees, the authorization server gives the third-party application a corresponding access token; the third-party application presents the access token to the authorization server for verification and then obtains the resources the user has authorized. Access to authorized resources through an identity authorization service is usually implemented in one of the following three ways:
1. Centralized identity authorization service
Third-party applications in every region obtain access tokens from a centralized authorization server and have them verified there to obtain the corresponding resources. Signalling between a third-party application and the centralized authorization server may then have to cross regions, and because cross-region transmission suffers from high and fluctuating network latency, the identity authorization service responds slowly and may be unable to provide authorization at all when the network fluctuates severely.
2. Restricted distributed identity authorization service
Authorization servers are deployed in a distributed manner in each region worldwide. A third-party application obtains an access token from the authorization server of its own region and later presents the token to that same regional server for verification to obtain the resource. If the authorization server of a region fails, the third-party applications in that region have to be authorized again by an authorization server in another region, which makes identity authorization cumbersome. In addition, if business needs move a third-party application from a first region to a second region, its access token still has to be verified by the authorization server of the first region, so verification is subject to the high and fluctuating latency of cross-region transmission.
3. Unrestricted distributed identity authorization service
Authorization servers are deployed in a distributed manner in each region worldwide. A third-party application obtains an access token from the authorization server of its own region, and the access token is synchronized to the authorization servers of every region worldwide; the application can then present the token for verification to the authorization server of whatever region it is currently in. Every regional authorization server therefore has to synchronize all access tokens to the authorization servers of every other region, which consumes a large amount of network resources. Because token data must be synchronized globally, a complex scheme is needed to guarantee data consistency, and when network problems occur the regional authorization servers cannot fully guarantee data consistency without affecting the service.
Summary of the invention
Embodiments of the present invention provide a resource authorization and access method, device, system, equipment and storage medium that improve the efficiency of resource authorization and access.
In a first aspect, an embodiment of the present invention provides a resource authorization method, the method comprising:
obtaining a resource authorization request, the resource authorization request including a requester identifier, an identifier of the owner of the resource to be authorized, an access token and an access token issuer identifier;
verifying the access token according to the access token issuer identifier;
after verification passes, sending the resource to be authorized.
In a second aspect, an embodiment of the present invention provides a resource access method, the method comprising:
an access token issuer generating an access token according to an access request, the access request including a requester identifier and an identifier of the owner of the resource to be authorized;
a resource authorizing party executing the resource authorization method described in the first aspect.
In a third aspect, an embodiment of the present invention provides a resource authorization device, the device comprising:
a resource access module, for obtaining a resource authorization request, the resource authorization request including a requester identifier, an identifier of the owner of the resource to be authorized, an access token and an access token issuer identifier;
a verification unit, for verifying the access token according to the access token issuer identifier;
the resource access module being further used to send the resource to be authorized after verification passes.
In a fourth aspect, an embodiment of the present invention provides a resource access system, the system comprising two or more servers in communication with each other, each server being provided with an access token issuing device and the resource authorization device described in the third aspect; the access token issuing device is used to generate an access token according to an access request, the access request including a requester identifier and an identifier of the owner of the resource to be authorized.
In a fifth aspect, an embodiment of the present invention provides equipment, the equipment comprising:
one or more processors;
a storage device, for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the resource authorization method described in the first aspect of the present invention.
In a fifth aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the resource authorization method described in the first aspect of the present invention.
Embodiments of the present invention provide a resource authorization and access method, device, system, equipment and storage medium in which the requester's access token is verified according to the access token issuer identifier carried in the resource authorization request, and the resource to be authorized is sent after verification passes. Because the resource authorization request contains the access token issuer identifier, the access token can be verified on any server without going back to the access token issuer to perform the verification. This ensures the high availability of a cross-region resource authorization service and improves the efficiency of resource authorization and access.
Brief description of the drawings
Other features, objects and advantages of the present invention will become more apparent from the following detailed description of non-limiting embodiments, read with reference to the accompanying drawings:
Fig. 1 is an architecture diagram of an application scenario to which the resource authorization and access method provided by the embodiments of the present invention applies;
Fig. 2A is a flowchart of a resource authorization method provided by Embodiment one of the present invention;
Fig. 2B is a schematic diagram of the resource authorization process provided by Embodiment one of the present invention;
Fig. 3 is a schematic diagram of a resource authorization process provided by Embodiment two of the present invention;
Fig. 4A is a flowchart of a resource access method provided by Embodiment three of the present invention;
Fig. 4B is a schematic diagram of a resource access process provided by Embodiment three of the present invention;
Fig. 5 is a structural diagram of a resource authorization device provided by Embodiment four of the present invention;
Fig. 6 is a schematic diagram of a resource access system provided by Embodiment five of the present invention;
Fig. 7 is a structural diagram of equipment provided by Embodiment six of the present invention.
Detailed description of the embodiments
The present invention is described in further detail below with reference to the accompanying drawings and embodiments. The specific embodiments described here only explain the present invention and do not limit it. For ease of description, the drawings show only the parts related to the present invention rather than the entire structure. In addition, where they do not conflict, the embodiments of the present invention and the features in the embodiments can be combined with each other.
Fig. 1 is an architecture diagram of an application scenario to which the resource authorization and access method provided by the embodiments of the present invention applies. Referring to Fig. 1, the scenario includes two or more servers 10 in communication with each other and a requester 20.
The requester 20 is any application that needs to obtain resources stored in another party's service system, for example application products related to live streaming or short video that depend strongly on user accounts. The server 10 handles the resource authorization request of the requester 20 and, when it determines that the requester's access token is valid, sends the resource to be authorized to the requester 20.
Specifically, to provide a global resource authorization service, servers 10 can be deployed in a distributed manner across regions worldwide; the global service area is divided in advance so that every region has a corresponding server. A requester 20 in any region can send a resource authorization request to the server 10 deployed in that region, and that server verifies the requester's access token using the access token issuer identifier contained in the request, so that the requester obtains the corresponding resource to be authorized.
Note that the requester 20 in this embodiment may be a user-facing application, able to perform the corresponding operations, that needs authorized access to resources stored in other applications. The number of servers 10 depends on how the global service area is divided and is not limited here, provided every region has a corresponding server. The server 10 in this embodiment can execute the resource authorization method below; the procedure is described with that method and is not detailed here.
Embodiment one
Fig. 2A is a flowchart of a resource authorization method provided by Embodiment one of the present invention. This embodiment is applicable to any case in which a resource authorization service is to be provided globally. The method can be executed by the resource authorization device provided by the embodiments of the present invention; the device can be implemented in software and/or hardware and integrated into the equipment that executes the method, which can be any server offering the corresponding authorization service.
Specifically, with reference to Fig. 2A, the method may include the following steps:
S210: obtain a resource authorization request.
Specifically, a resource authorization request indicates that the requester currently needs authorization for some party's stored resource; the requester's authorization is verified in order to obtain the corresponding resource to be authorized. The requester is any application that needs authorization for another party's stored resource in this resource authorization service. For example, when a chat application needs to obtain a user's stored resource in an entertainment application, the chat application is the requester in this embodiment. Optionally, the resource authorization request in this embodiment includes a requester identifier, an identifier of the owner of the resource to be authorized, an access token and an access token issuer identifier.
The requester identifier is information that uniquely determines the requester's identity, such as the application name. The resource to be authorized is the other party's stored resource that the requester needs to obtain in this resource authorization service, and its owner is the application to which the resource currently belongs together with the specific user within that application. The owner identifier may therefore include the identifier of the application to which the resource belongs and the user identifier within that application, which together uniquely indicate the location of the requested resource.
The access token is authentication information that the access token issuer generates, according to a certain token generation rule and confidentiality protocol, after the requester has applied to it for identity authorization and the resource owner has agreed to the authorization. It is used to decide whether the requester is currently allowed to obtain the resource stored with the owner. The access token issuer can be the server deployed in any region of the global service, provided the requester is in the same region as that server when it applies for identity authorization.
Specifically, before sending a resource authorization request, the requester 210 first has to apply to an access token issuer for identity authorization. As shown in Fig. 2B, if the requester 210 is in region A when it applies, it can apply to the server 221 deployed in region A, which is then the access token issuer. After the resource owner agrees to the authorization, server 221 generates the access token of requester 210 according to a certain token generation rule and confidentiality protocol and returns the access token together with the access token issuer identifier to requester 210. If business needs then move requester 210 from region A to region B and it needs to obtain the resource, it can send the corresponding resource authorization request to the server 222 deployed in region B. The request carries the requester identifier, the owner identifier, the access token and the access token issuer identifier, so that server 222 in region B can subsequently verify the authorization of requester 210 and requester 210 can obtain the resource, which realizes a global resource authorization service.
Optionally, when the requester needs access to some party's stored resource in this resource authorization service, it can, to keep the service secure, send the resource authorization request to a server in its own region. The request carries the requester identifier representing the requester's identity, the owner identifier representing where the resource to be authorized is located, the access token indicating whether the requester is authorized for that resource, and the identifier of the access token issuer that generated the token. The server thus obtains the resource authorization request sent by the requester and can subsequently verify the requester's authorization so that the requester obtains the resource, which realizes a global resource authorization service.
S220: verify the access token according to the access token issuer identifier.
Specifically, after the resource authorization request sent by the requester is obtained, it can be parsed to extract the requester identifier, the owner identifier, the access token and the access token issuer identifier. The access token issuer identifier is then used to determine the verification information that matches the token generation rule and confidentiality protocol the issuer used when generating the token, and the access token carried in the request is verified with that verification information. To make this possible, before any resource authorization request is obtained, this embodiment can store in advance the verification information matching the token generation rule and confidentiality protocol configured on the server of each region, so that the access token indicating whether the requester is authorized for the resource can later be verified, which keeps the resource authorization service secure.
Optionally, as shown in Fig. 2B, when the server 222 in region B obtains the resource authorization request sent by requester 210, it can determine from the access token issuer identifier carried in the request that the issuer that generated the access token representing requester 210's identity authorization is the server 221 in region A. It then obtains the verification information matching server 221 in region A and uses it to verify the access token of requester 210, so that the resource can subsequently be obtained, which realizes cross-region resource authorization. Specifically, this embodiment stores in advance the verification information matching the server of every region. During each resource authorization, the regional servers do not need to communicate about the requester's access token; only the matching verification information has to be synchronized among them, which reduces the network cost of synchronizing access tokens and improves the efficiency of the global resource authorization service.
S230: after verification passes, send the resource to be authorized.
Specifically, after the requester's access token has been verified using the access token issuer identifier, a verification result is obtained, from which it is judged whether the requester is authorized for the requested resource. If verification passes, the requester is authorized to obtain the resource; the resource is then obtained according to the owner identifier carried in the resource authorization request and sent to the requester according to the requester identifier, which realizes the resource access function. If verification fails, the requester is not authorized to obtain the resource, and the resource is not sent to the requester.
Optionally, as shown in Fig. 2B, the server 222 in region B verifies the requester's access token carried in the resource authorization request using the verification information matching the server 221 in region A. Because the access token was generated by server 221 in region A according to a certain token generation rule and confidentiality protocol, verifying it with the verification information matching server 221 is guaranteed to pass. The server 222 in region B then invokes the resource authorization service of this embodiment, obtains the resource according to the owner identifier and sends it to requester 210 according to the requester identifier, which realizes the resource access function.
In the technical solution of this embodiment, the requester's access token is verified according to the access token issuer identifier carried in the resource authorization request, and the resource to be authorized is sent after verification passes. Because the resource authorization request contains the access token issuer identifier, the access token can be verified on any server without going back to the access token issuer to perform the verification. This ensures the high availability of a cross-region resource authorization service and improves the efficiency of resource authorization and access.
Embodiment two
Fig. 3 is a schematic diagram of a resource authorization process provided by Embodiment two of the present invention. This embodiment refines the technical solution of the above embodiment; specifically, it explains in detail how the access token is verified according to the access token issuer identifier.
Optionally, this embodiment may include the following steps:
S310: obtain a resource authorization request, the resource authorization request including a requester identifier, an identifier of the owner of the resource to be authorized, an access token and an access token issuer identifier.
S320: determine the decryption key according to the access token issuer identifier.
The decryption key is the parameter that, after information has been encrypted in some way, restores the encrypted information to the original unencrypted information in the manner corresponding to that encryption. In this embodiment, the verification information matching the access token issuer that is consulted when verifying the access token can be the decryption key. Correspondingly, the access token issuer can store the encryption key matching the decryption key, which it uses to generate the requester's access token when the requester applies for identity authorization. Specifically, after the resource owner agrees to the authorization, the access token issuer first generates the requester's initial token according to the configured token generation rule, encrypts the initial token with its locally stored encryption key to obtain the requester's access token, and returns it to the requester for later retrieval of the resource.
In addition, to keep access tokens secure, the access token issuer can set a time threshold. Each time the threshold is reached, it automatically generates a new key pair consisting of its encryption key and decryption key, and sends the generated decryption key over multiple channels, such as the networks of different operators, cross-region dedicated lines and the global public network, to the servers in the other regions for storage. After the servers in every region have confirmed that the new decryption key was stored successfully, the access token issuer replaces the previous encryption key with the newly generated one. Local keys are thus updated periodically, and access tokens are generated and verified with the updated keys, which improves the security of access tokens. Optionally, the encryption key in this embodiment can be the private key of the key pair and the decryption key the corresponding public key.
Optionally, when the requester's resource authorization request is obtained, it is parsed to extract the requester identifier, the owner identifier, the access token and the access token issuer identifier. To verify the requester's access token and judge whether the requester is authorized for the resource, the decryption key of the access token issuer can be determined from the access token issuer identifier. The access token issuer identifier may include the identifier of the region in which the access token issuer is located and the identifier of the periodically generated key pair. The region identifier determines the region of the access token issuer and therefore the key list of the server deployed in that region; the key pair identifier contained in the access token issuer identifier then determines the decryption key that matches the encryption key used to generate the access token, so that the access token can subsequently be decrypted.
Further, in this embodiment, before the access token is verified according to the access token issuer identifier, the method may also include: receiving the decryption key of the access token issuer.
Specifically, because the access token issuer synchronizes the decryption key of each newly generated key pair to the servers in every region so that access tokens can be verified accurately, this embodiment can, before verifying the access token according to the access token issuer identifier, also receive the decryption key sent by the access token issuer; the received key then replaces the previous decryption key in storage, which keeps decryption keys updated in step. Even if synchronization fails, the encryption key and decryption key of the previous key pair can still be used for resource authorization, so the resource authorization service and the key synchronization function are isolated from each other and neither depends on the other, which improves the availability of the resource authorization service. The service is also fully decentralized: when the server of one region fails, resource authorization can be performed directly by the servers of other regions without any additional identity authorization, which avoids the adverse effects of a server or network failure in a single region.
Specifically, to guarantee the authenticity of the decryption key, receiving the decryption key of the access token issuer in this embodiment may include: receiving the decryption key of the access token issuer synchronously over two or more channels. Optionally, the decryption key is received synchronously over two or more channels, such as the networks of different operators, cross-region dedicated lines and the global public network, which guarantees its authenticity so that the decryption key matching the access token issuer can be obtained accurately when access tokens are later verified.
S330 passes through decryption key decryption access token.
Specifically, after determining corresponding decruption key according to access token issuer mark, the decruption key and access The encryption key that token issuer is used when generating access token matches, and is asked at this time by the decruption key to resource authorization The access token of middle carrying is asked to be decrypted, so that the authenticity of the access token is judged, if successful decryption at this time, illustrates this Access token is generated by matched encryption key, and then determines that this is verified successfully.
S340 after verification passes through, is sent to authorization resources.
Technical solution provided in this embodiment is determined according to the access token issuer mark carried in resource authorization request Corresponding decruption key verifies the access token of requesting party by the decruption key, only needs to provide access token at this time The decruption key of Fang Shengcheng synchronizes storage on the server in each region in the whole world, without leading to the access token of generation Letter transmission, it is subsequent that directly access token is verified by synchronous decruption key, resource authorization service speed is improved, is being protected On the basis of demonstrate,proving resource authorization Services-Security, the network bandwidth cost transmitted between the server in each region is saved, money is improved The efficiency of source authorization and access.
Embodiment three
Fig. 4A is a flowchart of a resource access method provided by Embodiment three of the present invention, and Fig. 4B is a schematic diagram of the resource access process provided by Embodiment three of the present invention. This embodiment is an optimization based on the technical solutions of the above embodiments. Specifically, it mainly explains the resource access procedure in detail from the two ends, the access token issuer and the resource authorization side.
Optionally, as shown in Fig. 4A, this embodiment may specifically include the following steps:
S410: the access token issuer generates an access token according to the access request.
When a requester needs to access a resource to be authorized, it can first apply to the access token issuer for identity authorization for that resource. The access request indicates that the requester currently needs identity authorization in order to access the corresponding resource to be authorized; in this embodiment the access request may be the identity authorization application sent by the requester. Specifically, the access request includes the requester identifier and the identifier of the owner of the resource to be authorized.
Specifically, on obtaining the access request, the access token issuer can generate the requester's access token from the requester identifier and the identifier of the owner of the resource to be authorized, according to the configured token generation rule and confidentiality agreement.
Optionally, as shown in Fig. 4B, in this embodiment the access token issuer generating the access token according to the access request may specifically include: the access token issuer generates the access token with an encryption key.
Specifically, on obtaining the access request, the access token issuer can, from the requester identifier and the identifier of the owner of the resource to be authorized and according to the configured token generation rule, generate an initial token that grants the requester permission to obtain the resource to be authorized stored by the resource owner, that is, an initial token carrying the authorized identity for that resource. It then encrypts the initial token with the encryption key currently stored locally at the access token issuer to obtain the corresponding access token, and sends the access token together with the access token issuer identifier to the requester, so that the requester can obtain the corresponding resource to be authorized from the resource authorization side using the access token and the access token issuer identifier.
In addition, before the access token issuer generates the access token according to the access request, the method may also include: the access token issuer broadcasts the decryption key corresponding to the encryption key.
Specifically, to ensure the security of access tokens, the access token issuer can set a time threshold. Each time the threshold is reached, a new key pair is generated automatically, comprising the access token issuer's encryption key and decryption key, and the generated decryption key corresponding to the encryption key is broadcast to the servers in every region worldwide; that is, it is sent over channels to the servers in the other regions for storage, for example over multiple channels such as individual network operators, cross-region dedicated lines and the global public network. After the servers in every region have confirmed that the newest decryption key was stored successfully, the access token issuer replaces the previous encryption key with the newly generated encryption key. The local key is thus updated on a schedule and access tokens are generated and verified with the updated key, which improves the security of access tokens.
S420: the resource authorization side executes the resource authorization method of any embodiment of the present invention.
Specifically, the resource authorization side is a server located in any region of the world; it can execute the resource authorization method provided in any embodiment of the present invention to obtain the resource to be authorized that the requester is requesting to access.
In the technical solution of this embodiment, the access token issuer generates the requester's access token from the access request, and the requester presents that access token to the resource authorization side to obtain the corresponding resource to be authorized. The access token issuer and the resource authorization side can therefore be two different servers located in different regions of the world, which realizes a cross-region resource authorization and access service and provides the same beneficial effects as the resource authorization method of any embodiment of the present invention.
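The key broadcast and local verification flow described in Embodiments two and three, as an added example in Python that is not part of the patent: the issuer broadcasts each new key over several channels and switches to it only after every region confirms storage, and a regional server verifies a token with the key selected by the issuer identifier. Assumptions of this example: HMAC-SHA256 stands in for the encryption/decryption key pair (a deployment following the patent's key pair would use an asymmetric scheme so that regional servers cannot mint tokens), a key is stored only when all channel copies are identical, one previous key is retained beside the current one, and all class, field, channel and key names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

MIN_CHANNELS = 2  # the description asks for "two or more" channels


def _tag(key, body):
    # Assumption: HMAC-SHA256 stands in for the patent's encrypt/decrypt key pair.
    return hmac.new(key, body, hashlib.sha256).digest()


class RegionalVerifier:
    """Resource authorization side in one region; never calls back to the issuer."""

    def __init__(self):
        self.keys = {}  # issuer_id -> [current_key, previous_key]

    def receive_key(self, issuer_id, copies):
        """copies: {channel_name: key_bytes}. Store only if all channels agree."""
        distinct = set(copies.values())
        if len(copies) < MIN_CHANNELS or len(distinct) != 1:
            return False  # sync failed: keep serving with the keys already held
        new_key = distinct.pop()
        held = self.keys.get(issuer_id, [])
        if held[:1] != [new_key]:
            # Assumption: keep one previous key so tokens minted before the
            # issuer switches (or after a partly failed sync) still verify.
            self.keys[issuer_id] = [new_key] + held[:1]
        return True

    def authorize(self, request):
        """request: requester_id, owner_id, issuer_id, token -> (allowed, reason)."""
        keys = self.keys.get(request["issuer_id"])
        if not keys:
            return False, "unknown issuer"
        try:
            body, tag = (base64.urlsafe_b64decode(p)
                         for p in request["token"].split("."))
        except ValueError:  # wrong part count or bad base64
            return False, "malformed token"
        if not any(hmac.compare_digest(tag, _tag(k, body)) for k in keys):
            return False, "token not produced with this issuer's key"
        claims = json.loads(body)  # authenticated above, so safe to parse
        bound = (claims["req"], claims["own"])
        if bound != (request["requester_id"], request["owner_id"]):
            return False, "token bound to a different requester or owner"
        return True, "ok"


class Issuer:
    """Access token issuer: mints tokens and broadcasts each new key."""

    def __init__(self, issuer_id, key):
        self.issuer_id, self.key = issuer_id, key

    def issue(self, requester_id, owner_id):
        claims = {"req": requester_id, "own": owner_id}
        body = json.dumps(claims, sort_keys=True).encode()
        parts = (body, _tag(self.key, body))
        return ".".join(base64.urlsafe_b64encode(p).decode() for p in parts)

    def rotate(self, new_key, deliveries):
        """deliveries: [(verifier, {channel: key_copy})], one entry per region.
        Switch the local key only after every region confirms storage."""
        acks = [v.receive_key(self.issuer_id, c) for v, c in deliveries]
        confirmed = bool(acks) and all(acks)
        if confirmed:
            self.key = new_key
        return confirmed


def demo():
    k1, k2 = b"constructed-key-1", b"constructed-key-2"  # constructed sample keys
    issuer, eu, us = Issuer("issuer-A", k1), RegionalVerifier(), RegionalVerifier()
    for region in (eu, us):
        region.receive_key("issuer-A", {"carrier": k1, "leased-line": k1})
    request = {"requester_id": "requester-1", "owner_id": "owner-9",
               "issuer_id": "issuer-A",
               "token": issuer.issue("requester-1", "owner-9")}
    # One channel to 'us' delivers a different key, so rotation is not confirmed.
    rotated = issuer.rotate(k2, [(eu, {"carrier": k2, "leased-line": k2}),
                                 (us, {"carrier": k2, "public": b"mismatch"})])
    return rotated, eu.authorize(request), us.authorize(request)


if __name__ == "__main__":
    print(demo())
```

In the demo the region that already stored the new key still accepts tokens minted with the old one, which is what lets authorization continue while a rotation is only partly synchronized.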
Embodiment four
Fig. 5 is a structural diagram of a resource authorization device provided by Embodiment four of the present invention. Specifically, as shown in Fig. 5, the device may include:
Access resource module 510, configured to obtain a resource authorization request, where the resource authorization request includes a requester identifier, an identifier of the owner of the resource to be authorized, an access token and an access token issuer identifier.
Verification unit 520, configured to verify the access token according to the access token issuer identifier.
The access resource module 510 is further configured to send the resource to be authorized after the verification passes.
The requester's access token is verified according to the access token issuer identifier carried in the resource authorization request, and the resource to be authorized is sent after the verification passes. Because the resource authorization request contains the access token issuer identifier, the access token can be verified at any server, without going back to the access token issuer to perform the verification, which ensures the high availability of the cross-region resource authorization service and improves the efficiency of resource authorization and access.
Further, the verification unit 520 includes: decryption module 521, configured to decrypt the access token with the decryption key corresponding to the access token issuer identifier; and token verification module 522, configured to determine the access token verification result from the decryption result.
Further, the resource authorization device may also include: a key receiving module, configured to receive the decryption key of the access token issuer before the access token is verified according to the access token issuer identifier.
Further, the key receiving module may specifically be configured to: receive the decryption key of the access token issuer synchronously over two or more channels.
The resource authorization device provided by this embodiment is applicable to the resource authorization method provided by any embodiment of the present invention and has the corresponding functions and beneficial effects.
Embodiment five
Fig. 6 is a schematic diagram of a resource access system provided by Embodiment five of the present invention. Specifically, referring to Fig. 6, the resource access system 60 may include: two or more communicatively connected servers 610, each of which is provided with an access token issuing device 611 and the resource authorization device 612 of any embodiment of the present invention.
The access token issuing device 601 is configured to generate an access token according to an access request, where the access request includes the requester identifier and the identifier of the owner of the resource to be authorized.
Specifically, the access token issuing device 601 may include: a user authorization module, configured to receive the access request; a token generation module, configured to generate an initial token according to preset rules; and an encryption module, configured to encrypt the initial token with the encryption key. The access token issuing device 601 is mainly used to generate the access request of the requester at this time; for its specific operation, refer to the functions of the access token issuer described in any embodiment of the present invention. Meanwhile, the resource authorization device 602 is applicable to the resource authorization method provided by any embodiment of the present invention; for its specific execution, refer to the resource authorization method of any embodiment of the present invention. It has the corresponding functions, which are not described in detail here.
In the technical solution of this embodiment, the access token issuer generates the requester's access token from the access request, and the requester presents that access token to the resource authorization side to obtain the corresponding resource to be authorized. The access token issuer and the resource authorization side can therefore be two different servers located in different regions of the world, which realizes a cross-region resource authorization and access service and provides the same beneficial effects as the resource authorization method of any embodiment of the present invention.
Embodiment six
Fig. 7 is a structural diagram of a device provided by Embodiment six of the present invention. As shown in Fig. 7, the device includes a processor 70, a storage device 71 and a communication device 72. The device may have one or more processors 70; one processor 70 is taken as an example in Fig. 7. The processor 70, storage device 71 and communication device 72 in the device may be connected by a bus or in other ways; connection by a bus is taken as an example in Fig. 7.
As a computer-readable storage medium, the storage device 71 can be used to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the resource authorization method provided in the embodiments of the present invention. By running the software programs, instructions and modules stored in the storage device 71, the processor 70 executes the various functional applications and data processing of the device, that is, implements the above resource authorization method.
The storage device 71 may mainly include a program storage area and a data storage area, where the program storage area can store the operating system and the application program required by at least one function, and the data storage area can store data created through use of the terminal, and so on. In addition, the storage device 71 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some examples, the storage device 71 may further include memory located remotely from the processor 70, and such remote memory can be connected to the device over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The communication device 72 can be used to implement network connections or mobile data connections between devices.
The device provided by this embodiment can be used to execute the resource authorization method provided by any embodiment of the present invention and has the corresponding functions and beneficial effects.
Embodiment seven
Embodiment seven of the present invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program can implement the resource authorization method of any embodiment of the present invention. The method may specifically include:
obtaining a resource authorization request, where the resource authorization request includes a requester identifier, an identifier of the owner of the resource to be authorized, an access token and an access token issuer identifier;
verifying the access token according to the access token issuer identifier;
after the verification passes, sending the resource to be authorized.
Of course, in the storage medium containing computer-executable instructions provided by the embodiment of the present invention, the computer-executable instructions are not limited to the method operations described above and can also perform related operations in the resource authorization method provided by any embodiment of the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium, such as a computer floppy disk, read-only memory (ROM), random access memory (RAM), flash memory (FLASH), hard disk or optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention.
It is worth noting that, in the above embodiment of the resource authorization device, the units and modules are divided only according to functional logic, but the division is not limited to the above as long as the corresponding functions can be realized; in addition, the specific names of the functional units are only for ease of distinguishing them from one another and are not intended to limit the protection scope of the present invention.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention; for those skilled in the art, the present invention may have various modifications and changes. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (13)

1. A resource authorization method, characterized by comprising:
obtaining a resource authorization request, the resource authorization request including a requester identifier, an identifier of the owner of the resource to be authorized, an access token and an access token issuer identifier;
verifying the access token according to the access token issuer identifier;
after the verification passes, sending the resource to be authorized.
2. The method according to claim 1, characterized in that verifying the access token according to the access token issuer identifier comprises:
determining a decryption key according to the access token issuer identifier;
decrypting the access token with the decryption key.
3. The method according to claim 2, characterized in that, before verifying the access token according to the access token issuer identifier, the method further comprises:
receiving the decryption key of the access token issuer.
4. The method according to claim 3, characterized in that receiving the decryption key of the access token issuer comprises:
receiving the decryption key of the access token issuer synchronously over two or more channels.
5. A resource access method, characterized by comprising:
an access token issuer generating an access token according to an access request, the access request including a requester identifier and an identifier of the owner of the resource to be authorized;
a resource authorization side executing the resource authorization method according to any one of claims 1 to 4.
6. The method according to claim 5, characterized in that the access token issuer generating an access token according to an access request comprises:
the access token issuer generating the access token with an encryption key.
7. The method according to claim 6, characterized in that, before the access token issuer generates the access token according to the access request, the method further comprises:
the access token issuer broadcasting a decryption key corresponding to the encryption key.
8. A resource authorization device, characterized by comprising:
an access resource module, configured to obtain a resource authorization request, the resource authorization request including a requester identifier, an identifier of the owner of the resource to be authorized, an access token and an access token issuer identifier;
a verification unit, configured to verify the access token according to the access token issuer identifier;
the access resource module being further configured to send the resource to be authorized after the verification passes.
9. The device according to claim 8, characterized in that the verification unit comprises:
a decryption module, configured to decrypt the access token with the decryption key corresponding to the access token issuer identifier;
a token verification module, configured to determine the access token verification result from the decryption result.
10. A resource access system, characterized by comprising: two or more communicatively connected servers, each server being provided with an access token issuing device and the resource authorization device as claimed in claim 8 or 9, the access token issuing device being configured to generate an access token according to an access request, and the access request including a requester identifier and an identifier of the owner of the resource to be authorized.
11. The system according to claim 10, characterized in that the access token issuing device comprises:
a user authorization module, configured to receive the access request;
a token generation module, configured to generate an initial token according to preset rules;
an encryption module, configured to encrypt the initial token with an encryption key.
12. A device, characterized in that the device comprises:
one or more processors;
a storage device, configured to store one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the resource authorization method according to any one of claims 1 to 4.
13. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the resource authorization method according to any one of claims 1 to 4.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910190304.1A CN109902499A (en) 2019-03-13 2019-03-13 A kind of resource authorization and access method, device, system, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN109902499A (en) 2019-06-18

Family

ID=66952161

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination