CN110309636B - Identity authentication method and system - Google Patents


Info

Publication number: CN110309636B
Authority: CN (China)
Application number: CN201910598760.XA
Other languages: Chinese (zh)
Other versions: CN110309636A (en)
Inventors: 杨潇峰, 周茜
Current assignee: Advanced New Technologies Co Ltd
Original assignee: Advanced New Technologies Co Ltd
Legal status: Active
Prior art keywords: platform, user, information, login token, access
Priority: CN202310081762.8A (CN116049785A); CN201910598760.XA (CN110309636B)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/45 Structures or tools for the administration of authentication


Abstract

One or more embodiments of the present description relate to a method and system for identity authentication. One of the methods is performed by at least one processor of a first platform and includes: obtaining a user ID and verifying the login information of the user ID; obtaining first platform information and transmitting it to a second platform, where the first platform information includes at least information related to the user ID and is used at least by the second platform to verify the user ID; and receiving a login token returned by the second platform, where the login token is related to the first platform information and is valid within a preset time range. The login token has the effect that when, within the preset time range, the user ID uses the login token to access specified content of the second platform through the first platform, the user ID does not need to be verified again by the second platform, and the access right to the specified content is related to the first platform information.

Description

Identity authentication method and system
Technical Field
The present disclosure relates to the field of network communication technologies, and in particular to an identity authentication method and system.
Background
Multi-tenancy is a software architecture technique that addresses how to share one system or program component among many users while still keeping each user's data isolated. In a multi-tenant system the data of each tenant is isolated from that of the others, and a tenant can in a certain sense be understood as an access information right. A user can obtain one or more tenants, for example by purchase, and can then access or use the data of the corresponding tenants.
In some data interaction scenarios, a data service platform can embed the data content of other data service platforms. For example, a business platform may have a page of another data service platform embedded in it, and the user can call the data service of that data service platform directly from within the business platform.
When the data service platform has a multi-tenant architecture and a user corresponds to multiple tenants, and the user uses (or repeatedly alternates between) the data of at least two tenants within a certain period, issues with access rights may arise.
Given this scenario, in which one user has multiple tenants, an efficient information interaction or identity authentication scheme is needed.
Disclosure of Invention
One embodiment of the present disclosure provides a method for identity authentication. The method is performed by at least one processor of a first platform and comprises: obtaining a user ID and verifying the login information of the user ID; obtaining first platform information and transmitting it to a second platform, where the first platform information comprises at least information related to the user ID and is used at least by the second platform to verify the user ID; and receiving a login token returned by the second platform, where the login token is related to the first platform information and is valid within a preset time range. The login token has the effect that when, within the preset time range, the user ID uses the login token to access specified content of the second platform through the first platform, the user ID does not need to be verified again by the second platform, and the access authority for the specified content is related to the first platform information.
In some embodiments, the first platform information further comprises the access information permission corresponding to the user ID, and that access information permission is related to the specified content.
In some embodiments, the user ID has one or more access information permissions, the user ID and its access information permissions are stored on the first platform, and the method further comprises retrieving the access information permission corresponding to the user ID from memory.
In some embodiments, the method further comprises: obtaining a user's access request for specified content of the second platform, where the specified content comprises a page of the second platform embedded in the first platform; and outputting a URL for the specified content that includes the login token.
In some embodiments, the first platform information further comprises the access request and/or time information related to the access request.
In some embodiments, the user ID has one or more access information permissions, and obtaining the first platform information comprises: determining, from the one or more access information permissions and based on the specified content the user requests to access, the access information permission corresponding to that specified content, and including it in the first platform information as the access information permission corresponding to the user ID.
In some embodiments, obtaining the user's access request for specified content of the second platform comprises obtaining the user's access request for one or more items of specified content.
In some embodiments, receiving the login token returned by the second platform comprises receiving one or more login tokens returned by the second platform, the one or more login tokens corresponding respectively to the one or more items of specified content for which access was requested.
In some embodiments, outputting the specified content URL that includes the login token comprises outputting one or more specified content URLs, each containing the login token corresponding to its specified content.
One or more embodiments of the present specification also provide a system for identity authentication, comprising: a first acquisition module for acquiring a user ID; a first verification module for verifying the login information of the user ID; a second acquisition module for acquiring first platform information, where the first platform information comprises at least information related to the user ID and is used at least by a second platform to verify the user ID; a first transmission module for transmitting the first platform information to the second platform; and a first receiving module for receiving a login token returned by the second platform, where the login token is related to the first platform information and is valid within a preset time range. The login token has the effect that when, within the preset time range, the user ID uses the login token to access specified content of the second platform through the first platform, the user ID does not need to be verified again by the second platform, and the access right to the specified content is related to the first platform information.
In some embodiments, the first platform information further comprises the access information permission corresponding to the user ID, and that access permission is associated with the specified content.
In some embodiments, the user ID has one or more access information permissions, the user ID and its access information permissions are stored on the first platform, and the system further comprises a third acquisition module for acquiring the access information permission corresponding to the user ID from memory.
In some embodiments, the system further comprises: a fourth acquisition module for acquiring a user's access request for specified content of the second platform, where the specified content comprises a page of the second platform embedded in the first platform; and a first output module for outputting a specified content URL that includes the login token.
In some embodiments, the first platform information further comprises the access request and/or time information related to the access request.
In some embodiments, the user ID has one or more access information permissions, and the system further comprises a third acquisition module that determines, from the one or more access information permissions and based on the specified content the user requests to access, the access information permission corresponding to that specified content, and takes it as the access information permission corresponding to the user ID; the second acquisition module is configured to include that access information permission in the first platform information.
In some embodiments, the fourth acquisition module is further configured to acquire a user's access request for one or more items of specified content.
In some embodiments, the first receiving module is further configured to receive one or more login tokens returned by the second platform, the one or more login tokens corresponding respectively to the one or more items of specified content for which access was requested.
In some embodiments, the first output module is further configured to output one or more specified content URLs, each containing the login token corresponding to its specified content.
One or more embodiments in this specification also provide an apparatus for identity verification, comprising at least one processor and at least one memory; the memory stores computer instructions, and the processor is configured to execute at least some of those instructions to carry out the operations of the corresponding method steps.
One or more embodiments in this specification also provide a method of identity authentication, performed by at least one processor of a second platform, comprising: receiving and verifying first platform information from a first platform, where the first platform information comprises at least information related to a user ID; generating a login token based at least on the first platform information, where the login token is valid within a preset time range and has the effect that when, within the preset time range, the user ID uses the login token to access specified content of the second platform through the first platform, the user ID does not need to be verified again by the second platform, and the access authority for the specified content is related to the first platform information; and returning the login token.
In some embodiments, the method further comprises determining and storing the preset time range.
In some embodiments, the user ID has one or more access information permissions, the user ID and its access information permissions are stored on the second platform, and the first platform information further comprises the access information permission corresponding to the user ID; verifying the first platform information from the first platform comprises verifying whether the user ID and its corresponding access information permission are consistent with the information stored on the second platform, and passing the verification if they are.
In some embodiments, the first platform information further comprises a plurality of access information permissions corresponding to the user ID, and generating the login token based at least on the first platform information comprises: determining a plurality of (user ID, access information permission) pairs from the user ID in the first platform information and the plurality of access information permissions corresponding to it, and generating a plurality of login tokens based on those pairs.
In some embodiments, the method further comprises determining the access information permission corresponding to the user ID, and generating the login token based at least on the first platform information comprises generating the login token based on the first platform information and that access information permission.
In some embodiments, the user ID has one or more access information permissions, the user ID and its access information permissions are stored on the second platform, and the first platform information further comprises the user's access request for specified content of the second platform, the specified content comprising a page of the second platform embedded in the first platform; determining the access information permission corresponding to the user ID comprises determining, from the one or more access information permissions of the user ID and based on the specified content the user requests to access, the access information permission corresponding to that specified content, and taking it as the access information permission corresponding to the user ID.
In some embodiments, the first platform information further comprises the user's access requests for a plurality of items of specified content; determining the access information permission corresponding to the user ID comprises determining, from the one or more access information permissions possessed by the user ID and based on the specified contents the user requests to access, a plurality of access information permissions corresponding to the plurality of specified contents, and taking them as the plurality of access information permissions corresponding to the user ID; and generating the login token based on the first platform information and the access information permission comprises determining a plurality of (user ID, access information permission) pairs based on the plurality of access information permissions corresponding to the user ID, and generating a plurality of login tokens based on those pairs.
In some embodiments, the method further comprises storing the user ID and its corresponding access information permissions.
In some embodiments, the first platform information further comprises time information related to the user's access request for the specified content.
In some embodiments, generating the login token based at least on the first platform information comprises generating the login token using an asymmetric encryption algorithm.
One or more embodiments of the present specification further provide a system for identity authentication, comprising: a second receiving module for receiving first platform information from a first platform, where the first platform information comprises at least information related to a user ID; a second verification module for verifying the first platform information from the first platform; a generation module for generating a login token based at least on the first platform information, where the login token is valid within a preset time range and has the effect that when, within the preset time range, the user ID uses the login token to access specified content of the second platform through the first platform, the user ID does not need to be verified again by the second platform, and the access authority for the specified content is related to the first platform information; and a first returning module for returning the login token.
In some embodiments, the system further comprises a first determining module for determining the preset time range and a first storage module for storing the preset time range.
In some embodiments, the user ID has one or more access information permissions, the user ID and its access information permissions are stored on the second platform, and the first platform information further comprises the access information permission corresponding to the user ID; the verification module is further configured to verify whether the user ID and its corresponding access information permission are consistent with the information stored on the second platform, and to pass the verification if they are.
In some embodiments, the first platform information further comprises a plurality of access information permissions corresponding to the user ID; the generation module is further configured to determine a plurality of (user ID, access information permission) pairs from the user ID in the first platform information and the plurality of access information permissions corresponding to it, and to generate a plurality of login tokens based on those pairs.
In some embodiments, the system further comprises a second determining module for determining the access information permission corresponding to the user ID, and the generation module is further configured to generate the login token based on the first platform information and that access information permission.
In some embodiments, the user ID has one or more access information permissions, the user ID and its access information permissions are stored on the second platform, and the first platform information further comprises the user's access request for specified content of the second platform, the specified content comprising a page of the second platform embedded in the first platform; the determining module is further configured to determine, from the one or more access information permissions of the user ID and based on the specified content the user requests to access, the access information permission corresponding to that specified content, and to take it as the access information permission corresponding to the user ID.
In some embodiments, the first platform information further comprises the user's access requests for a plurality of items of specified content; the second determining module is further configured to determine, from the one or more access information permissions possessed by the user ID and based on the specified contents the user requests to access, a plurality of access information permissions corresponding to the plurality of specified contents, and to take them as the plurality of access information permissions corresponding to the user ID; the generation module is further configured to determine a plurality of (user ID, access information permission) pairs based on the plurality of access information permissions corresponding to the user ID, and to generate a plurality of login tokens based on those pairs.
In some embodiments, the system further comprises a second storage module for storing the user ID and its corresponding access information permissions.
In some embodiments, the first platform information further comprises time information related to the user's access request for the specified content.
In some embodiments, the generation module is further configured to generate the login token using an asymmetric cryptographic algorithm.
One or more embodiments of the present specification also provide an apparatus for identity verification, comprising at least one processor and at least one memory; the memory stores computer instructions, and the processor is configured to execute at least some of those instructions to carry out the operations of the corresponding method steps.
One or more embodiments of the present specification also provide a method of identity authentication, performed by at least one processor of a second platform, comprising: acquiring a user's access request for specified content in a first platform, where the specified content is a page of the second platform embedded in the first platform and the access request carries a login token; verifying the login token; and, in response to the login token passing verification, acquiring the requested data and returning it.
In some embodiments, verification of the login token passes when one or more of the following conditions, in combination, are met: the login token is consistent with the information stored on the second platform; the time of the access request carrying the login token is within the preset time range; the login token is successfully parsed; and the user ID and the corresponding access information permission obtained by parsing the login token are consistent with the information stored on the second platform.
In some embodiments, the method further comprises, in response to the login token passing verification, extending the preset time range.
In some embodiments, acquiring the requested data comprises acquiring it using the login token and/or the user ID obtained by parsing the login token together with the access information permission corresponding to that user ID.
One or more embodiments of the present specification also provide a system for identity authentication, comprising: a fifth acquisition module for acquiring a user's access request for specified content in the first platform, where the specified content is a page of the second platform embedded in the first platform and the access request carries a login token; a third verification module for verifying the login token; a sixth acquisition module for acquiring the requested data when the login token passes verification; and a second return module for returning the requested data.
In some embodiments, verification of the login token passes when one or more of the following conditions, in combination, are met: the login token is consistent with the information stored on the second platform; the time of the access request carrying the login token is within the preset time range; the login token is successfully parsed; and the user ID and the corresponding access information permission obtained by parsing the login token are consistent with the information stored on the second platform.
In some embodiments, the system further comprises a time extension module for extending the preset time range when the login token passes verification.
In some embodiments, the sixth acquisition module is further configured to acquire the requested data using the login token and/or the user ID obtained by parsing the login token together with the access information permission corresponding to that user ID.
One or more embodiments of the present specification also provide an apparatus for identity verification, comprising at least one processor and at least one memory; the memory stores computer instructions, and the processor is configured to execute at least some of those instructions to carry out the operations of the corresponding method steps.
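As an added worked example (not code from the patent or its assignee), the Go program below models the two sides described above: the second platform checks each forwarded user ID / permission pair against its own store, signs one Ed25519 token per pair (an asymmetric algorithm, as the description calls for), and on each access applies the four verification conditions and then extends the validity window; the first platform builds the embedded-page URL that carries the token. The field names, the base64 token layout, the `login_token` query parameter and the sample grants are assumptions, not part of the patent.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
	"time"
)

// Claims is the payload of one login token. Following the description, one token is
// issued per (user ID, access information permission) pair and is scoped to one page.
type Claims struct {
	UserID     string `json:"uid"`
	Permission string `json:"perm"`    // tenant permission matched to the requested content
	Content    string `json:"content"` // the embedded page the token is for
	IssuedAt   int64  `json:"iat"`     // time of the access request as seen by the first platform
}

// SecondPlatform plays the multi-tenant data service platform that issues and checks tokens.
type SecondPlatform struct {
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
	ttl     time.Duration              // the preset time range
	grants  map[string]map[string]bool // stored user ID -> permission -> granted
	expires map[string]time.Time       // issued token -> end of its validity window
}

func NewSecondPlatform(ttl time.Duration, grants map[string][]string) (*SecondPlatform, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s := &SecondPlatform{priv: priv, pub: pub, ttl: ttl,
		grants: map[string]map[string]bool{}, expires: map[string]time.Time{}}
	for uid, perms := range grants {
		s.grants[uid] = map[string]bool{}
		for _, p := range perms {
			s.grants[uid][p] = true
		}
	}
	return s, nil
}

// IssueTokens receives the first platform information (user ID, the permissions the first
// platform matched to the requested content, and the request time) and returns one signed
// token per pair, but only after every pair has been checked against the stored grants.
func (s *SecondPlatform) IssueTokens(uid string, perms []string, content string, at time.Time) ([]string, error) {
	for _, p := range perms {
		if !s.grants[uid][p] {
			return nil, errors.New("user ID / permission pair is not stored on the second platform")
		}
	}
	var tokens []string
	for _, p := range perms {
		payload, _ := json.Marshal(Claims{UserID: uid, Permission: p, Content: content, IssuedAt: at.Unix()})
		sig := ed25519.Sign(s.priv, payload) // asymmetric: only this platform can sign, anyone can verify
		tok := base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(sig)
		s.expires[tok] = at.Add(s.ttl)
		tokens = append(tokens, tok)
	}
	return tokens, nil
}

// VerifyToken applies the checks the description lists: the token matches one this platform
// issued, the request time lies inside its validity window, it parses with a valid signature,
// and the parsed pair still matches the stored grants. On success the window is extended.
func (s *SecondPlatform) VerifyToken(tok string, now time.Time) (Claims, error) {
	var c Claims
	exp, known := s.expires[tok]
	if !known || now.After(exp) {
		return c, errors.New("token was not issued here or the request is outside its validity window")
	}
	p0, p1, _ := strings.Cut(tok, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(p0)
	sig, err2 := base64.RawURLEncoding.DecodeString(p1)
	if err1 != nil || err2 != nil || !ed25519.Verify(s.pub, payload, sig) {
		return c, errors.New("token does not parse or its signature is invalid")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if !s.grants[c.UserID][c.Permission] {
		return c, errors.New("parsed user ID / permission pair is no longer granted")
	}
	s.expires[tok] = now.Add(s.ttl) // extend the preset time range from this request
	return c, nil
}

// ContentURL is the first platform's output: the embedded page URL carrying the login token.
func ContentURL(base, tok string) string {
	u, _ := url.Parse(base)
	q := u.Query()
	q.Set("login_token", tok)
	u.RawQuery = q.Encode()
	return u.String()
}
```

A token that was never issued, one presented after its window, and one whose permission was revoked after issuance are all refused, while a token used within its window keeps being extended.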
Drawings
The present description will be further explained by way of exemplary embodiments, which are described in detail with reference to the accompanying drawings. These embodiments are not intended to be limiting, and in them like numerals indicate like structures, wherein:
FIG. 1 is a schematic diagram of an application scenario of a data interaction system according to some embodiments of the present description;
FIG. 2 is a data interaction flow diagram according to some embodiments of the present description;
FIG. 3 is an exemplary system block diagram of the first platform side according to some embodiments of the present description;
FIG. 4 is an exemplary flow diagram of the first platform side of a method for identity authentication according to some embodiments of the present description;
FIG. 5 is an exemplary system block diagram of the second platform side according to some embodiments of the present description;
FIG. 6 is an exemplary flow diagram of the second platform side of a method for identity authentication according to some embodiments of the present description;
FIG. 7 is a schematic diagram of a sub-flow for verifying first platform information according to some embodiments of the present description;
FIG. 8 is another exemplary system block diagram of the second platform side according to some embodiments of the present description;
FIG. 9 is another exemplary flow diagram of the second platform side of a method for identity authentication according to some embodiments of the present description.
Detailed Description
In order to illustrate the technical solutions of the embodiments of the present disclosure more clearly, the drawings used in the description of the embodiments are briefly described below. It is obvious that the drawings in the following description are only examples or embodiments of the present description, and that a person skilled in the art can, on the basis of these drawings and without inventive effort, also apply the present description to other similar scenarios. Unless otherwise apparent from the context or otherwise indicated, like reference numbers in the figures refer to the same structure or operation.
It should be understood that "system", "apparatus", "unit" and/or "module" as used herein are a way of distinguishing different components, elements, parts, portions or assemblies at different levels. However, these words may be replaced by other expressions that serve the same purpose.
As used in this specification and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural as well, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" indicate only that the explicitly identified steps or elements are included; they do not constitute an exclusive list, and the method or apparatus may comprise further steps or elements.
Flow charts are used in this description to illustrate operations performed by a system according to embodiments of the present description. It should be understood that the preceding or following operations are not necessarily performed in the exact order shown. Rather, the various steps may be processed in reverse order or simultaneously. At the same time, other operations may be added to the processes, or one or several steps may be removed from them.
One or more embodiments of the present description may be applied to an identity management system for a network platform accessing a database. The network platform includes but is not limited to one or a combination of several of a webpage, a browser plug-in, a client, a customization system and an enterprise internal business system. The application scenarios of one or more embodiments of the present specification include, but are not limited to, one or a combination of web pages, browser plug-ins, clients, customization systems, intra-enterprise analysis systems, and the like. It should be understood that the application scenarios of the system and method of one or more embodiments of the present specification are only examples of one or more embodiments of the present specification, and it will be apparent to those of ordinary skill in the art that one or more embodiments of the present specification can also be applied to other similar scenarios according to these drawings without inventive effort. Such as other similar data communication systems.
For convenience of description, the plurality of service platforms will be referred to simply as a first platform and a second platform, respectively. In some embodiments, the first platform has embedded therein data content of the second platform, and the user can invoke the data content of the second platform within the first platform and access the data service on the second platform. In some embodiments, the first platform may be a business platform and the second platform may be a data services platform.
The service platform in this specification may be a service platform that implements a specified data service. The service platform can obtain required data from the data service platform or call the required data service to realize the data service appointed by the service platform. For example, the translation service platform can call a translation service of a required language from the translation service platform to realize the translation task from the source language to the target language of the service platform. For another example, the machine learning model training service platform may complete the labeling of the training samples from the data labeling platform to implement the training of the machine learning model on the service platform. The service platform may be any service platform for implementing a specific service, and this specification does not limit this service platform.
The data service platform in the present specification refers to a service platform capable of providing data or services, for example, a translation service platform, a data annotation platform, and the like. In some application scenarios, the data service platform may be based on a multi-tenant architecture. For example, in the translation service platform, each translation service from a source language (such as Chinese) to a target language (such as English) may correspond to one tenant, and thus it may be understood that in the translation service platform, tenants of multiple translation services, such as Chinese-to-English translation, Japanese translation, Chinese translation, and the like, may exist. For another example, in the data annotation platform, each kind of annotation data or data annotation service (such as lane line annotation, face key point annotation, voice segmentation, or NLP text annotation) may correspond to one tenant, and thus the data annotation platform can be understood as having multiple tenants for multiple kinds of data annotation, such as lane line annotation, face key point annotation, and the like. The data service platform may also be a service platform that provides other types of data or services, and the present specification sets no limit on this.
In some embodiments, the user may enter login information to authenticate and log in on the service platform. In some embodiments, the service platform is a multi-tenant architecture, a user may input login information to perform authentication and login on the multi-tenant service platform, and the multi-tenant service platform may determine its tenant rights based on the login information of the user. In some embodiments, tenant permissions, also known as access information permissions, are used to indicate which data and/or services within the platform a user has permission to access. In some embodiments, a business platform (e.g., a first platform) may be a platform embedded with data content of other service platforms (e.g., a second platform), and a user may log on to the first platform and invoke a data service of the second platform through the first platform. When the second platform is a multi-tenant service platform and a user accesses data or service of the second platform through the first platform, the second platform also needs to determine the tenant authority of the user, and when the data or service which the user requests to access corresponds to the tenant authority of the user, the second platform returns the data or service which the user requests.
FIG. 1 illustrates an application scenario of an exemplary data interaction system 100, according to some embodiments of the present description. The data interaction system 100 can be used for data interaction between a user terminal and a service platform, and between service platforms, including but not limited to data interaction through web pages, browser plug-ins, clients, customization systems, enterprise internal business systems, and the like. As shown in FIG. 1, the data interaction system 100 may include one or more servers 110-1, 110-2 …, one or more storage devices 120-1, 120-2 …, one or more user terminals 130, and a network 140.
In some embodiments, server 110-1 may be used to implement one or more functions of a first platform and server 110-2 may be used to implement one or more functions of a second platform. In some embodiments, server 110-1 and/or server 110-2 may be local or remote. For example, server 110-1 may access information and/or data stored at user terminal 130 or storage device 120-1 via network 140. As another example, server 110-2 may connect to user terminal 130 and/or storage device 120-2 to access stored information and/or data. In some embodiments, server 110-1 and/or server 110-2 may be implemented on a cloud platform. By way of example only, the cloud platform may include a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an internal cloud, a multi-tiered cloud, and the like, or any combination thereof. In some embodiments, the servers 110-1, 110-2 … may include at least one network port. The at least one network port may be configured to transmit information to and/or receive information from one or more components of the data interaction system 100 (e.g., storage devices 120-1, 120-2 …, user terminal 130) via network 140.
The storage device may store data and/or instructions. For example, storage device 120-1 may store a user ID and one or more rights to access information. As another example, the storage device 120-2 may store a preset time range as well as a user ID and one or more rights to access information. As another example, storage device 120-1 and/or storage device 120-2 may store data and/or instructions that server 110-1 and/or server 110-2 may execute or use to perform the exemplary methods described in one or more embodiments herein. In some embodiments, storage device 120-1 and storage device 120-2 may include mass storage, removable storage, volatile read-write memory, read-only memory (ROM), the like, or any combination thereof. Exemplary mass storage may include magnetic disks, optical disks, solid state disks, and the like. Exemplary removable memories may include flash drives, floppy disks, optical disks, memory cards, compact disks, magnetic tape, and so forth. Exemplary volatile read-write memories can include Random Access Memory (RAM). Exemplary RAM may include Dynamic Random Access Memory (DRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDR SDRAM), Static Random Access Memory (SRAM), thyristor random access memory (T-RAM), zero capacitance random access memory (Z-RAM), and the like. Exemplary read-only memories may include mask read-only memory (MROM), programmable read-only memory (PROM), erasable programmable read-only memory (PEROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM), digital versatile disc read-only memory, and the like. In some embodiments, the storage devices 120-1 and/or 120-2 may be implemented on a cloud platform. By way of example only, the cloud platform may include a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an internal cloud, a multi-tiered cloud, and the like, or any combination thereof.
In some embodiments, storage devices 120-1, 120-2 … may include at least one network port. The at least one network port may be configured to transmit information to and/or receive information from one or more components of the data interaction system 100 (e.g., server 110-1, server 110-2, user terminal 130) via the network 140.
The user terminal 130 may implement front-end functions of one or more service platforms, such as receiving relevant login information input by a user and transmitting the login information to one or more service platforms to complete login of the user on one or more service platforms, or receiving a user data access request and transmitting the request to a specified service platform, or receiving data returned by the service platform and presenting the data to the user. In some embodiments, the user terminal may also receive an operation instruction of the user and directly execute the operation instruction. For example, the user terminal may complete local data query or processing and output the operation result to the user. The terms "user terminal," "client," "user side," or "front end" and the like as described in one or more embodiments of the present specification are interchangeable. User terminal 130 may include any electronic device used by a user. In some embodiments, the user terminal 130 may be a mobile device 130-1, a tablet computer 130-2, a laptop computer 130-3, a desktop computer 130-4, the like, or any combination thereof. In some embodiments, the mobile device 130-1 may include a wearable apparatus, a smart mobile device, a virtual reality device, an augmented reality device, and the like, or any combination thereof. In some embodiments, the wearable device may include a smart bracelet, smart footwear, smart glasses, a smart helmet, a smart watch, a smart garment, a smart backpack, a smart accessory, or the like, or any combination thereof. In some embodiments, the smart mobile device may include a smart phone, a Personal Digital Assistant (PDA), a gaming device, a navigation device, a point of sale (POS) device, and the like, or any combination thereof.
In some embodiments, the virtual reality device and/or the augmented reality device may include a virtual reality helmet, virtual reality glasses, virtual reality eyecups, an augmented reality helmet, augmented reality glasses, augmented reality eyecups, and the like, or any combination thereof. For example, the virtual reality device and/or augmented reality device may include Google Glass, RiftCon, Fragments™, Gear VR™, and the like. In some embodiments, desktop computer 130-4 may be an on-board computer, an on-board television, or the like.
In some embodiments, user terminal 130 may include at least one network port. The at least one network port may be configured to transmit information to and/or receive information from one or more components of the data interaction system 100 (e.g., server 110-1, server 110-2, storage device 120-1, storage device 120-2) via the network 140.
Network 140 may facilitate the exchange of information and/or data. In some embodiments, one or more components in system 100 (e.g., server 110-1, server 110-2, user terminal 130, storage device 120-1, and storage device 120-2) may send and/or receive information and/or data to/from other components in system 100 via network 140. In some embodiments, the network 140 may be any form or combination of wired or wireless network. Merely by way of example, network 140 may include a cable network, a wireline network, a fiber optic network, a telecommunications network, an intranet, the internet, a Local Area Network (LAN), a Wide Area Network (WAN), a Wireless Local Area Network (WLAN), a Metropolitan Area Network (MAN), a Public Switched Telephone Network (PSTN), a Bluetooth network, a ZigBee network, a Near Field Communication (NFC) network, a Global System for Mobile Communications (GSM) network, a Code Division Multiple Access (CDMA) network, a Time Division Multiple Access (TDMA) network, a General Packet Radio Service (GPRS) network, an Enhanced Data Rates for GSM Evolution (EDGE) network, a Wideband Code Division Multiple Access (WCDMA) network, a High Speed Downlink Packet Access (HSDPA) network, a Long Term Evolution (LTE) network, a User Datagram Protocol (UDP) network, a Transmission Control Protocol/Internet Protocol (TCP/IP) network, a Short Message Service (SMS) network, a Wireless Application Protocol (WAP) network, an Ultra Wide Band (UWB) network, infrared, and the like, or any combination thereof. In some embodiments, network 140 may include one or more network access points. For example, network 140 may include wired or wireless network access points, such as base stations and/or internet switching points, through which one or more components of system 100 may connect to network 140 to exchange data and/or information.
In some embodiments, one or more components of the data interaction system 100 (e.g., the server 110-1, the server 110-2, the user terminal 130, the storage device 120-1, and the storage device 120-2) may communicate with each other in the form of electronic and/or electromagnetic signals through wired and/or wireless communication. In some embodiments, the data interaction system 100 may also include at least one data exchange port. The at least one data exchange port may be configured for receiving and/or transmitting (e.g., in the form of electronic signals and/or electromagnetic signals) between any of the electronic devices in the data interaction system 100. In some embodiments, the at least one data exchange port may be one or more antennas, network interfaces, network ports, the like, or any combination thereof. For example, at least one data exchange port may be a network port connected to server 110-1 and/or server 110-2 to send information thereto and/or receive information sent therefrom.
It should be noted that the above description of the data interaction system 100 is for illustration and description only and is not intended to limit the scope of applicability of the present description. Various modifications and alterations to the data interaction system 100 will become apparent to those skilled in the art in light of one or more embodiments set forth herein. However, such modifications and variations are intended to be within the scope of the present description.
In some embodiments, the first platform has embedded within it the data content of the second platform. For example, a first platform has embedded therein a page of a second platform. For example only, the first platform is a machine learning model training business platform and the second platform is a data annotation service platform. In order to complete the training of a certain machine learning model on the first platform, a user needs a large number of training samples with labeled information. At this point, the user can call the data annotation service from the second platform through the second platform page embedded in the first platform to obtain the training samples with the labeled information.
In some embodiments, the second platform is a multi-tenant architecture, and the user has multiple tenant identities or tenant permissions for the second platform. For example, the user has tenant A and tenant B on the second platform. For example only, the user is currently using the first platform to complete training of a face recognition machine learning model, and needs a data service (such as face keypoint labeling) corresponding to tenant A. When the user logs in to the first platform and, with the authority (or identity) of tenant A, accesses data corresponding to tenant A on the second platform through the data content of the second platform embedded in the first platform, the context information of the user recorded on the second platform (which can be understood as login authority information related to the user) belongs to tenant A. Then, the user temporarily needs to use the data corresponding to tenant B for business needs (e.g., voice segmentation), so the user logs in directly on the second platform and accesses the data corresponding to tenant B with the authority of tenant B, and the context information of the user recorded on the second platform is switched from that of tenant A to that of tenant B. If the user then returns directly to the first platform and continues to access the relevant data of tenant A on the second platform through the first platform without logging in as tenant A again, the user is refused access to the data corresponding to tenant A, because the context information of the user on the second platform has been changed to the authority information of tenant B. Some embodiments of the present description provide a solution to this, so that when a user returns to the first platform and continues to access relevant data of tenant A on the second platform through the first platform, the relevant data of tenant A can be accessed directly without performing authentication again.
FIG. 2 is a data interaction flow diagram shown in accordance with some embodiments of the present description.
In some embodiments, the user may complete a login on the first platform through the user terminal. For example, a user may enter login information on a login interface presented by the user terminal, which may include a user ID and a password. The user terminal transmits the login information to the first platform, the first platform verifies the login information, and if the verification succeeds, the user login is completed.
In some embodiments, the user may also send a request for access to the data through the user terminal. The access request may be an access request to a data service on the second platform. For example, the access request corresponds to data of a tenant on the second platform.
The first platform may obtain the user ID related information, generate the first platform information, and transmit to the second platform. The user ID related information may include one or more of a user ID, an access request of the user, a request time related to the access request of the user, or tenant rights of the user. And the second platform receives the first platform information and carries out validity verification on the first platform information. For example, the second platform may determine whether the user ID is a legitimate user based on the first platform information. For another example, the second platform may determine the user ID and the tenant authority corresponding to the user ID based on the first platform information, and determine whether the user ID and the tenant authority correspond to each other. Specifically, the second platform stores the user ID and the tenant permission that the user ID has, and the second platform may verify, according to the record, whether the user ID actually has the tenant permission corresponding to the user ID in the first platform information. For another example, the second platform may determine the data the user ID requests to access based on the first platform information and determine whether the user ID has tenant rights to access the data it requests.
In some embodiments, after the second platform verifies the first platform information, a login token (token) may be generated based on the first platform information. For example, the second platform may perform computational processing on one or more combinations of the user ID included in the first platform information, the access request of the user, the request time related to the access request of the user, or the tenant permissions of the user, to obtain a login token corresponding to the first platform information. In some embodiments, the second platform may process the first platform information using an asymmetric cryptographic algorithm to generate the login token. The second platform returns the login token to the first platform. In some embodiments, the second platform may store the login token and a preset validity time for the login token. The preset validity time may be 0.5 hour, 1 hour, 4 hours, one day, one week, etc., which the present specification does not limit.
In some embodiments, the first platform may invoke data or services of the second platform through a call interface. Specifically, the first platform may use the user ID and the tenant permission corresponding to the user ID as an input parameter of the call interface, and use data or service of the second platform that needs to be called as a return parameter of the call interface. Through the calling interface, the first platform can transmit the user ID and the tenant permission corresponding to the user ID to the second platform and receive the login token returned by the second platform. Correspondingly, the second platform can obtain the user ID and the corresponding tenant permission through the calling interface and transmit the login token to the first platform.
In some embodiments, the first platform may determine an access address (e.g., a URL) for the requested data based on the user's access request, carry the login token in the access address, and return the access address with the login token to the user terminal. The user terminal can obtain the required data based on the access address. The second platform acquires the access address sent by the user terminal and parses the access address to obtain the login token. In some embodiments, the second platform may verify the login token. For example, the second platform may look up locally whether the login token is stored, and if so, consider the login token to be legitimately obtained. For another example, the second platform may further determine whether the login token is within the preset validity time, and if so, consider the login token to be legitimate. For another example, the second platform may parse the login token according to a preset algorithm, and if parsing succeeds, the login token is considered to be legitimate. For example only, the second platform may parse the login token based on a private key in an asymmetric cryptographic algorithm. For another example, the second platform may compare the parsed information with the stored information, and if the parsed information is consistent with the stored information, the login token may be considered to be legitimate. The parsed information may include one or more combinations of a user ID, a user access request, a request time related to the user access request, or tenant permissions of the user. The second platform may also verify the login token according to other preset rules and determine whether the login token is legitimate, which is not limited in this specification.
In some embodiments, after the second platform verifies that the login token is legitimate, the second platform obtains data requested by the user and returns the data. In some embodiments, the second platform may also obtain the data requested by the user for the context information of the user based on the login token and/or the parsed information after verifying that the login token is legitimate.
By way of example only, continuing with the example of tenant A and tenant B: when a user logs in to the first platform and requests access to data corresponding to tenant A, the first platform generates first platform information based on the user ID related information and transmits the first platform information to the second platform; the second platform, after completing verification of the user ID based on the first platform information, generates a login token and returns it to the first platform; and the first platform carries the login token in the access address of the data which the user requests to access and returns the access address to the user. The user then requests the data from the second platform based on the access address, and the second platform only verifies the login token and returns the data requested by the user after the verification succeeds.
If the user logs in directly on the second platform and accesses the data corresponding to tenant B with the authority of tenant B, the context information of the user recorded on the second platform is switched to the context information of tenant B. If the user then returns directly to the first platform and continues to access the relevant data of tenant A on the second platform through the first platform without logging in as tenant A again, the access address carries a legitimate login token, so the second platform does not check whether the user has the authority to acquire the currently requested data (the data corresponding to tenant A) against the original context information (the context information of tenant B), and the user is not refused access to the data corresponding to tenant A.
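To make the exchange concrete, the following is an added example (not the patent's own code): a minimal simulation of the first and second platforms running the tenant A / tenant B case described above. The token is signed with HMAC-SHA256 from the Python standard library as a stand-in for the asymmetric algorithm the specification mentions, and the user IDs, tenant names, content names and access URL are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 3600  # preset validity time; the page lists 1 hour as one option


class SecondPlatform:
    """Multi-tenant data service platform (the page's data annotation service)."""

    def __init__(self, signing_key: bytes, clock):
        self._key = signing_key
        self._clock = clock  # injected so the validity window can be tested
        # user ID -> tenant permissions held (constructed sample data)
        self.tenant_rights = {"alice": {"tenantA", "tenantB"}, "bob": {"tenantB"}}
        # specified content -> tenant it belongs to (constructed sample data)
        self.resource_owner = {"face_keypoints": "tenantA", "voice_segments": "tenantB"}
        # login token -> (claims, expiry); stored so legitimacy can be checked by lookup
        self.token_store = {}
        # context information recorded after a direct login: user ID -> tenant
        self.session_context = {}

    def _sign(self, claims: dict) -> str:
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        mac = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{mac}"

    def issue_login_token(self, first_platform_info: dict) -> Optional[str]:
        # Validity verification of the first platform information, then token generation.
        user, tenant, resource = (first_platform_info[k] for k in ("user_id", "tenant", "resource"))
        if user not in self.tenant_rights or tenant not in self.tenant_rights[user]:
            return None  # unknown user ID, or a tenant right the user ID does not hold
        if self.resource_owner.get(resource) != tenant:
            return None  # the tenant right does not cover the requested data
        claims = dict(first_platform_info, request_time=int(self._clock()))
        token = self._sign(claims)
        self.token_store[token] = (claims, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def direct_login(self, user: str, tenant: str) -> None:
        # A direct login on the second platform switches the user's recorded context.
        if tenant in self.tenant_rights.get(user, set()):
            self.session_context[user] = tenant

    def _verify_login_token(self, token: str) -> Optional[dict]:
        entry = self.token_store.get(token)            # locally stored?
        if entry is None or self._clock() > entry[1]:  # still within the preset time?
            return None
        try:
            payload, mac = token.split(".")
            expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, expected):  # parses under the preset algorithm?
                return None
            parsed = json.loads(base64.urlsafe_b64decode(payload))
        except (ValueError, TypeError):
            return None
        return parsed if parsed == entry[0] else None  # parsed info matches stored info?

    def handle_access(self, url: str) -> dict:
        # Serve a request whose access address carries the login token.
        query = parse_qs(urlparse(url).query)
        claims = self._verify_login_token(query.get("token", [""])[0])
        if claims is None:
            return {"status": 403, "reason": "invalid or expired login token"}
        # The tenant context is taken from the verified token, not from session_context,
        # so a later direct login as another tenant does not cause this access to be refused.
        return {"status": 200, "tenant": claims["tenant"],
                "data": f"{claims['resource']} for {claims['user_id']}"}


class FirstPlatform:
    """Business platform that embeds the second platform's page."""

    def __init__(self, second: SecondPlatform):
        self.second = second
        self.base_url = "https://second.example/data"  # constructed address

    def request_access_url(self, user: str, tenant: str, resource: str) -> Optional[str]:
        info = {"user_id": user, "tenant": tenant, "resource": resource}
        token = self.second.issue_login_token(info)  # the call interface to the second platform
        if token is None:
            return None
        return f"{self.base_url}?{urlencode({'resource': resource, 'token': token})}"


def tenant_switch_scenario(now: float = 1_700_000_000.0) -> dict:
    """The tenant A / tenant B walk-through from the text, returned as a dict for checking."""
    clock = [now]
    second = SecondPlatform(b"constructed-demo-key", clock=lambda: clock[0])
    first = FirstPlatform(second)
    url = first.request_access_url("alice", "tenantA", "face_keypoints")
    before = second.handle_access(url)        # access through the first platform
    second.direct_login("alice", "tenantB")   # direct login on the second platform as tenant B
    after = second.handle_access(url)         # back on the first platform, same access address
    tampered = second.handle_access(url[:-1] + ("0" if url[-1] != "0" else "1"))
    no_right = first.request_access_url("bob", "tenantA", "face_keypoints")
    clock[0] = now + TOKEN_TTL_SECONDS + 1    # past the preset validity time
    expired = second.handle_access(url)
    return {"before": before, "context": second.session_context["alice"], "after": after,
            "tampered": tampered, "no_right": no_right, "expired": expired}
```

Calling `tenant_switch_scenario()` shows the access succeeding both before and after the direct login as tenant B, while a tampered token, an expired token, and a request for a tenant right the user does not hold are all refused.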
The foregoing description has been directed to specific embodiments of this disclosure. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Next, the present specification will set forth one or more processes, such as data interaction or identity authentication processes, implemented on the first platform and the second platform by further embodiments.
Fig. 3 is an exemplary system block diagram of a first platform side shown in accordance with some embodiments of the present description. As shown in fig. 3, the identity authentication system 300 may include a first obtaining module 302, a first verifying module 304, a second obtaining module 306, a first transmitting module 308, and a first receiving module 310. These modules may be all or part of the hardware circuitry of the processor. These modules may also be implemented as an application or a set of instructions that are read and executed by a processing engine. Further, a module may be any combination of hardware circuitry and applications/instructions. For example, a module may be part of a processor when a processing engine or processor executes an application/set of instructions.
The first obtaining module 302 may be used to obtain a user ID.
The first authentication module 304 may be used to authenticate login information for a user ID.
The second obtaining module 306 may be configured to obtain the first platform information.
The first delivery module 308 may be configured to deliver the first platform information to the second platform; the first platform information at least comprises user ID related information, and the first platform information is at least used for the verification of the user ID by the second platform. In some embodiments, the first transferring module is further configured to transfer the user ID and the corresponding access information authority to the second platform through a call interface.
The first receiving module 310 may be configured to receive a login token returned by the second platform, where the login token is related to the first platform information and is valid within a preset time range. And in a preset time range, the user ID accesses the specified content of the second platform by using the login token through the first platform without verifying the user ID again through the second platform, and the access right of the specified content is related to the first platform information. In some embodiments, the first receiving module is further configured to receive one or more login tokens returned by the second platform; the one or more login tokens respectively correspond to the one or more specified contents for which access is requested.
In some embodiments, the system further comprises a fourth obtaining module and a first output module, wherein the fourth obtaining module is used for obtaining the access request of the user to the specified content of the second platform; the specified content comprises an embedded page of the second platform in the first platform; the first output module may be operable to output a specified content URL including the login token.
In some embodiments, the fourth obtaining module is further configured to obtain a user access request for one or more specified contents.
In some embodiments, the first output module is further configured to output one or more specified content URLs; the one or more specified content URLs respectively contain login tokens corresponding to the specified content.
In some embodiments, the system further includes a third obtaining module, and the third obtaining module may be configured to obtain the access information right corresponding to the user ID from the memory.
In some embodiments, the third obtaining module is further configured to determine, from the one or more access information permissions, an access information permission corresponding to the specified content based on the specified content to which the user requests access, and include the access information permission corresponding to the specified content as the access information permission corresponding to the user ID in the first platform information.
It should be understood that the system and its modules shown in FIG. 3 may be implemented in a variety of ways. For example, in some embodiments, the system and its modules may be implemented in hardware, software, or a combination of software and hardware. Wherein the hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory for execution by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the methods and systems described above may be implemented using computer executable instructions and/or embodied in processor control code, for example such code provided on a carrier medium such as a diskette, CD-or DVD-ROM, programmable memory such as read-only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The system and its modules of one or more embodiments of the present specification may be implemented not only by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., but also by software executed by various types of processors, for example, or by a combination of hardware circuits and software (e.g., firmware).
It should be noted that the above descriptions of the identity authentication system and the modules thereof are merely for convenience of description, and are not intended to limit one or more embodiments of the present disclosure to the scope of the illustrated embodiments. It will be appreciated by those skilled in the art that, given the teachings of the system, any combination of modules, or connection of constituent subsystems to other modules, or omission of one or more of the modules, may be made without departing from such teachings. For example, the first obtaining module 302, the first verifying module 304, the second obtaining module 306, the first transmitting module 308, the first receiving module 310 and the first outputting module 312 disclosed in fig. 3 may be different modules in a system, or may be a single module that implements the functions of two or more of the above modules. In some embodiments, the first output module 312 may also be omitted. In some embodiments, the first obtaining module 302 and the first verifying module 304 may be two modules, or one module having both obtaining and verifying functions. For example, the modules may share one memory module, or each module may have its own memory module. Such variations are within the scope of one or more embodiments of the present description.
Fig. 4 is an exemplary flow diagram of a first platform side of a method for identity authentication shown in accordance with some embodiments of the present description. In some embodiments, one or more steps of process 400 may be implemented in system 100 shown in FIG. 1. For example, one or more steps in process 400 may be stored as instructions in storage device 120-1 and invoked and/or executed by server 110-1 (e.g., a processing engine in server 110-1).
Step 402, obtain a user ID. In some embodiments, step 402 may be performed by first acquisition module 302.
The user ID may be an identifier indicating the identity of the user, which may be a character string, a number, an image, a biometric feature (e.g., fingerprint information, iris information, etc.). In some embodiments, the user ID may correspond to a user and be unique. In some embodiments, the user ID is used only to indicate the user identity in the second platform. In some embodiments, the user ID may be used in both the first platform and the second platform to indicate the user identity. In other words, the identity of the same user on the first platform and the second platform may be shared.
In some embodiments, the manner of obtaining the user ID may include a direct obtaining manner. For example, a user or an operator may directly input a corresponding user ID in a login window of the client, and correspondingly, the first platform directly acquires the user ID through the first acquiring module 302.
In some embodiments, the manner of obtaining the user ID may also include an indirect obtaining manner. For example, the user inputs not the user ID but data corresponding to the user ID in the login window of the client. In some embodiments, the data corresponding to the user ID includes, but is not limited to, a character string corresponding to the user ID, sound information, fingerprint information, and facial information, or any combination thereof. In some embodiments, the string may include a job number, mailbox, or nickname of the user. In some embodiments, the first obtaining module may parse out the corresponding user ID through data corresponding to the user ID. Correspondingly, in one or more embodiments described above, the first platform directly acquires the data information corresponding to the user ID through the first acquiring module 302, and then indirectly acquires the corresponding user ID from the data information.
In some embodiments, the user ID is input at the client end by any combination of one or more of, but not limited to, manual input, voice input, acquisition of facial information through a camera, acquisition of fingerprint information through a fingerprint recognizer, and the like. In some embodiments, the manual input may include manually entering a user name in text form. In some embodiments, the voice input may include acquiring voice information through a voice acquisition module and converting the voice information into user name text information by a voice recognition module. In some embodiments, the acquiring of the face information by the camera may include acquiring face image information by an image acquisition module, and converting the face image information into text information corresponding to a user name by an image recognition module. In some embodiments, the obtaining of the fingerprint information by the fingerprint recognizer may include obtaining the fingerprint information by a fingerprint obtaining module, and converting the fingerprint information into text information corresponding to the user name by a fingerprint identification module.
Step 404, verify the login information of the user ID. In some embodiments, step 404 may be performed by the first verification module 304.
In some embodiments, the login information may include information related to the user ID, which in some embodiments may reflect at least the identity of the user, the validity of the identity, and/or the rights of the identity. In some embodiments, the login information may include a user ID and a login password. In some embodiments, the login information may include an identity of the user at the first platform, such as a user name and a login password, wherein the user ID is only used to identify the user at the second platform, and the user name is only used to identify the user at the first platform. In some embodiments, the login information may also include access information permissions corresponding to the user ID, such as tenant permissions.
In some embodiments, the login information may be some information input by the user when logging in on the first platform, the identity of the logged-in person may be shown to the first platform, and the user may be informed of the login situation. The login information may include a user name, password corresponding to the user ID. In some embodiments, the user name of the user is not limited to the user's Chinese or English name, but may also include the user's mailbox, job number, nickname, and string corresponding to the user ID. In some embodiments, the login information may further include login authentication information, which may include, but is not limited to, a short message authentication code, a text authentication code, or a gesture authentication code. In some embodiments, the entry of the login information includes, but is not limited to, manual entry, voice entry, or image entry, or any combination thereof.
In some embodiments, the first platform may verify the login information. For example, the first platform stores a user name and a password that are input by the user when the platform registers, and the first platform may compare the user name and the password in the login information with the information during registration, and if the user name and the password are consistent with the information during registration, the login information is considered to be legitimate. For another example, the first platform may send a short message verification code to a mobile device of the user, such as a mobile phone, and determine whether the verification code in the login information of the user is consistent with the sent verification code, and if so, the login information is considered to be legal. For another example, the first platform may detect whether the login gesture of the user is consistent with the set trajectory, and if so, the login information is considered to be legal. For another example, the first platform may arbitrarily combine the authentication conditions to sequentially authenticate the login information, and only when the login information satisfies all the authentication conditions, the login information is considered to be valid. The first platform may set the login information verification rule as required, which is not limited in this specification.
In some embodiments, login information for the user ID may be obtained by first obtaining module 302 and may be transmitted to first verifying module 304.
Step 406, first platform information is obtained. In some embodiments, step 406 may be performed by the second acquisition module 306.
The first platform information is used at least for authentication of the user ID by the second platform. The first platform information includes at least user ID related information. In some embodiments, the user ID related information comprises at least a user ID. In some embodiments, the user ID related information may further include a password corresponding to the user ID, and the password may be in the form of, but not limited to, one or more of voice information, facial information, or fingerprint information.
In some implementations, the user ID-related information may also include the time at which the user logged in to the first platform. For example, if the user inputs and verifies the user ID on the first platform at 11:05:30 on 30 May 2019, the time in the first platform information may be stored in a format of "2019-05-3011".
In some embodiments, the user ID related information may further include access information authority (tenant authority) corresponding to the user ID. The access information authority corresponding to the user ID may be understood as an authority that the user can access the data information of the second platform through the user ID. In some embodiments, the user ID may have one or more access information rights, and the first platform has the user ID and the one or more access information rights stored therein. The first platform may determine an access information authority corresponding to the user ID request for access to the data as an access information authority corresponding to the user ID. In some embodiments, the user ID and the access information rights it has are stored in the first platform, for example in a storage device or memory corresponding to the server 110-1. After the first platform acquires the user ID, the access information authority corresponding to the user ID can be obtained through the memory. In some embodiments, the user ID may have one or more rights to access information. One or more access information rights that the user ID has may be stored on the first platform. The first platform may determine, based on the access request, an access information right related to the data requested to be accessed, and determine whether the access information right is included in the access information rights possessed by the user ID, and if so, take the access information right related to the data requested to be accessed as the access information right corresponding to the user ID. In some embodiments, the first platform may determine, based on a plurality of access requests for specified content, a right to access information corresponding to the access requests, and send the right to the second platform in the first platform information. 
It can be understood that a user may access two inline pages within the first platform, where one inline page corresponds to tenant a and the other inline page corresponds to tenant B. Accordingly, the first platform may determine that the access information authority corresponding to the user ID includes tenant a and tenant B. In some embodiments, when a user logs in at a client, a user ID and corresponding tenant information, that is, access information authority, may be input, and the first platform obtains the access information authority corresponding to the user ID directly from the user input of the client. In other embodiments, the access information permission corresponding to the user ID may also be stored in the second platform, and the second platform may determine the access information permission according to the user ID, and the first platform does not need to acquire the access information permission corresponding to the user ID.
In some embodiments, the first platform information further comprises an access request to access the associated data information on the second platform or/and time information associated with the access request. The access request may include a request issued by a user to access specified content of a second platform embedded on the first platform. In some embodiments, the access request includes at least one click operation on the specified content. In some implementations, the specified content may include an inline page of the second platform in the first platform. In some embodiments, the specified content may also include a database embedded in the first platform that belongs to the second platform.
In some embodiments, the first platform may comprise a business platform and the second platform may comprise a data annotation service platform. The access request for the specified content may be a request issued to a face key point data service. In some embodiments, the specific manner of presentation of the second platform embedded within the first platform may include a window or a hyperlink. For example, the data service of the data annotation service platform is embedded on the page of the service platform in the form of a window, and the length and width of the window can be fixed or adjustable. In some embodiments, the object of the hyperlink may include text, an image, or a combination thereof. For example, the second platform is presented on the first platform in the form of an "in-line page", which may be the object of a hyperlink to which the user jumps when clicking on the hyperlink.
In some embodiments, the access request may correspond to an inline page of the first platform, and there may be several inline pages, each corresponding to one access information authority (tenant). For example, when the accessed inline page is inline page A, the access is a request for data corresponding to tenant A, and when the accessed inline page is inline page B, the access is a request for data corresponding to tenant B. In some embodiments, the first platform may determine the access information permissions corresponding to the user ID based on the access request.
In some embodiments, the time information associated with the access request may be a time when the access request was initiated. For example, the time point of accessing the page embedded in the annotation platform is "2019-05-30" or "2019-05-30", and the time point information related to the access request is "2019-05-30". In some embodiments, the user-related information may also include a time at which the user made a request to access data within the second platform.
In some embodiments, the second acquisition module 206 of the first platform may acquire the first platform information over the network 140. In some embodiments, the first platform information may be retrieved from a memory of the first platform via network 140. In some embodiments, the first platform information may be obtained from input data of the client via the network 140.
Step 408, the first platform information is transferred to a second platform. In some embodiments, step 408 is performed by the first delivery module 308, and the delivery process may be delivered over the network 140.
Step 408 provides the second platform with what it needs to subsequently verify the user ID, the access information permissions, the access requests, and the like. For example, the user ID of user A and the access information authority corresponding to user A are transferred to the second platform, and the second platform may then verify the user name and the access information authority of user A. In some embodiments, the first platform may pass the access information authority to the second platform by using an interface call. For example, the first platform may use the user ID and the tenant authority corresponding to the user ID as input parameters of the call interface, and use the data or service of the second platform that needs to be called as the return parameter of the call interface. Through the call interface, the first platform can transfer the user ID and the tenant permission corresponding to the user ID to the second platform. In some embodiments, the second platform may also generate a login token based on the first platform information, as set forth in more detail below.
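The first-platform side of steps 404 through 408 (verifying the login information against every configured condition, mapping the requested inline pages to tenant permissions the user ID actually holds, and assembling the input parameter of the interface call) is illustrated by the following Go program. It is an added example and not code from the patent or its assignee; the user record layout, the page-to-tenant table, the sample user "alice" with user ID "u1001", the SMS code and the function names are all constructed for the example. Plain salted SHA-256 stands in for a slow password hash only to keep the program dependency-free; a production system would use a purpose-built password hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// userRecord is what the first platform stored at registration (hypothetical layout).
type userRecord struct {
	UserID  string          // identity on the second platform
	Salt    []byte
	PwHash  [32]byte
	Tenants map[string]bool // access information permissions the user ID holds
}

type sentCode struct{ Code string; Expiry time.Time } // SMS verification code sent, with expiry
type loginInput struct{ Name, Password, SMSCode string } // login information entered at the client

// FirstPlatformInfo is the input parameter of the interface call to the second platform.
type FirstPlatformInfo struct {
	UserID    string
	LoginTime time.Time
	Tenants   []string // permissions determined for the requests below
	Requests  []string // inline pages of the second platform the user asked to open
}

// FirstPlatform holds registered users (by user name), the inline page -> tenant mapping and sent codes.
type FirstPlatform struct {
	Users      map[string]userRecord
	PageTenant map[string]string
	SMSCodes   map[string]sentCode
}

func hashPassword(salt []byte, pw string) [32]byte { return sha256.Sum256(append(append([]byte{}, salt...), pw...)) }

// VerifyLogin applies every verification condition in turn (user name, password, SMS code); the login is legitimate only when all hold.
func (fp *FirstPlatform) VerifyLogin(in loginInput, now time.Time) (userRecord, error) {
	u, ok := fp.Users[in.Name]
	if !ok {
		return userRecord{}, errors.New("unknown user name")
	}
	if h := hashPassword(u.Salt, in.Password); subtle.ConstantTimeCompare(h[:], u.PwHash[:]) != 1 {
		return userRecord{}, errors.New("wrong password")
	}
	sc, ok := fp.SMSCodes[in.Name]
	if !ok || now.After(sc.Expiry) || subtle.ConstantTimeCompare([]byte(sc.Code), []byte(in.SMSCode)) != 1 {
		return userRecord{}, errors.New("verification code invalid or expired")
	}
	delete(fp.SMSCodes, in.Name) // a code is accepted once
	return u, nil
}

// TenantsForRequests maps each requested inline page to its tenant and requires the user ID to hold that permission.
func (fp *FirstPlatform) TenantsForRequests(u userRecord, pages []string) ([]string, error) {
	seen, tenants := map[string]bool{}, []string(nil)
	for _, pg := range pages {
		t, ok := fp.PageTenant[pg]
		if !ok {
			return nil, fmt.Errorf("unknown inline page %s", pg)
		}
		if !u.Tenants[t] {
			return nil, fmt.Errorf("user ID %s has no permission for tenant %s", u.UserID, t)
		}
		if !seen[t] { seen[t], tenants = true, append(tenants, t) } // deduplicate, keep request order
	}
	return tenants, nil
}

// BuildFirstPlatformInfo produces the interface-call input only after the login passed every condition
// and every requested page was within the user's permissions.
func (fp *FirstPlatform) BuildFirstPlatformInfo(in loginInput, pages []string, now time.Time) (FirstPlatformInfo, error) {
	u, err := fp.VerifyLogin(in, now)
	if err != nil {
		return FirstPlatformInfo{}, err
	}
	tenants, err := fp.TenantsForRequests(u, pages)
	if err != nil {
		return FirstPlatformInfo{}, err
	}
	return FirstPlatformInfo{UserID: u.UserID, LoginTime: now, Tenants: tenants, Requests: pages}, nil
}

// NewSampleFirstPlatform is constructed sample data: one user holding two tenant permissions, three inline pages, one code valid five minutes.
func NewSampleFirstPlatform(now time.Time) *FirstPlatform {
	salt := []byte("constructed-salt")
	return &FirstPlatform{
		Users: map[string]userRecord{"alice": {UserID: "u1001", Salt: salt, PwHash: hashPassword(salt, "correct-horse"),
			Tenants: map[string]bool{"tenantA": true, "tenantB": true}}},
		PageTenant: map[string]string{"/inline/a": "tenantA", "/inline/b": "tenantB", "/inline/c": "tenantC"},
		SMSCodes:   map[string]sentCode{"alice": {Code: "482913", Expiry: now.Add(5 * time.Minute)}},
	}
}

func main() {
	now := time.Date(2019, 5, 30, 11, 5, 30, 0, time.UTC)
	info, err := NewSampleFirstPlatform(now).BuildFirstPlatformInfo(loginInput{"alice", "correct-horse", "482913"}, []string{"/inline/a", "/inline/b", "/inline/a"}, now)
	fmt.Printf("%+v %v\n", info, err)
}
```

Two design points are worth noting. A request for an inline page whose tenant the user ID does not hold fails the whole call rather than being silently dropped, so the second platform never receives a permission set that the first platform could not vouch for; and the verification code is consumed on first use, so a replayed login with the same code is rejected even inside its validity window.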
Step 410, receiving a login token returned by the second platform. In some embodiments, step 410 may be performed by the first receiving module 310.
In some embodiments, the login token is associated with the first platform information and is valid for a predetermined time frame. And in a preset time range, the user ID accesses the specified content of the second platform by using the login token through the first platform without verifying the user ID again through the second platform, and the access authority of the specified content is related to the first platform information. In some embodiments, the access rights for the specified content include at least tenant information rights for the user ID. In some embodiments, the first platform information includes at least user ID related information; in some embodiments, access to information rights is also included. In some embodiments, the second platform may return one or more login tokens. The one or more login tokens may correspond to one or more specified content that the user requests access to.
In some embodiments, the flow 400 may also obtain a user's access request for specified content of the second platform. In some implementations, this step may be performed by a fourth acquisition module.
In some embodiments, the user's access request further includes an access request to obtain one or more specified content. For example, the user's access request for the specified content may be one or more. For another example, the user accesses any one or more of the image annotation database, the text annotation database, and the corpus annotation database of the second platform. The first platform may determine access information authority corresponding to the user ID based on the access request of the user.
In some embodiments, the database of the second platform may be embedded on the pages of the first platform in the form of hyperlinks. For example, the image annotation database, the text annotation database, and the corpus annotation database may be embedded in the first platform in different forms of text hyperlinks or picture hyperlinks, and accordingly, the access request of the specified content may be an access request to the image annotation database, the text annotation database, or the corpus annotation database of the first annotation platform.
In some embodiments, the flow 400 may also output a specified content URL that includes the login token. In some embodiments, this step may be performed by the first output module 312.
By including the URL of the specified content of the login token, the user can access the specified content of the second platform through the first platform without logging in again. For the detailed description of the specific contents, reference is made to the foregoing description, which is not repeated herein.
A URL (Uniform Resource Locator) is a character string used to describe an information resource on the Internet. In some embodiments, the URL of the specified content may include the URL of a page of the second platform embedded on the first platform, such as the URL of one nested page, or the URLs of any number of nested pages. In some embodiments, the URL of the specified content may also include a URL corresponding to a database in the second platform, for example the URL of the annotation platform's image annotation database, of the text annotation database, of the corpus annotation database, or of any of these databases. In some embodiments, the URL of the specified content may also be a link, whose displayed form may include an image hyperlink, a text hyperlink, or a button hyperlink corresponding to the specified content. In some embodiments, the first platform may embed the corresponding access information rights in the URLs of the plurality of specified contents that the user requests access to and return them to the user.
It should be noted that the above description related to the flow 400 is only for illustration and description, and does not limit the applicable scope of the present specification. Various modifications and changes to flow 400 will be apparent to those skilled in the art in light of this description. However, such modifications and variations are intended to be within the scope of the present description.
Fig. 5 is an exemplary system block diagram of a second platform side shown in accordance with some embodiments of the present description.
As shown in fig. 5, the identity authentication system 500 may include a second receiving module 502, a second verifying module 504, a generating module 506, and a first returning module 508.
The second receiving module 502 may be configured to receive the first platform information from the first platform. The first platform information includes at least user ID related information. In some embodiments, the second receiving module is further configured to obtain the user ID and the access information authority corresponding to the user ID from a call interface of the first platform.
The second verification module 504 may be used to verify the first platform information from the first platform. In some embodiments, the second verification module 504 may be further configured to verify whether the user ID and the corresponding access information authority are consistent with the information stored in the second platform, and if so, the user ID and the corresponding access information authority pass.
The generating module 506 may be configured to generate a login token based at least on the first platform information. The login token is valid within a preset time range. And in a preset time range, the user ID accesses the specified content of the second platform through the first platform by using the login token without verifying the user ID again. In some embodiments, the generating module 506 may be further configured to determine a plurality of user ID and access information permission pairs based on the user ID in the first platform information and a plurality of access information permissions corresponding to the user ID; a plurality of login tokens are generated based on the plurality of user ID and access information authority pairs. In some embodiments, the generation module 506 is further configured to generate the login token based on an asymmetric encryption algorithm.
The first return module 508 may be used to return the login token.
In some embodiments, the identity authentication system further comprises a first determination module and a first storage module. The first determining module may be configured to determine the preset time range. The first storage module may be configured to store the preset time range.
In some embodiments, the identity authentication system further comprises a second determining module for determining access information rights corresponding to the user ID; the generation module is further configured to generate the login token based on the first platform information and the access information permission. In some embodiments, the second determining module is further configured to determine, from the one or more access information permissions, an access information permission corresponding to the specified content based on the specified content to which the user requests access, and take its access information permission corresponding to the specified content as the access information permission corresponding to the user ID. In some embodiments, the second determining module is further configured to determine, from the one or more access information permissions, a plurality of access information permissions corresponding to a plurality of specified contents based on the specified content to which the user requests access, and to treat the plurality of access information permissions corresponding to the user ID; the generation module is also used for determining a plurality of user IDs and access information authority pairs based on a plurality of access information authorities corresponding to the user IDs; a plurality of login tokens are generated based on the plurality of user ID and access information authority pairs.
It should be understood that the system and its modules shown in FIG. 5 may be implemented in a variety of ways. For example, in some embodiments, the system and its modules may be implemented in hardware, software, or a combination of software and hardware. Wherein the hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory for execution by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the methods and systems described above may be implemented using computer executable instructions and/or embodied in processor control code, for example such code provided on a carrier medium such as a diskette, CD-or DVD-ROM, programmable memory such as read-only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The system and its modules of one or more embodiments of the present specification may be implemented not only by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, etc., or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., but also by software executed by various types of processors, for example, or by a combination of hardware circuits and software (e.g., firmware).
It should be noted that the above descriptions of the candidate item display and determination system and the modules thereof are merely for convenience of description, and are not intended to limit one or more embodiments of the present disclosure to the scope of the illustrated embodiments. It will be appreciated by those skilled in the art that, given the teachings of the present system, any combination of the various modules, or the connection of the constituent subsystems to other modules, or the omission of one or more of the modules, may be made without departing from such teachings. For example, the second obtaining module 502, the second verifying module 504, the generating module 506 and the first returning module 508 disclosed in fig. 5 may be different modules in a system, or may be a module that implements the functions of two or more modules. In some embodiments, the second obtaining module 502 and the second verifying module 504 may be two modules, or one module having both obtaining and verifying functions. For example, each module may share one memory module, and each module may have its own memory module. Such variations are within the scope of one or more embodiments of the present description.
Fig. 6 is an exemplary flow diagram of a second platform side of a method for identity authentication, shown in accordance with some embodiments of the present description. As shown in fig. 6, a method for identity authentication may include:
step 602, receiving first platform information from a first platform. In some embodiments, step 602 may be performed by second acquisition module 502.
In some embodiments, the first platform information may include user ID related information; in some embodiments, the first platform information may further include access information rights corresponding to the user ID. In some embodiments, the first platform information may also include a user's access request for one or more specified contents. In some embodiments, receiving the access information permission from the first platform may also be performed by means of an interface call, that is, the first platform calls the data or service of the second platform using the user ID and its corresponding access information permission as input parameters of the call interface, and the second platform acquires the access information authority corresponding to the user ID from the call interface of the first platform. In some embodiments, the first platform information may further include time information related to an access request for the specified content. For a more detailed description of the first platform information, see elsewhere herein, for example fig. 4.
In some embodiments, the first platform information may be sent by the server 110-1 of the first platform to the server 110-2 of the second platform (the second receiving module 602) through the network 140.
At step 604, first platform information from the first platform is verified. In some embodiments, this step may be performed by the second authentication module 504.
Step 604 uses the received first platform information to verify and confirm the user ID and the access information authority corresponding to it. In some embodiments, the received first platform information includes a user ID and an access information authority corresponding to the user ID. Correspondingly, the verification of the first platform information by the second platform may include verifying the related information of the user ID, to confirm whether the received user ID has the related authority on the second platform and whether the user ID information is accurate; it may further include verifying the user ID together with its corresponding access information authority, to confirm whether the user ID matches the received access information authority; and it may further include verifying the access information authority itself, to confirm whether the received access information authority is authentic. For more description of the verification of the access information authority, reference may be made to the description elsewhere in this specification, for example fig. 7.
At step 606, a login token is generated based at least on the first platform information. In some embodiments, this step may be performed by the generation module 506.
The login token generated at least based on the first platform information is valid within a preset time range, and the generated login token has the following functions: when the user ID accesses the specified content of the second platform through the first platform by using the login token within the preset time range, the second platform is not required to verify the user ID again. Wherein the access right of the specified content is related to the first platform information. In some embodiments, the first platform information includes at least a user ID, and correspondingly, the access right specifying the content is related to at least the user ID. In some embodiments, the first platform information includes a user ID and its corresponding access information rights, and the access rights specifying the content are related to the user ID and the access information rights corresponding to the user ID.
In some embodiments, when the first platform information includes a plurality of access information rights corresponding to the user ID, the login token generated based on the first platform information may correspond to the user ID and one of the access information rights it has. In some embodiments, when the generated login token includes a plurality of login tokens, each login token has a corresponding user ID and an access information authority corresponding to the user ID. In some embodiments, a user ID and an access information permission corresponding to the user ID are considered an access information permission pair, and the access information permission pair should have a login token corresponding thereto. In some embodiments, generating the login token based on the first platform information may include: determining a plurality of user ID and access information authority pairs based on the user ID in the first platform information and a plurality of access information authorities corresponding to the user ID; a plurality of login tokens are generated based on the plurality of user ID and access information authority pairs.
In some embodiments, the access information authority corresponding to the user ID is stored in the second platform, and if the second platform generates the login token based on the user ID and the access information authority corresponding to the user ID, the access information authority corresponding to the user ID needs to be determined before the login token is generated, for example, the second platform may determine the access information authority corresponding to the user ID based on a relationship list of the user ID and the access information authority corresponding to the user ID in its own memory. That is, in some embodiments, the identity authentication method further comprises determining access information rights corresponding to the user ID. In some embodiments, generating the login token based at least on the first platform information may further comprise: and generating the login token based on the first platform information and the access information authority.
In some embodiments, the access information permissions corresponding to the user ID are stored on the second platform, and the first platform information further includes a user request to access specified content of the second platform. That is, the access information authority corresponding to the specified content requested to be accessed generates a login token, and the access information authority corresponding to the specified content not requested to be accessed does not generate a login token, so that resource waste caused by the fact that the generated login token is not used is avoided.
That is, in some embodiments, determining the access information permissions corresponding to the user ID may further include: and determining the access information authority corresponding to the specified content requested to be accessed from one or more access information authorities which the user ID has based on the specified content requested to be accessed by the user, and taking the access information authority corresponding to the specified content requested to be accessed as the access information authority corresponding to the user ID. For example, if the user ID has 3 access information rights corresponding to the user ID, and the user uses the user ID to issue an access request to specified content corresponding to two of the access information rights, the two access information rights corresponding to the specified content requested to be accessed may be used as the determination result of the step "determining the access information rights corresponding to the user ID", that is, as the access information rights corresponding to the user ID, and the two access information rights may be used to generate a corresponding login token.
Correspondingly, in some embodiments, generating the login token based at least on the first platform information and the access information authority may further include: determining a plurality of user IDs and access information authority pairs based on a plurality of access information authorities corresponding to the plurality of user IDs; a plurality of login tokens are generated based on the plurality of user ID and access information authority pairs.
In some embodiments, after determining the access information permissions corresponding to the user ID, the determination may also be stored for use in subsequently generating a login token. That is, in some embodiments, the identity authentication method may further include: and storing the user ID and the access information authority corresponding to the user ID.
It should be noted that in the step "determining the access information authority corresponding to the user ID", and in the steps and expressions related to it, the phrase "access information authority corresponding to the user ID" refers to the access information authority used to generate the login token. Elsewhere in this specification, the same phrase only describes the relationship between the user ID and the access information authorities it has; whether a login token is generated for them depends on the particular embodiment. The related steps and expressions include, but are not limited to: determining user ID and access information authority pairs based on the access information authorities corresponding to the user IDs, and storing the user ID together with its corresponding access information authority, provided that the purpose in that step or expression is the same as in the step above.
In some embodiments, generating the login token further comprises encrypting the first platform information. Correspondingly, in some embodiments, generating the login token based at least on the first platform information and the access information authority may further include: the login token is generated based on an asymmetric encryption algorithm.
In some embodiments, the asymmetric encryption algorithm requires two keys, a public key and a private key, which form a pair: if the public key is used to encrypt data, only the corresponding private key can decrypt it. Asymmetric encryption algorithms include, but are not limited to, any of RSA, ElGamal, the knapsack algorithm, Rabin, D-H, or ECC. In some embodiments, generating the login token based at least on the first platform information may further comprise generating the login token based on a hash algorithm. The hash algorithm includes, but is not limited to, any of MD2, MD4, MD5, HAVAL, or SHA.
Step 608, return the login token. In some embodiments, step 608 may be performed by the first return module 508.
In some embodiments, the second platform returns the generated login token to the first platform, and the first platform returns the specified content URL corresponding to the login token to the client based on the returned login token, so that the user can access the specified content of the second platform through the specified content URL with the login token.
It should be noted that the above description of the flow 600 is for illustration and description only and does not limit the scope of application of the present disclosure. Various modifications and changes to flow 600 will be apparent to those skilled in the art in light of this description; such modifications and variations remain within the scope of the present description. For example, in some embodiments, steps 606 and 608 may be omitted when the user's access information rights have already been cached in the second platform. As another example, in some embodiments, when the user is not logging in to the second platform for the first time and the time range has not been changed, step 610 may be omitted. Steps 602, 604, 606, 608, 610, 612 and/or 614 may be performed on the same device or on different devices.
Fig. 7 is a schematic diagram of the sub-flow in fig. 6 for verifying the first platform information according to some embodiments. The operation of the process shown below is for illustration purposes only. In some embodiments, process 700, when implemented, may add one or more operations not described in one or more embodiments of the specification, and/or omit one or more operations described herein. Additionally, the order in which the operations of the process are illustrated in FIG. 7 and described below is not intended to be limiting. In some embodiments, process 700 may be performed by the second verification module 504 in the identity authentication system.
In some embodiments, the first platform information includes a user ID and its corresponding access information authority, and in this case the sub-process of verifying the first platform information includes:
Step 702, verify the user ID. This step authenticates the user ID to confirm that the user ID has the associated rights on the second platform. In some embodiments, verifying the user ID may include verifying the user ID related information.
Step 704, verify that the user ID and its corresponding access information authority are consistent with the information stored in the second platform.
In some embodiments, the plurality of access information permissions that the user ID has are stored on the second platform, and in some embodiments, the information stored on the second platform includes a correspondence between the plurality of access information permissions that the user ID has and the user ID. In some embodiments, verifying the first platform information further includes comparing the user ID and the corresponding access information authority acquired from the first platform with the correspondence between the user ID and the access information authority stored in the second platform, and giving a judgment result of whether the user ID and the access information authority are consistent.
In some embodiments, if the comparison in the above steps shows that the obtained first platform information is consistent with the information stored in the second platform, step 706 is performed and the verification passes. In some embodiments, if the comparison result is inconsistent, the client is required to enter the user ID related information again, the first platform sends the first platform information to the second platform again, and the second platform verifies it again based on the newly received first platform information.
Fig. 8 is a block diagram illustrating a second platform side implementing authentication for an identity authentication system in accordance with some embodiments of the present description. As shown in fig. 8, a system for identity authentication may include a fifth obtaining module 802, a third verifying module 804, a sixth obtaining module 806, and a second returning module 808.
The fifth obtaining module 802 may be configured to obtain a user's access request for the specified content in the first platform. The specified content is an embedded page of the second platform in the first platform, and the access request carries a login token.
The third authentication module 804 may be used to authenticate the login token.
The sixth obtaining module 806 may be configured to obtain the requested data when the login token is authenticated. In some embodiments, the sixth obtaining module 806 may further be configured to obtain the requested data by using the login token and/or the user ID obtained by parsing the login token and the access information authority corresponding to the user ID.
A second return module 808 may be used to return the requested data.
In some embodiments, the login token is verified, and the verification passes when one or more of the following conditions are met, in combination: the login token is consistent with the information stored in the second platform; the time at which the access request carrying the login token was obtained is within the preset time range; the login token is parsed successfully; and the user ID and corresponding access information authority obtained by parsing the login token are consistent with the information stored in the second platform.
In some embodiments, the system further comprises a time extension module operable to extend the preset time range when the login token is validated.
It should be understood that the system and its modules shown in FIG. 8 may be implemented in a variety of ways. For example, in some embodiments, the system and its modules may be implemented in hardware, software, or a combination of software and hardware. The hardware portion may be implemented using dedicated logic; the software portion may be stored in a memory for execution by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the methods and systems described above may be implemented using computer executable instructions and/or embodied in processor control code, such code being provided, for example, on a carrier medium such as a diskette, CD- or DVD-ROM, a programmable memory such as read-only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The system and its modules of one or more embodiments of the present specification may be implemented not only by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips and transistors, or programmable hardware devices such as field programmable gate arrays and programmable logic devices, but also by software executed by various types of processors, or by a combination of hardware circuits and software (e.g., firmware).
It should be noted that the above descriptions of the candidate item display and determination system and the modules thereof are merely for convenience of description, and are not intended to limit one or more embodiments of the present disclosure to the scope of the illustrated embodiments. It will be appreciated by those skilled in the art that, given the teachings of the present system, any combination of the various modules, or the connection of the constituent subsystems to other modules, or the omission of one or more of the modules, may be made without departing from such teachings. For example, the fifth obtaining module 802, the third verifying module 804, the sixth obtaining module 806 and the second returning module 808 disclosed in fig. 8 may be different modules in a system, or may be a module that implements the functions of two or more modules described above. In some embodiments, the fifth obtaining module 802 and the third verifying module 804 may be two modules, or one module having both obtaining and verifying functions. For example, each module may share one memory module, and each module may have its own memory module. Such variations are within the scope of one or more embodiments of the present description.
Fig. 9 is another exemplary flow diagram of the second platform side of the identity authentication method according to some embodiments of the present description. As shown in fig. 9, process 900 may include:
Step 902, obtain a user's access request for the specified content in the first platform. In some embodiments, step 902 may be performed by the fifth acquisition module 802.
In some embodiments, when a user accesses specified content of the second platform through the first platform at the client, the second platform can acquire an access request of the user. In some embodiments, the access request carries a login token generated by the second platform based on the first platform information.
In some embodiments, the access request may be communicated by the server 110-1 of the first platform to the server 110-2 of the second platform via the network 140.
Step 904, verify the login token. In some embodiments, step 904 may be performed by third verification module 804.
After receiving a user's access request carrying a login token, the second platform verifies the login token. In some embodiments, the verification passes when one or more of the following conditions are met, in combination: (1) the login token is consistent with the information stored in the second platform; (2) the time of the access request carrying the login token is within the preset time range; (3) the login token is parsed successfully; (4) the user ID and corresponding access information authority obtained by parsing the login token are consistent with the information stored in the second platform.
In some embodiments, the information stored by the second platform includes a correspondence between a user ID and its corresponding access information permissions, the login token is generated based at least on the correspondence between the user ID and its corresponding access information permissions, and the authentication is passed if the login token is verified to be consistent with the information stored by the second platform.
In some embodiments, the generated login token is valid for a preset time and becomes invalid once the preset time is exceeded. That is, in some embodiments, if the time at which the access request carrying the login token is acquired is within the preset time range, the verification passes.
In some embodiments, the second platform may parse the login token when verifying it, and if the login token can be parsed successfully, the login token is considered verified.
In some embodiments, when the second platform verifies the login token, the second platform parses the login token to obtain the user ID and the corresponding access information authority, compares the user ID and the corresponding access information authority with the information stored in the second platform, and if the comparison result is consistent, the verification is passed.
Step 906, respond to the login token passing verification. When the login token is found to meet one or more of the above conditions, the second platform responds, i.e. the login token is verified.
Step 908, obtain the requested data and return the data. In some embodiments, obtaining the requested data may be performed by the sixth obtaining module 806 and returning the data may be performed by the second returning module 808. After the login token passes verification, the second platform acquires the requested data and returns it to the first platform or the client.
In some embodiments, obtaining the requested data may further include: acquiring the requested data by using the login token and/or the user ID obtained by parsing the login token together with the access information authority corresponding to the user ID.
In some embodiments, the manner in which data is returned to the client may be through a web page to directly display or return a document bearing the data. For example, what is displayed directly through a web page may be the progress of the data processing or it may be a page that may be used to view a particular data processing.
In some embodiments, after the login token passes verification, the second platform recalculates the preset time range by taking the time at which the login token passed verification as the new start time. That is, in some embodiments, the identity authentication method further comprises extending the preset time range. In some embodiments, a successful login to the second platform using the login token, or an operation performed on the second platform after a successful login, may extend the preset time range. For example, in some embodiments, the start time of the preset time range may be the generation time of the login token; when the generation time is taken as the start time, the login token is valid within the preset time range measured from that start time. For another example, if the specific value of the preset time range is 5 minutes and the login token is generated at "2019-05-30" 20", the login token is valid within the time range starting from "2019-05-30. In some embodiments, the start time of the preset time range may also be updated according to the time at which the login token is used. For example, if the specific value of the preset time range is 5 minutes, the login token is generated at "2019-05-30" 20", and the user accesses with the login token at a time point "2019-05-30" within the time range from "2019-05-30" to "2019-05-3014 "20.
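The following is an added example, not code from the patent, that ties together the second platform steps described above: selecting only the access information authorities that match the requested specified content, generating one login token per user ID and authority pair, the first platform carrying the token as a URL parameter, and verification against the four conditions with the preset time range restarted on each successful check. All data is constructed, the HMAC-SHA256 keyed hash stands in for the hash or asymmetric option the text leaves open, and times are plain integer seconds.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed sample state for the second platform (not the patent's data).
SECRET_KEY = b"constructed-second-platform-key"   # hypothetical key held by the second platform
PRESET_RANGE_SECONDS = 300                        # the 5-minute preset time range from the text

# Correspondence between user IDs and the access information authorities they hold.
USER_PERMISSIONS = {
    "user-42": {"report:view", "report:export", "billing:view"},
}
# Which authority each piece of specified (embedded) content requires. Constructed.
CONTENT_PERMISSION = {
    "/embedded/reports": "report:view",
    "/embedded/reports/export": "report:export",
    "/embedded/billing": "billing:view",
}
# Issued tokens and the start time of each one's validity window
# (the "information stored in the second platform").
ISSUED_TOKENS = {}


def select_permissions(user_id, requested_contents):
    """Of the authorities the user ID holds, keep only those matching the
    specified content actually requested, so no unused token is generated."""
    owned = USER_PERMISSIONS.get(user_id, set())
    needed = {CONTENT_PERMISSION[c] for c in requested_contents if c in CONTENT_PERMISSION}
    return sorted(owned & needed)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload):
    # Keyed hash over the payload; stands in for the page's hash/asymmetric option.
    return _b64(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())


def generate_tokens(user_id, permissions, issued_at):
    """One login token per (user ID, access information authority) pair."""
    tokens = []
    for perm in permissions:
        claims = {"uid": user_id, "perm": perm, "iat": issued_at}
        payload = json.dumps(claims, sort_keys=True).encode()
        token = _b64(payload) + "." + _tag(payload)
        ISSUED_TOKENS[token] = issued_at      # window initially starts at generation time
        tokens.append(token)
    return tokens


def build_content_url(base_url, token):
    """First platform side: carry the token as a URL parameter of the embedded page."""
    return base_url + "?" + urlencode({"token": token})


def verify_token(token, now):
    """Check the four conditions from the text; on success, restart the preset
    time range from `now`. Returns (passed, reason)."""
    # (3) the token must parse and its tag must match
    try:
        body, tag = token.split(".")
        payload = _unb64(body)
        claims = json.loads(payload)
    except ValueError:
        return False, "unparseable"
    if not hmac.compare_digest(tag, _tag(payload)):
        return False, "bad tag"
    # (1) the token must be consistent with what the second platform stored
    if token not in ISSUED_TOKENS:
        return False, "unknown token"
    # (2) the request time must fall inside the current preset time range
    start = ISSUED_TOKENS[token]
    if not start <= now <= start + PRESET_RANGE_SECONDS:
        return False, "expired"
    # (4) the parsed user ID / authority pair must still match the stored correspondence
    if claims["perm"] not in USER_PERMISSIONS.get(claims["uid"], set()):
        return False, "authority not held"
    ISSUED_TOKENS[token] = now                # extension: recount the range from verification time
    return True, "ok"
```

Condition (4) is what makes a revoked authority take effect before the window closes, which a purely time-based check would miss.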
The beneficial effects that may be brought by the embodiments of the present description include, but are not limited to: in the description, a token parameter is added to the URL of the embedded page, so that the token is carried in the URL parameter of the embedded page as it passes from the Web front end to the Web back end, and the token is used to bypass repeated login authentication, thereby solving the problem that login authentication must be performed again whenever the context information of a tab page in the tab-based platform changes, and improving working efficiency. It is to be noted that different embodiments may produce different advantages; in different embodiments, any one or combination of the above advantages, or any other advantages, may be obtained.
Having thus described the basic concept, it will be apparent to those skilled in the art that the foregoing detailed disclosure is to be regarded as illustrative only and not as limiting the present specification. Various modifications, improvements and adaptations to the present description may occur to those skilled in the art, though not explicitly described herein. Such modifications, improvements and adaptations are proposed in the present specification and thus fall within the spirit and scope of the exemplary embodiments of the present specification.
Also, the description uses specific words to describe embodiments of the description. Reference throughout this specification to "one embodiment," "an embodiment," and/or "some embodiments" means that a particular feature, structure, or characteristic described in connection with at least one embodiment of the specification is included. Therefore, it is emphasized and should be appreciated that two or more references to "an embodiment" or "one embodiment" or "an alternative embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, certain features, structures, or characteristics may be combined as suitable in one or more embodiments of the specification.
Moreover, those skilled in the art will appreciate that aspects of the present description may be illustrated and described in terms of several patentable species or situations, including any new and useful combination of processes, machines, manufacture, or materials, or any new and useful improvement thereof. Accordingly, aspects of this description may be performed entirely by hardware, entirely by software (including firmware, resident software, micro-code, etc.), or by a combination of hardware and software. The above hardware or software may be referred to as a "data block," "module," "engine," "unit," "component," or "system." Furthermore, aspects of the present description may be represented as a computer product, including computer readable program code, embodied in one or more computer readable media.
The computer storage medium may comprise a propagated data signal with the computer program code embodied therewith, for example, on baseband or as part of a carrier wave. The propagated signal may take any of a variety of forms, including electromagnetic, optical, etc., or any suitable combination. A computer storage medium may be any computer-readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code located on a computer storage medium may be propagated over any suitable medium, including radio, cable, fiber optic cable, RF, or the like, or any combination of the preceding.
Computer program code required for the operation of various portions of this specification may be written in any one or more of a variety of programming languages, including an object oriented programming language such as Java, Scala, Smalltalk, Eiffel, JADE, Emerald, C++, C#, VB.NET, Python, and the like, a conventional programming language such as C, Visual Basic, Fortran 2003, Perl, COBOL 2002, PHP, ABAP, a dynamic programming language such as Python, Ruby, and Groovy, or other programming languages, and the like. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or processing device. In the latter scenario, the remote computer may be connected to the user's computer through any form of network, such as a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet), or in a cloud computing environment, or as a service using, for example, software as a service (SaaS).
Additionally, the order in which the elements and sequences of the process are recited in the specification, the use of alphanumeric characters, or other designations, is not intended to limit the order in which the processes and methods of the specification occur, unless otherwise specified in the claims. While various presently contemplated embodiments of the invention have been discussed in the foregoing disclosure by way of example, it is to be understood that such detail is solely for that purpose and that the appended claims are not limited to the disclosed embodiments, but, on the contrary, are intended to cover all modifications and equivalent arrangements that are within the spirit and scope of the embodiments herein. For example, although the system components described above may be implemented by hardware devices, they may also be implemented by software-only solutions, such as installing the described system on an existing processing device or mobile device.
Similarly, it should be noted that in the preceding description of embodiments of the present specification, various features are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure aiding in the understanding of one or more of the embodiments. This method of disclosure, however, is not intended to imply that more features than are expressly recited in a claim. Indeed, the embodiments may be characterized as having less than all of the features of a single embodiment disclosed above.
Numerals describing the number of components, attributes, etc. are used in some embodiments, it being understood that such numerals used in the description of the embodiments are modified in some instances by the use of the modifier "about", "approximately" or "substantially". Unless otherwise indicated, "about", "approximately" or "substantially" indicates that the number allows a variation of ± 20%. Accordingly, in some embodiments, the numerical parameters set forth in the specification and claims are approximations that may vary depending upon the desired properties sought to be obtained by a particular embodiment. In some embodiments, the numerical parameter should take into account the specified significant digits and employ a general digit preserving approach. Notwithstanding that the numerical ranges and parameters setting forth the broad scope of the range are approximations, in the specific examples, such numerical values are set forth as precisely as possible within the scope of the application.
For each patent, patent application publication, and other material, such as articles, books, specifications, publications, documents, etc., cited in this specification, the entire contents of each are hereby incorporated by reference into the specification. Except where the application history document does not conform to or conflict with the contents of the present specification, it is to be understood that the application history document, as used herein in the present specification or appended claims, is intended to define the broadest scope of the present specification (whether presently or later in the specification) rather than the broadest scope of the present specification. It is to be understood that the descriptions, definitions and/or uses of terms in the accompanying materials of this specification shall control if they are inconsistent or contrary to the descriptions and/or uses of terms in this specification.
Finally, it should be understood that the embodiments described herein are merely illustrative of the principles of the embodiments of the present disclosure. Other variations are also possible within the scope of the present description. Thus, by way of example, and not limitation, alternative configurations of the embodiments of the present specification can be seen as consistent with the teachings of the present specification. Accordingly, the embodiments of the present description are not limited to only those embodiments explicitly described and depicted herein.

Claims (18)

1. A method of identity authentication, the method being performed by at least one processor of a first platform, the method comprising:
acquiring a user ID and verifying login information of the user ID;
acquiring first platform information and transmitting the first platform information to a second platform; the first platform information is at least used for the second platform to verify the user ID;
receiving a login token returned by the second platform, wherein the login token is related to the first platform information and is valid within a preset time range;
wherein the login token is capable of causing: when the user ID accesses the specified content of the second platform by using the login token through the first platform within a preset time range, the user ID does not need to be verified again through the second platform; the first platform information includes access information authority corresponding to the user ID, the access information authority corresponding to the user ID being related to the specified content.
2. The method of claim 1,
the communicating the first platform information to a second platform comprises:
transmitting the user ID and the access information authority corresponding to the user ID to the second platform through a calling interface.
3. The method of claim 1, further comprising:
acquiring an access request of a user for specified content of a second platform; the specified content comprises an embedded page of the second platform in the first platform;
outputting a specified content URL including the login token.
4. The method of claim 3, wherein the user ID has one or more access information rights;
the acquiring of the first platform information includes:
determining the access information authority corresponding to the specified content from the one or more access information authorities based on the specified content which the user requests to access, and including the access information authority corresponding to the specified content, as the access information authority corresponding to the user ID, in the first platform information.
5. A system for identity authentication, the system comprising:
the first acquisition module is used for acquiring a user ID;
the first verification module is used for verifying the login information of the user ID;
the second acquisition module is used for acquiring the first platform information; the first platform information is at least used for the second platform to verify the user ID;
the first transmission module is used for transmitting the first platform information to a second platform;
the first receiving module is used for receiving a login token returned by the second platform, wherein the login token is related to the first platform information and is valid within a preset time range; wherein the login token is capable of causing that, within the preset time range, when the user ID accesses the specified content of the second platform by using the login token through the first platform, the user ID does not need to be verified again by the second platform; the first platform information comprises the access information authority corresponding to the user ID, and the access information authority corresponding to the user ID is related to the specified content.
6. The system of claim 5, wherein the first delivery module is further configured to deliver the user ID and the corresponding access information permission to the second platform through a call interface.
7. The system of claim 5, further comprising:
the fourth acquisition module is used for acquiring an access request of a user for the specified content of the second platform; the specified content comprises an embedded page of the second platform in the first platform;
a first output module for outputting a specified content URL including the login token.
8. The system of claim 7, wherein the user ID has one or more access information rights;
the system also comprises a third acquisition module, a second acquisition module and a third display module, wherein the third acquisition module is used for determining the access information authority corresponding to the specified content from the one or more access information authorities based on the specified content which the user requests to access, and taking the access information authority corresponding to the specified content as the access information authority corresponding to the user ID;
the second acquisition module is used for including the access information authority corresponding to the user ID in the first platform information.
9. An apparatus for identity verification, the apparatus comprising at least one processor and at least one memory;
the at least one memory is for storing computer instructions;
the at least one processor is configured to execute at least some of the computer instructions to implement the operations of any of claims 1-4.
10. A method of identity authentication, the method being performed by at least one processor of a second platform, the method comprising:
receiving and verifying first platform information from a first platform;
generating a login token based at least on the first platform information;
returning the login token;
wherein the login token is valid within a preset time range; the login token is capable of causing that, within the preset time range, when the user ID accesses the specified content of the second platform by using the login token through the first platform, the user ID does not need to be verified again by the second platform; the first platform information comprises the access information authority corresponding to the user ID, and the access information authority corresponding to the user ID is related to the specified content.
11. The method of claim 10, wherein receiving the first platform information from the first platform further comprises:
acquiring the user ID and the access information authority corresponding to the user ID from a calling interface of the first platform.
12. The method of claim 10, further comprising:
acquiring an access request of a user for specified content in a first platform; the specified content is an embedded page of a second platform in the first platform; the access request carries a login token;
verifying the login token;
in response to the login token passing verification, acquiring the requested data and returning the data.
13. The method of claim 12, wherein the authentication of the login token passes when a combination of one or more of the following conditions is met:
verifying that the login token is consistent with the information stored in the second platform;
verifying that the time of the access request carrying the login token is within the preset time range;
successfully parsing the login token;
and verifying that the user ID and the corresponding access information authority obtained by parsing the login token are consistent with the information stored in the second platform.
14. A system for identity authentication, the system comprising:
the second receiving module is used for receiving the first platform information from the first platform;
the second verification module is used for verifying the first platform information from the first platform;
a generation module for generating a login token based on at least the first platform information; the login token is valid within a preset time range; the login token enables the following: within the preset time range, when a user ID accesses the specified content of a second platform through the first platform using the login token, the user ID does not need to be verified again by the second platform; the first platform information comprises the access information authority corresponding to the user ID, and the access information authority corresponding to the user ID is related to the specified content;
and the first returning module is used for returning the login token.
15. The system of claim 14, wherein the second receiving module is further configured to obtain the user ID and the corresponding access information authority from a call interface of the first platform.
16. The system of claim 12, further comprising:
the fifth acquisition module is used for acquiring an access request of a user for the specified content in the first platform; the specified content is an embedded page of a second platform in the first platform; the access request carries a login token;
a third authentication module for authenticating the login token;
a sixth obtaining module, configured to obtain the requested data when the login token passes the verification;
a second return module to return the requested data.
17. The system of claim 16, wherein the authentication of the login token passes when a combination of one or more of the following conditions is met:
verifying that the login token is consistent with the information stored in the second platform;
verifying that the time of the access request carrying the login token is within the preset time range;
successfully parsing the login token;
and verifying that the user ID and the corresponding access information authority obtained by parsing the login token are consistent with the information stored in the second platform.
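A worked illustration of the second-platform side described in claims 10 to 13 and 16 to 17: the second platform verifies the first platform information, mints a time-limited login token bound to the user ID and its access information authority, and later admits an embedded-page request only when every listed condition holds. This is added example code, not code from the patent or its assignee; the HMAC-based verification of the first platform information, the secret values, the 300-second window, the in-memory record and the sample user are all assumptions.

```python
import base64, hashlib, hmac, json, time
# Constructed secrets and TTL for the example; a real deployment keeps these in a secret store.
FIRST_PLATFORM_SECRET = b"first-platform-shared-secret"   # assumed: shared between the two platforms
TOKEN_SECRET = b"second-platform-token-secret"            # assumed: known only to the second platform
TOKEN_TTL_SECONDS = 300                                   # the claims' "preset time range" (assumed value)
_issued = {}   # stands in for "information stored in the second platform": user_id -> (token, permission)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_first_platform_info(info):
    """First-platform side (assumed): MAC over the user ID and access permission it hands over."""
    body = json.dumps(info, sort_keys=True).encode()
    return hmac.new(FIRST_PLATFORM_SECRET, body, hashlib.sha256).hexdigest()

def issue_login_token(info, sig, now=None):
    """Claims 10-11: verify the first platform information, then generate and return a login token."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(sign_first_platform_info(info), sig):
        raise ValueError("first platform information failed verification")
    payload = {"uid": info["user_id"], "perm": info["access_permission"], "iat": int(now)}
    raw = json.dumps(payload, sort_keys=True).encode()
    token = _b64(raw) + "." + _b64(hmac.new(TOKEN_SECRET, raw, hashlib.sha256).digest())
    _issued[info["user_id"]] = (token, info["access_permission"])   # record used by the consistency checks
    return token

def verify_login_token(token, content, now=None):
    """Claims 12-13 / 16-17: every condition must hold; any failure refuses the embedded-page request."""
    now = time.time() if now is None else now
    try:                                                   # (3) the token must parse and its MAC must check
        body_b64, mac_b64 = token.split(".")
        raw = _unb64(body_b64)
        if not hmac.compare_digest(hmac.new(TOKEN_SECRET, raw, hashlib.sha256).digest(), _unb64(mac_b64)):
            return None
        payload = json.loads(raw)
        uid, perm, iat = payload["uid"], payload["perm"], payload["iat"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    stored = _issued.get(uid)
    if stored is None or not hmac.compare_digest(stored[0], token):   # (1) token matches the stored one
        return None
    if not (iat <= now < iat + TOKEN_TTL_SECONDS):        # (2) request time within the preset range
        return None
    if stored[1] != perm or content not in perm:          # (4) parsed uid/permission match the record and cover this content
        return None
    return {"user_id": uid, "content": content}
```

Re-issuing a token for the same user ID replaces the stored record, so an earlier token fails condition (1) even while still inside its time window.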
18. An apparatus for identity verification, the apparatus comprising at least one processor and at least one memory;
the at least one memory is for storing computer instructions;
the at least one processor is configured to execute at least some of the computer instructions to implement the operations of any of claims 10 to 13.
CN201910598760.XA 2019-07-04 2019-07-04 Identity authentication method and system Active CN110309636B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202310081762.8A CN116049785A (en) 2019-07-04 2019-07-04 Identity authentication method and system
CN201910598760.XA CN110309636B (en) 2019-07-04 2019-07-04 Identity authentication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910598760.XA CN110309636B (en) 2019-07-04 2019-07-04 Identity authentication method and system

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202310081762.8A Division CN116049785A (en) 2019-07-04 2019-07-04 Identity authentication method and system

Publications (2)

Publication Number Publication Date
CN110309636A CN110309636A (en) 2019-10-08
CN110309636B true CN110309636B (en) 2022-11-25

Family

ID=68078146

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910598760.XA Active CN110309636B (en) 2019-07-04 2019-07-04 Identity authentication method and system
CN202310081762.8A Pending CN116049785A (en) 2019-07-04 2019-07-04 Identity authentication method and system

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202310081762.8A Pending CN116049785A (en) 2019-07-04 2019-07-04 Identity authentication method and system

Country Status (1)

Country Link
CN (2) CN110309636B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110806916B (en) * 2019-11-05 2024-01-26 北京金和网络股份有限公司 Method and system for realizing personalized login page of each tenant of SAAS platform
CN111177632A (en) * 2019-12-31 2020-05-19 上海商汤智能科技有限公司 Data acquisition method and related equipment, system and storage device thereof
CN111314491B (en) * 2020-03-27 2022-07-08 北京尚医智信健康管理有限公司 Cross-tenant data interaction method and device, server cluster and medium
CN112380560A (en) * 2020-05-10 2021-02-19 蔡萍萍 Data encryption method applied to E-commerce live broadcast platform and big data server
CN112491861A (en) * 2020-11-20 2021-03-12 长沙市到家悠享网络科技有限公司 Login state synchronization method, device and storage medium
CN112199659B (en) * 2020-12-03 2021-03-23 湖北亿咖通科技有限公司 Access method, system and electronic device for multi-service platform of vehicle
CN112199656B (en) * 2020-12-03 2021-02-26 湖北亿咖通科技有限公司 Access authority acquisition method of service platform and access control method of service platform
CN112528305B (en) * 2020-12-16 2023-10-10 平安银行股份有限公司 Access control method, device, electronic equipment and storage medium
CN112685719B (en) * 2020-12-29 2022-05-20 武汉联影医疗科技有限公司 Single sign-on method, device, system, computer equipment and storage medium
CN113065116A (en) * 2021-04-12 2021-07-02 浙江环玛信息科技有限公司 Uniform login method and system for court integration platform
CN113065160A (en) * 2021-04-12 2021-07-02 浙江环玛信息科技有限公司 Intelligent court data transmission method and system
CN113591064B (en) * 2021-07-13 2024-03-29 北京淇瑀信息科技有限公司 User reauthentication method, system and computer equipment for internet service
CN114567509B (en) * 2022-03-18 2024-04-30 上海派拉软件股份有限公司 Web application access system and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209749A (en) * 2015-05-08 2016-12-07 阿里巴巴集团控股有限公司 Single-point logging method and the processing method and processing device of device, relevant device and application
CN106384028A (en) * 2016-09-12 2017-02-08 浪潮软件股份有限公司 Method for supporting unified identity authentication service realization of multiple tenants
CN107026847A (en) * 2017-02-09 2017-08-08 阿里巴巴集团控股有限公司 One kind trusts login method, server and system
CN108924125A (en) * 2018-06-29 2018-11-30 招银云创(深圳)信息技术有限公司 Control method, device, computer equipment and the storage medium of interface calling permission

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8839395B2 (en) * 2011-05-13 2014-09-16 Cch Incorporated Single sign-on between applications
CA3025198C (en) * 2016-06-06 2021-08-24 Illumina, Inc. Tenant-aware distributed application authentication
US10645079B2 (en) * 2017-05-12 2020-05-05 Bank Of America Corporation Preventing unauthorized access to secured information systems using authentication tokens and multi-device authentication prompts

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on the application of single sign-on in a unified user management system; 胡丽丽 (Hu Lili); 《电脑知识与技术》 (Computer Knowledge and Technology); 2017-11-05 (No. 31); pp. 262-263 *

Also Published As

Publication number Publication date
CN110309636A (en) 2019-10-08
CN116049785A (en) 2023-05-02

Similar Documents

Publication Publication Date Title
CN110309636B (en) Identity authentication method and system
US11233648B2 (en) Identity system for use with blockchain platform
US11190355B2 (en) Secure biometric authentication using electronic identity
US20230376585A1 (en) Verification of access to secured electronic resources
US11582040B2 (en) Permissions from entities to access information
WO2021017128A1 (en) Login token generation method and apparatus, login token verification method and apparatus, and server
CN106549920B (en) Login information input method, login information storage method and related device
US20180196875A1 (en) Determining repeat website users via browser uniqueness tracking
US20210288973A1 (en) Location-based user authentication
CA3057396A1 (en) Methods and devices for acquiring and recording tracking information on blockchain
US10015171B1 (en) Authentication using metadata from posts made to social networking websites
CN105354451B (en) Access authentication method and system
CN111431719A (en) Mobile terminal password protection module, mobile terminal and password protection method
WO2020181809A1 (en) Data processing method and system based on interface checking, and computer device
CN110569658A (en) User information processing method and device based on block chain network, electronic equipment and storage medium
US10616209B2 (en) Preventing inter-application message hijacking
KR102110642B1 (en) Password protection question setting method and device
US11487899B2 (en) Automated tiered security for confidential information and confidential information sharing and methods thereof
US20210083873A1 (en) Secure authorization for sensitive information
US8910260B2 (en) System and method for real time secure image based key generation using partial polygons assembled into a master composite image
CN108965335B (en) Method for preventing malicious access to login interface, electronic device and computer medium
JP6037460B2 (en) Service providing apparatus, program, and method
CN107517177B (en) Interface authorization method and device
CN112748960A (en) Process control method and device, electronic equipment and storage medium
US10868882B1 (en) Methods and systems for facilitating redirecting of internet traffic to service providers of a particular location

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20200924

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200924

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant after: Advanced innovation technology Co.,Ltd.

Address before: P.O. Box 847, 4th Floor, Grand Cayman Capital Building, British Cayman Islands

Applicant before: Alibaba Group Holding Ltd.

GR01 Patent grant
GR01 Patent grant