CN110535882A - A kind of identity authentication service method and system based on heterogeneous terminals - Google Patents

Info

Publication number: CN110535882A
Application number: CN201910925627.0A
Authority: CN (China)
Prior art keywords: user, resource, server, authorization, authorization server
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 杨劲锋, 金鑫, 罗奕, 罗鸿轩
Current assignee: CSG Electric Power Research Institute; China Southern Power Grid Co Ltd; Research Institute of Southern Power Grid Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Southern Power Grid Co Ltd; Research Institute of Southern Power Grid Co Ltd
Application filed by: China Southern Power Grid Co Ltd, Research Institute of Southern Power Grid Co Ltd
Priority to: CN201910925627.0A
Publication of: CN110535882A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 ... for authentication of entities
                • H04L63/0861 ... using biometrical features, e.g. fingerprint, retina-scan
            • H04L63/10 ... for controlling access to devices or network resources
            • H04L63/12 Applying verification of the received information
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
                • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
        • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                • H04L9/321 ... involving a third party or a trusted authority
                    • H04L9/3213 ... using tickets or tokens, e.g. Kerberos
                • H04L9/3226 ... using a predetermined code, e.g. password, passphrase or PIN
                • H04L9/3231 Biological data, e.g. fingerprint, voice or retina

Abstract

The present invention provides an identity authentication service method and system based on heterogeneous terminals. The method comprises: a resource server obtains the configuration information of an authorization server, registers a resource set with the authorization server and configures an authorization policy; a user accesses the resource set through a client, and the authorization server judges whether the user is a registered user, prompting the user to register if not; if so, the authorization server judges according to the authorization policy whether the resource owner must confirm the authorization, and if so the resource owner performs the confirmation; the user accesses the resource set with an access token, and the resource server judges whether the user is authorized, returning the resource set to the user if so. The method and system set authorization security levels, perform face recognition on a mobile terminal, and use person-credential matching (人证合一, matching the live face against the registered identity credential) as the verification mode, which increases authorization security and convenience and enhances the applicability and scalability of the system.

Description

A kind of identity authentication service method and system based on heterogeneous terminals
Technical field
The present invention relates to the field of identity authentication technology, and in particular to an identity authentication service method and system based on heterogeneous terminals.
Background technique
With the development of the wireless Internet and the Internet of Things, more and more application scenarios require identity authentication. A user must log in on different devices and usually also register with different applications, which is cumbersome, and the many user names and passwords are hard to remember one by one. The development of OAuth has made it possible to improve login to third-party applications: when logging in to a third-party application the user can choose OAuth, access the third-party application through OAuth, and grant the third-party application access to user information directly without registering with it. However, OAuth still requires the user to enter a user name and password on the OAuth authorization page, so a certain security risk remains, and the step of typing a user name and password by hand leaves room for improvement in both security and user experience. Second, the OAuth service usually runs in the same software environment deployed on the same terminal device; it cannot provide authorization across platforms and software environments, and it cannot use the portability and integrated biometric capabilities of mobile terminals to identify the user.
As biometric technology matures, authentication can also be integrated into terminals. Best known to users is fingerprint recognition on mobile phones, with which users unlock the phone very conveniently; iris, finger-vein and face recognition are also maturing and are gradually being integrated into smart terminals. Today the main application is still only phone unlocking; for biometric technology this range of application is far too narrow, and biometrics has not yet been applied well.
OAuth 2.0 is one of the most popular API access control models today. As an open authorization standard, the protocol is widely used to solve flexible cross-domain and third-party authorization on open cloud platforms. However, in most implementations of OAuth 2.0 the authorization server and the resource server still use traditional user-name-and-password authentication, which has limitations: on one hand the authorization server must manage authorization information such as authorization codes and access tokens and also authentication information such as user names and passwords, so platform development, maintenance and user management are expensive, which affects user experience and system efficiency; on the other hand user-name-and-password authentication is not very secure and is easily cracked by dictionary or brute-force attacks.
The FIDO Alliance was founded in July 2012 to meet market demand, unify industry standards, open up the upstream and downstream of the industry chain and thereby promote the development of identity authentication technology. The FIDO (Fast Identity Online) Alliance proposed an online identity authentication scheme based on biometrics that uses fingerprint, face and voiceprint recognition and similar techniques to achieve user authentication that is highly secure yet very convenient, and it has attracted attention and approval across industries. At the end of 2014 the Alliance released two protocol suites, U2F (Universal Second Factor) and UAF (Universal Authentication Framework). U2F protects user accounts and privacy with two factors (a password and a hardware device); UAF strengthens account security with biometric recognition. Both suites simplify the user experience, improve security and protect privacy; related applications can be accessed securely without any password, and they have broad scalability and development potential.
UAF is a general solution for online authentication based on biometrics. It is the first open industry standard for online digital authentication; it supports fingerprint, voice, pupil and face recognition and verifies the user directly, without entering a user name and password. Its outstanding feature is the decoupling of the authentication means from the authentication protocol: any authentication mode the terminal supports can be used, and the terminal and the service verify the user with one standard authentication protocol. Diverse authentication modes share a unified protocol, which lowers the cost of building systems and improves interoperability. In a traditional authentication system the server side holds the user's password or secret, and every authentication submits it to the server for comparison. UAF splits this process into two steps: 1) the local terminal device authenticates the user, using biometrics such as a fingerprint, voiceprint or face; 2) after that succeeds, the service verifies the device using a public/private key pair. This protocol of first authenticating the user on the terminal device and then authenticating the terminal device against the back-end service has high scalability and compatibility.
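The two-step UAF flow described above, as an added example that is not code from the patent or from any FIDO implementation: a terminal-side authenticator releases its device key only after the local biometric match succeeds (the match is stood in for by a string comparison, an assumption of this example), and the back end verifies a signature over a one-time challenge under the public key registered for the user. The key type (ECDSA P-256), the challenge format, the app ID `https://auth.example.test` and all type and function names are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the terminal-side UAF authenticator: a device key pair that
// is released only after the local biometric match succeeds. The private key never
// leaves the device; only the public key is registered with the server.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	matchFn func(sample string) bool // stands in for on-device fingerprint/face/voice matching (assumption)
}

// Server models the relying-party back end: one public key per registered user and
// the set of outstanding challenges, each usable once.
type Server struct {
	appID      string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string]bool
}

func NewServer(appID string) *Server {
	return &Server{appID: appID, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

// NewAuthenticator generates the device key pair used in step 2 (the public/private key system).
func NewAuthenticator(matchFn func(string) bool) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, matchFn: matchFn}, nil
}

// Register binds the device public key to the user; no password or biometric reaches the server.
func (s *Server) Register(user string, a *Authenticator) { s.pubKeys[user] = &a.priv.PublicKey }

// Challenge issues a fresh random nonce that the device must sign.
func (s *Server) Challenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b)
	s.challenges[c] = true
	return c, nil
}

// Sign runs step 1 then step 2 on the terminal: the sample is matched locally, and
// only on success does the device sign SHA-256(appID || challenge).
func (a *Authenticator) Sign(appID, challenge, sample string) ([]byte, error) {
	if !a.matchFn(sample) {
		return nil, errors.New("local biometric match failed: key not released")
	}
	digest := sha256.Sum256([]byte(appID + "|" + challenge))
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// Verify is the server side of step 2: the challenge must be outstanding, is consumed
// (no replay), and the signature must verify under the user's registered key.
func (s *Server) Verify(user, challenge string, sig []byte) error {
	if !s.challenges[challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, challenge)
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("user has no registered authenticator")
	}
	digest := sha256.Sum256([]byte(s.appID + "|" + challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the registered key")
	}
	return nil
}

func main() {
	// Constructed sample: the enrolled template is the string "alice-face".
	auth, _ := NewAuthenticator(func(sample string) bool { return sample == "alice-face" })
	srv := NewServer("https://auth.example.test") // assumed app ID
	srv.Register("alice", auth)
	c, _ := srv.Challenge()
	sig, err := auth.Sign(srv.appID, c, "alice-face")
	fmt.Println("sign:", err, "verify:", srv.Verify("alice", c, sig))
	fmt.Println("replay:", srv.Verify("alice", c, sig))
}
```

The server stores no password and no biometric template, so a dump of its database yields only public keys, and a captured signature is useless because the challenge is consumed on first use and is bound to the app ID.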
Existing identity authorization systems cannot truly identify and verify the identity of a user, and they depend heavily on wired networks. Authorization services with biometric authentication are already widely used in service systems, but biometric authentication can only decide whether the user and the registrant are the same person; it cannot verify the true identity of the registrant, and so it cannot meet the security requirements of scenarios with higher security levels.
Summary of the invention
The identity authentication service method and system based on heterogeneous terminals provided by the present invention solve two problems of the traditional OAuth mode: the user must enter a user name and password by hand every time, and OAuth cannot authorize across devices.
The identity authentication service method based on heterogeneous terminals provided by the present invention comprises the following steps:
the resource server obtains the configuration information of the authorization server, registers a resource set with the authorization server and configures an authorization policy;
a user accesses the resource set through a client, and the authorization server judges whether the user is a registered user, prompting the user to register if not; if so, the authorization server judges according to the authorization policy whether the resource owner must confirm the authorization, proceeding to the next step if not, and if so the resource owner performs the confirmation; here a registered user is a user who has already registered on the authorization server;
the user accesses the resource set with an access token, the access token being issued by the authorization server;
the resource server judges according to the verification mode of the access token whether the user is authorized, returning the resource set to the user if so and not returning it otherwise; the verification mode of the access token is agreed between the resource server and the authorization server.
Optionally, before the resource server obtains the configuration information of the authorization server, the resource owner selects an authorization server and introduces it to the resource server, and the resource server obtains the URL of the authorization server.
Optionally, the authorization server judging whether the user is a registered user further comprises: the authorization server prompts the user to authenticate by face recognition; if the user agrees to authorize, the user takes a photograph and uploads it to the authorization server; the authorization server performs person-credential matching and judges from the matching result whether the user is a registered user.
Optionally, the person-credential matching performed by the authorization server further comprises: the authorization server extracts and compares biometric features using a device equipped with FIDO UAF.
Optionally, the resource server registering the resource set with the authorization server further comprises: the authorization server allocates a unique identifier to the resource set and returns it to the resource server together with a URL.
Optionally, the user accessing the resource set with an access token further comprises: the access token contains the user's final access permissions.
The present invention also provides an identity authentication service system based on heterogeneous terminals, comprising:
an authentication and authorization service module for authentication and authorization services, comprising a resource server module, an authentication server module and an authorization server module;
a resource owner module for selecting an authorization server module, introducing the resource server module to the authorization server module, confirming authorization for a user module, and returning the resource set to a user module that has obtained authorization;
a user module for registering with the authorization server module, presenting claims to the authentication server module for identity authentication, obtaining the access token issued by the authorization server module, and accessing the resource set of the resource server with the access token.
Optionally, the resource server module is further used to obtain the configuration information of the authorization server module, agree the generation and verification mode of access tokens with the authorization server, register the resource set with the authorization server module and configure the authorization policy.
Optionally, the authentication server module is further used to authenticate the user and return the authentication result to the authorization server module.
Optionally, the authorization server module is further used to register the user and to decide, according to the authentication result returned by the authentication server module, whether to issue an access token to the user.
The technical solution provided by the present invention has the following beneficial effects:
The identity authentication service method and system based on heterogeneous terminals move the OAuth authorization step onto a heterogeneous mobile smart terminal and use the terminal's built-in biometric functions, including fingerprint, vein, iris and face recognition, to obtain the user's biometric information, identify the user by it and use the recognition result as the authorization. The user can authorize a third-party application by recognizing his or her own biometric features on the mobile terminal, which greatly facilitates the use of third-party applications. Combined with a positioning system that obtains the user's location and time, this improves the security and convenience of the authorization service without adding hardware cost and enhances the applicability and scalability of the system.
Detailed description of the invention
Fig. 1 is the system architecture diagram of the identity authentication service method and system based on heterogeneous terminals of the present invention.
Fig. 2 is the identity authentication service flow chart of the identity authentication service method and system based on heterogeneous terminals of the present invention.
Specific embodiment
To facilitate understanding of the present invention, a more comprehensive description is given below with reference to the relevant drawings, which show preferred embodiments of the invention. The invention may however be realized in many different forms and is not limited to the embodiments described here; these embodiments are provided so that the disclosure is more thorough and comprehensive.
Unless otherwise defined, all technical and scientific terms used here have the meaning normally understood by those skilled in the technical field of the invention. The terms used in the specification are intended only to describe specific embodiments and are not intended to limit the invention. The term "and/or" used here includes any and all combinations of one or more of the listed items.
In the identity authentication service method and system based on heterogeneous terminals of the embodiment, the system comprises an authentication and authorization service module, a resource owner module and a user module; the overall architecture is shown in Fig. 1, and the authentication and authorization service module consists of a resource server module, an authentication server module and an authorization server module. The main operating flow of the system is as follows: the user module requests, through the client of a third-party application, access to a resource set that a resource owner module has stored in a cloud service of some domain; the resource server module of that domain directs the user module to the authentication server module; when the authentication server module provides the authentication service to the user module, it asks the user module to authenticate and whether it agrees to authorize, and the user module authenticates with the built-in biometric reader and agrees to authorize. The authorization server module decides whether to issue an access token according to the authentication result returned for the third-party application together with the identity result that the authentication server returns for the user module. Once the client of the third-party application has obtained a valid access token, the user module requests the resource from the resource server module with that access token.
In the embodiment, the identity authentication service system based on heterogeneous terminals mainly comprises a terminal SDK and an authentication and authorization service platform. The platform provides authentication and authorization services externally; the resource owner configures authorization policies on the authorization server so that different resources receive different policies, and a resource here is not only a visible resource but may also be a grant of permission. The user registers on the authentication and authorization service platform, registering a user account, biometric information and the terminal to be authorized; the biometric information can be validated through a third-party platform. When the user accesses a protected resource through a client and chooses to log in and authorize through the authentication service, the system prompts the user to authorize; if the user agrees, the user records biometric information on the terminal and uploads it to the authentication server, which compares it and judges whether the user is a registered user. The system then judges from the configured policy whether the resource owner must also confirm; if so, the resource owner confirms, and only after confirmation does the authorization server issue an access token to the client, which uses the token to obtain the resource. The embodiment extends identity authentication to mobile terminal devices and uses personal-feature authentication devices such as the device camera, giving the user a convenient and secure authentication experience.
The authentication and authorization service platform of the embodiment mainly comprises a resource server and an authorization server; the parties it serves are the resource owner, the client and the user, and the user and the resource owner may be the same person. The resource owner manages the relationship between the authorization server and the resource server and allows third-party applications to access resources by setting policies. The user controls the client of the third-party application and, by presenting claims containing client information and user information, obtains the related resource when the claims satisfy the requirements set by the resource owner.
The identity authentication service method based on heterogeneous terminals of the embodiment comprises the following steps:
Step S1: the resource server obtains the configuration information of the authorization server, registers a resource set with the authorization server and configures an authorization policy;
Step S2: a user accesses the resource set through a client, and the authorization server judges whether the user is a registered user, prompting the user to register if not; if so, the authorization server judges according to the authorization policy whether the resource owner must confirm the authorization, proceeding to the next step if not, and if so the resource owner performs the confirmation; here a registered user is a user who has already registered on the authorization server;
Step S3: the user accesses the resource set with an access token, the access token being issued by the authorization server;
Step S4: the resource server judges according to the verification mode of the access token whether the user is authorized, returning the resource set to the user if so and not returning it otherwise; the verification mode of the access token is agreed between the resource server and the authorization server.
The resource owner selects the authorization server of the authentication service and introduces the resource server to it, and the resource server obtains the URL of the authorization server. The resource server obtains the configuration information of the authorization server, registers itself as a client of the authorization server, and agrees with the authorization server the generation and verification mode of subsequent access tokens.
The resource server registers its resource sets with the authorization server; the request content is the details of each resource set it wants protected. The authorization server allocates a unique identifier to the resource set and returns it to the resource server together with a URL; the resource server can direct the resource owner to that URL, where the owner interactively manages the policies associated with the resource set. The resource server can use the HTTP GET, PUT and DELETE methods to read, update and delete its resources respectively.
The resource owner configures authorization policies on the authorization server; different resources require different authentication. The user and the user's client must present a set of claims that satisfies the policy requirements. If no policy is configured for a resource set, that resource set is treated as inaccessible. Once the policy is set up, the resource owner can normally step aside; when a user attempts to access the resource, the owner needs to reappear only if the policy requires the owner's authorization.
The user registers on the authorization server of the system service with biometric information.
The user selects a resource set through the client and, without authorization, attempts to access the resource server; from the context of this initial HTTP request the resource server knows which resource set the client is trying to access, and hence which claims the corresponding resource owner and authorization server require.
The authorization server of the authentication service prompts the user to authenticate by face recognition; if the user agrees to authorize, the user photographs his or her face with an electronic terminal equipped with a camera and uploads the picture to the authorization server; if not, the user cancels or does nothing.
The person-credential verification service in the authorization server extracts and compares biometric feature values using a device equipped with FIDO UAF; this is called person-credential matching for short.
The system judges from the person-credential matching result whether the user is a registered user; if so, it judges from the configured policy whether the resource owner must also confirm the authorization, and if confirmation is needed the system reminds the resource owner by SMS, e-mail or application message push (received by the terminal SDK) to confirm.
The authorization server issues an access token to the client; the token contains the client's final access permissions. The user attempts to access the resource server with the access token; the resource server judges whether the user is authorized using the token verification mode agreed with the authorization server, and returns the resource to the client if so.
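Steps S1 to S4 above, and the same procedure in the summary of the invention, as an added example that is not code from the patent: an authorization server registers resource sets, applies the owner's policy (a security level and an owner-confirmation flag) to the claims the user presents, and issues an access token; the resource server then verifies the token with the verification mode agreed at setup. The agreed mode here is an HMAC-SHA256 over `id|user|expiry` under a shared key; that token layout, the level names "weak" and "strong", the hostname `https://as.example.test` and all type and function names are this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Policy is the owner's per-resource-set configuration; the level names are this example's own.
type Policy struct {
	Level        string // "weak": password or face accepted; "strong": person-credential match only
	OwnerConfirm bool   // the owner must confirm each grant (SMS/mail/push reminder in the text)
}
// Claims is the statement the user and client present to the authorization server.
type Claims struct {
	User           string
	PasswordOK     bool // account/password check passed (weak authentication)
	FaceIDMatch    bool // person-credential matching on the terminal passed
	OwnerConfirmed bool // the owner answered the confirmation reminder
}
// AuthServer holds registered users, resource sets with their policies, and the HMAC key agreed with the resource server.
type AuthServer struct {
	key      []byte
	baseURL  string
	next     int
	users    map[string]bool
	policies map[string]*Policy // nil entry: registered but no policy yet, so inaccessible
}

func NewAuthServer(baseURL string, key []byte) *AuthServer {
	return &AuthServer{key: key, baseURL: baseURL, users: map[string]bool{}, policies: map[string]*Policy{}}
}
func (a *AuthServer) RegisterUser(u string) { a.users[u] = true }

// RegisterResourceSet (step S1) allocates a unique identifier and returns it with the policy URL.
func (a *AuthServer) RegisterResourceSet() (id, policyURL string) {
	a.next++
	id = fmt.Sprintf("rs_%d", a.next)
	a.policies[id] = nil
	return id, a.baseURL + "/policy/" + id
}
func (a *AuthServer) SetPolicy(id string, p Policy) { a.policies[id] = &p }

// IssueToken applies the policy to the claims (step S2) and returns id|user|expiry|mac (step S3).
func (a *AuthServer) IssueToken(id string, c Claims, now time.Time, ttl time.Duration) (string, error) {
	if !a.users[c.User] {
		return "", errors.New("not a registered user: register first")
	}
	p := a.policies[id]
	if p == nil {
		return "", errors.New("resource set unknown or without policy: inaccessible")
	}
	// weak: password or face; strong: face only; any other level is never satisfied.
	if !map[string]bool{"weak": c.PasswordOK || c.FaceIDMatch, "strong": c.FaceIDMatch}[p.Level] {
		return "", errors.New("claims do not satisfy policy level " + p.Level)
	}
	if p.OwnerConfirm && !c.OwnerConfirmed {
		return "", errors.New("policy requires resource owner confirmation")
	}
	body := id + "|" + c.User + "|" + strconv.FormatInt(now.Add(ttl).Unix(), 10)
	return body + "|" + mac(a.key, body), nil
}

func mac(key []byte, body string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(body))
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

// ResourceServer verifies a presented token (step S4): MAC under the shared key, binding to the requested set, expiry.
type ResourceServer struct{ key []byte }

func (r ResourceServer) VerifyToken(token, wantID string, now time.Time) (string, error) {
	parts := strings.Split(token, "|")
	if len(parts) != 4 {
		return "", errors.New("malformed token")
	}
	if body := strings.Join(parts[:3], "|"); !hmac.Equal([]byte(mac(r.key, body)), []byte(parts[3])) {
		return "", errors.New("bad MAC: not issued by the agreed authorization server")
	}
	if parts[0] != wantID {
		return "", errors.New("token is bound to a different resource set")
	}
	if exp, err := strconv.ParseInt(parts[2], 10, 64); err != nil || now.Unix() >= exp {
		return "", errors.New("token expired")
	}
	return parts[1], nil
}

func main() {
	key := []byte("shared-key-agreed-at-setup") // constructed; provisioned out of band in practice
	as, rs := NewAuthServer("https://as.example.test", key), ResourceServer{key: key}
	as.RegisterUser("alice")
	id, url := as.RegisterResourceSet()
	as.SetPolicy(id, Policy{Level: "strong", OwnerConfirm: true})
	tok, err := as.IssueToken(id, Claims{User: "alice", FaceIDMatch: true, OwnerConfirmed: true}, time.Now(), time.Hour)
	fmt.Println("owner policy URL:", url, "| issue error:", err)
	fmt.Println(rs.VerifyToken(tok, id, time.Now()))
}
```

As the text requires, a resource set with no policy is refused outright, a password alone never satisfies the strong level, and the owner-confirmation flag blocks issuance until the owner has answered; on the resource server side a token bound to one resource set is refused for another and an expired or tampered token is refused. The two booleans in Claims are where a deployment would plug in the terminal's person-credential result and the owner's reply.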
Throughout the process, neither the resource owner's nor the user's personal information is disclosed to the resource server or the client, and the resource owner and the user do not disclose sensitive personal information to each other. The user need only provide the minimum proof information to access the resources that satisfy the policy set by the resource owner. The authorization server acts as identity registrar and verifier; the user does not have to show an identity document to a third party as in real life, but only captures biometric information and sends it to the authorization server, which completes identity verification, thereby avoiding the leakage of personal information to third parties.
In the identity authentication service method and system based on heterogeneous terminals of the embodiment, a GPS module is added to the client, which connects to a remote server over Wi-Fi and obtains geographical location information together with a location server; the location and time of the person being authenticated are collected as part of the user information. From the user location information obtained by the client, a feature set for location identification is extracted, and the encoded feature vector identifying the location is used in identity authentication.
The identity authentication service method and system based on heterogeneous terminals of the embodiment use the authentication mode of the FIDO framework to strengthen the security of the OAuth 2.0 protocol and provide a sound identity authentication mode: on one hand it meets requirements such as security and user experience, and on the other hand it enables sharing of user data, saves network resources and reduces the development, maintenance and user-management costs of the platform.
The identity authentication service method and system based on heterogeneous terminals of the embodiment move the OAuth authorization step onto a heterogeneous mobile smart terminal and use the terminal's built-in biometric functions, including fingerprint, vein, iris and face recognition, to obtain the user's biometric information, identify the user by it and use the recognition result as the authorization, so that the user can reduce or avoid the manual entry of a user name and password that the traditional OAuth mode requires; this also removes the drawback that OAuth cannot authorize across devices. The user can authorize a third-party application by recognizing his or her own biometric features on the mobile terminal, which greatly facilitates the use of third-party applications.
The identity authentication service method and system based on heterogeneous terminals of the embodiment propose identity recognition and positioning based on heterogeneous terminals, using biometric authentication combined with a positioning system that obtains the user's location and time, which improves the security and convenience of the authorization service without adding hardware cost. When power-grid staff carry out field work at critical facilities, it can ensure that the real person with real credentials is present. Authorization security levels are preset: weak authentication such as a conventional account and password may still be used, but only for authorizations with low security requirements, while person-credential matching and similar modes are used where the security requirements are higher.
The ubiquity of mobile terminals such as smart phones and tablets, and the camera as standard equipment on them, give the face recognition service a broad base of terminal devices; almost everyone now carries at least one mobile terminal, so authorization security and convenience can be increased without adding hardware cost.
The testimony of a witness unification verifying account number cipher or bio-identification more single than tradition is safer, and being applicable not only to must core The usage scenario of real user's identity is also applied for general authorization and logs in, has stronger applicability.System can not only accomplish User to user authorization can also accomplish user to third-party application authorization, and the scalability of system is stronger.
The above embodiments are merely illustrative of the technical solutions of the present invention, rather than its limitations;Although with reference to the foregoing embodiments Invention is explained in detail, those skilled in the art should understand that: it still can be to aforementioned each implementation Technical solution documented by example is modified or equivalent replacement of some of the technical features;And these modification or Replacement, the spirit and scope for technical solution of various embodiments of the present invention that it does not separate the essence of the corresponding technical solution.

Claims (10)

1. An identity authentication service method based on heterogeneous terminals, characterized in that it comprises the following steps:
a resource server obtains the configuration information of an authorization server, and the resource server registers a resource set with the authorization server and configures an authorization policy;
a user accesses the resource set through a client; the authorization server judges whether the user is a registered user and, if not, reminds the user to register; if so, it judges according to the authorization policy whether confirmation by the resource owner is required, proceeds to the next step if not, and otherwise has the resource owner perform license confirmation; wherein the registered user is a user already registered on the authorization server;
the user accesses the resource set through an access token, wherein the access token is issued by the authorization server;
the resource server judges, according to the verification mode of the access token, whether the user is authorized, returns the resource set to the user if so and does not return the resource set otherwise; wherein the verification mode of the access token is agreed between the resource server and the authorization server.
2. The identity authentication service method based on heterogeneous terminals according to claim 1, characterized in that, before the resource server obtains the configuration information of the authorization server, the method further comprises: the resource owner selects an authorization server and introduces the resource server to the authorization server, and the resource server obtains the URL of the authorization server.
3. The identity authentication service method based on heterogeneous terminals according to claim 1, characterized in that the authorization server judging whether the user is a registered user further comprises: the authorization server prompts the user to authenticate by face recognition; if the user agrees to the authorization, the user takes a photograph and uploads it to the authorization server; the authorization server performs person-credential matching and judges from the matching result whether the user is a registered user.
4. The identity authentication service method based on heterogeneous terminals according to claim 3, characterized in that the authorization server performing person-credential matching comprises: the authorization server extracts and compares biometric feature information using a device equipped with FIDO UAF.
5. The identity authentication service method based on heterogeneous terminals according to claim 1, characterized in that the resource server registering the resource set with the authorization server further comprises: the authorization server allocates a unique identifier for the resource set and returns it to the resource server together with a URL.
6. The identity authentication service method based on heterogeneous terminals according to claim 1, characterized in that the user accessing the resource set through the access token further comprises: the access token contains the final access rights of the user.
7. An identity authentication service system based on heterogeneous terminals, characterized by comprising:
an authentication and authorization service module for providing authentication and authorization services, the authentication and authorization service module comprising a resource server module, an authentication server module and an authorization server module;
a resource owner module for selecting an authorization server module, introducing the resource server module to the authorization server module, performing license confirmation for a user module, and returning the resource set to a user module that has obtained authorization;
a user module for registering with the authorization server module, presenting a statement to the authentication server module for identity authentication, obtaining the access token issued by the authorization server module, and accessing the resource set of the resource server through the access token.
8. The identity authentication service system based on heterogeneous terminals according to claim 7, characterized in that the resource server module is further for obtaining the configuration information of the authorization server module, agreeing with the authorization server on the generation and verification mode of the access token, and registering the resource set and configuring the authorization policy with the authorization server module.
9. The identity authentication service system based on heterogeneous terminals according to claim 7, characterized in that the authentication server module is further for authenticating the user and returning the authentication result for the authenticated user to the authorization server module.
10. The identity authentication service system based on heterogeneous terminals according to claim 7, characterized in that the authorization server module is further for registering the user and determining, according to the authentication result of the authentication server module authenticating the user, whether to provide the access token to the user.
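Claims 1, 5 and 6 describe a registration, policy check and token verification flow; the Python model below is an added example and is not code from the patent or its assignee. It assumes that the "verification mode agreed between the resource server and the authorization server" is an HMAC-SHA256 tag under a key shared at registration and that the owner's license confirmation is a callback; users, URLs and policies are constructed for the example, and the biometric and location steps are omitted.

```python
import hashlib, hmac, json, secrets, time

class AuthorizationServer:
    """Registers users and resource sets, applies the policy, issues tokens."""
    def __init__(self):
        self.registered_users = set()
        self.resource_sets = {}  # resource id -> {"url": ..., "policy": ...}
        self.shared_keys = {}    # resource id -> key agreed with that resource server

    def register_resource_set(self, url, policy):
        # Claim 5: allocate a unique identifier and return it with a URL. The shared
        # key is this example's stand-in for the "agreed verification mode" (assumption).
        rid, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.resource_sets[rid] = {"url": url, "policy": policy}
        self.shared_keys[rid] = key
        return rid, url, key

    def register_user(self, user_id):
        self.registered_users.add(user_id)

    def authorize(self, user_id, rid, owner_confirms):
        """Return (token, None) or (None, reason); owner_confirms(user, rid) -> bool
        stands in for the resource owner's license confirmation step."""
        if user_id not in self.registered_users:
            return None, "not registered"  # the client should prompt the user to register
        policy = self.resource_sets[rid]["policy"]
        if policy.get("owner_confirmation") and not owner_confirms(user_id, rid):
            return None, "owner declined"
        payload = {"sub": user_id, "rid": rid, "scope": sorted(policy["scope"]),
                   "exp": int(time.time()) + 300}  # claim 6: the final access rights
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self.shared_keys[rid], body, hashlib.sha256).hexdigest()
        return body.hex() + "." + tag, None

class ResourceServer:
    """Holds a resource set and checks tokens in the mode agreed at registration."""
    def __init__(self, auth_server, url, policy):
        self.rid, self.url, self.key = auth_server.register_resource_set(url, policy)
        self.resources = {}

    def fetch(self, token, name):
        """Return the named resource for a valid token, otherwise None."""
        try:
            body_hex, tag = token.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time tag check
            return None
        payload = json.loads(body)
        if payload["rid"] != self.rid or payload["exp"] < time.time():
            return None  # token for another resource set, or expired
        return self.resources.get(name) if name in payload["scope"] else None
```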
CN201910925627.0A 2019-09-27 2019-09-27 A kind of identity authentication service method and system based on heterogeneous terminals Pending CN110535882A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910925627.0A CN110535882A (en) 2019-09-27 2019-09-27 A kind of identity authentication service method and system based on heterogeneous terminals

Publications (1)

Publication Number Publication Date
CN110535882A true CN110535882A (en) 2019-12-03

Family

ID=68670999

Country Status (1)

Country Link
CN (1) CN110535882A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111064718A (en) * 2019-12-09 2020-04-24 国网河北省电力有限公司信息通信分公司 Dynamic authorization method and system based on user context and policy
CN111131301A (en) * 2019-12-31 2020-05-08 江苏徐工信息技术股份有限公司 Unified authentication and authorization scheme
CN111682941A (en) * 2020-05-18 2020-09-18 上海瑾琛网络科技有限公司 Centralized identity management, distributed authentication and authorization method based on cryptography
CN112202708A (en) * 2020-08-24 2021-01-08 国网山东省电力公司 Identity authentication method and device, electronic equipment and storage medium
CN115065717A (en) * 2022-05-24 2022-09-16 中原银行股份有限公司 Micro-service calling processing method and device
CN115134155A (en) * 2022-06-29 2022-09-30 北京天融信网络安全技术有限公司 Authentication method and device, computer program product and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506562A (en) * 2015-01-13 2015-04-08 东北大学 Two-dimension code and face recognition fused conference identity authentication device and method
CN105577665A (en) * 2015-12-24 2016-05-11 西安电子科技大学 Identity and access control and management system and method in cloud environment
CN105897652A (en) * 2014-10-21 2016-08-24 北京京航计算通讯研究所 Standard protocol based heterogeneous terminal dynamic access method
US20180077151A1 (en) * 2016-09-09 2018-03-15 Tyco Integrated Security, LLC Architecture For Access Management
CN108073630A (en) * 2016-11-16 2018-05-25 北京京东尚科信息技术有限公司 A kind of service search access management method and system based on mobilism configuration

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李梁磊 et al.: "An open authorization scheme based on the FIDO UAF architecture", 《信息网络安全》 *
沈桐 et al.: "User authentication and authorization system architecture based on OAuth 2.0, OpenID Connect and UMA", 《软件》 *

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191203