CN110535882A - Identity authentication service method and system based on heterogeneous terminals - Google Patents
Publication number: CN110535882A (application CN201910925627.0A)
Authority: CN (China)
Prior art keywords: user, resource, server, authorization, authorization server
Legal status: Pending (status as listed by Google Patents; an assumption, not a legal conclusion)
Classifications (all under H04L, Transmission of digital information, e.g. telegraphic communication)
- H04L63/0861: Network security; authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- H04L63/10: Network security; controlling access to devices or network resources
- H04L63/12: Network security; applying verification of the received information
- H04L67/02: Network services and applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L9/3213: Cryptographic mechanisms for verifying the identity or authority of a user, involving a third party or trusted authority, using tickets or tokens, e.g. Kerberos
- H04L9/3226: Cryptographic mechanisms for verifying the identity or authority of a user, using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231: Cryptographic mechanisms for verifying the identity or authority of a user; biological data, e.g. fingerprint, voice or retina
Abstract
The invention provides an identity authentication service method and system based on heterogeneous terminals. The method includes: the resource server obtains the configuration information of the authorization server, registers its resource sets with the authorization server and configures authorization policies; a user accesses a resource set through a client, and the authorization server judges whether the user is a registered user, prompting the user to register if not; if so, it judges according to the authorization policy whether the resource owner must confirm the authorization, and if so the resource owner performs the confirmation; the user then accesses the resource set with an access token, and the resource server judges whether the user is authorized, returning the resource set to the user if so. The method and system set authorization security levels, perform face recognition on the mobile terminal and verify the user by matching the live person against their identity document (人证合一, "person and ID document as one"), which increases the security and convenience of authorization and enhances the applicability and scalability of the system.
Description
Technical field
The present invention relates to the field of identity authentication technology, and in particular to an identity authentication service method and system based on heterogeneous terminals.
Background technique
With the development of the wireless Internet and the Internet of Things, more and more application scenarios require identity authentication. Users have to log in on different devices and usually also have to register with different applications, which is cumbersome, and the many usernames and passwords are hard to remember one by one. The development of OAuth made it possible to improve login to third-party applications: when logging in to a third-party application the user can choose to log in through OAuth, and the third-party application is granted access to the user's information directly, so the user need not register with the third-party application. However, OAuth still requires the user to enter a username and password at the OAuth authorization interface, so a certain security risk remains, and the manual entry of a username and password leaves room for improvement in both security and user experience. Secondly, the OAuth service is usually carried out within one software environment deployed on one terminal device; it cannot provide authorization service across platforms and software environments, and it cannot exploit the portability and integrated biometric capabilities of mobile terminals for user identification.
As biometric technology matures, authentication capabilities are also being integrated into terminals. The one best known to users is fingerprint recognition on mobile phones, which lets a user unlock the phone very conveniently; iris recognition, vein recognition, face recognition and other biometric technologies are also maturing and are gradually being integrated into smart terminals. At present the main application is only unlocking the phone, which is far too narrow a use of biometric technology and does not make good use of it.
The OAuth 2.0 protocol is one of the most popular API access control models today. As an open authorization standard it is widely used to solve the problems of flexible cross-domain and third-party authorization on open cloud platforms. However, most implementations of OAuth 2.0 authorization servers and resource servers still use traditional username-and-password authentication, which has two limitations. On the one hand the authorization server must manage authorization information such as authorization codes and access tokens as well as authentication information such as usernames and passwords, so platform development, maintenance and user management are expensive, which affects user experience and system efficiency. On the other hand username-and-password authentication is not very secure and is easily broken by dictionary or brute-force attacks.
The FIDO Alliance was founded in July 2012 with the aim of meeting market demand, unifying industry standards and connecting the upstream and downstream of the industry chain, and thereby promoting the development of identity authentication technology. FIDO (Fast Identity Online) proposed an online identity authentication scheme based on biometrics that uses fingerprint recognition, face recognition, voiceprint recognition and other biometric technologies to achieve user authentication that is both highly secure and very convenient, and it has received attention and approval across many industries. At the end of 2014 the alliance released two protocol schemes, U2F (Universal Second Factor protocol) and UAF (Universal Authentication Framework protocol). U2F protects user accounts and privacy with two factors (a password and a hardware device); UAF strengthens account security with biometric recognition. Both schemes simplify the user experience, improve security and protect privacy, allow secure access to applications without password involvement, and have broad scalability and development potential.
UAF is a general-purpose online authentication solution based on biometric recognition. It is the first open industry-standard scheme for online digital authentication; it supports fingerprint, voice, iris, face and other biometric modes and authenticates directly without the entry of a username and password. Its distinguishing feature is that the authentication means is decoupled from the authentication protocol: any authentication mode the terminal supports can be used, while a single standard protocol verifies the user between the terminal and the service. Diverse authentication modes sharing one protocol lowers system construction cost and improves interoperability across the ecosystem. In a traditional authentication system the server holds the user's password or secret, and every authentication submits it to the server for comparison. UAF splits this process into two steps: 1) the local terminal device authenticates the user, by fingerprint, voiceprint, face or other biometric; 2) after successful local authentication, the server verifies the device through a public/private key system. This protocol, in which the terminal device first authenticates the user and the back-end service then authenticates the terminal device, has high scalability and compatibility.
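The two-step UAF flow just described (the device verifies the user locally, then the server verifies the device against a registered public key) as an added example; this is not code from the patent or from the FIDO specifications. The signature scheme is a toy Schnorr construction over a 64-bit safe-prime group standing in for a real authenticator key pair, the on-device matcher is a byte-string comparison standing in for biometric matching, and the class names, the user `alice`, the `uaf-auth|` prefix and the enrolled template are all assumptions.

```python
import hashlib
import secrets

# Toy Schnorr signature over a safe-prime group. It stands in for the authenticator's
# real key pair (UAF uses standard asymmetric algorithms); the 64-bit parameter size
# is only so the example runs quickly. The Miller-Rabin bases below are deterministic
# for n < 3.3e24, which covers the 65-bit values generated here.
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64):
    """Return (p, q, g) with p = 2q + 1, both prime, and g = 4 of order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4      # 4 is a quadratic residue, so its order is q

P, Q, G = make_group()

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _hash_to_q(r, msg):
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % Q

def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    e = _hash_to_q(pow(G, k, P), msg)
    return e, (k - x * e) % Q

def verify(y, msg, sig):
    e, s = sig
    return _hash_to_q(pow(G, s, P) * pow(y, e, P) % P, msg) == e

class Authenticator:
    """Terminal side: step 1 verifies the user locally, step 2 signs the server's challenge."""
    def __init__(self, enrolled_template):
        self.template = enrolled_template   # biometric template never leaves the device
        self.sk, self.pk = keygen()         # per-service key pair created at registration

    def authenticate(self, live_sample, challenge):
        if live_sample != self.template:    # stand-in for the on-device biometric matcher
            return None
        return self.pk, sign(self.sk, b"uaf-auth|" + challenge)

class Server:
    """Service side: stores only public keys, so a server breach yields nothing reusable."""
    def __init__(self):
        self.registered, self.challenges = {}, {}

    def register(self, user_id, pk):
        self.registered[user_id] = pk

    def new_challenge(self, user_id):
        self.challenges[user_id] = secrets.token_bytes(32)
        return self.challenges[user_id]

    def finish(self, user_id, pk, sig):
        challenge = self.challenges.pop(user_id, None)   # single use: a replayed response fails
        if challenge is None or self.registered.get(user_id) != pk:
            return False
        return verify(pk, b"uaf-auth|" + challenge, sig)

def demo():
    device = Authenticator(enrolled_template=b"face-template-01")   # constructed sample
    server = Server()
    server.register("alice", device.pk)
    response = device.authenticate(b"face-template-01", server.new_challenge("alice"))
    first = server.finish("alice", *response)
    replay = server.finish("alice", *response)                       # same response again
    rejected_locally = device.authenticate(b"someone-else", server.new_challenge("alice"))
    return first, replay, rejected_locally
```

`demo()` returns `(True, False, None)`: the fresh response verifies, the replayed one fails because the challenge was consumed, and a non-matching sample never reaches the server at all. The point the paragraph makes, that the server holds no user secret, is visible in `Server`: the only material it stores is `pk`, which cannot produce a valid `sign` output.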
Existing identity authentication systems cannot truly identify and verify a user's identity and depend heavily on wired networks. Authorization services with biometric authentication are already widely used in service systems, but biometric authentication can only judge whether the user is the same person as the registrant; it cannot verify the registrant's real identity, so it cannot satisfy scenarios with higher security-level requirements.
Summary of the invention
The identity authentication service method and system based on heterogeneous terminals provided by the invention solve two problems of the traditional OAuth mode: the user must manually enter a username and password every time, and OAuth cannot authorize across devices.
The identity authentication service method based on heterogeneous terminals provided by the invention comprises the following steps:
The resource server obtains the configuration information of the authorization server, registers its resource sets with the authorization server and configures authorization policies;
A user accesses a resource set through a client, and the authorization server judges whether the user is a registered user; if not, the user is prompted to register; if so, the authorization server judges according to the authorization policy whether the resource owner must confirm the authorization, proceeding to the next step if not and otherwise having the resource owner perform the confirmation; a registered user is one who has already registered on the authorization server;
The user accesses the resource set with an access token, which is issued by the authorization server;
The resource server judges, according to the verification mode of the access token, whether the user is authorized, returning the resource set to the user if so and withholding it otherwise; the verification mode of the access token is agreed between the resource server and the authorization server.
Optionally, before the resource server obtains the configuration information of the authorization server, the method further includes: the resource owner selects the authorization server and introduces the resource server to it, and the resource server obtains the URL of the authorization server.
Optionally, the authorization server judging whether the user is a registered user further comprises: the authorization server prompts the user to authenticate by face recognition; if the user agrees to authorize, a photo is taken and uploaded to the authorization server; the authorization server performs person-and-ID-document matching and judges from the result whether the user is a registered user.
Optionally, the person-and-ID-document matching by the authorization server further comprises: the authorization server extracts and compares biometric features using a device equipped with FIDO UAF.
Optionally, the resource server registering its resource sets with the authorization server further comprises: the authorization server assigns a unique identifier to each resource set and returns it to the resource server together with a URL.
Optionally, the user accessing the resource set with an access token further comprises: the access token contains the user's final access permissions.
The invention also provides an identity authentication service system based on heterogeneous terminals, comprising:
an authentication and authorization service module, for providing authentication and authorization services, which comprises a resource server module, an authentication server module and an authorization server module;
a resource owner module, for selecting the authorization server module, introducing the resource server module to it, performing authorization confirmation for the user module, and returning the resource set to a user module that has obtained authorization;
a user module, for registering with the authorization server module, presenting claims to the authentication server module for identity authentication, obtaining the access token issued by the authorization server module, and accessing the resource set on the resource server with that access token.
Optionally, the resource server module is further used for obtaining the configuration information of the authorization server module, agreeing with the authorization server the generation and verification mode of access tokens, registering resource sets with the authorization server module and configuring authorization policies.
Optionally, the authentication server module is further used for authenticating the user and returning the authentication result to the authorization server module.
Optionally, the authorization server module is further used for registering the user and deciding, according to the authentication result returned by the authentication server module, whether to issue an access token to the user.
The technical solution provided by the invention has the following beneficial effects:
The identity authentication service method and system based on heterogeneous terminals move the OAuth authorization step onto a heterogeneous mobile smart terminal and use the terminal's built-in biometric functions, including fingerprint, vein, iris, face and other modes, to obtain the user's biometric information, identify the user from it and use the recognition result as the authorization. The user can authorize third-party applications by recognizing their own biometric features on a mobile terminal, which greatly facilitates the use of third-party applications. Combined with a positioning system that obtains the user's position and time, this improves the security and convenience of the authorization service without adding hardware cost and enhances the applicability and scalability of the system.
Detailed description of the invention
Fig. 1 is the system architecture diagram of the identity authentication service method and system based on heterogeneous terminals of the invention.
Fig. 2 is the identity authentication service flow chart of the identity authentication service method and system based on heterogeneous terminals of the invention.
Specific embodiment
To facilitate understanding of the invention, a fuller description is given below with reference to the accompanying drawings, which show preferred embodiments of the invention. The invention can, however, be realized in many different forms and is not limited to the embodiments described here; these embodiments are provided to make the disclosure more thorough and comprehensive.
Unless otherwise defined, all technical and scientific terms used here have the meaning commonly understood by those skilled in the technical field of the invention. The terms used in this specification are intended only to describe specific embodiments and not to limit the invention. The term "and/or" as used here includes any and all combinations of one or more of the associated listed items.
In the identity authentication service method and system based on heterogeneous terminals of this embodiment, the system comprises an authentication and authorization service module, a resource owner module and a user module; the overall framework is shown in Fig. 1. The authentication and authorization service module consists of a resource server module, an authentication server module and an authorization server module. The main operating flow of the system is as follows: the user module, through the client of a third-party application, requests access to a resource set that a resource owner module has stored in the cloud service of some domain; the resource server module of that domain redirects the user module to the authentication server module; when the authentication server module provides authentication service to the user module, it asks the user module to authenticate and whether it agrees to authorize, and the user module authenticates with its built-in biometric reader and agrees to the authorization. The authorization server module decides whether to issue an access token according to the authentication result returned for the third-party application together with the identity result for the user module returned by the authentication server. After the client of the third-party application obtains a valid access token, the user module requests the resource from the resource server module with that token.
The identity authentication service system based on heterogeneous terminals of this embodiment mainly comprises a terminal SDK and an authentication and authorization service platform. The platform exposes authentication and authorization services; resource owners configure authorization policies on the authorization server so that different resources get different configuration policies. "Resource" here refers not only to visible data; it may also be a grant of permission. Users register with the platform, registering a user account, biometric information and the authorized terminal; the biometric information can be validated through a third-party platform. When a user accesses a protected resource through a client, the user chooses to log in and authorize through the authentication service and the system prompts the user to authorize; if the user agrees, the user records biometric information on the terminal and uploads it to the authentication server, which compares it and judges whether the user is registered. The service then judges according to the configured policy whether the resource owner must also confirm; if so, the resource owner performs the confirmation, after which the authorization server issues an access token to the client, which can then obtain the resource with it. This embodiment extends the identity authentication service to mobile terminal devices and uses the devices' personal-characteristic sensors, such as the camera, to give users a convenient and secure authentication experience.
The authentication and authorization service platform of this embodiment mainly comprises a resource server and an authorization server; it serves the resource owner, the client and the user, where the user and the resource owner may be the same person. The resource owner manages the relationship between the authorization server and the resource server and allows third-party applications to access resources by setting policies. The user controls the client of a third-party application and can obtain the related resources by presenting claims that include client information and user information, when those claims satisfy the requirements set by the resource owner.
The identity authentication service method based on heterogeneous terminals of this embodiment comprises the following steps:
Step S1: the resource server obtains the configuration information of the authorization server, registers its resource sets with the authorization server and configures authorization policies;
Step S2: a user accesses a resource set through a client, and the authorization server judges whether the user is a registered user; if not, the user is prompted to register; if so, the authorization server judges according to the authorization policy whether the resource owner must confirm the authorization, proceeding to the next step if not and otherwise having the resource owner perform the confirmation; a registered user is one who has already registered on the authorization server;
Step S3: the user accesses the resource set with an access token, which is issued by the authorization server;
Step S4: the resource server judges, according to the verification mode of the access token, whether the user is authorized, returning the resource set to the user if so and withholding it otherwise; the verification mode of the access token is agreed between the resource server and the authorization server.
The resource owner selects the authorization server of the authentication service and introduces the resource server to it, and the resource server obtains the URL of the authorization server. The resource server obtains the configuration information of the authorization server, registers itself as a client of the authorization server, and agrees with the authorization server the generation and verification mode of subsequent access tokens.
The resource server registers its resource sets with the authorization server; the request carries the details of each resource set to be protected. The authorization server assigns a unique identifier to the resource set and returns it to the resource server together with a URL; the resource server can direct the resource owner to that URL, where the owner can interactively manage the policy associated with the resource set. The resource server can use the HTTP GET, PUT and DELETE methods to read, update and delete its registered resource sets respectively.
The resource owner configures authorization policies on the authorization server; different resources require different authentication. The user and the client must present a set of claims that satisfies the policy requirements. If no policy is configured for a resource set, that resource set is treated as inaccessible. Once the policy is set up the resource owner can usually step away; when a user attempts to access a resource, the resource owner only has to reappear if the authorization policy requires the owner's authorization.
The user registers with the authorization server of the system service using biometric information.
The user selects a resource set through the client and attempts to access the resource server without any authorization; from the context of this initial HTTP request the resource server learns which resource set the client is trying to access, and therefore which claims the corresponding resource owner and authorization server require.
The authorization server of the authentication service prompts the user to authenticate by face recognition. If the user agrees to authorize, the user takes a photo of their face with a camera-equipped terminal and uploads it to the authorization server; if not, the user cancels or takes no action.
The person-and-ID verification service in the authorization server extracts and compares biometric feature values using a device equipped with FIDO UAF; this is referred to as person-and-ID-document matching (人证合一).
From the person-and-ID matching result the system judges whether the user is a registered user; if so, it judges according to the configured policy whether the resource owner must also confirm the authorization. If confirmation is required, the system reminds the resource owner by SMS, e-mail or application push message (received through the terminal SDK) to perform the confirmation.
The authorization server issues an access token to the client; the token contains the client's final access permissions. The user attempts to access the resource server with the access token to obtain the resource; the resource server judges, using the token verification mode agreed with the authorization server, whether the user is authorized, and returns the resource to the client if so.
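The procedure of steps S1 to S4, as expanded in the paragraphs above (client registration and agreed token mode, resource set registration with identifier and URL, owner policy, claims checking at the configured security level, owner confirmation, token issuance and verification at the resource server), modelled end to end as an added example that is not the patent's code. Assumptions: the agreed token verification mode is an HMAC-SHA256 over a JSON payload using a key handed out at client registration; the two policy levels `password` and `person_id` follow the weak and strong levels the embodiment describes; 10-element integer vectors and a 0.9 threshold stand in for the face matcher; every class, name and URL in the block is made up for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

MATCH_THRESHOLD = 0.9   # assumed matcher threshold; the page gives no value

def bio_similarity(live, enrolled):
    # Stand-in matcher: features are short int lists, score = fraction of equal entries.
    return sum(a == b for a, b in zip(live, enrolled)) / max(len(live), len(enrolled), 1)

class AuthorizationServer:
    def __init__(self, url):
        self.url = url
        self.clients = {}        # client_id -> key shared with that resource server (agreed token mode)
        self.resource_sets = {}  # rsid -> {"owner", "name", "client"}
        self.policies = {}       # rsid -> {"level", "scopes", "owner_confirm"}
        self.users = {}          # user_id -> {"salt", "pw", "id_face"}

    def register_client(self):
        cid, key = "rs-" + secrets.token_hex(4), secrets.token_bytes(32)
        self.clients[cid] = key
        return cid, key

    def register_resource_set(self, client_id, owner, name):
        rsid = secrets.token_hex(8)
        self.resource_sets[rsid] = {"owner": owner, "name": name, "client": client_id}
        return rsid, f"{self.url}/rs/{rsid}"    # unique identifier plus policy-management URL

    def set_policy(self, owner, rsid, level, scopes, owner_confirm=False):
        if self.resource_sets[rsid]["owner"] != owner:
            raise PermissionError("only the resource owner may configure the policy")
        self.policies[rsid] = {"level": level, "scopes": list(scopes), "owner_confirm": owner_confirm}

    def register_user(self, user_id, password, id_face):
        salt = secrets.token_bytes(16)
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user_id] = {"salt": salt, "pw": pw, "id_face": list(id_face)}

    def _claims_ok(self, user, level, claims):
        if level == "password":        # weak level: account and password
            digest = hashlib.pbkdf2_hmac("sha256", claims.get("password", "").encode(), user["salt"], 100_000)
            return hmac.compare_digest(digest, user["pw"])
        if level == "person_id":       # strong level: live face against the enrolled ID-document face
            return bio_similarity(claims.get("live_face", []), user["id_face"]) >= MATCH_THRESHOLD
        return False

    def authorize(self, user_id, claims, rsid, owner_confirmed=False, now=None):
        """Return (status, token); status is 'register', 'denied', 'confirm' or 'ok'."""
        if user_id not in self.users:
            return "register", None                    # unknown user: prompt registration
        policy = self.policies.get(rsid)
        if policy is None:
            return "denied", None                      # no policy configured: inaccessible
        if not self._claims_ok(self.users[user_id], policy["level"], claims):
            return "denied", None
        if policy["owner_confirm"] and not owner_confirmed:
            return "confirm", None                     # owner must confirm before issuance
        exp = int(time.time() if now is None else now) + 300
        payload = {"sub": user_id, "rsid": rsid, "scopes": policy["scopes"], "exp": exp}
        body = json.dumps(payload, sort_keys=True).encode().hex()
        key = self.clients[self.resource_sets[rsid]["client"]]
        return "ok", body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class ResourceServer:
    def __init__(self, key, resources):
        self.key = key              # the key agreed with the authorization server
        self.resources = resources  # rsid -> {scope: data}

    def fetch(self, token, rsid, scope, now=None):
        try:
            body, mac = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None                                # forged or tampered token
        payload = json.loads(bytes.fromhex(body))      # parsed only after the MAC check
        stale = payload["exp"] < (time.time() if now is None else now)
        if payload["rsid"] != rsid or scope not in payload["scopes"] or stale:
            return None
        return self.resources[rsid][scope]

def demo():
    auth = AuthorizationServer("https://as.example")    # assumed URL
    cid, key = auth.register_client()
    rsid, _manage_url = auth.register_resource_set(cid, owner="owner-1", name="meter readings")
    auth.set_policy("owner-1", rsid, level="person_id", scopes=["read"], owner_confirm=True)
    enrolled = [1, 0, 1, 1, 0, 1, 0, 0, 1, 1]            # constructed feature vector
    auth.register_user("user-7", "correct horse", id_face=enrolled)
    rs = ResourceServer(key, {rsid: {"read": "reading=42"}})
    statuses = [auth.authorize("stranger", {}, rsid)[0],                           # not registered
                auth.authorize("user-7", {"password": "correct horse"}, rsid)[0],   # wrong level
                auth.authorize("user-7", {"live_face": enrolled}, rsid)[0]]         # owner must confirm
    status, token = auth.authorize("user-7", {"live_face": enrolled}, rsid, owner_confirmed=True)
    return statuses + [status], rs.fetch(token, rsid, "read"), rs.fetch(token, rsid, "write")
```

`demo()` returns `(["register", "denied", "confirm", "ok"], "reading=42", None)`. Two checks a practitioner would want are visible here: a resource set without a policy is denied rather than open by default, and a password presented against a `person_id` policy is refused, so the weak level cannot be used to reach a resource the owner placed at the strong level. The resource server never sees the face data or the password; it only checks the MAC, scope, resource set and expiry of the token.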
Throughout the process, neither the resource owner's nor the user's personal information is revealed to the resource server or the client, and the resource owner and the user do not reveal sensitive personal information to each other. The user provides only the minimum proof required to satisfy the policy set by the resource owner and thereby access the resource. The authorization server plays the role of identity registration and verification, so the user does not have to show an identity document to a third party as in everyday life; the user only captures biometric information and sends it to the authorization server, which completes the identity verification, avoiding the leakage of personal information to third parties.
In this embodiment a GPS module is added to the client; the client connects to a remote server over Wi-Fi and, together with a location server, obtains the geographical location and time of the person being authenticated as part of the user information. From the location information obtained by the client a feature set for location identification is extracted, and the encoded feature vector of the location information is used in identity authentication.
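One way to turn the location and time information above into a concrete check, as an added example that is not from the patent: the client's claimed position and timestamp are compared with the site and time window of a work order, which matches the grid field-work scenario the embodiment mentions later. The haversine distance, the 200 m and 120 s thresholds, the work-order structure and the coordinates are all assumptions made for the example.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def location_claim_ok(claim, work_order, now, max_distance_m=200.0, max_skew_s=120):
    """Check a client claim {lat, lon, ts} against a work order's site and time window.

    Returns (ok, reason). The thresholds are assumptions; the page gives none.
    The timestamp skew check rejects a position captured long before the request
    (for example replayed from an earlier, legitimate visit)."""
    if abs(now - claim["ts"]) > max_skew_s:
        return False, "stale timestamp"
    if not work_order["start"] <= now <= work_order["end"]:
        return False, "outside work window"
    dist = haversine_m(claim["lat"], claim["lon"], work_order["lat"], work_order["lon"])
    if dist > max_distance_m:
        return False, f"{dist:.0f} m from site"
    return True, "ok"

def demo():
    # Constructed work order and claims; coordinates are arbitrary.
    order = {"lat": 39.9042, "lon": 116.4074, "start": 1_700_000_000, "end": 1_700_014_400}
    now = 1_700_003_600
    at_site = {"lat": 39.9052, "lon": 116.4074, "ts": now - 5}      # about 110 m away
    far_away = {"lat": 39.9542, "lon": 116.4074, "ts": now - 5}     # about 5.5 km away
    old_fix = {"lat": 39.9052, "lon": 116.4074, "ts": now - 900}    # 15 minutes old
    return [location_claim_ok(c, order, now)[0] for c in (at_site, far_away, old_fix)]
```

`demo()` returns `[True, False, False]`. In the flow of this embodiment the result would be one more claim presented to the authorization server alongside the biometric result, not a replacement for it.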
This embodiment combines the authentication mode of the FIDO framework to strengthen the security of the OAuth 2.0 protocol and provides a sound identity authentication mode that, on the one hand, meets security and user-experience requirements and, on the other hand, allows user data to be shared, saving network resources and reducing the platform's development, maintenance and user-management costs.
This embodiment moves the OAuth authorization step onto a heterogeneous mobile smart terminal and uses the terminal's built-in biometric functions, including fingerprint, vein, iris, face and other modes, to obtain the user's biometric information, identify the user from it and use the recognition result as the authorization. The user can thus reduce or eliminate the manual entry of usernames and passwords required in the traditional OAuth mode, and the inability of OAuth to authorize across devices is overcome: the user authorizes third-party applications by recognizing their own biometric features on a mobile terminal, which greatly facilitates the use of third-party applications.
The embodiment of the invention provides an identity authentication service method and system based on heterogeneous terminals that propose identity authentication and recognition based on heterogeneous terminals and a positioning system: the authentication mode is biometric, and the positioning system is combined with it to obtain the user's position and time, improving the security and convenience of the authorization service without increasing hardware cost. When power-grid staff carry out field work at a critical facility, it can be ensured that a real person with a genuine credential is present. A default authorization security level is set: weak authentication such as a conventional account and password can still be used, but is used only for authorizations with low security requirements, while person-credential unification (matching the live person against the credential on file) can be used where the security requirements are higher.
Mobile terminals such as smartphones and tablet computers are ubiquitous, and a camera is standard equipment on them, which gives the face recognition service a very large base of terminal devices; nearly everyone now carries at least one mobile terminal device, so authorization security and convenience can be increased without adding hardware cost.
Person-credential unification verification is safer than traditional single-factor verification by account and password or by biometrics alone. It applies not only to usage scenarios in which the user's real identity must be verified but also to general authorization and login, so it has wider applicability. The system can handle not only user-to-user authorization but also user-to-third-party-application authorization, so it is more scalable.
The above embodiments are merely illustrative of the technical solutions of the present invention and do not limit it. Although the invention has been explained in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. An identity authentication service method based on heterogeneous terminals, characterized in that it comprises the following steps:
the resource server obtains the configuration information of the authorization server, registers a resource set with the authorization server, and configures an authorization policy;
a user accesses the resource set through a client; the authorization server judges whether the user is a registered user and, if not, reminds the user to register; if so, it judges according to the authorization policy whether the resource owner needs to give authorization confirmation: if this is not needed, it proceeds to the next step; if it is needed, the resource owner carries out the authorization confirmation; wherein a registered user is a user who has already registered on the authorization server;
the user accesses the resource set by means of an access token, wherein the access token is issued by the authorization server;
the resource server judges whether the user is authorized and, if so, returns the resource set to the user according to the verification mode of the access token; if not, it does not return the resource set to the user; wherein the verification mode of the access token is negotiated between the resource server and the authorization server.
2. The identity authentication service method based on heterogeneous terminals according to claim 1, characterized in that, before the resource server obtains the configuration information of the authorization server, the method further comprises: the resource owner selects an authorization server, the authorization server introduces the resource server, and the resource server obtains the URL of the authorization server.
3. The identity authentication service method based on heterogeneous terminals according to claim 1, characterized in that the authorization server judging whether the user is a registered user further comprises: the authorization server reminds the user to authenticate by face recognition; if the user agrees to the authorization, a photograph is taken and uploaded to the authorization server; the authorization server performs a person-credential unification comparison and, according to the comparison result, judges whether the user is a registered user.
4. The identity authentication service method based on heterogeneous terminals according to claim 3, characterized in that the authorization server performing the person-credential unification comparison comprises: the authorization server extracts and compares biometric features using a device equipped with FIDO UAF.
5. The identity authentication service method based on heterogeneous terminals according to claim 1, characterized in that the resource server registering the resource set with the authorization server further comprises: the authorization server assigns a unique identifier to the resource set and returns it to the resource server together with a URL.
6. The identity authentication service method based on heterogeneous terminals according to claim 1, characterized in that the user accessing the resource set through the access token further comprises: the access token contains the user's final access permissions.
7. An identity authentication service system based on heterogeneous terminals, characterized in that it comprises:
an authentication and authorization service module, for authentication and authorization services, comprising a resource server module, an authentication server module and an authorization server module;
a resource owner module, for selecting the authorization server module, introducing the resource server module to the authorization server module, carrying out authorization confirmation for a user module, and returning the resource set to a user module that has obtained authorization;
a user module, for registering with the authorization server module, presenting its claims to the authentication server module for identity authentication, obtaining the access token issued by the authorization server module, and accessing the resource set of the resource server through the access token.
8. The identity authentication service system based on heterogeneous terminals according to claim 7, characterized in that the resource server module is further for obtaining the configuration information of the authorization server module, negotiating with the authorization server the generation and verification mode of the access token, registering the resource set with the authorization server module, and configuring the authorization policy.
9. The identity authentication service system based on heterogeneous terminals according to claim 7, characterized in that the authentication server module is further for authenticating the user and returning the authentication result for the authenticated user to the authorization server module.
10. The identity authentication service system based on heterogeneous terminals according to claim 7, characterized in that the authorization server module is further for registering the user and, according to the authentication server module's authentication result for the user, determining whether to provide an access token to the user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910925627.0A CN110535882A (en) | 2019-09-27 | 2019-09-27 | A kind of identity authentication service method and system based on heterogeneous terminals |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110535882A true CN110535882A (en) | 2019-12-03 |
Family
ID=68670999
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910925627.0A Pending CN110535882A (en) | 2019-09-27 | 2019-09-27 | A kind of identity authentication service method and system based on heterogeneous terminals |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110535882A (en) |
Timeline
- 2019-09-27: CN201910925627.0A (CN110535882A) filed in CN; status Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105897652A (en) * | 2014-10-21 | 2016-08-24 | 北京京航计算通讯研究所 | Standard protocol based heterogeneous terminal dynamic access method |
CN104506562A (en) * | 2015-01-13 | 2015-04-08 | 东北大学 | Two-dimension code and face recognition fused conference identity authentication device and method |
CN105577665A (en) * | 2015-12-24 | 2016-05-11 | 西安电子科技大学 | Identity and access control and management system and method in cloud environment |
US20180077151A1 (en) * | 2016-09-09 | 2018-03-15 | Tyco Integrated Security, LLC | Architecture For Access Management |
CN108073630A (en) * | 2016-11-16 | 2018-05-25 | 北京京东尚科信息技术有限公司 | A kind of service search access management method and system based on mobilism configuration |
Non-Patent Citations (2)
Title |
---|
李梁磊 et al.: "An open authorization scheme based on the FIDO UAF architecture" (一种基于FIDO UAF架构的开放授权方案), 《信息网络安全》 (Information Network Security) * |
沈桐 et al.: "A user authentication and authorization system architecture based on OAuth 2.0, OpenID Connect and UMA" (基于OAuth2.0,OpenID Connect和UMA的用户认证授权系统架构), 《软件》 (Software) * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111064718A (en) * | 2019-12-09 | 2020-04-24 | 国网河北省电力有限公司信息通信分公司 | Dynamic authorization method and system based on user context and policy |
CN111064718B (en) * | 2019-12-09 | 2022-08-02 | 国网河北省电力有限公司信息通信分公司 | Dynamic authorization method and system based on user context and policy |
CN111131301A (en) * | 2019-12-31 | 2020-05-08 | 江苏徐工信息技术股份有限公司 | Unified authentication and authorization scheme |
CN111682941A (en) * | 2020-05-18 | 2020-09-18 | 上海瑾琛网络科技有限公司 | Centralized identity management, distributed authentication and authorization method based on cryptography |
CN112202708A (en) * | 2020-08-24 | 2021-01-08 | 国网山东省电力公司 | Identity authentication method and device, electronic equipment and storage medium |
CN115065717A (en) * | 2022-05-24 | 2022-09-16 | 中原银行股份有限公司 | Micro-service calling processing method and device |
CN115134155A (en) * | 2022-06-29 | 2022-09-30 | 北京天融信网络安全技术有限公司 | Authentication method and device, computer program product and electronic equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110535882A (en) | A kind of identity authentication service method and system based on heterogeneous terminals | |
CN110213246B (en) | Wide-area multi-factor identity authentication system | |
US11068575B2 (en) | Authentication system | |
CN102067555B (en) | Improved biometric authentication and identification | |
CN105069876B (en) | The method and system of intelligent entrance guard control | |
CN105933353B (en) | The realization method and system of secure log | |
US8213583B2 (en) | Secure access to restricted resource | |
CN105246073B (en) | The access authentication method and server of wireless network | |
EP2065798A1 (en) | Method for performing secure online transactions with a mobile station and a mobile station | |
CN104618315B (en) | A kind of method, apparatus and system of verification information push and Information Authentication | |
CA2557143C (en) | Trust inheritance in network authentication | |
US20050138394A1 (en) | Biometric access control using a mobile telephone terminal | |
US20100293376A1 (en) | Method for authenticating a clent mobile terminal with a remote server | |
CN101714918A (en) | Safety system for logging in VPN and safety method for logging in VPN | |
CN110545274A (en) | Method, device and system for UMA service based on people and evidence integration | |
CN107454064A (en) | A kind of visitor's authentication method and system based on public number | |
JP2014531070A (en) | Method and system for authorizing actions at a site | |
CN105868975B (en) | Management method, management system and the mobile terminal of electronic banking account | |
KR20130048695A (en) | An authentication system, authentication method and authentication server | |
CN105162774B (en) | Virtual machine entry method, the virtual machine entry method and device for terminal | |
WO2006065002A1 (en) | User authentication method in another network using digital signature made by mobile terminal | |
CN104469736B (en) | A kind of data processing method, server and terminal | |
CN107113613A (en) | Server, mobile terminal, real-name network authentication system and method | |
CN109284599A (en) | It the use of portable electronic device is the method and system that user creates strong authentication | |
CN106778178A (en) | The call method and device of fingerprint business card |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20191203 |