CN110572388B - Method for connecting unified authentication server and unified authentication adapter - Google Patents


Publication number
CN110572388B
CN110572388B
Authority
CN
China
Prior art keywords
unified authentication
session
list
user account
authentication server
Legal status: Active (Google Patents notes that the listed legal status is an assumption, not a legal conclusion)
Application number
CN201910837372.2A
Other languages
Chinese (zh)
Other versions
CN110572388A (en)
Inventor
易存道
Current Assignee (Google Patents notes that the listed assignees may be inaccurate)
Beijing Baolande Software Co ltd
Original Assignee
Beijing Baolande Software Co ltd
Legal events
    • Application filed by Beijing Baolande Software Co ltd
    • Priority to CN201910837372.2A
    • Publication of CN110572388A
    • Application granted
    • Publication of CN110572388B
    • Current legal status: Active

Classifications

All four codes fall under section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L 63/0807: Network architectures or network communication protocols for network security; authentication of entities using tickets, e.g. Kerberos
    • H04L 63/0838: Network architectures or network communication protocols for network security; authentication of entities using passwords, using one-time-passwords
    • H04L 9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L 9/3228: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; means for verifying the identity or authority of a user using a predetermined code (password, passphrase or PIN), with one-time or temporary data sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key

Abstract

An embodiment of the invention provides a method for interfacing a unified authentication server, and a unified authentication adapter. The method comprises the following steps: receiving a dynamic verification code sent by the login service of a target server, where the dynamic verification code is generated by the unified authentication server after it has verified the user account and password sent by the client browser, returned to the client browser, and then sent by the client browser to the login service of the target server; sending the dynamic verification code to the unified authentication server, so that the unified authentication server generates and returns a token once the received dynamic verification code passes verification; and receiving the token returned by the unified authentication server and sending a login success message to the login service of the target server, so that the login service of the target server returns a login success page to the client browser according to the login success message. The embodiment can interface with the unified authentication server and complete the login to the target server.

Description

Method for connecting unified authentication server and unified authentication adapter
Technical Field
The invention relates to the technical field of computers, in particular to a method for connecting a unified authentication server and a unified authentication adapter.
Background
Unified authentication (unified identity authentication) is the process of determining whether a user is a legitimate user. For example, when a user logs in to a target server through a client browser, the target server can use a third-party unified authentication server to authenticate the user account and password entered by the login user, after which the login to the target server is completed.
Currently, the mainstream way of interfacing with a unified authentication server is to implement the interfacing inside the login service of the target server. Referring to fig. 1: the user selects the unified authentication server on the login page displayed by the client browser; the page jumps to the login page of the unified authentication server; after the user enters a correct user account and password, the unified authentication server issues a CODE (dynamic verification code) and instructs the client browser to jump back to the login service of the target server carrying that CODE; the login service of the target server exchanges the CODE for a Token with the unified authentication server; and the logged-in user is then directed to a welcome page.
However, because this mainstream approach is implemented inside the login service of the target server, it couples the login service tightly to the unified authentication server. If the connected unified authentication server is changed or a new one needs to be connected, the code of the login service has to be modified; upgrading the login service can disrupt normal user logins, leaving the system unusable for a period of time.
Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the invention provides a method for connecting a unified authentication server and a unified authentication adapter.
The embodiment of the invention provides a method for connecting a unified authentication server, which is applied to a unified authentication adapter and comprises the following steps:
receiving a dynamic verification code sent by a login service of a target server, wherein the dynamic verification code is generated and returned to a client browser after a user account and a password sent by the client browser are verified by a unified authentication server, and is sent to the login service of the target server by the client browser;
sending the dynamic verification code to a unified authentication server so that the unified authentication server generates and returns a token after the received dynamic verification code passes verification;
and receiving the token returned by the unified authentication server, and sending a login success message to the login service of the target server, so that the login service of the target server returns a login success page to the client browser according to the login success message.
Optionally, the method for interfacing a unified authentication server further includes:
after receiving the token returned by the unified authentication server, adding the session with the client browser to a session list in a preset database, where the session comprises the token generated this time;
checking the validity of the session list in the preset database at every preset first time period, and cleaning up expired sessions in the session list.
Optionally, checking the validity of the session list in the preset database at every preset first time period and cleaning up expired sessions in the session list includes:
acquiring the session list from the preset database at every preset first time period, and traversing each session in the session list;
when a session exists in the session list, judging, for the currently traversed session, whether the session is valid;
if the session is expired, traversing the next session in the session list;
if the session is valid, judging whether the token corresponding to the session is valid;
if the token corresponding to the session is valid, traversing the next session in the session list;
if the token corresponding to the session is expired, acquiring the refresh token corresponding to the session from the unified authentication server, and judging whether that refresh token is valid;
if the refresh token corresponding to the session is valid, using it to replace the token corresponding to the session;
and if the refresh token corresponding to the session is expired, deleting the currently traversed session from the session list, and traversing the next session in the session list.
Optionally, the method for interfacing a unified authentication server further includes:
after receiving the token returned by the unified authentication server, adding the user account sent by the client browser to a unified authentication user list in a preset database;
and checking the validity of the user accounts in the unified authentication user list of the preset database at every preset second time period, and clearing invalid user accounts from the unified authentication user list.
Optionally, checking the validity of the user accounts in the unified authentication user list of the preset database at every preset second time period and clearing invalid user accounts from the unified authentication user list includes:
acquiring the unified authentication user list from the preset database at every preset second time period, and traversing each user account in the unified authentication user list;
when a user account exists in the unified authentication user list, judging, for the currently traversed user account, whether it is valid by acquiring the user information corresponding to that user account from the unified authentication server;
if the user account has been deleted, setting the state of the system user account corresponding to the user account to deleted, and traversing the next user account in the unified authentication user list;
if the user account is valid, judging whether the state of the system user account corresponding to the user account is normal;
if the state of the system user account corresponding to the user account is normal, traversing the next user account in the unified authentication user list;
if the state of the system user account corresponding to the user account is deleted, resetting that state to normal, and traversing the next user account in the unified authentication user list.
The embodiment of the invention provides a unified authentication adapter, which comprises:
a receiving module, configured to receive a dynamic verification code sent by the login service of a target server, where the dynamic verification code is generated by the unified authentication server after it has verified the user account and password sent by the client browser, returned to the client browser, and then sent by the client browser to the login service of the target server;
a first sending module, configured to send the dynamic verification code to the unified authentication server, so that the unified authentication server generates and returns a token once the received dynamic verification code passes verification;
and a second sending module, configured to receive the token returned by the unified authentication server and to send a login success message to the login service of the target server, so that the login service of the target server returns a login success page to the client browser according to the login success message.
Optionally, the unified authentication adapter further includes:
a first adding module, configured to add a session with the client browser to a session list of a preset database after receiving the token returned by the unified authentication server, where the session includes: the token generated this time;
a first checking module, configured to check the validity of the session list in the preset database at every preset first time period and to clean up expired sessions in the session list.
Optionally, the unified authentication adapter further includes:
the second adding module is used for adding the user account sent by the client browser into a unified authentication user list of a preset database after receiving the token returned by the unified authentication server;
and a second checking module, configured to check the validity of the user accounts in the unified authentication user list of the preset database at every preset second time period and to clear invalid user accounts from the unified authentication user list.
An embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the steps of the method are implemented as described above.
According to the method for interfacing a unified authentication server and the unified authentication adapter provided by the embodiment of the invention, the unified authentication adapter receives a dynamic verification code sent by the login service of a target server, where the dynamic verification code is generated by the unified authentication server after it has verified the user account and password sent by the client browser, returned to the client browser, and then sent by the client browser to the login service of the target server; sends the dynamic verification code to the unified authentication server, which generates and returns a token once the received dynamic verification code passes verification; and receives the token returned by the unified authentication server and sends a login success message to the login service of the target server, so that the login service returns a login success page to the client browser. In this way the adapter interfaces with the unified authentication server to complete the login to the target server, various unified authentication servers can be interfaced seamlessly, and the security of the service system of the target server is preserved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic diagram illustrating a conventional manner of interfacing a unified authentication server;
fig. 2 is a flowchart illustrating a method for interfacing a unified authentication server according to an embodiment of the present invention;
fig. 3 is a signaling diagram of a complete process of a method for interfacing a unified authentication server according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a unified authentication adapter according to an embodiment of the present invention;
fig. 5 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 2 is a schematic flowchart illustrating a method for interfacing a unified authentication server according to an embodiment of the present invention, and as shown in fig. 2, the method for interfacing a unified authentication server according to the embodiment includes:
s1, receiving a dynamic verification code sent by the login service of the target server, wherein the dynamic verification code is generated and returned to the client browser after the user account and the password sent by the client browser are verified by the unified authentication server, and is sent to the login service of the target server by the client browser.
It should be noted that, an execution subject of the method for interfacing a unified authentication server according to this embodiment is a unified authentication adapter, and the unified authentication adapter is actually an adapter for adapting a unified authentication server implemented in this embodiment.
Fig. 3 is a signaling diagram of the complete process of the method for interfacing a unified authentication server according to this embodiment. Referring to fig. 3: the system home page of the login service of the target server is accessed through the client browser; the login service of the target server returns a login page to the client browser; when the client browser detects that the user has triggered the unified authentication link on the displayed login page, it jumps to the unified authentication login page of the unified authentication server; the unified authentication server receives the user account and password entered by the user and sent by the client browser, verifies them, generates a dynamic verification CODE (CODE) once the verification passes, and returns the dynamic verification code to the client browser; the client browser sends the dynamic verification code to the login service of the target server; and the login service of the target server sends the dynamic verification code to the unified authentication adapter, so that the adapter can subsequently interface with the unified authentication server using the dynamic verification code. Specifically, the login service of the target server may simply pass the dynamic verification code through to the unified authentication adapter.
And S2, sending the dynamic verification code to a unified authentication server, so that the unified authentication server generates and returns a token after the received dynamic verification code is verified.
It can be understood that, after receiving the dynamic verification code sent by the login service of the target server, the unified authentication adapter sends the dynamic verification code to the unified authentication server, the unified authentication server checks the received dynamic verification code, and after the received dynamic verification code is checked by the unified authentication server, a Token (Token) is generated and returned to the unified authentication adapter, which can refer to fig. 3.
And S3, receiving the token returned by the unified authentication server, and sending a login success message to the login service of the target server, so that the login service of the target server returns a login success page to the client browser according to the login success message.
It can be understood that, if the unified authentication adapter receives the token returned by the unified authentication server, the unified authentication adapter sends a login success message to the login service of the target server, and the login service of the target server returns a login success page to the client browser according to the login success message, which may refer to fig. 3.
In this embodiment, a unified authentication adapter that adapts to the unified authentication server is implemented as an independent component: it performs the data exchange with the unified authentication server externally and shields the service system of the target server from any awareness of unified authentication at the service level. If an already-connected unified authentication server needs to be upgraded or a new unified authentication server needs to be connected, only the implementation code in the unified authentication adapter needs to be adjusted, and no other component needs to be aware of the change. The unified authentication adapter of this embodiment is a stateless component, so once the adaptation is done the adapter can be upgraded without affecting the service system functions of the target server. By executing the method of this embodiment in the unified authentication adapter, the interfacing with the unified authentication server is realized, the login to the target server is completed, the security of the service system of the target server is ensured, and various unified authentication servers can be interfaced seamlessly.
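The three steps above (S1 to S3, also listed in the Disclosure section) as an added, runnable Python example; this is not code from the patent or from the assignee. The in-memory UnifiedAuthServer stand-in, the single-use and 60-second-lifetime checks on the dynamic verification code, the token format and the sample account are all assumptions made for illustration.

```python
"""Added example (not the patent's own code): the adapter-side code-for-token
exchange of steps S1-S3, with an in-memory stand-in for the unified
authentication server. Names, token formats and the code lifetime are assumed."""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class UnifiedAuthServer:
    """Minimal stand-in for the third-party unified authentication server (assumed)."""
    users: dict                                   # account -> password (constructed sample data)
    code_ttl: float = 60.0                        # assumed lifetime of a dynamic verification code
    _codes: dict = field(default_factory=dict)    # code -> (account, issued_at)
    _tokens: dict = field(default_factory=dict)   # token -> account

    def login(self, account, password, now):
        """Verify account/password; on success issue a one-time dynamic verification code."""
        expected = self.users.get(account)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        code = secrets.token_urlsafe(16)
        self._codes[code] = (account, now)
        return code

    def exchange_code(self, code, now):
        """Exchange a code for a token; the code is single-use and expires after code_ttl."""
        entry = self._codes.pop(code, None)   # pop: a replayed code is rejected
        if entry is None:
            return None
        account, issued_at = entry
        if now - issued_at > self.code_ttl:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = account
        return token


class UnifiedAuthAdapter:
    """The stateless adapter: receives the code from the login service (S1),
    sends it to the authentication server (S2) and reports the outcome (S3)."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def handle_code(self, code, now=None):
        now = time.time() if now is None else now
        token = self.auth_server.exchange_code(code, now)     # S2
        if token is None:
            return {"status": "login_failed"}                 # no token, so no success message
        return {"status": "login_success", "token": token}   # S3


def demo_flow(account="alice", password="correct horse"):
    """Walk the full flow; returns the adapter's messages for a good login,
    a replayed code and an expired code (all on constructed sample data)."""
    server = UnifiedAuthServer(users={"alice": "correct horse"})
    adapter = UnifiedAuthAdapter(server)
    t0 = 1_700_000_000.0
    code = server.login(account, password, now=t0)           # browser -> auth server
    first = adapter.handle_code(code, now=t0 + 1)            # login service -> adapter
    replay = adapter.handle_code(code, now=t0 + 2)           # the same code presented again
    late_code = server.login(account, password, now=t0)
    expired = adapter.handle_code(late_code, now=t0 + 120)   # beyond code_ttl
    return first, replay, expired


if __name__ == "__main__":
    print(demo_flow())
```

The replayed and expired code cases show why the adapter treats the absence of a token as a failed login: the login success message is only ever sent after the authentication server has actually returned a token, so the login service never has to judge the code itself.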
In the method for interfacing a unified authentication server provided by this embodiment, the unified authentication adapter receives a dynamic verification code sent by the login service of a target server, where the dynamic verification code is generated by the unified authentication server after it has verified the user account and password sent by the client browser, returned to the client browser, and then sent by the client browser to the login service of the target server; sends the dynamic verification code to the unified authentication server, which generates and returns a token once the received dynamic verification code passes verification; and receives the token returned by the unified authentication server and sends a login success message to the login service of the target server, so that the login service returns a login success page to the client browser. In this way the adapter interfaces with the unified authentication server to complete the login to the target server, various unified authentication servers can be interfaced seamlessly, and the security of the service system of the target server is preserved.
Further, on the basis of the foregoing embodiment, the method for interfacing a unified authentication server according to this embodiment may further include:
after receiving the token returned by the unified authentication server, adding the session (Session) with the client browser to a session list in a preset database, where the session comprises the token generated this time;
checking the validity of the session list in the preset database at every preset first time period, and cleaning up expired sessions in the session list.
Specifically, checking the validity of the session list in the preset database at every preset first time period and cleaning up expired sessions in the session list may include:
acquiring the session list from the preset database at every preset first time period, and traversing each session in the session list;
when a session exists in the session list, judging, for the currently traversed session, whether the session is valid;
if the session is expired (i.e., the session is invalid), traversing the next session in the session list;
if the session is valid, judging whether the token corresponding to the session is valid;
if the token corresponding to the session is valid, traversing the next session in the session list;
if the token corresponding to the session is expired (i.e., the token is invalid), acquiring the refresh token corresponding to the session from the unified authentication server, and judging whether that refresh token is valid;
if the refresh token corresponding to the session is valid, using it to replace the token corresponding to the session;
and if the refresh token corresponding to the session is expired (i.e., the refresh token is invalid), deleting the currently traversed session from the session list, and traversing the next session in the session list.
It is understood that the preset first period of time can be set according to practical situations, and the present embodiment is not limited thereto, for example, 15 minutes, 1 hour, 5 hours, and the like.
It can be understood that, the embodiment can periodically check the validity of the session in the session list of the preset database, and timely clean up the expired session, thereby improving the security.
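The session-list check just described (and the identical steps in the Disclosure section), as an added Python example that is not the patent's own code. The Session record layout, the refresh-token lookup on the authentication server (RefreshTokenSource), the timestamps and the drop_expired_sessions switch are assumptions.

```python
"""Added example (not the patent's own code): one pass of the periodic
session-list check. Record layout, refresh-token lookup and times are assumed."""
from dataclasses import dataclass


@dataclass
class Session:
    """One entry of the session list in the preset database (layout assumed)."""
    session_id: str
    token: str
    session_expires_at: float   # assumed: when the browser session itself expires
    token_expires_at: float     # assumed: when the current token expires


class RefreshTokenSource:
    """Stand-in for the unified authentication server's refresh-token lookup (assumed).
    Returns (refresh_token, refresh_token_expires_at) for a session id, or None."""

    def __init__(self, refresh_tokens):
        self._refresh_tokens = refresh_tokens

    def get_refresh_token(self, session_id):
        return self._refresh_tokens.get(session_id)


def check_session_list(sessions, auth_server, now, drop_expired_sessions=False):
    """One pass over the session list, in the order of checks given in the text.
    Returns (kept_sessions, actions); actions maps each session id to what was done.
    drop_expired_sessions=True is an addition not in the text: it also removes
    sessions whose own lifetime has ended."""
    kept, actions = [], {}
    for s in sessions:
        if s.session_expires_at <= now:
            # Text: session expired, so move on to the next session.
            actions[s.session_id] = "session_expired"
            if not drop_expired_sessions:
                kept.append(s)
            continue
        if s.token_expires_at > now:
            # Session valid and token valid: nothing to do.
            actions[s.session_id] = "token_valid"
            kept.append(s)
            continue
        # Token expired: ask the authentication server for the refresh token.
        refreshed = auth_server.get_refresh_token(s.session_id)
        if refreshed is not None and refreshed[1] > now:
            s.token, s.token_expires_at = refreshed   # refresh token replaces the token
            actions[s.session_id] = "token_refreshed"
            kept.append(s)
        else:
            # Refresh token missing or expired: delete the session.
            actions[s.session_id] = "deleted"
    return kept, actions


def demo_check(drop_expired_sessions=False):
    """Run one pass over a constructed session list; returns kept ids, actions, tokens."""
    now = 1_700_000_000.0
    sessions = [
        Session("s1", "tok1", now + 3600, now + 600),   # session and token valid
        Session("s2", "tok2", now + 3600, now - 1),     # token expired, refresh token valid
        Session("s3", "tok3", now + 3600, now - 1),     # token expired, refresh token expired
        Session("s4", "tok4", now - 1, now + 600),      # session itself expired
        Session("s5", "tok5", now + 3600, now - 1),     # token expired, no refresh token
    ]
    server = RefreshTokenSource({"s2": ("refresh2", now + 7200),
                                 "s3": ("refresh3", now - 10)})
    kept, actions = check_session_list(sessions, server, now, drop_expired_sessions)
    return [s.session_id for s in kept], actions, {s.session_id: s.token for s in kept}


if __name__ == "__main__":
    print(demo_check())
```

The checks run in the order the text gives them. Note that, as written, the procedure only deletes a session once its refresh token has expired; a session whose own lifetime has ended is merely skipped, which is why the drop_expired_sessions option is offered for deployments that want those removed in the same pass.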
Further, on the basis of the foregoing embodiment, the method for interfacing a unified authentication server according to this embodiment may further include:
after receiving the token returned by the unified authentication server, adding the user account sent by the client browser to a unified authentication user list in a preset database;
and checking the validity of the user accounts in the unified authentication user list of the preset database at every preset second time period, and clearing invalid user accounts from the unified authentication user list.
Specifically, checking the validity of the user accounts in the unified authentication user list of the preset database at every preset second time period and clearing invalid user accounts from the unified authentication user list may include:
acquiring the unified authentication user list from the preset database at every preset second time period, and traversing each user account in the unified authentication user list;
when a user account exists in the unified authentication user list, judging, for the currently traversed user account, whether it is valid by acquiring the user information corresponding to that user account from the unified authentication server;
if the user account has been deleted (i.e., the user account is invalid), setting the state of the system user account corresponding to the user account to deleted, and traversing the next user account in the unified authentication user list;
if the user account is valid, judging whether the state of the system user account corresponding to the user account is normal;
if the state of the system user account corresponding to the user account is normal, traversing the next user account in the unified authentication user list;
if the state of the system user account corresponding to the user account is deleted (i.e., the state is not normal), resetting that state to normal, and traversing the next user account in the unified authentication user list.
It is understood that the preset second time period can be set according to practical situations, and the present embodiment is not limited thereto, for example, 15 minutes, 1 hour, 5 hours, and the like. The value of the preset second time period can be the same as or different from that of the preset first time period, and the preset second time period and the preset first time period need to be set according to actual conditions.
It can be understood that, in the embodiment, the validity of the user accounts in the unified authenticated user list of the preset database can be periodically checked, and invalid user accounts in the unified authenticated user list can be timely cleaned, so that it is ensured that users logging in the target server are all legal, and the security is improved.
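The user-list check just described (and its twin in the Disclosure section), as an added Python example that is not the patent's own code. The UserInfoSource stand-in, the "normal"/"deleted" state values, the handling of accounts that have no system record, and the sample data are assumptions.

```python
"""Added example (not the patent's own code): one pass of the periodic check of
the unified-authentication user list against the authentication server."""


class UserInfoSource:
    """Stand-in for the unified authentication server's user-information query (assumed):
    returns a dict for an account that still exists and None for a deleted account."""

    def __init__(self, users):
        self._users = users

    def get_user_info(self, account):
        return self._users.get(account)


def check_user_list(user_list, system_accounts, auth_server):
    """One pass over the unified-authentication user list, in the order of checks given
    in the text. system_accounts maps each account to the state ("normal" or "deleted")
    of the corresponding system user account in the preset database. Returns the updated
    system_accounts and a per-account action log suitable for auditing."""
    actions = {}
    for account in user_list:
        info = auth_server.get_user_info(account)
        if info is None:
            # Deleted on the authentication server: mark the system user account deleted.
            system_accounts[account] = "deleted"
            actions[account] = "marked_deleted"
            continue
        state = system_accounts.get(account)
        if state == "normal":
            actions[account] = "unchanged"
        elif state == "deleted":
            # Valid again on the authentication server: reset the state to normal.
            system_accounts[account] = "normal"
            actions[account] = "restored"
        else:
            # Not covered by the text (assumption): no system user account exists, leave it alone.
            actions[account] = "no_system_account"
    return system_accounts, actions


def demo_user_check():
    """Run one pass over constructed sample data."""
    user_list = ["alice", "bob", "carol", "dave"]
    system_accounts = {"alice": "normal", "bob": "normal", "carol": "deleted"}
    server = UserInfoSource({
        "alice": {"display_name": "Alice"},   # still valid
        "carol": {"display_name": "Carol"},   # valid again after having been marked deleted locally
        "dave": {"display_name": "Dave"},     # valid, but has no system user account
        # "bob" is absent: deleted on the authentication server
    })
    return check_user_list(user_list, system_accounts, server)


if __name__ == "__main__":
    print(demo_user_check())
```

The action log is the part worth keeping in a real deployment: an account flipping between "marked_deleted" and "restored" across consecutive passes is exactly the kind of change an operator wants surfaced, since it decides who can still log in to the target server.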
The method for interfacing a unified authentication server provided by this embodiment is applied to a unified authentication adapter and can interface with the unified authentication server to complete the login to a target server; various unified authentication servers can be interfaced seamlessly; if an already-connected unified authentication server needs to be upgraded or a new unified authentication server needs to be connected, only the implementation code in the unified authentication adapter needs to be adjusted and no other component needs to be aware of the change, so the adapter can be upgraded without affecting the service system functions of the target server; and the validity of the sessions in the session list and of the user accounts in the unified authentication user list of the preset database can be checked periodically, with expired sessions and invalid user accounts cleaned up in time, so that all users logged in to the target server are legitimate and security is improved.
Fig. 4 is a schematic structural diagram of a unified authentication adapter according to an embodiment of the present invention. As shown in fig. 4, the unified authentication adapter of this embodiment includes: a receiving module 41, a first sending module 42 and a second sending module 43; wherein:
the receiving module 41 is configured to receive a dynamic verification code sent by a login service of a target server, where the dynamic verification code is generated and returned to a client browser after a user account and a password sent by the client browser are verified by the unified authentication server, and is sent to the login service of the target server by the client browser;
the first sending module 42 is configured to send the dynamic verification code to a unified authentication server, so that the unified authentication server generates and returns a token after passing the verification of the received dynamic verification code;
the second sending module 43 is configured to receive the token returned by the unified authentication server, and send a login success message to the login service of the target server, so that the login service of the target server returns a page with a successful login to the client browser according to the login success message.
Specifically, the receiving module 41 receives a dynamic verification code sent by a login service of a target server, where the dynamic verification code is generated and returned to a client browser after a user account and a password sent by the client browser are verified by the unified authentication server, and is sent to the login service of the target server by the client browser; the first sending module 42 sends the dynamic verification code to a unified authentication server, so that the unified authentication server generates and returns a token after passing the verification of the received dynamic verification code; the second sending module 43 receives the token returned by the unified authentication server, and sends a login success message to the login service of the target server, so that the login service of the target server returns a login successful page to the client browser according to the login success message.
It can be understood that the connection to the unified authentication server proceeds as follows: the client browser accesses the system home page of the login service of the target server; the login service of the target server returns a login page to the client browser; when the client browser detects that the user has triggered the unified authentication link in the login page it displays, it jumps to the unified authentication login page of the unified authentication server; the unified authentication server receives the user account and password entered by the user and sent by the client browser, verifies them, generates a dynamic verification code (CODE) after they pass verification, and returns the dynamic verification code to the client browser; the client browser sends the dynamic verification code to the login service of the target server; the login service of the target server sends (for example, passes through unchanged) the dynamic verification code to the unified authentication adapter; after receiving the dynamic verification code from the login service of the target server, the unified authentication adapter sends it to the unified authentication server, which verifies it and, once it passes verification, generates a token (Token) and returns the token to the unified authentication adapter; if the unified authentication adapter receives the token returned by the unified authentication server, it sends a login success message to the login service of the target server, and the login service of the target server returns a login success page to the client browser according to the login success message.
It can be understood that this embodiment implements a unified authentication adapter for adapting to the unified authentication server. As an independent component, it exchanges data with the unified authentication server externally and, on the business side, shields the business system of the target server from any awareness of unified authentication. If an already-connected unified authentication server needs to be upgraded or a new unified authentication server needs to be connected, only the implementation code in the unified authentication adapter of this embodiment needs to be adjusted, and other components do not need to be aware of the change of the unified authentication server. The unified authentication adapter of this embodiment is a stateless component (the session list and user list it maintains are kept in the preset database), so once adaptation is complete the adapter can be upgraded without affecting the business system functions of the target server. The unified authentication adapter can thus connect to the unified authentication server, complete login to the target server, ensure the security of the business system of the target server, and connect seamlessly to various unified authentication servers.
The unified authentication adapter provided in this embodiment receives, through the receiving module, a dynamic verification code sent by the login service of the target server, where the dynamic verification code is generated by the unified authentication server after it verifies the user account and password sent by the client browser, is returned to the client browser, and is sent by the client browser to the login service of the target server; the first sending module sends the dynamic verification code to the unified authentication server, so that the unified authentication server generates and returns a token after the received dynamic verification code passes verification; the second sending module receives the token returned by the unified authentication server and sends a login success message to the login service of the target server, so that the login service of the target server returns a login success page to the client browser according to the login success message. The adapter can therefore connect to the unified authentication server to complete login to the target server, can connect seamlessly to various unified authentication servers, and can ensure the security of the business system of the target server.
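The exchange described above, as an added example in Python that is not part of the patent or of the applicant's product: the unified authentication server and the login service are mocked in-process, and MockUnifiedAuthServer, UnifiedAuthAdapter, LoginService, run_login, the sample account and the 60-second code lifetime are all assumptions made for this example. It also adds two checks a practitioner would expect that the patent does not state: the dynamic verification code is consumed on first presentation, so a replayed or forged code fails, and only a success/failure message, never the token, reaches the login service.

```python
import secrets

CODE_LIFETIME = 60  # seconds a dynamic verification code stays valid (assumption; the patent sets none)


class MockUnifiedAuthServer:
    """Stand-in for the unified authentication server: issues the code, then the token."""

    def __init__(self, now=0):
        self.now = now
        self._users = {"alice": "correct horse battery"}  # constructed account and password
        self._codes = {}    # dynamic verification code -> (account, expiry)
        self.tokens = {}    # token -> account

    def login(self, account, password):
        """Browser posts account and password; a one-time code is returned on success."""
        if self._users.get(account) != password:
            return None
        code = secrets.token_urlsafe(16)
        self._codes[code] = (account, self.now + CODE_LIFETIME)
        return code

    def verify_code(self, code):
        """Adapter presents the code; it is removed on first use, so replay fails (assumption)."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None                      # unknown, forged or already used code
        account, expiry = entry
        if self.now > expiry:
            return None                      # stale code
        token = secrets.token_urlsafe(32)
        self.tokens[token] = account
        return token


class UnifiedAuthAdapter:
    """The adapter: exchanges the code for a token and reports only success or failure."""

    def __init__(self, server):
        self.server = server
        self.session_list = []               # the preset database's session list, in memory here

    def handle_code(self, code):
        token = self.server.verify_code(code)
        if token is None:
            return "login_failed"
        self.session_list.append({"token": token})   # what the first adding module does
        return "login_success"               # the token itself stays with the adapter


class LoginService:
    """The target server's login service; it forwards the code and never sees the token."""

    def __init__(self, adapter):
        self.adapter = adapter

    def receive_code(self, code):
        result = self.adapter.handle_code(code)   # pass-through of the code to the adapter
        return "login success page" if result == "login_success" else "login page"


def run_login(account, password):
    """Drive one complete exchange; returns (page shown to the browser, code, login service)."""
    server = MockUnifiedAuthServer()
    login_service = LoginService(UnifiedAuthAdapter(server))
    code = server.login(account, password)          # browser -> unified authentication server
    if code is None:
        return "unified authentication login page", None, login_service
    return login_service.receive_code(code), code, login_service   # browser -> login service -> adapter
```

Presenting the same code a second time to `receive_code` returns the login page rather than the success page, which is the behaviour to test for when integrating a real unified authentication server.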
Further, on the basis of the foregoing embodiment, the unified authentication adapter according to this embodiment may further include:
a first adding module, configured to add a session with the client browser to a session list of a preset database after receiving the token returned by the unified authentication server, where the session includes: the token generated this time;
the first checking module is used for checking the validity of a session list of a preset database every other preset first time period and cleaning expired sessions in the session list.
Specifically, the first checking module may be configured to:
Acquiring a session list from a preset database every a preset first time period, and traversing each session in the session list;
when a session exists in the session list, judging whether the session is valid or not for the currently traversed session;
if the session is expired (i.e., the session is invalid), traversing the next session in the session list;
if the session is valid, judging whether a token corresponding to the session is valid;
traversing the next session in the session list if the token corresponding to the session is valid;
if the token corresponding to the session is expired (namely the token corresponding to the session is invalid), acquiring a refresh token corresponding to the session from the unified authentication server, and judging whether the refresh token corresponding to the session is valid;
if the refresh token corresponding to the session is valid, replacing the (expired) token corresponding to the session with the refresh token corresponding to the session;
and if the refresh token corresponding to the session is expired (namely the refresh token corresponding to the session is invalid), deleting the currently traversed session from the session list, and traversing the next session in the session list.
It is understood that the preset first period of time can be set according to practical situations, and the present embodiment is not limited thereto, for example, 15 minutes, 1 hour, 5 hours, and the like.
It can be understood that, the embodiment can periodically check the validity of the session in the session list of the preset database, and timely clean up the expired session, thereby improving the security.
Further, on the basis of the foregoing embodiment, the unified authentication adapter according to this embodiment may further include:
the second adding module is used for adding the user account sent by the client browser into a unified authentication user list of a preset database after receiving the token returned by the unified authentication server;
and the second checking module is used for checking the validity of the user accounts in the unified authentication user list of the preset database every other preset second time period and clearing the invalid user accounts in the unified authentication user list.
Specifically, the second checking module may be configured to:
Acquiring a unified authentication user list from a preset database every a preset second time period, and traversing each user account in the unified authentication user list;
when a user account exists in the unified authentication user list, judging, for the currently traversed user account, whether the user account is valid (by acquiring the user information corresponding to the user account from the unified authentication server, as the claims specify);
if the user account has been deleted (that is, the user account is invalid), setting the state of the system user account corresponding to the user account to deleted, and traversing the next user account in the unified authentication user list;
if the user account is valid, judging whether the state corresponding to the system user account corresponding to the user account is normal or not;
if the state corresponding to the system user account corresponding to the user account is normal, traversing the next user account in the unified authentication user list;
if the state of the system user account corresponding to the user account is deleted (that is, the state is not normal), resetting that state to normal, and traversing the next user account in the unified authentication user list.
It is understood that the preset second time period can be set according to practical situations, and this embodiment is not limited thereto; for example, it may be 15 minutes, 1 hour or 5 hours. Its value may be the same as or different from that of the preset first time period; both are set according to actual conditions.
It can be understood that in this embodiment the validity of the user accounts in the unified authentication user list of the preset database is checked periodically and invalid user accounts in the list are cleaned up in time, so that the users logged in to the target server are all legitimate and security is improved.
The unified authentication adapter provided by this embodiment can connect to the unified authentication server to complete login to the target server; it can connect seamlessly to various unified authentication servers; if an already-connected unified authentication server needs to be upgraded or a new unified authentication server needs to be connected, only the implementation code in the unified authentication adapter needs to be adjusted and other components need not be aware of the change, so the adapter can be upgraded without affecting the business system functions of the target server; and the validity of the sessions in the session list of the preset database and of the user accounts in the unified authentication user list of the preset database can be checked periodically, with expired sessions and invalid user accounts cleaned up in time, so that the users logged in to the target server are all legitimate and security is improved.
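The two periodic checks described above, the first checking module's sweep of the session list and the second checking module's sweep of the unified authentication user list, as one added example in Python that is not part of the patent or of the applicant's product. The fixed clock NOW, MockUnifiedAuthServer, the dictionary standing in for the preset database and every function name are assumptions made for this example. Three points go beyond the patent text and are marked in the comments: a session that has itself expired is dropped rather than only skipped, since the module's stated purpose is to clean expired sessions; a valid refresh token is exchanged for a new token, the usual OAuth 2.0 practice, rather than stored in place of the expired token as the text literally says; and an account found deleted on the server also loses its sessions, which the patent does not state but a practitioner would require.

```python
NOW = 1_700_000_000  # fixed clock so the sweep is deterministic (constructed)


class MockUnifiedAuthServer:
    """Stand-in for the unified authentication server, holding constructed sample data."""

    def __init__(self, now=NOW):
        self.now = now
        # token -> expiry: alice's and erin's are live, bob's and carol's have expired (constructed)
        self.tokens = {"tok-alice": now + 3600, "tok-bob": now - 1,
                       "tok-carol": now - 1, "tok-erin": now + 3600}
        # token -> (refresh token, refresh-token expiry); carol's refresh token has expired too
        self.refresh_tokens = {"tok-bob": ("rt-bob", now + 86400),
                               "tok-carol": ("rt-carol", now - 1)}
        # accounts that still exist on the server; 'erin' has been deleted (constructed)
        self.users = {"alice": {}, "bob": {}, "carol": {}, "dave": {}}
        self._issued = 0

    def token_valid(self, token):
        return self.tokens.get(token, 0) > self.now

    def get_refresh_token(self, token):
        """Refresh token paired with a (possibly expired) token, or None."""
        return self.refresh_tokens.get(token, (None, 0))[0]

    def refresh_token_valid(self, refresh_token):
        return any(rt == refresh_token and exp > self.now
                   for rt, exp in self.refresh_tokens.values())

    def exchange_refresh_token(self, refresh_token):
        """Issue a new token for a valid refresh token (assumption: exchange, not replacement)."""
        self._issued += 1
        token = f"tok-renewed-{self._issued}"
        self.tokens[token] = self.now + 3600
        return token

    def get_user_info(self, account):
        return self.users.get(account)


def build_preset_database():
    """Constructed preset database: session list, unified authentication user list, local states."""
    return {
        "session_list": [
            {"account": "alice", "token": "tok-alice", "expires_at": NOW + 7200},  # token valid
            {"account": "bob",   "token": "tok-bob",   "expires_at": NOW + 7200},  # refresh possible
            {"account": "carol", "token": "tok-carol", "expires_at": NOW + 7200},  # refresh expired
            {"account": "dave",  "token": "tok-dave",  "expires_at": NOW - 10},    # session expired
            {"account": "erin",  "token": "tok-erin",  "expires_at": NOW + 7200},  # account deleted
        ],
        "user_list": ["alice", "bob", "carol", "dave", "erin"],
        # carol was marked deleted by an earlier sweep but exists on the server again
        "system_users": {"alice": "normal", "bob": "normal", "carol": "deleted",
                         "dave": "normal", "erin": "normal"},
    }


def check_session_list(db, server):
    """First checking module: one pass over the session list; returns the sessions kept."""
    kept = []
    for session in db["session_list"]:
        if session["expires_at"] <= server.now:
            continue                         # expired session: dropped (assumption, see lead-in)
        if server.token_valid(session["token"]):
            kept.append(session)             # token still valid: nothing to do
            continue
        refresh_token = server.get_refresh_token(session["token"])
        if refresh_token is not None and server.refresh_token_valid(refresh_token):
            session["token"] = server.exchange_refresh_token(refresh_token)
            kept.append(session)             # token renewed in place
        # otherwise the refresh token has expired as well and the session is deleted
    db["session_list"] = kept
    return kept


def check_user_list(db, server):
    """Second checking module: align local account states with the server; returns the states."""
    states = db["system_users"]
    for account in db["user_list"]:
        if server.get_user_info(account) is None:
            states[account] = "deleted"
            # not in the patent text: a deleted account keeps no session (assumption)
            db["session_list"] = [s for s in db["session_list"] if s["account"] != account]
        elif states.get(account) != "normal":
            states[account] = "normal"       # account exists on the server again: restore it
    return states


def run_sweeps():
    """Run both checks once over the constructed data and return the resulting database."""
    server = MockUnifiedAuthServer()
    db = build_preset_database()
    check_session_list(db, server)
    check_user_list(db, server)
    return db
```

In a deployment the two sweeps run on the preset first and second time periods respectively; the order shown (sessions, then accounts) matters only for the extra step that removes a deleted account's sessions.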
The unified authentication adapter provided in the embodiment of the present invention may be used to implement the technical solutions of the foregoing method embodiments, and the implementation principles and technical effects thereof are similar, and are not described herein again.
Fig. 5 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention, as shown in fig. 5, the electronic device may include a memory 502, a processor 501, a bus 503, and a computer program stored in the memory 502 and executable on the processor 501, where the processor 501 and the memory 502 are in communication with each other through the bus 503. The processor 501, when executing the computer program, implements the steps of the above method, for example, including: receiving a dynamic verification code sent by a login service of a target server, wherein the dynamic verification code is generated and returned to a client browser after a user account and a password sent by the client browser are verified by a unified authentication server, and is sent to the login service of the target server by the client browser; sending the dynamic verification code to a unified authentication server so that the unified authentication server generates and returns a token after the received dynamic verification code passes verification; and receiving the token returned by the unified authentication server, and sending a login success message to the login service of the target server, so that the login service of the target server returns a login success page to the client browser according to the login success message.
An embodiment of the present invention provides a non-transitory computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the above method, for example, including: receiving a dynamic verification code sent by a login service of a target server, wherein the dynamic verification code is generated and returned to a client browser after a user account and a password sent by the client browser are verified by a unified authentication server, and is sent to the login service of the target server by the client browser; sending the dynamic verification code to a unified authentication server so that the unified authentication server generates and returns a token after the received dynamic verification code passes verification; and receiving the token returned by the unified authentication server, and sending a login success message to the login service of the target server, so that the login service of the target server returns a login success page to the client browser according to the login success message.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for connecting a unified authentication server is applied to a unified authentication adapter, and is characterized by comprising the following steps:
receiving a dynamic verification code sent by a login service of a target server, wherein the dynamic verification code is generated and returned to a client browser after a user account and a password sent by the client browser are verified by a unified authentication server, and is sent to the login service of the target server by the client browser;
sending the dynamic verification code to a unified authentication server so that the unified authentication server generates and returns a token after the received dynamic verification code passes verification;
and receiving the token returned by the unified authentication server, and sending a login success message to the login service of the target server, so that the login service of the target server returns a login success page to the client browser according to the login success message.
2. The method for connecting to a unified authentication server according to claim 1, further comprising:
after receiving the token returned by the unified authentication server, adding the session with the client browser into a session list of a preset database, wherein the session comprises: the token generated this time;
checking the validity of a session list of a preset database every other preset first time period, and cleaning expired sessions in the session list.
3. The method for connecting to a unified authentication server according to claim 2, wherein checking the validity of the session list of the preset database every preset first time period and cleaning expired sessions in the session list comprises:
acquiring a session list from a preset database every a preset first time period, and traversing each session in the session list;
when a session exists in the session list, judging whether the session is valid or not for the currently traversed session;
if the session is invalid, traversing the next session in the session list;
if the session is valid, judging whether a token corresponding to the session is valid;
traversing the next session in the session list if the token corresponding to the session is valid;
if the token corresponding to the session has expired, acquiring a refresh token corresponding to the session from the unified authentication server, and judging whether the refresh token corresponding to the session is valid;
if the refresh token corresponding to the session is valid, replacing the (expired) token corresponding to the session with the refresh token corresponding to the session;
and if the refresh token corresponding to the session is expired, deleting the currently traversed session from the session list, and traversing the next session in the session list.
4. The method for connecting to a unified authentication server according to claim 1, further comprising:
after receiving the token returned by the unified authentication server, adding the user account sent by the client browser into a unified authentication user list of a preset database;
and checking the validity of the user accounts in the unified authentication user list of the preset database every a preset second time period, and clearing the invalid user accounts in the unified authentication user list.
5. The method for connecting to a unified authentication server according to claim 4, wherein checking the validity of the user accounts in the unified authentication user list of the preset database every preset second time period and clearing invalid user accounts in the unified authentication user list comprises:
acquiring a unified authentication user list from a preset database every a preset second time period, and traversing each user account in the unified authentication user list;
when a user account exists in the unified authentication user list, judging whether the user account is valid or not by acquiring user information corresponding to the user account from a unified authentication server for the currently traversed user account;
if the user account is deleted, setting the state corresponding to the system user account corresponding to the user account as deleted, and traversing the next user account in the unified authentication user list;
if the user account is valid, judging whether the state corresponding to the system user account corresponding to the user account is normal or not;
if the state corresponding to the system user account corresponding to the user account is normal, traversing the next user account in the unified authentication user list;
if the state corresponding to the system user account corresponding to the user account is deleted, resetting the state corresponding to the system user account corresponding to the user account to be normal, and traversing the next user account in the unified authentication user list.
6. A unified authentication adapter, comprising:
a receiving module, configured to receive a dynamic verification code sent by the login service of a target server, where the dynamic verification code is generated and returned to a client browser after a user account and a password sent by the client browser are verified by a unified authentication server, and is sent to the login service of the target server by the client browser;
the first sending module is used for sending the dynamic verification code to a unified authentication server so that the unified authentication server generates and returns a token after the received dynamic verification code is verified by the unified authentication server;
and the second sending module is used for receiving the token returned by the unified authentication server and sending a login success message to the login service of the target server so that the login service of the target server returns a login success page to the client browser according to the login success message.
7. The unified authentication adapter according to claim 6, further comprising:
a first adding module, configured to add a session with the client browser to a session list of a preset database after receiving the token returned by the unified authentication server, where the session includes: the token generated this time;
the first checking module is used for checking the validity of a session list of a preset database every other preset first time period and cleaning expired sessions in the session list.
8. The unified authentication adapter according to claim 6, further comprising:
the second adding module is used for adding the user account sent by the client browser into a unified authentication user list of a preset database after receiving the token returned by the unified authentication server;
and the second checking module is used for checking the validity of the user accounts in the unified authentication user list of the preset database every other preset second time period and clearing the invalid user accounts in the unified authentication user list.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method according to any of claims 1 to 5 are implemented when the computer program is executed by the processor.
10. A non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 5.
CN201910837372.2A 2019-09-05 2019-09-05 Method for connecting unified authentication server and unified authentication adapter Active CN110572388B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910837372.2A CN110572388B (en) 2019-09-05 2019-09-05 Method for connecting unified authentication server and unified authentication adapter

Publications (2)

Publication Number Publication Date
CN110572388A CN110572388A (en) 2019-12-13
CN110572388B true CN110572388B (en) 2022-01-04

Family

ID=68778052

Country Status (1)

Country Link
CN (1) CN110572388B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111177686B (en) * 2019-12-31 2022-07-29 华为云计算技术有限公司 Identity authentication method, device and related equipment
CN111431920A (en) * 2020-03-31 2020-07-17 中国建设银行股份有限公司 Security control method and system based on dynamic token
CN112685726A (en) * 2021-01-20 2021-04-20 浪潮云信息技术股份公司 Single-point authentication method based on KEYCLOAK
CN112765583A (en) * 2021-01-27 2021-05-07 海尔数字科技(青岛)有限公司 Single sign-on method, device, equipment and medium

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1937498A (en) * 2006-10-09 2007-03-28 网之易信息技术(北京)有限公司 Dynamic cipher authentication method, system and device
CN101662458A (en) * 2008-08-28 2010-03-03 西门子(中国)有限公司 Authentication method
US8990914B2 (en) * 2012-09-28 2015-03-24 Intel Corporation Device, method, and system for augmented reality security
CN103078932B (en) * 2012-12-31 2016-01-27 中国移动通信集团江苏有限公司 A kind of methods, devices and systems realizing universal single sign-on
WO2014201636A1 (en) * 2013-06-19 2014-12-24 华为技术有限公司 Identity login method and device
CN104348791B (en) * 2013-07-30 2017-12-01 北京神州泰岳软件股份有限公司 A kind of single-point logging method and system
CN105812138B (en) * 2014-12-31 2019-05-28 华为技术有限公司 Processing method, device, user terminal and the login system of login
CN106230902B (en) * 2016-07-22 2019-10-11 深圳创维数字技术有限公司 A kind of modularization family cloud system and its control method
CN106686004B (en) * 2017-02-28 2019-07-12 飞天诚信科技股份有限公司 A kind of login authentication method and system
KR102049527B1 (en) * 2017-07-20 2019-11-27 중부대학교 산학협력단 User Authentication Server and System
CN108600203B (en) * 2018-04-11 2021-05-14 四川长虹电器股份有限公司 Cookie-based safe single sign-on method and unified authentication service system thereof
CN109688114B (en) * 2018-12-10 2021-07-06 迈普通信技术股份有限公司 Single sign-on method, authentication server and application server
CN109672675B (en) * 2018-12-20 2021-06-25 成都三零瑞通移动通信有限公司 OAuth 2.0-based WEB authentication method of password service middleware
CN109831310B (en) * 2019-03-11 2022-02-18 杭州财人汇网络股份有限公司 Identity verification method, system, equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant