CN110958248A - Secret-free authentication method, device and system between network service systems - Google Patents

Secret-free authentication method, device and system between network service systems Download PDF

Info

Publication number
CN110958248A
Authority
CN
China
Prior art keywords
network service
authentication
service system
request
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911218898.9A
Other languages
Chinese (zh)
Inventor
何俊峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Unicloud Nanjing Digital Technology Co Ltd
Original Assignee
Unicloud Nanjing Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Unicloud Nanjing Digital Technology Co Ltd
Priority to CN201911218898.9A
Publication of CN110958248A
Legal status: Pending

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876  Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A secret-free authentication method, device and system between network service systems are provided, wherein the method comprises the following steps: the method comprises the steps that a first network service system receives a service request message sent by a second network service system, wherein the service request message comprises a token identifier, and the token identifier is created after a user successfully logs in the second network service system; the first network service system accesses a trust site of a second network service system and sends a request authentication message to the second network service system, wherein the request authentication message carries the token identifier; the first network service system receives the authentication response message of the second network service system, executes the requested service if the authentication is successful, and returns a service result to the second network service system. According to the scheme, only one account is required to log in among different systems, the security authentication can be shared, a fixed secret-free authentication algorithm is not needed, token authentication is used, timeliness is achieved, and the security authentication is safer.

Description

Secret-free authentication method, device and system between network service systems
Technical Field
The invention belongs to the field of computers, and particularly relates to a method, a device and a computer readable storage medium.
Background
In the prior art, secret-free authentication between network service systems is secured by a uniform authentication rule agreed between the systems: system A sorts and concatenates the parameters to be transmitted, applies MD5 or a similar operation to compute an authentication code, and sends the code together with the parameters to system B; system B recomputes the code with the same algorithm and compares it with the code received from system A, and if the two codes are identical the authentication succeeds. This scheme has a security problem: as soon as an attacker learns the rule by which the authentication code is computed, the system is exposed to malicious requests.
Disclosure of Invention
In view of the above-mentioned shortcomings of the prior art, an object of the present invention is to solve the problem that a network service system is vulnerable to malicious attacks during secret-free access between network service systems.
The embodiment of the invention discloses a secret-free authentication method between network service systems, which comprises the following steps: the method comprises the steps that a first network service system receives a service request message sent by a second network service system, wherein the service request message comprises a token identifier, and the token identifier is created after a user successfully logs in the second network service system; the first network service system accesses a trust site of a second network service system and sends a request authentication message to the second network service system, wherein the request authentication message carries the token identifier; the first network service system receives the authentication response message of the second network service system, executes the requested service if the authentication is successful, and returns a service result to the second network service system.
In one possible embodiment, the request service message further includes an authentication parameter and a first authentication code obtained according to the authentication parameter and a preset rule; before the first network service system queries the trust site, the method further comprises the following steps: the first network service system obtains a second authentication code according to the preset rule and the obtained authentication parameters; and comparing the first authentication code with the second authentication code, and if the first authentication code and the second authentication code are the same, successfully authenticating.
In one possible embodiment, before the first network service system queries the trust site, the first network service system performs local authentication.
In one possible embodiment, a first network service system registers with a trust site at a second network service system.
A secret-free authentication device between network service systems comprises: the first receiving module is used for receiving a service request message sent by a second network service system, wherein the service request message comprises a token identifier, and the token identifier is created after a user successfully logs in the second network service system; the sending module is used for accessing a trust site of a second network service system and sending a request authentication message to the second network service system, wherein the request authentication message carries the token identifier; and the second receiving module is used for receiving the authentication response message of the second network service system, executing the requested service if the authentication is successful, and returning a service result to the second network service system.
In one possible embodiment, the request service message further includes an authentication parameter and a first authentication code obtained according to the authentication parameter and a preset rule; the device further comprises: and the authentication module is used for obtaining a second authentication code according to the preset rule and the obtained authentication parameters, comparing the first authentication code with the second authentication code, and if the first authentication code is the same as the second authentication code, the authentication is successful.
In a possible embodiment, the sending module is further configured to perform local authentication by the first network service system before the first network service system queries the trusted site.
In one possible embodiment, the system further comprises a registration module for registering the trust site with the second network service system.
A secret-free authentication system between network service systems is characterized by comprising a first network service system and a second network service system, wherein the second network service system generates a token identifier after a user successfully logs in, and sends a service request message carrying the token identifier to the first network service system; the first network service system receives the request service message, accesses a trust site of the second network service system, and sends a request authentication message carrying the token identifier to the second network service system; the second network service system authenticates the request authentication message and returns an authentication response; the first network service system receives the authentication response message, executes the requested service if the authentication is successful, and returns a service result to the second network service system.
A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method of secret-free authentication between network service systems as in any one of the preceding embodiments.
The invention has the beneficial effects that: the scheme of the invention ensures that the registration between the service systems is simple and convenient without complex algorithm, and simultaneously supports mutual registration authentication between the network service systems, supports priority local authentication and then secret-free authentication, and shares interfaces. In addition, only one account is required to log in among different systems, the security authentication can be shared, a fixed secret-free authentication algorithm is not needed, token authentication is used, timeliness is achieved, and the security authentication is safer.
Drawings
FIG. 1 is a flow chart of a method according to an embodiment of the present invention;
FIG. 2 is a first schematic diagram of signaling interaction according to an embodiment of the present invention;
FIG. 3 is a second schematic diagram of signaling interaction according to an embodiment of the present invention;
FIG. 4 is a third schematic diagram of signaling interaction according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Detailed Description
In order to facilitate understanding of those skilled in the art, the present invention will be further described with reference to the following examples and drawings, which are not intended to limit the present invention.
The embodiment of the invention discloses a secret-free authentication system among network service systems, which comprises a first network service system and a second network service system, wherein the second network service system generates a token identifier after a user successfully logs in and sends a service request message carrying the token identifier to the first network service system; the first network service system receives the request service message, accesses a trust site of a second network service system, and sends a request authentication message carrying the token identifier to the second network service system; the second network service system authenticates the request authentication message and returns an authentication response; the first network service system receives the authentication response message, executes the requested service if the authentication is successful, and returns a service result to the second network service system. Specific embodiments thereof are set forth in the following method examples.
The embodiment of the invention discloses a secret-free authentication method between network service systems, which is suitable for the systems, and the method comprises the following steps with reference to figure 1:
s101, a first network service system receives a service request message sent by a second network service system, wherein the service request message comprises a token identifier, and the token identifier is created after a user successfully logs in the second network service system.
For example, referring to fig. 2 and fig. 3, assume there are two network service systems, A and B, where A is the service system of the first party (the client company), i.e. the aforementioned second network service system, and B is the service system of the second party (the provider company), i.e. the aforementioned first network service system. The second party provides functional services to the first party, that is, system B serves system A, but systems A and B do not share an account or password. To secure this access, system A must provide security authentication for system B: system A exposes an API authentication interface which returns a correct result only to a caller holding a valid token of system A.
Specifically, as shown in fig. 3, a user first logs in to system A; if the login succeeds, system A creates a token (tokenA) and then sends system B a request to access the functional service urlB of system B, where the request carries the tokenA identifier.
In one embodiment, the request service message further includes an authentication parameter and a first authentication code obtained according to the authentication parameter and a preset rule; before the first network service system queries the trust site, the method further comprises the following steps: the first network service system obtains a second authentication code according to the preset rule and the obtained authentication parameters; and comparing the first authentication code with the second authentication code, and if the first authentication code and the second authentication code are the same, successfully authenticating.
Specifically, as shown in fig. 4, the system a sends a request message to the system B, where the request message carries tokenA and other parameters and requests url B to provide service via the accessKey calculated by the parameters according to the unified network rule.
S102, the first network service system accesses a trust site of a second network service system and sends a request authentication message to the second network service system, wherein the request authentication message carries the token identifier.
Specifically, system B registers a trust site, namely the authentication interface of system A. When an external caller accesses system B carrying a token parameter, system B accesses system A with that token: if a correct result is returned, the secret-free authentication succeeds and the requested action is executed to provide the service; if an error is returned, the secret-free authentication fails and the service is not provided. As shown in fig. 3, system B requests the trust site urlA to authenticate the tokenA identifier, and system A returns the secret-free authentication result.
In one embodiment, a first network service system registers with a trust site at a second network service system. The secret-free authentication trust site can be set in a configuration file, and the migration is flexible.
Before the first network service system queries the trust site, it performs local authentication. If local authentication fails, secret-free authentication is carried out at the trust site.
In one embodiment, as shown in fig. 4, when local authentication of the token fails, the value computed from the parameters other than the accessKey, using the unified calculation rule, is compared against the accessKey; if this comparison succeeds, secret-free authentication is then carried out at the trust site. Multiple stages of secret-free authentication are thus performed.
S103, the first network service system receives the authentication response message of the second network service system, and if the authentication is successful, the requested service is executed, and a service result is returned to the second network service system.
Specifically, when an external caller accesses system B carrying the token parameter, system B accesses system A with the token: if a correct result is returned, the secret-free authentication succeeds and the action is executed to provide the service; if an error is returned, the secret-free authentication fails and the service is not provided. As shown in fig. 3 and 4, system A returns a successful authentication result to system B, and system B executes urlB to provide the service and returns the service result.
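Steps S101 to S103 above, the accessKey pre-check of the fig. 4 embodiment and the prior-art sort-concatenate-MD5 rule of the Background section, modelled together as one small Python program. This is an added illustration, not code from the patent or its assignee: the class names ServiceA and ServiceB, the 300-second token lifetime, the in-memory token stores, the exact key=value sort-join-MD5 form of the "unified rule", and the constructed account and clock are all assumptions, and the trust site is a direct method call standing in for the HTTP request to urlA.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300  # seconds; assumed token lifetime, the source of the scheme's "timeliness"


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


def access_key(params):
    """Assumed form of the Background's 'unified rule': sort parameter names,
    join key=value pairs, MD5 the string; accessKey itself is excluded.
    Anyone who knows the rule can produce a valid code (the weakness the
    patent cites), so handle_request() treats it only as a pre-filter."""
    canonical = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "accessKey")
    return hashlib.md5(canonical.encode("utf-8")).hexdigest()


def _lookup_live(store, token, clock):
    """Return the user recorded for `token` in `store` if it has not expired."""
    entry = store.get(token)
    if entry is None:
        return None
    user, expiry = entry
    if clock() >= expiry:
        del store[token]  # expired entries stop authenticating
        return None
    return user


class ServiceA:
    """Second network service system: owns the accounts, creates tokenA on
    login, and serves as the trust site (its API authentication interface)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {"alice": "constructed-sample-password"}  # constructed account
        self.tokens = {}  # token -> (user, expiry)

    def login(self, user, password):
        stored = self.users.get(user, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, self.clock() + TOKEN_TTL)
        return token

    def authenticate(self, token):
        """Trust-site call (urlA): the user name for a live token, else None."""
        return _lookup_live(self.tokens, token, self.clock)


class ServiceB:
    """First network service system: provides urlB and shares no account with
    A; it checks locally first, then the accessKey, then the trust site."""

    def __init__(self, config, clock=time.time):
        self.trust_site = config["trust_site"]  # registered trust site, from config
        self.clock = clock
        self.local_tokens = {}  # tokens the trust site has already confirmed

    def handle_request(self, request):
        """S101: a service request carrying tokenA (and optionally accessKey)."""
        token = request.get("tokenA")
        if not token:
            return {"status": "rejected", "reason": "missing tokenA"}
        user, via = _lookup_live(self.local_tokens, token, self.clock), "local"
        if user is None:
            if "accessKey" in request:  # fig. 4 embodiment: verify the code first
                if not hmac.compare_digest(access_key(request), request["accessKey"]):
                    return {"status": "rejected", "reason": "accessKey mismatch"}
            user, via = self.trust_site.authenticate(token), "trust_site"  # S102
            if user is None:
                return {"status": "rejected", "reason": "trust site rejected tokenA"}
            self.local_tokens[token] = (user, self.clock() + TOKEN_TTL)
        # S103: authentication succeeded, so execute urlB and return its result
        return {"status": "ok", "user": user, "authenticated_by": via,
                "result": f"urlB executed for {user}"}


def demo(clock=None):
    """Walk the flow once and return each outcome by name."""
    clock = clock or FakeClock()
    a = ServiceA(clock)
    b = ServiceB({"trust_site": a}, clock)  # in deployment: urlA read from a config file
    token = a.login("alice", "constructed-sample-password")
    params = {"tokenA": token, "action": "export", "ts": str(int(clock()))}
    params["accessKey"] = access_key(params)
    out = {}
    out["bad_key"] = b.handle_request(dict(params, action="delete"))  # code no longer matches
    out["first"] = b.handle_request(params)   # answered by the trust site
    out["second"] = b.handle_request(params)  # answered locally
    out["forged"] = b.handle_request({"tokenA": "never-issued-by-A"})
    clock.t += TOKEN_TTL + 1                  # tokenA and B's local copy both expire
    out["expired"] = b.handle_request(params)
    return out
```

Calling demo() exercises every branch: a tampered request is stopped by the accessKey gate, the first genuine request is answered by the trust site, the repeat is answered locally, a token that system A never issued is refused, and after TOKEN_TTL both copies lapse. Two points the patent implies but does not spell out are visible here: the accessKey gate uses no secret, so a caller who knows the rule always passes it and it only filters noise ahead of the token callback; and system B's locally cached verdict must not outlive the token's validity at system A, which is why both stores share TOKEN_TTL.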
As shown in fig. 5, an embodiment of the present invention further discloses a secret-free authentication device 10 between network service systems, including: the first receiving module 101 is configured to receive a service request message sent by a second network service system, where the service request message includes a token identifier, and the token identifier is created after a user successfully logs in the second network service system; a sending module 102, configured to access a trusted site of a second network service system, and send a request authentication message to the second network service system, where the request authentication message carries the token identifier; a second receiving module 103, configured to receive an authentication response message of the second network service system, and if the authentication is successful, execute the requested service, and return a service result to the second network service system.
The request service message also comprises an authentication parameter and a first authentication code obtained according to the authentication parameter and a preset rule; the device further comprises: and the authentication module is used for obtaining a second authentication code according to the preset rule and the obtained authentication parameters, comparing the first authentication code with the second authentication code, and if the first authentication code is the same as the second authentication code, the authentication is successful.
The sending module 102 is further configured to perform local authentication on the first network service system before the first network service system queries the trusted site.
The apparatus 10 further includes a registration module 104 for registering the trust site with the second network service system.
For the specific implementation of the apparatus 10, reference may be made to the method embodiment, which is not described in detail.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described embodiments are merely illustrative, and for example, a division of a unit is merely a division of a logic function, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
While the invention has been described in terms of its preferred embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention.

Claims (10)

1. A secret-free authentication method between network service systems is characterized by comprising the following steps:
the method comprises the steps that a first network service system receives a service request message sent by a second network service system, wherein the service request message comprises a token identifier, and the token identifier is created after a user successfully logs in the second network service system;
the first network service system accesses a trust site of a second network service system and sends a request authentication message to the second network service system, wherein the request authentication message carries the token identifier;
the first network service system receives the authentication response message of the second network service system, executes the requested service if the authentication is successful, and returns a service result to the second network service system.
2. The method of claim 1, wherein the request service message further includes an authentication parameter and a first authentication code obtained according to the authentication parameter and a preset rule; before the first network service system queries the trust site, the method further comprises the following steps: the first network service system obtains a second authentication code according to the preset rule and the obtained authentication parameters; and comparing the first authentication code with the second authentication code, and if the first authentication code and the second authentication code are the same, successfully authenticating.
3. The method of claim 1 or 2, further comprising the first network service system performing local authentication before the first network service system queries the trusted site.
4. The method of claim 1, wherein the first network service system registers the trust site with the second network service system.
5. A secret-free authentication device between network service systems, comprising:
the first receiving module is used for receiving a service request message sent by a second network service system, wherein the service request message comprises a token identifier, and the token identifier is created after a user successfully logs in the second network service system;
the sending module is used for accessing a trust site of a second network service system and sending a request authentication message to the second network service system, wherein the request authentication message carries the token identifier;
and the second receiving module is used for receiving the authentication response message of the second network service system, executing the requested service if the authentication is successful, and returning a service result to the second network service system.
6. The apparatus of claim 5, wherein the request service message further includes an authentication parameter and a first authentication code obtained according to the authentication parameter and a preset rule; the device further comprises: and the authentication module is used for obtaining a second authentication code according to the preset rule and the obtained authentication parameters, comparing the first authentication code with the second authentication code, and if the first authentication code is the same as the second authentication code, the authentication is successful.
7. The apparatus of claim 5 or 6, wherein the sending module is further configured to authenticate locally by the first network service system before the first network service system queries the trusted site.
8. The apparatus of claim 5, further comprising a registration module to register the trust site with the second network service system.
9. A secret-free authentication system between network service systems is characterized by comprising a first network service system and a second network service system, wherein the second network service system generates a token identifier after a user successfully logs in, and sends a service request message carrying the token identifier to the first network service system; the first network service system receives the request service message, accesses a trust site of a second network service system, and sends a request authentication message carrying the token identifier to the second network service system; the second network service system authenticates the request authentication message and returns an authentication response; the first network service system receives the authentication response message, executes the requested service if the authentication is successful, and returns a service result to the second network service system.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the method for processing concurrent requests based on distributed locks according to any one of claims 1 to 4.
CN201911218898.9A 2019-12-03 2019-12-03 Secret-free authentication method, device and system between network service systems Pending CN110958248A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911218898.9A CN110958248A (en) 2019-12-03 2019-12-03 Secret-free authentication method, device and system between network service systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911218898.9A CN110958248A (en) 2019-12-03 2019-12-03 Secret-free authentication method, device and system between network service systems

Publications (1)

Publication Number Publication Date
CN110958248A true CN110958248A (en) 2020-04-03

Family

ID=69979467

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911218898.9A Pending CN110958248A (en) 2019-12-03 2019-12-03 Secret-free authentication method, device and system between network service systems

Country Status (1)

Country Link
CN (1) CN110958248A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1918885A (en) * 2004-02-09 2007-02-21 France Telecom (法国电信公司) System and method for user authorization access management at the local administrative domain during the connection of a user to an IP network
CN106162574A (en) * 2015-04-02 2016-11-23 成都鼎桥通信技术有限公司 Universal retrieval method for applications in a cluster system, server and terminal
CN109063457A (en) * 2018-06-22 2018-12-21 杭州才云科技有限公司 Cross-platform login unified authentication interconnection method, storage medium and electronic device
CN109089264A (en) * 2018-08-02 2018-12-25 江苏满运软件科技有限公司 Method and system for password-free login of a mobile terminal
US20180375863A1 (en) * 2016-03-15 2018-12-27 Alibaba Group Holding Limited Website login method and apparatus

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MUHAMAD HAEKAL et al.: "Token-based authentication using JSON Web Token on SIKASIR RESTful Web Service", 2016 International Conference on Informatics and Computing (ICIC) *
Pei Lichun (裴俐春) et al.: "A dynamic cross-heterogeneous-domain authentication mechanism based on trust degree", Journal of Computer Applications (《计算机应用》) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200403