CN111064708B - Authorization authentication method and device and electronic equipment - Google Patents


Info

Publication number
CN111064708B
Authority
CN
China
Prior art keywords
authorization
client terminal
configuration information
request
server
Prior art date
Legal status
Active
Application number
CN201911177409.XA
Other languages
Chinese (zh)
Other versions
CN111064708A (en)
Inventor
陈健
魏庆颃
Current Assignee
Beijing Second Hand Artificial Intelligence Technology Co ltd
Original Assignee
Beijing Second Hand Artificial Intelligence Technology Co ltd
Priority date

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/14: Session management
    • H04L67/141: Setup of application sessions

Abstract

The application provides an authorization authentication configuration method, an authorization authentication device and electronic equipment, and relates to the technical field of computer authorization authentication. The method comprises the following steps: acquiring a plurality of pieces of configuration information, which comprise first configuration information of an authorization server and second configuration information of a plurality of resource owners; and establishing a first binding relationship between the first configuration information and the identity information of the authorization server, and a second binding relationship between the second configuration information and the identity information of the corresponding resource owner. The first configuration information is used by the client terminal, once it has acquired it, to establish a communication connection with the corresponding authorization server, and the second configuration information is used by the client terminal, once it has acquired it, to establish a communication connection with the resource owner, so that OAuth operation and maintenance work is simplified and its efficiency improved.

Description

Authorization authentication method and device and electronic equipment
Technical Field
The invention relates to the technical field of computer authorization and authentication, in particular to an authorization and authentication method, an authorization and authentication device and electronic equipment.
Background
OAuth (Open Authorization) lets a user agree to (authorize) a third-party application so that the user can access the corresponding network resource of the service currently being used. During this process, the third-party application learns nothing about the user except the authorization information (it does not obtain the account number or password). At present, when many third-party applications are integrated, most of them do not expose fully standard integration interfaces, so customized integration development is required. New code must be written, and new configuration and parameters added, every time a third-party application is added, which makes OAuth operation and maintenance complex and inefficient.
Disclosure of Invention
The application provides an authorization authentication method, an authorization authentication device and electronic equipment, which can solve the problems of complex OAuth operation and maintenance operation and low efficiency.
In order to achieve the above purpose, the technical solutions provided in the embodiments of the present application are as follows:
In a first aspect, an embodiment of the present application provides an authorization authentication configuration method, which is applied to a database server, and the method includes:
acquiring a plurality of configuration information, wherein the plurality of configuration information comprises first configuration information of an authorization server and second configuration information of a plurality of resource owners;
and establishing a first binding relationship between the first configuration information and the identity information of the authorization server and a second binding relationship between the second configuration information and the identity information of the corresponding resource owner, wherein the first configuration information is used for establishing communication connection between the client terminal and the corresponding authorization server when the client terminal acquires the first configuration information, and the second configuration information is used for establishing communication connection between the client terminal and the resource owner when the client terminal acquires the second configuration information.
In the above embodiment, the first binding relationship and the second binding relationship are established, which is beneficial to establishing corresponding communication connection based on the binding relationship for performing corresponding authorization authentication. When a new third-party application needs to be added, the configuration of authorization authentication can be completed by adding a new binding relationship, so that OAuth operation and maintenance operation can be simplified, and operation and maintenance efficiency can be improved.
With reference to the first aspect, in some optional embodiments, the method further comprises:
receiving a first access request of the client terminal, wherein the first access request comprises identification information of configuration information for accessing a target resource owner, and the identification information is associated with identity information of the target resource owner;
determining target configuration information from second configuration information of the plurality of resource owners based on the identification information, wherein the identity information bound by the target configuration information is the same as the identity information of the target resource owner associated with the identification information;
and sending the target configuration information to the client terminal.
In the above embodiment, the configuration information of the target resource owner is sent to the client terminal, which is beneficial for the client terminal to load the corresponding configuration information, so as to facilitate the open authorization of the user of the resource owner.
With reference to the first aspect, in some optional embodiments, the method further comprises:
and sending the first configuration information to the client terminal.
In the above embodiment, by sending the first configuration information of the authorization server to the client terminal, the client terminal is enabled to communicate with the authorization server, so that the client terminal determines the access authority of the user accessing the client terminal based on the authentication result of the authorization server.
In a second aspect, an embodiment of the present application further provides an authorization authentication method, which is applied to a client terminal in communication connection with a database server in the foregoing method, where the method includes:
sending a first authorization request to the target resource owner of the target configuration information based on the obtained second access request and the target configuration information, wherein the second access request is used for accessing the network resource corresponding to the client terminal;
receiving a first authorization credential issued by the target resource owner, wherein the first authorization credential indicates that the resource owner allows authorization of the first authorization request;
sending a second authorization request to an authorization server according to the first configuration information, wherein the second authorization request comprises the first authorization credential and the identity information of the client terminal;
receiving a second authorization credential sent by the authorization server, wherein the second authorization credential indicates that the authorization server has verified the first authorization credential and the identity information of the client terminal;
and responding to the second access request by sending the network resource to the terminal device that sent the second access request.
In the above embodiment, when the client terminal performs open authorization on the access user, the corresponding configuration file may be acquired from the database server, so as to perform authorization authentication on the client terminal and the terminal device through the authorization server, which is helpful to simplify the flow of open authorization authentication and maintenance.
With reference to the second aspect, in some optional embodiments, before responding to the second access request, the method further comprises:
sending a third authorization request to the authorization server, wherein the third authorization request comprises the second authorization credential and the request parameters of the second access request;
and receiving a third authorization credential sent by the authorization server, wherein the third authorization credential indicates that the authorization server has verified the second authorization credential and the request parameters.
In the above embodiment, the request parameter is authenticated, so that the request of the terminal device is prevented from exceeding the authority range, and the information security of the network resource in the process of opening the authorization is improved.
With reference to the second aspect, in some optional embodiments, before sending the first authorization request to the target resource owner of the target configuration information, the method further includes:
converting the first configuration information into a first parameter format corresponding to an OAuth interface of the authorization server, and converting the second configuration information into a second parameter format corresponding to the OAuth interface of the resource owner;
and establishing communication connection between the client terminal and the authorization server through the OAuth interface of the authorization server, and establishing communication connection between the client terminal and the resource owner through the OAuth interface of the resource owner.
In the above embodiment, the configuration information is converted into the parameter format corresponding to the corresponding OAuth interface without manually modifying the configuration, which is helpful to simplify the operation flow of establishing the corresponding communication connection by using the OAuth interface and improve the efficiency of the open authorization.
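The three-stage exchange described in the second aspect (first authorization request to the resource owner, second authorization request to the authorization server with the first credential plus client identity, third authorization request carrying the second credential and the request parameters) is easiest to follow as a runnable simulation. The following Python is an added example written for this page, not code from the patent or its assignee. All names (ResourceOwner, AuthorizationServer, ClientTerminal, build_system), the access-level table, the HMAC-signed token format and the sample users are constructed assumptions; the resource owner and authorization server are in-process objects standing in for the remote servers the first and second configuration information would point to.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed access policy for the page's "first/second/third level":
# level 1 is the widest right, level 3 the narrowest.
RESOURCES_BY_LEVEL = {
    1: {"video", "audio", "picture", "text"},
    2: {"audio", "picture", "text"},
    3: {"text"},
}


@dataclass
class ResourceOwner:
    """Third-party server holding user accounts (resource owner 50). Hypothetical."""
    name: str
    users: dict            # user -> access level held at this owner (constructed)
    trusted_clients: set   # client terminals in the first cooperation relationship
    grants: dict = field(default_factory=dict)  # first credential -> (client_id, user)

    def first_authorization(self, client_id, user, consents):
        """Handle the first authorization request; issue the first authorization credential."""
        if client_id not in self.trusted_clients or user not in self.users or not consents:
            return None
        grant = secrets.token_urlsafe(16)
        self.grants[grant] = (client_id, user)
        return grant


@dataclass
class AuthorizationServer:
    """Authorization server 60; reads the owners' issued grants as reference information."""
    key: bytes
    registered_clients: set   # pre-entered identity information of client terminals
    owners: dict              # owner name -> ResourceOwner (second cooperation relationship)
    tokens: dict = field(default_factory=dict)  # second credential -> (client_id, user, level)

    def _sign(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def second_authorization(self, owner_name, grant, client_id):
        """Verify first credential and client identity; issue the second credential."""
        owner = self.owners.get(owner_name)
        record = owner.grants.pop(grant, None) if owner else None   # grant is single-use
        if record is None or record[0] != client_id or client_id not in self.registered_clients:
            return None
        user = record[1]
        level = owner.users[user]
        payload = f"{client_id}:{user}:{level}:{secrets.token_hex(8)}"
        token = payload + "." + self._sign(payload)
        self.tokens[token] = (client_id, user, level)
        return token

    def third_authorization(self, token, params):
        """Verify the second credential and keep the request inside the user's authority range."""
        payload, _, sig = token.rpartition(".")
        if token not in self.tokens or not hmac.compare_digest(sig, self._sign(payload)):
            return None
        _, user, level = self.tokens[token]
        if params.get("resource_type") not in RESOURCES_BY_LEVEL[level]:
            return None   # request parameters exceed the authority range
        return {"user": user, "level": level, "resource_type": params["resource_type"]}


@dataclass
class ClientTerminal:
    """Client terminal 30: completes all three stages before releasing a resource."""
    client_id: str
    second_config: dict               # owner name -> ResourceOwner (stands in for second config)
    auth_server: AuthorizationServer  # stands in for the first configuration information
    resources: dict                   # (resource_type, name) -> bytes (constructed)

    def serve(self, second_access_request, consents=True):
        owner_name = second_access_request["owner"]
        owner = self.second_config.get(owner_name)
        if owner is None:
            return {"status": "denied", "stage": "config"}
        grant = owner.first_authorization(self.client_id, second_access_request["user"], consents)
        if grant is None:
            return {"status": "denied", "stage": "first"}
        token = self.auth_server.second_authorization(owner_name, grant, self.client_id)
        if token is None:
            return {"status": "denied", "stage": "second"}
        params = second_access_request["params"]
        permit = self.auth_server.third_authorization(token, params)
        if permit is None:
            return {"status": "denied", "stage": "third"}
        return {"status": "ok", "resource": self.resources.get((permit["resource_type"], params["name"]))}


def build_system(client_id="client-30"):
    """Constructed sample deployment: one owner, one authorization server, one client terminal."""
    owner = ResourceOwner("owner-a", users={"alice": 1, "bob": 3}, trusted_clients={"client-30"})
    auth = AuthorizationServer(key=b"constructed-demo-key", registered_clients={"client-30"},
                               owners={"owner-a": owner})
    resources = {("video", "intro"): b"<video bytes>", ("text", "readme"): b"hello"}
    return ClientTerminal(client_id, {"owner-a": owner}, auth, resources)


if __name__ == "__main__":
    client = build_system()
    print(client.serve({"owner": "owner-a", "user": "alice",
                        "params": {"resource_type": "video", "name": "intro"}}))
    print(client.serve({"owner": "owner-a", "user": "bob",
                        "params": {"resource_type": "video", "name": "intro"}}))
```

The point of the third stage is visible in the second call: user bob holds the third (lowest) level, so a video request is refused at stage "third" even though both earlier credentials were valid, which is the "request exceeding the authority range" case the text mentions. A client terminal whose identity is not registered at either server is stopped at the first stage.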
In a third aspect, an embodiment of the present application further provides an authorization authentication configuration apparatus, which is applied to a database server, and the apparatus includes:
the information acquisition unit is used for acquiring a plurality of configuration information, wherein the plurality of configuration information comprises first configuration information of an authorization server and second configuration information of a plurality of resource owners;
and the relationship establishing unit is used for establishing a first binding relationship between the first configuration information and the identity information of the authorization server and a second binding relationship between the second configuration information and the identity information of the corresponding resource owner, wherein the first configuration information is used for establishing communication connection between the client terminal and the corresponding authorization server when the client terminal acquires the first configuration information, and the second configuration information is used for establishing communication connection between the client terminal and the resource owner when the client terminal acquires the second configuration information.
In a fourth aspect, an embodiment of the present application further provides an authorization authentication apparatus, which is applied to a client terminal in communication connection with a database server in the above authorization authentication configuration method, where the apparatus includes:
a sending unit, configured to send a first authorization request to a target resource owner of target configuration information based on an acquired second access request and the target configuration information, where the second access request is used to access a network resource corresponding to the client terminal;
a receiving unit, configured to receive a first authorization credential sent by the target resource owner, where the first authorization credential represents that the resource owner allows authorization for the first authorization request;
the sending unit is further configured to send a second authorization request to an authorization server according to the first configuration information, where the second authorization request includes the first authorization credential and the identity information of the client terminal;
the receiving unit is further configured to receive a second authorization credential sent by the authorization server, where the second authorization credential represents that the authorization server passes verification of both the first authorization credential and the identity information of the client terminal;
and the response unit is used for responding to the second access request so as to send the network resource to the terminal equipment sending the second access request.
In a fifth aspect, an embodiment of the present application further provides an electronic device, where the electronic device includes a memory and a processor coupled to each other, and the memory stores a computer program, and when the computer program is executed by the processor, the electronic device executes the above authorization authentication configuration method or executes the above authorization authentication method.
In a sixth aspect, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored, and when the computer program runs on a computer, the computer is caused to execute the above authorization authentication configuration method or execute the above authorization authentication method.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments will be briefly described below. It is appreciated that the following drawings depict only certain embodiments of the application and are therefore not to be considered limiting of its scope, for those skilled in the art will be able to derive additional related drawings therefrom without the benefit of the inventive faculty.
Fig. 1 is a schematic network topology diagram of an authorization and authentication system according to an embodiment of the present application.
Fig. 2 is a flowchart illustrating an authorization authentication configuration method according to an embodiment of the present application.
Fig. 3 is an interaction diagram of an authorization authentication method according to an embodiment of the present application.
Fig. 4 is a functional block diagram of an authorization authentication configuration apparatus according to an embodiment of the present application.
Fig. 5 is a functional block diagram of an authorization and authentication apparatus according to an embodiment of the present application.
Icons: 10, authorization authentication system; 20, terminal device; 30, client terminal; 40, database server; 50, resource owner; 60, authorization server; 100, authorization authentication configuration apparatus; 110, information acquisition unit; 120, relationship establishing unit; 200, authorization authentication apparatus; 210, sending unit; 220, receiving unit; 230, response unit.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It should be noted that the terms "first," "second," and the like are used merely to distinguish one description from another, and are not intended to indicate or imply relative importance.
Referring to fig. 1, an authorization authentication system 10 in the present application may include a terminal device 20, a client terminal 30, a database server 40, a resource owner 50 and an authorization server 60, and may be configured to implement authentication of Open Authorization (OAuth). The terminal device 20, the client terminal 30, the database server 40, the resource owner 50 and the authorization server 60 can establish communication connections through a network to perform data interaction. The network may be, but is not limited to, a wired network or a wireless network.
The terminal Device 20 may be, but is not limited to, a smart phone, a Personal Computer (PC), a tablet PC, a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), and the like. When a user needs to obtain the network resources stored in the client terminal 30 from the client terminal 30, the user may send a request for obtaining the network resources to the client terminal 30 by using the terminal device 20, and after the client terminal 30 completes authentication of the open authorization for the request and passes the authentication, the client terminal may issue corresponding network resources to the terminal device 20.
The client terminal 30 may be a server or other electronic device that stores network resources. The stored network resources are typically protected by corresponding access rights: a network resource can be accessed from the client terminal 30 only when the accessing user holds the corresponding access right. The access policy corresponding to the access right can be set according to actual conditions. For example, the access right may include multiple levels, such as a first level, a second level and a third level, where the first level carries the highest access right and the third level the lowest. Understandably, the higher the access right, the wider the variety of network resources that can be accessed.
It should be noted that both the access policy and the number of levels of access rights can be set according to actual situations. The type or range of the accessible network resource corresponding to each access permission level can be set according to actual conditions.
The database server 40 is a server for storing configuration information, which may be, but is not limited to, a cloud server, a distributed server, and the like. Understandably, the database server 40 may be a server independent of the resource owner 50, the authorization server 60, or may also be the resource owner 50 or the authorization server 60. The number of stored configuration information may include a plurality. For example, the stored configuration information may include first configuration information of the authorization server 60 and second configuration information of the plurality of resource owners 50. The first configuration information is used for establishing a communication connection between the client terminal 30 and the corresponding authorization server 60 when the client terminal 30 acquires the first configuration information. The second configuration information is used to establish a communication connection between the client terminal 30 and the resource owner 50 when the client terminal 30 acquires the second configuration information.
The resource owner 50 may be a server that stores information related to the account of the accessing user. The account-related information includes, but is not limited to, the user's account number, username, login password and other information. Understandably, the resource owner 50 is the server of a third-party application. Third-party applications include, but are not limited to, WeChat, QQ, Facebook and similar applications.
The authorization server 60 is a server for performing authorization authentication on the terminal device 20 and the client terminal 30, and may store reference information for performing authorization authentication on the terminal device 20 and the client terminal 30 in advance. The reference information includes, but is not limited to, the corresponding credential information, the pre-entered identity information of the terminal device 20 and the client terminal 30. The corresponding credential information may be used to perform authentication comparison on the first authorization credential and the second authorization credential acquired by the client terminal 30.
Referring to fig. 2, an authorization authentication configuration method is further provided in the embodiment of the present application, which can be applied to the database server 40, and the database server 40 executes or implements each step in the authorization authentication configuration method. The authorization authentication configuration method may include step S310 and step S320.
Understandably, the client terminal 30 has a first cooperation relationship with the plurality of resource owners 50, and the authorization server 60 has a second cooperation relationship with the resource owners 50. That is, the first cooperation relationship indicates that the client terminal 30 may grant a user of the resource owner 50 who holds the corresponding access right access to the network resources of the client terminal 30, and the resource owner 50 may store the identity information of the specified client terminal 30 for authenticating the identity information of the current terminal device during the authentication process of the open authorization. The second cooperation relationship indicates that the authorization server 60 establishes a communication connection with the resource owner 50, and the authorization server 60 may store the authorization credential issued by the resource owner 50 to the client terminal 30 as reference information, where the reference information is used to authenticate the authorization credential that the client terminal 30 acquired from the resource owner 50 and uploads.
The following describes the steps of the authorization authentication configuration method shown in fig. 2 in detail:
step S310, a plurality of configuration information is obtained, where the plurality of configuration information includes first configuration information of the authorization server 60 and second configuration information of the plurality of resource owners 50.
In this embodiment, the administrator may obtain corresponding configuration information from the authorization server 60 and the plurality of resource owners 50 that have a cooperative relationship, and then maintain (or upload) the configuration information to the database server 40 for storage, so that the database server 40 can obtain the corresponding configuration information and the identity information of the corresponding devices (including the identity information of the authorization server 60 and the identity information of the devices of the resource owners 50). The first configuration information includes, but is not limited to, a Uniform Resource Locator (URL), a communication interface (or an interface address), and the like for establishing communication with the authorization server 60, and the second configuration information includes, but is not limited to, a Uniform Resource Locator (URL), a communication interface (or an interface address), and the like for establishing communication with the Resource owner 50.
Step S320, establishing a first binding relationship between the first configuration information and the identity information of the authorization server 60, and a second binding relationship between the second configuration information and the identity information of the corresponding resource owner 50, where the first configuration information is used to establish a communication connection between the client terminal 30 and the corresponding authorization server 60 when the client terminal 30 acquires the first configuration information, and the second configuration information is used to establish a communication connection between the client terminal 30 and the resource owner 50 when the client terminal 30 acquires the second configuration information.
In the present embodiment, the identity information of the authorization server 60 includes, but is not limited to, an IP address (or OAuth interface address) of the authorization server 60, a server name, and the like. The identity information of the resource owner 50 includes, but is not limited to, an IP address (or OAuth interface address) of the resource owner 50, a device name, and the like. After obtaining the configuration information, the database server 40 may establish a binding relationship (or mapping relationship) based on a relationship between the configuration information and the corresponding device. For example, database server 40 may bind the IP address of authorization server 60 with the URL that authorization server 60 uses for authorization authentication. During the open authorization, when the client terminal 30 receives an access request (i.e., a second access request described below) sent by the terminal device 20 to access the network resource in the client terminal 30, the client terminal 30 may generate a first access request based on the access request, the first access request is used to obtain the corresponding first configuration information and second configuration information from the database server 40, and then establish a communication connection between the client terminal 30 and the resource owner 50 and the authorization server 60 by using the obtained configuration information to perform open authorization.
The URLs for performing different types of authorization authentication may be different, for example, the URLs for authenticating the first authorization request and the second authorization request by the authorization server 60, which will be described below, may be different. The specific parameters of the URL may be set according to actual conditions, and are not described herein again. Network resources including but not limited to video, audio, pictures, text, applications, web pages, etc. may be determined based on the actual situation.
In this embodiment, the method may further include: receiving a first access request from the client terminal 30, the first access request including identification information of the configuration information for accessing a target resource owner, the identification information being associated with the identity information of the target resource owner; determining target configuration information from the second configuration information of the plurality of resource owners 50 based on the identification information, the identity information bound to the target configuration information being the same as the identity information of the target resource owner associated with the identification information; and sending the target configuration information to the client terminal 30.
In this embodiment, the identification information of the configuration information may be set according to an actual situation, may be a number or a character, and may be used to play an index role, so that the database server 40 searches the first configuration information and the second configuration information corresponding to the current first access request from the stored multiple pieces of configuration information according to the identification information in the first access request.
Understandably, different configuration information can be distinguished by the identification information. That is, the database server 40 may store the configuration information of a plurality of resource owners 50 and of the authorization server 60, so that the corresponding configuration information is used to implement authentication of the open authorization when the corresponding users are subsequently subjected to open authorization. Based on this, when a new client terminal 30 is introduced into the authorization authentication system 10, the new client terminal 30 can directly obtain the corresponding configuration information from the database server 40, and it is not necessary for an administrator to load the configuration onto the new client terminal 30 (or the administrator's configuration work on the new client terminal 30 is simplified), thereby simplifying the maintenance process of the open authorization authentication and helping to improve the efficiency of configuring the open authorization.
In addition, when a new resource owner 50 joins the authorization authentication system 10, it is not necessary to change the configuration information on each client terminal 30; the configuration information of the new resource owner 50 may be uploaded directly to the database server 40, so that the process of configuring the open authorization authentication is simplified and the configuration efficiency is improved.
In this embodiment, the method may further include: the first configuration information is sent to the client terminal 30.
Understandably, the database server 40 may issue the first configuration information according to a preset sending policy, which can be set according to the actual situation. For example, the first configuration information may be sent to the client terminal 30 together with the second configuration information, or a preset time length after the second configuration information is issued. The preset time length may be set according to actual conditions and may be short, for example 1 second or 2 seconds. After receiving the first configuration information, the client terminal 30 may use it to establish a communication connection between the client terminal 30 and the authorization server 60, so as to perform the subsequent authentication operation of the open authorization.
The embodiment of the present application further provides an authorization authentication method, which is applied to the client terminal 30 in communication connection with the database server in the above method, and each step in the authorization authentication method is executed or implemented by the client terminal 30. The authorization authentication method may include:
based on the obtained second access request and the target configuration information, sending a first authorization request to a target resource owner of the target configuration information, where the second access request is used to access a network resource corresponding to the client terminal 30;
receiving a first authorization credential issued by the target resource owner, the first authorization credential characterizing that the target resource owner allows authorization of the first authorization request;
sending a second authorization request to the authorization server 60 according to the first configuration information, where the second authorization request includes the first authorization credential and the identity information of the client terminal 30;
receiving a second authorization credential sent by the authorization server 60, wherein the second authorization credential represents that the authorization server 60 verifies the first authorization credential and the identity information of the client terminal 30;
responding to the second access request to send the network resource to the terminal device 20 that issued the second access request.
In the above embodiment, when the client terminal 30 performs open authorization for the access user, the corresponding configuration file may be obtained from the database server 40, so as to perform authorization authentication on the client terminal 30 and the terminal device 20 through the authorization server 60, which helps to simplify the flow of open authorization authentication and maintenance.
The following describes in detail an implementation flow in the authorization authentication method in an interactive manner with reference to fig. 3, where the implementation flow may include the following steps:
step S01, the terminal device 20 sends a second access request to the client terminal 30, where the second access request includes a request parameter for obtaining a corresponding network resource from the client terminal 30;
step S02, the client terminal 30 sends a first access request to the database server 40 based on the second access request, the first access request including identification information of the configuration information for accessing the target resource owner, the identification information being associated with the identity information of the target resource owner;
step S03, the database server 40 sends first configuration information and second configuration information to the client terminal 30 based on the first access request, where the first configuration information is used by the client terminal 30 to establish the communication connection between the client terminal 30 and the authorization server 60, and the second configuration information is used by the client terminal 30 to establish the communication connection between the client terminal 30 and the target resource owner;
step S04, after the client terminal 30 loads or installs the first configuration information and the second configuration information, the client terminal 30 sends a first authorization request to the target resource owner. The first authorization request carries the identity information of the client terminal 30, which the target resource owner uses to determine whether a cooperation relationship has been established between the client terminal 30 and itself: if the target resource owner finds that it stores identity information identical to the identity information presented by the client terminal 30, a cooperation relationship has been established; if it stores no such identity information, no cooperation relationship has been established. The cooperation relationship may be used to indicate that the client terminal 30 is qualified to have the second access request (or the terminal device 20) authenticated through the authorization server 60;
step S05, when the target resource owner determines that it has established a cooperation relationship with the client terminal 30, the target resource owner sends a first authorization credential to the client terminal 30, and the authorization server 60 also obtains the first authorization credential; the first authorization credential represents that the resource owner 50 allows authorization for the first authorization request;
step S06, after the client terminal 30 receives the first authorization credential, the client terminal 30 may send a second authorization request to the authorization server 60, where the second authorization request includes the first authorization credential and the identity information of the client terminal 30, and the authorization server 60 may authenticate the first authorization credential and the identity information of the client terminal 30;
step S07, after the authorization server 60 authenticates the first authorization credential and the identity information of the client terminal 30, the authorization server 60 sends a second authorization credential to the client terminal 30, where the second authorization credential represents that both the first authorization credential and the identity information of the client terminal 30 have passed verification by the authorization server 60;
step S08, after the client terminal 30 receives the second authorization credential, the client terminal 30 may send a third authorization request to the authorization server 60, where the third authorization request includes the second authorization credential and the request parameter of the second access request, so that the authorization server 60 can determine the access right to the resource corresponding to the second authorization credential and the request parameter;
step S09, when the authorization server 60 verifies that both the second authorization credential and the request parameter pass, the authorization server 60 sends a third authorization credential to the client terminal 30; that is, the third authorization credential represents that the access right required by the network resource corresponding to the request parameter does not exceed the access right range of the current user;
step S10, after the client terminal 30 receives the third authorization credential, the client terminal 30 grants the terminal device 20 access to the network resource corresponding to the request parameter; that is, the client terminal 30 may return the network resource corresponding to the request parameter to the terminal device 20, so that the user can view the requested network resource through the terminal device 20.
As an optional implementation, the second authorization request in step S06 may also include the request parameter; in step S07, the authorization server 60 then additionally authenticates the request parameter and sends the second authorization credential to the client terminal 30 only after the first authorization credential, the identity information of the client terminal 30, and the request parameter have all been authenticated. Upon receiving the second authorization credential, the client terminal 30 may grant the terminal device 20 access to the network resource corresponding to the request parameter. In this case, steps S08 and S09 need not be performed in the authorization authentication process.
As another alternative, after step S07, once the client terminal 30 receives the second authorization credential, it may grant the terminal device 20 access to the network resource corresponding to the request parameter. In this case too, steps S08 and S09 need not be performed in the authorization authentication process.
In this embodiment, the authorization server 60 authenticates the first authorization credential, the identity information of the client terminal 30, and the second authorization credential in a similar manner. For example, after the resource owner 50 sends the first authorization credential to the client terminal 30, the authorization server 60 may obtain the same first authorization credential from the resource owner 50 as reference information; in the later verification step, the first authorization credential received from the client terminal 30 is compared with this reference information. If the two are the same, the first authorization credential passes authentication; if they differ, it fails.
When authenticating the request parameter, the authorization server 60 may determine from the request parameter the access-right level corresponding to the requested network resource, and then decide, based on the current access-right level of the accessing user, whether that user is entitled to access the requested network resource. For example, if the current access-right level of the user (or the user account) is greater than or equal to the access-right level of the network resource, the accessing user has permission to access the requested network resource, and the client terminal 30 may grant the terminal device 20 access to the corresponding network resource. If the current access-right level of the user is less than the access-right level of the network resource, the accessing user does not have permission, and the terminal device 20 is prohibited from accessing the requested network resource.
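The following is an added example, not code from the patent, that models the four roles of steps S01 to S10 as in-process objects: the database server's lookup of configuration bound to identity information, the resource owner's cooperation-relationship check, and the authorization server's comparison of the first credential with its reference information and of the user's access-right level with the resource's level. All class names, sample users, resources, levels and identifiers are assumptions; credentials are random strings standing in for an OAuth code and access tokens, and a first credential is accepted once only.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:  # second access request from terminal device 20 (step S01)
    user: str         # account the user logged in with at the resource owner
    resource: str     # request parameter naming the network resource


class DatabaseServer:
    """Database server 40: configuration information bound to identity information."""
    def __init__(self, first_config: dict, second_configs: Dict[str, dict]):
        self.first_config = first_config      # bound to the authorization server's identity
        self.second_configs = second_configs  # identifier -> config bound to one resource owner

    def first_access(self, config_id: str) -> Tuple[dict, dict]:
        """Steps S02/S03: resolve the identification information to the target configuration."""
        target = self.second_configs.get(config_id)
        if target is None:
            raise KeyError(f"no configuration bound to identifier {config_id!r}")
        return self.first_config, target


class AuthorizationServer:
    """Authorization server 60: checks each credential against stored reference information."""
    def __init__(self, user_levels: Dict[str, int], resource_levels: Dict[str, int]):
        self.reference: Dict[str, Tuple[str, str]] = {}  # first credential -> (client identity, user)
        self.tokens: Dict[str, str] = {}                 # second credential -> user
        self.user_levels = user_levels                   # current access-right level per account
        self.resource_levels = resource_levels           # level each network resource requires

    def record_reference(self, code: str, client_identity: str, user: str) -> None:
        self.reference[code] = (client_identity, user)

    def second_authorization(self, code: str, client_identity: str) -> Optional[str]:
        """Steps S06/S07: first credential and client identity must both match the reference."""
        ref = self.reference.pop(code, None)   # pop: a first credential is redeemable once only
        if ref is None or not secrets.compare_digest(ref[0], client_identity):
            return None
        token = secrets.token_urlsafe(16)      # second credential (an access token in OAuth terms)
        self.tokens[token] = ref[1]
        return token

    def third_authorization(self, token: str, resource: str) -> Optional[str]:
        """Steps S08/S09: the user's level must reach the level the requested resource needs."""
        user = self.tokens.get(token)
        needed = self.resource_levels.get(resource)
        if user is None or needed is None or self.user_levels.get(user, 0) < needed:
            return None
        return secrets.token_urlsafe(16)       # third credential


class ResourceOwner:
    """Resource owner 50: issues the first credential only to clients it cooperates with."""
    def __init__(self, partner_clients: set, auth_server: AuthorizationServer):
        self.partner_clients = partner_clients  # identities with an established cooperation relationship
        self.auth_server = auth_server

    def first_authorization(self, client_identity: str, user: str) -> Optional[str]:
        """Steps S04/S05: check the cooperation relationship, then issue the first credential."""
        if client_identity not in self.partner_clients:
            return None
        code = secrets.token_urlsafe(16)
        self.auth_server.record_reference(code, client_identity, user)  # reference info for S07
        return code


class ClientTerminal:
    """Client terminal 30: runs steps S02 to S10 for one access request."""
    def __init__(self, identity: str, db: DatabaseServer, peers: dict, resources: Dict[str, str]):
        self.identity, self.db, self.peers = identity, db, peers  # peers: identity -> server object
        self.resources = resources                                 # request parameter -> resource

    def serve(self, request: AccessRequest, config_id: str) -> Optional[str]:
        first_cfg, target_cfg = self.db.first_access(config_id)               # S02/S03
        auth_server = self.peers[first_cfg["identity"]]                       # via first config
        owner = self.peers[target_cfg["identity"]]                            # via target config
        code = owner.first_authorization(self.identity, request.user)         # S04/S05
        if code is None:
            return None
        token = auth_server.second_authorization(code, self.identity)         # S06/S07
        if token is None:
            return None
        if auth_server.third_authorization(token, request.resource) is None:  # S08/S09
            return None
        return self.resources.get(request.resource)                           # S10


def build_demo() -> Tuple[ClientTerminal, AuthorizationServer]:
    """Constructed sample deployment: one client, one resource owner, two users, two resources."""
    auth = AuthorizationServer(user_levels={"alice": 2, "bob": 1},
                               resource_levels={"/reports": 2, "/home": 1})
    db = DatabaseServer(first_config={"identity": "auth-60"},
                        second_configs={"cfg-1": {"identity": "owner-A"}})
    peers = {"auth-60": auth, "owner-A": ResourceOwner({"client-30"}, auth)}
    client = ClientTerminal("client-30", db, peers, {"/reports": "Q3 report", "/home": "welcome"})
    return client, auth
```

With `build_demo()`, `serve(AccessRequest("alice", "/reports"), "cfg-1")` returns the resource, while the same request for "bob" (level 1 against a level-2 resource) returns None at step S09.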
The types and contents of the first authorization credential, the second authorization credential, the third authorization credential and so on can be set according to actual conditions. For example, the first authorization credential may be the authorization code in OAuth, and the second and third authorization credentials may be OAuth access tokens.
It should be noted that the user can log in to his account on the resource owner 50 through the terminal device 20. For example, when the user needs to access a network resource on the client terminal 30 through the terminal device 20 and the network resource is a web page link, clicking the link to access the web page of the client terminal 30 without being logged in to a user account redirects to the resource owner 50, which pops up a login window for the account of the resource owner 50. The user then logs in through the terminal device 20, the account and password of the login operation are authenticated by the resource owner 50, and the login succeeds if the authentication succeeds. After a successful login, the user may click the previous web page link again, thereby generating the second access request; alternatively, the second access request may be generated from the previous click operation together with the login operation. The second access request includes the user account (or user name) and the request parameter. The authorization operation is then performed as shown in fig. 3. During open authorization, the client terminal 30 can authorize access for the user's account without obtaining the user's account password or other private information of the accessing user.
As an optional implementation, before the client terminal 30 sends the first authorization request to the target resource owner of the target configuration information, the authorization authentication method further includes: converting the first configuration information into a first parameter format corresponding to the OAuth interface of the authorization server 60, and converting the second configuration information into a second parameter format corresponding to the OAuth interface of the resource owner 50; and establishing the communication connection between the client terminal 30 and the authorization server 60 through the OAuth interface of the authorization server 60, and the communication connection between the client terminal 30 and the resource owner 50 through the OAuth interface of the resource owner 50. The first parameter format and the second parameter format may be set according to the actual content of the URLs and are not described again here.
For example, the client terminal 30 may use a software tool (e.g., a script engine manager) to convert the configuration information into the parameter format required by the OAuth interface, and then call the OAuth interface of the third-party application so that communication connections between the client terminal 30 and the authorization server 60 and the resource owner 50 can be established. When the configuration information converted by the script engine manager is used, then as long as the OAuth interface flow of the third-party application is standard, changes to the specific form of the called parameters, the URL and the like can be accommodated through the database configuration in the client terminal 30, and no code needs to be written by hand. The function of the script engine manager is well known to those skilled in the art and is not described here.
Understandably, the administrator may upload parameters such as the access address and URL of the OAuth interface of the third-party application to the database server 40. During open authorization integration, the client terminal 30 fetches the corresponding configuration information from the database server 40 and assembles it automatically, so that integration and joint debugging can proceed directly without a programmer developing the integration. In addition, because the parameters fetched from the database are assembled automatically by the Java script engine manager, the OAuth interface of each third-party application does not have to be developed anew for its different parameters, which simplifies the process of configuring open authorization and improves configuration efficiency.
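As an added example (not the patent's own code, and not the Java script engine manager it mentions), the conversion of stored configuration into the parameter format of an OAuth interface can be driven entirely by the configuration record: the record names the interface URL and the parameter names that interface expects, so a provider with a non-standard parameter name needs a new record, not new code. The record layout, the provider URLs and the parameter values are constructed assumptions; the state check on the callback is standard OAuth practice added here for the client's benefit.

```python
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed configuration records in an assumed layout, as the database server 40 might store
# them. Each record carries the interface URL, the parameter names that interface expects for the
# client's canonical parameters, and fixed parameters, so a provider that calls client_id "appid"
# needs only a new record, not new code.
SECOND_CONFIGS = {
    "owner-A": {
        "authorize_url": "https://owner-a.example/oauth/authorize",
        "param_names": {"client_id": "client_id", "redirect_uri": "redirect_uri",
                        "scope": "scope", "state": "state", "response_type": "response_type"},
        "fixed": {"response_type": "code"},
    },
    "owner-B": {
        "authorize_url": "https://owner-b.example/connect/authorize",
        "param_names": {"client_id": "appid", "redirect_uri": "redirect_uri",
                        "scope": "scope", "state": "state", "response_type": "response_type"},
        "fixed": {"response_type": "code"},
    },
}
FIRST_CONFIG = {
    "token_url": "https://auth-60.example/oauth/token",
    "param_names": {"client_id": "client_id", "client_secret": "client_secret", "code": "code",
                    "redirect_uri": "redirect_uri", "grant_type": "grant_type"},
    "fixed": {"grant_type": "authorization_code"},
}


def assemble(cfg: dict, values: dict) -> dict:
    """Rename canonical parameters to the names the configured interface expects, adding fixed ones."""
    names = cfg["param_names"]
    merged = {**cfg["fixed"], **values}
    missing = set(merged) - set(names)
    if missing:  # an unmapped parameter is a configuration error, not something to drop silently
        raise ValueError(f"no parameter mapping for {sorted(missing)}")
    return {names[k]: v for k, v in merged.items()}


def new_state() -> str:
    """Unguessable state value binding the callback to this browser session (standard OAuth usage)."""
    return secrets.token_urlsafe(24)


def first_authorization_url(cfg: dict, client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """First authorization request: the URL the user is redirected to at the resource owner."""
    params = assemble(cfg, {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "state": state})
    return f"{cfg['authorize_url']}?{urlencode(params)}"


def code_from_callback(callback_url: str, expected_state: str) -> Optional[str]:
    """Take the first credential (OAuth code) from the callback URL only if its state matches."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        return None
    return query.get("code", [None])[0]


def second_authorization_request(cfg: dict, client_id: str, client_secret: str, code: str,
                                 redirect_uri: str) -> Tuple[str, dict]:
    """Second authorization request: endpoint and body for the authorization server's OAuth interface."""
    body = assemble(cfg, {"client_id": client_id, "client_secret": client_secret,
                          "code": code, "redirect_uri": redirect_uri})
    return cfg["token_url"], body
```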
The embodiment of the present application further provides an electronic device, which may be the database server 40 or the client terminal 30. Understandably, an electronic device comprises a memory and a processor coupled to each other, the memory storing a computer program. When the electronic device is the database server 40 and the computer program is executed by the processor, it causes the electronic device to perform the authorization authentication configuration method in the above-described embodiments. When the electronic device is a client terminal 30, and when the computer program is executed by the processor, it causes the electronic device to perform the authorization authentication method in the above-described embodiments.
In this embodiment, the electronic device may include a processing module, a communication module, and a storage module, and the processing module, the communication module, and the storage module are electrically connected directly or indirectly to implement data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
The processing module may be an integrated circuit chip having signal processing capabilities. The processing module may be a general-purpose processor. For example, the processor may be a central processing unit (CPU), a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application.
The storage module may be, but is not limited to, a random access memory, a read-only memory, a programmable read-only memory, an erasable programmable read-only memory, an electrically erasable programmable read-only memory, and the like. In this embodiment, the storage module may be configured to store the first configuration information, the second configuration information, and the like. Of course, the storage module may also be used to store a program, and the processing module executes the program after receiving the execution instruction.
When the electronic device is the database server 40, the communication module may be configured to establish a communication connection between the database server 40 and the client terminal 30 through a network, and to transmit and receive data through the network. When the electronic device is a client terminal 30, the communication module may establish a communication connection between the client terminal 30 and the database server 40, the authorization server 60, and the like through a network.
Referring to fig. 4, an authorization authentication configuration apparatus 100 is further provided in the embodiment of the present application, which can be applied to the database server 40. The authorization authentication configuration apparatus 100 includes at least one software function module, which may be stored in the storage module of the database server 40 in the form of software or firmware or solidified in the operating system (OS) of the database server 40. The processing module of the database server 40 is used to execute the executable modules stored in the storage module, such as the software function modules and computer programs included in the authorization authentication configuration apparatus 100. The authorization authentication configuration apparatus 100 may include an information obtaining unit 110 and a relationship establishing unit 120.
The information obtaining unit 110 is configured to obtain a plurality of configuration information, where the configuration information includes first configuration information of the authorization server 60 and second configuration information of the resource owners 50.
A relationship establishing unit 120, configured to establish a first binding relationship between the first configuration information and the identity information of the authorization server 60, and a second binding relationship between the second configuration information and the identity information of the corresponding resource owner 50, where the first configuration information is used to establish a communication connection between the client terminal 30 and the corresponding authorization server 60 when the client terminal 30 acquires the first configuration information, and the second configuration information is used to establish a communication connection between the client terminal 30 and the resource owner 50 when the client terminal 30 acquires the second configuration information.
Optionally, the authorization authentication configuration apparatus 100 may further include a request obtaining unit, an information determining unit, and an issuing unit.
The request obtaining unit is configured to receive a first access request from the client terminal 30, where the first access request includes identification information of the configuration information for accessing a target resource owner, and the identification information is associated with the identity information of the target resource owner. The information determining unit is configured to determine target configuration information from the second configuration information of the plurality of resource owners 50 based on the identification information, where the identity information bound to the target configuration information is the same as the identity information of the target resource owner associated with the identification information. The issuing unit is configured to send the target configuration information to the client terminal 30.
Optionally, the issuing unit may be further configured to send the first configuration information to the client terminal 30.
Referring to fig. 5, an authorization authentication apparatus 200 is further provided in the present embodiment, which can be applied to the client terminal 30. The authorization authentication apparatus 200 includes at least one software function module, which can be stored in the storage module of the client terminal 30 in the form of software or firmware or solidified in the operating system (OS) of the client terminal 30. The processing module of the client terminal 30 is used to execute the executable modules stored in the storage module, such as the software function modules and computer programs included in the authorization authentication apparatus 200. The authorization authentication apparatus 200 may include a sending unit 210, a receiving unit 220, and a responding unit 230.
A sending unit 210, configured to send a first authorization request to a target resource owner of the target configuration information based on the obtained second access request and the target configuration information, where the second access request is used to access a network resource corresponding to the client terminal 30.
A receiving unit 220, configured to receive a first authorization credential issued by the target resource owner, where the first authorization credential characterizes that the resource owner 50 allows authorization of the first authorization request.
the sending unit 210 is further configured to send a second authorization request to the authorization server 60 according to the first configuration information, where the second authorization request includes the first authorization credential and the identity information of the client terminal 30.
The receiving unit 220 is further configured to receive a second authorization credential sent by the authorization server 60, where the second authorization credential represents that the authorization server 60 verifies the first authorization credential and the identity information of the client terminal 30.
A responding unit 230, configured to respond to the second access request, so as to send the network resource to the terminal device 20 that sent the second access request.
Optionally, before the responding unit 230 responds to the second access request, the sending unit 210 may be further configured to send a third authorization request to the authorization server 60, where the third authorization request includes the second authorization credential and the request parameter of the second access request. The receiving unit 220 may be further configured to receive a third authorization credential issued by the authorization server 60, where the third authorization credential represents that the authorization server 60 verifies the second authorization credential and the request parameter.
Optionally, the authorization authentication apparatus 200 may further include a parameter format conversion unit and a communication establishment unit. Before the sending unit 210 sends the first authorization request to the target resource owner of the target configuration information, the parameter format converting unit is configured to: the first configuration information is converted into a first parameter format corresponding to the OAuth interface of the authorization server 60, and the second configuration information is converted into a second parameter format corresponding to the OAuth interface of the resource owner 50. The communication establishing unit is used for: the communication connection between the client terminal 30 and the authorization server 60 is established through the OAuth interface of the authorization server 60, and the communication connection between the client terminal 30 and the resource owner 50 is established through the OAuth interface of the resource owner 50.
It should be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the electronic device (including the client terminal 30, the database server 40), the authorization authentication configuration apparatus 100, and the authorization authentication apparatus 200 described above may refer to the corresponding processes of the steps in the foregoing method, and are not described in detail herein.
The embodiment of the application also provides a computer readable storage medium. The readable storage medium has stored therein a computer program that, when run on a computer, causes the computer to execute the authorization authentication configuration method described in the above embodiments, or execute the authorization authentication method.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by hardware, or by software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB flash drive, a removable hard disk, etc.) and includes several instructions enabling a computer device (which can be a personal computer, a server, a network device, etc.) to execute the method described in the embodiments of the present application.
In summary, the present application provides an authorization authentication method, an authorization authentication device, and an electronic device. The method comprises the following steps: acquiring a plurality of configuration information, wherein the plurality of configuration information comprises first configuration information of an authorization server and second configuration information of a plurality of resource owners; and establishing a first binding relationship between the first configuration information and the identity information of the authorization server and a second binding relationship between the second configuration information and the identity information of the corresponding resource owner, wherein the first configuration information is used for establishing communication connection between the client terminal and the corresponding authorization server when the client terminal acquires the first configuration information, and the second configuration information is used for establishing communication connection between the client terminal and the resource owner when the client terminal acquires the second configuration information. In the scheme, the first binding relationship and the second binding relationship are established, so that the corresponding communication connection can be established based on the binding relationship, and the corresponding authorization authentication can be performed. When a new third-party application needs to be added, the configuration of authorization authentication can be completed by adding a new binding relationship, so that OAuth operation and maintenance operation can be simplified, and operation and maintenance efficiency can be improved.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus, system, and method may be implemented in other ways. The apparatus, system, and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (5)

1. An authorization authentication method applied to a client terminal in communication connection with a database server, the method comprising:
converting the first configuration information into a first parameter format corresponding to an OAuth interface of an authorization server, and converting the second configuration information into a second parameter format corresponding to the OAuth interface of a resource owner;
establishing communication connection between the client terminal and the authorization server through an OAuth interface of the authorization server, and establishing communication connection between the client terminal and the resource owner through the OAuth interface of the resource owner;
sending a first authorization request to a target resource owner of the target configuration information based on the obtained second access request and the target configuration information, wherein the second access request is used for accessing the network resource corresponding to the client terminal;
receiving a first authorization credential sent by the target resource owner, wherein the first authorization credential indicates that the target resource owner allows authorization of the first authorization request;
sending a second authorization request to the authorization server according to the first configuration information, wherein the second authorization request comprises the first authorization credential and the identity information of the client terminal;
receiving a second authorization credential sent by the authorization server, wherein the second authorization credential indicates that the first authorization credential and the identity information of the client terminal have passed verification by the authorization server;
responding to the second access request by sending the network resource to the terminal device that sent the second access request.
2. The method of claim 1, wherein prior to responding to the second access request, the method further comprises:
sending a third authorization request to the authorization server, wherein the third authorization request comprises the second authorization credential and the request parameters of the second access request;
and receiving a third authorization credential sent by the authorization server, wherein the third authorization credential indicates that the second authorization credential and the request parameters have passed verification by the authorization server.
3. An authorization authentication apparatus applied to a client terminal communicatively connected to a database server, the apparatus comprising:
a parameter format conversion unit, configured to convert the first configuration information into a first parameter format corresponding to an OAuth interface of the authorization server and to convert the second configuration information into a second parameter format corresponding to the OAuth interface of the resource owner;
a communication establishing unit, configured to establish a communication connection between the client terminal and the authorization server through an OAuth interface of the authorization server, and establish a communication connection between the client terminal and the resource owner through an OAuth interface of the resource owner;
a sending unit, configured to send a first authorization request to a target resource owner of target configuration information based on an acquired second access request and the target configuration information, where the second access request is used to access a network resource corresponding to the client terminal;
a receiving unit, configured to receive a first authorization credential sent by the target resource owner, where the first authorization credential represents that the target resource owner allows authorization for the first authorization request;
the sending unit is further configured to send a second authorization request to an authorization server according to the first configuration information, where the second authorization request includes the first authorization credential and the identity information of the client terminal;
the receiving unit is further configured to receive a second authorization credential sent by the authorization server, where the second authorization credential represents that the authorization server passes verification of both the first authorization credential and the identity information of the client terminal;
and a response unit, configured to respond to the second access request by sending the network resource to the terminal device that sent the second access request.
4. An electronic device, characterized in that the electronic device comprises a memory and a processor coupled to each other, the memory storing a computer program which, when executed by the processor, causes the electronic device to perform the authorization authentication method according to claim 1 or 2.
5. A computer-readable storage medium, in which a computer program is stored which, when run on a computer, causes the computer to perform the authorization authentication method according to claim 1 or 2.
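As an added illustration that is not code from the patent or its applicant, the three-credential exchange of claims 1 and 2 simulated in Python: the resource owner issues the first credential, the authorization server issues the second only after verifying both that grant and the client terminal's identity, and the third binds the second credential to the concrete request parameters before the terminal serves the resource. The HMAC-signed credential format, the set through which the authorization server recognises the owner's credential, and every name and sample value are assumptions.

```python
import hashlib, hmac, json, secrets, time
class AuthorizationServer:
    """Issues the second credential (claim 1) and the third credential (claim 2)."""
    def __init__(self):
        self.key = secrets.token_bytes(32)   # constructed server-side signing key
        self.clients = {}                    # client_id -> secret (the terminal's identity information)
        self.owner_grants = set()            # first credentials the resource owner has issued
    def sign(self, payload):
        body = json.dumps(payload, sort_keys=True).encode().hex()
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
    def verify(self, cred):
        body, _, tag = cred.partition(".")
        expect = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, tag):
            return None                      # forged or tampered credential
        payload = json.loads(bytes.fromhex(body))
        return payload if payload["exp"] > time.time() else None
    def second_request(self, first_cred, client_id, client_secret):
        # claim 1: the owner's grant AND the client terminal's identity must both verify
        if (first_cred not in self.owner_grants
                or not hmac.compare_digest(self.clients.get(client_id, ""), client_secret)):
            return None
        self.owner_grants.discard(first_cred)   # a grant is redeemed only once
        return self.sign({"typ": "access", "sub": client_id, "exp": time.time() + 600})
    def third_request(self, second_cred, params):
        # claim 2: bind the access credential to the concrete request parameters
        payload = self.verify(second_cred)
        if payload is None or payload.get("typ") != "access":
            return None
        digest = hashlib.sha256(json.dumps(params, sort_keys=True).encode()).hexdigest()
        return self.sign({"typ": "request", "sub": payload["sub"], "params": digest,
                          "exp": time.time() + 60})

class ResourceOwner:
    """Issues the first credential. The claims do not say how the authorization server
    recognises that credential; a set shared with the server is assumed here."""
    def __init__(self, auth):
        self.auth = auth
    def first_request(self, client_id, resource):
        grant = secrets.token_urlsafe(16)    # first credential: owner allows the request
        self.auth.owner_grants.add(grant)
        return grant

def client_terminal_flow(auth, owner, client_id, secret, access_request):
    """Claims 1-2 for one second access request; returns the resource or None."""
    first = owner.first_request(client_id, access_request["resource"])
    second = auth.second_request(first, client_id, secret)
    third = None if second is None else auth.third_request(second, access_request["params"])
    return None if third is None else "resource:" + access_request["resource"]
```

The resource is released only when the third credential arrives, so a valid access credential presented with different request parameters than those the authorization server signed never reaches the response step.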

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911177409.XA CN111064708B (en) 2019-11-25 2019-11-25 Authorization authentication method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911177409.XA CN111064708B (en) 2019-11-25 2019-11-25 Authorization authentication method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN111064708A (en) 2020-04-24
CN111064708B (en) 2022-05-17

Family

ID=70298812

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911177409.XA Active CN111064708B (en) 2019-11-25 2019-11-25 Authorization authentication method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN111064708B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111737681A (en) * 2020-06-08 2020-10-02 海尔优家智能科技(北京)有限公司 Resource acquisition method and device, storage medium and electronic device
CN111966992A (en) * 2020-08-17 2020-11-20 中消云(北京)物联网科技研究院有限公司 Processing method and device of docking equipment
CN113079006B (en) * 2021-03-29 2021-11-30 上海纬百科技有限公司 Information processing method for key, electronic device and storage medium
CN113377369A (en) * 2021-05-17 2021-09-10 广州有信科技有限公司 Universal method and device for interfacing third-party service system and terminal equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104144195A (en) * 2013-06-26 2014-11-12 腾讯科技(深圳)有限公司 Method, system and device for showing medium information on microblog homepage
CN104378382A (en) * 2014-11-28 2015-02-25 上海斐讯数据通信技术有限公司 Multiple client wireless authentication system and authentication method thereof
CN105830414A (en) * 2013-10-01 2016-08-03 鲁库斯无线公司 Secure network access using credentials
CN106953831A (en) * 2016-01-06 2017-07-14 阿里巴巴集团控股有限公司 User resource authorization method, apparatus and system
CN109033774A (en) * 2018-08-31 2018-12-18 阿里巴巴集团控股有限公司 Method and apparatus for acquiring and feeding back user resources, and electronic device
CN110138718A (en) * 2018-02-09 2019-08-16 佳能株式会社 Information processing system and its control method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on authentication and authorization technology based on OAuth 2.0; Wei Chengkun et al.; Netinfo Security (信息网络安全); 2016-09-30; Sections 1-3 *

Also Published As

Publication number Publication date
CN111064708A (en) 2020-04-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20210113
Address after: A108, 1/F, curling hall, winter training center, 68 Shijingshan Road, Shijingshan District, Beijing 100041
Applicant after: Beijing second hand Artificial Intelligence Technology Co.,Ltd.
Address before: Room 9014, 9/F, building 3, yard 30, Shixing street, Shijingshan District, Beijing
Applicant before: ADMASTER TECHNOLOGY (BEIJING) Co.,Ltd.
GR01 Patent grant