Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Existing single sign-on schemes generally transmit a ticket when one application jumps to another so that the ticket can be shared. Although the ticket is encrypted for transmission, every application shares the same secret key, so the key is only as well protected as the least protected application, and the overall security is low.
Based on this, embodiments of the present invention provide a single sign-on method, apparatus, and device, which can improve the security of single sign-on.
Specifically, the embodiments of the present invention will be further explained below with reference to the drawings.
It should be understood that the following examples are provided by way of illustration and are not intended to limit the invention in any way to the particular embodiment disclosed.
Fig. 1 shows a schematic structural diagram of a single sign-on system according to an embodiment of the present invention. As shown in fig. 1, the single sign-on system 10 includes: unified authentication system 11, first application system 12 and second application system 13. The first application system 12 and the second application system 13 communicate with the unified authentication system 11, respectively.
The unified authentication system 11 may be the unified login platform of an enterprise that has a plurality of accessible applications (for example, a first application and a second application); the first application system 12 may be the back-end server of the first application and the second application system 13 the back-end server of the second application. The user may log in to the first application through the unified authentication system 11, log in to the second application through the unified authentication system 11, jump from the first application to the second application, or jump from the second application to the first application.
Fig. 2 is a flowchart illustrating a single sign-on method according to an embodiment of the present invention. The single sign-on method can be applied to the unified authentication system in fig. 1. As shown in fig. 2, the single sign-on method includes:
step 210, the unified authentication system receives a random string generation request sent by the first application system, and generates a first dynamic password and a user identifier, wherein the random string generation request includes user information and a root ticket.
The root ticket is generated from the user information. Before step 210 the method further comprises: step 201, the unified authentication system generates a root ticket from login information including the user information. When a user logs in to the first application system through the unified authentication system, the unified authentication system obtains login information including the user information, generates a root ticket from that login information, and returns the user information and the root ticket to the first application system.
The root ticket may be a JWT (JSON Web Token). A JWT is a signed string carrying user-related information: when a page requests a login-protected interface, the request header carries the JWT to the back-end service, the back end checks the signature to confirm that the payload has not been tampered with, and if the check passes the request is treated as trusted and data is returned normally. In this embodiment, generating the root ticket from the login information including the user information may specifically be: the login information including the user information is protected with a root ticket key to produce the root ticket (for a JWT, the key signs the encoded claims so that any later modification is detectable). The root ticket key is preset for this purpose.
The login information includes one or more kinds of information such as the user information and the login time. The user information may include a user account or a user name. In some embodiments the user information may also include a login password; note that anything placed in the root ticket or in the random string described below is disclosed to every application that receives it, so carrying only an account identifier is the safer choice. When a user wants to access the first application, the user is redirected from the first application to the unified authentication system and logs in there; after the user enters the user information, the unified authentication system authenticates it, generates a root ticket from the login information such as the user information, and returns the root ticket to the first application system; the first application system sends the root ticket to the unified authentication system for verification, and after the verification passes the login to the first application is complete.
After generating the root ticket, the unified authentication system sends the root ticket and the user information to the first application system. The user information returned for logging in to the first application may be recorded as the primary account. When the user has only one account, the user logs in to both the first application and the second application with the primary account; when the user has several accounts, the user may log in to the first application with the primary account and to the second application with a sub-account.
In step 210, when the user wishes to jump from the first application to the second application, the user triggers a jump request for the second application; after the first application system receives the jump request, it sends a random string generation request to the unified authentication system. The random string generation request includes the user information and the root ticket. When the unified authentication system receives the request, it first verifies the root ticket contained in it, and only after that verification succeeds does it generate the first dynamic password and the user identifier, so that an attacker cannot trigger a jump with a forged account.
The generating of the first dynamic password and the user identifier may specifically include:
step 211, obtaining the current encryption time;
the current encryption time refers to the time when the unified authentication system generates the first dynamic password.
Step 212, generating a first dynamic password according to the current encryption time, the preset fixed key and the preset encryption algorithm.
The preset fixed key is configured in advance. To make it harder to find, it is not stored as a plain character string but is split before being stored in the unified authentication system; for example, it is written into the code one byte at a time. Assuming the preset fixed key is 512 bytes long, it is written in the code as follows:
char szInitKey[512];            // definition
szInitKey[0] = (char)0x99;      // assign value to byte 0
szInitKey[1] = (char)0x01;      // assign value to byte 1
…
szInitKey[511] = (char)0x02;    // assign value to byte 511
Splitting the key in this way only obscures it: anyone who can read the binary or the process memory can reassemble it. It is a concealment measure, and the real protection comes from the key living only in the unified authentication system rather than in each application.
The preset encryption algorithm may be the Time-based One-Time Password (TOTP) algorithm, which computes a one-time password from a shared key and the current time: the time is divided into steps of fixed length and the password is computed from the step counter, so the same password is produced throughout one step. In this embodiment the first dynamic password is computed with the TOTP algorithm from the current encryption time and the preset fixed key.
Step 213, generating a user identification.
The user identifier is a universally unique identifier (UUID); in Java it can be generated with the java.util.UUID class. The user identifier and the root ticket are in one-to-one correspondence, that is, each root ticket corresponds to exactly one user identifier.
Step 220, in response to the random string generation request, the unified authentication system encrypts the user information and the user identifier with the first dynamic password to generate a random string.
The AES algorithm may be used to encrypt the user information and the user identifier with the first dynamic password; an authenticated mode such as AES-GCM is preferable, because decryption with a key that does not match then fails cleanly instead of yielding garbage that must be recognised as such. In other embodiments other algorithms may be used; this embodiment does not limit this.
In some embodiments, since there is still a small probability that the combination of user information and user identifier repeats, step 220 may, to ensure that the random string is unique, instead encrypt the user information, the user identifier and the current encryption time with the first dynamic password to generate the random string.
In some embodiments, when the user has several accounts, the user may use different accounts in different applications, and before step 220 the method may further include: step 202, determining target information from the second application jump information and taking the target information as the user information.
In step 202 the target information determined by the unified authentication system is the user information for logging in to the second application and may be recorded as a sub-account. For example, if the account used by the user in the first application is zhangsan and the account used in the second application is zhangsan1, the account of the destination application must be determined before the jump.
The correspondence between each application and the user's accounts is stored in the unified authentication system. The second application jump information indicates a jump to the second application and may, for example, include identification information of the second application, so that the unified authentication system can look up the user information used in the second application, that is, the target information, and take it as the user information. For example, if the account used by the user in the first application is zhangsan (primary account) and the account used in the second application is zhangsan1 (sub-account), then when the unified authentication system learns that the destination application is the second application, it looks up the account used by the user in the second application (the target information) in the stored correspondence and takes it as the user information, so the user information becomes zhangsan1.
Step 230, the unified authentication system correspondingly stores the user identifier and the root ticket into the database.
Because the user identifier and the root ticket are in one-to-one correspondence, the unified authentication system stores them together. The database may be Redis: the unified authentication system stores the root ticket as the value under the key random_sso:uuid, where uuid is the user identifier.
Step 240, the unified authentication system sends the random string to the first application system, so that the first application system sends the random string to the second application system.
After generating the random string, the unified authentication system sends it to the first application system, which passes it on to the second application system. The first application system may send the random string to the second application system directly or through a third party.
Step 250, when the random string sent by the second application system is received, the unified authentication system generates a second dynamic password, and when the second dynamic password is the same as the first dynamic password the random string is decrypted with the second dynamic password to obtain the user information and the user identifier.
When the second application system receives the random string, it sends the random string to the unified authentication system to request the login information it needs.
The generating of the second dynamic password may specifically include:
step 251, the current decryption time is obtained.
The current decryption time refers to the time when the unified authentication system generates the second dynamic password.
Step 252, a second dynamic password is generated according to the current decryption time, the preset fixed key and the preset encryption algorithm.
The preset fixed key and the preset encryption algorithm used to generate the second dynamic password are the same as those used to generate the first dynamic password, so in step 252 the second dynamic password is computed with the TOTP algorithm from the current decryption time and the preset fixed key. Because the TOTP algorithm produces the same dynamic password throughout one time step, the first and second dynamic passwords are the same if the interval between the current encryption time and the current decryption time lies within the preset time interval range of the algorithm, and differ if that interval is exceeded. The preset time interval range may, for example, be 30 seconds. Note that the range is the length of a time step, not a sliding window starting at the encryption time: an encryption near the end of a step and a decryption shortly after the step boundary yield different passwords even though fewer than 30 seconds have passed, so an implementation that should tolerate this also tries the password of the previous step.
After the second dynamic password is generated, the unified authentication system decrypts the random string with it; if the second dynamic password is the same as the first dynamic password, decryption yields the user information and the user identifier contained in the random string sent by the second application system. If the user only has a primary account, the decrypted user information contains the primary account; if the user has a primary account and a sub-account and logs in to the second application with the sub-account, the decrypted user information contains the sub-account.
Step 260, the unified authentication system obtains the root ticket from the database according to the user identifier.
When the root ticket was stored in Redis as the value under the key random_sso:uuid, the unified authentication system, having obtained the user identifier uuid, looks up that key in Redis; if the key exists, the root ticket is taken from its value.
Step 270, the unified authentication system returns the user information and the root ticket to the second application system to complete the single sign-on of the second application system.
Before step 270 the method may further include: the unified authentication system verifies the root ticket with the root ticket key, and executes step 270 only if the verification passes. Since the root ticket was produced with the root ticket key, it can be checked with the same key: for a signed JWT the signature over the encoded claims is recomputed and compared; for a ticket produced by encryption, the information recovered by decrypting with the root ticket key must match the information that was protected. If the check passes, the unified authentication system returns the user information and the root ticket to the second application system.
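The root ticket generation of step 201 and the verification before step 270 can be shown together. The following is an added example written for this page, not code from the patent: it builds the root ticket as an HS256-signed JWT from the login information (account and login time; the password is deliberately left out), verifies it with the same root ticket key, and rejects a ticket whose claims were altered or whose header names another algorithm. The key value, the LoginInfo field names and the function names are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// LoginInfo is the login information the root ticket carries: the account and
// the login time. The password is deliberately not placed in the ticket.
type LoginInfo struct {
	Account   string `json:"account"`
	LoginTime int64  `json:"login_time"`
}

// rootTicketKey is a constructed stand-in for the preset root ticket key; a real
// deployment loads it from a secret store rather than a literal.
var rootTicketKey = []byte("constructed-example-root-ticket-key")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func sign(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// GenerateRootTicket produces an HS256 JWT (step 201):
// base64url(header).base64url(claims).base64url(HMAC-SHA256(key, header.claims)).
func GenerateRootTicket(info LoginInfo, key []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	claims, err := json.Marshal(info)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(claims)
	return signingInput + "." + b64(sign(signingInput, key)), nil
}

// VerifyRootTicket checks the signature before trusting any claim (the check
// before step 270). The algorithm is pinned to HS256 so a token whose header
// names "none" or another algorithm is rejected whatever its signature says.
func VerifyRootTicket(ticket string, key []byte) (LoginInfo, error) {
	var info LoginInfo
	parts := strings.Split(ticket, ".")
	if len(parts) != 3 {
		return info, errors.New("malformed ticket")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return info, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return info, errors.New("unexpected algorithm")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return info, errors.New("bad signature encoding")
	}
	if !hmac.Equal(sig, sign(parts[0]+"."+parts[1], key)) { // constant-time compare
		return info, errors.New("signature mismatch")
	}
	claimsJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return info, errors.New("bad claims encoding")
	}
	if err := json.Unmarshal(claimsJSON, &info); err != nil {
		return info, errors.New("bad claims")
	}
	return info, nil
}

func main() {
	ticket, _ := GenerateRootTicket(LoginInfo{Account: "zhangsan", LoginTime: time.Now().Unix()}, rootTicketKey)
	fmt.Println("root ticket:", ticket)
	info, err := VerifyRootTicket(ticket, rootTicketKey)
	fmt.Println("verified:", info.Account, err)
	// Substitute the claims but keep the original signature: the check must fail.
	parts := strings.Split(ticket, ".")
	forged := parts[0] + "." + b64([]byte(`{"account":"admin","login_time":0}`)) + "." + parts[2]
	_, err = VerifyRootTicket(forged, rootTicketKey)
	fmt.Println("forged:", err)
}
```

The verifier pins the algorithm to HS256 and compares signatures with hmac.Equal; accepting whatever algorithm the header names is the usual way a JWT check is bypassed. Ticket expiry is not modelled here; the login time in the claims is where an expiry check would be applied.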
In this embodiment, after the second application system obtains the user information and the root ticket returned by the unified authentication system, it generates a ticket of its own application from the user information and the root ticket, completing the single sign-on.
In the embodiment of the invention, when the user logs in to the first application system through the unified authentication system, a root ticket is generated from the login information including the user information. On receiving a random string generation request from the first application system, the unified authentication system generates a first dynamic password and a user identifier, encrypts the user information and the user identifier with the first dynamic password to obtain a random string, stores the user identifier together with the root ticket in the database, and sends the random string to the first application system, which forwards it to the second application system. When the random string arrives from the second application system, the unified authentication system generates a second dynamic password; if it matches the first dynamic password, the random string is decrypted to recover the user information and the user identifier, the root ticket is fetched from the database by the user identifier, and the user information and the root ticket are returned to the second application system to complete its single sign-on. The root ticket itself is therefore never carried between applications during the jump, only a random string that can be decrypted solely by the unified authentication system and only within the validity window of the dynamic password, which improves the security of single sign-on.
Fig. 3 is a flowchart illustrating a single sign-on method according to an embodiment of the present invention. The single sign-on method can be applied to the single sign-on system in fig. 1. As shown in fig. 3, the single sign-on method includes:
step 301, a user inputs a primary account and a password in the unified authentication system to log in a first application through the unified authentication system.
For example, the primary account number input by the user in the unified authentication system is zhangsan.
Step 302, the unified authentication system obtains login information including the primary account, generates the root ticket from the login information, and returns the primary account and the root ticket to the first application system.
Step 303, the first application system sends the root ticket to the unified authentication system, which verifies it; after the verification passes, the login to the first application is complete.
Step 304, when the user triggers a jump request for the second application, the first application system receives the jump request, generates a random string generation request from the second application jump information contained in the jump request, the primary account and the root ticket, and sends the random string generation request to the unified authentication system.
Step 305, when the unified authentication system receives the random string generation request from the first application system, it verifies the root ticket in the request; after the verification succeeds, it determines the target information from the second application jump information and the primary account and takes the target information as the user information.
For example, if a sub-account (i.e., target information) of the second application is determined among the sub-accounts associated with the primary account, and the determined target information is zhangsan1, zhangsan1 is used as the user information.
And step 306, the unified authentication system acquires the current encryption time and generates a first dynamic password according to the current encryption time, the preset fixed key and the preset encryption algorithm.
Step 307, the unified authentication system generates the user identifier and stores the root ticket in Redis as the value under the key random_sso:uuid.
Step 308, the unified authentication system encrypts the user information, the user identifier and the current encryption time through the first dynamic password to generate a random string.
Step 309, the unified authentication system sends the random string to the first application system.
Step 310, the first application system transmits the random string to the second application system, so that the second application system sends the random string to the unified authentication system.
And 311, when the random string is received, the unified authentication system acquires the current decryption time, and generates a second dynamic password according to the current decryption time, the preset fixed key and the preset encryption algorithm.
And step 312, when the second dynamic password is the same as the first dynamic password, the unified authentication system decrypts the random string sent by the second application system through the second dynamic password to obtain the user information and the user identifier.
Step 313, the unified authentication system looks up the key random_sso:uuid in Redis and, if the key exists, takes the root ticket from its value.
Step 314, the unified authentication system returns the user information and the root ticket to the second application system, which completes the login to the second application from the user information and the root ticket.
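Steps 210 to 270 of fig. 2 and steps 306 to 314 of fig. 3 describe one exchange, shown here as a single added example written for this page (not the patent's own code). The dynamic password is derived TOTP-style from the preset fixed key and the 30-second time step and used directly as an AES-256-GCM key; the random string carries the user information, the UUID and the encryption time; a map stands in for Redis with the key random_sso:<uuid>; and the redeem side derives the second dynamic password, also tries the previous step so a jump that straddles a step boundary is not rejected, and deletes the entry after use so the same random string cannot be redeemed twice. The key literal, the type and function names and the one-time-use deletion are assumptions of the example, not something the page specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// stepSeconds is the preset time interval range of the dynamic password;
// presetFixedKey is a constructed stand-in for the preset fixed key.
const stepSeconds = 30
var presetFixedKey = []byte("constructed-example-preset-fixed-key")

// dynamicPassword derives the dynamic password TOTP-style (HMAC-SHA256 over the
// time-step counter) and keeps the full 32-byte output as the AES-256 key.
func dynamicPassword(at time.Time, key []byte) []byte {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(at.Unix()/stepSeconds))
	mac := hmac.New(sha256.New, key)
	mac.Write(counter[:])
	return mac.Sum(nil)
}

// Payload is what the random string carries (step 308).
type Payload struct {
	User    string `json:"user"`     // account used in the destination application
	UUID    string `json:"uuid"`     // user identifier
	EncTime int64  `json:"enc_time"` // current encryption time
}

func newUUID() string { // 16 random bytes formatted as a version-4 UUID
	var b [16]byte
	rand.Read(b[:]) // crypto/rand.Read never returns an error
	b[6], b[8] = (b[6]&0x0f)|0x40, (b[8]&0x3f)|0x80
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
}

// gcmFor builds AES-256-GCM for the dynamic password of time at; both
// constructors fail only on bad sizes, which cannot happen with a 32-byte key.
func gcmFor(at time.Time) cipher.AEAD {
	block, _ := aes.NewCipher(dynamicPassword(at, presetFixedKey))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// AuthSystem models the unified authentication system; store stands in for
// Redis, keyed random_sso:<uuid> with the root ticket as value (step 307).
type AuthSystem struct{ store map[string]string }

// GenerateRandomString covers steps 306 to 309; the caller has already verified
// the root ticket and resolved the account used in the destination application.
func (a *AuthSystem) GenerateRandomString(user, rootTicket string, now time.Time) []byte {
	p := Payload{User: user, UUID: newUUID(), EncTime: now.Unix()}
	a.store["random_sso:"+p.UUID] = rootTicket
	plain, _ := json.Marshal(p) // cannot fail for this struct
	gcm := gcmFor(now)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
}

// Redeem covers steps 311 to 314. "Second dynamic password equals the first" is
// established by GCM authentication succeeding. The previous step is also tried
// so a jump straddling a step boundary is accepted; anything older has expired.
// The entry is deleted after use (an added check, not in the page) to block replay.
func (a *AuthSystem) Redeem(randomString []byte, now time.Time) (user, rootTicket string, err error) {
	const ns = 12 // standard GCM nonce size
	if len(randomString) < ns {
		return "", "", errors.New("random string too short")
	}
	var plain []byte
	for _, at := range []time.Time{now, now.Add(-stepSeconds * time.Second)} {
		if plain, err = gcmFor(at).Open(nil, randomString[:ns], randomString[ns:], nil); err == nil {
			break
		}
	}
	if err != nil {
		return "", "", errors.New("dynamic password mismatch or tampered random string")
	}
	var p Payload
	if err = json.Unmarshal(plain, &p); err != nil {
		return "", "", err
	}
	key := "random_sso:" + p.UUID
	rootTicket, ok := a.store[key]
	if !ok {
		return "", "", errors.New("unknown or already redeemed user identifier")
	}
	delete(a.store, key)
	return p.User, rootTicket, nil
}

func main() {
	auth := &AuthSystem{store: map[string]string{}}
	fmt.Println(auth.Redeem(auth.GenerateRandomString("zhangsan1", "root-ticket", time.Now()), time.Now()))
}
```

Two choices matter for security here. First, the full HMAC output is the key: reducing the dynamic password to a six-digit code, as an authenticator app would, leaves only a million candidate keys, and anyone holding a captured random string could decrypt it offline. Second, because GCM authenticates the ciphertext, "the second dynamic password equals the first" is checked by whether decryption succeeds; with an unauthenticated mode the unified authentication system would have to recognise garbage output, which is error-prone.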
Fig. 4 is a schematic structural diagram of a single sign-on apparatus according to an embodiment of the present invention. As shown in fig. 4, the apparatus 400 includes: a request receiving module 410, an encryption module 420, a storage module 430, a sending module 440, a decryption module 450, a root ticket acquiring module 460, a root ticket sending module 470.
The request receiving module 410 is configured to receive, in the unified authentication system, a random string generation request sent by the first application system and to generate a first dynamic password and a user identifier, where the random string generation request includes user information and a root ticket and the root ticket is generated from the user information. The encryption module 420 is configured to encrypt, in response to the random string generation request, the user information and the user identifier with the first dynamic password to generate a random string. The storage module 430 is configured to store the user identifier together with the root ticket in a database. The sending module 440 is configured to send the random string to the first application system so that the first application system sends the random string to a second application system. The decryption module 450 is configured to generate a second dynamic password when the random string sent by the second application system is received and, when the second dynamic password is the same as the first dynamic password, to decrypt the random string with the second dynamic password to obtain the user information and the user identifier. The root ticket acquiring module 460 is configured to obtain the root ticket from the database according to the user identifier. The root ticket sending module 470 is configured to return the user information and the root ticket to the second application system to complete the single sign-on of the second application system.
In an alternative manner, the random string generation request includes second application jump information; the encryption module 420 is further configured to: and determining target information according to the second application jump information, and taking the target information as the user information.
In an optional manner, the encryption module 420 is specifically configured to: and encrypting the determined user information, the user identification and the current encryption time through the first dynamic password to generate the random string.
In an optional manner, the encryption module 420 is further specifically configured to: acquiring current encryption time; generating the first dynamic password according to the current encryption time, a preset fixed key and a preset encryption algorithm; the decryption module 450 is specifically configured to: acquiring current decryption time; generating the second dynamic password according to the current decryption time, the preset fixed key and the preset encryption algorithm; wherein the preset encryption algorithm comprises: and if the time interval between the current encryption time and the current decryption time is within a preset time interval range, the generated first dynamic password and the second dynamic password are the same.
In an optional manner, the predetermined fixed key is stored in the unified authentication system after being split.
In an optional manner, the user identifier is a universally unique identifier (UUID).
In an optional manner, the apparatus further comprises: and a root bill generation module. The root note generating module is specifically configured to: encrypting login information including the user information by a root ticket key to generate the root ticket.
In an optional manner, the apparatus further comprises: and a verification module. And the verification module is used for verifying the root bill according to the root bill key, and if the root bill passes the verification, executing the step that the unified authentication system returns the user information and the root bill to the second application system.
It should be noted that the single sign-on apparatus provided in the embodiments of the present invention is an apparatus capable of executing the single sign-on method, and all embodiments based on the single sign-on method are applicable to the apparatus and can achieve the same or similar beneficial effects.
An embodiment of the present invention provides a computer-readable storage medium, where at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to execute the single sign-on method in any of the above method embodiments.
Embodiments of the present invention provide a computer program product comprising a computer program stored on a computer storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform a single sign-on method of any of the above method embodiments.
Fig. 5 is a schematic structural diagram of the unified authentication system according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the unified authentication system.
Wherein, unified authentication system includes: a processor and a memory. The memory is configured to store at least one executable instruction, and when the unified authentication system is running, the processor executes the executable instruction to cause the processor to perform the steps of the single sign-on method according to any of the above-mentioned method embodiments.
Optionally, as shown in fig. 5, the unified authentication system may include: a processor (processor)502, a Communications Interface 504, a memory 506, and a communication bus 508.
Wherein: the processor 502, communication interface 504, and memory 506 communicate with one another via a communication bus 508. A communication interface 504 for communicating with a network element of the first application system, the second application system or other servers, etc. The processor 502 is configured to execute the program 510, and may specifically execute the single sign-on method in any of the above-described method embodiments.
In particular, program 510 may include program code that includes computer operating instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the invention. The unified authentication system may comprise one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
And a memory 506 for storing a program 510. The memory 506 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The embodiment of the invention generates a root bill according to login information including user information when logging in a first application system through a unified authentication system, receives a random string generation request sent by the first application system, generates a first dynamic password and a user identification, encrypts the user information and the user identification through the first dynamic password to generate a random string, correspondingly stores the user identification and the root bill in a database, sends the random string to the first application system to enable the first application system to send the random string to a second application system, generates a second dynamic password when receiving the random string sent by the second application system, decrypts the random string through the second dynamic password to obtain the user information and the user identification when the second dynamic password is the same as the first dynamic password, obtains the root bill from the database according to the user identification, the user information and the root bill are returned to the second application system to complete single sign-on of the second application system, and the transmission safety of the root bill can be ensured when the application of the single sign-on skips, so that the safety of the single sign-on can be improved.
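The exchange summarised above, written out as an added example that is not the patent's own code. It assumes a time-window dynamic password (an HMAC of a secret held only by the unified authentication system over the current window counter; the page does not say how the dynamic password is derived), an HMAC-SHA256 counter-mode stand-in for the cipher (a deployment would use an AEAD such as AES-GCM), and a single-use check on the user identification, which the page does not mention and is added here as hardening. The names `UnifiedAuthSystem`, `issue_random_string` and `redeem_random_string` are illustrative, and the user record is constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in (assumption) for a real cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC so the applications relaying the random string cannot alter it unnoticed.
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # A wrong key (second dynamic password != first) or any tampering fails here.
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)


class UnifiedAuthSystem:
    """Hypothetical model of unified authentication system 11; the secret never leaves it."""

    def __init__(self, window_seconds: int = 60, clock=time.time):
        self._secret = secrets.token_bytes(32)   # not shared with any application system
        self._window = window_seconds
        self._clock = clock
        self._root_bills = {}                    # user -> root bill issued at login
        self._db = {}                            # user identification -> root bill

    def _dynamic_password(self) -> bytes:
        # Assumption: the dynamic password is bound to the current time window.
        counter = int(self._clock() // self._window)
        return hmac.new(self._secret, b"dyn" + counter.to_bytes(8, "big"), hashlib.sha256).digest()

    def login(self, user_info: dict) -> str:
        # Login to the first application system: derive a root bill for this login.
        root_bill = secrets.token_urlsafe(24)
        self._root_bills[user_info["user"]] = root_bill
        return root_bill

    def issue_random_string(self, user_info: dict) -> str:
        # Random string generation request from the first application system.
        first_dynamic_password = self._dynamic_password()
        user_id = secrets.token_hex(16)
        self._db[user_id] = self._root_bills[user_info["user"]]
        payload = json.dumps({"uid": user_id, "user_info": user_info}).encode()
        return base64.urlsafe_b64encode(_seal(first_dynamic_password, payload)).decode()

    def redeem_random_string(self, random_string: str):
        # The second application system hands the opaque random string back.
        second_dynamic_password = self._dynamic_password()
        try:
            payload = _open(second_dynamic_password, base64.urlsafe_b64decode(random_string))
        except ValueError:
            raise PermissionError("random string rejected: dynamic password mismatch or tampering")
        data = json.loads(payload)
        root_bill = self._db.pop(data["uid"], None)  # pop makes it single use (added hardening)
        if root_bill is None:
            raise PermissionError("unknown or already used user identification")
        return data["user_info"], root_bill


class FakeClock:
    def __init__(self, t: float = 1_700_000_000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


def simulate_jump(delay_seconds: int = 0, tamper: bool = False) -> dict:
    """Login to app 1, jump to app 2 after delay_seconds; optionally flip one ciphertext byte."""
    clock = FakeClock()
    uas = UnifiedAuthSystem(window_seconds=60, clock=clock)
    user_info = {"user": "alice", "dept": "finance"}     # constructed sample login information
    root_bill = uas.login(user_info)
    random_string = uas.issue_random_string(user_info)   # app 1 -> UAS; app 1 forwards to app 2
    clock.t += delay_seconds
    if tamper:
        raw = bytearray(base64.urlsafe_b64decode(random_string))
        raw[20] ^= 1                                     # inside the ciphertext, after the nonce
        random_string = base64.urlsafe_b64encode(bytes(raw)).decode()
    try:
        info, bill = uas.redeem_random_string(random_string)   # app 2 -> UAS
    except PermissionError as exc:
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "same_user": info == user_info, "same_root_bill": bill == root_bill}


def replay_rejected() -> bool:
    """A second redemption of the same random string must fail."""
    uas = UnifiedAuthSystem(clock=FakeClock())
    user_info = {"user": "bob"}
    uas.login(user_info)
    rs = uas.issue_random_string(user_info)
    uas.redeem_random_string(rs)
    try:
        uas.redeem_random_string(rs)
    except PermissionError:
        return True
    return False
```

Two practical caveats follow from the model. A random string issued just before a window boundary is rejected when it arrives in the next window, so a deployment either accepts the previous window as well or keeps the window comfortably longer than a browser redirect. And confidentiality alone is not enough: without the MAC, an application holding a captured random string could flip ciphertext bits and the unified authentication system would decrypt garbage or, worse, a different user identification.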
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etcetera does not indicate any ordering; these words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.