CN111639327A - Authentication method and device for open platform

Publication number: CN111639327A
Application number: CN202010473036.7A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 胡思文, 毕玉龙, 郑喜生, 陈杰, 边元乔, 陈晓峰, 黄叶飞, 罗锶, 卢道和
Assignee: WeBank Co Ltd
Legal status: Pending

Classifications

    • G06F21/44 Program or device authentication
    • G06F21/1014 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM], by binding digital rights to specific entities, to tokens
    • G06F21/31 User authentication
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention relates to the field of financial technology (Fintech) and discloses an authentication method and device for an open platform. The method comprises the following steps: the open platform receives a service access request sent by a service requester; after the open platform has verified the first token identifier carried in the request, it determines, in the authentication platform, the first token corresponding to that identifier; and after the first token signature and the first token have been verified, the open platform forwards the service access request to the corresponding service system. By introducing signature verification and access control on the open platform side, the load on the authentication platform is greatly reduced and the services the authentication platform must provide become lighter; the introduction of the first token identifier simplifies service requester access and the troubleshooting of abnormal requests.

Description

Authentication method and device for open platform
Technical Field
The invention relates to the technical field of financial technology (Fintech), in particular to an authentication method and device for an open platform.
Background
With the development of computer technology, more and more technologies (such as distributed architecture, cloud computing and big data) are being applied in the financial field, and the traditional financial industry is gradually shifting to financial technology. Big data technology is no exception, but the security and real-time requirements of the financial and payment industries also place higher demands on it.
Currently, many large internet enterprises provide open platforms, such as Sina Weibo, the Tencent WeChat Official Accounts open platform, the Baidu AI open platform and the Alibaba Taobao open platform, which greatly simplify access for developers. Besides a complete access system, these platforms also offer developers the computing, storage and other services of the underlying system, bringing considerable value to developers.
Analysis shows that many enterprises build their open platforms on the OAuth 2.0 protocol, which provides a secure, open and simple standard for authorizing access to user resources. In the architecture based on this protocol, the service provider first distributes a service requester identifier and a service requester key to the service requester (site A), where the identifier uniquely identifies the service requester; the main interaction between the service requester and the open platform (site B) then comprises the following steps:
Step 1: A accesses the open platform with the service requester identifier and the service requester key and requests an authorization code; the open platform at site B receives A's request and confirms A's identity.
Step 2: After authentication succeeds, B sends an authorization code token to service requester A; this token has a limited validity period.
Step 3: After receiving the token, A presents it to open platform B to obtain the access token for the relevant service; open platform B checks the validity of the token and whether the service requester has permission for the relevant service, and then sends the access token to the service requester.
Step 4: With the access token, A can access the relevant service.
As this process shows, access to current open platforms is complex; it may also happen that an authorization code is not refreshed in time, or that stale token information is used to request the open platform, producing an illegal request. An efficient and secure authentication scheme is therefore urgently needed.
Disclosure of Invention
The present application provides an authentication method and an authentication device for an open platform, which address the problem of authenticating service requesters on an open platform efficiently and securely.
In a first aspect, an embodiment of the present application provides an authentication method for an open platform, including:
the open platform receives a service access request sent by a service requester, where the service access request carries first token information comprising a first token identifier and a first token signature;
after the open platform has verified the first token identifier, it determines, in an authentication platform, the first token corresponding to the first token identifier; the first token is the token corresponding to the first token identifier that the authentication platform issued after verifying an authorization request sent by the service requester;
and after the first token signature and the first token have been verified, the open platform sends the service access request to the corresponding service system.
With this scheme, the authentication platform can complete token authorization on the basis of a single authorization request; the authorization code step is eliminated, the token authorization flow is simplified, and the problem of authorization codes not being refreshed in time no longer arises. At the same time, verification of the service access request is moved to the open platform, which greatly reduces the load on the authentication platform. Finally, the authentication platform generates the correspondence between token identifier and token and sends it to the service requester, so that the requester can locate the right token through the token identifier when making a service access request; this avoids the illegal requests caused by calling the open platform with an old token. In the process the open platform also verifies the token signature and the token, making open platform authentication both efficient and secure.
Optionally, verifying the first token identifier comprises:
the open platform generates a first check value from the first part and the second part of the first token identifier;
and when the current time falls within the validity time indicated by the second part of the first token identifier, and the first check value matches the third part of the first token identifier, the open platform determines that the first token identifier passes verification.
With this scheme the first token identifier is verified by extracting information from different positions of the identifier together with its validity time, so that invalid requests are rejected early, the open platform is protected from malicious attack and security is improved.
Optionally, the service access request includes a service requester identifier, and determining the first token corresponding to the first token identifier in the authentication platform comprises:
determining the token set corresponding to the service requester identifier according to that identifier;
determining the first token corresponding to the first token identifier from the token set according to the first token identifier;
and the open platform verifying the first token signature and the first token comprises:
the open platform computes a signature over the first token under the key associated with the service requester identifier to obtain a first hash value, and determines whether the second hash value corresponding to the first token matches the first hash value.
With this scheme the key that the open platform distributed to the service requester is never transmitted over the network, which avoids the risk of key leakage on the public network. Security is improved while the user experience is also improved.
Optionally, before the open platform verifies the first token identifier, the method further comprises:
the open platform determines whether it will verify the service access request itself; otherwise, the open platform forwards the service access request to the authentication platform, which then determines whether the service access request passes verification.
With this scheme, if the open platform has a problem and cannot provide the related authentication service, it forwards the service access request to the authentication platform, which completes the authentication service; this keeps the authentication platform lightweight. Alternatively, to improve authentication efficiency and balance the authentication load between the open platform and the authentication platform, the open platform may forward the service access request to the authentication platform to complete the authentication service.
In a second aspect, an embodiment of the present application provides an authentication method for an open platform, including:
the authentication platform receives an authorization request sent by a service requester, where the authorization request comprises a service requester identifier and an authorization signature generated with the secret key of the service requester;
the authentication platform verifies the authorization signature according to the service requester identifier;
when verification passes and the authorization request has the access right, the authentication platform generates second token information for the authorization request and sends it to the service requester; the second token information comprises a second token identifier and a second token.
With this scheme the authentication platform verifies the authorization signature and generates the second token information for the authorization request, which improves verification security. At the same time the authentication platform generates the correspondence between token identifier and token and sends both to the service requester, so that the requester can locate the right token through the token identifier when making a service access request; this avoids the illegal requests caused by calling the open platform with an old token and improves verification efficiency.
Optionally, after the sending the second token information to the service requester, the method further includes:
the authentication platform sends the second token information to an open platform; or
the authentication platform sends the second token information to the open platform in response to an acquisition request sent by the open platform, the acquisition request being sent by the open platform after it receives the service access request.
With this scheme the open platform obtains the second token information from the authentication platform either periodically or by actively pulling it, so that the open platform can perform the related functions of the authentication platform.
Optionally, the method further includes:
the authentication platform receives a service access request forwarded by the open platform;
after verifying the second token identifier in the service access request, the authentication platform determines the second token corresponding to the second token identifier;
and after verifying the second token signature in the service access request and the second token, the authentication platform sends the service access request to the corresponding service system.
With this scheme, when the open platform is unavailable the authentication platform performs the signature verification, so the authentication process remains efficient and secure.
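The exchange described by the first and second aspects above (signed authorization request to the authentication platform, issuance of token identifier plus token, pushed to the open platform; service access request carrying the token identifier and a token signature, verified by the open platform against a token set keyed by requester identifier, or forwarded to the authentication platform when the open platform cannot verify), as an added example that is not part of the patent or of WeBank's code. It assumes HMAC-SHA256 as the signing algorithm (the patent names none), opaque random token identifiers (the structured identifier format described later in the description is not modelled here), a token signature covering the token identifier, the token and the request body, a constructed AppSecret, and lifetime and clock-skew values chosen for the demonstration. The AppSecret is held by the requester and by the verifying platforms and never appears in a message.

```python
import hashlib
import hmac
import secrets

# Constructed demo key: the AppSecret shared out of band between the platform
# operator and the service requester. Both sides hold it; no request carries it.
APP_SECRETS = {"app_demo": b"demo-secret-not-for-production"}
TOKEN_TTL = 7200      # token lifetime in seconds (assumed)
AUTH_SKEW = 300       # accepted clock skew for authorization requests (assumed)


def sign(secret, *fields):
    """Assumed signing scheme: HMAC-SHA256 over '|'-joined fields."""
    return hmac.new(secret, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def verify_access(token_sets, req, now):
    """Checks shared by the open platform and the authentication platform:
    find the token by (requester id, token id), then recompute the token
    signature with the requester's key and compare in constant time."""
    entry = token_sets.get(req["app_id"], {}).get(req["token_id"])
    if entry is None:
        return "unknown_token"          # stale or never-issued token id
    token, expires = entry
    if now >= expires:
        return "expired"
    expected = sign(APP_SECRETS[req["app_id"]], req["token_id"], token, req["body"])
    if not hmac.compare_digest(expected, req["token_sig"]):
        return "bad_signature"
    return "ok"                         # request may be forwarded to the service system


class AuthPlatform:
    """Authentication platform role: verifies authorization requests, issues token info."""

    def __init__(self):
        self.token_sets = {}            # app_id -> {token_id: (token, expires)}
        self.subscribers = []           # open platforms receiving pushed token info

    def authorize(self, app_id, timestamp, nonce, auth_sig, now):
        secret = APP_SECRETS.get(app_id)
        if secret is None or abs(now - timestamp) > AUTH_SKEW:
            return None
        if not hmac.compare_digest(sign(secret, app_id, str(timestamp), nonce), auth_sig):
            return None
        token_id, token = secrets.token_hex(8), secrets.token_urlsafe(32)
        entry = (token, now + TOKEN_TTL)
        self.token_sets.setdefault(app_id, {})[token_id] = entry
        for op in self.subscribers:     # push mode of the second token information
            op.token_sets.setdefault(app_id, {})[token_id] = entry
        return token_id, token

    def handle_forwarded(self, req, now):
        return verify_access(self.token_sets, req, now)


class OpenPlatform:
    """Open platform role: verifies service access requests locally, or forwards them."""

    def __init__(self, auth):
        self.auth = auth
        self.token_sets = {}
        self.local_verify = True        # False simulates the open platform being unable to verify
        auth.subscribers.append(self)

    def access(self, req, now):
        if not self.local_verify:
            return "forwarded:" + self.auth.handle_forwarded(req, now)
        return verify_access(self.token_sets, req, now)


class Requester:
    """Service requester holding its AppID/AppSecret and the issued token info."""

    def __init__(self, app_id):
        self.app_id, self.secret = app_id, APP_SECRETS[app_id]
        self.token_id = self.token = None

    def authorization_request(self, now):
        nonce = secrets.token_hex(8)
        return self.app_id, now, nonce, sign(self.secret, self.app_id, str(now), nonce)

    def service_request(self, body):
        sig = sign(self.secret, self.token_id, self.token, body)
        return {"app_id": self.app_id, "token_id": self.token_id,
                "body": body, "token_sig": sig}


def demo(now=1_700_000_000):
    """Runs the exchange and returns the open platform's verdict per case."""
    auth, sr = AuthPlatform(), Requester("app_demo")
    op = OpenPlatform(auth)
    sr.token_id, sr.token = auth.authorize(*sr.authorization_request(now), now)
    results = {"fresh": op.access(sr.service_request('{"op":"balance"}'), now)}
    tampered = sr.service_request('{"op":"balance"}')
    tampered["body"] = '{"op":"transfer"}'                     # body changed after signing
    results["tampered"] = op.access(tampered, now)
    stale = dict(sr.service_request("x"), token_id="0" * 16)   # old or unknown token id
    results["stale_id"] = op.access(stale, now)
    results["expired"] = op.access(sr.service_request("x"), now + TOKEN_TTL)
    op.local_verify = False                                    # fall back to the auth platform
    results["fallback"] = op.access(sr.service_request("x"), now)
    return results


if __name__ == "__main__":
    print(demo())
```

Both verifiers run the same `verify_access` over their own copy of the token set, which is what lets the open platform take over the check without the authentication platform in the path, and lets the authentication platform take it back when the open platform cannot verify. Including the request body in the signed fields is an extension beyond the text, which only requires the signature to cover the token; without it a captured request could be replayed with a different body.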
In a third aspect, an embodiment of the present application provides an authentication apparatus for an open platform, where the apparatus includes:
an acquisition module and a processing module, where the acquisition module is configured to receive a service access request sent by a service requester, the service access request carrying first token information that comprises a first token identifier and a first token signature;
the processing module is configured to determine, in the authentication platform, the first token corresponding to the first token identifier after the first token identifier has been verified; the first token is the token corresponding to the first token identifier that the authentication platform issued after verifying an authorization request sent by the service requester;
and the processing module is further configured to send the service access request to the corresponding service system after the first token signature and the first token have been verified.
Optionally, the processing module is specifically configured to:
generate a first check value from the first part and the second part of the first token identifier;
and when the current time falls within the validity time indicated by the second part of the first token identifier, and the first check value matches the third part of the first token identifier, determine that the first token identifier passes verification.
Optionally, the processing module is specifically configured to:
determine the token set corresponding to the service requester identifier according to that identifier;
determine the first token corresponding to the first token identifier from the token set according to the first token identifier;
and, in verifying the first token signature and the first token:
compute a signature over the first token under the key associated with the service requester identifier to obtain a first hash value, and determine whether the second hash value corresponding to the first token matches the first hash value.
Optionally, the processing module is further configured to:
before the first token identifier is verified, determine whether the service access request is to be verified by the open platform; otherwise, forward the service access request to the authentication platform, which determines whether the service access request passes verification.
In a fourth aspect, an embodiment of the present application provides an authentication apparatus for an open platform, where the apparatus includes:
an acquisition module and a processing module, where the acquisition module is configured to receive an authorization request sent by a service requester, the authorization request comprising a service requester identifier and an authorization signature generated with the secret key of the service requester;
the processing module is configured to verify the authorization signature according to the service requester identifier;
and the processing module is further configured to generate second token information for the authorization request and send it to the service requester when the authorization request passes verification and has the access right; the second token information comprises a second token identifier and a second token.
Optionally, the processing module is further configured to:
after the second token information has been sent to the service requester, send the second token information to an open platform; or
send the second token information to the open platform in response to an acquisition request sent by the open platform, the acquisition request being sent by the open platform after it receives the service access request.
Optionally, the processing module is further configured to:
receive a service access request forwarded by an open platform;
after the second token identifier in the service access request has been verified, determine the second token corresponding to the second token identifier;
and after the second token signature in the service access request and the second token have been verified, send the service access request to the corresponding service system.
Correspondingly, an embodiment of the present invention further provides a computing device, including:
a memory for storing program instructions;
and a processor configured to call the program instructions stored in the memory and execute the authentication method for the open platform according to the program obtained.
Accordingly, an embodiment of the present invention further provides a computer-readable non-volatile storage medium containing computer-readable instructions which, when read and executed by a computer, cause the computer to execute the authentication method for the open platform.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a system framework of an authentication method for an open platform according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of an authentication method for an open platform according to an embodiment of the present invention;
fig. 3 is a flowchart illustrating an authentication method for an open platform according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of an authorization method of an authentication platform according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an open platform authentication apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an authentication apparatus of an open platform according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
First, some terms in the present application are explained so as to be understood by those skilled in the art.
OAuth: OAuth is a protocol that provides a secure, open and simple standard for authorizing access to user resources. With OAuth authorization the service requester never obtains the user's account information, such as user name and password; that is, the service requester can apply for authorization to the user's resources without using the user's user name and password.
OPENAPI: open APIs, also referred to as open platforms. An open API is a common offering of service-type websites, in which the website service provider packages its services as a series of APIs (application programming interfaces) and opens them to third-party developers.
WOPNG: Open Platform (Webank Openapi Platform Next Generation).
WOPNG-SDK: the open platform OpenAPI SDK. The SDK encapsulates the related services for requesting tokens, authentication and so on.
WOPNG-AUTH: the authentication platform.
Before describing embodiments of the present invention, the following description of the prior art will be given in conjunction with specific embodiments to better understand the present invention.
The following takes the WeChat Official Accounts platform as an example:
First, the service requester calls the relevant interface with the requester identifier AppID and the corresponding password AppSecret distributed by the WeChat Official Accounts platform to obtain an authorization code, whose validity period is 2 hours.
The service requester then uses the acquired authorization code to apply to the WeChat Official Account for the related token jsapi_ticket, which is used to call the WeChat JS interface; the validity period of jsapi_ticket is 7200 s.
After obtaining jsapi_ticket, the service requester can access other services with that token.
It should be noted that in the foregoing flow the WeChat Official Accounts platform may rate-limit requests for the authorization code and for jsapi_ticket, and the service requester must cache the most recently acquired authorization code and jsapi_ticket.
Take the first-generation WeBank open platform (WOP) as an example:
First, when a service requester is onboarded to the first-generation WeBank open platform, it is assigned an identity identifier AppID and a corresponding AppSecret, and the service requester uses the AppID and AppSecret to apply for authorization from the authentication platform (WOP-AUTH).
Then the service requester applies to the authentication platform (WOP-AUTH) for the related sign_token, carrying the acquired authorization code; once the sign_token has been obtained, the service requester can use it for subsequent service requests.
As can be seen, obtaining the sign_token takes two steps (first the authorization code, then the token), a complex process that raises the cost of onboarding a service requester.
At the same time, this process uses a centralized authentication mode that depends strongly on the authentication platform AUTH: all authentication and authorization requests must go through AUTH, so the dependence on AUTH is heavy.
In addition, the AppSecret is at risk of exposure on the public network, and transmitting it in clear text is insecure.
On this basis, the invention eliminates the step of obtaining an authorization code and instead relies on computing signatures and verifying them to ensure that the information is not rewritten or tampered with.
The embodiment of the present invention provides an authentication method for an open platform, which may be applied to a system architecture shown in fig. 1, where the system architecture includes a service requester 100, an open platform 200, an authentication platform 300, and a service system 400.
The open platform 200 is configured to receive a service access request sent by the service requester 100.
The open platform 200 is configured to determine, in the authentication platform 300, the first token corresponding to the first token identifier after the first token identifier has been verified.
It should be noted that the first token is the token corresponding to the first token identifier that the authentication platform 300 issued after verifying the authorization request sent by the service requester 100.
After the first token signature and the first token have been verified, the open platform 200 sends the service access request to the corresponding service system 400.
Further, before the open platform 200 receives the service access request sent by the service requester 100, the authentication platform 300 is configured to receive the authorization request sent by the service requester 100, verify the authorization signature according to the service requester identifier, generate second token information for the authorization request when verification passes and the authorization request has the access right, and send the second token information to the service requester 100.
It should be noted that fig. 1 is only an example of a system architecture according to an embodiment of the present application, and the present application is not limited to this specifically.
On this basis, in the embodiment of the present application, as shown in fig. 2, the subsystem that the service requester accesses (normally an open platform) integrates the WOPNG-SDK provided by WOPNG, which carries the related open platform services, and the WOPNG-SDK interacts with the WOPNG-AUTH back-end server of the authentication platform to update configuration information.
It should be noted that the open platform only needs to call the corresponding interface and need not know the internal execution flow of the authentication platform AUTH.
Furthermore, the service requester reaches the load balancer over HTTPS with mutual (two-way) authentication, and the load balancer forwards the service request to the individual open platforms according to the configured routes. The WOPNG-SDK encapsulates the authentication and authorization related requests and forwards them to the authentication platform, so that the authentication platform completes the related authentication and authorization service on behalf of the open platform.
Based on the above illustrated system architecture, fig. 3 is a schematic flowchart corresponding to an authentication method for an open platform according to an embodiment of the present invention, as shown in fig. 3, the method includes:
step 301, the open platform receives a service access request sent by a service requester.
It should be noted that the service access request carries first token information, and the first token information comprises a first token identifier and a first token signature.
Step 302: after the open platform has verified the first token identifier, it determines, in the authentication platform, the first token corresponding to the first token identifier.
It should be noted that the first token is the token corresponding to the first token identifier that the authentication platform issued after verifying the authorization request sent by the service requester.
Step 303: after the open platform has verified the first token signature and the first token, it sends the service access request to the corresponding service system.
In this embodiment of the application, in step 301 the first token information is submitted with an HTTP POST rather than the GET used in the prior art.
It should be noted that both POST and GET submit data to the server and retrieve data from it.
With a GET, the data is placed in the URL of the request, where it is exposed in browser history, Referer headers and proxy and server logs; with a POST the token information travels in the request body and is not exposed in those places, which improves the security of the authentication process. POST by itself does not hide the data from a network observer; that protection comes from the mutually authenticated HTTPS connection described above.
In step 302, the open platform generates a first check value according to the first part of the first token identifier and the second part of the first token identifier;
and when the current time accords with the effective time indicated by the second part of the first token identifier and the first check value is consistent with the third part of the first token identifier, determining that the first token identifier passes the verification.
In one possible implementation, the first part, the second part and the third part of the first token identification are determined by extracting information of the set position.
The setting positions of the first portion, the second portion and the third portion are not limited, and the present application does not specifically limit the setting positions.
For example, a format for the first token identifier is first defined and check bits are added; a service access request whose first token identifier fails the check is directly returned as an illegal request.
In addition, a lifetime is defined for the first token identifier, and a service access request whose first token identifier has outlived that lifetime is directly returned with an "expired" status, reminding the service requester to refresh the token.
In one possible embodiment, the lifetime of the first token identifier is defined by the validity time indicated by its second part.
Specifically, during verification it is first determined whether the first token identifier is legal. In one possible implementation, the first 16 characters of the first token identifier are extracted, the 13-character salt value is appended, and a single MD5 calculation is performed; if the first four characters of the MD5 value match the last 4 characters of the first token identifier, the first token identifier is legal.
It should be noted that MD5 (Message-Digest Algorithm 5) is a widely used cryptographic hash function used to check the integrity and consistency of transmitted information. In the embodiment of the present application, algorithms such as SHA and DES may also be used, and first token identifiers with a lifetime may also be designed using symmetric encryption and decryption; the present application does not specifically limit this.
For example, the first token identifier is 5DAD5FA6SGDA3G8Y3277.
It can be seen that the first token identifier is composed of a first part, a random string of a preset length (here, the 8-character random string 5DAD5FA6), a second part, a creation time of a preset length (here, the 8-character creation time SGDA3G8Y), and a third part, an algorithm-computed value of a preset length (here, the 4-character MD5 value 3277).
Further, the MD5 of the first token identifier is calculated, that is, MD5 is computed over the 8 random characters of the first part + the 8-character creation time of the second part + the 13-character salt value; if the last four characters of the result are 3277, the first token identifier is legal.
Next, it is determined whether the first token identifier has expired; in a possible implementation, this is decided from the creation time carried in the second part of the first token identifier.
For example, in the identifier above, if the 8-character creation time SGDA3G8Y is determined not to have expired, the verification passes.
It should be noted that, to allow for the time a service access request spends in transit on the network, the open platform applies a 10 min redundancy to the expiry of the first token identifier, so that a token that was valid when issued is not treated as invalid, because of the time difference, by the time it is received.
In the embodiment of the application, the salt value is secret and unique, so the verification rule is safe. In addition, once the legality of the first token identifier is verified, illegal requests such as malicious attacks from the public network are effectively blocked, and first token identifiers produced by such attacks are rejected directly.
With this scheme, invalid requests are avoided, the open platform is protected from malicious attacks, and security is improved.
In step 302, the service access request includes a service requester identifier; a token set corresponding to the service requester identifier is determined according to that identifier, and the first token corresponding to the first token identifier is then determined from the token set according to the first token identifier.
For example, the authentication platform generates different tokens, namely token 1, token 2, token 3, token 4 and token 5, for service requester A at different points in time, and finds, among the 5 tokens, token 3 whose creation time matches the information in the first token identifier id1; token 3 is therefore the first token corresponding to the first token identifier.
It can be seen from the above that the first token identifier indicates which token participates in verifying the signature. The open platform caches the tokens obtained from the authentication platform through the SDK, which reduces single-point dependence on the authentication platform and, at the same time, avoids strong dependence on the database; by integrating the SDK and caching each token, the open platform gains the signature verification function.
In step 303, the open platform verifies the signature over the first token according to the service requester identifier to obtain a first hash value, and determines whether a second hash value corresponding to the first token matches the first hash value.
It should be noted that the first hash value is obtained by decrypting the first token signature with the requester's public key.
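The open-platform side of steps 301 to 303 (structure and lifetime check of the first token identifier, lookup in the cached token set, signature check), written as an added example and not code from the patent or from WeBank; the base-36 time encoding, the two-hour lifetime, the salt, and HMAC-SHA256 keyed by the token as the "first token signature" are assumptions the text leaves open. The text says "first four" characters of the MD5 value in one place and "last four" in another; the example follows the verification step and takes the first four.

```python
"""Token-identifier handling on the open platform (steps 301-303); an added illustration.

Layout of the 20-character first token identifier described in the text:
    [0:8] random string | [8:16] creation time (assumed: base-36 epoch seconds) |
    [16:20] check value = first 4 hex chars of MD5(first 16 chars + 13-character salt)
"""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.digits + string.ascii_uppercase   # base-36 symbol set used for all parts
SALT = "Kx7pQ2vL9mZ4r"          # constructed 13-character salt; secret and unique per deployment
TOKEN_LIFETIME = 2 * 60 * 60    # assumed token lifetime in seconds; the text fixes no value
GRACE_PERIOD = 10 * 60          # the 10 min redundancy the open platform grants on expiry

class TokenError(Exception):
    """Carries the status returned to the requester: illegal request, request expired, ..."""

def encode_time(epoch_seconds: int) -> str:
    """Second part: creation time as 8 zero-padded base-36 characters (assumed encoding)."""
    digits = ""
    while epoch_seconds:
        epoch_seconds, rem = divmod(epoch_seconds, 36)
        digits = ALPHABET[rem] + digits
    return digits.rjust(8, "0")

def check_value(first16: str, salt: str = SALT) -> str:
    """Third part: MD5 over the first 16 characters plus the salt, first 4 hex characters."""
    # MD5 as the text specifies; secret-salted it acts as a check digit (an HMAC is the usual choice)
    return hashlib.md5((first16 + salt).encode()).hexdigest()[:4].upper()

def make_token_id(created_at: int, random_part: str = "") -> str:
    """Authentication-platform side: build the identifier for a token created at created_at."""
    random_part = random_part or "".join(secrets.choice(ALPHABET) for _ in range(8))
    first16 = random_part + encode_time(created_at)
    return first16 + check_value(first16)

def verify_token_id(token_id: str, now: int) -> int:
    """Step 302, first half: structural check, then lifetime check. Returns the creation time."""
    if len(token_id) != 20 or any(c not in ALPHABET for c in token_id):
        raise TokenError("illegal request")
    first16, check_part = token_id[:16], token_id[16:]
    # constant-time compare so the 4-character check cannot be probed one character at a time
    if not hmac.compare_digest(check_value(first16), check_part):
        raise TokenError("illegal request")
    created_at = int(first16[8:16], 36)
    # 10 min redundancy: a token valid when the request was sent is still accepted just past expiry
    if now > created_at + TOKEN_LIFETIME + GRACE_PERIOD:
        raise TokenError("request expired")
    return created_at

def select_token(token_cache: dict, requester_id: str, token_id: str) -> bytes:
    """Step 302, second half: pick, from the requester's cached token set, the token the identifier names."""
    try:
        return token_cache[requester_id][token_id]
    except KeyError:
        # a miss is where the open platform would fetch the token set once from the
        # authentication platform; this example simply reports it
        raise TokenError("unknown token") from None

def sign_request(token: bytes, requester_id: str, token_id: str, body: bytes) -> str:
    """First token signature. The text does not fix the MAC; HMAC-SHA256 keyed by the token is assumed."""
    msg = b"|".join([requester_id.encode(), token_id.encode(), body])
    return hmac.new(token, msg, hashlib.sha256).hexdigest()

def authenticate(request: dict, token_cache: dict, now: int) -> str:
    """Steps 301-303 on the open platform; returns "forward" when the request may reach the service."""
    requester_id, token_id = request["requester_id"], request["token_id"]
    verify_token_id(token_id, now)
    token = select_token(token_cache, requester_id, token_id)
    expected = sign_request(token, requester_id, token_id, request["body"])
    if not hmac.compare_digest(expected.encode(), str(request["signature"]).encode()):
        raise TokenError("signature mismatch")
    return "forward"

def status_of(request: dict, token_cache: dict, now: int) -> str:
    """Same as authenticate() but reports the outcome as the status string instead of raising."""
    try:
        return authenticate(request, token_cache, now)
    except TokenError as exc:
        return str(exc)

if __name__ == "__main__":
    created = 1_590_710_400                                  # constructed: 2020-05-29 00:00 UTC
    tid = make_token_id(created, "5DAD5FA6")                 # random part from the text's example
    tok = secrets.token_bytes(32)                            # constructed token issued with tid
    cache = {"requester-a": {tid: tok}}                      # constructed cached token set
    body = b"GET /orders"
    req = {"requester_id": "requester-a", "token_id": tid, "body": body,
           "signature": sign_request(tok, "requester-a", tid, body)}
    print(tid, status_of(req, cache, created + 60))          # ... forward
    print(status_of(req, cache, created + TOKEN_LIFETIME + GRACE_PERIOD + 1))  # request expired
```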
Further, for the stage before the open platform receives the service access request, the present application provides an authorization procedure on the authentication platform, as shown in fig. 4.
As shown in fig. 4:
step 401, the authentication platform receives an authorization request sent by a service requester.
It should be noted that the authorization request includes a service requester identifier and an authorization signature; the authorization signature is generated from a key of the service requester.
Step 402, the authentication platform verifies the authorization signature according to the service requester identifier.
Step 403, when the verification passes and the authorization request has the access right, the authentication platform generates second token information for the authorization request and sends the second token information to the service requester.
It should be noted that the second token information includes a second token identifier and a second token.
In the embodiment of the application, during the authorization process the authentication platform generates second token information for the authorization request and sends it to the service requester. During the authentication process, the open platform receives first token information sent by the service requester. If the data was not tampered with on its way from the service requester, the first token information is identical to the second token information; if it was tampered with, the two differ.
In step 401, the authorization request sent by the service requester consists of the service requester identifier and the authorization signature, so the AppSecret assigned to the service requester by the authentication platform is never transmitted over the network, which avoids the risk of the AppSecret leaking on the public network. At the same time, because the authorization signature is generated with the AppSecret, the authentication platform can verify it, so security is improved along with the user experience.
In this embodiment, in step 403 the authentication platform determines whether the authorization request has the access right, that is, authorization control based on an ACL (access control list) is implemented.
Furthermore, authorization is performed by the authentication platform, while in normal operation the verification and authentication against the ACL are performed on the open platform.
It should be noted that in the prior art all ACL authentication of service access requests is performed through the authentication platform. This creates a strong dependence on the authentication platform and makes the services it provides heavy, so the quality of the ACL service provided by the authentication platform affects the quality of the entire authentication service; moreover, if the authentication platform is unavailable, every request requiring ACL authentication is unavailable with it.
In the embodiment of the application, the open platform first obtains the ACL access control list corresponding to the service requester identifier from the authentication platform and caches it locally. If the list is not cached locally, the WOPNG-SDK automatically pulls it once from the authentication platform, and authentication is then performed directly against the locally present ACL table, so that illegal requests are intercepted effectively.
Further, the authentication platform sends the second token information to the open platform; or
the authentication platform sends the second token information to the open platform in response to an acquisition request sent by the open platform, where the open platform sends the acquisition request after receiving the service access request.
In the embodiment of the application, with distributed deployment in mind, the open platform may run on several nodes; if the corresponding token is not found in the current node's cache, the open platform fetches it once from the authentication platform and caches the token it obtains.
In the embodiment of the application, before verifying the first token identifier, the open platform determines whether the service access request is to be verified by the open platform itself; otherwise, the open platform forwards the service access request to the authentication platform, which then determines whether the service access request passes verification.
It can be seen from the above that, because in the prior art all signature verification for the access channel is performed through the authentication platform, signature verification depends strongly on the authentication platform and the services it provides become heavy. In the embodiment of the application, both the open platform and the authentication platform have the signature verification function, and under normal conditions all signature verification is completed by the open platform, which reduces the load of authentication requests on the authentication platform.
Further, the authentication platform receives a service access request forwarded by the open platform;
after verifying the second token identification in the service access request, the authentication platform determines a second token corresponding to the second token identification;
and after the authentication platform passes the verification of the second token signature and the second token in the service access request, the service access request is sent to the corresponding service system.
It can be seen from the above that the embodiment of the present application also supports degraded switchover: if the open platform has a problem and cannot provide the relevant authentication service, it forwards the service access request to the authentication platform, and the authentication platform completes the authentication.
In the embodiment of the application, every service access request that needs signature verification carries a first token identifier, so the open platform knows which cached token the signature was computed with; if the signatures on the two sides disagree, the first token identifier that was used can be determined immediately, which simplifies analysing and resolving the problem. In the prior art, signatures are computed with the latest token, and in production it regularly happens that a user's service access request arrives signed with an old token, which makes analysing and locating the problem complex and difficult. The first token identifier effectively reduces the difficulty of troubleshooting.
According to the scheme, the open platform drops the step of obtaining an authorization code. The service requester no longer needs to first obtain an authorization code and cache it locally. Instead, the user obtains a token directly by computing a signature from the AppID and AppSecret applied for from the open platform, and after obtaining the token the service requester carries the first token identifier in subsequent requests to carry out the subsequent service processing flow. If authentication fails or other problems occur, the first token used to compute the signature can be determined from the first token identifier. At the same time, the AppSecret distributed to the service requester by the open platform is never transmitted over the network, so the risk of the AppSecret leaking on the public network is avoided. Security is improved together with the user experience.
Based on the same inventive concept, fig. 5 exemplarily illustrates an open platform authentication apparatus according to an embodiment of the present invention, which may execute the flow of the open platform authentication method.
The apparatus comprises:
an obtaining module 501, configured to receive a service access request sent by a service requester, where the service access request carries first token information, and the first token information includes a first token identifier and a first token signature;
a processing module 502, configured to determine, after the first token identifier is verified, a first token corresponding to the first token identifier in an authentication platform; the first token is a token corresponding to the first token identification issued after the authentication platform verifies an authorization request sent by a service requester;
the processing module 502 is further configured to send the service access request to a corresponding service system after the first token signature and the first token are verified.
Optionally, the processing module 502 is specifically configured to:
generating a first check value according to the first part of the first token identifier and the second part of the first token identifier;
and when the current time is consistent with the effective time indicated by the second part of the first token identifier and the first check value is consistent with the third part of the first token identifier, determining that the first token identifier passes the verification.
Optionally, the processing module 502 is specifically configured to:
determining a token set corresponding to the service requester identifier according to the service requester identifier;
determining a first token corresponding to the first token identification from the token set according to the first token identification;
verifying the first token signature with the first token, comprising:
and according to the service requester identifier, verifying the signature over the first token to obtain a first hash value, and determining whether a second hash value corresponding to the first token is consistent with the first hash value.
Optionally, the processing module 502 is further configured to:
before the first token identification is verified, determining that the service access request is verified by the open platform; otherwise, forwarding the service access request to the authentication platform; the authentication platform is used for determining whether the service access request is verified.
Based on the same inventive concept, fig. 6 exemplarily illustrates an open platform authentication apparatus provided in an embodiment of the present invention, which may execute the flow of the open platform authentication method. The apparatus comprises:
An obtaining module 601, configured to receive an authorization request sent by a service requester, where the authorization request includes a service requester identifier and an authorization signature; the authorization signature is generated according to a secret key of the service requester;
a processing module 602, configured to verify the authorization signature according to the service requester identifier;
the processing module 602 is further configured to generate second token information of the authorization request and send the second token information to the service requester when the authorization request passes the verification and has the access right; the second token information includes a second token identification and a second token.
Optionally, the processing module 602 is further configured to:
after the second token information is sent to the service requester, sending the second token information to an open platform; or
Sending the second token information to the open platform based on the acquisition request sent by the open platform; the acquisition request is sent by the open platform after receiving the service access request.
Optionally, the processing module 602 is further configured to:
receiving a service access request forwarded by an open platform;
after a second token identifier in a service access request is verified, a second token corresponding to the second token identifier is determined;
and after the second token signature in the service access request and the second token pass verification, sending the service access request to a corresponding service system.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (11)

1. An authentication method for an open platform, comprising:
the method comprises the steps that an open platform receives a service access request sent by a service requester, wherein the service access request carries first token information, and the first token information comprises a first token identifier and a first token signature;
after the open platform verifies that the first token identification passes the verification, determining a first token corresponding to the first token identification in an authentication platform; the first token is a token corresponding to the first token identification issued after the authentication platform verifies an authorization request sent by a service requester;
and after the first token signature and the first token verification are passed, the open platform sends the service access request to a corresponding service system.
2. The method of claim 1, wherein the verifying of the first token identifier comprises:
the open platform generates a first check value according to the first part of the first token identifier and the second part of the first token identifier;
and when the current time is consistent with the effective time indicated by the second part of the first token identifier and the first check value is consistent with the third part of the first token identifier, determining that the first token identifier passes the verification.
3. The method of claim 1, wherein the service access request includes a service requester identifier, and wherein the determining, in an authentication platform, of the first token corresponding to the first token identifier comprises:
determining a token set corresponding to the service requester identifier according to the service requester identifier;
determining a first token corresponding to the first token identification from the token set according to the first token identification;
the open platform verifies the first token signature and the first token, including:
and the open platform verifies the signature over the first token according to the service requester identifier to obtain a first hash value, and determines whether a second hash value corresponding to the first token is consistent with the first hash value.
4. The method of any of claims 1 to 3, wherein prior to the open platform verifying the first token identification, the method further comprises:
the open platform determines that the service access request is verified by the open platform; otherwise, the open platform forwards the service access request to the authentication platform; the authentication platform is used for determining whether the service access request is verified.
5. An authentication method for an open platform, comprising:
the authentication platform receives an authorization request sent by a service requester, wherein the authorization request comprises a service requester identifier and an authorization signature; the authorization signature is generated according to a secret key of the service requester;
the authentication platform verifies the authorization signature according to the service requester identifier;
when the authentication platform passes the verification and the authorization request has the access right, generating second token information of the authorization request, and sending the second token information to the service requester; the second token information includes a second token identification and a second token.
6. The method of claim 5, wherein after said sending the second token information to the service requestor, the method further comprises:
the authentication platform sends the second token information to an open platform; or
The authentication platform sends the second token information to the open platform based on the acquisition request sent by the open platform; the acquisition request is sent by the open platform after receiving the service access request.
7. The method of claim 5 or 6, further comprising:
the authentication platform receives a service access request forwarded by the open platform;
after verifying a second token identifier in a service access request, the authentication platform determines a second token corresponding to the second token identifier;
and after the authentication platform passes the verification of the second token signature and the second token in the service access request, sending the service access request to a corresponding service system.
8. An open platform authentication apparatus, comprising:
an acquisition module, configured to receive a service access request sent by a service requester, wherein the service access request carries first token information, and the first token information comprises a first token identifier and a first token signature;
the processing module is used for determining a first token corresponding to the first token identifier in the authentication platform after the first token identifier is verified; the first token is a token corresponding to the first token identification issued after the authentication platform verifies an authorization request sent by a service requester;
and the processing module is further configured to send the service access request to a corresponding service system after the first token signature and the first token are verified.
9. An open platform authentication apparatus, comprising:
an acquisition module, configured to receive an authorization request sent by a service requester, wherein the authorization request comprises a service requester identifier and an authorization signature; the authorization signature is generated according to a secret key of the service requester;
the processing module is used for verifying the authorization signature according to the service requester identifier;
the processing module is further used for generating second token information of the authorization request and sending the second token information to the service requester when the authorization request passes the verification and has the access right; the second token information includes a second token identification and a second token.
10. A computing device, comprising:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory to perform the method of any one of claims 1 to 4 or 5 to 7 in accordance with the obtained program.
11. A computer readable non-transitory storage medium including computer readable instructions which, when read and executed by a computer, cause the computer to perform the method of any one of claims 1 to 4 or 5 to 7.
CN202010473036.7A 2020-05-29 2020-05-29 Authentication method and device for open platform Pending CN111639327A (en)

Publications (1)

Publication Number Publication Date
CN111639327A true CN111639327A (en) 2020-09-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination