CN111698312A - Service processing method, device, equipment and storage medium based on open platform - Google Patents


Info

Publication number
CN111698312A
Authority
CN
China
Prior art keywords
user information
service request
processed
service
client
Prior art date
Legal status
Granted
Application number
CN202010514445.7A
Other languages
Chinese (zh)
Other versions
CN111698312B (en)
Inventor
吴一凡
黄志敏
赵炎
杨洋
周军
李承文
彭云
Current Assignee
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
CCB Finetech Co Ltd
Priority date
Filing date
Publication date
Application filed by China Construction Bank Corp and CCB Finetech Co Ltd
Priority to CN202010514445.7A
Publication of CN111698312A
Application granted
Publication of CN111698312B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Abstract

The embodiments of the invention disclose a service processing method, apparatus, device and storage medium based on an open platform. The method comprises: acquiring a service request to be processed and a communication token; determining, from the communication token, the user information associated with it, where the user information was cached in advance when the user who sent the service request was authenticated; and sending the service request to be processed together with the user information to a service component, so that the service component can process the request directly according to that user information. The embodiments reduce the degree of coupling between the open platform and the service component and improve the security of the open platform.

Description

Service processing method, device, equipment and storage medium based on open platform
Technical Field
The embodiments of the invention relate to the field of internet technology, and in particular to a service processing method, apparatus, device and storage medium based on an open platform.
Background
An open API is a common offering of service websites: the website operator encapsulates its services as a series of APIs (Application Programming Interfaces) and opens them to third-party merchants. The opened APIs are called OpenAPIs, and the platform that provides them is called an open platform. A user triggers an OpenAPI request through a presentation layer provided by a third-party merchant, such as an HTML5 (HyperText Markup Language 5) page, an APP (mobile application) or an applet, and the open platform forwards the request to the corresponding service component for service processing.
However, each time the service component processes a service request of the user, it must obtain the user's identity information through the open platform once more for interactive authentication. The coupling between the open platform and the service component is therefore high, and calls through the open platform carry potential security risks.
Disclosure of Invention
Embodiments of the present invention provide a service processing method, apparatus, device and storage medium based on an open platform, in order to reduce the coupling between the open platform and a service component and improve the security of the open platform.
In a first aspect, an embodiment of the present invention provides a service processing method based on an open platform, including:
acquiring a service request to be processed and a communication token;
determining user information associated with the communication token according to the communication token, where the user information was cached in advance when identity authentication was performed on the user sending the service request to be processed;
and sending the service request to be processed and the user information to a service component so that the service component can directly process the service request to be processed according to the user information.
Optionally, before acquiring the service request to be processed and the communication token, the method further includes:
performing authentication according to the service request to be processed and the user information submitted by the user through a client.
Optionally, the method further includes:
acquiring a service request encryption message, where the service request encryption message is content encrypted by the client with a platform public key published by the open platform, and the encrypted content at least comprises: user information submitted by the user through the client, a communication encryption key, and client identity information;
correspondingly, performing authentication according to the service request to be processed and the user information submitted by the user through the client comprises:
decrypting the service request encryption message with the platform private key to obtain the user information submitted by the user through the client, the communication encryption key and the client identity information;
verifying the client identity information to determine the client's authority to call the open platform;
if the client has that authority, caching the communication encryption key and the user information, and sending a communication token, where the communication token is associated with both the communication encryption key and the user information.
Optionally, the service request to be processed is produced by the client by encrypting it with the communication encryption key;
correspondingly, determining the user information associated with the communication token according to the communication token comprises:
determining the communication encryption key associated with the communication token according to the communication token, and decrypting the service request to be processed with that key to obtain the decrypted service request, so that a service component can process the decrypted request;
and, if the communication token is valid, determining the user information associated with the communication token according to the communication token.
Optionally, the user information is sent to the service component so that the service component performs authentication according to the user information and, if the authentication passes, processes the service request to be processed directly.
In a second aspect, an embodiment of the present invention further provides an open platform-based service processing apparatus, including:
the service information acquisition module is used for acquiring a service request to be processed and a communication token;
a user information determining module, configured to determine user information associated with the communication token according to the communication token, where the user information was cached in advance when identity authentication was performed on the user sending the service request to be processed;
and an information sending module, configured to send the service request to be processed and the user information to a service component, so that the service component can process the service request to be processed directly according to the user information.
Optionally, the apparatus further comprises:
an authentication module, configured to perform authentication according to the service request to be processed and the user information submitted by the user through the client.
Optionally, the apparatus further comprises:
an encrypted message obtaining module, configured to obtain a service request encryption message, where the service request encryption message is content encrypted by the client with a platform public key published by the open platform, and the encrypted content at least includes: user information submitted by the user through the client, a communication encryption key, and client identity information;
correspondingly, the authentication module is specifically configured to:
decrypt the service request encryption message with the platform private key to obtain the user information submitted by the user through the client, the communication encryption key and the client identity information;
verify the client identity information to determine the client's authority to call the open platform;
if the client has that authority, cache the communication encryption key and the user information and send a communication token, where the communication token is associated with both the communication encryption key and the user information.
Optionally, the service request to be processed is produced by the client by encrypting it with the communication encryption key;
correspondingly, the user information determining module is specifically configured to:
determine the communication encryption key associated with the communication token according to the communication token, and decrypt the service request to be processed with that key to obtain the decrypted service request, so that a service component can process the decrypted request;
and, if the communication token is valid, determine the user information associated with the communication token according to the communication token.
Optionally, the user information is sent to the service component so that the service component performs authentication according to the user information and, if the authentication passes, processes the service request to be processed directly.
In a third aspect, an embodiment of the present invention further provides an apparatus, including:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the open platform based service processing method according to any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for service processing based on an open platform according to any embodiment of the present invention.
The embodiment of the invention determines the pre-cached user information associated with the service request to be processed based on the acquired communication token, and sends the user information and the service request to be processed to the service component together. When the service component processes the service request to be processed, interactive authentication with the open platform is not needed, and the service component directly processes the service request to be processed according to the user information, so that the coupling degree between the open platform and the service component is reduced, and the safety of the open platform is improved.
Drawings
Fig. 1 is a flowchart of an open platform-based service processing method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of an open platform-based service processing method according to a second embodiment of the present invention;
Fig. 3A is a line diagram of an open platform-based service processing method according to a third embodiment of the present invention;
Fig. 3B is a usage scenario diagram of the service processing method based on the open platform in the third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an open platform-based service processing apparatus according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an apparatus in the fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a service processing method based on an open platform in an embodiment of the present invention, applicable to the case where a user performs service logic processing through the open platform. The method can be executed by an open platform-based service processing apparatus, which can be implemented in software and/or hardware and configured in a device with communication and computing capabilities, such as a back-end server. Specifically, in this embodiment the computing device that executes the solution may be the open platform corresponding to the client used by the user. As shown in Fig. 1, the method includes:
Step 101: obtaining a service request to be processed and a communication token.
The service request to be processed is determined by the specific service operation the user performs through the client. Clients are provided by third-party merchants in forms such as HTML5, APP or applet; the third-party merchants are the callers of the open platform's OpenAPI, and the users are the third-party merchants' customers. The user performs the relevant service operations through the client. The communication token is the credential that licenses the user to perform the service operation, and it is issued by the open platform according to the specific service operation content of the user.
Specifically, the open platform acquires the user's service request to be processed and determines the communication token according to the service operation content the user submitted through the client. For example, the communication token may be determined according to whether the client is eligible to call the open platform's OpenAPI and whether the user's identity information is complete.
In this embodiment, optionally, before step 101, the method further includes:
performing authentication according to the service request to be processed and the user information submitted by the user through a client.
Before the open platform processes a service request submitted by a user, it must judge whether this is the user's first service operation; if so, a first identity authentication request is triggered automatically before the service request is processed.
During identity authentication, whether the user's identity information is correct is determined from the user information the user submitted through the client, and whether the client is qualified to call OpenAPI is determined from the identity authentication result of the client from which the service request to be processed originates. Optionally, the user information is cached during authentication so that it can be retrieved directly when subsequent service requests are processed.
Step 102: determining user information associated with the communication token according to the communication token, where the user information was cached in advance when identity authentication was performed on the user sending the service request to be processed.
The user information is cached in a corresponding memory area when the user is authenticated at the first service request. When the open platform issues a communication token for the user's service request according to the authentication result, it establishes an association between the communication token and the user information stored in memory, so that the associated user information can later be looked up in that memory area by communication token.
Specifically, the associated user information is looked up, according to the communication token the open platform issued for the user's service request, in the memory area that stores user information; the user information is the identity information of the user who sent the service request. Illustratively, the user information is the identity information the user entered in the client presentation interface, such as the three elements: name, identification card number and mobile phone number.
Once the user information has been cached, the user information associated with the communication token can be fetched directly from the cache for as long as the token is valid, which improves the reuse of the user information.
Step 103: sending the service request to be processed and the user information to a service component, so that the service component can process the service request to be processed directly according to the user information.
The service component is the part that performs service logic processing on the service request. The open platform splices the service request to be processed together with the user information and sends the combined request to the service component, which can then carry out the relevant service logic directly on the received information without any further interaction with the open platform.
In this embodiment, optionally, the user information is sent to the service component so that the service component performs authentication according to the user information and, if the authentication passes, processes the service request to be processed directly.
In the prior art, the open platform sends only the service request to be processed to the service component, which must then perform interactive authentication with the open platform to authenticate the user information and obtain an authentication result. In the embodiment of the invention, the interaction between the open platform and the service component involves only request forwarding, not interactive authentication: the user's identity is authenticated a second time on the basis of the service request, and the request is then processed by the service component.
After receiving a service request to be processed with the user information spliced on, the service component performs secondary authentication of the user according to that user information to ensure security, processes the corresponding service logic at the same time, and returns the response to the open platform. Information exchange between the service component and the open platform is thus limited to sending the request and the response, which greatly reduces the coupling.
The embodiment of the invention thus achieves low coupling between the open platform and the back-end service component: the user identity information is cached at the first request, spliced onto subsequent requests and passed to the service component, and the service component performs the corresponding user identity authentication itself instead of interactive authentication with the open platform, which ensures the security of direct OpenAPI calls from the client side.
The embodiment of the invention determines the pre-cached user information associated with the service request to be processed based on the acquired communication token, and sends the user information and the service request to be processed to the service component together. When the service component processes the service request to be processed, interactive authentication with the open platform is not needed, and the service component directly processes the service request to be processed according to the user information, so that the coupling degree between the open platform and the service component is reduced, and the safety of the open platform is improved.
Example two
Fig. 2 is a flowchart of the open platform-based service processing method in the second embodiment of the present invention, which further optimises the method of the first embodiment. As shown in Fig. 2, the method includes:
Step 201: obtaining a service request encryption message, where the service request encryption message is content encrypted by the client with a platform public key published by the open platform, and the encrypted content at least includes: user information submitted by the user through the client, a communication encryption key, and client identity information.
The service request encryption message is the user's service request information sent directly to the open platform by the client. To ensure the security of transmission, the information the user submits through the client is encrypted, and the encrypted content is sent to the open platform for processing.
Specifically, the client determines the user information submitted by the user, which at least comprises the user's identity information. The communication encryption key is provided by the client, and information returned to the client by the open platform must be encrypted with it to ensure the security of transmission. The client identity information allows the open platform to determine the client's access rights. Illustratively, after a third-party merchant registers on the open platform, the open platform issues a corresponding authorisation ID for each client that calls the OpenAPI it provides; the third-party merchant uploads a public key and keeps the private key locally for secure communication, signing the communication content with that private key so that the open API trusts only that third-party merchant. The client identity information may be this authorisation ID, from which the open platform can determine whether the client is qualified to call the corresponding OpenAPI.
Step 202: decrypting the service request encryption message with the platform private key to obtain the user information submitted by the user through the client, the communication encryption key and the client identity information.
The open platform decrypts the service request encryption message with the platform private key corresponding to the platform public key, obtaining the user information, the communication encryption key and the client identity information it contains.
Step 203: verifying the client identity information to determine the client's authority to call the open platform.
The platform authentication component of the open platform checks, from the client identity information, whether the client has authority to call the OpenAPI; if so, the communication encryption key is cached, otherwise failure information is returned. The client's authority to call the open platform is determined in advance.
Step 204: if the client has the authority, caching the communication encryption key and the user information and sending a communication token, where the communication token is associated with both the communication encryption key and the user information.
If the open platform determines that the client has access rights, it caches the communication encryption key and the user information. Illustratively, a client information component of the open platform caches the user information in an in-memory data structure server and returns whether caching succeeded or failed. If it succeeded, a communication token with a limited validity period is issued for the client identity information; subsequent requests can carry this token, and the client's calling authority and the user's identity are authenticated on that basis. If it failed, the failure details are returned.
Step 205: acquiring the service request to be processed and the communication token.
If the user information was cached successfully in the preceding steps, the service processing request is triggered automatically.
In this embodiment, optionally, the service request to be processed is produced by the client by encrypting it with the communication encryption key.
The service request to be processed that the client sends to the open platform is encrypted with the communication encryption key; after receiving it, the open platform decrypts it with the communication encryption key cached during authentication, which ensures the security of the service request in transit.
Step 206: determining user information associated with the communication token according to the communication token, where the user information was cached in advance when identity authentication was performed on the user sending the service request to be processed.
In this embodiment, optionally, step 206 includes:
determining the communication encryption key associated with the communication token according to the communication token, and decrypting the service request to be processed with that key to obtain the decrypted service request, so that a service component can process the decrypted request;
and, if the communication token is valid, determining the user information associated with the communication token according to the communication token.
The communication encryption key is sent by the client and cached on the open platform when authentication succeeds, so encrypting and decrypting the service request to be processed with that key improves the security and privacy of request transmission. The corresponding cached user information is then looked up by communication token.
Step 207: sending the service request to be processed and the user information to a service component, so that the service component can process the service request to be processed directly according to the user information.
The embodiment of the invention determines the pre-cached user information associated with the service request to be processed based on the acquired communication token, and sends the user information and the service request to be processed to the service component together. When the service component processes the service request to be processed, interactive authentication with the open platform is not needed, and the service component directly processes the service request to be processed according to the user information, so that the coupling degree between the open platform and the service component is reduced, and the safety of the open platform is improved.
EXAMPLE III
Fig. 3A is a line diagram of a service processing method based on an open platform in a third embodiment of the present invention, which is applicable to a case where a user performs service logic processing through the open platform. Fig. 3B is a usage scenario diagram of the service processing method based on the open platform, as shown in fig. 3B:
the method comprises the steps that a user triggers an OpenAPI request through a presentation layer provided by a client, such as an HTML5, APP or an applet, and the like, the request passes through an OpenAPI gateway, a platform authentication component and a client information component in an open platform, and finally the service request is forwarded to a corresponding service component through the open platform, wherein the open platform is low in coupling degree with the corresponding service component and only relates to request response forwarding.
As shown in Fig. 3A, when the user makes the first service request, an authentication request is triggered automatically. The specific process is as follows:
401: when the user opens a presentation-layer page of the client for the first time and initiates a service request, a first identity verification request is triggered automatically before the service request itself.
402: the presentation layer obtains the user identity information from the APP or from a higher-level presentation layer, or asks the user to enter it, for example the three identity elements: name, identity card number and mobile phone number. It then uses the open platform's public key to encrypt a request P1 containing at least the user identity information U, a communication symmetric encryption key and the information m used for APP ID authentication, and sends P1 to the OpenAPI gateway of the open platform.
403: the OpenAPI gateway receives P1, decrypts it with the open platform's private key to obtain U, the communication symmetric encryption key and m, and forwards the decrypted request message to the platform authentication component.
404: the platform authentication component checks, from the APP ID authentication information m, whether the APP ID is authorised to call the OpenAPI. If it is, the component caches the communication symmetric encryption key and forwards the request message on to the client information component; otherwise it returns failure information to the OpenAPI gateway.
405: the client information component caches the user identity information U in an in-memory data structure server.
406: the client information component returns the cache result (success or failure) to the platform authentication component.
407: if the cache result received by the platform authentication component is success, it issues a time-limited communication token for the APP ID; subsequent service requests carry this token, which attests both the APP's calling authority and the user's identity. If the result is failure, failure details are returned.
408: the OpenAPI gateway encrypts the returned result with the communication symmetric encryption key and returns it to the presentation layer. The presentation layer decrypts the result; if the status is success it triggers the second request, which is the actual service request submitted by the user; if the status is failure, it prompts that authentication has failed.
The second request is handled as follows. Because the first service request submitted by the user automatically triggers the authentication request, the second request, triggered once authentication has passed, is the real service request that the user submitted.
409: the second request is triggered automatically, invoking the real service request of the user's operation; the request is encrypted with the communication symmetric encryption key and carries the communication token.
410: the OpenAPI gateway calls the platform authentication component to obtain the communication symmetric encryption key corresponding to the communication token, decrypts the request message with it, and forwards the decrypted request to the platform authentication component.
411: the platform authentication component verifies the APP ID's authority according to the communication token and forwards the original service request to the client information component.
412: the client information component queries the data structure server for the user identity information U associated with the communication token, parses the original request message M, and splices U onto it to obtain a new request message M' = M + U.
413: the client information component forwards the new request message M' to the service component designated by the OpenAPI gateway.
414: the service component performs secondary authentication of the user according to the user identity information U passed by the client information component, to ensure security, and then processes the corresponding service logic.
415: the service component returns the service request response to the OpenAPI gateway.
416: the OpenAPI gateway encrypts the response message with the communication symmetric encryption key and returns it to the presentation layer.
417: the presentation layer decrypts the response message with the communication symmetric encryption key and renders the result with the corresponding page interaction logic.
This completes the processing of the user's first service request. Within the validity period of the communication token the user can continue to trigger further service requests, whose request and response flows are the same as steps 409 to 417; after the communication token expires, the identity authentication process is executed again from step 401.
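The flow of steps 401 to 417 above, and the modules of the fourth embodiment that mirror it (service information obtaining, user information determining, information sending), as an added stand-alone Python model; this is not code from the patent. It assumes that the platform private key has already opened P1 (step 403), so P1 reaches the platform as a dict; that the unspecified symmetric cipher can be stood in for by an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC); and that the APP ID registry, the customer table and the identity U are constructed sample data. The platform authentication component and the client information component are modelled as two caches inside one class.

```python
"""Added model of steps 401-417; not code from the patent.  Assumptions: the
platform private key has already opened P1 (step 403), so P1 arrives as a dict;
the symmetric cipher is a stand-in (HMAC-SHA256 keystream plus HMAC tag,
encrypt-then-MAC) for the unspecified cipher; APP IDs, customers and U are
constructed sample data."""
import hashlib, hmac, json, secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag using separate encryption and MAC subkeys."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext rejected: bad tag")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

APP_REGISTRY = {"app-demo": True}  # constructed: APP IDs allowed to call the OpenAPI
CUSTOMERS = {"110101199001011234": {"name": "Zhang San", "balance": 1500}}  # constructed

class OpenPlatform:
    """OpenAPI gateway + platform authentication component + client information component."""
    def __init__(self, clock, ttl=300):
        self.clock, self.ttl = clock, ttl
        self.sessions = {}    # token -> {app_id, key, expires}  (platform authentication component)
        self.identities = {}  # token -> U                       (client information component)

    def authenticate(self, p1: dict) -> dict:
        """Steps 404-408; P1 = {U, k, m} as produced by the gateway's private-key decryption."""
        app_id = p1["m"]["app_id"]
        if not APP_REGISTRY.get(app_id):
            return {"ok": False, "error": "APP ID has no OpenAPI authority"}
        token = secrets.token_urlsafe(32)  # time-limited token bound to the key and to U
        self.sessions[token] = {"app_id": app_id, "key": p1["k"], "expires": self.clock() + self.ttl}
        self.identities[token] = p1["U"]
        reply = json.dumps({"token": token}).encode()
        return {"ok": True, "reply": sym_encrypt(p1["k"], reply)}  # step 408

    def service_call(self, token: str, blob: bytes, services: dict) -> dict:
        """Steps 410-416 for one service request."""
        sess = self.sessions.get(token)
        if sess is None or sess["expires"] <= self.clock():
            self.sessions.pop(token, None); self.identities.pop(token, None)
            return {"ok": False, "error": "token invalid or expired"}  # client restarts at 401
        m = json.loads(sym_decrypt(sess["key"], blob))  # step 410
        m_prime = dict(m)
        m_prime["U"] = self.identities[token]  # step 412, M' = M + U: platform U overwrites any client-supplied U
        resp = services[m_prime["service"]](m_prime)  # steps 413-415
        return {"ok": True, "reply": sym_encrypt(sess["key"], json.dumps(resp).encode())}

def balance_service(m_prime: dict) -> dict:
    """Step 414: a service component's secondary check of the spliced identity U."""
    u = m_prime["U"]
    cust = CUSTOMERS.get(u.get("id_number"))
    if cust is None or cust["name"] != u.get("name"):
        return {"ok": False, "error": "secondary authentication failed"}
    return {"ok": True, "balance": cust["balance"]}

class Client:
    def __init__(self, app_id: str, identity: dict):
        self.app_id, self.identity = app_id, identity
        self.key, self.token = secrets.token_bytes(32), None  # fresh symmetric key per authentication

    def call(self, platform: OpenPlatform, request: dict) -> dict:
        if self.token is None:  # step 401: the first request triggers authentication
            r = platform.authenticate({"U": self.identity, "k": self.key, "m": {"app_id": self.app_id}})
            if not r["ok"]:
                return r
            self.token = json.loads(sym_decrypt(self.key, r["reply"]))["token"]
        blob = sym_encrypt(self.key, json.dumps(request).encode())  # step 409
        r = platform.service_call(self.token, blob, {"balance": balance_service})
        if not r["ok"]:
            self.token = None  # expired: the next call re-runs 401-408
            return r
        return json.loads(sym_decrypt(self.key, r["reply"]))  # step 417

def run_demo(clock: list):
    """Drive one client through the flow; clock[0] is a fake timestamp the caller can advance."""
    platform = OpenPlatform(clock=lambda: clock[0], ttl=300)
    user = {"name": "Zhang San", "id_number": "110101199001011234", "phone": "13800000000"}
    c = Client("app-demo", user)
    first = c.call(platform, {"service": "balance", "U": {"name": "Mallory", "id_number": "0"}})
    token1 = c.token
    second = c.call(platform, {"service": "balance"})  # token reused, steps 409-417 only
    clock[0] += 301                                     # token lapses
    third = c.call(platform, {"service": "balance"})   # rejected, token cleared
    fourth = c.call(platform, {"service": "balance"})  # re-authenticates with a fresh token
    return first, second, third, fourth, token1 != c.token
```

Two points the model makes visible: the "U" field a client smuggles into its own request is discarded, because step 412 assigns the cached U rather than merging it; and an expired token is purged together with its cached key and identity, so the only way forward is a new P1 under the platform public key.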
In the embodiment of the invention the client information component splices the user identity information into the service request message, so a third-party merchant can call the OpenAPI directly from the front end (an HTML page, an APP, a mini-program and so on) without re-packaging the corresponding OpenAPI services, which lowers the merchant's development cost; and the open platform needs no interactive authentication exchange with the third-party merchant, which lowers development cost further. Calling the OpenAPI directly from the presentation layer is thus achieved. Because the open platform and the service component are loosely coupled, the number of signature verifications is reduced, the coupling between the service component and the platform components is reduced, more of the real service logic is handed to the service component, the responsibilities of each component are clearly divided, and service processing efficiency improves.
The patent thus provides a customer information security mechanism: once the OpenAPI has authorised a third-party merchant, the open platform can, while preserving security, directly provide the user with a page that packages authentication logic, service logic and interaction logic together, which reduces the third-party merchant's development cost and makes the open platform's services easier to promote.
Example four
Fig. 4 is a schematic structural diagram of a service processing apparatus based on an open platform in a fourth embodiment of the present invention, which is applicable to a case where a user performs service logic processing through the open platform. As shown in fig. 4, the apparatus includes:
a service information obtaining module 410, configured to obtain a service request to be processed and a communication token;
a user information determining module 420, configured to determine, according to the communication token, user information associated with the communication token; the user information is cached in advance when the identity authentication is carried out on a user sending a service request to be processed;
an information sending module 430, configured to send the service request to be processed and the user information to a service component, so that the service component directly processes the service request to be processed according to the user information.
The embodiment of the invention determines, from the acquired communication token, the pre-cached user information associated with the service request to be processed, and sends the user information together with the service request to the service component. When the service component processes the request it needs no interactive authentication with the open platform; it processes the request directly according to the user information, so the coupling between the open platform and the service component is reduced and the security of the open platform is improved.
Optionally, the apparatus further comprises:
and the authentication module is used for authenticating according to the service request to be processed and the user information submitted by the user through the client.
Optionally, the apparatus further comprises:
an encrypted message obtaining module, configured to obtain a service request encrypted message, where the service request encrypted message is a content encrypted by a platform public key disclosed by an open platform at a client, and the encrypted content at least includes: user information, a communication encryption key and client identity information which are submitted by a user through a client;
correspondingly, the authentication module is specifically configured to:
decrypting the service request encryption message by using a platform private key to obtain user information, a communication encryption key and client identity information submitted by a user through a client;
verifying the identity information of the client to determine the calling authority of the client to the open platform;
if the client has the authority, caching the communication encryption key and the user information, and issuing a communication token; wherein the communication token is associated with the communication encryption key and the user information.
Optionally, the service request to be processed is obtained by the client encrypting it with the communication encryption key;
correspondingly, the user information determining module is specifically configured to:
determining a communication encryption key associated with the communication token according to the communication token, and decrypting the to-be-processed service request by using the communication encryption key to obtain a decrypted to-be-processed service request so that a service component can process the decrypted to-be-processed service request;
and if the communication token is valid, determining user information associated with the communication token according to the communication token.
Optionally, the user information is sent to a service component so that the service component performs authentication according to the user information, and if the authentication passes, the service request to be processed is directly processed.
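The service-component-side authentication described just above (and in step 414 of the third embodiment) receives U from an upstream component rather than from the user, so what it can check is whether U arrived via the platform and whether the request is consistent with U. The following added Python example, which is not code from the patent, shows one way to do that. Its assumptions are not stated by the patent: that the client information component attaches an HMAC over M' under a key it shares with the service component (SHARED_KEY), so that U is only accepted when it came through the platform path, and that the service component keeps its own account registry (ACCOUNTS) to confirm that the account named in the request belongs to U. Keys, registry and messages are constructed.

```python
"""Added example, not code from the patent: a service component's step-414
"secondary authentication" of the spliced identity U.  Assumptions (none of
them stated by the patent): the client information component attaches an HMAC
over M' under a key shared with the service component, so U is accepted only
when it arrived via the platform; the service component keeps its own account
registry to check that the account named in the request belongs to U."""
import hashlib, hmac, json

SHARED_KEY = b"constructed key shared by client information component and service"
ACCOUNTS = {"6222000000000001": {"owner_id": "110101199001011234", "balance": 1500}}  # constructed
REQUIRED_U = ("name", "id_number", "phone")  # the three identity elements of step 402

def canonical(m_prime: dict) -> bytes:
    """Deterministic encoding so both sides MAC the same bytes."""
    return json.dumps(m_prime, sort_keys=True, separators=(",", ":")).encode()

def platform_sign(m_prime: dict) -> dict:
    """What the client information component would do right after forming M' = M + U (assumed)."""
    tag = hmac.new(SHARED_KEY, canonical(m_prime), hashlib.sha256).hexdigest()
    return {"msg": m_prime, "sig": tag}

def service_handle(envelope: dict) -> dict:
    """Accept U only from the platform path, then check the request is consistent with U."""
    msg = envelope.get("msg", {})
    expect = hmac.new(SHARED_KEY, canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(str(envelope.get("sig", "")), expect):
        return {"ok": False, "error": "M' not authenticated by the open platform"}
    u = msg.get("U") or {}
    if any(not u.get(k) for k in REQUIRED_U):
        return {"ok": False, "error": "identity U incomplete"}
    acct = ACCOUNTS.get(msg.get("account"))
    if acct is None or acct["owner_id"] != u["id_number"]:
        return {"ok": False, "error": "account does not belong to the authenticated user"}
    if msg.get("service") == "balance":
        return {"ok": True, "balance": acct["balance"]}
    return {"ok": False, "error": "unknown service"}

def demo() -> tuple:
    u = {"name": "Zhang San", "id_number": "110101199001011234", "phone": "13800000000"}
    good = platform_sign({"service": "balance", "account": "6222000000000001", "U": u})
    ok = service_handle(good)
    # a caller reaching the service component directly and forging U without the platform key
    forged = {"msg": dict(good["msg"], U=dict(u, id_number="000000000000000000")), "sig": good["sig"]}
    forged_r = service_handle(forged)
    # a platform-authenticated request that touches an account U does not own
    other = platform_sign({"service": "balance", "account": "6222000000000001",
                           "U": dict(u, id_number="110101199002022345")})
    return ok, forged_r, service_handle(other)
```

The MAC check is what turns "secondary authentication according to U" into a real check: without it, anything that can reach the service component's listener can assert an arbitrary U, and the ownership check would then be validating attacker-chosen data.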
The service processing device based on the open platform provided by the embodiment of the invention can execute the service processing method based on the open platform provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of executing the service processing method based on the open platform.
EXAMPLE five
Fig. 5 is a schematic structural diagram of an apparatus according to a fifth embodiment of the present invention. Fig. 5 illustrates a block diagram of an exemplary device 12 suitable for use in implementing embodiments of the present invention. The device 12 shown in fig. 5 is only an example and should not bring any limitations to the functionality and scope of use of the embodiments of the present invention.
As shown in FIG. 5, device 12 is in the form of a general purpose computing device. The components of device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory device 28, and a bus 18 that couples various system components including the system memory device 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA (EISA) bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
Device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system storage 28 may include computer system readable media in the form of volatile storage, such as Random Access Memory (RAM)30 and/or cache storage 32. Device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 5, and commonly referred to as a "hard drive"). Although not shown in FIG. 5, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. Storage 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in storage 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
Device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with device 12, and/or with any devices (e.g., network card, modem, etc.) that enable device 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the device 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 20. As shown in FIG. 5, the network adapter 20 communicates with the other modules of the device 12 via the bus 18. It should be appreciated that although not shown in FIG. 5, other hardware and/or software modules may be used in conjunction with device 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 16 executes various functional applications and data processing by running programs stored in the system storage device 28, for example, implementing the service processing method based on the open platform provided by the embodiment of the present invention, including:
acquiring a service request to be processed and a communication token;
determining user information associated with the communication token according to the communication token; the user information is cached in advance when the identity authentication is carried out on a user sending a service request to be processed;
and sending the service request to be processed and the user information to a service component so that the service component can directly process the service request to be processed according to the user information.
EXAMPLE six
The sixth embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the open-platform-based service processing method provided in the embodiments of the present invention, comprising:
acquiring a service request to be processed and a communication token;
determining user information associated with the communication token according to the communication token; the user information is cached in advance when the identity authentication is carried out on a user sending a service request to be processed;
and sending the service request to be processed and the user information to a service component so that the service component can directly process the service request to be processed according to the user information.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter case, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A service processing method based on an open platform is characterized by comprising the following steps:
acquiring a service request to be processed and a communication token;
determining user information associated with the communication token according to the communication token; the user information is cached in advance when the identity authentication is carried out on a user sending a service request to be processed;
and sending the service request to be processed and the user information to a service component so that the service component can directly process the service request to be processed according to the user information.
2. The method of claim 1, wherein before obtaining the pending service request and the communication token, further comprising:
and performing authentication according to the service request to be processed and user information submitted by a user through a client.
3. The method of claim 2, further comprising:
acquiring a service request encryption message, wherein the service request encryption message is content encrypted by a client through a platform public key disclosed by an open platform, and the encrypted content at least comprises: user information, a communication encryption key and client identity information which are submitted by a user through a client;
correspondingly, according to the service request to be processed and the user information submitted by the user through the client, the authentication comprises the following steps:
decrypting the service request encryption message by using a platform private key to obtain user information, a communication encryption key and client identity information submitted by a user through a client;
verifying the identity information of the client to determine the calling authority of the client to the open platform;
if the client has the authority, caching the communication encryption key and the user information, and issuing a communication token; wherein the communication token is associated with the communication encryption key and the user information.
4. The method of claim 3, wherein the service request to be processed is obtained by the client encrypting it with the communication encryption key;
correspondingly, determining the user information associated with the communication token according to the communication token comprises the following steps:
determining a communication encryption key associated with the communication token according to the communication token, and decrypting the to-be-processed service request by using the communication encryption key to obtain a decrypted to-be-processed service request so that a service component can process the decrypted to-be-processed service request;
and if the communication token is valid, determining user information associated with the communication token according to the communication token.
5. The method of claim 1, wherein the user information is sent to a service component so that the service component performs authentication according to the user information, and if the authentication is passed, the service request to be processed is directly processed.
6. An open platform-based service processing device, comprising:
the service information acquisition module is used for acquiring a service request to be processed and a communication token;
the user information determining module is used for determining user information related to the communication token according to the communication token; the user information is cached in advance when the identity authentication is carried out on a user sending a service request to be processed;
and the information sending module is used for sending the service request to be processed and the user information to a service component so that the service component can directly process the service request to be processed according to the user information.
7. The apparatus of claim 6, further comprising:
and the authentication module is used for authenticating according to the service request to be processed and the user information submitted by the user through the client.
8. The apparatus of claim 7, further comprising:
an encrypted message obtaining module, configured to obtain a service request encrypted message, where the service request encrypted message is a content encrypted by a platform public key disclosed by an open platform at a client, and the encrypted content at least includes: user information, a communication encryption key and client identity information which are submitted by a user through a client;
correspondingly, the authentication module is specifically configured to:
decrypting the service request encryption message by using a platform private key to obtain user information, a communication encryption key and client identity information submitted by a user through a client;
verifying the identity information of the client to determine the calling authority of the client to the open platform;
if the client has the authority, caching the communication encryption key and the user information, and issuing a communication token; wherein the communication token is associated with the communication encryption key and the user information.
9. An apparatus, comprising:
one or more processors;
a storage device for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the open platform based service processing method of any of claims 1-5.
10. A computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the open platform based service processing method according to any one of claims 1 to 5.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010514445.7A CN111698312B (en) 2020-06-08 2020-06-08 Service processing method, device, equipment and storage medium based on open platform

Publications (2)

Publication Number Publication Date
CN111698312A true CN111698312A (en) 2020-09-22
CN111698312B CN111698312B (en) 2022-10-21

Family

ID=72479829

Country Status (1)

Country Link
CN (1) CN111698312B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112187786A (en) * 2020-09-25 2021-01-05 深圳乐信软件技术有限公司 Service processing method, device, server and storage medium of network service
CN112187786B (en) * 2020-09-25 2023-08-22 深圳乐信软件技术有限公司 Service processing method, device, server and storage medium for network service
CN112465432A (en) * 2020-12-07 2021-03-09 合肥维天运通信息科技股份有限公司 Waybill information processing method
WO2022121291A1 (en) * 2020-12-07 2022-06-16 合肥维天运通信息科技股份有限公司 Waybill information processing method
CN112600813A (en) * 2020-12-08 2021-04-02 武汉卓尔信息科技有限公司 UKEY-based multi-application unified authentication method
CN113297629A (en) * 2021-05-26 2021-08-24 杭州安恒信息技术股份有限公司 Authentication method, device, system, electronic equipment and storage medium
CN113297629B (en) * 2021-05-26 2023-03-14 杭州安恒信息技术股份有限公司 Authentication method, device, system, electronic equipment and storage medium

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101471939A (en) * 2007-12-28 2009-07-01 中国科学院声学研究所 Multitime user authentication method for fusion business system with SOA architecture
CN104468518A (en) * 2014-11-10 2015-03-25 腾讯科技(深圳)有限公司 Service management method, device and system
US20160162893A1 (en) * 2014-12-05 2016-06-09 Mastercard International Incorporated Open, on-device cardholder verification method for mobile devices
CN106302346A (en) * 2015-05-27 2017-01-04 阿里巴巴集团控股有限公司 The safety certifying method of API Calls, device, system
CN106921636A (en) * 2015-12-28 2017-07-04 华为技术有限公司 Identity identifying method and device
CN109327477A (en) * 2018-12-06 2019-02-12 泰康保险集团股份有限公司 Authentication method, device and storage medium
CN109617907A (en) * 2019-01-04 2019-04-12 平安科技(深圳)有限公司 Authentication method, electronic device and computer readable storage medium
CN109743163A (en) * 2019-01-03 2019-05-10 优信拍(北京)信息科技有限公司 Purview certification method, apparatus and system in micro services framework
CN110175466A (en) * 2019-04-16 2019-08-27 平安科技(深圳)有限公司 Method for managing security, device, computer equipment and the storage medium of open platform
CN110324276A (en) * 2018-03-28 2019-10-11 腾讯科技(深圳)有限公司 A kind of method, system, terminal and electronic equipment logging in application
CN110365483A (en) * 2018-04-11 2019-10-22 中国移动通信集团广东有限公司 Cloud platform authentication method, client, middleware and system
CN110740136A (en) * 2019-10-22 2020-01-31 神州数码融信软件有限公司 Network security control method for open bank and open bank platform
CN111030818A (en) * 2020-01-09 2020-04-17 上海金仕达软件科技有限公司 Uniform session management method and system based on micro-service gateway
CN111160845A (en) * 2019-12-06 2020-05-15 中国建设银行股份有限公司 Service processing method and device

Non-Patent Citations (1)

Title
张宇 et al.: "A method for improving token security in converged OpenID and OAuth authentication", Network New Media Technology (《网络新媒体技术》) *

Cited By (7)

Publication number Priority date Publication date Assignee Title
CN112187786A (en) * 2020-09-25 2021-01-05 深圳乐信软件技术有限公司 Service processing method, device, server and storage medium of network service
CN112187786B (en) * 2020-09-25 2023-08-22 深圳乐信软件技术有限公司 Service processing method, device, server and storage medium for network service
CN112465432A (en) * 2020-12-07 2021-03-09 合肥维天运通信息科技股份有限公司 Waybill information processing method
WO2022121291A1 (en) * 2020-12-07 2022-06-16 合肥维天运通信息科技股份有限公司 Waybill information processing method
CN112600813A (en) * 2020-12-08 2021-04-02 武汉卓尔信息科技有限公司 UKEY-based multi-application unified authentication method
CN113297629A (en) * 2021-05-26 2021-08-24 杭州安恒信息技术股份有限公司 Authentication method, device, system, electronic equipment and storage medium
CN113297629B (en) * 2021-05-26 2023-03-14 杭州安恒信息技术股份有限公司 Authentication method, device, system, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN111698312B (en) 2022-10-21

Similar Documents

Publication Publication Date Title
CN111698312B (en) Service processing method, device, equipment and storage medium based on open platform
US9560033B2 (en) Method and system for authenticating user identity
CN110515678B (en) Information processing method, equipment and computer storage medium
CN110740136B (en) Network security control method for open bank and open bank platform
US9894053B2 (en) Method and system for authenticating service
CN112039826B (en) Login method and device for a mini-program client, electronic device and readable medium
JP7449952B2 (en) System and method for pre-authorization of customer support calls
CN112866225A (en) Authentication method, authentication device, electronic device, and storage medium
CN110599290A (en) Data processing method and system for cross-border transaction
CN111832005A (en) Application authorization method, application authorization device and electronic equipment
CN114584381A (en) Security authentication method and device based on gateway, electronic equipment and storage medium
CN110601836B (en) Key acquisition method, device, server and medium
CN110719590B (en) One-key login method, device, equipment and storage medium based on mobile phone number
CN110830479B (en) Multi-card-based one-key login method, device, equipment and storage medium
CN112202794A (en) Transaction data protection method and device, electronic equipment and medium
CN114584378B (en) Data processing method, device, electronic equipment and medium
CN114117404A (en) User authentication method, device, equipment, system and storage medium
CN112613025A (en) Method for communication between a USB (universal serial bus) device and a browser on a computer
CN106534047A (en) Information transmitting method and apparatus based on Trust application
CN114785560B (en) Information processing method, device, equipment and medium
CN114826616B (en) Data processing method, device, electronic equipment and medium
CN114844694B (en) Information processing method, apparatus, device and storage medium
CN111583036A (en) Counter transaction information interaction method, device, equipment and medium
CN114820166A (en) Method and device for processing pre-account opening request and electronic equipment
CN114826616A (en) Data processing method, device, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220920

Address after: 25 Financial Street, Xicheng District, Beijing 100033

Applicant after: CHINA CONSTRUCTION BANK Corp.

Address before: 25 Financial Street, Xicheng District, Beijing 100033

Applicant before: CHINA CONSTRUCTION BANK Corp.

Applicant before: Jianxin Financial Science and Technology Co.,Ltd.

GR01 Patent grant