CN111832000A - Single sign-on method, system, equipment and computer readable storage medium - Google Patents


Info

Publication number
CN111832000A
Authority
CN
China
Prior art keywords
client
user information
access token
target
management server
Prior art date
Legal status
Pending
Application number
CN202010691717.0A
Other languages
Chinese (zh)
Inventor
胡彪
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers

Abstract

The application discloses a single sign-on method, system, device and computer-readable storage medium, applied to a client. The client generates a user information acquisition request based on a target access token, sends the request to a management server, receives the target user information returned by the management server, completes login based on that user information, generates post-login display information according to the operation authority of the target user information, and returns the display information to the management server. Because the client obtains the target user information from the management server through the target access token and builds the display information from the operation authority attached to that information, the display information corresponds to the operation authority of the target user information: autonomous access control is achieved together with single sign-on, the login process is not affected by the IP address of the management server, and the applicability is high.

Description

Single sign-on method, system, equipment and computer readable storage medium
Technical Field
The present application relates to the field of single sign-on technologies, and in particular, to a single sign-on method, system, device, and computer readable storage medium.
Background
Single Sign On (SSO) is one of the more popular solutions for enterprise business integration. SSO means that, across multiple applications, a user only needs to log in once to access all mutually trusted applications. Because single sign-on reduces the number of times a user has to log in and makes login more convenient, it is also used in the management network to log users into application systems. This process requires the participation of the management server: for example, after the management server receives a login request from a client, it completes the login on the client using its own IP (Internet Protocol) address; that is, the client login is performed through the IP address of the management server.
Although single sign-on can be realized through the IP address of the management server, that IP address does not change, so the login information of all clients is identical. The operating authority a client presents to every user of the management server is therefore the same, which does not meet the requirement of autonomous access control; and once the IP address of the management server changes, single sign-on can no longer be realized. The applicability of this approach is therefore poor.
In summary, how to improve the applicability of the single sign-on method is a problem to be solved urgently by those skilled in the art.
Disclosure of Invention
The present application aims to provide a single sign-on method, which can solve the technical problem of how to improve the applicability of the single sign-on method to a certain extent. The application also provides a single sign-on system, a single sign-on device and a computer readable storage medium.
In order to achieve the above purpose, the present application provides the following technical solutions:
a single sign-on method is applied to a client and comprises the following steps:
generating a user information acquisition request based on the acquired target access token;
sending the user information acquisition request to a management server so that the management server determines corresponding target user information based on the target access token;
receiving the target user information sent by the management server;
finishing login based on the target user information, and generating display information after login based on the operation authority of the target user information;
returning the display information to the management server;
wherein the management server comprises a server that manages the client.
Preferably, the management server comprises a server API, a browser and a reverse proxy system;
before generating the user information acquisition request based on the acquired target access token, the method further includes:
receiving an access token acquisition request proxied by the reverse proxy system, wherein the access token acquisition request is generated by the browser based on a target authorization code and is sent to the reverse proxy system by the browser through a reverse proxy link of the client;
sending the access token acquisition request to the server API, so that the server API determines the target access token based on the target authorization code;
receiving the target access token sent by the server API;
the target authorization code is determined by the server API based on a client login request and is sent to the browser by the server API; the reverse proxy link of the client is generated by the server API based on the client login request and is sent to the browser by the server API; the client login request is generated by the browser and sent to the server API.
Preferably, the management server comprises a server API, a browser and a reverse proxy system;
before generating the user information acquisition request based on the acquired target access token, the method further includes:
receiving the target access token proxied by the reverse proxy system, wherein the target access token is sent to the reverse proxy system by the browser through a reverse proxy link of the client;
the target access token is determined by the server API based on a target authorization code in an access token acquisition request, and the access token acquisition request is generated by the browser based on the target authorization code and is sent to the server API by the browser; the reverse proxy link of the client is generated by the server API based on the client login request and is sent to the browser by the server API; the target authorization code is determined by the server API based on the client login request and sent to the browser by the server API; the client login request is generated by the browser and sent to the server API.
Preferably, the generating a user information acquisition request based on the acquired target access token includes:
judging whether the target access token is correct or not;
and if the target access token is correct, executing the step of generating a user information acquisition request based on the acquired target access token.
Preferably, the completing login based on the target user information includes:
judging whether account information and session information corresponding to the target user information exist or not;
if the account information and the session information exist, logging in is directly completed based on the account information and the session information;
and if the account information and the session information do not exist, generating the account information and the session information based on the target user information, and then completing login based on the account information and the session information.
Preferably, the client comprises a security component, and the management server comprises a cloud security service platform.
Preferably, the single sign-on protocol applied between the client and the management server includes an OAUTH protocol.
A single sign-on method is applied to a management server and comprises the following steps:
receiving a user information acquisition request sent by a client, wherein the user information acquisition request comprises a request generated by the client based on an acquired target access token;
determining corresponding target user information based on the target access token;
sending the target user information to the client so that the client can complete login based on the target user information and generate display information after login based on the operation authority of the target user information;
receiving the display information sent by the client;
wherein the management server comprises a server that manages the client.
A single sign-on system is applied to a client and comprises:
the first generation module is used for generating a user information acquisition request based on the acquired target access token;
the first sending module is used for sending the user information acquisition request to a management server so that the management server determines corresponding target user information based on the target access token;
the first receiving module is used for receiving the target user information sent by the management server;
the second generation module is used for completing login based on the target user information and generating display information after login based on the operation authority of the target user information;
the second sending module is used for returning the display information to the management server;
wherein the management server comprises a server that manages the client.
A single sign-on device comprising:
a memory for storing a computer program;
a processor for implementing the steps of any of the above single sign-on methods when executing the computer program.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the single sign-on method as described in any one of the preceding claims.
The single sign-on method is applied to a client: a user information acquisition request is generated based on an acquired target access token; the request is sent to a management server so that the management server determines the corresponding target user information based on the target access token; the target user information sent by the management server is received; login is completed based on the target user information, and display information after login is generated based on the operation authority of the target user information; and the display information is returned to the management server, wherein the management server comprises a server that manages the client. According to the method and system, when the client logs in it does not do so according to the IP address of the management server; instead it obtains the corresponding target user information from the management server based on the target access token, logs in based on that information and generates the post-login display information based on its operation authority, so that the display information corresponds to the operation authority of the target user information. Autonomous access control is thereby achieved together with single sign-on, the login process is not affected by the IP address of the management server, and the method and system have high applicability. The single sign-on system, the single sign-on device and the computer readable storage medium solve the corresponding technical problems.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a first flowchart of a single sign-on method according to an embodiment of the present application;
fig. 2 is a second flowchart of a single sign-on method according to an embodiment of the present application;
fig. 3 is a third flowchart of a single sign-on method according to an embodiment of the present application;
fig. 4 is a fourth flowchart of a single sign-on method according to an embodiment of the present application;
fig. 5 is a first structural schematic diagram of a single sign-on system according to an embodiment of the present application;
fig. 6 is a second structural diagram of a single sign-on system according to an embodiment of the present disclosure;
fig. 7 is a schematic diagram of a hardware component structure of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Single Sign On (SSO) is one of the more popular solutions for enterprise business integration. SSO means that, across multiple applications, a user only needs to log in once to access all mutually trusted applications. Because single sign-on reduces the number of times a user has to log in and makes login more convenient, it is also used in the management network to log users into application systems. This process requires the participation of the management server: for example, after the management server receives a login request from a client, it completes the login on the client using its own IP (Internet Protocol) address; that is, the client login is performed through the IP address of the management server. Although single sign-on can be realized in this way, the IP address of the management server does not change, so the login information of all clients is identical, and the operating authority a client presents to every user of the management server is the same, because that operating authority is determined by the IP address of the management server; this does not meet the requirement of autonomous access control. Moreover, once the IP address of the management server changes, single sign-on can no longer be realized, so the applicability is poor. It should be noted that autonomous access control means that a user should have the corresponding access rights to an object the user created, within the scope of security policy control, and can grant part or all of those rights to other users; the granularity of the subject of autonomous access control is the user level, the granularity of the object is the file or database table level and/or the record or field level, and the autonomous access operations include creating, reading, writing, modifying and deleting the object. The single sign-on method of the present application can improve the applicability.
Referring to fig. 1, fig. 1 is a first flowchart of a single sign-on method according to an embodiment of the present disclosure.
The single sign-on method provided by the embodiment of the application is applied to a client, and comprises the following steps:
Step S101: generating a user information acquisition request based on the acquired target access token.
In practical application, the client may first obtain the target access token and then generate the user information acquisition request based on it. It should be noted that an access token is a token used to obtain the corresponding user information in single sign-on, so the target access token is the token used to obtain the target user information.
Step S102: sending the user information acquisition request to the management server so that the management server determines the corresponding target user information based on the target access token.
In practical application, after generating the user information acquisition request based on the acquired target access token, the client may send the request to the management server, which then determines the corresponding target user information based on the target access token. It follows that, in a specific application scenario, the management server stores the access tokens and the corresponding user information and may manage them in single sign-on; for example, the management server generates a user's access token and updates and deletes access tokens.
Step S103: receiving the target user information sent by the management server.
In practical application, after the management server determines the corresponding target user information based on the target access token, it sends the target user information to the client, and correspondingly the client receives it in order to log in based on it. The target user information is the information of the user who is logging in to the client at this time, and its content may be determined according to actual needs; for example, the user information may include a user name, role information and the like.
Step S104: finishing login based on the target user information, and generating display information after login based on the operation authority of the target user information.
In practical application, after receiving the target user information, the client can complete login based on the target user information and generate post-login display information based on the operation authority of the target user information, so that through the display information a user can only view data within the user's own operation authority; when the operation authorities of different users differ, their display information differs too, so the process by which a user logs in to the client can be managed according to the user's operation authority to achieve autonomous access control.
It should be noted that, when the same user performs single sign-on to different clients, the user information used when logging in to the different clients differs and the user's operation permissions on each client are not necessarily the same, so even in that case the method provided by the present application can distinguish, through the display information, the operation permissions of the same user after sign-on at different clients. For example, the user has write permission on client A but not on client B; after the user performs single sign-on through the management server, the display information of client A carries the content corresponding to the write permission, such as a modification option, and the display information of client B does not carry that content, so it has no modification option.
Step S105: returning the display information to the management server; wherein the management server comprises a server for managing the client.
In practical application, after the client generates the display information, the client can return the display information to the management server, so that the management server presents the display information to the user.
It should be noted that the types of the management server and the client in the present application may be determined according to actual needs, and the management server refers to a server that manages the client, for example, the client may be a security component, and the management server is a cloud security service platform.
The single sign-on method is applied to a client: a user information acquisition request is generated based on an acquired target access token; the request is sent to a management server so that the management server determines the corresponding target user information based on the target access token; the target user information sent by the management server is received; login is completed based on the target user information, and display information after login is generated based on the operation authority of the target user information; and the display information is returned to the management server, wherein the management server comprises a server that manages the client. According to the method and system, when the client logs in it does not do so according to the IP address of the management server; instead it obtains the corresponding target user information from the management server based on the target access token, logs in based on that information and generates the post-login display information based on its operation authority, so that the display information corresponds to the operation authority of the target user information. Autonomous access control is thereby achieved together with single sign-on, the login process is not affected by the IP address of the management server, and the method and system have high applicability.
Referring to fig. 2, fig. 2 is a second flowchart of a single sign-on method according to an embodiment of the present application.
In this application, the management server may include a server API (application programming interface), a browser and a reverse proxy system, and in the single sign-on method provided in this application the client may perform the following steps:
receiving an access token acquisition request proxied by the reverse proxy system, wherein the access token acquisition request is generated by the browser based on a target authorization code and is sent to the reverse proxy system by the browser through the reverse proxy link of the client;
sending an access token acquisition request to a server API, so that the server API determines a target access token based on the target authorization code;
receiving a target access token sent by a server API; the target authorization code is determined by the server API based on the client login request and is sent to the browser by the server API; the reverse proxy link of the client is generated by a server API based on the client login request and is sent to the browser by the server API; a client login request is generated by a browser and is sent to a server API;
generating a user information acquisition request based on the acquired target access token;
sending a user information acquisition request to a management server so that the management server determines corresponding target user information based on the target access token;
receiving target user information sent by a management server;
finishing login based on the target user information, and generating display information after login based on the operation authority of the target user information;
returning the display information to the management server; wherein the management server comprises a server for managing the client.
That is, in the present application, the browser generates a client login request under the operation of the user and sends it to the server API. After receiving the client login request, the server API determines a target authorization code and generates the reverse proxy link of the client, then sends both to the browser. After receiving them, the browser generates an access token acquisition request based on the target authorization code and sends it to the reverse proxy system through the reverse proxy link of the client. After receiving the access token acquisition request, the reverse proxy system forwards it to the client. After receiving the access token acquisition request, the client sends it to the server API (application programming interface) so as to obtain the target access token, acquire the target user information based on it, complete login and generate the display information.
It should be noted that the management server itself may implement autonomous access control, that is, the management server may manage whether a user has the right to operate a client. In this process, the information about the clients managed by the management server may be managed through the server API: for example, the client operated by a user may be registered, deleted, modified, queried, re-keyed and so on through the server API, and the corresponding information of the client may be recorded in a client application table. The authorization codes and access tokens used in the single sign-on process may likewise be managed through the server API: for example, an authorization code or an access token may be generated, an expired authorization code or access token may be deleted, and an access token may be refreshed; the information on authorization codes may be recorded in an authorization code table and that on access tokens in an access token table. In addition, which clients the management server may manage can be controlled through the server API, and the information on those clients may be recorded in a client configuration table.
Referring to fig. 3, fig. 3 is a third flowchart of a single sign-on method according to an embodiment of the present application.
In this application, the management server may include a server API, a browser, and a reverse proxy system, and in the single sign-on method provided in the embodiment of the present application, the client may perform the following steps:
receiving a target access token proxied by the reverse proxy system, wherein the target access token is sent to the reverse proxy system by the browser through a reverse proxy link of the client; the target access token is determined by the server API based on a target authorization code in the access token acquisition request, and the access token acquisition request is generated by the browser based on the target authorization code and sent to the server API by the browser; the reverse proxy link of the client is generated by the server API based on the client login request and sent to the browser by the server API; the target authorization code is determined by the server API based on the client login request and sent to the browser by the server API; the client login request is generated by the browser and sent to the server API;
generating a user information acquisition request based on the acquired target access token;
sending a user information acquisition request to a management server so that the management server determines corresponding target user information based on the target access token;
receiving target user information sent by a management server;
finishing login based on the target user information, and generating display information after login based on the operation authority of the target user information;
returning the display information to the management server; wherein the management server comprises a server for managing the client.
That is, in the present application, the browser generates a client login request under the operation of the user and sends it to the server API. After receiving the client login request, the server API determines a target authorization code and sends it to the browser. After receiving the target authorization code, the browser generates an access token acquisition request based on it and sends the request to the server API. After receiving the access token acquisition request, the server API determines the target access token based on the target authorization code, generates the reverse proxy link of the client, and sends the target access token and the reverse proxy link to the browser. The browser receives the target access token and sends it to the reverse proxy system through the reverse proxy link of the client, and the reverse proxy system forwards it to the client. After receiving the target access token, the client can acquire the target user information based on it, complete login and generate the display information.
It should be noted that, in a specific application scenario, there may be other ways for the client to obtain the target access token and the target user information, and the application is not specifically limited herein.
In the single sign-on method provided by the embodiment of the application, in order to ensure the correctness of the obtained target user information, the client side can firstly judge whether the target access token is correct or not in the process of generating the user information obtaining request based on the obtained target access token; and if the target access token is correct, then generating a user information acquisition request based on the acquired target access token.
It should be noted that the method for determining whether the target access token is correct by the client may be determined according to actual needs, for example, to avoid that the target access token is invalid and whether the target access token is valid needs to be verified, at this time, the client may send the target access token to the management server for verification, if the management server verifies that the target access token is valid, the client may determine that the target access token is correct, and if the management server verifies that the target access token is invalid, the client may determine that the target access token is wrong; in order to avoid that the login information does not conform to the user, whether the target access token is consistent with the target authorization code or not needs to be verified, at this time, the client can judge whether the target access token is consistent with the target authorization code or not, if the target access token is consistent with the target authorization code or not, the target access token can be judged to be correct, and if the target access token is inconsistent with the target authorization code or not, the target access token can be judged to be wrong.
In the single sign-on method provided by the embodiment of the application, the client needs to judge whether account information and session information corresponding to target user information exist or not according to corresponding account information and session information in the process of finishing sign-on based on the target user information; if the account information and the session information exist, the login is directly completed based on the account information and the session information; and if the account information and the session information do not exist, generating the account information and the session information based on the target user information, and then completing login based on the account information and the session information.
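The account and session handling of this paragraph, together with the generation of display information from the user's operation authority, as an added example that is not from the patent. The idle timeout, the menu items and the permission names they require, the `permissions` field in the user information and the session id format are assumptions; refreshing a reused account's permissions from the latest user information is a design choice of this example, not something the text prescribes.

```python
import secrets
import time

# Constructed menu (assumption): each display item names the operation authority it requires.
MENU = [("dashboard", "view"), ("alerts", "view"), ("policy_edit", "admin"), ("audit_export", "export")]


class LoginManager:
    """Client-side login state: account information and session information per user."""

    def __init__(self, idle_timeout=1800):
        self.accounts = {}  # account id (the user's "sub") -> account record
        self.sessions = {}  # account id -> session record
        self.idle_timeout = idle_timeout

    def complete_login(self, user_info, now=None):
        """Reuse an existing account and live session, or generate both from the user information."""
        now = now or time.time()
        sub = user_info["sub"]
        account, session = self.accounts.get(sub), self.sessions.get(sub)
        if account is not None and session is not None and session["expires"] > now:
            # Account and session exist: log in directly. Permissions are still refreshed
            # from the latest user information so a revoked right does not survive in the cache.
            account["permissions"] = set(user_info.get("permissions", []))
            session["expires"] = now + self.idle_timeout
            created = False
        else:
            # Nothing usable: generate account and session from the user information. An expired
            # session gets a fresh id rather than being revived, so an old id cannot be reused.
            account = {"sub": sub, "permissions": set(user_info.get("permissions", []))}
            session = {"id": secrets.token_urlsafe(32), "expires": now + self.idle_timeout}
            self.accounts[sub], self.sessions[sub] = account, session
            created = True
        return {"session_id": session["id"], "created": created, "display": build_display(account)}


def build_display(account):
    """Display information after login: only the items the user's operation authority allows."""
    return [name for name, needed in MENU if needed in account["permissions"]]


if __name__ == "__main__":
    manager = LoginManager(idle_timeout=60)
    info = {"sub": "alice", "permissions": ["view", "export"]}  # constructed target user information
    print(manager.complete_login(info))
```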
In the single sign-on method provided in the embodiment of the present application, the single sign-on protocol applied between the client and the management server may include the OAuth protocol, in which case information such as the authorization code and the access token used in the single sign-on process may be generated according to the OAuth protocol.
It should be noted that OAuth (open authorization) is an open standard for authorizing access to user resources. It differs from earlier authorization methods in that the third party never obtains the user's account credentials (such as the user name and password): the third party applies for authorization to the user's resources without using the user's name and password, so those credentials are not exposed to it. This is the sense in which the single sign-on method provided by this application is secure; it does not replace the checks described above, since the authorization code and the access token still have to be carried over protected channels and validated by the client and the management server. Of course, in a specific application scenario the single sign-on may also be performed through other protocols, which this application does not limit.
Referring to fig. 4, fig. 4 is a fourth flowchart of a single sign-on method according to an embodiment of the present disclosure.
The single sign-on method provided by the embodiment of the application is applied to a management server and comprises the following steps:
Step S401: receiving a user information acquisition request sent by the client, where the user information acquisition request is a request generated by the client based on the acquired target access token.
Step S402: determining corresponding target user information based on the target access token.
Step S403: sending the target user information to the client, so that the client completes login based on the target user information and generates display information after login based on the operation authority of the target user information.
Step S404: receiving the display information sent by the client; wherein the management server comprises a server for managing the client.
The description of the corresponding steps in the embodiments of the present application may refer to the above embodiments, and is not repeated herein.
Referring to fig. 5, fig. 5 is a first structural schematic diagram of a single sign-on system according to an embodiment of the present disclosure.
The single sign-on system provided by the embodiment of the application is applied to a client, and can include:
a first generating module 501, configured to generate a user information obtaining request based on the obtained target access token;
a first sending module 502, configured to send a user information obtaining request to the management server, so that the management server determines, based on the target access token, corresponding target user information;
a first receiving module 503, configured to receive target user information sent by the management server;
a second generating module 504, configured to complete login based on the target user information, and generate display information after login based on an operation authority of the target user information;
a second sending module 505, configured to return display information to the management server;
wherein the management server comprises a server for managing the client.
In the single sign-on system provided by the embodiment of the application, the management server may include a server API, a browser, and a reverse proxy system;
correspondingly, the client may further include:
a second receiving module, configured to receive, before the first generating module generates the user information acquisition request based on the acquired target access token, the access token acquisition request proxied by the reverse proxy system, where the access token acquisition request is generated by the browser based on the target authorization code and is sent by the browser to the reverse proxy system through the reverse proxy link of the client;
a third sending module, configured to send an access token obtaining request to the server API, so that the server API determines a target access token based on the target authorization code;
the third receiving module is used for receiving the target access token sent by the server API;
the target authorization code is determined by the server API based on the client login request and is sent to the browser by the server API; the reverse proxy link of the client is generated by a server API based on the client login request and is sent to the browser by the server API; the client login request is generated by the browser and sent to the server API.
In the single sign-on system provided by the embodiment of the application, the management server may include a server API, a browser, and a reverse proxy system;
correspondingly, the client may further include:
a fourth receiving module, configured to receive, before the first generating module generates the user information acquisition request based on the acquired target access token, the target access token proxied by the reverse proxy system, where the target access token is sent by the browser to the reverse proxy system through the reverse proxy link of the client;
the target access token is determined by the server API based on a target authorization code in the access token acquisition request, and the access token acquisition request is generated by the browser based on the target authorization code and is sent to the server API by the browser; the reverse proxy link of the client is generated by a server API based on the client login request and is sent to the browser by the server API; the target authorization code is determined by the server API based on the client login request and is sent to the browser by the server API; the client login request is generated by the browser and sent to the server API.
The single sign-on system provided by the embodiment of the application is applied to a client, and the first generating module may include:
the first judgment unit is used for judging whether the target access token is correct or not; and if the target access token is correct, prompting the first generation module to execute a step of generating a user information acquisition request based on the acquired target access token.
The single sign-on system provided by the embodiment of the application is applied to a client, and the second generation module may include:
the second judging unit is used for judging whether account information and session information corresponding to the target user information exist or not; if the account information and the session information exist, the login is directly completed based on the account information and the session information; and if the account information and the session information do not exist, generating the account information and the session information based on the target user information, and then completing login based on the account information and the session information.
The single sign-on system provided by the embodiment of the application is applied to the client, the client can comprise a security component, and the management server can comprise a cloud security service platform.
The single sign-on system provided by the embodiment of the application is applied to the client, and the single sign-on protocol applied between the client and the management server may include the OAuth protocol.
Referring to fig. 6, fig. 6 is a second structural schematic diagram of a single sign-on system according to an embodiment of the present application.
The single sign-on system provided by the embodiment of the application is applied to a management server and can comprise:
a fifth receiving module 601, configured to receive a user information obtaining request sent by a client, where the user information obtaining request includes a request generated by the client based on an obtained target access token;
a first determining module 602, configured to determine corresponding target user information based on the target access token;
a fourth sending module 603, configured to send the target user information to the client, so that the client completes login based on the target user information and generates display information after login based on an operation permission of the target user information;
a sixth receiving module 604, configured to receive display information sent by the client;
wherein the management server comprises a server for managing the client.
Based on the hardware implementation of the above program modules, and in order to implement the method of the embodiments of the present invention, an embodiment of the present invention further provides an electronic device. Fig. 7 is a schematic diagram of the hardware composition of the electronic device according to the embodiment of the present invention; as shown in fig. 7, the electronic device includes:
a communication interface 1 capable of information interaction with other devices such as network devices and the like;
a processor 2, connected to the communication interface 1 to realize information interaction with other devices, and configured to execute the single sign-on method provided by one or more of the above technical solutions when running a computer program; the computer program is stored on the memory 3.
In practice, of course, the various components in the electronic device are coupled together by the bus system 4. It will be appreciated that the bus system 4 is used to enable connection communication between these components. The bus system 4 comprises, in addition to a data bus, a power bus, a control bus and a status signal bus. For the sake of clarity, however, the various buses are labeled as bus system 4 in fig. 7.
The memory 3 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be volatile memory, non-volatile memory, or both. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferroelectric Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be a Random Access Memory (RAM), which serves as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDR SDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 3 described in the embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed by the above embodiment of the present invention can be applied to the processor 2, or implemented by the processor 2. The processor 2 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 2. The processor 2 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 3, and the processor 2 reads the program in the memory 3 and in combination with its hardware performs the steps of the aforementioned method.
When the processor 2 executes the program, the corresponding processes in the methods according to the embodiments of the present invention are realized, and for brevity, are not described herein again.
In an exemplary embodiment, the present invention further provides a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, for example comprising a memory 3 storing a computer program, which is executable by a processor 2 to perform the steps of the aforementioned method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, terminal and method may be implemented in other manners. The above-described device embodiments are only illustrative, for example, the division of the unit is only one logical function division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for enabling an electronic device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
For a description of relevant parts in the single sign-on system, the single sign-on device, and the computer readable storage medium provided in the embodiments of the present application, reference is made to detailed descriptions of corresponding parts in the single sign-on method provided in the embodiments of the present application, and details are not repeated here. In addition, parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of corresponding technical solutions in the prior art, are not described in detail so as to avoid redundant description.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (11)

1. A single sign-on method is applied to a client and comprises the following steps:
generating a user information acquisition request based on the acquired target access token;
sending the user information acquisition request to a management server so that the management server determines corresponding target user information based on the target access token;
receiving the target user information sent by the management server;
finishing login based on the target user information, and generating display information after login based on the operation authority of the target user information;
returning the display information to the management server;
wherein the management server comprises a server that manages the client.
2. The method of claim 1, wherein the management server comprises a server API, a browser, and a reverse proxy system;
before generating the user information acquisition request based on the acquired target access token, the method further includes:
receiving an access token acquisition request of the reverse proxy system agent, wherein the access token acquisition request is generated by the browser based on a target authorization code and is sent to the reverse proxy system by the browser through a reverse proxy link of the client;
sending the access token acquisition request to the server API, so that the server API determines the target access token based on the target authorization code;
receiving the target access token sent by the server API;
the target authorization code is determined by the server API based on a client login request and is sent to the browser by the server API; the reverse proxy link of the client is generated by the server API based on the client login request and is sent to the browser by the server API; the client login request is generated by the browser and sent to the server API.
3. The method of claim 1, wherein the management server comprises a server API, a browser, and a reverse proxy system;
before generating the user information acquisition request based on the acquired target access token, the method further includes:
receiving the target access token proxied by the reverse proxy system, wherein the target access token is sent to the reverse proxy system by the browser through a reverse proxy link of the client;
the target access token is determined by the server API based on a target authorization code in an access token acquisition request, and the access token acquisition request is generated by the browser based on the target authorization code and is sent to the server API by the browser; the reverse proxy link of the client is generated by the server API based on the client login request and is sent to the browser by the server API; the target authorization code is determined by the server API based on the client login request and sent to the browser by the server API; the client login request is generated by the browser and sent to the server API.
4. The method of claim 1, wherein generating a user information acquisition request based on the acquired target access token comprises:
judging whether the target access token is correct or not;
and if the target access token is correct, executing the step of generating a user information acquisition request based on the acquired target access token.
5. The method of claim 1, wherein said completing the login based on the target user information comprises:
judging whether account information and session information corresponding to the target user information exist or not;
if the account information and the session information exist, logging in is directly completed based on the account information and the session information;
and if the account information and the session information do not exist, generating the account information and the session information based on the target user information, and then completing login based on the account information and the session information.
6. The method of any of claims 1 to 5, wherein the client comprises a security component and the management server comprises a cloud security services platform.
7. The method of claim 6, wherein the single sign-on protocol applied between the client and the management server comprises OAUTH protocol.
8. A single sign-on method is applied to a management server and comprises the following steps:
receiving a user information acquisition request sent by a client, wherein the user information acquisition request comprises a request generated by the client based on an acquired target access token;
determining corresponding target user information based on the target access token;
sending the target user information to the client so that the client can complete login based on the target user information and generate display information after login based on the operation authority of the target user information;
receiving the display information sent by the client;
wherein the management server comprises a server that manages the client.
9. A single sign-on system, applied to a client, comprising:
the first generation module is used for generating a user information acquisition request based on the acquired target access token;
the first sending module is used for sending the user information acquisition request to a management server so that the management server determines corresponding target user information based on the target access token;
the first receiving module is used for receiving the target user information sent by the management server;
the second generation module is used for completing login based on the target user information and generating display information after login based on the operation authority of the target user information;
the second sending module is used for returning the display information to the management server;
wherein the management server comprises a server that manages the client.
10. A single sign-on device, comprising:
a memory for storing a computer program;
processor for implementing the steps of the single sign-on method of any one of claims 1 to 8 when executing said computer program.
11. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the single sign-on method according to any one of claims 1 to 8.
CN202010691717.0A 2020-07-17 2020-07-17 Single sign-on method, system, equipment and computer readable storage medium Pending CN111832000A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010691717.0A CN111832000A (en) 2020-07-17 2020-07-17 Single sign-on method, system, equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010691717.0A CN111832000A (en) 2020-07-17 2020-07-17 Single sign-on method, system, equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN111832000A true CN111832000A (en) 2020-10-27

Family

ID=72924344

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010691717.0A Pending CN111832000A (en) 2020-07-17 2020-07-17 Single sign-on method, system, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN111832000A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112468549A (en) * 2020-11-13 2021-03-09 浪潮云信息技术股份公司 Method, equipment and storage medium for reverse communication and management of server
CN112650999A (en) * 2020-12-29 2021-04-13 北京字节跳动网络技术有限公司 User identity authentication control method, device and system
CN113239400A (en) * 2021-05-26 2021-08-10 上海斯俊慕智能科技有限公司 Asset management method, device and system and electronic equipment
CN113312595A (en) * 2021-05-26 2021-08-27 上海斯俊慕智能科技有限公司 Collection management method, device and system and electronic equipment
CN113312571A (en) * 2021-05-12 2021-08-27 武汉联影医疗科技有限公司 Page management method and device, computer equipment and storage medium
CN113472840A (en) * 2021-05-13 2021-10-01 新华三大数据技术有限公司 Cloud service dynamic management method and device
CN114844636A (en) * 2022-05-19 2022-08-02 青岛海尔科技有限公司 Method and device for updating access token, storage medium and electronic device
CN115242658A (en) * 2022-07-22 2022-10-25 中国平安财产保险股份有限公司 Open system access method, open system access device, computer equipment and storage medium
CN116720224A (en) * 2023-06-28 2023-09-08 北京和德宇航技术有限公司 Display method, device, equipment and storage medium
CN116992419A (en) * 2023-09-28 2023-11-03 江西省信息中心(江西省电子政务网络管理中心、江西省信用中心、江西省大数据中心) Map service sharing authority control method, system, electronic equipment and storage medium
CN116720224B (en) * 2023-06-28 2024-04-26 北京和德宇航技术有限公司 Display method, device, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150106905A1 (en) * 2013-10-14 2015-04-16 Alibaba Group Holding Limited Login method for client application and corresponding server
WO2016173199A1 (en) * 2015-04-30 2016-11-03 中兴通讯股份有限公司 Mobile application single sign-on method and device
CN108200050A (en) * 2017-12-29 2018-06-22 重庆金融资产交易所有限责任公司 Single logging-on server, method and computer readable storage medium
CN111143814A (en) * 2019-12-30 2020-05-12 武汉佰钧成技术有限责任公司 Single sign-on method, micro-service access platform and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张程 (Zhang Cheng): 《分布式系统架构》 (Distributed System Architecture) *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112468549A (en) * 2020-11-13 2021-03-09 浪潮云信息技术股份公司 Method, equipment and storage medium for reverse communication and management of server
CN112650999A (en) * 2020-12-29 2021-04-13 北京字节跳动网络技术有限公司 User identity authentication control method, device and system
CN113312571B (en) * 2021-05-12 2022-04-26 武汉联影医疗科技有限公司 Page management method and device, computer equipment and storage medium
CN113312571A (en) * 2021-05-12 2021-08-27 武汉联影医疗科技有限公司 Page management method and device, computer equipment and storage medium
CN113472840B (en) * 2021-05-13 2023-12-26 新华三大数据技术有限公司 Cloud service dynamic management method and device
CN113472840A (en) * 2021-05-13 2021-10-01 新华三大数据技术有限公司 Cloud service dynamic management method and device
CN113312595A (en) * 2021-05-26 2021-08-27 上海斯俊慕智能科技有限公司 Collection management method, device and system and electronic equipment
CN113239400A (en) * 2021-05-26 2021-08-10 上海斯俊慕智能科技有限公司 Asset management method, device and system and electronic equipment
CN114844636A (en) * 2022-05-19 2022-08-02 青岛海尔科技有限公司 Method and device for updating access token, storage medium and electronic device
CN115242658A (en) * 2022-07-22 2022-10-25 中国平安财产保险股份有限公司 Open system access method, open system access device, computer equipment and storage medium
CN115242658B (en) * 2022-07-22 2023-08-29 中国平安财产保险股份有限公司 Open system access method, device, computer equipment and storage medium
CN116720224A (en) * 2023-06-28 2023-09-08 北京和德宇航技术有限公司 Display method, device, equipment and storage medium
CN116720224B (en) * 2023-06-28 2024-04-26 北京和德宇航技术有限公司 Display method, device, equipment and storage medium
CN116992419A (en) * 2023-09-28 2023-11-03 江西省信息中心(江西省电子政务网络管理中心、江西省信用中心、江西省大数据中心) Map service sharing authority control method, system, electronic equipment and storage medium
CN116992419B (en) * 2023-09-28 2024-01-02 江西省信息中心(江西省电子政务网络管理中心、江西省信用中心、江西省大数据中心) Map service sharing authority control method, system, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN111832000A (en) Single sign-on method, system, equipment and computer readable storage medium
CN109309683B (en) Token-based client identity authentication method and system
TWI706263B (en) Trust registration method, server and system
US20180278603A1 (en) Control method for authentication/authorization server, resource server, and authentication/authorization system
US7827318B2 (en) User enrollment in an e-community
US9473419B2 (en) Multi-tenant cloud storage system
US7788711B1 (en) Method and system for transferring identity assertion information between trusted partner sites in a network using artifacts
US9130926B2 (en) Authorization messaging with integral delegation data
CN102201915B (en) Terminal authentication method and device based on single sign-on
US9825938B2 (en) System and method for managing certificate based secure network access with a certificate having a buffer period prior to expiration
US20100071056A1 (en) Method and system for multi-protocol single logout
US20080301784A1 (en) Native Use Of Web Service Protocols And Claims In Server Authentication
JP2010531516A (en) Device provisioning and domain join emulation over insecure networks
CN105659558A (en) Multiple resource servers with single, flexible, pluggable OAuth server and OAuth-protected RESTful OAuth consent management service, and mobile application single sign on OAuth service
US20080270571A1 (en) Method and system of verifying permission for a remote computer system to access a web page
CN109495486B (en) Single-page Web application integration CAS method based on JWT
US20120159601A1 (en) Transition from WS-Federation Passive Profile to Active Profile
CN111343145A (en) Redis-based single sign-on method and device
US20140317187A1 (en) Information processing system, document managing server, document managing method, and storage medium
CN111355713A (en) Proxy access method, device, proxy gateway and readable storage medium
TWI516965B (en) File sharing method and file sharing system utilizing the same
US20170104748A1 (en) System and method for managing network access with a certificate having soft expiration
US7233927B1 (en) Method and system for authenticating accounts on a remote server
JP7308554B2 (en) Security authentication method, device and server for B2B service based on corporate official mailbox
JP6848275B2 (en) Program, authentication system and authentication cooperation system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination