CN111914229A - Identity authentication method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN111914229A
Authority
CN (China)
Prior art keywords
authentication token, user, service, authentication, information
Legal status
Pending
Application number
CN202010680952.8A
Other languages
Chinese (zh)
Inventors
王刚, 李永进, 于明亮, 彭振
Current assignee
China Travelsky Technology Co Ltd; China Travelsky Holding Co
Original assignee
China Travelsky Holding Co

Classifications

    • G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication
    • G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] > G06F21/101 Protecting distributed programs or content by binding digital rights to specific entities > G06F21/1014 Protecting distributed programs or content by binding digital rights to tokens
    • G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/44 Program or device authentication

Abstract

The application provides an identity verification method, an identity verification device, electronic equipment and a storage medium. A business front end sends account information of a user to an IAM (user authentication and management system), the IAM generates an authentication token of the user according to the account information, the authentication token carries the identity information of the user, and the identity information of the user is unrelated to the account information of the user; correspondingly, when the service front end calls a background service, the authentication token of the user can be sent to the SAT, and the SAT transmits the authentication token to the IAM to realize user identity verification, so the account information of the user does not need to be transmitted to the SAT in the identity verification process, the safety of the account information of the user is guaranteed, and the aim of verifying the identity of the user is fulfilled on the basis of reducing the potential safety hazards caused by leakage of the account information.

Description

Identity authentication method and device, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of civil aviation, in particular to an identity authentication method, an identity authentication device, electronic equipment and a storage medium.
Background
At present, all business operations at the business front end of an airline company are realized by calling background services of the host and open systems through a managed service interface (SAT); meanwhile, the service front end and the managed interface complete the authentication and authorization of the user through a user authentication and management system (IAM).
In the prior art, the service front end generally calls a background service as follows: the service front end passes the user's account information to the SAT, the SAT uses the account information to call the identity authentication service provided by the IAM, and it is checked whether the user has the authority to call the background service.
Although this background service calling mode can realize user identity verification, the account information needs to be transmitted to the IAM through the SAT for identity authentication, and the account information is easily leaked during transmission, which causes potential safety hazards.
Disclosure of Invention
In view of this, the present application provides an identity authentication method, an identity authentication device, an electronic device, and a storage medium, so as to implement identity authentication of a user on the basis of reducing potential safety hazards caused by leakage of account information. The technical scheme is as follows:
an identity verification method comprising:
receiving a service calling request sent by a target service front end, and obtaining the target service that the user who sent the service calling request requests to call, together with the authentication token according to which it is called, wherein the authentication token is generated in advance by a user authentication and management system (IAM) according to account information of the user sent by a service front end;
transmitting the authentication token to the IAM;
receiving the identity information of the user that the IAM returns after parsing the authentication token, wherein the identity information is different from the account information;
and generating an authentication result of the user for the target service based on the identity information, wherein the authentication result represents that the user is allowed to call the target service or the user is not allowed to call the target service.
An identity verification method comprising:
receiving an authentication token generation request sent by a service front end, wherein the authentication token generation request indicates account information of a user sending the authentication token generation request;
generating and returning an authentication token of the user to the service front end according to the account information;
after a managed service interface (SAT) receives a service calling request, obtaining from the SAT the authentication token carried by the service calling request, wherein the service calling request is generated by a target service front end in response to the user requesting to call a target service according to the authentication token;
and parsing the authentication token to generate the identity information of the user and returning the identity information to the SAT.
An authentication apparatus comprising:
the service calling request receiving unit is used for receiving a service calling request sent by a target service front end, and obtaining the target service that the user who sent the service calling request requests to call, together with the authentication token according to which it is called, wherein the authentication token is generated in advance by a user authentication and management system (IAM) according to account information of the user sent by a service front end;
an authentication token transmission unit for transmitting the authentication token to the IAM;
an identity information receiving unit, configured to receive the identity information of the user that the IAM returns after parsing the authentication token, where the identity information is different from the account information;
and the identity authentication result generation unit is used for generating an identity authentication result of the user for the target service based on the identity information, and the identity authentication result represents that the user is allowed to call the target service or not.
An authentication apparatus comprising:
the authentication token generation request receiving unit is used for receiving an authentication token generation request sent by a service front end, wherein the authentication token generation request indicates account information of a user sending the authentication token generation request;
the authentication token generating unit is used for generating and returning an authentication token of the user to the service front end according to the account information;
the authentication token obtaining unit is used for obtaining, after a managed service interface (SAT) receives a service calling request, the authentication token carried by the service calling request from the SAT, wherein the service calling request is generated by a target service front end in response to the user requesting to call a target service according to the authentication token;
and the authentication token parsing unit is used for parsing the authentication token to generate the identity information of the user and returning the identity information to the SAT.
An electronic device, comprising a processor and a memory, wherein the processor and the memory are connected through a communication bus; the processor is used for calling and executing the program stored in the memory; the memory is used for storing the program, and the program is used for realizing the identity authentication method.
A computer-readable storage medium having stored therein computer-executable instructions for performing the method of identity verification.
The application provides an identity verification method, an identity verification device, electronic equipment and a storage medium. A business front end sends account information of a user to an IAM (user authentication and management system), the IAM generates an authentication token of the user according to the account information, the authentication token carries the identity information of the user, and the identity information of the user is unrelated to the account information of the user; correspondingly, when the service front end calls a background service, the authentication token of the user can be sent to the SAT, and the SAT transmits the authentication token to the IAM to realize user identity verification, so the account information of the user does not need to be transmitted to the SAT in the identity verification process, the safety of the account information of the user is guaranteed, and the aim of verifying the identity of the user is fulfilled on the basis of reducing the potential safety hazards caused by leakage of the account information.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and features are not necessarily drawn to scale.
Fig. 1 is a timing diagram of an authentication method according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of an identity authentication method performed from the perspective of the IAM according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of a method for generating and returning an authentication token of a user to a service front end according to account information according to an embodiment of the present application;
Fig. 4 is a flowchart illustrating a method for parsing an authentication token to generate and return identity information of a user to the SAT according to an embodiment of the present disclosure;
Fig. 5 is a flowchart illustrating a method for performing identity verification from the perspective of the SAT according to an embodiment of the present application;
Fig. 6 is a flowchart illustrating a method for generating an authentication result of a user for a target service based on identity information according to an embodiment of the present application;
Fig. 7 is a schematic flowchart of another authentication method according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of an authentication apparatus according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of another authentication device according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure.
The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules, or units, and are not used for limiting the order or interdependence of the functions performed by the devices, modules, or units.
It is noted that references to "a", "an", and "the" modifications in the disclosure are exemplary rather than limiting, and that those skilled in the art will understand that "one or more" unless the context clearly dictates otherwise.
The application provides an identity authentication method which is applied to an identity authentication system, wherein the identity authentication system is composed of an IAM, an SAT and at least one service front end.
The IAM is a user authentication and management system.
The SAT is a managed service interface and is the channel through which an external application system accesses background services.
The at least one business front end may include an ALG (airline business front end system), an APG (airline departure business front end system), a PCS (pss community service front end), and the like.
The above is only the preferred content of the at least one service front end provided in the embodiment of the present application, and the inventor may set the content according to his own needs, which is not limited herein.
An identity authentication method provided in the embodiments of the present application is described in detail with reference to the above identity authentication system, and please refer to fig. 1 specifically. Fig. 1 is a timing diagram of an authentication method according to an embodiment of the present application.
As shown in fig. 1, the method includes:
S101, the service front end sends an authentication token generation request to the IAM, and the authentication token generation request indicates account information of the user sending the authentication token generation request;
in the embodiment of the application, the IAM is used to implement authentication and authorization of the user, for example, the user may perform user registration at any service front end of at least one service front end, the IAM responds to the user registration request to allocate a user account of the user at the service front end where the user registration is performed to the user, and the user account and a password set by the user for the user account may be regarded as account information of the user.
It should be noted that the same account information may be registered in multiple service front ends of at least one service front end, so that a user may log in at each service front end of multiple service front ends by holding only one account information.
The user may request an authentication token from the IAM through any of the at least one service front-end. For example, after a user logs in a service front end through account information, an authentication token generation request may be sent to the IAM through the service front end, where the authentication token generation request carries the account information.
S102, generating an authentication token of the user by the IAM according to the account information;
the IAM receives an authentication token generation request sent by a user through a service front end, acquires account information of the user carried in the authentication token generation request, and generates an authentication token of the user according to the account information.
The user authentication token generated by the IAM according to the user account information carries the user identity information (i.e., the user authentication token represents the user identity information), but the user identity information is different from the user account information, i.e., the user identity information is not the user account information.
S103, returning an authentication token to the service front end by the IAM;
and the IAM returns the authentication token to the service front end after receiving the authentication token generation request sent by the user through the service front end and generating the authentication token of the user.
And after receiving the returned authentication token, the service front end stores the authentication token in a memory, and the memory can be read and written by any one of the at least one service front end. For example, at least one service front end includes a service front end 1, a service front end 2, and a service front end 3, the user 1 logs in the service front end 2 through the account information 1 to send an authentication token generation request to the IAM, and after receiving the authentication token 1 of the user 1 (i.e., the authentication token 1 of the account information 1) returned by the IAM, the service front end 2 may store the authentication token 1 in a memory, and the memory may be read and written by the service front end 1, the service front end 2, and the service front end 3.
Based on this, after the user logs in the service front end 1 through the account information 1, the authentication token of the user (i.e. the authentication token 1 of the account information 1) can be read from the memory according to the account information 1, a service invocation request is generated according to the authentication token 1 and the service to be invoked (for the convenience of differentiation, the service to be invoked is referred to as a target service in the present application), and the service invocation request is sent to the SAT to request to invoke the target service according to the authentication token 1.
In this embodiment of the present application, the memory may be a cache of the electronic device where the service front end that sends the authentication token generation request is located; this is only a preferred form of the memory provided in this embodiment, and the specific form of the memory may be set by the inventor according to his own needs, which is not limited herein.
S104, the service front end responds to the user operation and sends a service calling request to the SAT, and the service calling request requests to call the target service according to the authentication token;
in this embodiment, the service front end in step S101 and the service front end in step S104 may be the same service front end, or may not be the same service front end.
After the user logs in to the service front end through the account information, if the user needs to call the target service, the service front end can respond to the user's operation of calling the target service by generating a service calling request and sending it to the SAT. If the authentication token of the account information is not stored in the memory, the service calling request is generated according to the account information.
Further, if the authentication token of the account information is not stored in the memory, a reminding message can be returned to the service front end to remind the user that an authentication token generation request can be sent to the IAM, so that the authentication token can be generated according to the account information.
S105, the SAT transmits the authentication token to the IAM;
after receiving the service calling request, the SAT obtains a target service requested to be called by the service calling request and an authentication token carried by the service calling request, and transmits the obtained authentication token to the IAM.
S106, analyzing the authentication token by the IAM to obtain identity information of the user, wherein the identity information of the user is different from account information of the user;
the IAM may parse the authentication token of the user to obtain identity information of the user, and return the identity information of the user to the SAT.
S107, returning the identity information of the user to the SAT by the IAM;
S108, the SAT generates an authentication result of the user for the target service based on the identity information, and the authentication result represents that the user is allowed to call the target service or not.
After receiving the identity information of the user returned by the IAM, the SAT may determine whether the user has the right to call the target service according to the identity information of the user, and further obtain an authentication result of the user. If the user has the right to call the target service, generating an authentication result representing that the user is allowed to call the target service (for convenience of distinguishing, the authentication result can be called a first authentication result); if the user does not have the right to invoke the target service, an authentication result representing that the user is not allowed to invoke the target service is generated (for the sake of distinction, the authentication result may be referred to as a second authentication result).
Further, if the generated authentication result represents that the user is not allowed to call the target service, the SAT determines that the target service call fails, and may further feed back prompt information of the target service call failure to the service front end of step S104.
Furthermore, if the generated authentication result represents that the user is allowed to call the target service, the SAT calls the target service, so that the purpose of the service front end calling the target service through the SAT is achieved.
The above describes an authentication method provided in the embodiment of the present application from the perspective of an authentication system. An identity authentication method provided in the embodiment of the present application will now be described in detail from the view point of IAM, specifically referring to fig. 2.
As shown in fig. 2, the method includes:
S201, receiving an authentication token generation request sent by a service front end, wherein the authentication token generation request indicates account information of the user sending the authentication token generation request;
in the embodiment of the application, the identity authentication system comprises at least one service front end, and a user can obtain through the IAM account information that is applicable to each service front end of the at least one service front end. If a user wants to generate an authentication token, the user can log in to any one of the at least one service front end through the account information and send an authentication token generation request to the IAM through that service front end, wherein the authentication token generation request carries the account information.
S202, generating and returning an authentication token of the user to the service front end according to the account information;
the IAM acquires account information carried by an authentication token generation request after receiving the authentication token generation request sent by a user through a service front end, and generates an authentication token of the user according to the account information. It should be noted that the authentication token of the user represents the identity information of the user, and the identity information of the user is different from the account information of the user.
After receiving an authentication token generation request sent by a user through a service front end and generating an authentication token of the user, the IAM may return the authentication token to the service front end, so that the service front end stores the authentication token in a memory. The memory may be read by each of the at least one business front end.
S203, after a managed service interface (SAT) receives a service calling request, acquiring the authentication token carried by the service calling request, wherein the service calling request is generated by a target service front end in response to a user requesting to call a target service according to the authentication token;
the user can log in any one of the at least one service front end through the account information, and send the service call request to the SAT through the service front end, and the service front end sending the service call request to the SAT can be called a target service front end for the convenience of distinguishing. It should be noted that the service front end where the user sends the service invocation request and the service front end where the user sends the authentication token generation request may or may not be the same service front end.
When the user transmits a service invocation request for invoking the target service to the SAT through the target service front end, if the authentication token of the user is stored in the memory, the service invocation request transmitted to the SAT is generated based on the authentication token of the user, but not based on the account information of the user.
Correspondingly, after receiving the service calling request, the SAT obtains the authentication token carried by the service calling request, and passes the authentication token through to the IAM.
S204, parsing the authentication token to generate the identity information of the user and returning the identity information to the SAT.
After receiving the authentication token, the IAM may parse the authentication token to obtain the identity information of the user, and return the identity information of the user to the SAT, so that the SAT may generate an identity verification result of the user for the target service based on the identity information of the user.
In order to facilitate understanding of the authentication token generation method provided in the embodiment of the present application, a method for generating and returning an authentication token of a user to a service front end according to account information provided in the embodiment of the present application is described in detail, and please refer to fig. 3 specifically.
As shown in fig. 3, the method includes:
S301, acquiring a role list owned by the account information, wherein the role list is composed of at least one role;
the method comprises the steps that a user logs in a service front end through account information, an authentication token generation request is sent to an IAM through the service front end, the authentication token generation request carries the account information of the user, the IAM obtains the account information carried by the authentication token generation request after receiving the authentication token generation request, and a role list owned by the account information is determined, wherein the role list is composed of at least one role. Wherein the at least one role may include an administrator role, a ticket seller role, a prepaid service sales role, and the like.
It should be noted that the IAM is a user authentication and management system, and the user interacts with the IAM through the service front end, and the IAM allocates account information to the user. Furthermore, the IAM also manages the account information of the user, and the role list owned by the account information of the user is managed by the IAM.
S302, generating authentication token information of the user according to the role list;
the IAM receives an authentication token generation request sent by a user, acquires account information carried by the authentication token generation request, and further generates authentication token information according to a role list after acquiring the role list owned by the account information.
In the embodiment of the application, the authentication token information may be generated according to any one or more of a role list owned by the account information, a client identifier of the service front end that sends the authentication token generation request, a user name of the account information, the authentication token creation time, and the authentication token expiration time. The authentication token creation time may be the sending time of the authentication token generation request, and the authentication token expiration time may be the sum of the sending time of the authentication token generation request and a preset time duration; for example, if the authentication token creation time is 2020.07.07-10:00 and the preset time duration is 30 minutes, then the authentication token expiration time is 2020.07.07-10:30.
Referring to the following authentication token information table, the authentication token information may be composed of the following elements:
[Authentication token information table: present in the original only as images (Figure BDA0002585812360000091, Figure BDA0002585812360000101); the elements named in the text are the role list, the client identifier, the user name, the authentication token creation time and the authentication token expiration time.]
For example, the IAM generates authentication token information as follows:
[Example authentication token information: present in the original only as an image (Figure BDA0002585812360000102), not available as text.]
S303, encrypting the authentication token information to obtain an authentication token of the user;
in this embodiment of the application, the IAM may obtain a symmetric key from the hardware encryption device through a key escrow system (EKMS), and encrypt the authentication token information with the obtained symmetric key using a national cryptographic algorithm to obtain the authentication token.
The national cryptographic algorithms, namely the domestic cryptographic algorithms, are the domestic commercial cryptographic algorithms identified by the national cryptographic authority; those currently used mainly in the civil aviation field are the three published algorithms SM2, SM3 and SM4.
In this embodiment of the present application, preferably, the authentication token information is encrypted with the obtained symmetric key using the SM4 algorithm to obtain the authentication token.
The hardware encryption machine is an encryption device independently developed in China and identified and approved for use by the national commercial cryptography administration; it meets the Multi-Level Protection Scheme 2.0 ("equal security 2.0") standard and the national cryptography administration standard.
S304, signing the authentication token by using the authentication token information to obtain signature information of the authentication token;
Further, the IAM may also obtain an encryption key from the hardware encryption device through the EKMS, and encrypt target information in the authentication token information with this encryption key to obtain the signature information of the authentication token.
In the embodiment of the application, the IAM may acquire the target information from the authentication token information according to a preset information acquisition rule, and the target information may be part of/all of the information in the authentication token information. For example, the target information may be a client identifier, an authentication token expiration time, and the like in the authentication token information.
The specific content of the information acquisition rule may be set by the inventor according to the needs of the inventor, and is not limited herein.
S305, returning the authentication token carrying the signature information to the service front end.
After generating the authentication token of the user and generating the signature information of the authentication token, the IAM may return the authentication token carrying the signature information to the service front end sending the authentication token generation request, so that the service front end stores the authentication token carrying the signature information in the memory, and further, the target service front end in the at least one service front end sends the service invocation request to the SAT based on the authentication token stored in the memory. That is, the authentication token carried in the service invocation request carries the signature information.
Further, building on the method shown in fig. 3 for generating the authentication token of the user according to the account information and returning it to the service front end, the method provided in the embodiment of the present application for parsing the authentication token and returning the identity information of the user to the SAT is described in detail with reference to fig. 4.
As shown in fig. 4, the method includes:
S401, verifying the signature of the authentication token according to the signature information to obtain a signature verification result of the authentication token;
The SAT receives a service invocation request sent by the target service front end, acquires the authentication token carrying the signature information from the service invocation request, and then sends the authentication token carrying the signature information to the IAM.
After receiving the authentication token carrying the signature information, the IAM may verify the signature of the authentication token according to the signature information it carries to obtain the signature verification result of the authentication token.
In the embodiment of the application, the IAM acquires the decryption key from the hardware encryption device through the EKMS and decrypts the signature information of the authentication token with the decryption key to obtain the target information. The IAM also decrypts the authentication token with the symmetric key to obtain the authentication token information, and acquires the target information from that authentication token information according to the information acquisition rule. If the target information acquired from the authentication token information is consistent with the target information obtained by decrypting the signature information, a signature verification result representing that the authentication token passes signature verification is generated; conversely, if the two are inconsistent, a signature verification result representing that the authentication token fails signature verification is generated.
S402, if the signature verification result represents that the signature verification is successful, decrypting the authentication token to obtain the authentication token information and acquiring the role list;
In the embodiment of the application, if the signature verification result represents that the signature verification of the authentication token is successful, the authentication token is decrypted to obtain the authentication token information, and the role list is acquired from the authentication token information.
Further, the authentication token carried in the service invocation request that the target service front end sends to the SAT may also include an authentication token identifier: when the authentication token is generated, the authentication token information is encrypted with the symmetric key to obtain the authentication token, and the authentication token identifier may also be taken from the authentication token information and set as the authentication token identifier carried by the authentication token.
Correspondingly, after the IAM successfully verifies the signature of the authentication token, it acquires the authentication token identifier of the authentication token and determines, according to that identifier, whether the authentication token has been revoked. If it has been revoked, the IAM returns prompt information representing that the authentication token has been revoked to the SAT, and the SAT generates a second identity verification result after receiving that prompt information; if it has not been revoked, the IAM decrypts the authentication token to obtain the authentication token information and acquires the role list from it.
In the embodiment of the application, after the user logs off (revokes) the authentication token, the authentication token stored in the memory is deleted; correspondingly, the method for determining whether the authentication token has been revoked according to the authentication token identifier may be: search the memory for an authentication token carrying that authentication token identifier; if one exists, determine that the authentication token has not been revoked; if none exists, determine that the authentication token has been revoked.
Furthermore, before the role list in the authentication token information is acquired, the authentication token expiration time in the authentication token information may be acquired, and it may be judged whether the current time exceeds that expiration time. If the current time does not exceed the authentication token expiration time, the role list in the authentication token information is acquired; if the current time exceeds it, the authentication token is determined to be invalid, and prompt information indicating that the authentication token is invalid is returned to the SAT, so that the SAT generates a second identity verification result based on that prompt information returned by the IAM.
S403, return the role list in the authentication token information to the SAT.
In the embodiment of the application, the IAM returns the role list in the authentication token information to the SAT, so that the SAT can determine whether the user has the right to call the target service according to the role list. The role list in the authentication token information of the user returned to the SAT by the IAM may be regarded as the identity information of the user returned to the SAT by the IAM.
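The issuance procedure of fig. 3 (S301 to S305) and the parsing procedure of fig. 4 (S401 to S403, with the revocation and expiry checks) in one piece of Go, added here as an example; it is not code from the patent or from any Travelsky system. It assumes AES-GCM in place of SM4 (the Go standard library has no SM4), keeps both keys in memory rather than fetching them from the hardware encryption device through the EKMS, takes "client identifier plus expiry time" as the preset information acquisition rule (the page's own example), and the type and function names (IAM, TokenInfo, SignedToken, Issue, Parse, Revoke) are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// TokenInfo holds the elements the page lists for the authentication token information.
type TokenInfo struct {
	TokenID, UserName, ClientID string // TokenID is the identifier the revocation check uses
	Roles                       []string
	CreatedAt, ExpiresAt        time.Time
}

type SignedToken struct {
	Token     []byte // token information encrypted under the symmetric key (S303)
	Signature []byte // target information encrypted under the second key (S304)
}

var ErrBadSignature = errors.New("authentication token failed signature verification")
var ErrRevoked = errors.New("authentication token has been revoked")
var ErrExpired = errors.New("authentication token has expired")

// IAM holds the two keys (in memory here; the page fetches them from the hardware encryption
// device via the EKMS), the role list per account, and the tokens still held in memory.
type IAM struct {
	tokenKey, sigKey cipher.AEAD
	accountRoles     map[string][]string
	inMemory         map[string]bool // an identifier missing here counts as revoked
}

func NewIAM(tokenKey, sigKey []byte, roles map[string][]string) *IAM {
	mk := func(key []byte) cipher.AEAD { // AES-GCM stands in for SM4, absent from Go's stdlib
		block, _ := aes.NewCipher(key) // keys are fixed 16-byte values in this example
		g, _ := cipher.NewGCM(block)
		return g
	}
	return &IAM{tokenKey: mk(tokenKey), sigKey: mk(sigKey), accountRoles: roles, inMemory: map[string]bool{}}
}

func seal(a cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce) // fresh random nonce, prefixed to the ciphertext below
	return a.Seal(nonce, nonce, plaintext, nil)
}

func open(a cipher.AEAD, data []byte) ([]byte, error) {
	if n := a.NonceSize(); len(data) >= n {
		return a.Open(nil, data[:n], data[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// targetInfo is the preset information acquisition rule: client identifier plus expiry time.
func targetInfo(ti TokenInfo) []byte {
	return []byte(ti.ClientID + "|" + ti.ExpiresAt.UTC().Format(time.RFC3339))
}

// Issue implements S301-S305: look up the role list, build and encrypt the token
// information, derive the signature information, and record the token in memory.
func (iam *IAM) Issue(userName, clientID string, ttl time.Duration) (SignedToken, TokenInfo, error) {
	roles, ok := iam.accountRoles[userName]
	if !ok {
		return SignedToken{}, TokenInfo{}, errors.New("unknown account")
	}
	id := make([]byte, 16)
	rand.Read(id)
	now := time.Now()
	ti := TokenInfo{TokenID: hex.EncodeToString(id), UserName: userName, ClientID: clientID,
		Roles: roles, CreatedAt: now, ExpiresAt: now.Add(ttl)}
	plain, _ := json.Marshal(ti) // TokenInfo always marshals
	iam.inMemory[ti.TokenID] = true
	return SignedToken{Token: seal(iam.tokenKey, plain), Signature: seal(iam.sigKey, targetInfo(ti))}, ti, nil
}

// Revoke models the user logging off the token: it is deleted from memory.
func (iam *IAM) Revoke(tokenID string) { delete(iam.inMemory, tokenID) }

// Parse implements S401-S403 plus the revocation and expiry checks: the target information
// recovered from the signature must equal the one taken from the decrypted token information.
func (iam *IAM) Parse(st SignedToken) ([]string, error) {
	fromSig, err1 := open(iam.sigKey, st.Signature)
	plain, err2 := open(iam.tokenKey, st.Token)
	var ti TokenInfo
	switch {
	case err1 != nil || err2 != nil || json.Unmarshal(plain, &ti) != nil ||
		subtle.ConstantTimeCompare(fromSig, targetInfo(ti)) != 1:
		return nil, ErrBadSignature
	case !iam.inMemory[ti.TokenID]:
		return nil, ErrRevoked
	case time.Now().After(ti.ExpiresAt):
		return nil, ErrExpired
	}
	return ti.Roles, nil
}
```

Two points worth noting for anyone implementing the scheme as described. First, what the page calls signature information is a second symmetric encryption of a subset of the token information, not a digital signature: it proves only that the issuer held the second key, so both keys must stay on the IAM side and the comparison should be constant-time, as above. Second, with a plain block cipher such as SM4 in a non-authenticated mode the "signature" binds only the fields the information acquisition rule selects (here client identifier and expiry), so any field outside that rule, the role list included, would carry no integrity protection; an AEAD tag or an HMAC over the whole token is the standard way to close that gap, and the AES-GCM stand-in gets it for free.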
The above describes the identity verification method provided in the embodiment of the present application from the viewpoint of the IAM. An identity verification method provided in the embodiments of the present application will now be described in detail with reference to fig. 5.
As shown in fig. 5, the method includes:
S501, receiving a service invocation request sent by a target service front end, and acquiring, according to an authentication token, the target service that the user who sent the service invocation request requests to invoke, wherein the authentication token is generated in advance by the user authentication and management system (IAM) according to the account information of the user sent by the service front end;
the identity verification method shown in fig. 5 provided in the embodiment of the present application is applied to the SAT, and for convenience of distinction, the embodiment of the present application refers to a service front end that sends a service invocation request to the SAT as a target service front end.
A user on the target service front end side, after logging in to the target service front end with account information, can request to invoke the target service by sending a service invocation request to the SAT. When the user requests a service invocation and the memory holds the authentication token of the user (i.e., the authentication token of the user's account information), a service invocation request may be generated based on that authentication token and the target service the user requests to invoke, and sent to the SAT.
Correspondingly, after receiving the service invocation request sent by the target service front end, the SAT can acquire, according to the authentication token, the target service that the user who sent the request requests to invoke; that is, it acquires both the authentication token carried by the service invocation request and the target service requested.
S502, transmitting the authentication token to the IAM;
the SAT receives a service calling request sent by the target service front end, and after acquiring an authentication token carried by the service calling request, the SAT can send the acquired authentication token to the IAM, so that the IAM can analyze the authentication token to obtain the identity information of the user after receiving the authentication token, and return the identity information of the user to the SAT.
S503, receiving the identity information of the user returned by the IAM analysis authentication token, wherein the identity information is different from the account information;
and the SAT receives the identity information of the user returned by the IAM, judges whether the user has the authority of calling the target service according to the identity information of the user and generates an identity verification result of the user according to the judgment result.
S504, an authentication result of the user for the target service is generated based on the identity information, and the authentication result represents that the user is allowed to call the target service or not.
In the embodiment of the application, if the judgment result represents that the user does not have the authority of calling the target service, the generated identity verification result represents that the user is not allowed to call the target service; and if the judgment result represents that the user has the authority of calling the target service, the generated identity authentication result represents that the user is allowed to call the target service.
Specifically, please refer to fig. 6 for a method for generating an authentication result of a user for a target service based on identity information according to an embodiment of the present application.
As shown in fig. 6, the method includes:
S601, searching the preset correspondence between roles and permissions, and respectively acquiring the permission corresponding to each of the at least one role;
the IAM returns the identity information of the user to the SAT, where the identity information of the user may be a role list in authentication token information obtained by the IAM analyzing an authentication token of the user, and the role list includes at least one role. The SAT is preset with the corresponding relation between roles and authorities, and after receiving the role list returned by the IAM, the SAT searches the corresponding relation between the preset roles and authorities to respectively acquire the authorities corresponding to each role in the role list.
In the embodiment of the application, the authority may be an interface, the SAT sets a correspondence between a role and the interface in advance, and the interface corresponding to each role in the role list returned by the IAM is obtained by searching the correspondence between the role and the interface set in advance. It should be noted that, in the preset correspondence relationship between the roles and the interfaces, a many-to-many relationship may be used between the roles and the interfaces.
For example, suppose the SAT presets that role 1 corresponds to interface 1 and interface 2, role 2 corresponds to interface 3, and role 3 corresponds to interface 1, interface 2 and interface 4. If the role list returned by the IAM includes role 2 and role 3, then by searching the preset correspondence between roles and interfaces it can be determined that the interface corresponding to role 2 is interface 3 and the interfaces corresponding to role 3 are interface 1, interface 2 and interface 4, and further that all the interfaces corresponding to the acquired role list are interface 1, interface 2, interface 3 and interface 4.
S602, judging whether the acquired permissions include a permission related to the target service; if all the acquired permissions include a permission related to the target service, executing step S603; if they do not, executing step S604;
The SAT searches the preset correspondence between roles and interfaces, respectively acquires the interfaces corresponding to each of the at least one role, and treats the union of the interfaces corresponding to each role as all the permissions of the acquired role list. For example, all the interfaces corresponding to the acquired role list (interface 1, interface 2, interface 3 and interface 4) are all the permissions of the acquired role list.
The target service front end's request to the SAT to invoke the target service may be understood as essentially a request to invoke an interface of the target service (for ease of distinction, the interface of the target service may be referred to as the target interface).
The SAT judges whether the target interface exists among all the interfaces corresponding to the acquired role list. If it does, the SAT determines that the acquired permissions include a permission related to the target service; if it does not, the SAT determines that the acquired permissions do not include a permission related to the target service.
S603, generating a first identity verification result, wherein the first identity verification result represents that the user is allowed to call the target service;
if the SAT determines that the acquired all the authorities have the authority related to the target service, an authentication result representing that the user is allowed to call the target service is generated (for convenience of distinguishing, the authentication result is called a first authentication result).
S604, generating a second authentication result, wherein the second authentication result represents that the user is not allowed to call the target service.
If the SAT determines that the obtained all the authorities do not have the authority related to the target service, an authentication result representing that the user is not allowed to call the target service is generated (for convenience of distinguishing, the authentication result is called as a second authentication result).
Further, a white list is preset in the SAT; the white list comprises the service front ends allowed to invoke services. After the SAT receives a service invocation request sent by the target service front end, it may determine whether the target service front end is a service front end indicated by the white list. If it is, the SAT acquires the authentication token carried in the service invocation request sent by the target service front end and transmits the authentication token to the IAM; if it is not, the SAT directly generates a second identity verification result.
This is described in detail below in connection with another method of identity verification as shown in fig. 7.
As shown in fig. 7, the method includes:
S701, receiving a service invocation request sent by a target service front end, and acquiring, according to an authentication token, the target service that the user who sent the service invocation request requests to invoke, wherein the authentication token is generated in advance by the user authentication and management system (IAM) according to the account information of the user sent by the service front end;
S702, acquiring a preset white list, wherein the white list indicates the service front ends allowed to perform identity verification according to an authentication token;
S703, judging whether the target service front end is a service front end indicated by the white list; if so, executing step S704; if not, executing step S709;
S704, transmitting the authentication token to the IAM;
S705, receiving the identity information of the user returned by the IAM after parsing the authentication token, wherein the identity information comprises at least one role owned by the user;
S706, searching the preset correspondence between roles and permissions, and respectively acquiring the permission corresponding to each of the at least one role;
S707, judging whether the acquired permissions include a permission related to the target service; if so, executing step S708; if not, executing step S709;
S708, generating a first identity verification result, wherein the first identity verification result represents that the user is allowed to invoke the target service;
S709, generating a second identity verification result, wherein the second identity verification result represents that the user is not allowed to invoke the target service.
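The SAT side of fig. 6 and fig. 7 (white-list gate, role-to-interface lookup, union of permissions, target-interface check) as an added Go example; it is not the patent's own code. The role-to-interface table repeats the page's own example (role 1 to interfaces 1 and 2, role 2 to interface 3, role 3 to interfaces 1, 2 and 4); the white-listed front-end name "ALG", the TokenParser callback standing in for the HTTPS round trip to the IAM, and all type and function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ServiceInvocationRequest is what a target service front end sends to the SAT: the
// cached authentication token (opaque to the SAT) and the interface of the target service.
type ServiceInvocationRequest struct {
	FrontEnd        string // identifies the sending service front end
	Token           []byte
	TargetInterface string
}

// TokenParser models the IAM round trip of S704/S705: it returns the role list taken
// from the token information, or an error when the token fails signature verification,
// has been revoked, or has expired.
type TokenParser func(token []byte) ([]string, error)

// Result is the identity verification result: Denied is the page's "second result",
// Allowed its "first result".
type Result int

const (
	Denied Result = iota
	Allowed
)

// SAT holds the preset white list and the preset many-to-many correspondence between
// roles and interfaces (the page's "permissions"), plus the parser that reaches the IAM.
type SAT struct {
	WhiteList      map[string]bool
	RoleInterfaces map[string][]string
	Parse          TokenParser
}

// InterfacesFor implements S601/S706: the union of the interfaces corresponding to
// every role in the role list, sorted so results compare stably.
func (s *SAT) InterfacesFor(roles []string) []string {
	seen := map[string]bool{}
	for _, role := range roles {
		for _, iface := range s.RoleInterfaces[role] {
			seen[iface] = true
		}
	}
	out := make([]string, 0, len(seen))
	for iface := range seen {
		out = append(out, iface)
	}
	sort.Strings(out)
	return out
}

// Verify implements S701-S709: the white-list check comes first, so a front end that
// is not listed never causes an IAM round trip; then the target interface must lie in
// the union of the permissions of the returned roles.
func (s *SAT) Verify(req ServiceInvocationRequest) (Result, error) {
	if !s.WhiteList[req.FrontEnd] {
		return Denied, errors.New("service front end not in white list") // S703 -> S709
	}
	roles, err := s.Parse(req.Token) // S704, S705
	if err != nil {
		return Denied, fmt.Errorf("IAM rejected authentication token: %w", err)
	}
	for _, iface := range s.InterfacesFor(roles) { // S706, S707
		if iface == req.TargetInterface {
			return Allowed, nil // S708
		}
	}
	return Denied, fmt.Errorf("no role grants interface %q", req.TargetInterface) // S709
}

// NewExampleSAT wires up the page's own correspondence (role 1 -> interfaces 1 and 2,
// role 2 -> interface 3, role 3 -> interfaces 1, 2 and 4) and white-lists a front end
// named "ALG"; both the name and the injected parser are constructed for this example.
func NewExampleSAT(parse TokenParser) *SAT {
	return &SAT{
		WhiteList: map[string]bool{"ALG": true},
		RoleInterfaces: map[string][]string{
			"role 1": {"interface 1", "interface 2"},
			"role 2": {"interface 3"},
			"role 3": {"interface 1", "interface 2", "interface 4"},
		},
		Parse: parse,
	}
}

func main() {
	// Stand-in parser: a real SAT would hand the token to the IAM over HTTPS.
	sat := NewExampleSAT(func([]byte) ([]string, error) { return []string{"role 2", "role 3"}, nil })
	fmt.Println(sat.InterfacesFor([]string{"role 2", "role 3"}))
	res, err := sat.Verify(ServiceInvocationRequest{FrontEnd: "ALG", Token: []byte("cached"), TargetInterface: "interface 4"})
	fmt.Println(res == Allowed, err)
}
```

Ordering the white-list check before the IAM round trip is the detail that matters operationally: a request from an unlisted front end is rejected without the IAM ever decrypting or verifying a token, which both limits load on the key-holding component and keeps unlisted callers from probing token validity. The union over roles is also what makes the many-to-many correspondence safe to extend; a role that maps to no interface simply contributes nothing.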
According to the embodiment of the application, after the account information of a user on the service front-end application (such as ALG) side passes IAM authentication, an authentication token is generated, and the user can choose to cache the authentication token. When the background service is invoked through the SAT hosted service interface, the authentication token is transmitted to the SAT; the SAT transmits the authentication token to the IAM for authentication over an HTTPS channel and at the same time marks the authentication token as transmitted by the ALG application. The IAM preferably checks the integrity of the authentication token through a check server, decrypts the authentication token if the check passes, acquires the detailed information in the authentication token (namely the authentication token information), checks the validity period of the authentication token and the role list in the authentication token information, and, if these checks pass, returns the role list in the authentication token information to the SAT, which determines through the role list whether the ALG may invoke the background service.
Checking the role list in the authentication token of the account information mainly involves determining whether the role list owned by the user account of the account information is consistent with the role list in the authentication token of the account information: if the two role lists are consistent, the role list check is determined to pass; if they are inconsistent, the role list check is determined to fail.
The application provides an identity verification method, a business front end sends account information of a user to an IAM, the IAM generates an authentication token of the user according to the account information, the authentication token carries the identity information of the user, and the identity information of the user is irrelevant to the account information of the user (namely, the identity information of the user is not the account information of the user); correspondingly, when the background service is called at the front end of the service, the authentication token of the user can be sent to the SAT, the SAT transmits the authentication token to the IAM to realize user identity verification, account information of the user does not need to be transmitted to the SAT in the identity verification process, the safety of the account information of the user is guaranteed, and the aim of verifying the identity of the user is fulfilled on the basis of reducing potential safety hazards caused by leakage of the account information.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In some embodiments, the clients, servers may communicate using any currently known or future developed network Protocol, such as HTTP (HyperText Transfer Protocol), and may interconnect with any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), the Internet (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
Although the operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order, and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
Computer program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
Fig. 8 is a schematic structural diagram of an authentication device according to an embodiment of the present application.
As shown in fig. 8, the apparatus includes:
a service invocation request receiving unit 81, configured to receive a service invocation request sent by a target service front end and to acquire, according to an authentication token, the target service that the user who sent the service invocation request requests to invoke, where the authentication token is generated in advance by the user authentication and management system IAM according to the account information of the user sent by the service front end;
an authentication token transmission unit 82 for transmitting an authentication token to the IAM;
an identity information receiving unit 83, configured to receive the identity information of the user returned by the IAM after parsing the authentication token, where the identity information is different from the account information;
and an authentication result generating unit 84, configured to generate an authentication result of the user for the target service based on the identity information, where the authentication result represents whether the user is allowed to invoke the target service or not.
In this embodiment of the present application, preferably, the identity information includes at least one role owned by the user, and the identity verification result generating unit includes:
the permission acquiring unit is used for searching the preset corresponding relation between the roles and the permissions and respectively acquiring the permission corresponding to each role in at least one role;
a first judgment unit, configured to judge whether the acquired permissions include a permission related to the target service;
a first identity verification result generation unit, configured to generate a first identity verification result if the acquired permissions include a permission related to the target service, where the first identity verification result represents that the user is allowed to invoke the target service;
and a second identity verification result generation unit, configured to generate a second identity verification result if the acquired permissions do not include a permission related to the target service, where the second identity verification result represents that the user is not allowed to invoke the target service.
Further, an identity authentication apparatus provided in an embodiment of the present application further includes a second determining unit, where the second determining unit includes:
a white list acquiring unit, configured to acquire a preset white list, where the white list indicates the service front ends allowed to perform identity verification according to an authentication token;
the judging subunit is used for judging whether the target service front end is a service front end indicated by a white list;
the second identity verification result generation unit is further configured to generate a second identity verification result if the target service front end is not a service front end indicated by the white list;
the authentication token transmission unit is specifically configured to: and if the target service front end is the service front end indicated by the white list, transmitting the authentication token to the IAM.
Fig. 9 is a schematic structural diagram of another authentication device according to an embodiment of the present application.
As shown in fig. 9, the apparatus includes:
an authentication token generation request receiving unit 91, configured to receive an authentication token generation request sent by a service front end, where the authentication token generation request indicates account information of a user who sends the authentication token generation request;
the authentication token generation unit 92 is used for generating and returning an authentication token of the user to the service front end according to the account information;
an authentication token obtaining unit 93, configured to obtain the authentication token carried in a service invocation request sent by the hosted service interface SAT after receiving the service invocation request, where the service invocation request is generated according to the authentication token by the target service front end in response to the user's operation requesting to invoke the target service;
and an authentication token parsing unit 94, configured to parse the authentication token and return the identity information of the user to the SAT.
In the embodiment of the present application, preferably, the authentication token generation unit includes:
the account information acquiring unit, configured to acquire the role list owned by the account information;
the authentication token information generating unit is used for generating authentication token information of the user according to the role list;
the authentication token generation subunit is used for encrypting the authentication token information to obtain an authentication token of the user;
the signature verification information generating unit is used for signing the authentication token by using the authentication token information to obtain signature information of the authentication token;
and the authentication token returning unit is used for returning the authentication token carrying the signature information to the service front end.
In this embodiment, preferably, the authentication token parsing unit includes:
the signature verification unit is used for verifying the signature of the authentication token according to the signature information to obtain a signature verification result of the authentication token;
the obtaining unit is used for obtaining a role list from the authentication token information obtained by decrypting the authentication token if the signature verification result represents that the signature verification is successful;
and a returning unit for returning the role list in the authentication token information to the SAT.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. Where the name of a unit does not in some cases constitute a limitation of the unit itself, for example, the first retrieving unit may also be described as a "unit for retrieving at least two internet protocol addresses".
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
An embodiment of the present application further provides an electronic device, which includes: the system comprises a processor and a memory, wherein the processor and the memory are connected through a communication bus; the processor is used for calling and executing the program stored in the memory; the memory is used for storing a program, and the program is used for realizing the identity authentication method.
Referring now to FIG. 10, a block diagram of an electronic device 10 suitable for use in implementing embodiments of the present disclosure is shown. The electronic devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., car navigation terminals), and the like, and fixed terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 10 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 10, the electronic apparatus may include a processing device (e.g., a central processing unit, a graphics processor, etc.) 1001 that may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1002 or a program loaded from a storage device 1006 into a Random Access Memory (RAM) 1003. In the RAM 1003, various programs and data necessary for the operation of the electronic apparatus 10 are also stored. The processing device 1001, the ROM 1002, and the RAM 1003 are connected to each other by a bus 1004. An input/output (I/O) interface 1005 is also connected to bus 1004.
Generally, the following devices may be connected to the I/O interface 1005: input devices 1006 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 1007 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage devices 1008 including, for example, magnetic tape, hard disk, and the like; and a communication device 1009. The communications apparatus 1009 may allow the electronic device 10 to communicate with other devices wirelessly or by wire to exchange data. While fig. 10 illustrates an electronic device 10 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a non-transitory computer readable medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication means 1009, or installed from the storage means 1008, or installed from the ROM 1002. The computer program, when executed by the processing device 1001, performs the above-described functions defined in the methods of the embodiments of the present disclosure.
Furthermore, an embodiment of the present application further provides a computer-readable storage medium, where computer-executable instructions are stored in the computer-readable storage medium, and the computer-executable instructions are used for executing an identity verification method.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: receive a service calling request sent by a target service front end, and determine, according to an authentication token, the target service that the user who sent the service calling request is requesting to call, wherein the authentication token was generated in advance by a user authentication and management system (IAM) according to account information of the user sent by the service front end; transmit the authentication token to the IAM; receive the identity information of the user that the IAM returns after parsing the authentication token, wherein the identity information is different from the account information; and generate an identity verification result of the user for the target service based on the identity information, wherein the result represents either that the user is allowed to call the target service or that the user is not allowed to call it.
Alternatively, the computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: receive an authentication token generation request sent by a service front end, wherein the request indicates account information of the user sending it; generate an authentication token of the user according to the account information and return it to the service front end; obtain the authentication token carried by a service calling request, which a managed service interface (SAT) sends after receiving that request, wherein the service calling request is generated by a target service front end from the authentication token in response to the user requesting to call a target service; and parse the authentication token, generate the identity information of the user and return it to the SAT.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
According to one or more embodiments of the present disclosure, there is provided an identity verification method [ an example as shown in fig. 1 ], comprising: receiving a service calling request sent by a target service front end, and determining, according to an authentication token, the target service that the user who sent the service calling request is requesting to call, wherein the authentication token is generated in advance by a user authentication and management system (IAM) according to account information of the user sent by the service front end; transmitting the authentication token to the IAM; receiving the identity information of the user returned by the IAM after parsing the authentication token, wherein the identity information is different from the account information; and generating an identity verification result of the user for the target service based on the identity information, wherein the result represents either that the user is allowed to call the target service or that the user is not allowed to call it;
and,
receiving an authentication token generation request sent by a service front end, wherein the authentication token generation request indicates account information of the user sending it; generating an authentication token of the user according to the account information and returning it to the service front end; obtaining the authentication token carried by a service calling request, which a managed service interface (SAT) sends after receiving that request, wherein the service calling request is generated by a target service front end from the authentication token in response to the user requesting to call a target service; and parsing the authentication token, generating the identity information of the user and returning it to the SAT.
According to one or more embodiments of the present disclosure, an identity verification method is provided [ an example as shown in fig. 2 ], comprising: receiving an authentication token generation request sent by a service front end, wherein the authentication token generation request indicates account information of the user sending it; generating an authentication token of the user according to the account information and returning it to the service front end; obtaining the authentication token carried by a service calling request, which a managed service interface (SAT) sends after receiving that request, wherein the service calling request is generated by a target service front end from the authentication token in response to the user requesting to call a target service; and parsing the authentication token, generating the identity information of the user and returning it to the SAT.
According to one or more embodiments of the present disclosure, an example as shown in fig. 3 is provided for a method of generating and returning an authentication token of the user to the service front end according to the account information, including: acquiring a role list owned by the account information, wherein the role list is composed of at least one role; generating authentication token information of the user according to the role list; encrypting the authentication token information to obtain an authentication token of the user; signing the authentication token by using the authentication token information to obtain signature information of the authentication token; and returning the authentication token carrying the signature information to the service front end.
According to one or more embodiments of the present disclosure, an example as shown in fig. 4 is provided of a method of parsing the authentication token, generating the identity information of the user and returning it to the SAT, comprising: verifying the signature of the authentication token according to the signature information to obtain a signature verification result of the authentication token; if the signature verification result represents that signature verification is successful, acquiring a role list from the authentication token information obtained by decrypting the authentication token; and returning the role list in the authentication token information to the SAT.
According to one or more embodiments of the present disclosure, there is provided a method of identity verification [ an example as shown in fig. 5 ], comprising: receiving a service calling request sent by a target service front end, and determining, according to an authentication token, the target service that the user who sent the service calling request is requesting to call, wherein the authentication token is generated in advance by a user authentication and management system (IAM) according to account information of the user sent by the service front end; transmitting the authentication token to the IAM; receiving the identity information of the user returned by the IAM after parsing the authentication token, wherein the identity information is different from the account information; and generating an identity verification result of the user for the target service based on the identity information, wherein the result represents either that the user is allowed to call the target service or that the user is not allowed to call it.
According to one or more embodiments of the present disclosure, an example as shown in fig. 6 is provided for a method of generating an authentication result of the user for the target service based on the identity information, including: searching a preset correspondence between roles and permissions, and acquiring the permission corresponding to each of the at least one role; judging whether the permission related to the target service is among all the obtained permissions; if it is, generating a first identity verification result, wherein the first identity verification result represents that the user is allowed to call the target service; and if it is not, generating a second identity verification result, wherein the second identity verification result represents that the user is not allowed to call the target service.
According to one or more embodiments of the present disclosure, an example as shown in fig. 7 provides a method of identity verification, the method comprising: acquiring a preset white list, wherein the white list indicates a service front end which allows identity verification according to an authentication token; judging whether the target service front end is the service front end indicated by the white list; if the target service front end is not the service front end indicated by the white list, generating a second identity verification result; the transmitting the authentication token to the IAM, comprising: and if the target service front end is the service front end indicated by the white list, transmitting the authentication token to the IAM.
According to one or more embodiments of the present disclosure, there is provided an authentication apparatus [ an example as shown in fig. 8 ], including: the service calling request receiving unit is used for receiving a service calling request sent by a target service front end and determining, according to an authentication token, the target service that the user who sent the service calling request is requesting to call, wherein the authentication token is generated in advance by a user authentication and management system (IAM) according to account information of the user sent by the service front end; an authentication token transmission unit for transmitting the authentication token to the IAM; an identity information receiving unit, configured to receive identity information of the user, which the IAM returns after parsing the authentication token, where the identity information is different from the account information; and the identity authentication result generation unit is used for generating an identity authentication result of the user for the target service based on the identity information, wherein the identity authentication result represents whether or not the user is allowed to call the target service.
According to one or more embodiments of the present disclosure, there is provided [ an example as shown in fig. 8 ] another authentication apparatus, including: the authentication token generation request receiving unit is used for receiving an authentication token generation request sent by a service front end, wherein the authentication token generation request indicates account information of the user sending it; the authentication token generating unit is used for generating an authentication token of the user according to the account information and returning it to the service front end; the authentication token obtaining unit is used for obtaining the authentication token carried by a service calling request, which the escrow service interface (SAT) sends after receiving that request, wherein the service calling request is generated by a target service front end from the authentication token in response to the user requesting to call a target service; and the authentication token analysis unit is used for parsing the authentication token, generating the identity information of the user and returning it to the SAT.
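The two sides of the flow summarised above, as an added example written for this page and not code from the patent: an IAM that builds the token information from the role list, encrypts and signs it (fig. 3) and parses it only after the signature verifies (fig. 4), and a SAT that applies the front-end white list before contacting the IAM and then maps roles to permissions (figs. 6 and 7). AES-256-GCM, HMAC-SHA256, the "token.signature" encoding, the account directory, the white list and the role-to-permission table are all assumptions, since the patent specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// IAM issues and parses tokens. Assumed algorithms (the patent names none): AES-256-GCM
// encrypts the token information, HMAC-SHA256 signs the ciphertext; only the IAM holds the keys.
type IAM struct {
	aead   cipher.AEAD
	macKey []byte
	roles  map[string][]string // account information -> owned role list
}

func (iam *IAM) sign(token string) string {
	mac := hmac.New(sha256.New, iam.macKey)
	mac.Write([]byte(token))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// IssueToken (fig. 3): acquire the role list, generate token information, encrypt, sign, return.
func (iam *IAM) IssueToken(account string) (string, error) {
	roles, ok := iam.roles[account]
	if !ok || len(roles) == 0 {
		return "", errors.New("account owns no roles")
	}
	info, _ := json.Marshal(roles) // the token information; a []string always marshals
	nonce := make([]byte, iam.aead.NonceSize())
	rand.Read(nonce) // fresh nonce per token; crypto/rand.Read never fails since Go 1.24
	token := base64.RawURLEncoding.EncodeToString(iam.aead.Seal(nonce, nonce, info, nil))
	return token + "." + iam.sign(token), nil
}

// ParseToken (fig. 4): verify the signature first, decrypt only on success, return the roles.
func (iam *IAM) ParseToken(signed string) ([]string, error) {
	token, sig, ok := strings.Cut(signed, ".")
	if !ok || !hmac.Equal([]byte(sig), []byte(iam.sign(token))) {
		return nil, errors.New("signature verification failed")
	}
	raw, err := base64.RawURLEncoding.DecodeString(token)
	ns := iam.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return nil, errors.New("malformed ciphertext")
	}
	info, err := iam.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return nil, err
	}
	var roles []string
	err = json.Unmarshal(info, &roles)
	return roles, err
}

// SAT is the managed service interface; white list and role-to-permission table are constructed.
type SAT struct {
	iam       *IAM
	whitelist map[string]bool
	rolePerms map[string][]string
}

// Authorize (figs. 6 and 7): refuse front ends outside the white list before contacting the
// IAM, then allow the call only if one of the user's roles carries the target service's permission.
func (s *SAT) Authorize(frontEnd, token, targetService string) (bool, error) {
	if !s.whitelist[frontEnd] {
		return false, nil // second verification result: not allowed
	}
	roles, err := s.iam.ParseToken(token)
	if err != nil {
		return false, err
	}
	for _, role := range roles {
		for _, perm := range s.rolePerms[role] {
			if perm == targetService {
				return true, nil // first verification result: allowed
			}
		}
	}
	return false, nil
}

// NewDemo wires an IAM and a SAT with constructed keys, accounts and tables.
func NewDemo() (*IAM, *SAT) {
	encKey, macKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(macKey)
	block, _ := aes.NewCipher(encKey) // a 32-byte key cannot fail here
	gcm, _ := cipher.NewGCM(block)
	iam := &IAM{aead: gcm, macKey: macKey, roles: map[string][]string{"alice": {"booking-agent"}}}
	sat := &SAT{iam: iam, whitelist: map[string]bool{"web-portal": true},
		rolePerms: map[string][]string{"booking-agent": {"flight.search", "flight.book"}}}
	return iam, sat
}
```

Note that the two refusal paths differ: a front end outside the white list is denied without the token ever reaching the IAM, while a token whose signature fails is reported as an error rather than a plain deny, so the SAT can log it separately.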
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.
While several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure herein is not limited to the particular combination of features described above, but also encompasses other embodiments in which any combination of the features described above or their equivalents does not depart from the spirit of the disclosure. For example, a technical solution may be formed by substituting the above features with (but not limited to) features disclosed in this disclosure that have similar functions.

Claims (10)

1. An identity verification method, comprising:
receiving a service calling request sent by a target service front end, and determining, according to an authentication token, the target service that the user who sent the service calling request is requesting to call, wherein the authentication token is generated in advance by a user authentication and management system (IAM) according to account information of the user sent by the service front end;
transmitting the authentication token to the IAM;
receiving the identity information of the user returned by the IAM for analyzing the authentication token, wherein the identity information is different from the account information;
and generating an authentication result of the user for the target service based on the identity information, wherein the authentication result represents that the user is allowed to call the target service or the user is not allowed to call the target service.
2. The method of claim 1, wherein the identity information comprises at least one role owned by the user, and wherein generating the authentication result of the user for the target service based on the identity information comprises:
searching a preset corresponding relation between roles and permissions, and respectively acquiring the permission corresponding to each role in the at least one role;
judging whether the permission related to the target service is among all the obtained permissions;
if it is, generating a first identity verification result, wherein the first identity verification result represents that the user is allowed to call the target service;
and if it is not, generating a second identity verification result, wherein the second identity verification result represents that the user is not allowed to call the target service.
3. The method of claim 2, further comprising:
acquiring a preset white list, wherein the white list indicates a service front end which allows identity verification according to an authentication token;
judging whether the target service front end is the service front end indicated by the white list;
if the target service front end is not the service front end indicated by the white list, generating a second identity verification result;
the transmitting the authentication token to the IAM, comprising: and if the target service front end is the service front end indicated by the white list, transmitting the authentication token to the IAM.
4. An identity verification method, comprising:
receiving an authentication token generation request sent by a service front end, wherein the authentication token generation request indicates account information of a user sending the authentication token generation request;
generating and returning an authentication token of the user to the service front end according to the account information;
obtaining the authentication token carried by a service calling request, which a managed service interface (SAT) sends after receiving that request, wherein the service calling request is generated by a target service front end from the authentication token in response to the user requesting to call a target service;
and parsing the authentication token, generating the identity information of the user and returning it to the SAT.
5. The method of claim 4, wherein the generating and returning the authentication token of the user to the service front end according to the account information comprises:
acquiring a role list owned by the account information, wherein the role list is composed of at least one role;
generating authentication token information of the user according to the role list;
encrypting the authentication token information to obtain an authentication token of the user;
signing the authentication token by using the authentication token information to obtain signature information of the authentication token;
and returning the authentication token carrying the signature information to the service front end.
6. The method of claim 5, wherein parsing the authentication token, generating the identity information of the user and returning it to the SAT comprises:
verifying the signature of the authentication token according to the signature information to obtain a signature verification result of the authentication token;
if the signature verification result represents that signature verification is successful, acquiring a role list from authentication token information obtained by decrypting the authentication token;
returning the role list in the authentication token information to the SAT.
7. An authentication apparatus, comprising:
the service calling request receiving unit is used for receiving a service calling request sent by a target service front end and determining, according to an authentication token, the target service that the user who sent the service calling request is requesting to call, wherein the authentication token is generated in advance by a user authentication and management system (IAM) according to account information of the user sent by the service front end;
an authentication token transmission unit for transmitting the authentication token to the IAM;
an identity information receiving unit, configured to receive identity information of the user, which is returned by the IAM analyzing the authentication token, where the identity information is different from the account information;
and the identity authentication result generation unit is used for generating an identity authentication result of the user for the target service based on the identity information, and the identity authentication result represents that the user is allowed to call the target service or not.
8. An authentication apparatus, comprising:
the authentication token generation request receiving unit is used for receiving an authentication token generation request sent by a service front end, wherein the authentication token generation request indicates account information of a user sending the authentication token generation request;
the authentication token generating unit is used for generating and returning an authentication token of the user to the service front end according to the account information;
the authentication token obtaining unit is used for obtaining the authentication token carried by a service calling request, which the escrow service interface (SAT) sends after receiving that request, wherein the service calling request is generated by a target service front end from the authentication token in response to the user requesting to call a target service;
and the authentication token analysis unit is used for parsing the authentication token, generating the identity information of the user and returning it to the SAT.
9. An electronic device, comprising: the system comprises a processor and a memory, wherein the processor and the memory are connected through a communication bus; the processor is used for calling and executing the program stored in the memory; the memory for storing a program for implementing the authentication method of any one of claims 1-3 or the authentication method of any one of claims 4-6.
10. A computer-readable storage medium having stored thereon computer-executable instructions for performing the authentication method of any one of claims 1-3 or the authentication method of any one of claims 4-6.
CN202010680952.8A 2020-07-15 2020-07-15 Identity authentication method and device, electronic equipment and storage medium Pending CN111914229A (en)

Publications (1)

Publication Number Publication Date
CN111914229A true CN111914229A (en) 2020-11-10

Family

ID=73280290

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010680952.8A Pending CN111914229A (en) 2020-07-15 2020-07-15 Identity authentication method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111914229A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112532599A (en) * 2020-11-19 2021-03-19 北京信安世纪科技股份有限公司 Dynamic authentication method, device, electronic equipment and storage medium
CN112612770A (en) * 2020-12-28 2021-04-06 深圳市科创思科技有限公司 Distributed file uploading method and system
CN112632022A (en) * 2020-12-29 2021-04-09 医渡云(北京)技术有限公司 Object storage method and device, computer-readable storage medium and electronic equipment
CN112788048A (en) * 2021-01-22 2021-05-11 新华三信息安全技术有限公司 Authentication information synchronization method and device
CN113691534A (en) * 2021-08-24 2021-11-23 厦门熵基科技有限公司 Identity authentication charging system and method
CN114513350A (en) * 2022-02-08 2022-05-17 中国农业银行股份有限公司 Identity verification method, system and storage medium
CN115134134A (en) * 2022-06-23 2022-09-30 中国民航信息网络股份有限公司 Information processing method, device and equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090007249A1 (en) * 2007-06-29 2009-01-01 Yantian Tom Lu System and method for selective authentication when acquiring a role
CN101582763A (en) * 2009-04-02 2009-11-18 北京飞天诚信科技有限公司 Method and system for identity authentication based on dynamic password
KR20140035146A (en) * 2012-09-13 2014-03-21 (주)아크원소프트 Apparatus and method for information security
CN104821937A (en) * 2015-03-26 2015-08-05 腾讯科技(北京)有限公司 Token acquisition method, device and system
CN107645512A (en) * 2017-10-20 2018-01-30 国信嘉宁数据技术有限公司 The method, apparatus and server of a kind of authentication
CN110750334A (en) * 2019-10-25 2020-02-04 北京计算机技术及应用研究所 Network target range rear-end storage system design method based on Ceph

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090007249A1 (en) * 2007-06-29 2009-01-01 Yantian Tom Lu System and method for selective authentication when acquiring a role
CN101582763A (en) * 2009-04-02 2009-11-18 北京飞天诚信科技有限公司 Method and system for identity authentication based on dynamic password
KR20140035146A (en) * 2012-09-13 2014-03-21 (주)아크원소프트 Apparatus and method for information security
CN104821937A (en) * 2015-03-26 2015-08-05 腾讯科技(北京)有限公司 Token acquisition method, device and system
CN107645512A (en) * 2017-10-20 2018-01-30 国信嘉宁数据技术有限公司 The method, apparatus and server of a kind of authentication
CN110750334A (en) * 2019-10-25 2020-02-04 北京计算机技术及应用研究所 Network target range rear-end storage system design method based on Ceph

Similar Documents

Publication Publication Date Title
CN111914229A (en) Identity authentication method and device, electronic equipment and storage medium
US11824854B2 (en) Communication system and computer readable storage medium
CN113347206A (en) Network access method and device
CN111199037B (en) Login method, system and device
CN110611657A (en) File stream processing method, device and system based on block chain
CN108923925B (en) Data storage method and device applied to block chain
CN112866385B (en) Interface calling method and device, electronic equipment and storage medium
CN111784887A (en) Authorization releasing method, device and system for user access
CN112437044B (en) Instant messaging method and device
CN113271296A (en) Login authority management method and device
CN107920060B (en) Data access method and device based on account
CN110705985B (en) Method and apparatus for storing information
CN114125027B (en) Communication establishment method and device, electronic equipment and storage medium
CN111698264A (en) Method and apparatus for maintaining user authentication sessions
CN113282951B (en) Application program security verification method, device and equipment
CN112446050B (en) Business data processing method and device applied to block chain system
CN115766294B (en) Cloud server resource authentication processing method, device, equipment and storage medium
CA2490645A1 (en) Data-centric distributed computing
CN116502189A (en) Software authorization method, system, device and storage medium
CN112966287B (en) Method, system, device and computer readable medium for acquiring user data
CN116456341B (en) Data security authentication method, device, equipment and storage medium
CN114553570B (en) Method, device, electronic equipment and storage medium for generating token
CN115766830B (en) Computing power network processing method, device, equipment and storage medium
CN114245161B (en) Live broadcast push method and device, storage medium and electronic equipment
CN114826616B (en) Data processing method, device, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination