CN111953708A - Cross-account login method and device based on cloud platform and server - Google Patents


Info

Publication number: CN111953708A
Application number: CN202010860952.6A
Granted version: CN111953708B
Authority: CN (China)
Language: Chinese (zh)
Prior art keywords: identity, tenant, information, target role, security token
Legal status: granted; active
Inventor: 李严
Assignee (original and current): Beijing Kingsoft Cloud Network Technology Co Ltd

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network

Abstract

The invention provides a cross-account login method, device and server based on a cloud platform, in the technical field of cloud computing. The method comprises: receiving an identity switching request sent by a first tenant, the request being sent after the first tenant has logged in to the cloud platform as a sub-user and carrying an identifier of a target role identity, where the target role identity is a role identity pre-established by a second tenant and holding preset access rights to the cloud platform; extracting the identifier of the target role identity and generating temporary identity information for that role identity from the identifier; and sending the temporary identity information to the first tenant so that the first tenant can log in to the account corresponding to the target role identity with it. With this method, device and server, no client verification function needs to be developed on the target service line, which effectively reduces the development and application cost of the service line.

Description

Cross-account login method and device based on cloud platform and server
Technical Field
The invention relates to the technical field of cloud computing, in particular to a cross-account login method, a cross-account login device and a cross-account login server based on a cloud platform.
Background
With the continued development of cloud computing, cloud resources offer more and more functions, and cloud products therefore have more and more service lines. Each service line of a cloud product needs to support corresponding role information: a user performs access control on a service line by passing correct role information to it, and the service line obtains the related resources according to that role information and returns them to the user.
Therefore, for a user to be able to control every service line of a cloud product, every service line has to support authentication of role information and determine whether the user holds the control authority. This has to be developed separately for every service line, which increases the usage cost of cloud product service lines.
Disclosure of Invention
In view of the above, the present invention provides a cross-account login method, device and server based on a cloud platform, so as to alleviate the above technical problems.
In a first aspect, an embodiment of the present invention provides a cross-account login method based on a cloud platform, applied to the cloud platform, the method comprising: receiving an identity switching request sent by a first tenant, the request being sent after the first tenant has logged in to the cloud platform as a sub-user and carrying an identifier of a target role identity, where the target role identity is a role identity pre-established by a second tenant with preset access rights to the cloud platform; extracting the identifier of the target role identity and generating temporary identity information corresponding to the target role identity from that identifier; and sending the temporary identity information to the first tenant so that the first tenant logs in to the account corresponding to the target role identity with it.
In a preferred embodiment, the method further comprises: receiving sub-user login information sent by the first tenant; verifying whether the sub-user login information is valid; and if so, determining that the first tenant has logged in to the cloud platform as a sub-user.
In a preferred embodiment, the step of generating the temporary identity information corresponding to the target role identity based on the identifier of the target role identity includes: acquiring a pre-established authority policy table; the authority policy table comprises a plurality of role identities and access authorities corresponding to the role identities; searching the access authority corresponding to the target role identity in the authority policy table according to the identifier of the target role identity; generating the temporary identity information based on the access right; the temporary identity information comprises key information and a first security token, and the key information is used for authenticating the target role identity; the first security token carries the target role identity, the access authority corresponding to the target role identity, and the validity period of the temporary identity information.
In a preferred embodiment, after the sending the temporary identity information to the first tenant, the method further includes: receiving interface request information of a target service line sent by the first tenant based on the temporary identity information; extracting a second security token of the temporary identity information carried in the interface request information; verifying the second security token; and if the verification is passed, determining that the temporary identity logged in by the first tenant has access right to the target service line.
In a preferred embodiment, the step of sending the temporary identity information to the first tenant comprises: encrypting the first security token information to generate an encrypted security token; sending temporary identity information containing the key information and the encrypted security token to the first tenant.
In a preferred embodiment, after the generating the temporary identity information based on the access right, the method further includes: and extracting the first security token and generating signature information of the first security token.
In a preferred embodiment, the step of extracting the second security token of the temporary identity information carried in the interface request information includes: extracting an encrypted second security token of the temporary identity information carried in the interface request information; the step of verifying the second security token comprises: decrypting the encrypted second security token to obtain the second security token; acquiring signature information of the first security token, and verifying the second security token according to the signature information of the first security token; determining that the second security token is validated if the first security token matches the second security token.
In a preferred embodiment, after determining that the temporary identity logged in by the first tenant has access right to the target service line, the method further comprises: creating sub-user information representing the target role identity, the sub-user information comprising a sub-user ID, the key information and the first security token; storing the sub-user information in a preset cache region; and, when the write to the cache region is observed to have succeeded, determining that the current identity of the first tenant is the target role identity.
In a preferred embodiment, the method further comprises: receiving a resource control request sent by the first tenant in the target role identity; acquiring sub-user information of the target role identity in the cache region; authenticating the target role identity corresponding to the first tenant according to the sub-user information of the target role identity in the cache region; and if the authentication is passed, acquiring a service line interface corresponding to the resource control request so that the first tenant controls the resources of the service line through the service line interface.
In a preferred embodiment, the method further comprises: if the resource management and control request is a purchase request for cloud resources of a target service line, calling order service, and authenticating the target role identity corresponding to the first tenant through the order service request; and if the authentication is passed, acquiring a service line interface of the order service so as to enable the first tenant to purchase the target service line.
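The cache-backed sub-user information and the authentication of later resource control requests described in the three paragraphs above, as an added Python example that is not part of the patent. The class and function names, the choice to store only digests of the key secret and security token in the cache, the use of a list of service lines as the role's access rights, and the routing of purchase requests to an order-service interface are assumptions for illustration.

```python
"""Added example (not the patent's code): a TTL cache of sub-user information
for a switched-to role identity, and authentication of later resource control
requests against that cache. All names are assumptions for illustration."""
import hashlib
import hmac
import time


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


class TemporaryIdentityCache:
    """Stands in for the shared caching service; holds only digests of secrets."""

    def __init__(self):
        self._entries = {}

    def write(self, sub_user_id, key_secret, security_token, role, service_lines, expires_at):
        self._entries[sub_user_id] = {
            "key_digest": _digest(key_secret),
            "token_digest": _digest(security_token),
            "role": role,
            "service_lines": frozenset(service_lines),
            "expires_at": expires_at,
        }
        # Report whether the write landed; the caller treats a successful write
        # as the signal that the tenant's current identity is now the target role.
        return sub_user_id in self._entries

    def lookup(self, sub_user_id, now):
        entry = self._entries.get(sub_user_id)
        if entry is None:
            return None
        if entry["expires_at"] <= now:
            # Temporary identity has lapsed: evict so it cannot be reused.
            del self._entries[sub_user_id]
            return None
        return entry


def switch_identity(cache, sub_user_id, key_secret, security_token, role, service_lines, expires_at):
    """Returns the role now in effect for the sub-user, or None if the cache write failed."""
    written = cache.write(sub_user_id, key_secret, security_token, role, service_lines, expires_at)
    return role if written else None


def authenticate_resource_request(cache, request, now=None):
    """request: dict with sub_user_id, key_secret, security_token, service_line, action.
    Returns (allowed, service_line_interface_or_reason)."""
    now = time.time() if now is None else now
    entry = cache.lookup(request["sub_user_id"], now)
    if entry is None:
        return False, "no valid temporary identity"
    # Constant-time comparison of both credentials against the cached digests.
    key_ok = hmac.compare_digest(entry["key_digest"], _digest(request["key_secret"]))
    token_ok = hmac.compare_digest(entry["token_digest"], _digest(request["security_token"]))
    if not (key_ok and token_ok):
        return False, "credential mismatch"
    line = request["service_line"]
    if request.get("action") == "purchase":
        # Purchases go through the unified order service (assumed to need the
        # "order" right), which re-authenticates the role before selling.
        if "order" not in entry["service_lines"]:
            return False, "role may not place orders"
        return True, "order-service/" + line
    if line not in entry["service_lines"]:
        return False, "role %s has no right to %s" % (entry["role"], line)
    return True, line + "/api"


if __name__ == "__main__":
    cache = TemporaryIdentityCache()
    role = switch_identity(cache, "tenant-a/sub-user-1", "sk-1", "tok-1",
                           "role/ops-readonly", ["kec", "kls", "order"], expires_at=time.time() + 900)
    print(role)
    print(authenticate_resource_request(cache, {"sub_user_id": "tenant-a/sub-user-1", "key_secret": "sk-1",
                                                "security_token": "tok-1", "service_line": "kec",
                                                "action": "describe"}))
```

The cache entry carries its own expiry, so an expired temporary identity is rejected and evicted on the next lookup rather than lingering until the cache service happens to purge it.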
In a second aspect, an embodiment of the present invention provides a cross-account login device based on a cloud platform, which is applied to the cloud platform, and the device includes: the system comprises a receiving module, a sending module and a switching module, wherein the receiving module is used for receiving an identity switching request sent by a first tenant, and the identity switching request is sent by the first tenant after the first tenant logs in the cloud platform in a sub-user identity; the identity switching request carries an identifier of a target role identity; the target role identity is a role identity which is pre-established by a second tenant and has a preset access right to the cloud platform; the extraction module is used for extracting the identification of the target role identity and generating temporary identity information corresponding to the target role identity based on the identification of the target role identity; and the login module is used for sending the temporary identity information to the first tenant so that the first tenant can log in an account corresponding to the target role identity according to the temporary identity information.
In a third aspect, an embodiment of the present invention provides a server, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the method according to the first aspect when executing the computer program.
In a fourth aspect, the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the method of the first aspect.
The embodiment of the invention has the following beneficial effects:
The cross-account login method, device and server based on a cloud platform provided by the embodiments of the invention receive an identity switching request, sent by a first tenant, carrying the identifier of a target role identity; extract that identifier; generate temporary identity information corresponding to the target role identity from it; and send the temporary identity information to the first tenant so that the first tenant can log in to the account corresponding to the target role identity. Because the target role identity is a role identity pre-established by a second tenant with preset access rights to the cloud platform, the first tenant can use it directly to perform cross-account login on the platform and so control cloud resources. And because the first tenant performs cross-account login with the target role identity, no role authentication or verification functions need to be developed on the corresponding service line, which effectively reduces the development and application cost of the service line.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a cross-account login method based on a cloud platform according to an embodiment of the present invention;
fig. 2 is an interaction diagram of cross-account login based on a cloud platform according to an embodiment of the present invention;
fig. 3 is a schematic diagram of another interaction of cross-account login based on a cloud platform according to an embodiment of the present invention;
fig. 4 is a schematic diagram of another interaction of cross-account login based on a cloud platform according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a cross-account login device based on a cloud platform according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, each product service line on the server of a cloud resource platform is coupled to a corresponding role identity, so that a user can switch role identity and assume a role after logging in to the platform. When a user manages cloud product service lines, role information has to be passed between the service lines so that the user can keep accessing and controlling them: once access control has confirmed the authority, the role information is passed to the cloud product service line, which obtains the related resources according to that role information and returns them to the user.
For every service line to be able to pass role information, each one has to support verification of the role information it is coupled to when it is developed. Besides its own business, therefore, every service line has to implement a coupling function for passing role information, which increases the development and usage cost of the cloud product's service lines.
Based on this, the embodiment of the invention provides a cross-account login method, device and server based on a cloud platform, which can alleviate the technical problems and reduce the development and use cost of a cloud product service line.
In order to facilitate understanding of the embodiment, a detailed description is first given of a cross-account login method based on a cloud platform disclosed in the embodiment of the present invention.
In a possible implementation manner, an embodiment of the present invention provides a cross-account login method based on a cloud platform, and the method is applied to the cloud platform.
Specifically, the cloud platform may be implemented by a server deployed on the cloud service provider's side and may offer several cloud product service lines for tenants to use. A tenant is a user of a cloud product service line or computing resource; everything identifiable as belonging to that user within the service line, such as the account and accounting data created in the service line and the data and application environments configured in it, falls within the tenant's scope.
Specifically, as shown in fig. 1, a flowchart of a cloud platform-based cross-account login method includes the following steps:
step S102, receiving an identity switching request sent by a first tenant;
the identity switching request is sent by a first tenant after logging in a cloud platform by using a sub-user identity; the identity switching request carries an identifier of the target role identity; the target role identity is a role identity which is pre-established by a second tenant and has a preset access right to the cloud platform;
step S104, extracting the identification of the target role identity, and generating temporary identity information corresponding to the target role identity based on the identification of the target role identity;
and step S106, sending the temporary identity information to the first tenant, so that the first tenant logs in an account corresponding to the target role identity according to the temporary identity information.
In a concrete implementation, a tenant (or user) who wants to log in to the cloud platform must log in to the platform's server through a client and be authorized to use or access a cloud product service line. The tenant therefore first logs in to the cloud platform through the client and then sends an identity switching request to the server; at that point the server executes step S102 to receive the request and learn which target role identity the tenant wants to log in as.
Because the target role identity was created in advance by the second tenant and holds preset access rights to the cloud platform, once the temporary identity information has been returned to the first tenant's client in step S106, the first tenant can use it to log in through the client to the account corresponding to the target role identity, and thereby access and control the resources of the service line.
The method therefore receives an identity switching request from a first tenant carrying the identifier of a target role identity, extracts that identifier, generates temporary identity information for the target role identity from it, and sends that information to the first tenant so that it can log in to the account corresponding to the target role identity. Because the target role identity is pre-established by a second tenant with preset access rights to the cloud platform, the first tenant can use it directly to perform cross-account login on the platform and control cloud resources, and no role authentication or verification functions need to be developed on the individual service lines, which effectively reduces their development and application cost.
In practice the identity switching request is sent after the first tenant has logged in to the cloud platform as a sub-user, so the first tenant must first be registered on the platform as a sub-user. A sub-user is also called an IAM (Identity and Access Management) user: an entity identity type of IAM with its own identity ID and identity credential, normally corresponding one-to-one to a person or an application. Several IAM users can be created under one tenant account, corresponding to employees, systems or applications in an enterprise. An IAM user owns no resources of its own; it belongs to a cloud account, is visible only within that account's space and is not an independent cloud account, so after being authorized by the cloud account it can log in to the console or use the API to operate resources under the account, such as a given cloud product service line. When an enterprise holds many kinds of cloud resources, the IAM authorization management function gives it unified user authorization and resource management.
The cloud platform also verifies the first tenant's login. When the first tenant logs in to the platform as a sub-user through the client, the platform receives the sub-user login information sent by the first tenant and verifies whether it is valid. If it is, the first tenant is determined to have logged in as a sub-user and may then switch identity and use, access or control a preset cloud product service line or computing resource on the platform. If the sub-user login information is found to be invalid, the first tenant cannot log in to the platform and cannot proceed to any identity switching operation.
The first tenant is usually a purchasing user of the cloud service, that is, a user of the cloud platform, while the second tenant is a developer on the cloud service side, that is, a user who develops and maintains the platform. The second tenant can therefore create one or more role identities with corresponding access rights to the platform. When the first tenant logs in as a sub-user with its own login information, it holds access or viewing rights to only a few resources; if it needs to manage and control more, it performs cross-account login by the method provided here and thereby obtains the broader access or viewing rights.
Further, considering that the cloud platform generally has a plurality of cloud resources and a plurality of service lines, when the second tenant creates a role identity, a corresponding permission policy table may be established, and at least one created role identity and access permission corresponding to the role identity are recorded, so as to generate temporary identity information.
Therefore, in the step S104, when generating the temporary identity information, the temporary identity information may be implemented based on the authority policy table, and specifically, the process of generating the temporary identity information may include the following steps:
(1) acquiring a pre-established authority policy table; the authority policy table comprises a plurality of role identities and access authority corresponding to each role identity;
(2) searching the access authority corresponding to the target role identity in an authority policy table according to the identifier of the target role identity;
(3) generating temporary identity information based on the access rights; the temporary identity information comprises key information and a first security token, and the key information is used for authenticating the identity of the target role; the first security token carries the target role identity, the access authority corresponding to the target role identity and the validity period of the temporary identity information.
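The issuance of steps (1) to (3) above, together with the signing, the second-token verification and the use of the key information to authenticate the role identity described under the preferred embodiments (and the STS step of the interaction flow), as an added Python example that is not part of the patent. The policy table, the trust table that records which sub-users may switch to each role (a check the page does not describe but one a practitioner would want before minting credentials), the key names and the token format are assumptions for illustration. The example signs the token with HMAC-SHA256 rather than encrypting it as the patent describes, since the standard library has no authenticated cipher, and it binds the key secret to the token with a digest so that the key information can be checked without server-side state.

```python
"""Added example (not the patent's code): an STS-style issuer and verifier for
temporary identity information. Tables, names and token format are assumptions."""
import base64
import fnmatch
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed permission policy table: role identity -> access rights (assumed format).
POLICY_TABLE = {
    "role/ops-readonly": ["kec:Describe*", "kls:Get*"],
    "role/billing-admin": ["order:*", "billing:*"],
}
# Assumed addition beyond the page: which sub-users may switch to each role.
TRUST_TABLE = {
    "role/ops-readonly": {"tenant-a/sub-user-1"},
    "role/billing-admin": {"tenant-a/sub-user-1", "tenant-a/sub-user-2"},
}
SERVER_KEY = os.urandom(32)  # STS signing key, generated for this example only


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def _secret_digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_temporary_identity(sub_user, target_role, ttl_s=3600, now=None):
    """Steps (1)-(3): look up the role's access rights in the policy table and
    mint key information plus a signed token carrying role, rights and expiry."""
    now = int(time.time()) if now is None else now
    if target_role not in POLICY_TABLE:
        raise PermissionError("unknown role identity")
    if sub_user not in TRUST_TABLE.get(target_role, set()):
        raise PermissionError("sub-user is not allowed to assume this role")
    access_key_id = "AKTS" + secrets.token_hex(8)
    access_key_secret = secrets.token_urlsafe(32)
    payload = json.dumps({
        "role": target_role,
        "perms": POLICY_TABLE[target_role],
        "sub_user": sub_user,
        "akid": access_key_id,
        "kd": _secret_digest(access_key_secret),  # binds the key secret to this token
        "exp": now + ttl_s,
    }, separators=(",", ":"), sort_keys=True).encode()
    token = _b64(payload) + "." + _b64(_sign(payload))
    return {"access_key_id": access_key_id,
            "access_key_secret": access_key_secret,
            "security_token": token}


def verify_token(token, now=None):
    """Second-token check: the presented token must carry a valid signature
    from this server and must not be expired. Returns the claims or None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_request(token, access_key_secret, action, now=None):
    """Service-line interface request: verify the token, check that the caller
    holds the key secret bound to it, then match the action against the rights."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    if not hmac.compare_digest(claims["kd"], _secret_digest(access_key_secret)):
        return False
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in claims["perms"])


if __name__ == "__main__":
    creds = issue_temporary_identity("tenant-a/sub-user-1", "role/ops-readonly", ttl_s=900)
    print(authorize_request(creds["security_token"], creds["access_key_secret"], "kec:DescribeInstances"))
```

The signature is checked before the payload is parsed, so a tampered or forged token is rejected without ever being interpreted, and the expiry is enforced on every verification rather than only at login.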
After the cloud platform sends the temporary identity information to the first tenant, the first tenant can log in to the account corresponding to the target role identity with it, thus logging in to the platform cross-account, and at the same time obtains the access rights of the target role identity. Because the identity information is temporary, the first tenant must manage and control the platform's service lines within its validity period.
In practice the server on the cloud service provider's side usually runs several sub-services that cooperate to form the cloud platform and provide cloud product service lines to tenants, and the method shown in fig. 1 can likewise be implemented by the cooperation of those sub-services.
In particular, the sub-services of the server typically include one or more of the following:
Order service: the unified ordering service through which all cloud products place orders;
IAM service: identity and access control service;
Service line: the cloud product service for which each service line is responsible;
Kop/Kop_inner service: the unified gateway system, which provides authentication;
Caching service: shared caching service;
STS (Security Token Service): the security token service that generates the temporary identity information for role assumption;
Console: the framework of the server console;
Passport service: the login authentication service of the console;
SSO service (Single Sign-On): provides single sign-on.
On the basis of these sub-services, when a first tenant logs in to the cloud platform as a sub-user, it can enter the login address of a cloud product service line in the client's browser and log in to the console. The console then verifies the sub-user login information through the Passport service, and if it passes, a sub-user cookie is returned to the first tenant as confirmation so that it can continue with the identity switching process. The reception of the identity switching request in step S102 and the generation of the temporary identity information in step S104 may be implemented on the STS service.
For ease of understanding, fig. 2 builds on fig. 1 and shows an interaction diagram of cross-account login based on the cloud platform, taking as an example a client that interacts with the platform's server through a browser and a server composed of the sub-services above. The identity switching process of the client comprises the following steps:
step S202, a tenant logs in to the console through a client using a sub-user identity;
specifically, the console is a sub-service in the server of the cloud platform.
Step S204, the server, through the console, requests the Passport service to authenticate the client, that is, to verify whether the login information of the sub-user is legal;
specifically, the Passport service verifies whether the user name and password of the sub-user are correct; if they are, authentication passes and the following steps are carried out.
Step S206, the Passport service returns the verification text file to the console to indicate that verification has passed, which establishes that the first tenant may perform identity switching.
The verification text file returned by the Passport service to the console may be a sub-user cookie.
Step S208, the first tenant sends an identity switching request to the cloud platform;
specifically, having successfully logged in to the cloud platform with the sub-user identity through the above verification, the first tenant sends an identity switching request to the STS service;
step S210, the STS service extracts the identifier of the target role identity, generates temporary identity information corresponding to the target role identity based on that identifier, and feeds the temporary identity information back to the first tenant;
In actual use, a first tenant switching identities may have several role identities to choose from, so the identity switching request usually carries the identifier of a target role identity, which determines to which role identity the client switches. Specifically, before sending the identity switching request, the first tenant may send a role identity query request to the console to query the currently switchable role identities, select the desired role identity, and then send to the cloud platform an identity switching request carrying the identifier of that target role identity.
The temporary identity information comprises key information and a first security token. The key information may also be denoted ak/sk (access key / secret key), and the first security token may also be denoted security_token; the security_token further carries the target role identity, the access right information of the target role identity, and the validity period of the temporary identity information.
Further, to prevent the temporary identity information from being tampered with, the first security token may be extracted after the temporary identity information is generated and signature information of the first security token generated, that is, the signature token_sign of the security_token is generated.
In addition, to improve the security of the cloud platform, the first security token may be encrypted to produce an encrypted security token; the temporary identity information, comprising the key information and the encrypted security token, is then sent to the first tenant.
Step S212, the first tenant uses the key information and the first security token to request a service line interface from the server;
specifically, since the Kop/Kop_inner service in the server provides the authentication service, when the first tenant requests the service line interface the Kop/Kop_inner service obtains the interface request information and authenticates the temporary identity information of the first tenant to determine whether the first tenant has the access right.
Therefore, for the cloud platform (or the server of the cloud platform), after the temporary identity information is sent to the first tenant the following may also be carried out: receiving the interface request information of the target service line sent by the first tenant based on the temporary identity information; extracting the second security token of the temporary identity information carried in the interface request information; verifying the second security token; and, if verification passes, determining that the temporary identity with which the first tenant is logged in has access right to the target service line.
Specifically, verification of the second security token at this point is performed in the Kop/Kop_inner service described above, and if verification passes, the following steps are carried out.
Step S214, the Kop/Kop_inner service requests the service line service from the service line.
Step S216, the service line returns the corresponding result to the first tenant.
Further, if the first tenant receives the encrypted security token, then in step S212 the first tenant also uses the encrypted security token when requesting the service line interface. To distinguish it from the first security token generated on the cloud platform side, the security token used when the first tenant requests the service line interface is referred to as the second security token. Specifically, when the first tenant requests the service line interface, the Kop/Kop_inner service extracts the encrypted second security token of the temporary identity information carried in the interface request information and, during verification, decrypts it to obtain the second security token; it then acquires the signature information of the first security token generated on the cloud platform side and verifies the second security token against that signature information; if the first security token matches the second security token, the second security token is determined to be verified.
Having decrypted the encrypted second security token and verified it against the signature information of the first security token, the Kop/Kop_inner service determines the identity information of the first tenant and can verify the authority of the temporary identity with which the first tenant is currently logged in; once it is confirmed that the first tenant has access authority to the target service line, the first tenant can access and control the target service line.
Further, after the cloud platform determines that the temporary identity with which the first tenant is logged in has access right to the target service line, the cloud platform may also create sub-user information representing the target role identity, where the sub-user comprises a sub-user ID, the key information and the first security token; the sub-user information is then stored in a preset cache region; once the cache region has been successfully written, the current identity of the first tenant is determined to be the target role identity. At this point the switch of the first tenant from the sub-user identity to the target role identity is complete, and the first tenant has logged in to the cloud platform across accounts.
Specifically, creating the sub-user information representing the target role identity is equivalent to creating a special sub-user identity comprising a sub-user ID, the key information, the first security token and so on, so that the first tenant can switch to this special sub-user identity to access and control the target service line.
The special sub-user information generally includes spec_user_id and spec_user_info, that is, the identifier of the target role identity, which records which role identity the first tenant currently wants to switch to, and the above temporary identity information, that is, the temporary ak/sk and security_token.
Further, storing the sub-user information in the preset cache region is actually carried out by the console: the console writes the special sub-user information into the preset cache; the cache service returns a cache-success message to the console; the console may then request the text file of the target role identity from the Passport service (like the sub-user cookie in the previous step); the Passport service returns the text file of the target role identity to the console, and the login identity of the client is switched to the target role identity.
Further, after the client has been switched to the target role identity through the process shown in fig. 2, management and control operations on the cloud product service line can be performed with the target role identity, and when the tenant no longer needs the target role identity, it can switch back from the target role identity to the original login identity, that is, the sub-user identity.
Further, when the tenant manages and controls cloud resources, it may send a resource management and control request to the cloud platform; specifically, the request is sent by the first tenant in the target role identity. The cloud platform then receives the resource management and control request sent by the first tenant in the target role identity; acquires the sub-user information of the target role identity from the cache region; authenticates the target role identity corresponding to the first tenant according to that sub-user information; and, if authentication passes, acquires the service line interface corresponding to the resource management and control request so that the first tenant manages and controls the resources of the service line through that interface.
For ease of understanding, fig. 3, building on fig. 2, shows another interaction diagram of cross-account login based on a cloud platform, describing the process by which a client manages and controls cloud resources. As shown in fig. 3, the method includes the following steps:
step S302, the first tenant logs in to the console with the target role identity and sends a resource management and control request;
step S304, the console requests the Passport service to acquire the role information of the first tenant;
specifically, this step acquires the identity information with which the first tenant is currently logged in.
Step S306, the Passport service returns the role information in sub-user format to the console;
specifically, the role information in sub-user format includes: type, indicating that the current identity is a sub-user; user[id], the account id of the client of the current first tenant, namely account_id; and IAM_user[id], the sub-user id of the role, namely the aforementioned spec_user_id;
step S308, the console uses account_id and spec_user_id to request authentication from the Kop/Kop_inner service;
step S310, the Kop/Kop_inner service extracts the temporary identity information from the preset cache region for authentication;
specifically, the sub-user information of the target role identity is acquired from the cache region, which comprises the ak/sk and the security_token, and authentication is performed using the security_token; if authentication passes, the service line interface is requested and the service line returns a response to the console, after which the client of the first tenant can continue with the following process;
step S312, the first tenant manages and controls cloud resources on the console in the target role identity;
step S314, the IAM service returns to the client of the first tenant the item information visible to the client's current role identity.
Further, if the management and control operation is a purchase of cloud resources of the target service line, the order service may be invoked, and role authentication of the first tenant is performed through the order service request.
Specifically, if the resource management and control request is a purchase request for cloud resources of the target service line, the order service is invoked and the target role identity corresponding to the first tenant is authenticated through the order service request; if authentication passes, the service line interface of the order service is acquired so that the first tenant can purchase the target service line.
In a specific implementation, when the first tenant purchases cloud resources on the console with the corresponding role identity, the cloud resources are actually being managed and controlled, so the server of the cloud platform can obtain the current identity information of the client and request the order service to place an order.
Specifically, fig. 4 shows another interaction diagram of cross-account login based on a cloud platform, illustrating the purchase of a cloud resource. As shown in fig. 4, the method includes the following steps:
step S402, the console receives a purchase request for cloud resources of the target service line sent by the first tenant;
step S404, the console calls the order placing interface of the order service;
step S406, the order service uses account_id and spec_user_id to request the Kop/Kop_inner service to perform role authentication on the first tenant;
step S408, if the Kop/Kop_inner service determines that the current role identity matches, it obtains the temporary ak/sk and security_token from the caching service and authenticates the client using the security_token;
step S410, once authentication passes, the order service returns to the console and the first tenant is notified that the order was placed successfully.
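The token issuance and gateway verification of steps S210 to S212 and the cache-based role authentication of steps S310 and S408, as an added Python example that is not part of the patent. The keys, role names, service line names, spec_user_id values, the in-memory signature store and cache region, and the HMAC-based stand-in cipher are constructed assumptions; the page names none of them.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed platform-side secrets; assumed to be held only by STS and the Kop/Kop_inner gateway.
SIGNING_KEY = b"constructed-signing-key-do-not-reuse"
ENC_KEY = b"constructed-encryption-key-do-not-reuse"

# Pre-established authority policy table (claim 3): role identity -> service lines it may access.
POLICY_TABLE = {
    "role-finance-readonly": {"billing", "monitor"},
    "role-ops-admin": {"compute", "storage", "billing", "order"},
}

SIGNATURE_STORE = {}   # spec_user_id -> token_sign, kept on the platform side only
CACHE_REGION = {}      # the "preset cache region": spec_user_id -> special sub-user info


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stand-in for the platform's cipher, which the page does not name.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_token(token_bytes):
    nonce = os.urandom(16)   # fresh nonce per token so equal payloads never share a keystream
    return base64.urlsafe_b64encode(nonce + _xor(token_bytes, _keystream(ENC_KEY, nonce, len(token_bytes)))).decode()


def decrypt_token(encrypted):
    raw = base64.urlsafe_b64decode(encrypted)
    nonce, ciphertext = raw[:16], raw[16:]
    return _xor(ciphertext, _keystream(ENC_KEY, nonce, len(ciphertext)))


def sign_token(token_bytes):
    return hmac.new(SIGNING_KEY, token_bytes, hashlib.sha256).hexdigest()


def sts_issue(spec_user_id, target_role, ttl_seconds=900, now=None):
    """Step S210: ak/sk plus a security_token carrying role, rights and expiry; token_sign stays platform-side."""
    if target_role not in POLICY_TABLE:
        raise KeyError("unknown target role identity")
    now = time.time() if now is None else now
    token_bytes = json.dumps({
        "role": target_role,
        "rights": sorted(POLICY_TABLE[target_role]),
        "expires_at": now + ttl_seconds,
    }, sort_keys=True).encode()
    SIGNATURE_STORE[spec_user_id] = sign_token(token_bytes)
    return {"ak": secrets.token_hex(8), "sk": secrets.token_hex(16),
            "security_token": encrypt_token(token_bytes)}


def gateway_verify(spec_user_id, encrypted_token, target_service_line, now=None):
    """Step S212 on Kop/Kop_inner: decrypt the second token, match it against the stored
    signature of the first token, then enforce expiry and the service line access right."""
    now = time.time() if now is None else now
    try:
        token_bytes = decrypt_token(encrypted_token)
    except (ValueError, TypeError):
        return {"ok": False, "reason": "undecodable token"}
    expected = SIGNATURE_STORE.get(spec_user_id)
    if expected is None or not hmac.compare_digest(sign_token(token_bytes), expected):
        return {"ok": False, "reason": "signature mismatch"}   # tampered, or never issued by STS
    token = json.loads(token_bytes)
    if now >= token["expires_at"]:
        return {"ok": False, "reason": "expired"}
    if target_service_line not in token["rights"]:
        return {"ok": False, "reason": "no access right"}
    return {"ok": True, "role": token["role"]}


def switch_identity(spec_user_id, target_role, target_service_line, now=None):
    """Fig. 2 end to end: issue, verify, then write the special sub-user info to the cache region (claim 8)."""
    identity = sts_issue(spec_user_id, target_role, now=now)
    result = gateway_verify(spec_user_id, identity["security_token"], target_service_line, now)
    if result["ok"]:
        CACHE_REGION[spec_user_id] = {"spec_user_id": spec_user_id, "spec_user_info": identity}
    return result


def authenticate_from_cache(spec_user_id, target_service_line, now=None):
    """Steps S310 / S408: the caller presents spec_user_id; the gateway authenticates with the cached security_token."""
    entry = CACHE_REGION.get(spec_user_id)
    if entry is None:
        return {"ok": False, "reason": "no switched identity in cache"}
    return gateway_verify(spec_user_id, entry["spec_user_info"]["security_token"], target_service_line, now)


def tamper(encrypted_token):
    """Constructed negative case: flip one ciphertext bit to simulate modification in transit."""
    raw = bytearray(base64.urlsafe_b64decode(encrypted_token))
    raw[-1] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()
```

Because the stream cipher alone gives no integrity, the stored token_sign is what actually rejects a modified token; a production deployment would use an authenticated cipher in place of the stand-in.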
As can be seen from the processes of figs. 2 to 4, both access to the cloud platform resources and the authentication of the first tenant are implemented on the cloud platform side, so there is no need to develop an authentication and verification function on each cloud product service line: when a service line is developed, only its own service functions need to be developed, not a docking function for authentication, since role authentication and verification are carried out on the cloud platform side. That is, the cloud platform-based cross-account login method provided by the embodiment of the present invention is executed on the cloud platform side, where tenant authentication and verification are carried out and role information is passed on, which effectively reduces the development and application costs of the service lines.
On the basis of the foregoing embodiment, an embodiment of the present invention further provides a cross-account login apparatus based on a cloud platform, which is applied to the cloud platform. Fig. 5 shows a schematic structural diagram of the cross-account login apparatus based on a cloud platform; the apparatus includes:
a receiving module 50, configured to receive an identity switching request sent by a first tenant, where the identity switching request is sent by the first tenant after logging in the cloud platform in a sub-user identity; the identity switching request carries an identifier of a target role identity; the target role identity is a role identity which is pre-established by a second tenant and has a preset access right to the cloud platform;
an extracting module 52, configured to extract the identifier of the target role identity, and generate temporary identity information corresponding to the target role identity based on the identifier of the target role identity;
the login module 54 is configured to send the temporary identity information to the first tenant, so that the first tenant logs in to an account corresponding to the target role identity according to the temporary identity information.
The cross-account login device based on the cloud platform provided by the embodiment of the invention has the same technical characteristics as the cross-account login method based on the cloud platform provided by the embodiment, so that the same technical problems can be solved, and the same technical effect can be achieved.
Further, an embodiment of the present invention further provides a server, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the methods shown in fig. 1 to fig. 4.
Further, an embodiment of the present invention further provides a schematic structural diagram of a server, as shown in fig. 6, which is the schematic structural diagram of the server, where the server includes a processor 101 and a memory 100, the memory 100 stores computer-executable instructions that can be executed by the processor 101, and the processor 101 executes the computer-executable instructions to implement the cloud platform-based cross-account login method.
In the embodiment shown in fig. 6, the server further comprises a bus 102 and a communication interface 103, wherein the processor 101, the communication interface 103 and the memory 100 are connected by the bus 102.
The memory 100 may include a high-speed Random Access Memory (RAM) and may further include a non-volatile memory, such as at least one disk memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 103 (which may be wired or wireless), using the internet, a wide area network, a local network, a metropolitan area network, or the like. The bus 102 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 102 may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in fig. 6, but that does not indicate only one bus or one type of bus.
The processor 101 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 101. The processor 101 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in the memory, and the processor 101 reads the information in the memory and, in combination with its hardware, completes the cloud platform-based cross-account login method of the foregoing embodiment.
The embodiment of the invention also provides a computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the cloud platform-based cross-account login method is executed.
The computer program product of the cloud platform-based cross-account login method, device and server provided by the embodiments of the present invention includes a computer-readable storage medium storing program code; the instructions in the program code may be used to execute the method described in the foregoing method embodiments. For the specific implementation, refer to the method embodiments, which are not repeated here.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meaning of the above terms in the present invention can be understood in specific cases for those skilled in the art.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the foregoing embodiments are merely illustrative of the present invention, not restrictive, and the scope of the present invention is not limited thereto: any person skilled in the art can, within the technical scope of the present disclosure, modify the technical solutions described in the foregoing embodiments or readily conceive equivalent substitutes for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (13)

1. A cross-account login method based on a cloud platform is applied to the cloud platform, and comprises the following steps:
receiving an identity switching request sent by a first tenant, wherein the identity switching request is sent by the first tenant after logging in the cloud platform in a sub-user identity; the identity switching request carries an identifier of a target role identity; the target role identity is a role identity which is pre-established by a second tenant and has a preset access right to the cloud platform;
extracting the identification of the target role identity, and generating temporary identity information corresponding to the target role identity based on the identification of the target role identity;
and sending the temporary identity information to the first tenant so that the first tenant logs in an account corresponding to the target role identity according to the temporary identity information.
2. The method of claim 1, further comprising:
receiving sub-user login information sent by the first tenant;
verifying whether the login information of the sub-user is legal or not;
if yes, determining that the first tenant logs in the cloud platform in a sub-user identity.
3. The method of claim 1, wherein generating temporary identity information corresponding to the target role identity based on the identifier of the target role identity comprises:
acquiring a pre-established authority policy table; the authority policy table comprises a plurality of role identities and access authorities corresponding to the role identities;
searching the access authority corresponding to the target role identity in the authority policy table according to the identifier of the target role identity;
generating the temporary identity information based on the access right; the temporary identity information comprises key information and a first security token, and the key information is used for authenticating the target role identity; the first security token carries the target role identity, the access authority corresponding to the target role identity, and the validity period of the temporary identity information.
4. The method of claim 3, wherein after sending the temporary identity information to the first tenant, the method further comprises:
receiving interface request information of a target service line sent by the first tenant based on the temporary identity information;
extracting a second security token of the temporary identity information carried in the interface request information;
verifying the second security token;
and if the verification is passed, determining that the temporary identity logged in by the first tenant has access right to the target service line.
5. The method of claim 4, wherein the step of sending the temporary identity information to the first tenant comprises:
encrypting the first security token information to generate an encrypted security token;
sending temporary identity information containing the key information and the encrypted security token to the first tenant.
6. The method of claim 5, wherein after generating the temporary identity information based on the access rights, the method further comprises:
and extracting the first security token and generating signature information of the first security token.
7. The method according to claim 6, wherein the step of extracting the second security token of the temporary identity information carried in the interface request information comprises:
extracting an encrypted second security token of the temporary identity information carried in the interface request information;
the step of verifying the second security token comprises:
decrypting the encrypted second security token to obtain the second security token;
acquiring signature information of the first security token, and verifying the second security token according to the signature information of the first security token;
determining that the second security token is validated if the first security token matches the second security token.
8. The method of claim 4, wherein after determining that the temporary identity of the first tenant login has access to the target service line, the method further comprises:
creating sub-user information representing the target role identity, the sub-user comprising a sub-user ID, the key information, and the first security token;
storing the sub-user information to a preset cache region;
and when the cache region is monitored to be successfully written, determining that the current identity of the first tenant is the target role identity.
9. The method of claim 8, further comprising:
receiving a resource control request sent by the first tenant in the target role identity;
acquiring sub-user information of the target role identity in the cache region;
authenticating the target role identity corresponding to the first tenant according to the sub-user information of the target role identity in the cache region;
and if the authentication is passed, acquiring a service line interface corresponding to the resource control request so that the first tenant controls the resources of the service line through the service line interface.
10. The method of claim 9, further comprising:
if the resource management and control request is a purchase request for cloud resources of a target service line, calling order service, and authenticating the target role identity corresponding to the first tenant through the order service request;
and if the authentication is passed, acquiring a service line interface of the order service so as to enable the first tenant to purchase the target service line.
11. A cross-account login device based on a cloud platform is applied to the cloud platform, and comprises:
the system comprises a receiving module, a sending module and a switching module, wherein the receiving module is used for receiving an identity switching request sent by a first tenant, and the identity switching request is sent by the first tenant after the first tenant logs in the cloud platform in a sub-user identity; the identity switching request carries an identifier of a target role identity; the target role identity is a role identity which is pre-established by a second tenant and has a preset access right to the cloud platform;
the extraction module is used for extracting the identification of the target role identity and generating temporary identity information corresponding to the target role identity based on the identification of the target role identity;
and the login module is used for sending the temporary identity information to the first tenant so that the first tenant can log in an account corresponding to the target role identity according to the temporary identity information.
12. A server comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of claims 1-10 when executing the computer program.
13. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, is adapted to carry out the method of any of the preceding claims 1-10.
CN202010860952.6A 2020-08-24 2020-08-24 Cross-account login method and device based on cloud platform and server Active CN111953708B (en)


Publications (2)

Publication Number Publication Date
CN111953708A true CN111953708A (en) 2020-11-17
CN111953708B CN111953708B (en) 2022-08-26

Family

ID=73360106

CN101977184A (en) * 2010-09-30 2011-02-16 西本新干线股份有限公司 Multi-identity selection landing device and service system
CN104270348A (en) * 2014-09-17 2015-01-07 深圳市多彩人生技术有限公司 Method and system for achieving and switching multiple roles of same account of social network
CN105338005A (en) * 2015-12-15 2016-02-17 盛趣信息技术(上海)有限公司 Login method and system based on account group and login client
CN108322468A (en) * 2018-02-02 2018-07-24 广州南洋理工职业学院 Identity authorization system
US20180287794A1 (en) * 2017-04-04 2018-10-04 Microsoft Technology Licensing, Llc Optimized sign out for single account services
US20180302405A1 (en) * 2017-04-18 2018-10-18 Microsoft Technology Licensing, Llc Organizational sign-in across sovereign environments
CN110213303A (en) * 2019-07-16 2019-09-06 北京计算机技术及应用研究所 A kind of mobile terminal single-point logging method and system based on 5G network
CN110582769A (en) * 2019-07-11 2019-12-17 深圳市鹰硕技术有限公司 single-account multi-identity login method, device, server and storage medium

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1667542A (en) * 2004-03-09 2005-09-14 国际商业机器公司 System and method for identity switching on a computer system
US20050204146A1 (en) * 2004-03-09 2005-09-15 International Business Machines Corporation System, method, and program product for identity switching on a computer system
CN101951385A (en) * 2010-09-30 2011-01-19 西本新干线股份有限公司 Service switching method for electronic transaction platform
CN101977184A (en) * 2010-09-30 2011-02-16 西本新干线股份有限公司 Multi-identity selection landing device and service system
CN104270348A (en) * 2014-09-17 2015-01-07 深圳市多彩人生技术有限公司 Method and system for achieving and switching multiple roles of same account of social network
CN105338005A (en) * 2015-12-15 2016-02-17 盛趣信息技术(上海)有限公司 Login method and system based on account group and login client
US20180287794A1 (en) * 2017-04-04 2018-10-04 Microsoft Technology Licensing, Llc Optimized sign out for single account services
US20180302405A1 (en) * 2017-04-18 2018-10-18 Microsoft Technology Licensing, Llc Organizational sign-in across sovereign environments
CN108322468A (en) * 2018-02-02 2018-07-24 广州南洋理工职业学院 Identity authorization system
CN110582769A (en) * 2019-07-11 2019-12-17 深圳市鹰硕技术有限公司 single-account multi-identity login method, device, server and storage medium
CN110213303A (en) * 2019-07-16 2019-09-06 北京计算机技术及应用研究所 A kind of mobile terminal single-point logging method and system based on 5G network

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112383556B (en) * 2020-11-17 2023-04-21 珠海大横琴科技发展有限公司 Data processing method and device
CN112383556A (en) * 2020-11-17 2021-02-19 珠海大横琴科技发展有限公司 Data processing method and device
CN112487402A (en) * 2020-11-30 2021-03-12 浪潮通用软件有限公司 Multi-tenant login method, equipment and medium based on ERP system
WO2022116575A1 (en) * 2020-12-03 2022-06-09 亿咖通(湖北)科技有限公司 Service platform access permission acquisition method and service platform access control method
CN112637214A (en) * 2020-12-24 2021-04-09 北京金山云网络技术有限公司 Resource access method and device and electronic equipment
CN112637214B (en) * 2020-12-24 2023-04-07 北京金山云网络技术有限公司 Resource access method and device and electronic equipment
CN112685719A (en) * 2020-12-29 2021-04-20 武汉联影医疗科技有限公司 Single sign-on method, device, system, computer equipment and storage medium
CN114866268B (en) * 2021-02-04 2023-03-17 腾讯科技(深圳)有限公司 Method and device for realizing account intercommunication and electronic equipment
CN114866268A (en) * 2021-02-04 2022-08-05 腾讯科技(深圳)有限公司 Method and device for realizing account intercommunication and electronic equipment
CN113742749B (en) * 2021-09-10 2024-03-29 广州市奥威亚电子科技有限公司 Platform user authority management method, device, equipment and storage medium
CN113742749A (en) * 2021-09-10 2021-12-03 广州市奥威亚电子科技有限公司 Method, device and equipment for managing platform user authority and storage medium
CN114095200B (en) * 2021-09-28 2023-12-01 阿里巴巴(中国)有限公司 Resource access authority management method and device, electronic equipment and medium
CN114095200A (en) * 2021-09-28 2022-02-25 阿里巴巴(中国)有限公司 Resource access authority management method and device, electronic equipment and medium
CN113923023A (en) * 2021-10-09 2022-01-11 京东科技信息技术有限公司 Authority configuration and data processing method, device, electronic equipment and medium
CN113923023B (en) * 2021-10-09 2024-04-05 京东科技信息技术有限公司 Authority configuration and data processing method, device, electronic equipment and medium
WO2023134144A1 (en) * 2022-01-11 2023-07-20 华为云计算技术有限公司 Method for processing cloud service in cloud system, and related apparatus
WO2023160632A1 (en) * 2022-02-25 2023-08-31 华为云计算技术有限公司 Method for setting cloud service access permissions of enclave instance, and cloud management platform
CN114884733A (en) * 2022-05-10 2022-08-09 中国农业银行股份有限公司 Authority management method and device, electronic equipment and storage medium
CN116962019A (en) * 2023-06-27 2023-10-27 北京一心向上科技有限公司 Temporary management method, system and storage medium for employee-side account
CN116962019B (en) * 2023-06-27 2024-02-20 北京一心向上科技有限公司 Temporary management method, system and storage medium for employee-side account

Also Published As

Publication number Publication date
CN111953708B (en) 2022-08-26

Similar Documents

Publication Publication Date Title
CN111953708B (en) Cross-account login method and device based on cloud platform and server
EP3424179B1 (en) Method and system for authenticated login using static or dynamic codes
CN108684041B (en) System and method for login authentication
US8984284B2 (en) Method and system for verifying entitlement to access content by URL validation
US9537661B2 (en) Password-less authentication service
CN101647254B (en) Method and system for the provision of services for terminal devices
US20220394026A1 (en) Network identity protection method and device, and electronic equipment and storage medium
US20050021975A1 (en) Proxy based adaptive two factor authentication having automated enrollment
EP3065435A1 (en) Method for generating a digital identity for a user of a mobile device, digital user identity, and authentication method using said digital user identity
US20070208950A1 (en) Secure object for convenient identification
CN111901346B (en) Identity authentication system
US20160381001A1 (en) Method and apparatus for identity authentication between systems
CN105577612B (en) Identity authentication method, third-party server, merchant server and user terminal
US9124571B1 (en) Network authentication method for secure user identity verification
JP6572750B2 (en) Authentication control program, authentication control device, and authentication control method
US11165768B2 (en) Technique for connecting to a service
CN112688773A (en) Token generation and verification method and device
CN113312664B (en) User data authorization method and user data authorization system
CN109842616B (en) Account binding method and device and server
CN111800378A (en) Login authentication method, device, system and storage medium
CN111786996B (en) Cross-domain synchronous login state method and device and cross-domain synchronous login system
CN111669351A (en) Authentication method and related equipment
US20230299973A1 (en) Service registration method and device
KR101803535B1 (en) Single Sign-On Service Authentication Method Using One-Time-Token
KR102062851B1 (en) Single sign on service authentication method and system using token management demon

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant