CN112188493A - Authentication method, system and related equipment - Google Patents


Info

Publication number: CN112188493A
Application number: CN202011137879.6A
Authority: CN (China)
Prior art keywords: authentication, service, service request, resource group, identity
Legal status: Granted (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN112188493B (en)
Inventors: 王振宇, 唐国伟
Current assignee: Shenzhen Yunzhijia Network Co ltd (as listed; may be inaccurate)
Original assignee: Shenzhen Yunzhijia Network Co ltd

Events
Application filed by Shenzhen Yunzhijia Network Co ltd
Priority to CN202011137879.6A
Publication of CN112188493A
Application granted
Publication of CN112188493B
Legal status: Active

Classifications

    • H04W12/06 Authentication (under H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity; H04W Wireless communication networks; H04 Electric communication technique; H Electricity)
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos (under H04L9/321, H04L9/32, H04L9/00; H04L Transmission of digital information, e.g. telegraphic communication; H04 Electric communication technique; H Electricity)
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN (under H04L9/32, H04L9/00; H04L Transmission of digital information, e.g. telegraphic communication; H04 Electric communication technique; H Electricity)
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security (under Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them; Y04S Systems integrating technologies related to power network operation, communication or information technologies for improving the electrical power generation, transmission, distribution, management or usage, i.e. smart grids; Y04 Information or communication technologies having an impact on other technology areas; Y General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests)

Abstract

The embodiments of the invention provide an authentication method, an authentication system and related equipment, intended to improve authentication efficiency and save network resources. The method comprises the following steps: receiving a visitor identity identifier and the key of the target resource group the visitor requests to access, where each resource group records at least two service interfaces; verifying the validity of the visitor identity and the key; and, when the validity check of the visitor identity and the key passes, returning the access token corresponding to the target resource group to the client.

Description

Authentication method, system and related equipment
Technical Field
The present invention relates to the field of authentication technology, and in particular, to an authentication method, system and related device.
Background
One trend in current application development is to rely on an open platform to implement business scenarios, for example relying on the cloud home open platform to implement services such as sign-in, approval, report display and ecosphere.
After a developer builds a light application (Light APP) on an open platform, calling the platform's service APIs to perform a service runs into the problem that the basic service interfaces of the various services often use different authentication modes; when at least two services are realised by calling the same open platform, each service has to be authenticated separately, which is laborious and inefficient.
Disclosure of Invention
The embodiment of the invention provides an authentication method, an authentication system and related equipment, which are used for improving the authentication efficiency and saving network resources.
The first aspect of the embodiments of the present invention provides an authentication method, which is applied to authorization authentication under OAuth2 protocol, and may include:
receiving a visitor identity identifier and the key of the target resource group the visitor requests to access, wherein at least two service interfaces are recorded in each resource group;
verifying the validity of the visitor identity and the secret key;
and when the visitor identity identification and the validity check of the secret key pass, returning an access token corresponding to the target resource group to the client.
Optionally, as a possible implementation manner, the authentication method in the embodiment of the present invention may further include:
receiving service request information sent by gateway equipment, wherein the service request information comprises an access token and service request parameters;
and when the validity check of the access token passes, performing service authority verification according to the service request parameters, and if the service authority verification passes, controlling the gateway equipment to forward the service request to a corresponding service server.
Optionally, as a possible implementation manner, in the embodiment of the present invention, the performing service right verification according to the service request parameter may include:
configuring at least two types of authentication schemes;
and selecting a target authentication scheme according to the identity of the visitor, and performing service authority verification according to the target authentication scheme.
Optionally, as a possible implementation manner, in the embodiment of the present invention, the performing service right verification according to the service request parameter may include:
configuring at least two types of authentication schemes;
and performing service authority verification according to the configuration sequence, wherein the verification is passed if any authentication scheme passes the authentication.
A second aspect of the embodiments of the present invention provides an authentication system, which may include:
a first receiving module, used for receiving the visitor identity and the key of the target resource group requested for access, wherein at least two service interfaces are recorded in each resource group;
the verification module is used for verifying the identity of the visitor and the validity of the secret key;
and the sending module is used for returning the access token corresponding to the target resource group to the client when the visitor identity identification and the validity check of the secret key pass.
Optionally, as a possible implementation manner, the authentication system in the embodiment of the present invention may further include:
the second receiving module is used for receiving service request information sent by the gateway equipment, wherein the service request information comprises an access token and a service request parameter;
and the authentication module is used for verifying the service authority according to the service request parameter when the validity of the access token passes the verification, and controlling the gateway equipment to forward the service request to a corresponding service server if the service authority passes the verification.
Optionally, as a possible implementation manner, the authentication module in the embodiment of the present invention may include:
a first configuration unit, configured to configure at least two types of authentication schemes;
a first authentication unit, configured to select a target authentication scheme according to the identity of the visitor and to verify the service authority according to the target authentication scheme.
Optionally, as a possible implementation manner, the authentication module in the embodiment of the present invention may include:
the second configuration unit is used for configuring at least two types of authentication schemes;
and the second authentication unit is used for verifying the service authority according to the configuration sequence, and if any authentication scheme passes the authentication, the authentication passes.
A third aspect of the embodiments of the present invention provides a computer apparatus including a processor, the processor being configured to implement, when executing a computer program stored in a memory, the steps of the first aspect or of any of its possible implementation manners.
A fourth aspect of the embodiments of the present invention provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the first aspect or of any of its possible implementation manners.
According to the technical scheme, the embodiment of the invention has the following advantages:
in the embodiments of the invention, the authentication server receives the visitor identity identifier and the key of the target resource group the visitor requests to access, where each resource group records at least two service interfaces; when the validity check of the visitor identity and the target-group key passes, it returns the access token corresponding to the target resource group to the client, so that the client can access the service interfaces in that group with the access token. Compared with the prior art, the authentication of at least two service interfaces is associated and bound in advance into a number of resource groups and the access token of each group is issued uniformly, so one authentication yields the access token for every service interface in the target resource group; repeated authentication interactions are unnecessary, authentication efficiency improves, and network resources are saved.
Drawings
Fig. 1 is a schematic diagram of an embodiment of an authentication method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of another embodiment of an authentication method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an embodiment of an authentication method according to the present invention;
Fig. 4 is a schematic diagram of another embodiment of the present invention;
Fig. 5 is a schematic diagram of an embodiment of an authentication system according to an embodiment of the present invention;
Fig. 6 is a diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides an authentication method, an authentication system and related equipment, which are used for improving the authentication efficiency and saving network resources.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiments of the invention apply to authorization authentication under the OAuth2 protocol. OAuth2 is a protocol standard under which a third-party application obtains an access token authorized by the user (resource owner) and, after authentication by an authorization server, securely obtains the corresponding resources from a resource server. It is the continuation of OAuth 1.0: the core of OAuth 1.0 is verification of a signature string, whereas OAuth 2.0 redesigns the interaction so that resource authorization is more flexible.
For convenience of understanding, a specific flow in the embodiment of the present invention is described below, and referring to fig. 1, an embodiment of an authentication method in the embodiment of the present invention may include:
101. receiving a visitor identity identifier and the key of the target resource group the visitor requests to access, wherein at least two service interfaces are recorded in each resource group;
In the authorization authentication process under the existing OAuth1 or OAuth2 protocol, when at least two services are to be implemented by calling the same open platform, each service has to be authenticated separately. For example, when a developer builds a light application (Light APP) on the cloud home open platform and needs to call an API to send a to-do public-account message and to perform services such as sign-in, approval, report display and ecosphere, each of these services needs its own authorization authentication, and each authorization authentication requires an interaction with the authorization server to obtain the corresponding access token, which wastes network resources and makes authentication inefficient.
It can be understood that the visitor identity may be a unique identity set based on a user group (the same company or the same project group), or may be a unique identity (APP ID) corresponding to a light application APP developed based on an open platform, which is not limited herein.
In order to save network resources and improve authentication efficiency, in the embodiment of the present invention, the authentication server may perform association binding on the authentications of at least two service interfaces in advance to form a plurality of resource groups, and perform uniform issuing on the access token of each resource group.
When a user needs to access several services, the services to be accessed can be associated in advance at the authentication server to form a target resource group, and the client then sends a request message to the authentication server carrying the visitor identity and the key of the target resource group. In practice, the authentication of at least two service interfaces in the target resource group may be added to or removed from the group in the management centre as required, which is not limited here.
It is understood that the key of the target resource group may be set by the user himself or may be set by the open platform, which is not limited herein.
102. Verifying the validity of the visitor identity and the secret key;
after obtaining the identity of the visitor and the key of the target resource group requested to be accessed, the authentication server may perform validity check, and if the validity check passes, step 103 may be performed, otherwise, the access request may not be responded.
103. And when the validity of the visitor identity and the key of the target resource group is verified, returning an access token corresponding to the target resource group to the client.
After receiving the visitor identity and the key of the target resource group, the authentication server can verify the validity of the received information, and when the validity of the visitor identity and the key of the target resource group is verified, an access token corresponding to the target resource group is returned to the client, so that the client can access the service interface in the target resource group according to the access token.
In the embodiments of the invention, the authentication server receives the visitor identity identifier and the key of the target resource group the visitor requests to access, where each resource group records at least two service interfaces; when the validity check of the visitor identity and the target-group key passes, it returns the access token corresponding to the target resource group to the client, so that the client can access the service interfaces in that group with the access token. Compared with the prior art, the authentication of at least two service interfaces is associated and bound in advance into a number of resource groups and the access token of each group is issued uniformly, so one authentication yields the access token for every service interface in the target resource group; repeated authentication interactions are unnecessary, authentication efficiency improves, and network resources are saved.
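As an added illustration of steps 101 to 103 (this is not code from the patent or from its assignee), the following Python models an authentication server that binds several service interfaces into resource groups and issues one access token per group. The token construction (HMAC-SHA256 over a JSON payload), the in-memory group and visitor tables, the secret strings, the interface paths and the token lifetime are all constructed assumptions; the patent specifies none of them.

```python
"""Resource-group token issuance modelled on steps 101-103 (added example).

Assumptions (not from the patent): HMAC-SHA256 over a JSON payload as the
token format, and the in-memory tables below as constructed sample data.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data: each resource group records at least two service
# interfaces and has one group key (the "Secret" of the description).
RESOURCE_GROUPS = {
    "grp-office": {
        "secret": "grp-office-secret-EXAMPLE",
        "interfaces": ["/api/checkin", "/api/approval", "/api/report"],
    },
    "grp-ecosystem": {
        "secret": "grp-eco-secret-EXAMPLE",
        "interfaces": ["/api/partner/list", "/api/partner/invite"],
    },
}
# Constructed: which visitor identities (an APP ID or a user-group id) may use which groups.
VISITOR_GROUPS = {
    "app-1001": {"grp-office"},
    "app-2002": {"grp-office", "grp-ecosystem"},
}

SERVER_SIGNING_KEY = secrets.token_bytes(32)  # constructed per-server signing secret
TOKEN_TTL_SECONDS = 3600                      # assumed lifetime; not given by the patent


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_validity(visitor_id: str, group_id: str, group_secret: str) -> bool:
    """Step 102: the visitor must be known, be bound to the requested group, and
    present that group's key. The key comparison is constant-time."""
    group = RESOURCE_GROUPS.get(group_id)
    if group is None or group_id not in VISITOR_GROUPS.get(visitor_id, set()):
        return False
    return hmac.compare_digest(group["secret"].encode(), group_secret.encode())


def issue_token(visitor_id, group_id, group_secret, now=None):
    """Steps 101-103: one authentication yields one token scoped to every interface
    in the group. Returns None when the validity check fails (no response, as in
    the description)."""
    if not check_validity(visitor_id, group_id, group_secret):
        return None
    now = int(time.time()) if now is None else now
    payload = {
        "sub": visitor_id,
        "grp": group_id,
        "scope": RESOURCE_GROUPS[group_id]["interfaces"],
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token, now=None):
    """Validity check of an access token: well-formed, authentic tag, not expired.
    Returns the payload dict, or None if the token is invalid."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(SERVER_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(body)
    now = int(time.time()) if now is None else now
    if now >= payload["exp"]:
        return None
    return payload


def token_allows(token, interface, now=None) -> bool:
    """True when the token is valid and the interface belongs to the token's group."""
    payload = verify_token(token, now)
    return payload is not None and interface in payload["scope"]
```

The point the description makes is visible in `token_allows`: a single issuance covers every interface listed for the group, so the client performs one authentication exchange rather than one per interface. A group token is a wider credential than a per-interface token, so the binding of visitor identity to group in `check_validity` and the expiry check in `verify_token` are the two places where the scope of what one credential grants is actually enforced.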
In practical applications, the operation authority authentication of different services includes not only the identity authentication based on the access token, but also logic authentication of the services, such as authority authentication of each level, operation time authentication, and the like. On the basis of the embodiment shown in fig. 1, referring to fig. 2, another embodiment of an authentication method according to an embodiment of the present invention may include:
201. receiving a visitor identity identifier and the key of the target resource group the visitor requests to access, wherein at least two service interfaces are recorded in each resource group;
202. verifying the validity of the visitor identity and the secret key;
203. when the validity of the visitor identity identification and the key of the target resource group passes the verification, returning an access token corresponding to the target resource group to the client;
the contents described in steps 201 to 203 in this embodiment are similar to the contents described in steps 101 to 103 in the embodiment shown in fig. 1, and are not repeated here.
204. Receiving service request information sent by gateway equipment, wherein the service request information comprises an access token and a service request parameter;
After the client has obtained the access token, it can build service request information from the access token and the service request parameters; this service request information is passed through the gateway device to the authentication server for authentication.
205. And when the validity check of the access token passes, performing service authority verification according to the service request parameters, and if the service authority verification passes, controlling the gateway equipment to forward the service request to the corresponding service server.
When the authentication server finds the access token valid, it verifies the service authority according to the service request parameters; the specific service-authority verification scheme can be set according to the actual service logic and is not limited here. If the service authority verification passes, the authentication server instructs the gateway device to forward the service request to the corresponding service server.
Optionally, in order to improve compatibility of authentication, in the embodiment of the present invention, performing service right verification according to the service request parameter may include: configuring at least two types of authentication schemes; and selecting a target authentication scheme according to the identity of the visitor, and performing service authority verification according to the target authentication scheme.
In practice, each service has its own authentication scheme. To improve compatibility, at least two types of authentication schemes can be configured on the authentication interface (API) of the open platform, so that a single API is compatible with the different authentication modes in use on multiple endpoints, which improves API reusability.
Optionally, in order to improve compatibility of authentication, in the embodiment of the present invention, performing service right verification according to the service request parameter includes: configuring at least two types of authentication schemes; and performing service authority verification according to the configuration sequence, wherein the verification is passed if any authentication scheme passes the authentication.
For example, as shown in fig. 3, three types of authentication scheme, A, B and C, may be configured and tried in sequence: if scheme A fails, scheme B is tried next; if scheme B fails, scheme C is tried; and if any scheme passes, the authentication passes.
For easy understanding, please refer to fig. 4, the following describes the authentication method in the embodiment of the present invention with reference to a specific application embodiment, which may specifically include the following steps:
1. the client acquires an API Access Token according to the current working circle Eid and the authorized group Secret;
herein, the unique identifier of the cloud home (mobile collaborative office cloud platform) to the group or enterprise is referred to as the work circle ID. For Resource groups (Resource groups) of a type of open API, each API Group corresponds to a Resource Secret that can be repeatedly generated.
2. The client side carries out authentication Access through the unified gateway according to the Access Token, the interface API URL and the parameters;
3. The unified gateway calls the Authserver authentication server over RPC for validity verification and to exchange the token for the authenticated identity;
the Authserver authentication server can be configured with at least two types of authentication schemes, selects a target authentication scheme according to the identity of an accessor, and verifies the service authority according to the target authentication scheme; or the service authority is verified according to the configuration sequence, and if any authentication scheme passes the authentication, the verification is passed.
4. After passing the authentication of the authentication service, the parameters and the identity information are transmitted to a downstream business API;
5. if the authentication of the authentication service fails, the authentication failure Errorcode is directly returned.
Configurable group management is carried out on the basis of the work-circle feature of the cloud home (mobile office cloud platform) product: different work circles can freely group and manage API resources, giving developers fine-grained authorization to apply for API rights, and enterprise open resources can be reclaimed and redistributed as needed. The open API supports at least two authentication modes, so a single API is compatible with different types of authentication modes on multiple endpoints and API reusability improves; applying this authentication method raises the probability that an API authentication passes and strengthens the assurance that a caller is correctly applying the open API.
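To show the gateway side of the scheme (steps 204 to 205 of fig. 2, the ordered A/B/C fallback of fig. 3, and the unified-gateway flow of fig. 4 above), here is an added Python example; it is not the patent's or the assignee's code. It assumes opaque access tokens looked up in a server-side table, three constructed service-authority schemes (per-level authority, operation-time authority and a per-API allow-list, standing in for the "authority authentication of each level" and "operation time authentication" the description mentions), constructed error codes, and an in-process function in place of the RPC from the unified gateway to the Authserver.

```python
"""Gateway -> Authserver service authorization (added example, not the patent's code).

Covers steps 204-205 of fig. 2, the A/B/C ordered fallback of fig. 3, and the
fig. 4 flow (unified gateway -> Authserver -> downstream API or Errorcode).
All tables, scheme bodies and error codes are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed: opaque access tokens the Authserver has issued, with their group and expiry.
ISSUED_TOKENS = {
    "tok-app-1001-office": {"sub": "app-1001", "grp": "grp-office", "exp": 2000},
    "tok-app-2002-eco": {"sub": "app-2002", "grp": "grp-ecosystem", "exp": 2000},
}
# Constructed: the service interfaces recorded in each resource group.
GROUP_INTERFACES = {
    "grp-office": {"/api/checkin", "/api/approval", "/api/report"},
    "grp-ecosystem": {"/api/partner/list", "/api/partner/invite"},
}


@dataclass
class ServiceRequest:
    """Service request information: access token, API URL and service parameters."""
    token: str
    api_url: str
    params: Dict[str, str]
    now: int = 1000  # injected clock so the example is deterministic


@dataclass
class Decision:
    forward: bool
    errorcode: Optional[str] = None     # constructed Errorcode values
    identity: Optional[dict] = None     # identity info handed to the downstream API


Scheme = Callable[[dict, ServiceRequest], bool]


def scheme_a_role_level(identity: dict, req: ServiceRequest) -> bool:
    """Scheme A (constructed): per-level authority; the requested level may not exceed
    the level held by the calling identity."""
    held = {"app-1001": 2, "app-2002": 5}.get(identity["sub"], 0)
    return int(req.params.get("level", "0")) <= held


def scheme_b_business_hours(identity: dict, req: ServiceRequest) -> bool:
    """Scheme B (constructed): operation-time authority; allowed from hour 9 to 18."""
    hour = int(req.params.get("hour", "-1"))
    return 9 <= hour < 18


def scheme_c_allowlist(identity: dict, req: ServiceRequest) -> bool:
    """Scheme C (constructed): explicit per-API allow-list for the calling identity."""
    allow = {"app-2002": {"/api/partner/invite"}}
    return req.api_url in allow.get(identity["sub"], set())


SCHEMES: Dict[str, Scheme] = {
    "A": scheme_a_role_level, "B": scheme_b_business_hours, "C": scheme_c_allowlist,
}
SCHEME_BY_IDENTITY = {"app-1001": "A", "app-2002": "C"}  # strategy 1: scheme per visitor
SCHEME_ORDER = ["A", "B", "C"]                           # strategy 2: ordered fallback (fig. 3)


def check_token(req: ServiceRequest) -> Optional[dict]:
    """Validity check of the access token: known, unexpired, and the requested API
    is one of the interfaces recorded in the token's resource group."""
    rec = ISSUED_TOKENS.get(req.token)
    if rec is None or req.now >= rec["exp"]:
        return None
    if req.api_url not in GROUP_INTERFACES.get(rec["grp"], set()):
        return None
    return rec


def verify_by_identity(identity: dict, req: ServiceRequest) -> bool:
    """Select the target scheme from the visitor identity, then apply it."""
    name = SCHEME_BY_IDENTITY.get(identity["sub"])
    return name is not None and SCHEMES[name](identity, req)


def verify_in_order(identity: dict, req: ServiceRequest) -> bool:
    """Try schemes in the configured order; the first success ends the check."""
    return any(SCHEMES[name](identity, req) for name in SCHEME_ORDER)


def authserver_decide(req: ServiceRequest, strategy: str = "by_identity") -> Decision:
    """Step 205 and fig. 4 steps 3-5: token check first, then service-authority verification."""
    identity = check_token(req)
    if identity is None:
        return Decision(forward=False, errorcode="E_TOKEN_INVALID")
    verify = verify_by_identity if strategy == "by_identity" else verify_in_order
    if not verify(identity, req):
        return Decision(forward=False, errorcode="E_AUTH_FAILED")
    return Decision(forward=True, identity=identity)


def unified_gateway(req: ServiceRequest, strategy: str = "by_identity") -> dict:
    """Fig. 4 steps 2-5: the gateway consults the Authserver (in-process stand-in for
    the RPC) and either forwards params plus identity downstream or returns the Errorcode."""
    d = authserver_decide(req, strategy)
    if not d.forward:
        return {"status": "rejected", "errorcode": d.errorcode}
    return {"status": "forwarded", "downstream": req.api_url,
            "params": req.params, "identity": d.identity["sub"]}
```

Both selection strategies from the description are present: `verify_by_identity` picks the scheme bound to the visitor identity, and `verify_in_order` walks the configured sequence and passes on the first success, as fig. 3 describes. The ordered strategy makes the effective policy the union of the configured schemes, which is what raises the pass rate the description mentions; each scheme in the list therefore has to be sound on its own, because a permissive scheme late in the order accepts every request the earlier ones rejected.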
Referring to fig. 5, an embodiment of the present invention further provides an authentication system, which includes:
a first receiving module 501, configured to receive a visitor identifier and the key of the target resource group requested for access, where each resource group records at least two service interfaces;
the verification module 502 is used for verifying the validity of the visitor identity and the secret key;
and the sending module 503, when the validity check of the visitor identity and the key passes, returns an access token corresponding to the target resource group to the client.
Optionally, as a possible implementation manner, the authentication system in the embodiment of the present invention may further include:
the second receiving module is used for receiving service request information sent by the gateway equipment, and the service request information comprises an access token and a service request parameter;
and the authentication module is used for verifying the service authority according to the service request parameters when the validity of the access token is verified, and controlling the gateway equipment to forward the service request to the corresponding service server if the service authority is verified.
Optionally, as a possible implementation manner, the authentication module in the embodiment of the present invention may include:
a first configuration unit, configured to configure at least two types of authentication schemes;
the first authentication unit selects a target authentication scheme according to the identity of the visitor and verifies the service authority according to the target authentication scheme.
Optionally, as a possible implementation manner, the authentication module in the embodiment of the present invention may include:
the second configuration unit is used for configuring at least two types of authentication schemes;
and the second authentication unit is used for verifying the service authority according to the configuration sequence, and if any authentication scheme passes the authentication, the authentication passes.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The authentication system of the embodiments has been described above from the perspective of modular functional entities; referring to fig. 6, the computer apparatus of the embodiments is now described from the perspective of hardware processing:
The computer device 1 may include a memory 11, a processor 12 and an input/output bus 13. The processor 12, when executing the computer program, implements the steps of the authentication method embodiment shown in fig. 1, such as steps 101 to 102 shown in fig. 1. Alternatively, the processor, when executing the computer program, implements the functions of each module or unit in the device embodiments described above.
In some embodiments of the present invention, the processor is specifically configured to implement the following steps:
receiving a visitor identity identifier and the key of the target resource group the visitor requests to access, wherein at least two service interfaces are recorded in each resource group;
verifying the validity of the visitor identity and the secret key;
and when the validity of the visitor identity and the key passes the verification, returning an access token corresponding to the target resource group to the client, so that the client accesses the service interface in the target resource group according to the access token.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
receiving service request information sent by gateway equipment, wherein the service request information comprises an access token and a service request parameter;
and when the validity check of the access token passes, performing service authority verification according to the service request parameters, and if the service authority verification passes, controlling the gateway equipment to forward the service request to the corresponding service server.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
configuring at least two types of authentication schemes;
and selecting a target authentication scheme according to the identity of the visitor, and performing service authority verification according to the target authentication scheme.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
configuring at least two types of authentication schemes;
and performing service authority verification according to the configuration sequence, wherein the verification is passed if any authentication scheme passes the authentication.
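As an added example (not the patent's own code), the following Python sketch models the two-stage flow listed above: the token server validates the visitor identity and the resource-group key and issues a token bound to that one group, and the gateway-side check verifies the token, enforces the group binding, then applies either of the two authentication-scheme strategies (scheme selected by visitor identity, or schemes tried in configured order with any pass sufficing). The resource groups, visitors, keys, schemes and token lifetime are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed resource groups: each records at least two service interfaces
# and the single key that unlocks the group as a whole.
RESOURCE_GROUPS = {
    "crm": {"key": "crm-key-001", "interfaces": {"/crm/contacts", "/crm/deals"}},
    "hr": {"key": "hr-key-002", "interfaces": {"/hr/employees", "/hr/payroll"}},
}
# Constructed visitor registry: which groups each visitor identity may request,
# and (for the first authentication scheme) which interfaces it may call.
VISITOR_GROUPS = {"app-a": {"crm"}, "app-b": {"crm", "hr"}}
VISITOR_INTERFACES = {"app-a": {"/crm/contacts"}, "app-b": {"/crm/deals", "/hr/employees"}}
TOKEN_TTL = 600  # seconds; assumed value


@dataclass
class TokenRecord:
    visitor: str
    group: str      # the token is bound to exactly one resource group
    expires: float


_TOKENS: Dict[str, TokenRecord] = {}


def issue_token(visitor_id: str, group: str, key: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 1-3: check visitor identity and group key; return a group-bound token or None."""
    now = time.time() if now is None else now
    grp = RESOURCE_GROUPS.get(group)
    if grp is None or group not in VISITOR_GROUPS.get(visitor_id, set()):
        return None
    if not hmac.compare_digest(grp["key"].encode(), key.encode()):  # constant-time compare
        return None
    tok = secrets.token_urlsafe(24)
    _TOKENS[tok] = TokenRecord(visitor_id, group, now + TOKEN_TTL)
    return tok


# Authentication schemes: each maps (token record, service request params) -> bool.
def scheme_visitor_allowlist(rec: TokenRecord, params: dict) -> bool:
    return params.get("interface") in VISITOR_INTERFACES.get(rec.visitor, set())


def scheme_role(rec: TokenRecord, params: dict) -> bool:
    return params.get("role") == "admin"


Scheme = Callable[[TokenRecord, dict], bool]
SCHEMES_IN_ORDER = [scheme_visitor_allowlist, scheme_role]  # strategy B: any pass suffices
SCHEME_BY_VISITOR: Dict[str, Scheme] = {"app-a": scheme_visitor_allowlist, "app-b": scheme_role}  # strategy A


def authorize(token: str, params: dict, strategy: str = "by_identity", now: Optional[float] = None) -> bool:
    """Gateway-side decision: True means the gateway may forward the request."""
    now = time.time() if now is None else now
    rec = _TOKENS.get(token)
    if rec is None or now >= rec.expires:  # token validity check
        return False
    # The group binding is enforced regardless of scheme, so an "any scheme
    # passes" configuration cannot reach an interface outside the token's group.
    if params.get("interface") not in RESOURCE_GROUPS[rec.group]["interfaces"]:
        return False
    if strategy == "by_identity":
        scheme = SCHEME_BY_VISITOR.get(rec.visitor)
        return scheme is not None and scheme(rec, params)
    return any(scheme(rec, params) for scheme in SCHEMES_IN_ORDER)
```

Under the ordered strategy a permissive scheme (here the role check) is enough on its own, which is why the group binding is checked before any scheme runs.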
The memory 11 includes at least one type of readable storage medium, and the readable storage medium includes a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a magnetic memory, a magnetic disk, an optical disk, and the like. The memory 11 may in some embodiments be an internal storage unit of the computer device 1, for example a hard disk of the computer device 1. The memory 11 may also be an external storage device of the computer apparatus 1 in other embodiments, such as a plug-in hard disk provided on the computer apparatus 1, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like. Further, the memory 11 may also include both an internal storage unit and an external storage device of the computer apparatus 1. The memory 11 may be used not only to store application software installed in the computer apparatus 1 and various types of data, such as codes of the computer program 01, but also to temporarily store data that has been output or is to be output.
The processor 12 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor or other data processing chip in some embodiments, and is used for executing program code stored in the memory 11 or processing data, such as executing the computer program 01.
The input/output bus 13 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc.
Further, the computer apparatus may further include a wired or wireless network interface 14, and the network interface 14 may optionally include a wired interface and/or a wireless interface (such as a WI-FI interface, a bluetooth interface, etc.), which are generally used for establishing a communication connection between the computer apparatus 1 and other electronic devices.
Optionally, the computer device 1 may further include a user interface, which may include a display and an input unit such as a keyboard; optionally, the user interface may further include a standard wired interface and a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the computer device 1 and for displaying a visualized user interface.
Fig. 6 shows only the computer arrangement 1 with the components 11-14 and the computer program 01; it will be understood by a person skilled in the art that the structure shown in fig. 6 does not constitute a limitation of the computer arrangement 1, which may comprise fewer or more components than shown, a combination of certain components, or a different arrangement of components.
The present invention also provides a computer-readable storage medium having a computer program stored thereon, which when executed by a processor, performs the steps of:
receiving an identity identifier of an accessor and a key of a target resource group requesting to access, wherein at least two service interfaces are recorded in each resource group;
verifying the validity of the visitor identity and the secret key;
and when the validity of the visitor identity and the key passes the verification, returning an access token corresponding to the target resource group to the client, so that the client accesses the service interface in the target resource group according to the access token.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
receiving service request information sent by gateway equipment, wherein the service request information comprises an access token and a service request parameter;
and when the validity check of the access token passes, performing service authority verification according to the service request parameters, and if the service authority verification passes, controlling the gateway equipment to forward the service request to the corresponding service server.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
configuring at least two types of authentication schemes;
and selecting a target authentication scheme according to the identity of the visitor, and performing service authority verification according to the target authentication scheme.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
configuring at least two types of authentication schemes;
and performing service authority verification according to the configuration sequence, wherein the verification is passed if any authentication scheme passes the authentication.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An authentication and authorization method, applied to authentication and authorization under the OAuth2 protocol, the method comprising:
receiving an identity identifier of an accessor and a key of a target resource group requesting to access, wherein at least two service interfaces are recorded in each resource group;
verifying the validity of the visitor identity and the secret key;
and when the visitor identity identification and the validity check of the secret key pass, returning an access token corresponding to the target resource group to the client.
2. The method of claim 1, further comprising:
receiving service request information sent by gateway equipment, wherein the service request information comprises an access token and service request parameters;
and when the validity check of the access token passes, performing service authority verification according to the service request parameters, and if the service authority verification passes, controlling the gateway equipment to forward the service request to a corresponding service server.
3. The method of claim 2, wherein the performing service authorization verification according to the service request parameter comprises:
configuring at least two types of authentication schemes;
and selecting a target authentication scheme according to the identity of the visitor, and performing service authority verification according to the target authentication scheme.
4. The method of claim 2, wherein the performing service authorization verification according to the service request parameter comprises:
configuring at least two types of authentication schemes;
and performing service authority verification according to the configuration sequence, wherein the verification is passed if any authentication scheme passes the authentication.
5. An authentication system, comprising:
the first receiving module is used for receiving the identity of the visitor and the key of the target resource group requesting to access, wherein at least two service interfaces are recorded in each resource group;
the verification module is used for verifying the identity of the visitor and the validity of the secret key;
and the sending module is used for returning the access token corresponding to the target resource group to the client when the visitor identity identification and the validity check of the secret key pass.
6. The system of claim 5, further comprising:
the second receiving module is used for receiving service request information sent by the gateway equipment, wherein the service request information comprises an access token and a service request parameter;
and the authentication module is used for verifying the service authority according to the service request parameter when the validity of the access token passes the verification, and controlling the gateway equipment to forward the service request to a corresponding service server if the service authority passes the verification.
7. The system of claim 6, wherein the authentication module comprises:
a first configuration unit, configured to configure at least two types of authentication schemes;
the first authentication unit selects a target authentication scheme according to the identity of the visitor and verifies the service authority according to the target authentication scheme.
8. The system of claim 6, wherein the authentication module comprises:
the second configuration unit is used for configuring at least two types of authentication schemes;
and the second authentication unit is used for verifying the service authority according to the configuration sequence, and if any authentication scheme passes the authentication, the authentication passes.
9. A computer arrangement, characterized in that the computer arrangement comprises a processor for implementing the steps of the method according to any one of claims 1 to 4 when executing a computer program stored in a memory.
10. A computer-readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011137879.6A CN112188493B (en) 2020-10-22 2020-10-22 Authentication method, system and related equipment

Publications (2)

Publication Number Publication Date
CN112188493A true CN112188493A (en) 2021-01-05
CN112188493B CN112188493B (en) 2023-08-15

Family

ID=73922564

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant