CN112422477A - Service authentication method, server, electronic device and storage medium - Google Patents

Info

Publication number
CN112422477A
Authority
CN
China
Prior art keywords
token
authentication
client
interaction
server
Prior art date
Legal status
Pending
Application number
CN201910775528.9A
Other languages
Chinese (zh)
Inventor
张晓超
李双江
Current Assignee
Potevio Information Technology Co Ltd
Original Assignee
Potevio Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Potevio Information Technology Co Ltd
Priority to CN201910775528.9A
Publication of CN112422477A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

An embodiment of the invention provides a service authentication method, a server, an electronic device and a storage medium. The method includes: receiving an interaction token and request resource information sent by a client; determining the authentication token corresponding to the interaction token, where the authentication token is generated and stored in the server after the client's authorized user has been authenticated, and the interaction token is generated from the authentication token; and determining the client's access right to the requested resource based on the authentication token. Because the client and the server interact using interaction tokens that correspond one-to-one to the authentication tokens, and an interaction token cannot itself be used for service authentication, the problem that all permissions authorized by the user are encoded in the token held by the client (making information leakage easy) is solved, and the security and reliability of service authentication are effectively improved.

Description

Service authentication method, server, electronic device and storage medium
Technical Field
The present invention relates to the field of authorized access technologies, and in particular, to a service authentication method, a server, an electronic device, and a storage medium.
Background
OAuth (Open Authorization protocol) is currently the most popular third-party API (Application Programming Interface) authentication and authorization access protocol in the industry and is widely used on the Internet. OAuth lets a user expose private information stored at a service provider to a third-party application without revealing the user's credentials, which has greatly promoted the openness of the Internet.
Currently, the service authentication process under the OAuth framework includes the following steps: (1) after the user opens a client, the client asks the user for authorization; (2) the user grants the client authorization; (3) the client uses the authorization obtained in step (2) to apply to the authentication server for a token; (4) the authentication server authenticates the client, confirms that it is legitimate, and issues a token; (5) the client uses the token to request resources from the resource server; (6) the resource server confirms that the token is valid and releases the resources to the client.
In the existing service authentication process, all the permissions authorized by the user are encoded in the token held by the client, so the permissions are easy to crack, information leakage results, and security is low.
Disclosure of Invention
The embodiment of the invention provides a service authentication method, a server, electronic equipment and a storage medium, which are used for solving the problem of low security of the existing service authentication method.
In a first aspect, an embodiment of the present invention provides a service authentication method, including:
receiving an interaction token and request resource information sent by a client;
determining an authentication token corresponding to the interaction token; the authentication token is generated and stored in the server after the client's authorized user has been authenticated, and the interaction token is generated from the authentication token;
and determining the access right of the client to the request resource information based on the authentication token.
Preferably, before the receiving of the interaction token and the request resource information sent by the client, the method further includes:
receiving client information and authorized user information sent by the client;
authenticating the authorized user information, and if the authorized user information passes the authentication, generating the authentication token based on the client information and the authorized user information;
and generating the interaction token based on the authentication token, and returning the interaction token to the client.
Preferably, the generating the authentication token based on the client information and the authorized user information specifically includes:
determining access authority information of the client based on the client information;
determining access authority information of an authorized user based on the authorized user information;
and generating the authentication token based on the access authority information of the client and the access authority information of the authorized user.
Preferably, after the generating of the interaction token based on the authentication token, the method further includes:
caching a token pair formed by the authentication token and the interaction token in a database of the server;
correspondingly, the determining of the authentication token corresponding to the interaction token specifically includes:
determining, in the database, the token pair to which the interaction token belongs, and extracting the authentication token from the token pair.
Preferably, after the caching of the token pair formed by the authentication token and the interaction token in the database of the server, the method further includes:
destroying the token pair if a preset destruction condition is met;
the preset destruction condition being that the client logs out from the server, or that the current moment is a preset destruction moment.
Preferably, after the determining of the token pair to which the interaction token belongs in the database and the extracting of the authentication token from the token pair, the method further includes:
if the authentication token has expired, regenerating an authentication token from the interaction token, and replacing the authentication token in the token pair with the regenerated authentication token.
Preferably, the authentication token is a JWT token.
In a second aspect, an embodiment of the present invention provides a server, including:
an interaction token receiving unit, used for receiving the interaction token and the request resource information sent by the client;
an authentication token determining unit, used for determining an authentication token corresponding to the interaction token; the authentication token is generated and stored in the server after the client's authorized user has been authenticated, and the interaction token is generated from the authentication token;
and a service authentication unit, used for determining the access right of the client to the request resource information based on the authentication token.
In a third aspect, an embodiment of the present invention provides an electronic device including a processor, a communication interface, a memory and a bus, where the processor, the communication interface and the memory communicate with each other through the bus, and the processor can call logic instructions in the memory to perform the steps of the method provided in the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method as provided in the first aspect.
According to the service authentication method, the server, the electronic device and the storage medium provided by the embodiment of the invention, the authentication token corresponding to the interaction token sent by the client is determined, and the access right for the requested resource information is then determined from it. Since the client and the server interact using interaction tokens that correspond one-to-one to the authentication tokens, and an interaction token cannot itself be used for service authentication, the problem that all permissions authorized by the user are encoded in the token held by the client, making information leakage easy, is solved, and the security and reliability of service authentication are effectively improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a service authentication method according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a service authentication method according to another embodiment of the present invention;
fig. 3 is a schematic flowchart of a token generation method according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a token destruction mechanism according to an embodiment of the present invention;
FIG. 5 is a flow chart of a token refresh mechanism according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a server according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the existing service authentication process, all the authority authorized by a user is coded in a token held by a client, so that the authority is easy to crack and forge, information leakage is caused, and the safety is low. In view of the foregoing problems, an embodiment of the present invention provides a service authentication method. Fig. 1 is a schematic flow chart of a service authentication method according to an embodiment of the present invention, and as shown in fig. 1, the method includes:
Step 110, receiving the interaction token and the request resource information sent by the client.
Step 120, determining the authentication token corresponding to the interaction token; the authentication token is generated and stored in the server after the client's authorized user has been authenticated, and the interaction token is generated from the authentication token.
In the service authentication process under a general OAuth framework, the client applies to the authentication server for a token, and the authentication server issues the token after authenticating the authorized user and confirming that the client is legitimate. In the embodiment of the invention, what is generated after the client's authorized user has been authenticated is a pair of tokens: an authentication token and an interaction token. The authentication token is equivalent to the single token generated in the prior art: all permissions authorized by the user are encoded in it, and the client's access right can be determined by verifying it. The interaction token is generated from the authentication token by a preset mapping algorithm and corresponds to it one-to-one. The mapping algorithm here may be a hash mapping algorithm, the MD5 message digest algorithm, or the like.
To avoid information leakage during the token application process, the interaction token need not contain any information of practical significance; it is used only to identify the corresponding authentication token. After the server generates the pair of tokens, it sends the interaction token to the client and stores the authentication token in the server.
When the client needs to access the resource of the server, the interactive token and the request resource information need to be sent. Here, the request resource information is used to represent information of a resource that the client desires to access, such as a resource address, a resource name, a type to which the resource belongs, and the like, which is not specifically limited in this embodiment of the present invention.
After receiving the interaction token, the server selects the authentication token corresponding to it from the plurality of pre-stored authentication tokens, so as to determine the client's access right by applying that authentication token.
Step 130, determining the access right of the client to the request resource information based on the authentication token.
Here, the client's access right for the request resource information characterizes whether the client is entitled to access the resource corresponding to the requested resource information; the access right is either access permitted or access prohibited. When the access right is access permitted, the client is allowed to access the resource corresponding to the request resource information; when it is access prohibited, the client is prevented from accessing that resource. In addition, a corresponding response message can be returned according to the access right, to inform the client whether it is entitled to access the resource corresponding to the request resource information.
According to the method provided by this embodiment of the invention, the authentication token corresponding to the interaction token sent by the client is determined, and the access right for the requested resource information is then determined from it. Since the client and the server interact using interaction tokens that correspond one-to-one to the authentication tokens, and an interaction token cannot itself be used for service authentication, the problem that all permissions authorized by the user are encoded in the token held by the client, making information leakage easy, is solved, and the security and reliability of service authentication are effectively improved.
Based on the above embodiment, in the method, step 110 is preceded by: receiving client information and authorized user information sent by the client; authenticating the authorized user information and, if the authentication passes, generating an authentication token based on the client information and the authorized user information; and generating an interaction token from the authentication token and returning the interaction token to the client.
Specifically, before the client requests resources from the server using the interaction token, it must request authorized user authentication from the server in order to obtain the interaction token. When doing so, the client sends client information and authorized user information to the server. The client information may be anything that identifies the client, such as a client name or client identifier; the authorized user information is what the server uses to authenticate the user, such as the authorized user's account and password. The client information and the authorized user information may be carried together in a request authorization message or sent to the server separately.
After receiving the client information and the authorized user information, the server performs user identity authentication on the authorized user information. If it passes, the server generates an authentication token based on the client information and the authorized user information; if it does not pass, the following steps are not executed and an authentication failure message is returned to the client. After the authentication token is generated, an interaction token corresponding one-to-one to it is generated by the preset mapping algorithm and returned to the client, so that the client can perform the subsequent service authentication step. The mapping algorithm here may be a hash mapping algorithm, the MD5 message digest algorithm, or the like.
Based on any of the above embodiments, in the method, generating the authentication token based on the client information and the authorized user information specifically includes: determining access authority information of the client based on the client information; determining access authority information of an authorized user based on the authorized user information; and generating an authentication token based on the access authority information of the client and the access authority information of the authorized user.
Specifically, after the user identity authentication is passed, the identity of the client may be determined based on the client information, so as to obtain the access right information corresponding to the client. Here, the access right information corresponding to the client may be pre-stored in the server, and the access right information may include resource information that is allowed to be accessed and resource information that is prohibited from being accessed. Furthermore, it is also necessary to determine access right information of the authorized user based on the authorized user information.
And after obtaining the access authority information of the client and the access authority information of the authorized user, fusing the access authority information of the client and the access authority information of the authorized user, and generating a corresponding authentication token. Here, the authentication token encodes access right information when the user is authorized to access the server through the client.
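As an added illustration of steps 110 to 130 together with the token issuance just described (example code written for this page, not from the patent or from Potevio), the following Python sketch keeps the authentication token entirely server-side, fuses client and user access-right information into it, derives the interaction token by a keyed hash, and decides access from the cached pair. The client and user records, the resource names and the choice of HMAC-SHA256 (instead of the MD5 the description allows) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample records standing in for the server's stored client and
# user configuration (assumption: the page does not say how these are stored).
CLIENT_PERMISSIONS = {
    "inventory-app": {"allow": {"/inventory", "/product"}, "deny": {"/customer"}},
}
USERS = {
    # user id -> (password, resources this user is allowed to reach)
    "alice": ("correct horse battery staple", {"/inventory", "/customer"}),
}
# Server-side secret for the mapping algorithm (assumption: a keyed hash, so
# that knowing an authentication token does not let anyone compute its
# interaction token, and vice versa).
MAPPING_KEY = secrets.token_bytes(32)
# The server's cache of token pairs: interaction token -> authentication token.
TOKEN_PAIRS = {}


def authenticate_user(user_id, password):
    """Authorized user authentication (constant-time password comparison)."""
    record = USERS.get(user_id)
    return record is not None and hmac.compare_digest(record[0].encode(), password.encode())


def fuse_permissions(client_id, user_id):
    """Fuse client and user access-right information: the client's scope
    intersected with the user's own rights, minus the client's explicit denies."""
    client = CLIENT_PERMISSIONS[client_id]
    user_allowed = USERS[user_id][1]
    return (client["allow"] & user_allowed) - client["deny"]


def derive_interaction_token(auth_token):
    """One-to-one mapping from the authentication token; the result carries no
    permission data, only a keyed digest the server can look up."""
    material = repr(sorted(auth_token.items())).encode()
    return hmac.new(MAPPING_KEY, material, hashlib.sha256).hexdigest()


def issue_token_pair(client_id, user_id, password, ttl=3600):
    """Token application: authenticate, build the authentication token, cache the
    pair, and hand back only the interaction token. Returns None on failure."""
    if client_id not in CLIENT_PERMISSIONS or not authenticate_user(user_id, password):
        return None
    auth_token = {
        "client": client_id,
        "user": user_id,
        "resources": tuple(sorted(fuse_permissions(client_id, user_id))),
        "nonce": secrets.token_hex(8),      # makes every issued pair distinct
        "exp": int(time.time()) + ttl,       # maximum cache duration
    }
    interaction_token = derive_interaction_token(auth_token)
    TOKEN_PAIRS[interaction_token] = auth_token
    return interaction_token


def authorize(interaction_token, resource):
    """Steps 110 to 130: look the interaction token up, recover the cached
    authentication token, and decide 'allow' or 'deny' for the resource."""
    auth_token = TOKEN_PAIRS.get(interaction_token)
    if auth_token is None:
        return "deny"    # unknown, forged, or already destroyed
    if auth_token["exp"] <= time.time():
        return "deny"    # expired; the refresh mechanism is described later
    return "allow" if resource in auth_token["resources"] else "deny"


if __name__ == "__main__":
    token = issue_token_pair("inventory-app", "alice", "correct horse battery staple")
    print("client holds only:", token)
    for path in ("/inventory", "/customer", "/product"):
        print(path, "->", authorize(token, path))
```

Because the interaction token is a keyed digest, it reveals nothing about the permissions it stands for, and a token unknown to the server (forged, or destroyed after logout) is simply denied. The roles here map onto the authorization server, the cache and the API gateway of fig. 2 later in the description.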
Based on any one of the above embodiments, in the method, the generating an interaction token based on the authentication token further includes: and caching a token pair formed by the authentication token and the interaction token in a database of the server. Correspondingly, step 120 specifically includes: and determining a token pair to which the interactive token belongs in the database, and extracting the authentication token from the token pair.
Specifically, the token pair consists of an authentication token and an interaction token. When the authentication token corresponding to an interaction token needs to be acquired, the interaction token is first looked up in the database to determine the token pair to which it belongs, and the authentication token corresponding to the interaction token is then extracted from that pair.
Based on any of the above embodiments, in the method, the caching a token pair formed by the authentication token and the interaction token in a database of the server, and then further including: if the preset destroying condition is met, destroying the token pair; the preset destroying condition is that the client logs out from the server, or the current moment is the preset destroying moment.
Specifically, a user's authorization for a client to access the server is usually time-limited, e.g. valid for a single access or for some period after access. Therefore the token pair stored in the database must be destroyed when a preset destruction condition is met, so that the client cannot access server resources without limit. Here, the preset destruction condition may be that the client logs out from the server; that is, after a single access is finished and the client is detected to have logged out, the token pair in the database to which the interaction token sent by that client belongs can be destroyed. The preset destruction condition may also be that the current time is a preset destruction time, i.e. a preset moment at which token pair destruction must be performed. The preset destruction time may be the moment at which the storage time of the token pair reaches a preset maximum storage time, the moment at which the client's access time to the server exceeds the maximum access time, or the like, or it may be a directly configured time of day such as 00:00 or any other time; this is not particularly limited in the embodiments of the present invention.
According to the method provided by the embodiment of the invention, the token pair is destroyed when the preset destruction condition is met, so that the times and time for the user to authorize the client to access the server can be reasonably limited, and the security of server resources is improved.
Based on any of the above embodiments, in the method, the determining a token pair to which the interaction token belongs in the database, and extracting the authentication token from the token pair, then further includes: and if the authentication token is expired, regenerating the authentication token based on the interactive token, and refreshing the authentication token in the token pair into the regenerated authentication token.
Specifically, the maximum cache duration of the authentication token is preset. After the authentication token is generated, caching the authentication token in a database, starting to record the caching duration of the authentication token, if the caching duration exceeds the maximum caching duration, determining that the authentication token is expired, and if the authentication token is expired, failing to be used for determining the access authority of the client for the request resource information.
After the authentication token has expired, if an interaction token sent by the client is received, the authentication token is regenerated from the interaction token, the token pair corresponding to the interaction token is refreshed using the interaction token and the regenerated authentication token (the expired authentication token in the pair is replaced by the regenerated one), and the regenerated authentication token is used to determine the client's access right to the requested resource information.
The method provided by the embodiment of the invention regenerates the authentication token based on the interactive token, establishes a token refreshing mechanism and can realize efficient and uniform token management.
According to any of the above embodiments, in the method, the authentication token is a JWT (JSON Web Token).
Specifically, JWT is currently the most popular cross-domain authentication solution: a compact, URL-safe specification for conveying claims (security information) between two parties. The JWT token may directly encrypt and encode, in the token, the access right information that applies when the authorized user accesses the server through the client, or may encrypt the token again after encoding so as to protect private data; this is not specifically limited in the embodiment of the present invention.
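To show what "the authentication token is a JWT" amounts to on the server, here is an added example (not from the patent) that mints and verifies an HS256-signed JWT carrying the fused access-right claims, using only the Python standard library. The signing key, claim names and sample values are constructed for the example; the page does not specify them.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side signing key (assumption; in practice loaded from a secret store).
SIGNING_KEY = b"server-side-hs256-key-constructed-for-this-example"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(access_rights: dict, ttl: int, key: bytes = SIGNING_KEY, now=None) -> str:
    """Encode the fused access-right information as an HS256-signed JWT.
    access_rights is the claim set the authorization server decided on."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(access_rights, iat=now, exp=now + ttl)
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, key: bytes = SIGNING_KEY, now=None):
    """Return the claims if the algorithm, signature and expiry all check out,
    otherwise None. The signature is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":      # refuse "none" or a swapped algorithm
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None                           # malformed token or bad encoding
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None                           # expired (exp is exclusive)
    return claims


if __name__ == "__main__":
    rights = {"client": "inventory-app", "user": "alice", "resources": ["/inventory"]}
    token = mint_jwt(rights, ttl=600)
    print(token)
    print(verify_jwt(token))
```

The verifier pins the algorithm to HS256, checks the signature before decoding claims, and treats exp as exclusive. Since the client only ever holds the interaction token, a JWT like this travels only between the cache, the API gateway and the resource server.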
Based on any of the above embodiments, fig. 2 is a schematic flowchart of a service authentication method according to another embodiment of the present invention. As shown in fig. 2, the server includes an authorization server, a cache, an API gateway and a resource server. The cache is a database for storing token pairs, and both the authorization server and the API gateway can access it. The API gateway is also the entry point of the resource server: when a client needs to access a resource in the resource server, it must go through the API gateway. The resource server in this embodiment adopts a distributed microservice architecture and specifically comprises an inventory microservice, a Customer microservice, a transportation mapping microservice and a Product microservice. The service authentication method specifically comprises the following steps:
Step 201, the client sends a request authorization message containing client information and authorized user information to the authorization server. After authenticating the authorized user information, the authorization server approves the authorization and invokes the token generation algorithm to generate a token pair comprising the interaction token and the authentication token. Here, the authentication token is an encrypted JWT token.
Step 202, the authorization server returns the interaction token to the client.
Step 203, the authorization server sends the token pair to the cache.
Step 204, the client sends the interaction token to the API gateway to apply for access to the resource.
Step 205, the API gateway forwards the interaction token to the cache and looks up the authentication token corresponding to it. The cache delivers the authentication token corresponding to the interaction token to the API gateway.
Step 206, the API gateway sends the authentication token to the resource server for verification of the request to access the resource; after verification passes, the client can access the authorized resource through the API gateway.
Based on any of the above embodiments, fig. 3 is a schematic flow chart of a token generation method provided by an embodiment of the present invention, as shown in fig. 3, the method includes:
Parsing the client information and the authorized user information:
A request authorization message is received and parsed to obtain the client information ClientID and the authorized user information UserID.
Processing the client information:
The client configuration service ClientDetailsService is called with the client information ClientID to obtain the client details ClientDetails and thereby determine the client's authorization grant type grantType. An OAuth2Request is then created by the OAuth2RequestFactory from the client details ClientDetails and a token request object TokenRequest constructed from the relevant parameters of the request authorization message.
Performing authorized user authentication on the authorized user information:
The AuthenticationManager calls the corresponding AuthenticationProvider for the authorized user information UserID to perform authorized user authentication and obtain the authorized user authentication result.
If the authorized user passes authentication, generating the authentication token:
An OAuth2Authentication is generated from the OAuth2Request and the Authentication, and the authentication token OAuth2AccessToken is created by the AuthorizationServerTokenServices from the OAuth2Authentication. The authentication token information is extended through a custom TokenEnhancer interface.
Generating the interaction token:
After the authentication token is obtained, the generated JWT authentication token is transformed with a JWTWARER to obtain the interaction token.
Based on any of the above embodiments, fig. 4 is a schematic flowchart of a token destruction mechanism provided in an embodiment of the present invention. As shown in fig. 4, when a client logs out, the API gateway sends a token destruction request to the cache, asking it to destroy the token pair corresponding to that client. After receiving the token destruction request, the cache executes the destruction of the token pair and, once this succeeds, returns a destruction success response to the API gateway.
In addition, the cache can poll the cached token pairs at regular intervals and destroy any expired token pairs it finds.
Based on any of the above embodiments, fig. 5 is a schematic flowchart of the token refresh mechanism provided in an embodiment of the present invention. As shown in fig. 5, the token refresh mechanism includes the following steps:
step 501, the client sends the interaction token and the requested resource information to the API gateway;
step 502, after receiving the interaction token, the API gateway determines whether the corresponding authentication token has expired; if so, it sends the interaction token and a refresh request to the cache;
step 503, the cache forwards the interaction token and the refresh request to the authorization server;
step 504, after receiving the interaction token and the refresh request, the authorization server regenerates the authentication token based on the interaction token and returns the interaction token together with the regenerated authentication token to the cache;
step 505, the cache stores the token pair consisting of the interaction token and the regenerated authentication token, and returns the regenerated authentication token and the refresh response to the API gateway.
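The issuance flow of fig. 3, the gateway-side authentication of claim 1, the destruction mechanism of fig. 4 and the refresh steps 501 to 505 above, modelled together as an added Python example. This is not the patent's or the applicant's code: the HS256 signing key, the token lifetimes, the client, user and resource tables, the choice of an opaque random handle as the interaction token, and all class and function names are assumptions made for this illustration. The `claims_readable_without_key` helper shows the point the description makes about tokens held by the client: a JWT payload is readable by anyone holding it, whereas the interaction token handed to the client carries no authorities at all.

```python
import base64, hashlib, hmac, json, secrets

# Constructed, stand-alone model of the embodiment's token pair scheme, not the
# patent's code: the authorization server issues a JWT authentication token, the cache
# pairs it with an opaque interaction token, and the API gateway resolves the
# interaction token the client sends. Key, TTLs, tables and names are assumptions.
SIGNING_KEY = b"constructed-demo-key-not-for-production"   # assumption
AUTH_TOKEN_TTL = 300    # authentication token lifetime, seconds (assumption)
PAIR_TTL = 3600         # preset destroy moment of a token pair (assumption)
# Constructed stand-ins for ClientDetails, the user store and per-resource authorities.
CLIENTS = {"web-app": {"secret": "client-secret", "scopes": {"read", "write", "admin"}}}
USERS = {"alice": {"password": "alice-pw", "authorities": {"read", "write"}}}
RESOURCES = {"/reports": "read", "/users": "admin"}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims):
    """Authentication token: compact HS256 JWT carrying the granted authorities."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token):
    """Return the claims if the signature is valid; raise if the token was altered."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("authentication token signature invalid")
    return json.loads(_b64url_decode(payload))

def claims_readable_without_key(jwt_token):
    """Any holder can decode a JWT payload without the key; the interaction token has none."""
    return json.loads(_b64url_decode(jwt_token.split(".")[1]))

class TokenPairCache:   # interaction token -> authentication token plus preset destroy moment
    def __init__(self):
        self._pairs = {}

    def store(self, interaction, auth_token, now):
        self._pairs[interaction] = {"auth": auth_token, "destroy_at": now + PAIR_TTL}

    def lookup(self, interaction):
        return (self._pairs.get(interaction) or {}).get("auth")

    def destroy(self, interaction):   # fig. 4 logout path, on the gateway's request
        return self._pairs.pop(interaction, None) is not None

    def sweep(self, now):             # fig. 4 timed poll: drop pairs past their destroy moment
        before = len(self._pairs)
        self._pairs = {k: v for k, v in self._pairs.items() if v["destroy_at"] > now}
        return before - len(self._pairs)

class AuthorizationServer:
    def __init__(self, cache):
        self.cache = cache

    def _issue(self, client_id, user_id, authorities, now):
        return mint_jwt({"client_id": client_id, "sub": user_id, "iat": now,
                         "exp": now + AUTH_TOKEN_TTL, "authorities": sorted(authorities)})

    def authorize(self, client_id, client_secret, user_id, password, now):
        """Fig. 3: authenticate client and user, grant client scopes & user authorities."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        user = USERS.get(user_id)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("authorized user authentication failed")
        auth_token = self._issue(client_id, user_id, client["scopes"] & user["authorities"], now)
        interaction = secrets.token_urlsafe(32)   # assumption: opaque random handle, no claims
        self.cache.store(interaction, auth_token, now)
        return interaction                        # only the interaction token reaches the client

    def refresh(self, interaction, now):
        """Step 504: regenerate the authentication token of an existing pair."""
        old = self.cache.lookup(interaction)
        if old is None:
            raise PermissionError("unknown interaction token")
        claims = verify_jwt(old)   # signature still checked; only exp is stale
        new = self._issue(claims["client_id"], claims["sub"], claims["authorities"], now)
        self.cache.store(interaction, new, now)   # step 505
        return new

def gateway_authenticate(cache, auth_server, interaction, resource, now):
    """Claim 1 / fig. 5 at the API gateway: resolve, refresh if expired, decide access."""
    auth_token = cache.lookup(interaction)
    if auth_token is None:
        return {"allowed": False, "reason": "unknown interaction token"}
    claims = verify_jwt(auth_token)
    if claims["exp"] <= now:   # steps 502-505
        claims = verify_jwt(auth_server.refresh(interaction, now))
    needed = RESOURCES.get(resource)
    allowed = needed is not None and needed in claims["authorities"]
    return {"allowed": allowed, "reason": None if allowed else f"requires {needed!r}"}
```

A fixed `now` is passed into every call instead of reading the clock, so expiry, refresh and the timed sweep can be exercised deterministically; in a deployment the gateway and cache would be separate processes and the pair store would live in a shared cache rather than a dictionary.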
Based on any of the above embodiments, fig. 6 is a schematic structural diagram of a server according to an embodiment of the present invention. As shown in fig. 6, the server includes an interaction token receiving unit 610, an authentication token determining unit 620, and a service authentication unit 630;
the interaction token receiving unit 610 is configured to receive the interaction token and the requested resource information sent by a client;
the authentication token determining unit 620 is configured to determine the authentication token corresponding to the interaction token; the authentication token is generated and stored in the server after the client passes authorized user authentication, and the interaction token is generated based on the authentication token;
the service authentication unit 630 is configured to determine, based on the authentication token, the access right of the client to the requested resource information.
The server provided by the embodiment of the invention determines the corresponding authentication token from the interaction token sent by the client, and from that authentication token determines the access right for the requested resource information. Because the client and the server exchange only interaction tokens, each in one-to-one correspondence with an authentication token, and an interaction token cannot by itself be used for service authentication, the scheme avoids encoding all the authorities granted to the user in a token held by the client, where they could easily be disclosed, and thereby effectively improves the security and reliability of service authentication.
Based on any of the above embodiments, the server further includes:
an authorization request receiving unit, configured to receive client information and authorized user information sent by the client;
an authentication token generating unit, configured to authenticate the authorized user information and, if the authentication passes, to generate the authentication token based on the client information and the authorized user information;
and an interaction token generating unit, configured to generate the interaction token based on the authentication token and to return the interaction token to the client.
Based on any of the above embodiments, in the server, the authentication token generation unit is specifically configured to:
determining access authority information of the client based on the client information;
determining access authority information of an authorized user based on the authorized user information;
and generating the authentication token based on the access authority information of the client and the access authority information of the authorized user.
Based on any of the above embodiments, the server further includes:
the token pair storage unit is used for caching a token pair formed by the authentication token and the interaction token in a database of the server;
correspondingly, the authentication token determination unit 620 is specifically configured to:
and determining a token pair to which the interaction token belongs in the database, and extracting the authentication token from the token pair.
Based on any of the above embodiments, the server further includes a token destruction unit, configured to:
if the preset destroying condition is met, destroying the token pair;
the preset destroying condition is that the client logs out from the server, or the current moment is the preset destroying moment.
Based on any of the above embodiments, the server further includes a token refreshing unit, configured to:
if the authentication token has expired, regenerate the authentication token based on the interaction token and replace the authentication token in the token pair with the regenerated authentication token.
According to any of the above embodiments, in the server, the authentication token is a JWT token.
Fig. 7 illustrates a physical structure diagram of an electronic device. As shown in fig. 7, the electronic device may include a processor 710, a communications interface 720, a memory 730, and a communication bus 740, wherein the processor 710, the communications interface 720, and the memory 730 communicate with each other via the communication bus 740. The processor 710 may call logic instructions in the memory 730 to perform the following method: receiving an interaction token and requested resource information sent by a client; determining the authentication token corresponding to the interaction token, the authentication token being generated and stored in the server after the client passes authorized user authentication, and the interaction token being generated based on the authentication token; and determining the access right of the client to the requested resource information based on the authentication token.
In addition, the logic instructions in the memory 730 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as an independent product. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
Embodiments of the present invention further provide a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the method provided in the foregoing embodiments, the method including: receiving an interaction token and requested resource information sent by a client; determining the authentication token corresponding to the interaction token, the authentication token being generated and stored in the server after the client passes authorized user authentication, and the interaction token being generated based on the authentication token; and determining the access right of the client to the requested resource information based on the authentication token.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method of service authentication, comprising:
receiving an interaction token and request resource information sent by a client;
determining an authentication token corresponding to the interaction token; the authentication token is generated and stored in the server after the client side passes the authentication of the authorized user, and the interaction token is generated based on the authentication token;
and determining the access right of the client to the request resource information based on the authentication token.
2. The service authentication method according to claim 1, wherein the receiving the interaction token and the request resource information sent by the client further comprises:
receiving client information and authorized user information sent by the client;
authenticating the authorized user information, and if the authorized user information passes the authentication, generating the authentication token based on the client information and the authorized user information;
and generating the interaction token based on the authentication token, and returning the interaction token to the client.
3. The service authentication method according to claim 2, wherein the generating the authentication token based on the client information and the authorized user information specifically includes:
determining access authority information of the client based on the client information;
determining access authority information of an authorized user based on the authorized user information;
and generating the authentication token based on the access authority information of the client and the access authority information of the authorized user.
4. The service authentication method of claim 2, wherein generating the interaction token based on the authentication token further comprises:
caching a token pair formed by the authentication token and the interaction token in a database of the server;
correspondingly, the determining the authentication token corresponding to the interaction token specifically includes:
and determining a token pair to which the interaction token belongs in the database, and extracting the authentication token from the token pair.
5. The service authentication method according to claim 4, wherein the caching of the token pair consisting of the authentication token and the interaction token in the database of the server further comprises:
if the preset destroying condition is met, destroying the token pair;
the preset destroying condition is that the client logs out from the server, or the current moment is the preset destroying moment.
6. The service authentication method of claim 4, wherein the determining a token pair in the database to which the interaction token belongs and extracting the authentication token from the token pair further comprises:
and if the authentication token is expired, regenerating the authentication token based on the interaction token, and refreshing the authentication token in the token pair into the regenerated authentication token.
7. The service authentication method according to any of claims 1 to 6, wherein the authentication token is a JWT token.
8. A server, comprising:
the interaction token receiving unit is used for receiving the interaction token and the request resource information sent by the client;
the authentication token determining unit is used for determining an authentication token corresponding to the interaction token; the authentication token is generated and stored in the server after the client side passes the authentication of the authorized user, and the interaction token is generated based on the authentication token;
and the service authentication unit is used for determining the access right of the client to the request resource information based on the authentication token.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the service authentication method according to any one of claims 1 to 7 are implemented when the processor executes the program.
10. A non-transitory computer readable storage medium, having stored thereon a computer program, characterized in that the computer program, when being executed by a processor, realizes the steps of the service authentication method according to any one of claims 1 to 7.
CN201910775528.9A 2019-08-21 2019-08-21 Service authentication method, server, electronic device and storage medium Pending CN112422477A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910775528.9A CN112422477A (en) 2019-08-21 2019-08-21 Service authentication method, server, electronic device and storage medium


Publications (1)

Publication Number Publication Date
CN112422477A true CN112422477A (en) 2021-02-26

Family

ID=74779585


Country Status (1)

Country Link
CN (1) CN112422477A (en)


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140355034A1 (en) * 2013-05-29 2014-12-04 Canon Kabushiki Kaisha Image forming apparatus, server device, information processing method, and computer-readable storage medium
CN105072608A (en) * 2015-06-30 2015-11-18 青岛海信移动通信技术股份有限公司 Method and device for managing authentication token
US20160142409A1 (en) * 2014-11-18 2016-05-19 Microsoft Technology Licensing, Llc Optimized token-based proxy authentication
US20160226879A1 (en) * 2014-05-30 2016-08-04 Oracle International Corporation Authorization token cache system and method
CN108234122A (en) * 2016-12-09 2018-06-29 杭州海康汽车技术有限公司 Token method of calibration and device
CN109074582A (en) * 2016-05-19 2018-12-21 维萨国际服务协会 System and method for generating sub- token using main token


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
嵇智辉 et al.: "Research on a single sign-on model based on a dual-token mechanism", 《计算机工程与应用》 (Computer Engineering and Applications) *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112883357A (en) * 2021-03-11 2021-06-01 中科三清科技有限公司 Stateless login authentication method and device
CN113347261A (en) * 2021-06-09 2021-09-03 广州易行数字技术有限公司 Mechanism for filling access token information based on business field
CN113742676A (en) * 2021-09-13 2021-12-03 北京锐安科技有限公司 Login management method, device, server, system and storage medium
CN113742676B (en) * 2021-09-13 2024-04-19 北京锐安科技有限公司 Login management method, login management device, login management server, login management system and storage medium
CN113971292A (en) * 2021-10-26 2022-01-25 科大讯飞股份有限公司 Authorization method and related device
CN114168450A (en) * 2021-11-11 2022-03-11 北京达佳互联信息技术有限公司 Token validity checking method, device, equipment and storage medium
CN115242469A (en) * 2022-07-07 2022-10-25 安天科技集团股份有限公司 Secure access API, secure communication method, electronic device and storage medium
CN115242469B (en) * 2022-07-07 2024-05-24 安天科技集团股份有限公司 Secure access API, secure communication method, electronic device, and storage medium
CN115296877A (en) * 2022-07-25 2022-11-04 紫光云技术有限公司 Method for invalidation and renewal of JWT storage token


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned

Effective date of abandoning: 20230707
