CN112487390A - Micro-service switching method and system - Google Patents
- Publication number: CN112487390A (application CN202011353966.5A)
- Authority: CN (China)
- Prior art keywords: service, micro, public cloud, private cloud, data center
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31—User authentication > G06F21/33—User authentication using certificates
- (same path as above down to G06F21/31—User authentication) > G06F21/41—User authentication where a single sign-on provides access to a plurality of computers
Abstract
The invention discloses a method and a system for switching micro-services. The method comprises the following steps: if a private cloud micro-service is switched to a public cloud micro-service, receiving a token acquisition request sent by the private cloud data center, wherein the token acquisition request at least comprises user information of the user; responding to the token acquisition request by feeding back a token to the private cloud data center, and receiving a login verification request which is sent by the private cloud data center and carries the token, wherein the login verification request comprises the service address of the public cloud micro-service; after the token in the login verification request is verified, logging the user in to the public cloud data center based on the user information, and redirecting to the service address in the login verification request so as to switch to the public cloud micro-service represented by the service address. According to this technical scheme, multiple login authentications can be avoided when switching micro-services, so that the switching efficiency of the micro-services is improved.
Description
Technical Field
The invention relates to the technical field of internet, in particular to a micro-service switching method and a micro-service switching system.
Background
With the continuous development of cloud service systems, an original large-scale cloud service system can be split into a plurality of micro service systems, so that more targeted and more professional services are provided through the micro service systems.
In the process of using the micro-service system, a user usually needs to switch from one micro-service to another, and avoiding multiple login authentications during such switching is a key problem for improving the user experience.
Currently, an SSO (Single Sign-On) system may be constructed based on the CAS (Central Authentication Service) protocol, and each micro-service may access the SSO system for unified login authentication. When switching micro-services, the SSO system can directly complete login authentication based on the stored TGC (Ticket Granting Cookie, the cookie that stores the user's identity authentication credential, the Ticket). Therefore, the user can switch between micro-services without entering the account number and password many times.
However, this solution also has certain disadvantages. For example, when there are two or more SSO systems and service needs to be provided across them, multiple login authentication processes are still required. Therefore, there is a need for a more efficient micro-service switching scheme.
Disclosure of Invention
The application aims to provide a method and a system for switching micro services, which can avoid repeated login authentication when switching the micro services, thereby improving the switching efficiency of the micro services.
In order to achieve the above object, an aspect of the present application provides a micro service switching method, where the method is applied to a single sign-on system of a public cloud, and the method includes: under the condition that a user logs in a private cloud data center, if switching from a private cloud micro service to a public cloud micro service, receiving a token acquisition request sent by the private cloud data center, wherein the token acquisition request at least comprises user information of the user in the private cloud data center; responding to the token acquisition request, feeding back a token to the private cloud data center, and receiving a login verification request which is sent by the private cloud data center and carries the token, wherein the login verification request comprises a service address of the public cloud micro-service; after the token in the login verification request is verified, the user logs in a public cloud data center based on the user information, and redirects to the service address in the login verification request so as to switch to the public cloud micro-service represented by the service address.
In order to achieve the above object, another aspect of the present application further provides a single sign-on system of a public cloud, the system including a token request receiving unit, a verification unit and a micro-service switching unit, wherein the token request receiving unit is used for receiving a token acquisition request sent by a private cloud data center if a user logs in the private cloud data center and the private cloud micro-service is switched to a public cloud micro-service, and the token acquisition request at least comprises user information of the user in the private cloud data center; the verification unit is used for responding to the token acquisition request, feeding back a token to the private cloud data center, and receiving a login verification request which is sent by the private cloud data center and carries the token, wherein the login verification request comprises a service address of the public cloud micro-service; and the micro-service switching unit is used for logging in a public cloud data center based on the user information after the token in the login verification request is verified, and redirecting to the service address in the login verification request so as to switch to the public cloud micro-service represented by the service address.
In order to achieve the above object, another aspect of the present application further provides a micro-service switching method, where the method is applied in a single sign-on system of a private cloud, and the method includes: under the condition that a user logs in a public cloud data center, if the public cloud micro service is switched to a private cloud micro service, receiving an access request sent by the public cloud data center, wherein the access request comprises a session identifier and a service address of the private cloud micro service; extracting the session identifier in the access request, sending a verification request containing the session identifier to a single sign-on system of a public cloud, and receiving user information fed back by the single sign-on system of the public cloud after the session identifier is verified; logging in a private cloud data center based on the user information, and redirecting to the service address in the access request so as to switch to the private cloud micro-service represented by the service address.
In order to achieve the above object, another aspect of the present application further provides a single sign-on system for a private cloud, the system including: the access request receiving unit is used for receiving an access request sent by the public cloud data center if the public cloud micro service is switched to the private cloud micro service under the condition that a user logs in the public cloud data center, wherein the access request comprises a session identifier and a service address of the private cloud micro service; the verification request unit is used for extracting the session identifier in the access request, sending a verification request containing the session identifier to a single sign-on system of the public cloud, and receiving user information fed back by the single sign-on system of the public cloud after the session identifier is verified; and the micro-service switching unit is used for logging in a private cloud data center based on the user information and redirecting to the service address in the access request so as to switch to the private cloud micro-service represented by the service address.
As can be seen from the above, according to the technical solutions provided in one or more embodiments of the present application, the public cloud micro-services and the private cloud micro-services may each have their own SSO system, and if a user needs to switch between a public cloud micro-service and a private cloud micro-service, an authentication process across the SSO systems is involved. In this authentication process, when switching from a private cloud micro-service to a public cloud micro-service, the data center of the private cloud may request a token from the SSO system of the public cloud. Subsequently, the SSO system of the private cloud may send a login check request carrying the token to the SSO system of the public cloud, and if the login check request is verified by the SSO system of the public cloud, the user may be logged in to the public cloud data center directly based on the user information held in the private cloud data center, thereby implementing the micro-service switch. If a public cloud micro-service is switched to a private cloud micro-service, the public cloud data center can send an access request carrying a session identifier to the SSO system of the private cloud; the SSO system of the private cloud then asks the SSO system of the public cloud to check the session identifier, and if the check passes, the SSO system of the private cloud receives user information fed back by the SSO system of the public cloud and the user can be logged in to the private cloud data center directly based on that user information, so that the micro-service switch is completed.
Therefore, according to the technical scheme provided by the application, the user does not need to enter the account number and password many times: when a micro-service is switched across SSO systems, the authentication process is completed directly between the two SSO systems, and the switch proceeds smoothly. The process is imperceptible to the user; from the user's point of view, the micro-service switch takes place without the account and password having to be entered repeatedly.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a system architecture diagram according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a method for switching micro services according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a logout from a public cloud microservice in an embodiment of the invention;
FIG. 4 is a schematic diagram of exit from a private cloud microservice in an embodiment of the invention;
FIG. 5 is a schematic diagram of another micro-service switching method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clear, the technical solutions of the present application will be clearly and completely described below with reference to the detailed description of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art without any inventive work based on the embodiments in the present application are within the scope of protection of the present application.
At present, the CAS protocol and SSO systems implemented on it can, to some extent, avoid the need for the user to enter the account password many times while switching micro-services.
In an SSO system based on the complete standard CAS protocol, each micro-service can be connected to the SSO system. When a user logs in to a micro-service, the browser is redirected to the SSO system for account authentication; after the account password is verified, the SSO system generates a TGT (Ticket Granting Ticket), stores it in a cookie and issues an ST (Service Ticket) to the micro-service, and the micro-service completes a single login by validating the ST with the SSO system. When switching micro-services, the SSO system completes login authentication directly by obtaining the TGC information from the browser, so the user can access other micro-services without entering the account password again. When the user logs out of a micro-service, the SSO system, after receiving the logout request, obtains all micro-service sessions of this login according to the TGT and sends each micro-service a notification containing its logged-in ST, thereby informing the micro-service to destroy the session bound to that ST and complete the logout.
In the simplified CAS implementation, when a user logs in to a micro-service for the first time, the SSO system generates a globally unique Session identifier (Session ID, SID). When switching to another micro-service, the SID in the browser cookie is sent to the target micro-service and verified to complete the password-free login. On logout, the SSO system sends a uniform logout notification containing the SID, and each micro-service destroys the session associated with that SID to complete the logout.
There are various single sign-on schemes based on the CAS protocol, and the solutions are continuously updated. However, some enterprises or organizations, especially companies that build cloud solutions, operate independent application systems and authentication centers, i.e. multiple SSO systems, when providing customized cloud services externally. For example, an enterprise provides a unified public cloud service comprising a plurality of micro-service systems, and at the same time provides customized private cloud services to other companies or individuals, with the public cloud service and the private cloud service each having their own SSO system. If a user logged in to the private cloud wants to use or purchase a service on the public cloud, the user must go to the SSO system of the public cloud and enter a user name and password for the public cloud before continuing, which gives the user an unfriendly experience.
Therefore, a mutual-trust authentication login scheme that supports this kind of cross-SSO-system access is needed to solve this problem.
A few solutions have been proposed for this requirement. The most common is a trust center system: two or more SSO systems simultaneously connect to a trust center, which performs uniform authentication to implement mutual trust between the SSO systems. However, in this scheme the data of the different SSO systems must be shared with the uniform trust center, so the data of the private cloud and the public cloud cannot be isolated, which carries a certain risk. Moreover, introducing a trust center system requires additional maintenance and development cost, the development period is long, and the existing SSO systems have to be modified extensively. Another solution is to perform mutual-trust registration between SSO systems that implement the standard CAS protocol, but this solution is not compatible with SSO systems that implement a simplified version of the CAS protocol. Still other schemes only cover how to perform login authentication and do not address unified logout, so that after logging in once the user has to log out of each SSO system separately, which is also inconvenient for the user.
In view of this, an embodiment of the present application provides a method for micro service switching, which can be applied to the system architecture shown in fig. 1. In the system architecture, an SSO system of a private cloud, a private cloud data center, an SSO system of a public cloud, and a public cloud data center may be included. The private cloud data center and the public cloud data center can respectively provide private cloud micro-services and public cloud micro-services for the user. The SSO systems of the private cloud and the public cloud can authenticate the user information to confirm that the user has the right to access the corresponding microservice. Referring to fig. 1 and fig. 2, a micro service switching method provided in an embodiment of the present application may be applied to the above-mentioned SSO system of the public cloud, and the method may include the following steps.
S11: under the condition that a user logs in a private cloud data center, if switching from the private cloud micro service to a public cloud micro service, receiving a token acquisition request sent by the private cloud data center, wherein the token acquisition request at least comprises user information of the user in the private cloud data center.
In this embodiment, after the user logs in to the private cloud data center with an account and password, the various private cloud micro-services provided by the private cloud data center can be accessed. While private cloud micro-services are provided to the user, the page can also show a list of public cloud micro-services for the user to select. When the user selects a public cloud micro-service, the process of switching from the private cloud micro-service to the public cloud micro-service is triggered. At this time, the private cloud data center may send a token acquisition request to the SSO system of the public cloud to obtain a one-time token from it. Along with the token acquisition request, the private cloud data center sends the user's user information to the SSO system of the public cloud, so that the SSO system of the public cloud can subsequently log the user in automatically with that information. In practice the user information may take various forms: for example, the account and password used by the user when logging in to the private cloud data center, or the TGC information of the user stored in the private cloud data center after login. Of course, the user information may take other forms as long as the user's login can be completed based on it.
In one embodiment, identification information obtained by pre-registering the private cloud data center may be added to the request header of the token acquisition request. The identification information may be, for example, AK (Access Key) information. The private cloud data center registers the identification information in the management system, and when the identification information is generated a matching Secret Key (SK) is issued with it, so that AK and SK form a matched pair and the corresponding SK can be looked up from the AK. The private cloud data center stores the identification information in the request header of the token acquisition request, so that after the SSO system of the public cloud receives the request it can look up the key matched to the identification information in the management system. The request content of the token acquisition request is then encrypted with that key to obtain a verification signature. If the verification signature computed with the secret key is consistent with the signature carried in the token acquisition request, the request meets the verification condition, and the SSO system of the public cloud can feed back a one-time token to the private cloud data center.
S13: responding to the token acquisition request, feeding back a token to the private cloud data center, and receiving a login verification request which carries the token and is sent by the private cloud data center, wherein the login verification request comprises a service address of the public cloud micro-service.
In this embodiment, after receiving the one-time token, the private cloud data center may send a login verification request carrying the token to the SSO system of the public cloud, in order to complete verification of the user information there. Because the token is one-time, it automatically becomes invalid once verification is finished, which protects the security of subsequent verification processes.
Specifically, the login verification request may be initiated through the browser. When the browser sends the login verification request it carries, on the one hand, the one-time token and, on the other hand, the service address of the public cloud micro-service to be switched to, so that the public cloud data center subsequently knows which public cloud micro-service should be switched to. In practice, the domain name of the service address of the public cloud micro-service is usually different from the domain name of the login verification request. For example, the login verification request may be http://public-client.sso.com?service=https://a.client.com, and the service address of the public cloud micro-service may be https://a.client.com. Therefore, the login verification request carries the service address of the public cloud micro-service.
S15: after the token in the login verification request is verified, the user logs in a public cloud data center based on the user information, and redirects to the service address in the login verification request so as to switch to the public cloud micro-service represented by the service address.
In this embodiment, after receiving the login verification request, the SSO system of the public cloud verifies whether the token is correct. If so, the login verification request is processed normally. When processing the login verification request, the user is first logged in to the public cloud data center based on the user information acquired in step S11, so that the user does not need to enter the account number and password again. After logging in to the public cloud data center, the SSO system of the public cloud rewrites the login verification request and generates a new link pointing to the public cloud micro-service: it identifies the service address of the public cloud micro-service in the login verification request and uses that service address as the rewritten link. For example, if the login verification request is sent to http://public-client.sso.com and the service address extracted from it is https://a.client.com, then https://a.client.com is used as the new link after rewriting. After the service address is extracted, the SSO system of the public cloud redirects to it, thereby switching to the public cloud micro-service represented by the service address.
Therefore, through the interaction between the private cloud data center and the SSO system of the public cloud, verification and login of the user information are completed, and the public cloud micro-service pointed to by the service address is reached by redirection, so that the switch from the private cloud micro-service to the public cloud micro-service is completed without entering the account number and password again.
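The public cloud SSO side of steps S11 to S15, as an added example that is not the patent's own code: the private cloud data center signs the token acquisition request with the SK matched to its registered AK, the SSO returns a one-time token bound to the forwarded user information, and the login verification request then consumes that token and is redirected to the service address it carries. Assumptions: the description's "encrypting the request content with the key" is realised as an HMAC-SHA256 signature, the management system is a dictionary, the token lives 60 seconds, and the redirect target is checked against a constructed list of registered public cloud micro-service addresses (an added safeguard the description does not mention); all keys, header names and addresses are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed management-system registry mapping AK -> SK (assumption: a dict).
MANAGEMENT_SYSTEM = {"AK-private-dc-01": b"constructed-sk-0001"}

# Constructed set of registered public cloud micro-service addresses; checking
# the redirect target against it is an added safeguard, not part of the patent.
PUBLIC_MICROSERVICES = {"https://a.client.com", "https://b.client.com"}

TOKEN_TTL_SECONDS = 60  # assumed lifetime of the one-time token


def sign(sk, body):
    """Verification signature over the request content; the description's
    'encrypt the request content with the key' is realised as HMAC-SHA256."""
    return hmac.new(sk, body, hashlib.sha256).hexdigest()


class PublicCloudSSO:
    def __init__(self, registry=MANAGEMENT_SYSTEM, now=time.time):
        self.registry = registry
        self.now = now
        self.pending_tokens = {}   # one-time token -> (user_info, expiry time)
        self.public_sessions = {}  # user -> logged-in state in the public cloud

    def handle_token_request(self, headers, body):
        """S11: look up the SK for the AK in the request header, recompute the
        signature over the body and, if it matches, issue a one-time token."""
        sk = self.registry.get(headers.get("X-AK"))
        if sk is None:
            return None
        expected = sign(sk, body)
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return None
        user_info = json.loads(body)
        token = secrets.token_urlsafe(32)
        self.pending_tokens[token] = (user_info, self.now() + TOKEN_TTL_SECONDS)
        return token

    def handle_login_verification(self, url):
        """S13/S15: consume the token carried by the login verification request,
        log the user in with the stored user information and return the service
        address to redirect to (None if verification fails)."""
        query = parse_qs(urlparse(url).query)
        token = query.get("token", [None])[0]
        service = query.get("service", [None])[0]
        entry = self.pending_tokens.pop(token, None)  # disposable: gone on first use
        if entry is None:
            return None
        user_info, expiry = entry
        if self.now() > expiry:
            return None
        if service not in PUBLIC_MICROSERVICES:
            return None
        self.public_sessions[user_info["user"]] = {"service": service}
        return service


def build_token_request(ak, sk, user_info):
    """Private cloud data center side: serialised user information plus the
    AK and signature request headers."""
    body = json.dumps(user_info, sort_keys=True).encode()
    return {"X-AK": ak, "X-Signature": sign(sk, body)}, body


def switch_to_public_cloud(sso, user_info, service):
    """End-to-end switch from the private cloud data center's point of view."""
    ak = "AK-private-dc-01"
    headers, body = build_token_request(ak, MANAGEMENT_SYSTEM[ak], user_info)
    token = sso.handle_token_request(headers, body)
    if token is None:
        return None
    # Login verification request in the form shown in the description.
    login_url = f"http://public-client.sso.com?service={service}&token={token}"
    return sso.handle_login_verification(login_url)
```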
After using the public cloud micro-service or the private cloud micro-service, the user needs to log out of the current login state. In order to log out of the public cloud micro-services and the private cloud micro-services together in a unified way, the application executes different schemes for different logout scenarios.
Specifically, if the user logs out from the public cloud micro-service after using it, the SSO system of the public cloud receives a logout instruction from the public cloud micro-service. In the SSO system of the public cloud, the user information is associated with each public cloud micro-service logged in during this login, so all associated logged-in public cloud micro-services can be looked up by the user information. The SSO system of the public cloud then sends logout notifications to these public cloud micro-services one by one, completing the logout of the public cloud micro-services.
In addition, during this login the user may also have accessed some private cloud micro-services, which are therefore currently also in the logged-in state. Private cloud micro-services in the logged-in state are likewise associated with the user information, so the SSO system of the public cloud can determine from the user information whether a private cloud micro-service is logged in. If so, the SSO system of the public cloud encrypts the user information to obtain a Session Identifier (SID). In the SSO system of the private cloud, the logged-in private cloud micro-services are associated with this SID, so the SSO system of the public cloud sends the resulting SID to the SSO system of the private cloud, which then logs out all private cloud micro-services associated with the SID. Thus, even when logging out from the public cloud micro-service, the public cloud micro-services and the private cloud micro-services are logged out together.
Referring to FIG. 3, in a specific application scenario, when the user triggers a logout operation, the SSO system of the public cloud may redirect to the login page of the public cloud. Meanwhile, the SSO system of the public cloud notifies the logged-in public cloud micro-services to log out in the manner described above, and determines from the TGC information whether private cloud micro-services are currently logged in. After the public cloud SSO system obtains the SID, it calls the exit interface of the private cloud SSO system; this call may itself be a redirection, so that the browser is redirected to the logout page of the private cloud. In this way, the SSO system of the public cloud initiates a redirect to the exit interface carrying the SID, thereby transferring the SID to the SSO system of the private cloud, which then sends logout notifications to the associated private cloud micro-services according to the SID.
Referring to FIG. 4, in one embodiment, if the user logs out from a private cloud micro-service, the SSO system of the private cloud receives a logout instruction from the private cloud micro-service. The SSO system of the private cloud then looks up the associated logged-in private cloud micro-services according to the SID and sends them a logout notification. After the private cloud micro-services have been logged out, the public cloud micro-services currently in the logged-in state also need to be logged out. Specifically, the SSO system of the private cloud sends a logout notification to the SSO system of the public cloud, which may contain the SID and a jump link. After receiving the SID, the SSO system of the public cloud decrypts it to obtain the corresponding TGC information, looks up the associated public cloud micro-services through the TGC information, and logs them out. After logout, a logged-out page needs to be shown to the user, and this page is determined by the SSO system of the private cloud through the jump link. Therefore, once the public cloud micro-services have been logged out, the SSO system of the public cloud redirects to the page pointed to by the jump link, so that the page after logging out of the micro-service is displayed to the user.
In this embodiment, when the SSO system of the private cloud sends the logout notification to the SSO system of the public cloud, the logout interface of the SSO system of the public cloud is called. Calling this logout interface can likewise be a browser redirection, in which the SID and the jump link are carried, so that the SSO system of the public cloud can complete the logout of the public cloud micro-services based on the SID and the logged-out page can be displayed to the user according to the jump link.
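The unified logout of FIG. 3 and FIG. 4 in both directions, as an added example that is not the patent's own code: the public cloud SSO keys its logged-in micro-services by TGC and hands out a SID (the encrypted user information) when the user switches to a private micro-service, the private cloud SSO keys its logged-in micro-services by that SID, and each side's exit interface logs out its own micro-services before redirecting. Assumptions: the user information inside the SID is the TGC, the association tables are dictionaries, the cipher is a constructed encrypt-then-MAC scheme built from HMAC-SHA256 because the standard library has no AES, and all keys, micro-service names and page addresses are constructed sample values.

```python
import hashlib
import hmac
import json
import os

# Constructed key held only by the public cloud SSO; it turns user information
# (here the TGC) into a SID and back.
SID_KEY = b"constructed-sid-key-for-example-only"


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, a stand-in PRF keystream (no AES in stdlib)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_sid(user_info, key=SID_KEY):
    """User information -> SID as hex(nonce || ciphertext || tag)."""
    plain = json.dumps(user_info, sort_keys=True).encode()
    nonce = os.urandom(16)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return (nonce + cipher + tag).hex()


def decrypt_sid(sid, key=SID_KEY):
    """SID -> user information, or None when the tag fails (forged or foreign SID)."""
    try:
        raw = bytes.fromhex(sid)
    except ValueError:
        return None
    if len(raw) < 48:
        return None
    nonce, cipher, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


class PrivateCloudSSO:
    def __init__(self):
        self.sessions = {}     # SID -> set of logged-in private micro-services
        self.logged_out = []   # micro-services that received a logout notification
        self.public_sso = None

    def exit_interface(self, sid):
        """Exit interface reached by redirect from the public SSO (FIG. 3)."""
        for svc in sorted(self.sessions.pop(sid, set())):
            self.logged_out.append(svc)
        return "https://private.sso.com/logged-out"   # constructed logout page

    def logout_from_private(self, sid, jump_link):
        """FIG. 4: log out private micro-services, then the public ones via the SID."""
        self.exit_interface(sid)
        return self.public_sso.exit_interface(sid, jump_link)


class PublicCloudSSO:
    def __init__(self, private_sso):
        self.sessions = {}     # TGC -> set of logged-in public micro-services
        self.issued_sids = {}  # TGC -> SID handed to the private cloud at switch time
        self.logged_out = []
        self.private_sso = private_sso
        private_sso.public_sso = self

    def issue_sid(self, tgc):
        """SID requested when switching to a private micro-service; remembered
        so a later public-side logout knows the private cloud is logged in too."""
        sid = encrypt_sid({"tgc": tgc})
        self.issued_sids[tgc] = sid
        return sid

    def logout_from_public(self, tgc):
        """FIG. 3: log out public micro-services, then, if a SID was issued for
        this TGC, call the private SSO's exit interface with it."""
        for svc in sorted(self.sessions.pop(tgc, set())):
            self.logged_out.append(svc)
        sid = self.issued_sids.pop(tgc, None)
        if sid is not None:
            return self.private_sso.exit_interface(sid)
        return "https://public.sso.com/login"   # constructed public login page

    def exit_interface(self, sid, jump_link):
        """FIG. 4 counterpart: decrypt the SID to the TGC, log out the associated
        public micro-services, then redirect to the private cloud's jump link."""
        info = decrypt_sid(sid)
        if info is None:
            return None
        for svc in sorted(self.sessions.pop(info["tgc"], set())):
            self.logged_out.append(svc)
        self.issued_sids.pop(info["tgc"], None)
        return jump_link
```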
An embodiment of the present application further provides a single sign-on system of a public cloud, where the system includes:
the token request receiving unit is used for receiving a token acquisition request sent by a private cloud data center if a user is logged in to the private cloud data center and a private cloud micro-service is switched to a public cloud micro-service, wherein the token acquisition request at least comprises user information of the user in the private cloud data center;
the verification unit is used for responding to the token acquisition request, feeding back a token to the private cloud data center, and receiving a login verification request which is sent by the private cloud data center and carries the token, wherein the login verification request comprises a service address of the public cloud micro-service;
and the micro-service switching unit is used for logging in a public cloud data center based on the user information after the token in the login verification request is verified, and redirecting to the service address in the login verification request so as to switch to the public cloud micro-service represented by the service address.
An embodiment of the present application further provides a micro-service switching method, which may be applied to a single sign-on system of a private cloud, please refer to fig. 1 and 5, and the method may include the following steps.
S21: under the condition that a user logs in a public cloud data center, if the public cloud micro service is switched to a private cloud micro service, an access request sent by the public cloud data center is received, wherein the access request comprises a session identifier and a service address of the private cloud micro service.
In this embodiment, after the user logs in to the public cloud data center with an account and password, the user can access the various public cloud micro-services provided by the public cloud data center. While public cloud micro-services are being provided to the user, the page may also present a list of private cloud micro-services for the user to select. When the user selects one of the private cloud micro-services, the process of switching from the public cloud micro-service to the private cloud micro-service is triggered. At this point, since the domain name of the public cloud data center differs from that of the SSO system of the public cloud, the public cloud data center may send a cross-domain request to the SSO system of the public cloud. The cross-domain request may be an ajax request initiated by the public cloud data center, and the ajax request may invoke an interface of the SSO system of the public cloud. For example, the ajax request may be https://public.sso.com/object-SID, used to obtain a SID from the SSO system of the public cloud.
In this embodiment, in response to the cross-domain request, the SSO system of the public cloud may query the user information of the login, where the user information may be, for example, TGC information. Then, the SSO system of the public cloud can encrypt the user information to obtain a corresponding SID, and feed back the SID to the public cloud data center.
When the public cloud micro service is switched to the private cloud micro service, the public cloud data center may send an access request to the SSO system of the private cloud, where the access request may carry the SID and a service address of the private cloud micro service to be switched.
In an actual application scenario, the public cloud data center may send the access request to the private cloud by calling an authentication interface of the private cloud. After receiving the access request, the micro-service of the private cloud may pass the SID on to the SSO system of the private cloud for verification. In this way, the SSO system of the private cloud receives the SID provided by the public cloud data center.
S23: and extracting the session identifier in the access request, sending a verification request containing the session identifier to a single sign-on system of the public cloud, and receiving user information fed back by the single sign-on system of the public cloud after the session identifier is verified.
In this embodiment, after receiving the SID provided by the public cloud data center, the SSO system of the private cloud may request the SSO system of the public cloud to verify the validity of the SID. When the SID passes the verification of the SSO system of the public cloud, the SSO system of the public cloud can feed back the user information of the user login to the SSO system of the private cloud.
S25: logging in a private cloud data center based on the user information, and redirecting to the service address in the access request so as to switch to the private cloud micro-service represented by the service address.
In this embodiment, after receiving the user information, the SSO system of the private cloud can log in to the private cloud data center directly with that user information. After login, the SSO system can redirect to the service address in the access request, so as to switch to the private cloud micro-service represented by the service address, which completes the switch from the public cloud micro-service to the private cloud micro-service.
In this embodiment, after obtaining the SID, the SSO system of the private cloud may bind the SID to the private cloud micro-service during the login process, identify the service address of the private cloud micro-service from the access request, and redirect access to the private cloud micro-service represented by that service address. In practical application, an access request initiated by the public cloud data center may be https://private.sso.service://b.client.com, in which the service address https://b.client.com of the private cloud micro-service is carried. Because the access request and the service address have different domain names, the browser needs to reach the private cloud micro-service represented by the service address by way of a redirection.
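The following is an added simulation of steps S21 to S25 (it is not code from the patent or from any product it describes). Both SSO systems run in one process, so the HTTP hops of the description (cross-domain request, access request, verification request, redirect) become plain method calls. The SID here is an opaque, HMAC-authenticated, single-use nonce rather than an encrypted TGC, so the TGC itself never leaves the public-cloud SSO; the host allowlist, the key and the class and method names are assumptions made for the example.

```python
# Added simulation of the public-cloud -> private-cloud switch (S21-S25).
# Hosts, keys and sample users are constructed for the example.
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit


class PublicCloudSSO:
    """SSO system of the public cloud: issues and verifies session identifiers."""

    def __init__(self, sid_key: bytes):
        self._sid_key = sid_key      # key that authenticates SIDs (constructed)
        self._tgc = {}               # TGC -> user information of that login
        self._issued = {}            # SID nonce -> (TGC, expiry time)

    def login(self, username: str) -> str:
        """Account/password login is out of scope here; just mint a TGC."""
        tgc = secrets.token_urlsafe(16)
        self._tgc[tgc] = {"user": username}
        return tgc

    def obtain_sid(self, tgc: str, ttl_seconds: int = 60) -> str:
        """Handler behind the cross-domain (ajax) request of S21: bind the current
        TGC to a short-lived SID.  The page describes the SID as an encrypted TGC;
        this example uses an opaque nonce plus HMAC tag instead (an assumption)."""
        if tgc not in self._tgc:
            raise PermissionError("no public-cloud login for this TGC")
        nonce = secrets.token_urlsafe(16)
        self._issued[nonce] = (tgc, time.time() + ttl_seconds)
        tag = hmac.new(self._sid_key, nonce.encode(), hashlib.sha256).hexdigest()
        return f"{nonce}.{tag}"

    def verify_sid(self, sid: str):
        """Handler behind the verification request of S23.  Returns the user
        information on success and None otherwise.  A SID is accepted once."""
        nonce, _, tag = sid.partition(".")
        expected = hmac.new(self._sid_key, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        entry = self._issued.pop(nonce, None)        # single use: a replay is rejected
        if entry is None or entry[1] < time.time():
            return None
        tgc, _expiry = entry
        user = self._tgc.get(tgc)                    # None if the user logged out meanwhile
        return dict(user) if user is not None else None


class PrivateCloudSSO:
    """SSO system of the private cloud: receives the access request and switches."""

    # Private-cloud micro-service hosts this SSO may redirect to (constructed).
    ALLOWED_SERVICE_HOSTS = {"b.client.com", "c.client.com"}

    def __init__(self, public_sso: PublicCloudSSO):
        self._public = public_sso
        self.sessions = {}           # private-cloud session id -> user information

    def handle_access_request(self, sid: str, service_address: str):
        """S21-S25.  Returns (status, redirect_target)."""
        # Check the service address before touching the SID, so a rejected request
        # does not consume a valid identifier.  Limiting the target to known
        # private-cloud hosts keeps the redirect from being pointed elsewhere by a
        # crafted access request.
        parts = urlsplit(service_address)
        if parts.scheme != "https" or parts.hostname not in self.ALLOWED_SERVICE_HOSTS:
            return 400, None
        # S23: ask the public-cloud SSO to verify the SID and return the user info.
        user = self._public.verify_sid(sid)
        if user is None:
            return 401, None
        # S25: log the user in to the private cloud and redirect to the service.
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = {**user, "via_sid": sid}
        return 302, service_address


if __name__ == "__main__":
    public = PublicCloudSSO(sid_key=b"constructed-sid-key")
    private = PrivateCloudSSO(public)
    tgc = public.login("alice")
    sid = public.obtain_sid(tgc)                               # cross-domain request
    print(private.handle_access_request(sid, "https://b.client.com/"))   # (302, ...)
    print(private.handle_access_request(sid, "https://b.client.com/"))   # (401, None): SID already used
```

Two design choices are worth noting. The SID is bound to a server-side record with an expiry and is removed on first verification, so a SID captured from the access request cannot be presented a second time; and the service address is validated before the SID is consumed, so the verification request is only made for targets the private cloud actually hosts.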
In one embodiment, the exit may be from a public cloud micro-service or a private cloud micro-service in the manner described above. Accordingly, after receiving an exit instruction for exiting the micro-service from the private cloud, the SSO system of the private cloud may query the logged-in private cloud micro-services associated with the session identifier and send an exit notification to them. Then the session identifier and the jump link may be sent to the SSO system of the public cloud, so that the SSO system of the public cloud, after logging out the public cloud micro-services associated with the session identifier, redirects to the page pointed to by the jump link.
If the micro-service is exited from the public cloud, the SSO system of the private cloud may receive a logout notification sent by the SSO system of the public cloud. In response to the logout notification, the SSO system of the private cloud may query the logged-in private cloud micro-services associated with the session identifier and send a logout notification to them.
For details, refer to the foregoing description; they are not repeated here.
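Below is an added simulation of the single-logout behaviour described above and in the fig. 4 passage, covering both directions (exit from the private cloud, exit from the public cloud). It is not code from the patent or any product. In-memory dictionaries stand in for the two session stores and for decrypting the SID back to TGC information, the browser redirect is returned as a value, and every host, SID and service address is constructed. Because the jump link arrives from the other SSO system, the public-cloud side here only redirects to it when it points at a known private-SSO host; that allowlist and the fallback page are assumptions.

```python
# Added simulation of single logout across the two SSO systems.
# All hosts, SIDs, TGCs and service addresses are constructed.
from urllib.parse import urlsplit


class PublicCloudSSO:
    # Hosts the public-cloud SSO may redirect to after logout (constructed).
    ALLOWED_JUMP_HOSTS = {"private.sso.com"}
    FALLBACK_PAGE = "https://public.sso.com/logged-out"

    def __init__(self):
        self.sid_to_tgc = {}      # stands in for decrypting a SID into TGC information
        self.sessions = {}        # TGC -> set of logged-in public-cloud micro-services
        self.notifications = []   # exit notifications delivered (constructed log)
        self.private_sso = None   # filled in by the private-cloud SSO

    def _notify_and_drop(self, tgc):
        for service in sorted(self.sessions.pop(tgc, set())):
            self.notifications.append(("public", service, "exit"))

    def exit_interface(self, sid, jump_link):
        """Logout interface reached by redirect from the private-cloud SSO."""
        tgc = self.sid_to_tgc.pop(sid, None)
        if tgc is None:
            return 400, None
        self._notify_and_drop(tgc)
        parts = urlsplit(jump_link)
        if parts.scheme != "https" or parts.hostname not in self.ALLOWED_JUMP_HOSTS:
            return 302, self.FALLBACK_PAGE      # unknown jump target: use our own page
        return 302, jump_link

    def exit_from_public(self, tgc):
        """Exit instruction received on the public cloud: notify public services,
        then tell the private-cloud SSO which session identifiers to log out."""
        self._notify_and_drop(tgc)
        # The page derives the SID by encrypting the user information; here the
        # SIDs bound to the TGC are looked up instead (an assumption).
        sids = [s for s, t in self.sid_to_tgc.items() if t == tgc]
        for sid in sids:
            del self.sid_to_tgc[sid]
            self.private_sso.logout_notification(sid)
        return len(sids)


class PrivateCloudSSO:
    def __init__(self, public_sso):
        self.public_sso = public_sso
        public_sso.private_sso = self
        self.sessions = {}        # SID -> set of logged-in private-cloud micro-services
        self.notifications = []

    def _notify_and_drop(self, sid):
        for service in sorted(self.sessions.pop(sid, set())):
            self.notifications.append(("private", service, "exit"))

    def exit_from_private(self, sid, jump_link):
        """Exit instruction received on the private cloud, then hand over to the public SSO."""
        self._notify_and_drop(sid)
        return self.public_sso.exit_interface(sid, jump_link)

    def logout_notification(self, sid):
        """Logout notification received from the public-cloud SSO."""
        self._notify_and_drop(sid)


def build_sample():
    """Constructed state: one user logged in to two public and two private services."""
    public = PublicCloudSSO()
    private = PrivateCloudSSO(public)
    public.sid_to_tgc["sid-1"] = "tgc-alice"
    public.sessions["tgc-alice"] = {"https://a.public.com", "https://d.public.com"}
    private.sessions["sid-1"] = {"https://b.client.com", "https://c.client.com"}
    return public, private


if __name__ == "__main__":
    public, private = build_sample()
    print(private.exit_from_private("sid-1", "https://private.sso.com/bye"))
    print(private.notifications, public.notifications)
```

Either direction ends with both session stores empty and an exit notification recorded for every micro-service the user was logged in to, which is the property a detection or audit rule for incomplete single logout would check.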
The present application further provides a single sign-on system for a private cloud, the system comprising:
the access request receiving unit is used for receiving an access request sent by the public cloud data center if the public cloud micro service is switched to the private cloud micro service under the condition that a user logs in the public cloud data center, wherein the access request comprises a session identifier and a service address of the private cloud micro service;
the verification request unit is used for extracting the session identifier in the access request, sending a verification request containing the session identifier to a single sign-on system of the public cloud, and receiving user information fed back by the single sign-on system of the public cloud after the session identifier is verified;
and the micro-service switching unit is used for logging in a private cloud data center based on the user information and redirecting to the service address in the access request so as to switch to the private cloud micro-service represented by the service address.
As can be seen from the above, according to the technical solutions provided in one or more embodiments of the present application, the public cloud micro service and the private cloud micro service may respectively have their respective SSO systems, and if a user needs to switch between the public cloud micro service and the private cloud micro service, an authentication process across the SSO systems is involved. In this authentication process, when switching from private cloud micro-service to public cloud micro-service, the data center of the private cloud may request a token from the SSO system of the public cloud. Subsequently, the SSO system of the private cloud may send a login check request carrying the token to the SSO system of the public cloud, and if the login check request is verified by the SSO system of the public cloud, the user may directly log in to the public cloud data center based on the user information in the private cloud data center, thereby implementing the switching process of the micro-service. If the public cloud micro service is switched to the private cloud micro service, the public cloud data center can send an access request carrying a session identifier to the SSO system of the private cloud, the SSO system of the private cloud can then request the SSO system of the public cloud to check the session identifier, if the session identifier passes the check, the SSO system of the private cloud can receive user information fed back by the SSO system of the public cloud, and the user information can directly log in the private cloud data center, so that the micro service switching is completed. 
Therefore, according to the technical solution provided by the present application, the user does not need to enter an account and password repeatedly: when a micro-service is switched across SSO systems, the authentication process is completed directly between the two SSO systems, and the micro-service switch proceeds smoothly. The process is imperceptible to the user, who experiences the micro-service switch without being asked for an account and password again.
The embodiments in the present specification are described in a progressive manner; the same or similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, for the system embodiments, reference may be made to the description of the corresponding method embodiments above.
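As an added simulation of the private-cloud-to-public-cloud direction summarized above, the following code walks through the token acquisition request, the signature check of claim 4 (key looked up by the pre-registered identification, signature recomputed over the request content and compared with the carried signature), the login verification request carrying the token, and the final redirect. It is not code from the patent or any product; the signature is an HMAC-SHA256 over a canonical JSON form of the request content (the page only says the content is encrypted with the key, so this is a swapped-in choice), the identification string, shared secret, hosts, freshness window and all names are assumptions, and the private data center and private SSO are collapsed into one requesting side.

```python
# Added simulation of the private-cloud -> public-cloud switch with a signed
# token acquisition request (claim 4).  Identifications, keys and hosts are constructed.
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlsplit


def sign_request(key: bytes, content: dict) -> str:
    """HMAC-SHA256 over a canonical JSON form of the request content."""
    canonical = json.dumps(content, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_token_request(identification: str, key: bytes, user_info: dict, timestamp=None) -> dict:
    """Build the token acquisition request the private side sends."""
    content = {
        "identification": identification,
        "user_info": user_info,
        "timestamp": int(time.time()) if timestamp is None else timestamp,
        "nonce": secrets.token_hex(8),
    }
    return {**content, "signature": sign_request(key, content)}


class PublicCloudSSO:
    ALLOWED_SERVICE_HOSTS = {"a.public.com"}   # public-cloud micro-service hosts (constructed)
    TOKEN_TTL = 60                              # seconds a token stays usable
    MAX_REQUEST_AGE = 300                       # accepted age of a token request (added check)

    def __init__(self):
        # identification -> key, established when the private data center pre-registered
        self.registered = {"private-dc-001": b"constructed-shared-secret"}
        self.tokens = {}        # token -> (user information, expiry)
        self.sessions = {}      # public-cloud session id -> user information

    def handle_token_request(self, request: dict):
        """Claim 4: find the key for the identification, recompute the signature over
        the request content and issue a token only if it matches the carried one."""
        content = {k: v for k, v in request.items() if k != "signature"}
        key = self.registered.get(content.get("identification"))
        if key is None:
            return None
        carried = str(request.get("signature", ""))
        if not hmac.compare_digest(sign_request(key, content), carried):
            return None
        ts = content.get("timestamp")
        if not isinstance(ts, (int, float)) or abs(time.time() - ts) > self.MAX_REQUEST_AGE:
            return None                          # stale or malformed: refuse to issue
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (content["user_info"], time.time() + self.TOKEN_TTL)
        return token

    def handle_login_verification(self, token: str, service_address: str):
        """Verify the token, log the user in and redirect to the service address."""
        parts = urlsplit(service_address)
        if parts.scheme != "https" or parts.hostname not in self.ALLOWED_SERVICE_HOSTS:
            return 400, None                     # checked first so the token is not wasted
        entry = self.tokens.pop(token, None)     # one token, one login
        if entry is None or entry[1] < time.time():
            return 401, None
        user_info, _expiry = entry
        self.sessions[secrets.token_urlsafe(16)] = dict(user_info)
        return 302, service_address


class PrivateCloudSide:
    """Private data center and private SSO collapsed into one requester."""

    def __init__(self, identification: str, key: bytes, public_sso: PublicCloudSSO):
        self.identification = identification
        self.key = key
        self.public_sso = public_sso

    def switch_to_public(self, user_info: dict, service_address: str):
        request = make_token_request(self.identification, self.key, user_info)
        token = self.public_sso.handle_token_request(request)
        if token is None:
            return 401, None
        return self.public_sso.handle_login_verification(token, service_address)


if __name__ == "__main__":
    public = PublicCloudSSO()
    private = PrivateCloudSide("private-dc-001", b"constructed-shared-secret", public)
    print(private.switch_to_public({"user": "alice"}, "https://a.public.com/home"))   # (302, ...)
```

The signature covers every field of the request, so the user information cannot be altered between the private side and the public SSO without the check failing, and the timestamp keeps a recorded request from being accepted again later; the token itself is short-lived and removed on first use.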
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an embodiment of the present application, and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (14)
1. A micro-service switching method is applied to a single sign-on system of a public cloud, and comprises the following steps:
under the condition that a user logs in a private cloud data center, if switching from a private cloud micro service to a public cloud micro service, receiving a token acquisition request sent by the private cloud data center, wherein the token acquisition request at least comprises user information of the user in the private cloud data center;
responding to the token acquisition request, feeding back a token to the private cloud data center, and receiving a login verification request which is sent by the private cloud data center and carries the token, wherein the login verification request comprises a service address of the public cloud micro-service;
after the token in the login verification request is verified, the user logs in a public cloud data center based on the user information, and redirects to the service address in the login verification request so as to switch to the public cloud micro-service represented by the service address.
2. The method of claim 1, further comprising:
and if the public cloud micro service is switched to the private cloud micro service, receiving a cross-domain request sent by the public cloud data center, responding to the cross-domain request, inquiring the user information of the login, encrypting the user information, generating a corresponding session identifier, and feeding back the session identifier to the public cloud data center.
3. The method of claim 1, wherein redirecting to the service address in the login verification request comprises:
identifying the service address of the public cloud micro-service from the login verification request, and redirecting to access the public cloud micro-service represented by the service address.
4. The method according to claim 1, wherein the token obtaining request further includes identification information obtained by pre-registering the private cloud data center; feeding back a token to the private cloud data center comprises:
inquiring a secret key matched with the identification information, and encrypting the request content of the token acquisition request by using the secret key to obtain a verification signature;
and if the verification signature is consistent with the signature carried in the token acquisition request, feeding back the token to the private cloud data center.
5. The method of claim 1, further comprising:
after receiving an exit instruction for exiting the micro-service from the public cloud, inquiring the logged public cloud micro-service associated with the user information, and sending an exit notification to the logged public cloud micro-service;
and encrypting the user information to obtain a session identifier, and sending the session identifier to a single sign-on system of a private cloud, so that the single sign-on system of the private cloud quits the private cloud micro-service associated with the session identifier.
6. The method of claim 5, wherein sending the session identity to a single sign-on system of a private cloud comprises:
and calling an exit interface of the single sign-on system of the private cloud to initiate redirection access to the exit interface, wherein the redirection access carries the session identifier.
7. The method of claim 1, further comprising:
if the micro service exits from the private cloud, receiving a session identifier and a jump link sent by a single sign-on system of the private cloud;
and querying the logged-in public cloud micro-service associated with the session identifier, sending an exit notification to the logged-in public cloud micro-service obtained by the query, and redirecting to the jump link.
8. A single sign-on system for a public cloud, the system comprising:
the token request receiving unit is used for receiving a token acquisition request sent by a private cloud data center if a user is logged in to the private cloud data center and a private cloud micro-service is switched to a public cloud micro-service, wherein the token acquisition request at least comprises user information of the user in the private cloud data center;
the verification unit is used for responding to the token acquisition request, feeding back a token to the private cloud data center, and receiving a login verification request which is sent by the private cloud data center and carries the token, wherein the login verification request comprises a service address of the public cloud micro-service;
and the micro-service switching unit is used for logging in a public cloud data center based on the user information after the token in the login verification request is verified, and redirecting to the service address in the login verification request so as to switch to the public cloud micro-service represented by the service address.
9. A micro-service switching method is applied to a single sign-on system of a private cloud, and comprises the following steps:
under the condition that a user logs in a public cloud data center, if the public cloud micro service is switched to a private cloud micro service, receiving an access request sent by the public cloud data center, wherein the access request comprises a session identifier and a service address of the private cloud micro service;
extracting the session identifier in the access request, sending a verification request containing the session identifier to a single sign-on system of a public cloud, and receiving user information fed back by the single sign-on system of the public cloud after the session identifier is verified;
logging in a private cloud data center based on the user information, and redirecting to the service address in the access request so as to switch to the private cloud micro-service represented by the service address.
10. The method of claim 9, wherein the session identifier is generated as follows:
the single sign-on system of the public cloud receives a cross-domain request sent by a public cloud data center, responds to the cross-domain request to inquire the user information logged in this time, encrypts the user information, generates a corresponding session identifier, and feeds the session identifier back to the public cloud data center.
11. The method of claim 9, wherein redirecting to the service address in the access request comprises:
and binding the session identifier with the private cloud micro-service in the login process, identifying the service address from the access request, and redirecting to access the private cloud micro-service represented by the service address.
12. The method of claim 9, further comprising:
after receiving an exit instruction for exiting the micro-service from the private cloud, inquiring the logged-in private cloud micro-service associated with the session identifier, and sending an exit notification to the logged-in private cloud micro-service;
and sending the session identifier and the jump link to a single sign-on system of the public cloud, so that the single sign-on system of the public cloud, after logging out the public cloud micro-service associated with the session identifier, redirects to the page pointed to by the jump link.
13. The method of claim 9, further comprising:
if the micro-service is exited from the public cloud, receiving a logout notification sent by the single sign-on system of the public cloud;
and in response to the logout notification, querying the logged-in private cloud micro-service associated with the session identifier, and sending the logout notification to the logged-in private cloud micro-service.
14. A single sign-on system for a private cloud, the system comprising:
the access request receiving unit is used for receiving an access request sent by the public cloud data center if the public cloud micro service is switched to the private cloud micro service under the condition that a user logs in the public cloud data center, wherein the access request comprises a session identifier and a service address of the private cloud micro service;
the verification request unit is used for extracting the session identifier in the access request, sending a verification request containing the session identifier to a single sign-on system of the public cloud, and receiving user information fed back by the single sign-on system of the public cloud after the session identifier is verified;
and the micro-service switching unit is used for logging in a private cloud data center based on the user information and redirecting to the service address in the access request so as to switch to the private cloud micro-service represented by the service address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011353966.5A CN112487390A (en) | 2020-11-27 | 2020-11-27 | Micro-service switching method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112487390A true CN112487390A (en) | 2021-03-12 |
Family
ID=74935708
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011353966.5A Pending CN112487390A (en) | 2020-11-27 | 2020-11-27 | Micro-service switching method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112487390A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113938282A (en) * | 2021-09-26 | 2022-01-14 | 用友网络科技股份有限公司 | Privatization deployment data acquisition method of hybrid cloud, electronic device and storage medium |
CN116074117A (en) * | 2023-03-07 | 2023-05-05 | 徐工汉云技术股份有限公司 | Micro-service access control method and device based on enterprise micro-service architecture |
Citations (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030200465A1 (en) * | 2001-08-06 | 2003-10-23 | Shivaram Bhat | Web based applications single sign on system and method |
CN106209749A (en) * | 2015-05-08 | 2016-12-07 | 阿里巴巴集团控股有限公司 | Single-point logging method and the processing method and processing device of device, relevant device and application |
CN106375308A (en) * | 2016-08-31 | 2017-02-01 | 上海宽惠网络科技有限公司 | Hybrid cloud-oriented cross-cloud user authentication system |
CN106790209A (en) * | 2017-01-03 | 2017-05-31 | 北京并行科技股份有限公司 | A kind of login authentication method and system |
CN107070880A (en) * | 2017-02-16 | 2017-08-18 | 济南浪潮高新科技投资发展有限公司 | A kind of method and system of single-sign-on, a kind of authentication center's server |
CN107222487A (en) * | 2017-06-13 | 2017-09-29 | 杭州亿方云网络科技有限公司 | A kind of account docking system for mixing cloud environment |
CN107948167A (en) * | 2017-11-29 | 2018-04-20 | 浙江数链科技有限公司 | A kind of method and apparatus of single-sign-on |
CN109314704A (en) * | 2016-09-14 | 2019-02-05 | 甲骨文国际公司 | Function is nullified for multi-tenant identity and the single-sign-on and single-point of data safety management cloud service |
CN110177120A (en) * | 2019-06-14 | 2019-08-27 | 北京首都在线科技股份有限公司 | A kind of method, apparatus and computer readable storage medium of single-sign-on |
CN110278179A (en) * | 2018-03-15 | 2019-09-24 | 阿里巴巴集团控股有限公司 | Single-point logging method, device and system and electronic equipment |
CN110278187A (en) * | 2019-05-13 | 2019-09-24 | 网宿科技股份有限公司 | Multiple terminals single-point logging method, system, sync server and medium |
CN110519240A (en) * | 2019-08-09 | 2019-11-29 | 浙江大搜车软件技术有限公司 | A kind of single-point logging method, apparatus and system |
CN110581863A (en) * | 2019-10-25 | 2019-12-17 | 北京浪潮数据技术有限公司 | single sign-on method, device, equipment and medium for cloud platform |
CN110661782A (en) * | 2019-08-27 | 2020-01-07 | 紫光云(南京)数字技术有限公司 | Public basic service system based on single sign-on and micro-service architecture and implementation method thereof |
KR20200002680A (en) * | 2018-06-29 | 2020-01-08 | 주식회사 카카오 | Single-sign-on method and system for multi-domain services |
CN110781482A (en) * | 2019-10-12 | 2020-02-11 | 广州酷旅旅行社有限公司 | Login method, login device, computer equipment and storage medium |
CN111143814A (en) * | 2019-12-30 | 2020-05-12 | 武汉佰钧成技术有限责任公司 | Single sign-on method, micro-service access platform and storage medium |
Non-Patent Citations (4)
Title |
---|
尹鹏: "Design and Implementation of a Private Cloud Computing Platform Based on Application Virtualization", China Master's Theses Full-text Database, Information Science and Technology, no. 03, 15 March 2017 (2017-03-15) * |
康家邦: "Research on Unified Identity Authentication and Authorization in Cloud Computing for Logistics Systems", China Master's Theses Full-text Database, Information Science and Technology, no. 05, 15 May 2015 (2015-05-15) * |
徐辉;: "Implementation of a Cross-Domain Single Sign-On System Based on .NET Web Services", Computer Knowledge and Technology (电脑知识与技术), no. 20, 15 July 2012 (2012-07-15) * |
王文清;陈凌;: "A Cloud Service Platform Model for the CALIS Digital Library", Journal of Academic Libraries (大学图书馆学报), no. 04, 21 July 2009 (2009-07-21) * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113938282A (en) * | 2021-09-26 | 2022-01-14 | 用友网络科技股份有限公司 | Privatization deployment data acquisition method of hybrid cloud, electronic device and storage medium |
CN116074117A (en) * | 2023-03-07 | 2023-05-05 | 徐工汉云技术股份有限公司 | Micro-service access control method and device based on enterprise micro-service architecture |
CN116074117B (en) * | 2023-03-07 | 2023-06-02 | 徐工汉云技术股份有限公司 | Micro-service access control method and device based on enterprise micro-service architecture |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9787664B1 (en) | | Methods systems and articles of manufacture for implementing user access to remote resources |
CN107005582B (en) | | Method for accessing public end point by using credentials stored in different directories |
WO2017028804A1 (en) | | Web real-time communication platform authentication and access method and device |
JP5009294B2 (en) | | Distributed single sign-on service |
CN110086768B (en) | | Service processing method and device |
CN109165500B (en) | | Single sign-on authentication system and method based on cross-domain technology |
US11303431B2 (en) | | Method and system for performing SSL handshake |
US9118645B2 (en) | | Distributed authentication using persistent stateless credentials |
CN111740966B (en) | | Data processing method based on block chain network and related equipment |
US20120284786A1 (en) | | System and method for providing access credentials |
CN103384237A (en) | | Method for sharing IaaS cloud account, shared platform and network device |
CN110032842B (en) | | Method and system for simultaneously supporting single sign-on and third party sign-on |
RU2008114665A (en) | | Secure processing of client system credentials for access to web-based resources |
CN112688773A (en) | | Token generation and verification method and device |
CN110995656B (en) | | Load balancing method, device, equipment and storage medium |
WO2007064169A1 (en) | | Method and apparatus for transmitting message in heterogeneous federated environment, and method and apparatus for providing service using the message |
CN110069909B (en) | | Method and device for login of third-party system without secret |
CN111211911B (en) | | Collaborative signature method, device, equipment and system |
CN113922982B (en) | | Login method, electronic equipment and computer readable storage medium |
CN112487390A (en) | | Micro-service switching method and system |
CN110049032A (en) | | Data content encryption method and device with two-way authentication |
CN111342964B (en) | | Single sign-on method, device and system |
CN106911628A (en) | | Method and device for a user to register application software on a client |
US20180115555A1 (en) | | Authenticating data transfer |
CN110753018A (en) | | Login authentication method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |