CN112491778A - Authentication method, device, system and medium - Google Patents

Authentication method, device, system and medium

Info

Publication number
CN112491778A
Authority
CN
China
Prior art keywords
token
party
client
request
server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910862878.9A
Other languages
Chinese (zh)
Inventor
褚良武
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Jingdong Shangke Information Technology Co Ltd
Priority to CN201910862878.9A
Publication of CN112491778A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Abstract

The disclosure provides an authentication method, device, system and medium applied to an authentication server. The authentication method comprises the following steps: receiving an access authorization request sent by the client; in response to the access authorization request passing verification, acquiring a dynamic token, wherein the dynamic token comprises a first token and a second token and the validity period of the first token is shorter than that of the second token; and sending the dynamic token to the client. The disclosure also provides an authentication method, an authentication device, an authentication system and an authentication medium applied to the client, and an authentication method, an authentication device, an authentication system and an authentication medium applied to the third-party application server.

Description

Authentication method, device, system and medium
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to an authentication method, apparatus, system, and medium.
Background
Many products and applications cannot do without user authentication functionality. Currently, each product and each application usually builds its own user identity authentication service system separately to meet business needs. The user identity authentication service comprises: user token authentication of a host application, user token authentication of a third-party application, and single sign-on (SSO) authentication. In multi-client (iPhone, Android, web, desktop) applications, the user authentication logic of each client is inconsistent. For example, the user identity authentication logic of the iPhone client is consistent with that of the Android client but not with that of the web client, and the authentication mechanism adopts a single token mechanism.
In the course of implementing the disclosed concept, the inventors found at least the following problems in the prior art: the existing user token authentication mechanism adopts a single token mechanism, the validity period of the token is 30 days, and the user needs to log in again after the token expires. This token mechanism has the disadvantages of an overly long token validity period, a high probability of interception and cracking, and poor security. Moreover, in the prior art, each time an application is developed, a separate user identity authentication service system needs to be developed, which amounts to reinventing the wheel and increases research and development cost. Within the same application across multiple clients, the user identity authentication mechanisms of the clients are inconsistent, so the overall system architecture is inconsistent and the backend service cannot unify its business logic.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a method, apparatus, system, and medium for dual token organically coupled authentication with increased security.
In one aspect of the present disclosure, an authentication method is provided, which is applied to an authentication server, where the authentication server is configured to authorize and authenticate a client when the client accesses resources of a service server. The method comprises the following steps: receiving an access authorization request sent by the client; in response to the access authorization request passing verification, obtaining a dynamic token, wherein the dynamic token comprises a first token and a second token, the validity period of the first token is shorter than that of the second token, the first token is the token carried in a service access request by which the client accesses the service server, and the second token is the token carried in a token update request for updating the first token; and sending the dynamic token to the client.
According to an embodiment of the present disclosure, the method further comprises: receiving the service access request sent by the client; and in response to the first token in the service access request passing verification, forwarding the service access request to the service server.
According to an embodiment of the present disclosure, the method further comprises: receiving the token updating request sent by the client; updating the first token in response to verification of the second token in the token update request passing; and sending the updated first token to the client.
According to an embodiment of the present disclosure, the updating the first token comprises: determining whether a validity period of the first token expires; if the validity period of the first token expires, acquiring a new first token; or if the validity period of the first token is not expired, extending the validity period of the first token.
According to the embodiment of the disclosure, the access authorization request includes user information of a login user of the client, and the acquiring of the dynamic token includes generating the dynamic token through an encryption algorithm based on the user information.
According to an embodiment of the present disclosure, the generating the dynamic token through an encryption algorithm based on the user information includes: processing a character string obtained by combining the identity information of the client, the code of the login user, the current time and a first random number by using a message digest algorithm to obtain the first token; and processing a character string obtained by combining the identity information of the client, the code of the login user, the current time and a second random number by using a message digest algorithm to obtain the second token.
According to an embodiment of the present disclosure, the method further comprises: receiving a third-party token acquisition request sent by the client, wherein the third-party token acquisition request is used for acquiring a temporary token provided for a third-party application server, and comprises the first token and identity information of the third-party application server; after the third-party token acquisition request passes verification, acquiring the temporary token based on identity information of the third-party application server side; and sending the temporary token to the client.
According to an embodiment of the present disclosure, the method further comprises: receiving a temporary access authorization request for access authorization of a third-party application server, wherein the temporary access authorization request comprises the temporary token; after the temporary token passes verification, acquiring a third-party dynamic token, wherein the third-party dynamic token comprises a third-party first token and a third-party second token, the validity period of the third-party first token is shorter than that of the third-party second token, the third-party first token is a token carried in a request of the third-party application server for calling the client to access the business server, and the third-party second token is a token carried in a request of calling the client to update the third-party first token; and sending the third-party dynamic token to the third-party application server side.
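The dual-token issuance, service access check and token update described in the embodiments above, together with the temporary-token exchange for a third-party application server, as an added worked example in Python. This is illustrative code written for this page, not the patent's own or the assignee's implementation. It assumes an in-memory token store, SHA-256 as the message digest, the `secrets` module as the source of the random numbers, and constructed validity periods (15 minutes, 30 days, 60 seconds); the `AuthServer` class and its method names are hypothetical. The injectable clock lets the expiry paths be exercised without waiting.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Validity periods are constructed for this example; the page fixes no values.
FIRST_TTL = 15 * 60          # first token: sent with every service access request
SECOND_TTL = 30 * 24 * 3600  # second token: sent only with token update requests
TEMP_TTL = 60                # temporary token handed to a third-party application server


def digest_token(client_id: str, subject: str, now: float, nonce: str) -> str:
    """Digest of client identity | user code | current time | random number,
    the construction the page gives for the first and second tokens."""
    material = "|".join([client_id, subject, repr(now), nonce])
    return hashlib.sha256(material.encode()).hexdigest()


@dataclass
class Record:
    kind: str        # "first", "second" or "temp"
    subject: str     # login user's code, or the third-party server's identity
    client_id: str
    expires_at: float
    pair: str = ""   # for a second token: the first token it may update


class AuthServer:
    """Hypothetical authentication server holding issued tokens in memory."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens: Dict[str, Record] = {}

    def _lookup(self, token: str, kind: str) -> Optional[Record]:
        # A token is accepted only if a record of the expected kind exists and is unexpired.
        rec = self.tokens.get(token)
        if rec is None or rec.kind != kind or self.clock() >= rec.expires_at:
            return None
        return rec

    def _issue_pair(self, client_id: str, subject: str) -> dict:
        """Dynamic token: short-lived first token plus longer-lived second token."""
        now = self.clock()
        first = digest_token(client_id, subject, now, secrets.token_hex(16))
        second = digest_token(client_id, subject, now, secrets.token_hex(16))
        self.tokens[first] = Record("first", subject, client_id, now + FIRST_TTL)
        self.tokens[second] = Record("second", subject, client_id, now + SECOND_TTL, first)
        return {"first_token": first, "second_token": second}

    def access_authorization(self, client_id: str, user_code: str) -> dict:
        # The login name and password were already checked by the account service.
        return self._issue_pair(client_id, user_code)

    def verify_service_access(self, first_token: str) -> bool:
        """Service access request: forward to the service server only if this passes."""
        return self._lookup(first_token, "first") is not None

    def update_first_token(self, second_token: str) -> Optional[str]:
        """Token update request: requires a valid second token."""
        sec = self._lookup(second_token, "second")
        if sec is None:
            return None
        now = self.clock()
        old = self.tokens.get(sec.pair)
        if old is not None and now < old.expires_at:
            old.expires_at = now + FIRST_TTL          # not expired: extend its validity
            return sec.pair
        self.tokens.pop(sec.pair, None)                # expired: acquire a new first token
        new = digest_token(sec.client_id, sec.subject, now, secrets.token_hex(16))
        self.tokens[new] = Record("first", sec.subject, sec.client_id, now + FIRST_TTL)
        sec.pair = new
        return new

    def third_party_token_acquisition(self, first_token: str, third_party_id: str) -> Optional[str]:
        """Client asks, with its own first token, for a temporary token for a third party."""
        rec = self._lookup(first_token, "first")
        if rec is None:
            return None
        now = self.clock()
        temp = digest_token(rec.client_id, third_party_id, now, secrets.token_hex(16))
        self.tokens[temp] = Record("temp", third_party_id, rec.client_id, now + TEMP_TTL)
        return temp

    def temporary_access_authorization(self, temp_token: str, third_party_id: str) -> Optional[dict]:
        """Third-party server exchanges the temporary token for its own dynamic token."""
        rec = self._lookup(temp_token, "temp")
        if rec is None or rec.subject != third_party_id:
            return None
        del self.tokens[temp_token]                    # single use
        return self._issue_pair(rec.client_id, third_party_id)


if __name__ == "__main__":
    srv = AuthServer()
    pair = srv.access_authorization("ios-client", "user42")   # constructed identifiers
    print("service access ok:", srv.verify_service_access(pair["first_token"]))
    print("first token after update:", srv.update_first_token(pair["second_token"])[:16], "...")
    temp = srv.third_party_token_acquisition(pair["first_token"], "tp-app")
    print("third-party dynamic token issued:", srv.temporary_access_authorization(temp, "tp-app") is not None)
```

The digest construction mirrors the page's description, but the digest alone proves nothing to the server: a token is accepted only if a server-side record of the right kind exists and has not expired, so the random number is what makes a token unguessable and must come from a cryptographically secure generator. The temporary token is bound to the third-party identity it was requested for and is deleted on first use, so a token issued for one third party cannot be exchanged by another, nor replayed.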
In a second aspect of the present disclosure, an authentication method is provided, which is applied to a client, where the client is authorized and authenticated by an authentication server when it accesses resources of a service server. The method comprises the following steps: sending an access authorization request to the authentication server; and receiving a dynamic token sent by the authentication server, wherein the dynamic token comprises a first token and a second token, the validity period of the first token is shorter than that of the second token, the first token is the token carried in a service access request by which the client accesses the service server, and the second token is the token carried in a token update request for updating the first token.
According to an embodiment of the present disclosure, the method further comprises: sending the service access request to the authentication server; receiving a response to the service access request from the service server under the condition that the first token in the service access request passes the verification of the authentication server; or, receiving information that the client identity authentication sent by the authentication server fails in the case that the first token in the service access request fails the verification of the authentication server.
According to an embodiment of the present disclosure, the method further comprises: after the first token is invalid, sending the token updating request to the authentication server; and receiving feedback information of the authentication server, wherein the feedback information comprises the updated first token if the first token is updated successfully.
According to an embodiment of the present disclosure, the method further comprises: receiving a first calling request of a third-party application server, wherein the first calling request is used for requesting access authorization of the third-party application server; sending a third-party token acquisition request to the authentication server based on the first call request, wherein the third-party token acquisition request is used for acquiring a temporary token provided for a third-party application server, and the third-party token acquisition request comprises the first token and identity information of the third-party application server; receiving the temporary token fed back by the authentication server under the condition that the first token passes verification; and sending the temporary token to the third-party application server based on the identity information of the third-party application server.
The third aspect of the present disclosure provides an authentication method, which is applied to a third-party application server, where the third-party application server accesses resources of a service server by calling a client of a host application, and the client is authorized and authenticated by an authentication server when it accesses those resources. The method comprises the following steps: sending a first call request to the client, wherein the first call request is used by the third-party application server to request access authorization and comprises identity information of the third-party application server; receiving a temporary token fed back by the client based on the first call request, wherein the temporary token is obtained by the authentication server based on the identity information of the third-party application server; sending a temporary access authorization request for acquiring a third-party dynamic token to the authentication server, wherein the temporary access authorization request comprises the temporary token; and receiving the third-party dynamic token sent by the authentication server when the temporary token passes verification, wherein the third-party dynamic token comprises a third-party first token and a third-party second token, the validity period of the third-party first token is shorter than that of the third-party second token, the third-party first token is the token carried in a request by which the third-party application server calls the client to access the service server, and the third-party second token is the token carried in a request that calls the client to update the third-party first token.
In a fourth aspect of the present disclosure, an authentication apparatus is provided, where the authentication apparatus is disposed at an authentication server, and the authentication server is configured to authorize and authenticate a client when the client accesses a resource of a service server. The device comprises a first receiving module, a dynamic token obtaining module and a dynamic token sending module. The first receiving module is used for receiving the access authorization request sent by the client. The dynamic token obtaining module is configured to obtain a dynamic token in response to the access authorization request passing verification, where the dynamic token includes a first token and a second token, the validity period of the first token is shorter than that of the second token, the first token is the token carried in a service access request from the client to the service server, and the second token is the token carried in a token update request for updating the first token. The dynamic token sending module is used for sending the dynamic token to the client.
In a fifth aspect of the present disclosure, an authentication apparatus is provided in a client, where the client is authorized and authenticated by an authentication server when it accesses resources of a service server. The device comprises a first sending module and a dynamic token receiving module. The first sending module is used for sending an access authorization request to the authentication server. The dynamic token receiving module is configured to receive a dynamic token sent by the authentication server, where the dynamic token includes a first token and a second token, the validity period of the first token is shorter than that of the second token, the first token is the token carried in a service access request from the client to the service server, and the second token is the token carried in a token update request for updating the first token.
A sixth aspect of the present disclosure provides an authentication apparatus, which is disposed at a third-party application server, where the third-party application server accesses resources of a service server by invoking a client of a host application, and the client is authorized and authenticated by an authentication server when it accesses those resources. The device comprises an access authorization calling module, a temporary token receiving module, a third-party token requesting module and a third-party token receiving module. The access authorization calling module is used for sending a first call request to the client, wherein the first call request is used by the third-party application server to request access authorization and comprises identity information of the third-party application server. The temporary token receiving module is used for receiving a temporary token fed back by the client based on the first call request, wherein the temporary token is obtained by the authentication server based on the identity information of the third-party application server. The third-party token requesting module is used for sending a temporary access authorization request for acquiring a third-party dynamic token to the authentication server, wherein the temporary access authorization request comprises the temporary token. The third-party token receiving module is used for receiving the third-party dynamic token sent by the authentication server when the temporary token passes verification, wherein the third-party dynamic token comprises a third-party first token and a third-party second token, the validity period of the third-party first token is shorter than that of the third-party second token, the third-party first token is the token carried in a request by which the third-party application server calls the client to access the service server, and the third-party second token is the token carried in a request that calls the client to update the third-party first token.
A seventh aspect of the present disclosure provides an authentication system, including: one or more memories and one or more processors. The one or more memories store executable instructions. The one or more processors execute the executable instructions to implement a method according to the first, or second, or third aspect of the present disclosure.
In an eighth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform a method according to the first, or second, or third aspect of the present disclosure.
According to the embodiment of the disclosure, in the process of authenticating the service, the token for the client comprises two tokens (a first token and a second token); the first token can be used for client authentication in the service access request, and its validity period is short. The second token may be used to update the first token after the first token becomes invalid. On one hand, the validity period of the first token, which is transmitted frequently, is shorter, which reduces the possibility of it being cracked within its validity period. On the other hand, the second token can update the first token promptly after the first token becomes invalid, so the user is spared the trouble of repeatedly requesting authorization again.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an application scenario of an authentication method, apparatus, system and medium according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a technical architecture of an authentication method, apparatus, system and medium according to embodiments of the disclosure;
fig. 3 schematically shows a block diagram of an authentication apparatus provided at an authentication server according to an embodiment of the present disclosure;
fig. 4 schematically shows a flowchart of an authentication method applied to an authentication server according to an embodiment of the present disclosure;
fig. 5 schematically shows a flowchart of an authentication method applied to an authentication server according to another embodiment of the present disclosure;
fig. 6 schematically shows a flowchart of an authentication method applied to an authentication server according to yet another embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of an authentication apparatus provided to a client of a host application, in accordance with an embodiment of the present disclosure;
FIG. 8 schematically illustrates a flow chart of an authentication method applied to a client according to an embodiment of the present disclosure;
fig. 9 schematically shows a flow chart of an authentication method applied to a client according to another embodiment of the present disclosure;
fig. 10 schematically shows a flow chart of an authentication method applied to a client according to yet another embodiment of the present disclosure;
fig. 11 schematically shows a block diagram of an authentication apparatus provided at a third party application server of a host application according to an embodiment of the present disclosure;
fig. 12 schematically shows a flowchart of an authentication method applied to a third party application server according to an embodiment of the present disclosure;
FIG. 13 is a flow chart that schematically illustrates a method for providing authentication for a third-party application server, as applied to a client, in accordance with an embodiment of the present disclosure;
fig. 14 schematically shows a flowchart of a method for providing authentication for a third party application server, which is applied to an authentication server according to an embodiment of the present disclosure; and
FIG. 15 schematically shows a block diagram of a computer system suitable for implementing an authentication method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
The embodiment of the disclosure provides an authentication method, an authentication device, an authentication system and an authentication medium applied to an authentication server. The authentication method comprises the following steps: receiving an access authorization request sent by the client; and responding to the verification of the access authorization request, acquiring a dynamic token, wherein the dynamic token comprises a first token and a second token, the validity period of the first token is shorter than that of the second token, and sending the dynamic token to the client. The embodiment of the disclosure also provides an authentication method, an authentication device, an authentication system and an authentication medium applied to the client, and an authentication method, an authentication device, an authentication system and an authentication medium applied to the third-party application server.
According to the embodiment of the disclosure, in the process of authenticating the service, the token for the client comprises two tokens (a first token and a second token); the first token can be used for client authentication in the service access request, and its validity period is short. The second token may be used to update the first token after the first token becomes invalid. On one hand, the validity period of the first token, which is transmitted frequently, is shorter, which reduces the possibility of it being cracked within its validity period. On the other hand, the second token can update the first token promptly after the first token becomes invalid, so the user is spared the trouble of repeatedly requesting authorization again. The mechanism of jointly using the first token and the second token for access authentication in the embodiment of the present disclosure is referred to as a dual token mechanism.
Fig. 1 schematically illustrates an application scenario 100 of an authentication method, apparatus, system and medium according to embodiments of the disclosure.
As shown in fig. 1, the application scenario 100 according to this embodiment may include a client 101, an authentication server 102, and a business server 103, where the client 101, the authentication server 102, and the business server 103 may communicate with each other through a network.
The client 101 may include various types of client applications, such as a shopping-type application, a web browser application, a search-type application, an instant messaging tool, a mailbox client, social platform software, and so forth (by way of example only). The client 101 may be installed in various terminal devices including, but not limited to, a smart phone, a tablet computer, a laptop portable computer, a desktop computer, and the like.
The service server 103 may respond to the received access request from the client 101 and feed back a corresponding service to the client 101, for example, providing a web resource of the service server 103. The business server 103 may be located in a server that provides various services, such as a background management server (for example only) that provides support for websites browsed by the client 101. The backend management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a web page, information, or data obtained or generated according to the user request) to the client 101.
The authentication server 102 is configured to authorize and authenticate the client 101 when the client 101 accesses a resource of the service server 103. For example, the client 101 needs to first come to the authentication server 102 to request a token (e.g., a dynamic token of the disclosed embodiments) for access authorization when accessing the business server 103. Then, the access request of the client 101 accessing the service server 103 each time carries a token, and after the access request passes the verification of the authentication server 102, the access request is forwarded to the service server 103.
The access request from the client 101 to the authentication server 102 and then to the business server 103 shown in fig. 1 is only an example. In some embodiments, the access request from the client 101 may reach the service server 103 first, then be forwarded by the service server 103 to the authentication server 102 for authentication, and be forwarded to the service server 103 after the authentication is passed.
With continued reference to fig. 1, the application scenario 100 according to this embodiment may also include a third party application server 104. The third party application server 104 may provide the third party application service by calling the third party application program in the client 101 of the host application. According to the embodiment of the disclosure, in the process that the third-party application server 104 accesses the service server 103, the third-party application server 104 may obtain a temporary token representing the temporary access identity and a third-party dynamic token for verifying the temporary access right from the client 101 to the authentication server 102. Then, the third-party application server 104 may use the temporary token and the third-party dynamic token as authentication information of the access request to access the service server 103, and send feedback information responded by the service server 103 to the client 101.
It should be noted that fig. 1 is only an example of an application scenario in which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, but does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
Fig. 2 schematically illustrates a technical architecture of an authentication method, apparatus, system and medium according to embodiments of the present disclosure.
With reference to fig. 1 and fig. 2, according to the embodiment of the present disclosure, the authentication service provided by the authentication service end 102 may satisfy front-end user identity authentication for a large number of service applications. The core functions of the authentication service may include user authentication supporting the hosted application, and/or user authentication supporting the open interface of the hosted application.
According to the embodiment of the disclosure, when a user inputs a login name and a login password at the host application of the client 101 to log in to the host application and sends an access authorization request, an account service acquires and verifies the login name and the login password of the user. If the verification is successful, the account service forwards the access authorization request sent by the client 101 to the authentication server 102; if the verification fails, login failure information is returned to the client 101. For example, when the user logs in at the host application of the client 101 and sends an access authorization request, if the host application accesses a gateway server, the gateway server forwards the access authorization request to the account service; if the host application does not access a gateway server but directly accesses the service server 103, the main service of the service server may forward the access authorization request to the account service.
Then, after the authentication service provided by the authentication server 102 performs a certain logical operation on the access authorization request, a dynamic token (including a first token and a second token) according to the embodiment of the disclosure is generated, and the dynamic token is sent to the account service. The account service then returns the dynamic token to the hosting application of the client 101. Thereafter, the host application can access the resources of the service server 103 through the dual token mechanism according to the embodiment of the present disclosure.
According to the embodiment of the disclosure, for the situation of the same application with multiple clients, the user identity authentication mechanisms of multiple types of clients (an iPhone client, an Android client, a webpage web client and a desktop client) are consistent by integrating the multi-terminal login function in the authentication service, so that the development cost aggravated by the need of independently developing a set of user identity authentication service system for each application development is avoided.
According to an embodiment of the present disclosure, a dual token (first token and second token) mechanism is employed. Wherein the first token has a short validity period (e.g., 2 hours) and the second token has a longer validity period (e.g., 30 days). The first token is adopted when the client 101 and the service server 103 exchange data, so that the probability of interception and decryption is greatly reduced, and the system security is improved. When the first token is invalid, a new first token is obtained or the validity period of the first token is prolonged according to the second token, so that the trouble that a client user needs to continuously request authorization again is avoided.
According to the embodiment of the disclosure, for the third-party application in the host application, the authentication service can be used for providing a uniform authentication mechanism, and the authentication modes of the host application and the open interface thereof can be effectively unified.
Fig. 3 schematically shows a block diagram of an authentication apparatus 300 provided at the authentication server 102 according to an embodiment of the present disclosure.
As shown in fig. 3, the authentication device 300 is disposed at the authentication server 102. The authentication server 102 is configured to authorize and authenticate the client 101 when the client 101 accesses a resource of the service server 103.
The authentication apparatus 300 includes a first receiving module 310, a dynamic token obtaining module 320, and a dynamic token sending module 330.
The first receiving module 310 is configured to receive an access authorization request sent by the client 101.
The dynamic token obtaining module 320 is configured to obtain a dynamic token in response to the access authorization request passing verification, where the dynamic token includes a first token and a second token, a valid period of the first token is shorter than that of the second token, where the first token is a token carried in a service access request for the client 101 to access the service server 103, and the second token is a token carried in a token update request for updating the first token.
The dynamic token sending module 330 is configured to send the dynamic token to the client 101.
According to further embodiments of the present disclosure, the authentication apparatus 300 may further include a service access processing module 340, and/or a token update processing module 350, and/or a third party application authentication processing module 360.
The service access processing module 340 may be configured to receive the service access request sent by the client 101, and forward the service access request to the service server 103 in response to the first token in the service access request being verified.
The token update processing module 350 may be configured to receive the token update request sent by the client 101, update the first token in response to the verification of the second token in the token update request being passed, and send the updated first token to the client 101.
The third-party application authentication processing module 360 may be configured to send a temporary token representing a temporary access identity and a third-party dynamic token used for verifying a temporary access right to the third-party application server 104 according to a request of the client 101, and authorize and authenticate an access request of the third-party application server 104 to access the service server 103.
The authentication apparatus 300 may be used, for example, to execute a method flow as illustrated in any one of fig. 4 to 6, and fig. 14 below, to implement provision of an authentication service by two tokens (a first token and a second token). The first token can be used for authentication of the client 101 in the service access request, and the validity period is short. The second token may be used to update the first token after the first token fails. On one hand, the validity period of the first token which is frequently transmitted is shorter, and the possibility of being cracked in the validity period is reduced. On the other hand, the second token can update the first token in time after the first token is invalid, so that the trouble that the user needs to continuously request authorization again is avoided.
Fig. 4 schematically shows a flowchart of an authentication method applied to the authentication server 102 according to an embodiment of the present disclosure.
As shown in fig. 4, the authentication method applied to the authentication server 102 may include operations S401 to S403.
First, in operation S401, the first receiving module 310 receives an access authorization request sent by the client 101.
Then, in operation S402, the dynamic token obtaining module 320 obtains a dynamic token in response to the verification of the access authorization request, where the dynamic token includes a first token and a second token, and a valid period of the first token is shorter than that of the second token, where the first token is a token carried in a service access request from the client 101 to the service server 103, and the second token is a token carried in a token update request for updating the first token.
Next, in operation S403, the dynamic token sending module 330 sends the dynamic token to the client 101. By this, the authorization of the client 101 is completed.
With reference to fig. 2, in an embodiment, the authentication service of the authentication server 102 provides jsf and http interfaces to the outside to facilitate invocation by external services. After receiving the access authorization request sent by the client 101, the authentication server 102 first checks whether the user information (i.e., App ID) of the login user of the client 101 in the access authorization request is legal: if it is illegal, an error response is returned; if it is legal, the dynamic tokens (first token and second token) are obtained. It should be noted that, for the sake of distinction and understanding, some embodiments below may name the first token an access token and the second token a refresh token.
According to an embodiment of the present disclosure, the access authorization request includes user information of a login user of the client 101. In operation S402, a dynamic token is obtained, and specifically, the dynamic token obtaining module 320 generates the dynamic token through an encryption algorithm based on the user information.
According to an embodiment of the present disclosure, the generating the dynamic token through an encryption algorithm based on the user information may include processing a character string obtained by combining the identity information of the client, the code of the login user, the current time, and a first random number by using a message digest algorithm to obtain the first token; and processing a character string obtained by combining the identity information of the client, the code of the login user, the current time and a second random number by using a message digest algorithm to obtain the second token.
In one embodiment, the message digest algorithm may specifically be the MD5 algorithm. The calculation process of the first token and the second token may be specifically expressed as follows:
the first token (access token) is MD5 (identity information of the client 101 + code of the login user + current time (ms) + first random number);
the second token (refresh token) is MD5 (identity information of the client 101 + password of the client 101 + code of the login user + current time (ms) + second random number);
where the symbol "+" indicates string concatenation, and the first random number and the second random number may be the same or different.
According to the embodiment of the disclosure, after the access token and the refresh token are generated, the authentication server 102 may save the access token in a cache (e.g., redis) and save the refresh token in both a database (e.g., MySQL) and redis. Storing the access token in redis allows service access requests to be processed conveniently and quickly. The refresh token is stored in the database and the cache at the same time, where the copy placed in the cache can be read quickly when the access token is refreshed.
Thereafter, the authentication server 102 may return the 2 pieces of dynamic token information, namely, the access token and the refresh token, to the client 101.
If the client 101 is a mobile terminal, after receiving the refresh token and the access token, the 2 tokens can be stored locally on the mobile terminal. If the client 101 is a web client, the access token may be saved in a cookie and then carried each time a service access request is sent by the client 101.
In addition, when the user logs out on the client 101, the authentication server 102 receives a user logout request from the client 101, then finds the login information of the user in the database, then clears the access token and the refresh token in redis, and finally sets the login state of the user in the database to logged out.
Fig. 5 schematically shows a flowchart of an authentication method applied to the authentication server 102 according to another embodiment of the present disclosure.
As shown in fig. 5, the authentication method applied to the authentication server 102 according to the embodiment of the present disclosure may further include operations S504 to S505 in addition to operations S401 to S403.
According to an embodiment of the present disclosure, operations S504 and S505 may be performed by the service access processing module 340. In operation S504, the service access request sent by the client 101 is received. In operation S505, in response to the verification of the first token in the service access request being passed, the service access request is forwarded to the service server 103.
According to the embodiment of the present disclosure, the authentication process of the authentication server for the first token access token may be, for example, reading the access token in the service access request from the redis: if the access token does not exist in the redis, the reading fails and the verification fails; if the access token exists in the redis, the verification passes.
According to the embodiment of the present disclosure, the client 101 and the service server 103 exchange data by using the first token. Because the validity period of the first token is short, the probability of interception and cracking of the first token is greatly reduced, and the safety of the system is further improved.
Fig. 6 schematically shows a flowchart of an authentication method applied to the authentication server 102 according to another embodiment of the present disclosure.
As shown in fig. 6, the authentication method applied to the authentication server 102 according to the embodiment of the present disclosure may further include operations S604 to S606 in addition to operations S401 to S403.
Operations S604 to S606 may be performed by the token update processing module 350 according to an embodiment of the present disclosure. Specifically, first, in operation S604, the token update request sent by the client 101 is received. Then, in operation S605, the first token is updated in response to the verification of the second token in the token update request being passed. Next, in operation S606, the updated first token is sent to the client 101.
In operation S605, when the first token is updated, it may first be determined whether the validity period of the first token has expired: if the validity period of the first token has expired, a new first token is acquired; if the validity period of the first token has not expired, the validity period of the first token is extended.
According to the embodiment of the disclosure, the first token is updated in time by using the second token after the first token is invalid, so that the trouble that the user needs to continuously request for authorization again is avoided.
For example, when the client 101 detects or receives that the access token is invalid, a request for refreshing the access token is sent to the service server 103 to obtain a new access token.
According to an embodiment of the present disclosure, after receiving the refresh access token request, the authentication server 102 first reads the corresponding refresh token information from redis according to the refresh token in the refresh access token request. If the refresh token information is read from redis, the user information returned by redis is compared with the user information of the login user of the client 101 in the refresh access token request. If the two pieces of user information are different, information that the user information is incorrect is returned to the client 101; if the two pieces of user information are the same, the access token is refreshed.
According to another embodiment of the disclosure, if the refresh token information is not read from redis after receiving the refresh access token request, the authentication server 102 queries the MySQL database for whether the refresh token exists. If it does not exist in the database, the refresh token sent by the client 101 is invalid, so an invalid refresh token response is returned to the client 101. If the refresh token exists in the database, it is determined whether the refresh token has expired; if it has expired, expiration information is returned to the client 101; if not, the access token is refreshed.
In one embodiment, when the access token is refreshed, redis is first searched for whether an access token corresponding to the refresh token exists. If the access token corresponding to the refresh token exists in redis, the validity period of that access token is extended (by 2 hours). If the access token corresponding to the refresh token does not exist in redis, a new access token is generated and written into redis. Then the validity periods of the refresh token in the database and in redis are updated and pushed later, and after the processing is completed, the updated access token information is returned to the client 101.
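The following is an added example, not code from the patent, that puts the dual-token flow described above into one runnable stand-in for the authentication server 102: token generation by MD5 over the concatenated fields, the redis/MySQL split (plain dicts here), access-token verification by cache lookup, the refresh procedure with its cache-then-database fallback, and logout. Assumptions: the random number is drawn with `secrets`; the MD5 output is only a compact label, so the unpredictability of the tokens rests entirely on that random field; the user-information comparison is applied on the database path as well, which the text states only for the cache path.

```python
import hashlib
import secrets
import time

# Validity periods named in the text: first (access) token 2 hours, second (refresh) token 30 days.
ACCESS_TTL = 2 * 3600
REFRESH_TTL = 30 * 24 * 3600


def make_token(*fields: str) -> str:
    """MD5 over the '+'-concatenated fields, as the text specifies. The digest is just a
    label; the entropy comes from the random field, generated with secrets (assumption)."""
    return hashlib.md5("".join(fields).encode("utf-8")).hexdigest()


class AuthServer:
    """Stand-in for authentication server 102. `cache_*` dicts play redis, `db_refresh`
    plays MySQL. Times are seconds from an injectable clock so a test can move time."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache_access = {}   # access token -> {"user", "exp"}
        self.cache_refresh = {}  # refresh token -> {"user", "client", "access", "exp", "logged_out"}
        self.db_refresh = {}     # refresh token -> same record as above

    def authorize(self, client_id, client_secret, user_code):
        """S401-S403: issue the dynamic token pair after the access authorization request passes."""
        now = self.clock()
        now_ms = str(int(now * 1000))
        access = make_token(client_id, user_code, now_ms, secrets.token_hex(16))
        refresh = make_token(client_id, client_secret, user_code, now_ms, secrets.token_hex(16))
        self.cache_access[access] = {"user": user_code, "exp": now + ACCESS_TTL}
        record = {"user": user_code, "client": client_id, "access": access,
                  "exp": now + REFRESH_TTL, "logged_out": False}
        self.cache_refresh[refresh] = dict(record)
        self.db_refresh[refresh] = dict(record)
        return access, refresh

    def verify_access(self, access):
        """S505 check: the first token passes if it is still present in the cache
        (redis would drop it by TTL; here the expiry is checked explicitly)."""
        entry = self.cache_access.get(access)
        if entry is None:
            return False
        if entry["exp"] <= self.clock():
            del self.cache_access[access]
            return False
        return True

    def refresh_access(self, refresh, user_code):
        """Token update (S604-S606). Returns (status, access_token); the token is ''
        unless status is 'ok'."""
        record = self.cache_refresh.get(refresh)
        if record is None:
            # Cache miss: fall back to the database, as the text describes.
            record = self.db_refresh.get(refresh)
            if record is None or record["logged_out"]:
                return "invalid_refresh_token", ""
        if record["exp"] <= self.clock():
            return "refresh_token_expired", ""
        if record["user"] != user_code:
            return "user_mismatch", ""
        now = self.clock()
        access = record["access"]
        if self.verify_access(access):
            # Access token still in the cache: extend its validity by 2 hours.
            self.cache_access[access]["exp"] = now + ACCESS_TTL
        else:
            access = make_token(record["client"], user_code,
                                str(int(now * 1000)), secrets.token_hex(16))
            self.cache_access[access] = {"user": user_code, "exp": now + ACCESS_TTL}
        # Update the refresh token's record in both stores and push its expiry out again.
        for store in (self.cache_refresh, self.db_refresh):
            store[refresh] = dict(record, access=access, exp=now + REFRESH_TTL)
        return "ok", access

    def logout(self, refresh):
        """Logout: clear both tokens from the cache and mark the user logged out in the database."""
        record = self.db_refresh.get(refresh)
        if record is None:
            return False
        self.cache_access.pop(record["access"], None)
        self.cache_refresh.pop(refresh, None)
        record["logged_out"] = True
        return True
```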
Fig. 7 schematically shows a block diagram of an authentication apparatus 700 provided to a client 101 of a host application according to an embodiment of the present disclosure.
According to an embodiment of the present disclosure, the authentication apparatus 700 is provided in the client 101. When accessing the resources of the service server 103, the client 101 uses the authentication server 102 to authorize and authenticate the client 101. The authentication apparatus 700 includes a first sending module 710, and a dynamic token receiving module 720.
The first sending module 710 is configured to send an access authorization request to the authentication server 102.
The dynamic token receiving module 720 is configured to receive a dynamic token sent by the authentication server 102, where the dynamic token includes a first token and a second token, a valid period of the first token is shorter than that of the second token, where the first token is a token carried in a service access request of the client 101 accessing the service server 103, and the second token is a token carried in a token update request of updating the first token.
According to an embodiment of the present disclosure, the authentication apparatus 700 may further include a service access module 730, and/or a token update request module 740, and/or a third party application invocation module 750.
The service access module 730 is configured to send the service access request to the authentication server 102, and receive a response to the service access request from the service server 103 when the first token in the service access request passes the verification of the authentication server 102, or receive information that the identity authentication of the client 101 fails and is sent by the authentication server 102 when the first token in the service access request fails the verification of the authentication server 102.
The token update request module 740 is configured to send the token update request to the authentication server 102 after the first token becomes invalid and to receive feedback information from the authentication server 102, where the feedback information includes the updated first token if the first token is updated successfully.
The third-party application invoking module 750 is configured to send a third-party token obtaining request to the authentication server 102 based on the first invoking request of the third-party application server 104, obtain a temporary token representing a temporary access identity for the third-party application server 104, and forward the temporary token to the third-party application server 104.
The authentication apparatus 700 may be used, for example, to perform a method flow as illustrated in any of fig. 8-10, and 13 below to implement a dual token mechanism.
Fig. 8 schematically shows a flowchart of an authentication method applied to the client 101 according to an embodiment of the present disclosure.
As shown in fig. 8, the authentication method applied to the client 101 may include operations S801 and S802 according to an embodiment of the present disclosure.
In operation S801, the first sending module 710 sends an access authorization request to the authentication server 102.
In operation S802, the dynamic token receiving module 720 receives a dynamic token sent by the authentication server 102, where the dynamic token includes a first token and a second token, and a validity period of the first token is shorter than that of the second token, where the first token is a token carried in a service access request for the client to access the service server 103, and the second token is a token carried in a token update request for updating the first token. In this way, the authorization of the client 101 is completed.
Fig. 9 schematically shows a flowchart of an authentication method applied to the client 101 according to another embodiment of the present disclosure.
As shown in fig. 9, according to an embodiment of the present disclosure, the authentication method applied to the client 101 may further include operation S903, operation S904A, or operation S904B, in addition to operation S801 and operation S802.
According to an embodiment of the present disclosure, the operation S903, the operation S904A, and the operation S904B may be performed by the service access module 730. Specifically, the service access request is sent to the authentication server 102 in operation S903. Then, in operation S904A, in case that the first token in the service access request passes the verification of the authentication server 102, a response to the service access request by the service server 103 is received. Alternatively, in operation S904B, in a case that the first token in the service access request fails the verification of the authentication server 102, the information that the identity authentication of the client 101 fails and is sent by the authentication server 102 is received.
It follows that only the first token is transmitted when the client 101 and the service server 103 exchange data. Because the validity period of the first token is short, the probability of interception and cracking of the first token is greatly reduced, and the security of the system is further improved.
Fig. 10 schematically shows a flowchart of an authentication method applied to a client according to still another embodiment of the present disclosure.
As shown in fig. 10, the authentication method applied to the client 101 according to the embodiment of the present disclosure may include operations S1003 and S1004 in addition to operations S801 and S802.
Operations S1003 and S1004 may be performed by the token update request module 740 according to an embodiment of the present disclosure. First, in operation S1003, after the first token is invalid, the token update request is sent to the authentication server 102. Then, in operation S1004, feedback information of the authentication server 102 is received, where the feedback information includes the updated first token if the first token is updated successfully. In this way, the first token is updated in time, avoiding the trouble that the user is to continuously request authorization again.
Fig. 11 schematically shows a block diagram of an authentication apparatus 1100 provided at the third party application server 104 of the host application according to an embodiment of the present disclosure.
As shown in fig. 11, the authentication apparatus 1100 according to the embodiment of the disclosure is disposed at the third party application server 104. The third-party application server 104 accesses the resources of the service server 103 by calling the client 101 of the host application, and the client 101 uses the authentication server 102 to authorize and authenticate the client 101 when accessing the resources of the service server 103.
The authentication apparatus 1100 includes an access authorization calling module 1110, a temporary token receiving module 1120, a third party token requesting module 1130, and a third party token receiving module 1140.
The access authorization invoking module 1110 is configured to send a first invoking request to the client 101, where the first invoking request is used for the third-party application server 104 to request access authorization, and the first invoking request includes identity information of the third-party application server 104.
The temporary token receiving module 1120 is configured to receive a temporary token fed back by the client 101 based on the first invocation request, where the temporary token is obtained by the authentication server 102 based on the identity information of the third-party application server 104.
The third party token request module 1130 is configured to send a temporary access authorization request for obtaining a third party dynamic token to the authentication server 102, where the temporary access authorization request includes the temporary token.
The third-party token receiving module 1140 is configured to receive the third-party dynamic token sent by the authentication server 102 when the temporary token passes verification, where the third-party dynamic token includes a third-party first token and a third-party second token, where the validity period of the third-party first token is shorter than that of the third-party second token, the third-party first token is a token carried in a request of the third-party application server 104 invoking the client 101 to access the business server 103, and the third-party second token is a token carried in a request of the client 101 being invoked to update the third-party first token.
The authentication apparatus 1100 may further include a third party application access module 1150 according to some embodiments of the present disclosure. The third party application access module 1150 is configured to send an access request, carrying the temporary token as the identity of the third party application server 104 and the third party first token as authentication information, to access the resource of the business server 103 after passing the authentication of the authentication server 102.
The authentication apparatus 1100 may be used to perform the authentication method illustrated in fig. 12 according to an embodiment of the present disclosure.
Fig. 12 schematically shows a flowchart of an authentication method applied to the third-party application server 104 according to an embodiment of the present disclosure.
As shown in fig. 12, the authentication method according to an embodiment of the present disclosure may include operations S1201 to S1204.
In operation S1201, the access authorization invoking module 1110 sends a first invoking request to the client 101, where the first invoking request is used for the third-party application server 104 to request access authorization, and the first invoking request includes identity information of the third-party application server 104.
In operation S1202, the temporary token receiving module 1120 receives a temporary token fed back by the client 101 based on the first invocation request, where the temporary token is obtained by the authentication server 102 based on the identity information of the third-party application server 104.
In operation S1203, the third party token request module 1130 sends a temporary access authorization request for obtaining a third party dynamic token to the authentication server 102, where the temporary access authorization request includes the temporary token.
In operation S1204, the third-party token receiving module 1140 receives the third-party dynamic token sent by the authentication server 102 when the temporary token passes verification, where the third-party dynamic token includes a third-party first token and a third-party second token, where the validity period of the third-party first token is shorter than that of the third-party second token, the third-party first token is a token carried in a request of the third-party application server 104 invoking the client 101 to access the business server 103, and the third-party second token is a token carried in a request of the client 101 being invoked to update the third-party first token. In this way, the third party application server 104 can also access the resources of the business server 103 through the authentication of the authentication server 102. Moreover, since the third-party first token with a short validity period is used when interacting with the service server 103, the probability of interception and decryption of the token is reduced, and the access security is improved.
Fig. 13 schematically shows a flowchart of a method for providing authentication for the third-party application server 104, which is applied to the client 101 according to an embodiment of the present disclosure.
As shown in fig. 13, the method for providing authentication for the third party application server 104 applied to the client 101 according to the embodiment of the present disclosure may include operations S1301 to S1304. Wherein, operations S1301 to S1304 may be performed by the third party application invoking module 750.
In operation S1301, a first invocation request of the third party application server 104 is received, where the first invocation request is used for the third party application server 104 to request access authorization.
In operation S1302, a third-party token obtaining request is sent to the authentication server 102 based on the first invocation request, where the third-party token obtaining request is used to obtain a temporary token provided to the third-party application server 104, and the third-party token obtaining request includes the first token and the identity information of the third-party application server.
In operation S1303, in the case that the first token is verified, the temporary token fed back by the authentication server 102 is received.
In operation S1304, the temporary token is sent to the third-party application server 104 based on the identity information of the third-party application server.
The client 101 requests a temporary token as a temporary identity for the third-party application server 104 from the authentication server 102 based on the invocation request of the third-party application server 104, so that the third-party application server 104 can use the temporary token to request temporary access qualification for the business server 103 from the authentication server 102.
Fig. 14 schematically shows a flowchart of a method for providing authentication for a third-party application server, which is applied to the authentication server 102 according to an embodiment of the present disclosure.
As shown in fig. 14, the method for providing authentication for the third party application server 104, which is applied to the authentication server 102, may include operations S1401 to S1406 according to an embodiment of the present disclosure. Among them, operations S1401 to S1406 may be performed by the third party application authentication processing module 360.
In operation S1401, a third-party token obtaining request sent by the client 101 is received, where the third-party token obtaining request is used to obtain a temporary token provided to a third-party application server 104, and the third-party token obtaining request includes the first token and identity information of the third-party application server.
In operation S1402, after the third-party token obtaining request is verified, the temporary token is obtained based on the identity information of the third-party application server.
In operation S1403, the temporary token is sent to the client 101. In this way, the temporary token is forwarded to the third-party application server 104 through the client 101, so that the third-party application server 104 can request access authorization and authentication from the authentication server 102 based on the temporary token representing the identity information of the third-party application server.
Next, in operation S1404, a temporary access authorization request sent by the third-party application server 104 for authorizing access to the third-party application server 104 is received, where the temporary access authorization request includes the temporary token.
In operation S1405, after the temporary token is verified, a third-party dynamic token is obtained, where the third-party dynamic token includes a third-party first token and a third-party second token, a validity period of the third-party first token is shorter than that of the third-party second token, the third-party first token is a token carried in a request that the third-party application server 104 invokes the client 101 to access the service server 103, and the third-party second token is a token carried in a request that the client 101 is invoked to update the third-party first token.
In operation S1406, the third-party dynamic token is sent to the third-party application server 104. With this, the authorization of temporary access qualification for the third-party application server 104 is completed.
According to the embodiment of the disclosure, if the third-party application server 104 calls the client 101 of the host application, the one-time temporary token is obtained from the authentication server 102 according to the identity information of the third-party application server provided in the call request of the third-party application server.
For example, after receiving the request for obtaining the temporary token, the authentication server 102 may first determine whether the identity information of the third-party application server is legal, and if not, return a request parameter failure response to the client 101 of the host application; if the identity information of the third-party application server is legal, it continues to judge whether the access token of the client 101 of the host application carried in the request is legal. For example, the authentication server 102 reads the redis to check whether the access token exists: if the access token does not exist, a response that the access token is invalid is returned to the client 101 of the host application; if it exists, the access token is determined to be legal.
After determining that the access token is legal, the authentication server 102 generates a temporary token according to the user information of the login user of the client 101 and the third-party application information read in the redis, and stores the temporary token in the redis (for example, only one-time use is available, and the valid time may be set to 10 minutes, for example). The authentication server 102 then creates a user openid for the third party application server 104 and saves the openid in a database and redis for the next use. The authentication server 102 may then transmit the temporary token to the third party application server 104 via the client 101 of the hosting application.
After receiving the temporary token, the third-party application server 104 may initiate a request for obtaining a third-party dynamic token to the authentication server 102.
After receiving the request for obtaining the third-party dynamic token, the authentication server 102 may first check whether the identity information of the third-party application server in the request is legal. And if the identity information of the third-party application server side is illegal, returning an error response. And if the identity information of the third-party application server side is legal, detecting whether the temporary token is legal or not.
If the authentication server 102 detects that the temporary token is illegal, an error response is returned; if the authentication server 102 detects that the temporary token is legal, a third-party first token and a third-party second token are generated, the third-party second token is written into the database and the redis, the third-party first token is written into the redis, and then the third-party first token and the third-party second token are transmitted to the third-party application server 104 through the client 101 of the host application. The third-party application server 104 thereby obtains temporary access credentials.
Thereafter, the third-party application server 104 can access the business server 103 based on the third-party first token. For example, when the third-party application server 104 calls the client 101 of the host application to access a resource of the service server 103, the authentication server 102 verifies whether the third-party first token transmitted by the third-party application server 104 is valid; if not, it rejects the request and returns an error response; if the verification succeeds, the service access of the third-party application server 104 is forwarded to the service server 103.
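As an added worked example (not code from the patent or its assignee), the following Python models the temporary-token issuance and exchange described above: operations S1401 to S1406 together with the redis-backed checks of the preceding paragraphs. Plain dictionaries stand in for redis and the database, the clock is a settable integer so that expiry can be exercised, the 10-minute temporary token lifetime is taken from the description, and the first/second token lifetimes, the third-party registry, the openid derivation and the error strings are assumptions. Tokens are derived in the manner of claim 6, by hashing the identity information, the user code, the current time and a random number.

```python
import hashlib
import secrets

# Constructed lifetimes: the 10-minute one-time temporary token is from the
# description; the first/second token lifetimes are assumptions for the example.
TEMP_TOKEN_TTL = 10 * 60
FIRST_TOKEN_TTL = 2 * 60 * 60
SECOND_TOKEN_TTL = 30 * 24 * 60 * 60

# Assumed registry of third-party application servers known to the authentication
# server (stands in for the "third-party application information" read from redis).
REGISTERED_THIRD_PARTIES = {"tp-weather": "Weather Mini App"}


def make_token(identity, user_code, now, nonce):
    """Claim 6 style construction: message digest over identity information,
    user code, current time and a random number."""
    material = f"{identity}|{user_code}|{now}|{nonce}".encode()
    return hashlib.sha256(material).hexdigest()


class AuthServer:
    """Minimal model of authentication server 102. Dicts stand in for redis;
    each value carries an absolute expiry so the checks below can enforce it."""

    def __init__(self, now=0):
        self.now = now            # settable clock (seconds) for the example
        self.access_tokens = {}   # host client first token -> (user_code, expiry)
        self.temp_tokens = {}     # temp token -> (user_code, third_party_id, expiry)
        self.first_tokens = {}    # third-party first token -> (openid, tp_id, expiry)
        self.second_tokens = {}   # third-party second token -> (openid, tp_id, expiry)

    def login_host_client(self, user_code):
        """Stand-in for the host client's own access authorization (claim 1)."""
        token = make_token("host-client", user_code, self.now, secrets.token_hex(8))
        self.access_tokens[token] = (user_code, self.now + FIRST_TOKEN_TTL)
        return token

    def issue_temp_token(self, access_token, third_party_id):
        """S1401/S1402: the third party's identity is checked first, then the host
        client's access token; only then is a one-time temporary token minted."""
        if third_party_id not in REGISTERED_THIRD_PARTIES:
            return ("error", "request_parameter_invalid")
        entry = self.access_tokens.get(access_token)
        if entry is None or entry[1] <= self.now:
            return ("error", "access_token_invalid")
        user_code = entry[0]
        temp = make_token(third_party_id, user_code, self.now, secrets.token_hex(8))
        self.temp_tokens[temp] = (user_code, third_party_id, self.now + TEMP_TOKEN_TTL)
        return ("ok", temp)

    def exchange_temp_token(self, temp_token, third_party_id):
        """S1404/S1405: verify identity, consume the temporary token (single use),
        then mint the third-party first/second token pair."""
        if third_party_id not in REGISTERED_THIRD_PARTIES:
            return ("error", "request_parameter_invalid")
        entry = self.temp_tokens.pop(temp_token, None)  # pop enforces one-time use
        if entry is None or entry[1] != third_party_id or entry[2] <= self.now:
            return ("error", "temp_token_invalid")
        user_code = entry[0]
        # openid: assumed per-user, per-third-party identifier created for the third party.
        openid = hashlib.sha256(f"{user_code}:{third_party_id}".encode()).hexdigest()[:16]
        first = make_token(third_party_id, openid, self.now, secrets.token_hex(8))
        second = make_token(third_party_id, openid, self.now, secrets.token_hex(8))
        self.first_tokens[first] = (openid, third_party_id, self.now + FIRST_TOKEN_TTL)
        self.second_tokens[second] = (openid, third_party_id, self.now + SECOND_TOKEN_TTL)
        return ("ok", {"first_token": first, "second_token": second})

    def verify_first_token(self, first_token):
        """Check performed before a third-party request is forwarded to business
        server 103: the first token must exist and be unexpired."""
        entry = self.first_tokens.get(first_token)
        return entry is not None and entry[2] > self.now
```

The temporary token is removed from the store before it is checked, so a replayed or expired temporary token is rejected and cannot be retried; this is the one-time property the description attaches to it. The identity check precedes the token check on both paths, matching the order the description gives.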
According to embodiments of the present disclosure, the third party second token may be used to update the third party first token. For example, when the third-party application server 104 receives the failure of the third-party first token, the third-party application server 104 sends a request for refreshing the third-party first token to the authentication server 102.
After receiving the request for refreshing the third-party first token, the authentication server 102 first reads information of the corresponding third-party second token from the redis according to the third-party second token in the request.
If the authentication server 102 finds the third-party second token in the redis, it then checks in the redis whether a third-party first token corresponding to that second token exists: if so, the existing third-party first token is given a renewal period (for example, 2 hours); if not, a new third-party first token is generated.
If the authentication server 102 does not read the third party second token from the redis, it queries from the database (e.g., MySQL) whether the third party second token exists. If the third-party second token does not exist in the database, the third-party second token sent by the third-party application server 104 is invalid, and a response that the third-party second token is invalid is returned to the client 101; if the third party second token exists in the database, judging whether the third party second token is expired, and if so, returning expiration information to the client 101; if not, a new third party first token is generated.
After obtaining the updated third-party first token, the authentication server 102 writes it into the redis, then updates and extends the validity period of the third-party second token in both the database and the redis, and finally returns the latest third-party first token information to the third-party application server 104.
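The refresh path of the preceding paragraphs, as an added Python example (not the patent's or the assignee's code). Two dictionaries stand in for the redis cache and the MySQL table; the second-token record carries the identifier of its current first token, which the description implies when it looks up "the third-party first token corresponding to the third-party second token". The 2-hour renewal period is from the description; the lifetime of a newly generated first token, the extension applied to the second token, the record layout and the error strings are assumptions.

```python
import hashlib
import secrets

# Constructed lifetimes: the 2-hour renewal is from the description; the other
# two values are assumptions for the example.
RENEWAL_PERIOD = 2 * 60 * 60               # extension granted to a still-present first token
NEW_FIRST_TOKEN_TTL = 2 * 60 * 60          # assumed lifetime of a newly generated first token
SECOND_TOKEN_EXTENSION = 7 * 24 * 60 * 60  # assumed extension applied to the second token


class TokenStore:
    """In-memory stand-ins for redis (cache) and the database, plus a settable clock.
    Records are dicts: second-token record = {openid, first_token, expiry};
    first-token record = {openid, expiry}."""

    def __init__(self, now=0):
        self.now = now
        self.redis_first = {}    # first token -> record
        self.redis_second = {}   # second token -> record
        self.db_second = {}      # second token -> record (the MySQL table)


def _mint_first_token(store, openid):
    """Generate a fresh first token and write it to the redis stand-in."""
    nonce = secrets.token_hex(8)
    first = hashlib.sha256(f"{openid}|{store.now}|{nonce}".encode()).hexdigest()
    store.redis_first[first] = {"openid": openid, "expiry": store.now + NEW_FIRST_TOKEN_TTL}
    return first


def refresh_first_token(store, second_token):
    """Returns ("ok", first_token) or ("error", reason), following the
    redis-first, database-fallback order of the description."""
    rec = store.redis_second.get(second_token)
    if rec is not None:
        # Cache hit: renew the corresponding first token if it is still present,
        # otherwise generate a new one.
        current = rec.get("first_token")
        if current is not None and current in store.redis_first:
            first = current
            store.redis_first[first]["expiry"] = store.now + RENEWAL_PERIOD
        else:
            first = _mint_first_token(store, rec["openid"])
    else:
        # Cache miss: consult the database; absent or expired second tokens are rejected.
        rec = store.db_second.get(second_token)
        if rec is None:
            return ("error", "second_token_invalid")
        if rec["expiry"] <= store.now:
            return ("error", "second_token_expired")
        first = _mint_first_token(store, rec["openid"])
    # Record the latest first token and extend the second token in both stores.
    rec["first_token"] = first
    rec["expiry"] = store.now + SECOND_TOKEN_EXTENSION
    store.redis_second[second_token] = rec
    store.db_second[second_token] = rec
    return ("ok", first)
```

A second token that exists only in the database (for instance after the cache entry expired) is re-populated into the cache on a successful refresh, so the next refresh takes the fast path; an expired database record is reported as expired rather than silently renewed, which is the check that bounds how long a stolen second token stays usable.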
According to an embodiment of the present disclosure, a dual token (first token and second token) mechanism is employed. Wherein the first token validity period is shorter than the second token validity period. The first token is adopted when the client 101 and the service server 103 exchange data, so that the probability of interception and decryption is greatly reduced, and the system security is improved. When the first token is invalid, a new first token is obtained or the validity period of the first token is prolonged according to the second token, so that the trouble that a client user needs to continuously request authorization again is avoided.
According to the embodiment of the disclosure, a third-party application within the host application can likewise be authenticated through a dual token, in the same way as the dual-token authentication mechanism used for the client 101 of the host application. The authentication server 102 thus provides a uniform authentication mechanism, so that the authentication modes of the host application and of its open interface can be effectively unified.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any number of the first receiving module 310, the dynamic token obtaining module 320, the dynamic token updating module 330, the service access processing module 340, the token update processing module 350, the third party application authentication processing module 360, the first sending module 710, the dynamic token receiving module 720, the service access module 730, the token update request module 740, or the third party application calling module 750, the access authorization calling module 1110, the temporary token receiving module 1120, the third party token requesting module 1130, the third party token receiving module 1140, and the third party application access module 1150 may be combined in one module to be implemented, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. 
According to an embodiment of the present disclosure, at least one of the first receiving module 310, the dynamic token obtaining module 320, the dynamic token updating module 330, the service access processing module 340, the token update processing module 350, the third party application authentication processing module 360, the first sending module 710, the dynamic token receiving module 720, the service access module 730, the token update request module 740, or the third party application calling module 750, the access authorization calling module 1110, the temporary token receiving module 1120, the third party token requesting module 1130, the third party token receiving module 1140, and the third party application access module 1150 may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or any other reasonable manner in which a circuit may be integrated or packaged, or in any one of three implementations, software, hardware and firmware, or in any suitable combination of any of them. 
Alternatively, at least one of the first receiving module 310, the dynamic token obtaining module 320, the dynamic token updating module 330, the service access processing module 340, the token update processing module 350, the third party application authentication processing module 360, the first sending module 710, the dynamic token receiving module 720, the service access module 730, the token update request module 740, or the third party application calling module 750, the access authorization calling module 1110, the temporary token receiving module 1120, the third party token requesting module 1130, the third party token receiving module 1140, and the third party application access module 1150 may be at least partially implemented as a computer program module that, when executed, may perform corresponding functions.
FIG. 15 schematically shows a block diagram of a computer system 1500 suitable for implementing an authentication method according to an embodiment of the disclosure. The computer system illustrated in FIG. 15 is only one example and should not impose any limitations on the scope of use or functionality of embodiments of the disclosure.
As shown in fig. 15, a computer system 1500 according to an embodiment of the present disclosure includes a processor 1501 which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)1502 or a program loaded from a storage section 1508 into a Random Access Memory (RAM) 1503. Processor 1501 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset(s) and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), and so forth. The processor 1501 may also include on-board memory for caching purposes. Processor 1501 may include a single processing unit or multiple processing units for performing different acts of a method flow in accordance with embodiments of the present disclosure.
In the RAM 1503, various programs and data necessary for the operation of the system 1500 are stored. The processor 1501, the ROM 1502, and the RAM 1503 are connected to each other by a bus 1504. The processor 1501 executes various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1502 and/or RAM 1503. Note that the programs may also be stored in one or more memories other than the ROM 1502 and RAM 1503. The processor 1501 may also execute various operations of the method flows according to the embodiments of the present disclosure by executing programs stored in the one or more memories.
In accordance with an embodiment of the present disclosure, system 1500 may also include an input/output (I/O) interface 1505, which is also connected to bus 1504. The system 1500 may also include one or more of the following components connected to the I/O interface 1505: an input portion 1506 including a keyboard, a mouse, and the like; an output portion 1507 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 1508 including a hard disk and the like; and a communication section 1509 including a network interface card such as a LAN card, a modem, or the like. The communication section 1509 performs communication processing via a network such as the internet. A drive 1510 is also connected to the I/O interface 1505 as needed. A removable medium 1511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1510 as necessary, so that a computer program read out therefrom is installed into the storage section 1508 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 1509, and/or installed from the removable medium 1511. The computer program, when executed by the processor 1501, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 1502 and/or RAM 1503 described above and/or one or more memories other than the ROM 1502 and RAM 1503.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (18)

1. An authentication method is applied to an authentication server, and the authentication server is used for authorizing and authenticating a client when the client accesses resources of a business server, and the method comprises the following steps:
receiving an access authorization request sent by the client;
responding to the access authorization request, and obtaining a dynamic token, wherein the dynamic token comprises a first token and a second token, the validity period of the first token is shorter than that of the second token, the first token is a token carried in a service access request of the client for accessing the service server, and the second token is a token carried in a token update request for updating the first token; and
sending the dynamic token to the client.
2. The method of claim 1, further comprising:
receiving the service access request sent by the client; and
in response to the first token in the service access request passing verification, forwarding the service access request to the service server.
3. The method of claim 1, further comprising:
receiving the token updating request sent by the client;
updating the first token in response to verification of the second token in the token update request passing; and
sending the updated first token to the client.
4. The method of claim 3, wherein the updating the first token comprises:
determining whether a validity period of the first token expires;
if the validity period of the first token expires, acquiring a new first token; or
if the validity period of the first token has not expired, extending the validity period of the first token.
5. The method of claim 1, wherein the access authorization request includes user information of a logged-in user of the client, and the obtaining the dynamic token includes:
generating the dynamic token through an encryption algorithm based on the user information.
6. The method of claim 5, wherein the generating the dynamic token based on the user information through a cryptographic algorithm comprises:
processing a character string obtained by combining the identity information of the client, the code of the login user, the current time and a first random number by using a message digest algorithm to obtain the first token;
processing a character string obtained by combining the identity information of the client, the code of the login user, the current time and a second random number by using a message digest algorithm to obtain the second token.
7. The method of claim 1, further comprising:
receiving a third-party token acquisition request sent by the client, wherein the third-party token acquisition request is used for acquiring a temporary token provided for a third-party application, and comprises the first token and identity information of a third-party application server;
after the third-party token acquisition request passes verification, acquiring the temporary token based on identity information of the third-party application server side; and
sending the temporary token to the client.
8. The method of claim 7, further comprising:
receiving a temporary access authorization request for access authorization to a third party application, wherein the temporary access authorization request includes the temporary token;
after the temporary token passes verification, acquiring a third-party dynamic token, wherein the third-party dynamic token comprises a third-party first token and a third-party second token, the validity period of the third-party first token is shorter than that of the third-party second token, the third-party first token is a token carried in a request of the third-party application server for calling the client to access the business server, and the third-party second token is a token carried in a request of calling the client to update the third-party first token; and
sending the third-party dynamic token to the third-party application.
9. An authentication method applied to a client, wherein the client uses an authentication server for authorization and authentication when accessing resources of a business server; the method comprises the following steps:
sending an access authorization request to the authentication server;
receiving a dynamic token sent by the authentication server, wherein the dynamic token comprises a first token and a second token, the validity period of the first token is shorter than that of the second token, the first token is a token carried in a service access request of the client for accessing the service server, and the second token is a token carried in a token update request for updating the first token.
10. The method of claim 9, further comprising:
sending the service access request to the authentication server;
receiving a response to the service access request from the service server in the case that the first token in the service access request passes verification by the authentication server; or
receiving information sent by the authentication server that client identity authentication has failed, in the case that the first token in the service access request fails verification by the authentication server.
11. The method of claim 9, further comprising:
after the first token is invalid, sending the token updating request to the authentication server; and
receiving feedback information from the authentication server, wherein the feedback information comprises the updated first token if the first token is updated successfully.
12. The method of claim 9, further comprising:
receiving a first calling request of a third-party application server, wherein the first calling request is used for requesting access authorization of the third-party application server;
sending a third-party token acquisition request to the authentication server based on the first call request, wherein the third-party token acquisition request is used for acquiring a temporary token provided for a third-party application server, and the third-party token acquisition request comprises the first token and identity information of the third-party application server;
receiving the temporary token fed back by the authentication server under the condition that the first token passes verification; and
sending the temporary token to the third-party application server based on the identity information of the third-party application server.
13. An authentication method applied to a third-party application server, wherein the third-party application server accesses resources of a business server by calling a client of a host application, and the client uses an authentication server for authorization and authentication when accessing the resources of the business server; the method comprises the following steps:
sending a first call request to the client, wherein the first call request is used for requesting access authorization by the third-party application server, and the first call request comprises identity information of the third-party application server;
receiving a temporary token fed back by the client based on the first calling request, wherein the temporary token is obtained by the authentication server based on the identity information of the third-party application server;
sending a temporary access authorization request for acquiring a third-party dynamic token to the authentication server, wherein the temporary access authorization request comprises the temporary token; and
receiving the third-party dynamic token sent by the authentication server in the case that the temporary token passes verification, wherein the third-party dynamic token comprises a third-party first token and a third-party second token, the validity period of the third-party first token is shorter than that of the third-party second token, the third-party first token is a token carried in a request of the third-party application server for calling the client to access the business server, and the third-party second token is a token carried in a request of calling the client to update the third-party first token.
14. An authentication device, which is arranged at an authentication server and is used for authorizing and authenticating a client when the client accesses resources of a business server, the device comprising:
a first receiving module, configured to receive an access authorization request sent by the client;
a dynamic token obtaining module, configured to obtain a dynamic token in response to a verification of the access authorization request, where the dynamic token includes a first token and a second token, a validity period of the first token is shorter than that of the second token, where the first token is a token carried in a service access request from the client to the service server, and the second token is a token carried in a token update request for updating the first token; and
a dynamic token sending module, configured to send the dynamic token to the client.
15. An authentication device arranged at a client, wherein the client uses an authentication server for authorization and authentication when accessing resources of a business server; the device comprises:
a first sending module, configured to send an access authorization request to the authentication server; and
a dynamic token receiving module, configured to receive a dynamic token sent by the authentication server, where the dynamic token includes a first token and a second token, a validity period of the first token is shorter than that of the second token, the first token is a token carried in a service access request of the client accessing the service server, and the second token is a token carried in a token update request for updating the first token.
16. An authentication device arranged at a third-party application server, wherein the third-party application server accesses resources of a business server by calling a client of a host application, and the client uses an authentication server for authorization and authentication when accessing the resources of the business server; the device comprises:
an access authorization calling module, configured to send a first call request to the client, where the first call request is used by the third-party application server to request access authorization, and the first call request includes the identity information of the third-party application server;
a temporary token receiving module, configured to receive a temporary token fed back by the client based on the first invocation request, where the temporary token is a token obtained by the authentication server based on the identity information of the third-party application server;
a third-party token request module, configured to send a temporary access authorization request for acquiring a third-party dynamic token to the authentication server, where the temporary access authorization request includes the temporary token; and
a third-party token receiving module, configured to receive the third-party dynamic token sent by the authentication server in the case that the temporary token passes verification, where the third-party dynamic token includes a third-party first token and a third-party second token, a validity period of the third-party first token is shorter than that of the third-party second token, the third-party first token is a token carried in a request for the third-party application server to invoke the client to access the service server, and the third-party second token is a token carried in a request for invoking the client to update the third-party first token.
17. An authentication system comprising:
one or more memories storing executable instructions; and
one or more processors executing the executable instructions to implement:
the method according to any one of claims 1 to 8; or
the method according to any one of claims 9 to 12; or
the method according to claim 13.
18. A computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform:
the method according to any one of claims 1 to 8; or
the method according to any one of claims 9 to 12; or
the method according to claim 13.
CN201910862878.9A 2019-09-11 2019-09-11 Authentication method, device, system and medium Pending CN112491778A (en)


Publications (1)

Publication Number Publication Date
CN112491778A true CN112491778A (en) 2021-03-12

Family

ID=74920593



Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103581140A (en) * 2012-08-03 2014-02-12 腾讯科技(深圳)有限公司 Authorization control method, device and system and authorization request method and device
CN106209749A (en) * 2015-05-08 2016-12-07 阿里巴巴集团控股有限公司 Single-point logging method and the processing method and processing device of device, relevant device and application
CN106209735A (en) * 2015-04-30 2016-12-07 中国移动通信集团公司 Information processing method, device and electronic health record system
CN106453396A (en) * 2016-11-18 2017-02-22 传线网络科技(上海)有限公司 Double token account login method and login verification device
CN106953831A (en) * 2016-01-06 2017-07-14 阿里巴巴集团控股有限公司 User resource authorization method, apparatus and system
CN107864475A (en) * 2017-12-20 2018-03-30 中电福富信息科技有限公司 WiFi quick authentication method based on Portal and dynamic passwords
CN109660343A (en) * 2019-01-17 2019-04-19 平安科技(深圳)有限公司 Token updating method, device, computer equipment and storage medium
CN110191112A (en) * 2019-05-22 2019-08-30 北京百度网讯科技有限公司 Auth method, device, mobile unit and server

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113626840A (en) * 2021-07-23 2021-11-09 曙光信息产业(北京)有限公司 Interface authentication method and device, computer equipment and storage medium
WO2023045970A1 (en) * 2021-09-24 2023-03-30 深圳前海微众银行股份有限公司 Method and apparatus for determining access token
CN113992408A (en) * 2021-10-27 2022-01-28 上海妃鱼网络科技有限公司 Multi-system unified login information processing method and system
CN114244574A (en) * 2021-11-19 2022-03-25 建信金融科技有限责任公司 Application authorization method and device, computer equipment and storage medium
CN114553433A (en) * 2022-02-15 2022-05-27 网易(杭州)网络有限公司 Third-party platform access method, device, electronic equipment and medium
CN114553433B (en) * 2022-02-15 2023-09-08 网易(杭州)网络有限公司 Third party platform access method and device, electronic equipment and medium
CN114448715A (en) * 2022-02-25 2022-05-06 中国农业银行股份有限公司 Token-based authentication method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination