CN112861089B - Authorization authentication method, resource server, resource user, equipment and medium - Google Patents


Info

Publication number: CN112861089B
Application number: CN202110288236.XA
Authority: CN (China)
Prior art keywords: resource, response message, server, information, authorization request
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112861089A (en)
Inventors: 张智锋, 马洁, 胡丹, 高伟强, 韩璐, 戴祯鸿
Current assignee: Beijing Digital Yixin Technology Co ltd
Original assignee: Beijing Digital Yixin Technology Co ltd
Application filed by Beijing Digital Yixin Technology Co ltd; priority to CN202110288236.XA; published as CN112861089A; granted and published as CN112861089B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/45 Structures or tools for the administration of authentication
Abstract

The embodiments of the application provide an authorization authentication method, a resource server, a resource user terminal, a device and a medium. The method comprises: obtaining signature information to be verified and identification information of an authorization request sent by the resource user terminal, where the authorization request is used by a third party server to apply for access to protected user resource information in the resource server; performing signature verification on the signature information to be verified to generate an authentication result, where the authentication result indicates whether the identity of the resource user terminal is legitimate; and, when the resource user terminal is legitimate, executing the authentication process by which the resource server authorizes the user resource information to the third party server. Because the identity of the resource user terminal is authenticated during the authorization process on the basis of a digital certificate, the security of user identity authentication is enhanced and the security of opening user information is further ensured.

Description

Authorization authentication method, resource server, resource user, equipment and medium
Technical Field
The present application relates to the field of authorization authentication technology, and in particular to an authorization authentication method, a resource server, a resource user terminal, a device and a medium.
Background
With the popularity of internet applications, each large internet application has accumulated a large amount of user resource information, and in order to extend the influence of their platform ecosystems, platforms compete to open this user information, on the premise of user authorization, on the basis of the OAuth2.0 protocol. Openness and sharing are the main characteristics of today's internet; integrating the different services of internet service providers is an inevitable trend of internet development, and one of the keys to integrating services from different vendors is solving problems such as identity authentication and information sharing.
Specifically, in the OAuth2.0 protocol, before accessing a protected resource a third party must first obtain authorization from the user, then use that authorization to exchange for an access credential with the authorization server, then use the access credential to exchange for an access token with the authorization server, and finally obtain the protected resource by presenting the access token to the resource server. In this process, whether a data packet is intercepted or the authorization server is maliciously attacked, the user's identity information may be leaked, so the legitimacy of the user's identity cannot be ensured. Enhancing the security of identity authentication in the OAuth2.0 authorization process is therefore a problem to be solved.
Disclosure of Invention
The embodiments of the application aim to provide an authorization authentication method, a resource server, a resource user terminal, a device and a medium that enhance the security of identity authentication in the OAuth2.0 authorization process.
In a first aspect, an embodiment of the application provides an authorization authentication method applied to a resource server. The method includes: obtaining signature information to be verified and identification information of an authorization request sent by a resource user terminal, where the authorization request is used by a third party server to apply for access to protected user resource information in the resource server; performing signature verification on the signature information to be verified to generate an authentication result, where the authentication result indicates whether the identity of the resource user terminal is legitimate; and, when the resource user terminal is legitimate, executing the authentication process by which the resource server authorizes the user resource information to the third party server.
In this implementation, the signature information to be verified that is sent by the resource user terminal is verified during the authorization process, so the identity of the resource user terminal can be authenticated effectively; the third party client can then access the user's resources on the open platform through user authorization without the user's account name and password being provided to the third party client, which enhances the security of user identity authentication and further ensures the security of opening user information.
With reference to the first aspect, in one implementation, before obtaining the signature information to be verified and the identification information of the authorization request sent by the resource user terminal, the method further includes: obtaining the authorization request sent by the third party server; and sending a response message to the third party server according to the authorization request, where the response message comprises the identification information of the authorization request and a random number, and the random number is to be digitally signed by the resource user terminal.
In this implementation, because the response message is sent to the third party server according to the authorization request, the resource user terminal can digitally sign the random number in the response message with its personal digital certificate, which facilitates authenticating the identity of the resource user terminal and effectively avoids leakage of the user's identity information.
With reference to the first aspect, in another implementation, after sending the response message to the third party server according to the authorization request, the method further includes: judging whether the resource user terminal has received the response message within a preset time; if not, sending an updated response message to the third party server according to the authorization request, where the updated response message comprises the identification information of the authorization request and an updated random number; and repeating this process until the resource user terminal receives the response message, where the signature information to be verified is obtained by the resource user terminal digitally signing the random number in the response message it received.
In this implementation, judging whether the resource user terminal has received the response message, and updating the response message when it has not, provides security protection for the response message.
With reference to the first aspect, in another implementation, performing signature verification on the signature information to be verified and generating the authentication result includes: decrypting the signature information to be verified with the public key of the resource user terminal to obtain a decrypted digest; applying a function to the random number in the response message received by the resource user terminal to generate a random-number digest; and verifying whether the identity of the resource user terminal is legitimate according to the decrypted digest and the random-number digest.
In this implementation, the signature information to be verified is decrypted with the public key of the resource user terminal to obtain the decrypted digest, a function is applied to the random number in the response message received by the resource user terminal to obtain the random-number digest, and the legitimacy of the resource user terminal's identity is judged by comparing the decrypted digest with the random-number digest, thereby authenticating the identity of the resource user terminal.
With reference to the first aspect, in another implementation, when the identity of the resource user terminal is legitimate, executing the authentication process by which the resource server authorizes the user resource information to the third party server includes: when the resource user terminal is legitimate, generating a temporary credential and sending it to the third party client, where the temporary credential is used by the third party server to exchange for an authorization token from the resource server; generating the authorization token according to first feedback information sent by the third party server, where the first feedback information is generated by the third party server according to the temporary credential sent by the third party client; transmitting the authorization token to the third party server, where the authorization token is used by the third party server to exchange for the user resource information from the resource server; and generating the user resource information according to second feedback information sent by the third party server, where the second feedback information carries the authorization token.
In this implementation, when the identity of the resource user terminal is legitimate, the resource server generates a temporary credential and sends it to the third party client; the third party server obtains the temporary credential from the third party client, uses it to exchange for the authorization token from the resource server, and then obtains the user resource information with the authorization token, thereby completing the authentication process by which the resource server authorizes the user resource information to the third party server.
In a second aspect, an embodiment of the application provides an authorization authentication method applied to a resource user terminal. The method includes: obtaining a response message, where the response message comprises identification information of an authorization request and a random number; digitally signing the random number on the basis of the digital certificate of the resource user terminal to generate signature information to be verified; and sending the signature information to be verified and the identification information of the authorization request to a resource server.
In this implementation, the random number in the response message is digitally signed on the basis of a digital certificate, which facilitates authenticating the identity of the resource user terminal, effectively avoids the user information leakage that account-and-password authentication causes in the authorization process, and further improves the security of the user's identity information.
With reference to the second aspect, in one implementation, digitally signing the random number on the basis of the digital certificate of the resource user terminal to generate the signature information to be verified includes: applying a function to the random number to generate a digest; and encrypting the digest with the private key of the digital certificate of the resource user terminal to generate the signature information to be verified.
In this implementation, a function is applied to the random number to generate the digest, and the digest is encrypted with the private key of the digital certificate to generate the signature information to be verified, which makes it convenient for the resource server to authenticate the identity from the signature information to be verified.
In a third aspect, an embodiment of the application provides a resource server for authorization authentication, the resource server including: a first obtaining unit configured to obtain signature information to be verified and identification information of an authorization request sent by a resource user terminal, where the authorization request is used by a third party server to apply for access to protected user resource information in the resource server; and a first processing unit configured to perform signature verification on the signature information to be verified and generate an authentication result, where the authentication result indicates whether the identity of the resource user terminal is legitimate, the first processing unit being further configured to execute the authentication process by which the resource server authorizes the user resource information to the third party server when the identity of the resource user terminal is legitimate.
With reference to the third aspect, in one implementation, before obtaining the signature information to be verified and the identification information of the authorization request sent by the resource user terminal, the first obtaining unit is further configured to: obtain the authorization request sent by the third party server; and send a response message to the third party server according to the authorization request, where the response message comprises the identification information of the authorization request and a random number, and the random number is to be digitally signed by the resource user terminal.
With reference to the third aspect, in another implementation, the first processing unit is further configured to: judge whether the resource user terminal has received the response message within a preset time; if not, send an updated response message to the third party server according to the authorization request, where the updated response message comprises the identification information of the authorization request and an updated random number; and repeat this process until the resource user terminal receives the response message, where the signature information to be verified is obtained by the resource user terminal digitally signing the random number in the response message it received.
With reference to the third aspect, in another implementation, the first processing unit is specifically configured to: decrypt the signature information to be verified with the public key of the resource user terminal to obtain a decrypted digest; apply a function to the random number in the response message received by the resource user terminal to generate a random-number digest; and verify whether the identity of the resource user terminal is legitimate according to the decrypted digest and the random-number digest.
With reference to the third aspect, in another implementation, the first processing unit is specifically configured to: when the resource user terminal is legitimate, generate a temporary credential and send it to the third party client, where the temporary credential is used by the third party server to exchange for an authorization token from the resource server; generate the authorization token according to first feedback information sent by the third party server, where the first feedback information is generated by the third party server according to the temporary credential sent by the third party client; transmit the authorization token to the third party server, where the authorization token is used by the third party server to exchange for the user resource information from the resource server; and generate the user resource information according to second feedback information sent by the third party server, where the second feedback information carries the authorization token.
In a fourth aspect, an embodiment of the application provides a resource user terminal for authorization authentication, the resource user terminal including: a second obtaining unit configured to obtain a response message, where the response message includes identification information of an authorization request and a random number; a second processing unit configured to digitally sign the random number on the basis of the digital certificate of the resource user terminal and generate signature information to be verified; and a second sending unit configured to send the signature information to be verified and the identification information of the authorization request to a resource server.
With reference to the fourth aspect, in one implementation, the second processing unit is specifically configured to: apply a function to the random number to generate a digest; and encrypt the digest with the private key of the digital certificate of the resource user terminal to generate the signature information to be verified.
In a fifth aspect, embodiments of the present application provide an apparatus, comprising:
a processor, a memory and a bus, the processor being connected to the memory by the bus, the memory storing computer readable instructions which, when executed by the processor, are adapted to carry out the method as provided in the first aspect and any implementation of the first aspect.
In a sixth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a server, implements the steps of the method as provided in the first aspect and any implementation manner of the first aspect.
In a seventh aspect, embodiments of the present application provide an apparatus, including: a processor, a memory and a bus, the processor being connected to the memory by the bus, the memory storing computer readable instructions which, when executed by the processor, are adapted to carry out the steps of the method as provided in the second aspect and any implementation of the second aspect.
In an eighth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a server, implements the steps of the method as provided in the second aspect and any implementation of the second aspect.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the embodiments of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of the structure of an authorization authentication system according to an embodiment of the application;
Fig. 2 is an interaction flowchart of an authorization authentication method according to an embodiment of the application;
Fig. 3 is a schematic diagram of the structure of a resource server for authorization authentication according to an embodiment of the application;
Fig. 4 is a schematic diagram of the structure of a resource user terminal for authorization authentication according to an embodiment of the application;
Fig. 5 is a schematic diagram of the structure of a device according to an embodiment of the application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Referring to fig. 1, fig. 1 is a schematic diagram of the structure of an authorization authentication system according to an embodiment of the application, where the system 100 includes: a resource user terminal 110, a third party client 120, a third party server 130 and a resource server 140.
The third party client 120 sends an authorization request to the resource server 140 through the third party server 130 so that the third party client 120 can access the protected user resource in the resource server 140; the resource server 140 obtains authorization from the resource user terminal 110 and verifies it, generates a temporary credential after the verification passes, and sends the temporary credential to the third party client 120; the third party client 120 uses the temporary credential to obtain an authorization token from the resource server 140 through the third party server 130, and the third party server 130 uses the authorization token to obtain the protected user resource from the resource server 140, thereby completing the authentication process by which the resource server 140 authorizes the protected user resource to the third party server 130. This processing flow is consistent with the flow of the OAuth2.0 protocol, so the technical solution is compatible with OAuth2.0.
It should be noted that, in the embodiment of the application, the resource user terminal 110 may be a client that grants access rights to the protected resource, and may be a mobile phone, tablet computer, notebook computer, handheld computer or wearable device, but the application is not limited thereto; the resource server 140 may be a server hosting the protected resource, able to receive and respond to requests for the protected resource that carry an access token, or it may be an authorization server, that is, a server dedicated by the service provider to handling authentication and authorization; the third party client 120 may be the resource owner and an application or browser authorized to issue requests for the protected resource; and the third party server 130 may be the backend server corresponding to the third party client 120.
In one embodiment, the resource user terminal 110 is a client of the medical network letter app, the resource server 140 is the backend server of the medical network letter and is also the authorization server of the medical network letter open platform, the third party client 120 is a browser that wants to access a protected resource in the resource server 140, and the third party server 130 is the backend server corresponding to the third party client 120.
The specific process of the authorization authentication method is described with reference to fig. 2, which is an interaction flowchart of an authorization authentication method provided in an embodiment of the application. Specifically, the method shown in fig. 2 includes:
201, authorization request.
In one embodiment, the third party client sends an authorization request to the third party server, requesting access to user resource information stored in the resource server;
It should be noted that the resource server may be the medical network letter server, and the user resource information may be a user account name, account password, image, video, text or audio stored in the medical network letter server, but the application is not limited thereto.
202, authorization request.
The third party server obtains the authorization request and sends it to the resource server;
203, response message.
The resource server obtains the authorization request sent by the third party server;
and sends a response message to the third party server according to the authorization request, where the response message comprises the identification information of the authorization request and a random number, and the random number is to be digitally signed by the resource user terminal.
In one embodiment, the resource server obtains the authorization request sent by the third party server and sends a response message to the third party server according to the authorization request, where the response message includes the identification information of the authorization request and a random number, and the random number is to be digitally signed by the resource user terminal.
It should be noted that, in the embodiment of the application, the response message may be presented as a two-dimensional code, a barcode or a link, but the application is not limited thereto; the identification information of the authorization request 202 may be an ID of the authorization request, a uniform resource locator (URL), or the IP address of the third party server, but the application is not limited thereto.
In this implementation, because the response message is sent to the third party server according to the authorization request, the resource user terminal can digitally sign the random number in the response message with its personal digital certificate, which facilitates authenticating the identity of the resource user terminal and effectively avoids leakage of the user's identity information.
204, response message.
205, presenting the response message.
In one embodiment, the third party server sends the response message to the third party client, and the third party client presents the received response message to the resource user terminal in the form of a two-dimensional code, where the response message includes the ID of the authorization request and the random number to be digitally signed by the resource user terminal.
After the response message is sent to the third party server according to the authorization request, the method further comprises:
judging whether the resource user terminal has received the response message within a preset time;
if not, sending an updated response message to the third party server according to the authorization request, where the updated response message comprises the identification information of the authorization request and an updated random number;
and repeating this process until the resource user terminal receives the response message, where the signature information to be verified is obtained by the resource user terminal digitally signing the random number in the response message it received.
In one embodiment, after the resource server sends the response message to the third party server according to the authorization request, the resource server also judges, by polling, whether the resource user terminal has received the response message within a preset time;
if not, the resource server sends an updated response message to the third party server according to the authorization request, where the updated response message comprises the identification information of the authorization request and an updated random number; this judgement is repeated until the resource user terminal receives the response message. Each response message sent comprises the identification information of the authorization request and a random number; the identification information of the authorization request is the same in every response message sent, while the random numbers differ.
In the embodiment of the application, the preset time may be 60 seconds, 90 seconds or 120 seconds, but the application is not limited thereto.
If yes, the subsequent authentication operation flow is executed.
In this implementation, it is judged whether the resource user terminal has received the response message; if not, the response message is resent, and the judgement is repeated until the resource user terminal receives it. Each response message sent comprises the identification information of the authorization request and a random number, the identification information of the authorization request is the same in every message sent, and the random numbers differ, so the random number in the response message is effectively protected and attack or interception by an attacker is avoided.
And 206, acquiring the response message, and digitally signing the random number in the response message to generate signature information to be verified.
And 207, sending signature information to be verified to the resource server.
Acquiring a response message, wherein the response message comprises identification information and a random number of an authorization request;
carrying out digital signature on the random number based on the digital certificate of the resource user side to generate signature information to be verified;
and sending the signature information to be verified and the identification information of the authorization request to the resource server.
As an embodiment, the resource user side obtains the response message by scanning the two-dimensional code displayed on the third party client, where the response message comprises the ID of the authorization request and the random number;
the resource user side digitally signs the random number in the received response message with its personal digital certificate to generate the signature information to be verified, namely:
applying a function to the random number to generate a digest;
and encrypting the digest with the private key of the digital certificate of the resource user side to generate the signature information to be verified.
Specifically, a hash algorithm is applied to the random number to generate the digest, and the digest is then encrypted with the private key of the digital certificate of the resource user side to generate the signature information to be verified.
The digital certificate of the resource user side is an authoritative and impartial certificate issued by a certification authority; it contains the user's personal information and the user's public key, together with the signature of the certification authority, so that the security and integrity of the user's identity information can be ensured.
As an embodiment, the resource user side sends the signature information to be verified and the identification information of the authorization request in the response message to the resource server.
As another embodiment, the resource user side sends the signature information to be verified, the identification information of the authorization request in the response message, the random number in the response message and its personal digital certificate to the resource server.
In the implementation process, the random number in the response message is digitally signed based on the digital certificate, so that the identity authentication of the resource user terminal is facilitated, the problem of user information leakage caused by account password authentication in the authorization authentication process is effectively avoided, and the safety of the user identity information is further improved.
208, performing signature verification.
Acquiring signature information to be verified and identification information of an authorization request sent by a resource user terminal, wherein the authorization request is used for a third party server to apply for accessing protected user resource information in a resource server;
Signature authentication is carried out on the signature information to be verified, and an authentication result is generated, wherein the authentication result is used for representing whether the identity of the resource user terminal is legal or not;
and when the resource user terminal is legal identity, executing an authentication process that the resource server authorizes the user resource information to the third party server.
As an embodiment, a resource server acquires signature information to be verified and identification information of an authorization request, which are sent by a resource user side;
as another embodiment, the resource server obtains signature information to be verified, identification information of an authorization request in a response message, a random number in the response message and a personal digital certificate, which are sent by the resource client;
signature authentication is carried out on the signature information to be verified, and an authentication result is generated, wherein the authentication result is used for representing whether the identity of the resource user terminal is legal or not;
and when the resource user terminal is legal identity, executing an authentication process that the resource server authorizes the user resource information to the third party server.
Decrypting the signature information to be verified with the public key of the resource user side to obtain a decrypted digest;
applying the function to the random number in the response message received by the resource user side to generate a random-number digest;
and verifying whether the identity of the resource user side is legal according to the decrypted digest and the random-number digest.
As an embodiment, signature authentication is performed on the acquired signature information to be verified and an authentication result is generated;
specifically, the signature information to be verified is decrypted with the public key of the resource user side taken from the digital certificate, yielding a decrypted digest;
further, a hash algorithm is applied to the random number in the response message received by the resource user side, yielding a random-number digest;
it should be noted that the random number in the response message may be the one sent by the resource user side, or the one the resource server stored locally when it generated the random number.
The decrypted digest is compared with the random-number digest to judge whether the identity of the resource user side is legal:
if the decrypted digest is the same as the random-number digest, the identity of the resource user side is legal and the content it sent has not been tampered with; the resource user side is thereby authenticated and the certificate holder is confirmed to agree to the authorization, i.e. the user of the resource user side agrees to authorize the resource stored in the resource server to the third party server.
If the decrypted digest differs from the random-number digest, the identity of the resource user side is illegal, which means the user has not authorized the user resource information that the third party server wants to access, and the authorization authentication process ends.
In this implementation, the identity of the authorizing user is confirmed by digital-certificate signing and signature verification, so the identity of the resource user side is effectively authenticated, the user's authorization is obtained safely and reliably, and the risk of user information being leaked by authenticating the user with a username and password is avoided.
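The challenge and verification of steps 205 to 208, as an added Go example that is not part of the patent or of any implementation of it: the resource server stores the latest random number per authorization request (the locally stored variant noted above), re-issues it with a new random number after a preset time (assumed to be 60 seconds), the resource user side signs the SHA-256 digest of the random number with its certificate private key (RSA PKCS#1 v1.5, the standard form of "encrypt the digest with the private key"), and the server verifies against the random number it stored. The names ResourceServer, Respond, Refresh, SignNonce, Verify and GenerateUserKey are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// ResponseMessage is what the resource server returns for an authorization
// request: the request id plus the random number (nonce) the user side signs.
type ResponseMessage struct {
	RequestID string
	Nonce     []byte
	IssuedAt  time.Time
}

// ResourceServer keeps the latest nonce issued per authorization request (the
// "stored locally by the resource server" variant of step 208). The map is
// unguarded to keep the example short; a real server would add a mutex.
type ResourceServer struct {
	pending map[string]ResponseMessage
	timeout time.Duration    // the "preset time" after which the nonce is re-issued
	now     func() time.Time // injectable clock so the timeout can be exercised
}

func NewResourceServer(timeout time.Duration) *ResourceServer {
	return &ResourceServer{pending: map[string]ResponseMessage{}, timeout: timeout, now: time.Now}
}

// GenerateUserKey stands in for the key pair behind the resource user side's
// personal digital certificate (hypothetical helper; a deployment would load
// the certificate and its private key instead).
func GenerateUserKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Respond handles an authorization request (step 205): record and return a
// response message carrying the request id and a fresh 32-byte nonce.
func (s *ResourceServer) Respond(requestID string) (ResponseMessage, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return ResponseMessage{}, err
	}
	msg := ResponseMessage{RequestID: requestID, Nonce: nonce, IssuedAt: s.now()}
	s.pending[requestID] = msg
	return msg, nil
}

// Refresh is the polling check: if the user side has not answered within the
// preset time, re-issue the message with the same request id and a new nonce.
// It returns the current message and whether it was re-issued.
func (s *ResourceServer) Refresh(requestID string) (ResponseMessage, bool, error) {
	cur, ok := s.pending[requestID]
	if !ok {
		return ResponseMessage{}, false, errors.New("unknown authorization request")
	}
	if s.now().Sub(cur.IssuedAt) < s.timeout {
		return cur, false, nil
	}
	msg, err := s.Respond(requestID)
	return msg, true, err
}

// SignNonce is the resource user side (step 206): hash the nonce and sign the
// digest with the certificate's private key. PKCS#1 v1.5 over SHA-256 is the
// standard form of "encrypt the digest with the private key".
func SignNonce(priv *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is step 208: recompute the digest of the nonce the server stored for
// this request id and check the signature with the user's public key. A
// signature over a rotated nonce fails because the stored nonce differs, and
// success consumes the nonce so the same signature cannot be replayed.
func (s *ResourceServer) Verify(requestID string, pub *rsa.PublicKey, sig []byte) error {
	cur, ok := s.pending[requestID]
	if !ok {
		return errors.New("unknown or already-used authorization request")
	}
	digest := sha256.Sum256(cur.Nonce)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("resource user side identity is not legal: %w", err)
	}
	delete(s.pending, requestID)
	return nil
}

func main() {
	priv, _ := GenerateUserKey()
	srv := NewResourceServer(60 * time.Second)
	msg, _ := srv.Respond("req-1")
	sig, _ := SignNonce(priv, msg.Nonce)
	fmt.Println("verification error:", srv.Verify("req-1", &priv.PublicKey, sig))
}
```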
209, generating temporary credentials after verification.
210, polling the temporary credentials.
When the resource user side is a legal identity, the resource server generates a temporary credential;
meanwhile, the temporary credential is polled (step 210), which indicates that the resource user side agrees to authorize the protected user resource information to the third party client served by the third party server.
The resource server sends the temporary credential to the third party client, where the temporary credential is used by the third party server to obtain an authorization token from the resource server;
as an embodiment, when the resource user side passes identity authentication, that is, its identity is legal, the resource server generates a temporary credential and sends it to the third party client;
It should be noted that the temporary credential in the embodiment of the present application is one-time and time-limited; it may be valid for 30 seconds, 45 seconds or 60 seconds, but the present application is not limited thereto. Once that time has elapsed, the resource server generates a new temporary credential, which has the same role and effect as the original temporary credential but different contents. The third party server uses the temporary credential to obtain the authorization token from the resource server before it expires.
211, sending the temporary credential to the third party server.
212, sending the temporary credential to the resource server.
As an embodiment, the third party client sends the temporary credential to the third party server, which uses it to obtain the authorization token from the resource server;
after the third party server obtains the temporary credential, it sends the temporary credential to the resource server in encrypted form. The encryption may place a security tag together with the temporary credential in a communication message and encrypt both, producing an encrypted temporary credential; after receiving the encrypted temporary credential, the resource server checks the security tag to judge whether the communication message has been tampered with or intercepted, so that the communication between the third party server and the resource server is secured.
In this implementation, the third party server communicates with the resource server over an encrypted channel and the communication message is additionally verified, so that illegitimate calls are effectively blocked and the security of the user's authorization information is further ensured.
213, verifying the temporary credentials and generating an authorization token.
214, feeding back the authorization token.
215, exchanging user resource information with the authorization token.
Generating an authorization token according to first feedback information sent by a third party server, wherein the first feedback information is generated by the third party server according to a temporary certificate sent by a third party client;
transmitting an authorization token to a third party server, wherein the authorization token is used for the third party server to exchange user resource information with a resource server;
and generating user resource information according to second feedback information sent by the third-party server, wherein the second feedback information carries the authorization token.
As an embodiment, the resource server verifies the received temporary credential, generates an authorization token once the verification passes, and returns the generated authorization token to the third party server;
it should be noted that in the embodiment of the present application the first feedback information is generated by the third party server from the temporary credential sent by the third party client, that is, the first feedback information may include the temporary credential.
After receiving the authorization token, the third party server sends the authorization token to the resource server and uses it to obtain the user resource information from the resource server.
It should be noted that in the embodiment of the present application the second feedback information is generated from the authorization token, which may also be understood as the second feedback information carrying the authorization token.
216, generating user resource information from the authorization token.
217, user resource information.
As an embodiment, after the resource server obtains the authorization token it generates the user resource information and at the same time invalidates the authorization token; the resource server then transmits the generated user resource information to the third party server.
218, the authorized access is completed according to the user resource information.
219, the access was successful.
As an embodiment, after the third party server obtains the user resource information it performs its own business processing on that information, that is, it accesses the resource according to the user resource information; once the access succeeds, the third party client has completed authorized access and can perform the corresponding access operations.
In this implementation, identity authentication is based on the digital certificate, and after it passes the user information is opened up under the OAuth2.0 protocol on the premise that the user has granted authorization; the user's identity can be effectively authenticated and the user's identity information is protected from being cracked or stolen, thus realizing safe sharing of user resource information.
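The temporary credential and token handling of steps 209 to 216, as an added Go example that is not taken from the patent: the credential is one-time and expires after a preset validity (assumed to be 30 seconds), the third party server attaches a security tag realised here as an HMAC-SHA256 under a key shared with the resource server (transport encryption of the message is assumed to be provided separately, e.g. by TLS), the credential is exchanged exactly once for an authorization token, and the token is invalidated when the resource information is generated. Authorizer, IssueCredential, SecurityTag, ExchangeCredential and RedeemToken are names assumed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// grant records which authorization request a temporary credential belongs to
// and when it stops being usable.
type grant struct {
	requestID string
	expiresAt time.Time
}

// Authorizer is the resource server's side of steps 209 to 216: it issues a
// one-time, short-lived temporary credential after the user's signature has
// been verified, exchanges it exactly once for an authorization token, and
// lets the token be redeemed exactly once for the user resource information.
// Maps are unguarded to keep the example short; a real server adds a mutex.
type Authorizer struct {
	credentials map[string]grant
	tokens      map[string]string // authorization token -> authorization request id
	ttl         time.Duration     // validity of a temporary credential (30 s in the example)
	tagKey      []byte            // key shared with the third-party server for the security tag
	now         func() time.Time  // injectable clock so expiry can be exercised
}

func NewAuthorizer(ttl time.Duration, tagKey []byte) *Authorizer {
	return &Authorizer{
		credentials: map[string]grant{},
		tokens:      map[string]string{},
		ttl:         ttl,
		tagKey:      tagKey,
		now:         time.Now,
	}
}

// randomID returns 128 bits of randomness as hex; used for credentials and tokens.
func randomID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: refuse to issue a guessable value
	}
	return hex.EncodeToString(b)
}

// IssueCredential is step 209: after the resource user side has been verified,
// mint a temporary credential bound to the authorization request.
func (a *Authorizer) IssueCredential(requestID string) string {
	cred := randomID()
	a.credentials[cred] = grant{requestID: requestID, expiresAt: a.now().Add(a.ttl)}
	return cred
}

// SecurityTag is one realization of the page's "security tag" (step 212): an
// HMAC-SHA256 over the credential under a key shared by the two servers, so
// the resource server can detect a forwarded credential that was altered.
func SecurityTag(key []byte, credential string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(credential))
	return hex.EncodeToString(m.Sum(nil))
}

// ExchangeCredential is step 213: check the tag, reject unknown, expired or
// already-used credentials, then issue an authorization token for the same
// request. A known credential is deleted on every attempt, valid or not.
func (a *Authorizer) ExchangeCredential(credential, tag string) (string, error) {
	if !hmac.Equal([]byte(tag), []byte(SecurityTag(a.tagKey, credential))) {
		return "", errors.New("security tag mismatch: message tampered with or not from the third-party server")
	}
	g, ok := a.credentials[credential]
	delete(a.credentials, credential) // one-time use
	if !ok {
		return "", errors.New("unknown or already-used temporary credential")
	}
	if !a.now().Before(g.expiresAt) {
		return "", errors.New("temporary credential expired; the resource server issues a new one")
	}
	tok := randomID()
	a.tokens[tok] = g.requestID
	return tok, nil
}

// RedeemToken is step 216: return the request the token authorizes (the caller
// then generates that user's resource information) and invalidate the token.
func (a *Authorizer) RedeemToken(token string) (string, error) {
	id, ok := a.tokens[token]
	delete(a.tokens, token) // the token is invalid once the resource information is generated
	if !ok {
		return "", errors.New("unknown or already-used authorization token")
	}
	return id, nil
}
```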
Referring to fig. 3, fig. 3 is a schematic diagram of a resource server structure of authorization authentication provided in an embodiment of the present application, where the resource server 140 is applied to the authorization authentication method shown in fig. 2, specifically, as shown in fig. 3, the resource server 140 includes:
a first acquisition unit 141 and a first processing unit 142;
in one embodiment, a first obtaining unit is configured to obtain signature information to be verified and identification information of an authorization request sent by a resource user side, where the authorization request is used by a third party server to apply for access to protected user resource information in the resource server; the first processing unit is used for carrying out signature authentication on the signature information to be verified and generating an authentication result, wherein the authentication result is used for representing whether the identity of the resource user terminal is legal or not; the first processing unit is further configured to execute an authentication process that the resource server grants the user resource information to the third party server when the resource user terminal is a legal identity.
In one embodiment, before the first obtaining unit is used for obtaining signature information to be verified and identification information of the authorization request sent by the resource user side, the first obtaining unit is further used for: acquiring an authorization request sent by a third-party server; and sending a response message to the third party server according to the authorization request, wherein the response message comprises identification information of the authorization request and a random number, and the random number is used for carrying out digital signature on the resource user side.
In one embodiment, the first processing unit is further configured to: judging whether the resource user terminal receives the response message within a preset time; if not, sending an updated response message to the third party server according to the authorization request, wherein the updated response message comprises identification information of the authorization request and an updated random number; and repeating the process until the resource user terminal receives the response message, wherein the signature information to be verified is obtained by carrying out digital signature on the random number in the received response message by the resource user terminal.
In one embodiment, the first processing unit is specifically configured to: decrypt the signature information to be verified with the public key of the resource user side to obtain a decrypted digest; apply the function to the random number in the response message received by the resource user side to generate a random-number digest; and verify whether the identity of the resource user terminal is legal according to the decrypted digest and the random-number digest.
In one embodiment, the first processing unit is specifically configured to: when the resource user side is legal, generate a temporary credential and send it to the third party client, where the temporary credential is used by the third party server to obtain an authorization token from the resource server; generate the authorization token according to first feedback information sent by the third party server, where the first feedback information is generated by the third party server according to the temporary credential sent by the third party client; transmit the authorization token to the third party server, where the authorization token is used by the third party server to obtain the user resource information from the resource server; and generate the user resource information according to second feedback information sent by the third party server, where the second feedback information carries the authorization token.
It should be noted that, the resource server 140 provided in fig. 3 can implement various processes related to the method of authorizing authentication by the resource server 140 in the embodiment of the method of fig. 2. The operations and/or functions of the various modules in the resource server 140 are respectively for implementing the corresponding flows in the method embodiment in fig. 2. Reference is specifically made to the description in the above method embodiments, and detailed descriptions are omitted here as appropriate to avoid repetition.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a resource user end of authorization authentication provided in an embodiment of the present application, where the resource user end 110 is applied to the authorization authentication method shown in fig. 2, and specifically, as shown in fig. 4, the resource user end 110 includes:
a second acquisition unit 111, a second processing unit 112, and a second transmission unit 113;
in one embodiment, the second obtaining unit is configured to obtain a response message, where the response message includes identification information of the authorization request and a random number; the second processing unit is used for digitally signing the random number based on the digital certificate of the resource user side and generating signature information to be verified; and the second sending unit is used for sending the signature information to be verified and the identification information of the authorization request to the resource server.
In one embodiment, the second processing unit is specifically configured to: apply a function to the random number to generate a digest; and encrypt the digest with the private key of the digital certificate of the resource user side to generate the signature information to be verified.
It should be noted that, the resource client 110 provided in fig. 4 can implement various processes related to the method of authorization authentication of the resource client 110 in the embodiment of the method of fig. 2. The operations and/or functions of the various modules in the resource client 110 are respectively for implementing the corresponding flows in the method embodiment in fig. 2. Reference is specifically made to the description in the above method embodiments, and detailed descriptions are omitted here as appropriate to avoid repetition.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an apparatus according to an embodiment of the present application, where the apparatus may include: at least one processor 510, such as a CPU, at least one communication interface 520, at least one memory 530, and at least one communication bus 540. Wherein the communication bus 540 is used to enable direct connection communication for these components. The communication interface 520 of the device in the embodiment of the present application is used to perform signaling or data communication with other node devices. Memory 530 may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory. Memory 530 may also optionally be at least one storage device located remotely from the aforementioned processor. The memory 530 has stored therein computer readable instructions which, when executed by the processor 510, perform the method process of fig. 2.
The embodiments of the present application provide a readable storage medium, on which a computer program is stored, where the computer program when executed by a server implements a method procedure shown in fig. 2 executed by a resource client or a resource server.
In the several embodiments provided in this application, it should be understood that the disclosed systems and methods may be implemented in other ways as well. The system embodiments described above are merely illustrative, e.g., the division of the system devices is merely a logical functional division, and there may be additional divisions in actual implementation, and e.g., multiple devices or components may be combined or integrated into another system, or some features may be omitted, or not performed.
Further, the units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application.

Claims (9)

1. A method of authorizing authentication, the method being applied to a resource server, the method comprising:
acquiring signature information to be verified and identification information of an authorization request sent by a resource user terminal, wherein the authorization request is used for a third party server to apply for accessing protected user resource information in the resource server;
performing signature authentication on the signature information to be verified to generate an authentication result, wherein the authentication result is used for representing whether the identity of the resource user terminal is legal or not;
when the resource user terminal is legal identity, executing an authentication process that the resource server authorizes the user resource information to the third party server;
before the signature information to be verified and the identification information of the authorization request sent by the resource user terminal are obtained, the method further comprises the following steps: acquiring the authorization request sent by the third party server; transmitting a response message to the third party server according to the authorization request, wherein the response message comprises identification information of the authorization request and a random number, and the random number is used for carrying out digital signature on a resource user side;
after the sending of the response message to the third party server according to the authorization request, the method further comprises:
Judging whether the resource user terminal receives the response message within preset time; if not, sending an updated response message to the third party server according to the authorization request, wherein the updated response message comprises identification information of the authorization request and an updated random number;
and repeating the process until the resource user receives the response message, wherein the signature information to be verified is obtained by digitally signing the random number in the received response message by the resource user.
2. The method of claim 1, wherein performing signature authentication on the signature information to be verified to generate an authentication result comprises:
decrypting the signature information to be verified with the public key of the resource user side to obtain a decrypted digest;
performing a function operation on the random number in the response message received by the resource user terminal to generate a random-number digest;
and verifying whether the identity of the resource user is legal or not according to the decrypted digest and the random-number digest.
3. The method according to claim 1, wherein the step of executing an authentication process in which the resource server authorizes the user resource information to the third party server when the resource client is a legal identity comprises:
when the resource user side is legal, generating a temporary credential and sending the temporary credential to a third party client, wherein the temporary credential is used by the third party server to obtain an authorization token from the resource server;
generating the authorization token according to first feedback information sent by the third party server, wherein the first feedback information is generated by the third party server according to the temporary credential sent by the third party client;
transmitting the authorization token to the third party server, wherein the authorization token is used by the third party server to obtain the user resource information from the resource server;
and generating the user resource information according to second feedback information sent by the third-party server, wherein the second feedback information carries the authorization token.
4. A method for authorizing authentication, wherein the method is applied to a resource user side, the method comprising:
acquiring a response message, wherein the response message comprises identification information of an authorization request and a random number;
carrying out digital signature on the random number based on the digital certificate of the resource user side to generate signature information to be verified;
Transmitting the signature information to be verified and the identification information of the authorization request to a resource server;
the response message is sent by the resource server to the third party server after the resource server receives the authorization request sent by the third party server;
the response message is further handled in that the resource server judges whether the resource user terminal receives the response message within a preset time; if not, the resource server sends an updated response message to the third party server according to the authorization request, wherein the updated response message comprises identification information of the authorization request and an updated random number; and the above process is repeated until the resource user receives the response message.
5. The method of claim 4, wherein the generating signature information to be verified by digitally signing the random number based on the digital certificate of the resource client comprises:
performing a function operation on the random number to generate a digest;
and encrypting the digest with the private key of the digital certificate of the resource user side to generate the signature information to be verified.
6. A resource server for authorizing authentication, the resource server comprising:
The first acquisition unit is used for acquiring signature information to be verified and identification information of an authorization request sent by a resource user terminal, wherein the authorization request is used for a third party server to apply for accessing the protected user resource information in the resource server;
the first processing unit is used for carrying out signature authentication on the signature information to be verified and generating an authentication result, wherein the authentication result is used for representing whether the identity of the resource user terminal is legal or not;
the first processing unit is further configured to execute an authentication process that the resource server grants the user resource information to the third party server when the resource user terminal is a legal identity;
the first acquisition unit is used for:
acquiring the authorization request sent by the third party server; transmitting a response message to the third party server according to the authorization request, wherein the response message comprises identification information of the authorization request and a random number, and the random number is used for carrying out digital signature on a resource user side;
judging whether the resource user terminal receives the response message within preset time; if not, sending an updated response message to the third party server according to the authorization request, wherein the updated response message comprises identification information of the authorization request and an updated random number;
And repeating the process until the resource user receives the response message, wherein the signature information to be verified is obtained by digitally signing the random number in the received response message by the resource user.
7. A resource client for authorizing authentication, the resource client comprising:
a second obtaining unit, configured to obtain a response message, where the response message includes identification information and a random number of an authorization request;
the second processing unit is used for digitally signing the random number based on the digital certificate of the resource user side and generating signature information to be verified;
the second sending unit is used for sending the signature information to be verified and the identification information of the authorization request to a resource server;
the response message is sent by the resource server to the third party server after the resource server receives the authorization request sent by the third party server;
the response message is further handled in that the resource server judges whether the resource user terminal receives the response message within a preset time; if not, the resource server sends an updated response message to the third party server according to the authorization request, wherein the updated response message comprises identification information of the authorization request and an updated random number; and the above process is repeated until the resource user receives the response message.
8. An apparatus, comprising:
a processor, a memory and a bus, the processor being connected to the memory by the bus, the memory storing computer readable instructions for implementing the method of any of claims 1-5 when the computer readable instructions are executed by the processor.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a server, implements the method according to any of claims 1-5.
CN202110288236.XA 2021-03-17 2021-03-17 Authorization authentication method, resource server, resource user, equipment and medium Active CN112861089B (en)


Publications (2)

Publication Number Publication Date
CN112861089A CN112861089A (en) 2021-05-28
CN112861089B true CN112861089B (en) 2024-02-20

Family

ID=75995201

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110288236.XA Active CN112861089B (en) 2021-03-17 2021-03-17 Authorization authentication method, resource server, resource user, equipment and medium

Country Status (1)

Country Link
CN (1) CN112861089B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113312653A (en) * 2021-06-25 2021-08-27 中国农业银行股份有限公司 Open platform authentication and authorization method, device and storage medium
CN113609528A (en) * 2021-07-14 2021-11-05 洛阳小行家科技有限公司 Data authorization circulation method and system based on digital pass
CN113656785A (en) * 2021-07-30 2021-11-16 中金金融认证中心有限公司 Method for identity authentication and authentication service of bank user and related product
CN114066708A (en) * 2021-11-16 2022-02-18 深圳前海微众银行股份有限公司 Traceable picture authorization method and device
CN114338031A (en) * 2021-11-22 2022-04-12 珠海格力电器股份有限公司 Data sharing method and device, electronic equipment and storage medium
CN114117551B (en) * 2021-11-26 2022-12-27 深圳前海微众银行股份有限公司 Access verification method and device
CN114244533A (en) * 2021-12-21 2022-03-25 掌阅科技股份有限公司 Resource transmission method, terminal and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5926549A (en) * 1996-02-12 1999-07-20 Bull S.A. Process for verifying the preservation of the integrity of an unprotected request sent by a client to a server by verifying the integrity of the response
WO2008122627A1 (en) * 2007-04-05 2008-10-16 Infineon Technologies Ag Communication terminal device, communication device, electronic card, method for a communication terminal device and method for a communication device for providing a verification
CN101674304A (en) * 2009-10-15 2010-03-17 浙江师范大学 Network identity authentication system and method
CN107454115A (en) * 2017-10-10 2017-12-08 北京奇艺世纪科技有限公司 A kind of abstract identification method and digest authentication system
CN109672537A (en) * 2019-01-18 2019-04-23 如般量子科技有限公司 Anti-quantum certificate acquisition system and acquisition method based on public key pool
US10484372B1 (en) * 2015-12-14 2019-11-19 Amazon Technologies, Inc. Automatic replacement of passwords with secure claims

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8245052B2 (en) * 2006-02-22 2012-08-14 Digitalpersona, Inc. Method and apparatus for a token
US9374369B2 (en) * 2012-12-28 2016-06-21 Lookout, Inc. Multi-factor authentication and comprehensive login system for client-server networks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on Key Technologies for Secure Access to Outsourced Data in Cloud Environments; 李昊星; Information Science and Technology (Issue 1); 20-40 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant