CN112948802B - Single sign-on method, device, equipment and storage medium - Google Patents


Info

Publication number
CN112948802B
Authority
CN
China
Prior art keywords
application
user
information
authorization code
server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010368628.2A
Other languages
Chinese (zh)
Other versions
CN112948802A (en)
Inventor
姚武
邹华秋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Mingyuan Cloud Technology Co Ltd
Original Assignee
Shenzhen Mingyuan Cloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs

Abstract

The application is applicable to the technical field of computers and provides a single sign-on method, a single sign-on device, single sign-on equipment and a storage medium. The single sign-on method comprises the following steps: receiving a first check request sent by a user terminal, wherein the first check request comprises a user identifier of a user; checking the user identifier, generating an authorization code corresponding to the user identifier after the user identifier is checked successfully, and transmitting the authorization code to a second application of the user terminal so that the user terminal transmits the authorization code to an application server corresponding to the second application; receiving a second check request sent by an application server, wherein the second check request comprises an authorization code and attribute information of a second application; and checking the second checking request, and after the checking is successful, transmitting the user information corresponding to the user identifier to the application server, wherein the user information is used for indicating the application server to generate login information matched with the second application according to the user information, and transmitting the login information to the second application of the user terminal.

Description

Single sign-on method, device, equipment and storage medium
Technical Field
The application belongs to the technical field of computers, and particularly relates to a single sign-on method, a single sign-on device, single sign-on equipment and a storage medium.
Background
With the rapid growth of the mobile internet, enterprises build applications for each of their business requirements in order to win a larger share of the application market. These applications are generally developed at different stages of the enterprise's growth, and each has its own application server and its own user authentication system, independent of the others. A user therefore needs a separate account and password for each application, and as new services keep being added the number of accounts grows, which is a heavy burden on the user.
Currently, single sign-on of multiple applications is typically achieved by integrating the multiple applications into one application system. For example, new applications are developed or existing applications are modified based on agreed application development technical rules and conventions, thereby achieving integration of multiple applications.
Because different applications are respectively corresponding to the application servers, for the existing applications, each user stores corresponding login information in different application servers, so that data (login information) of the application servers are required to be maintained when a plurality of applications are integrated, and the working efficiency is greatly reduced.
Disclosure of Invention
In view of this, embodiments of the present application provide a single sign-on method, apparatus, device, and storage medium, so as to quickly implement single sign-on of multiple applications in an application integration system.
In a first aspect, an embodiment of the present application provides a single sign-on method, including:
receiving a first check request sent by a user terminal, wherein the first check request is triggered when a user jumps from a logged-in first application to a second application, and the first check request contains a user identifier of the user;
checking the user identifier, generating an authorization code corresponding to the user identifier after the user identifier is checked successfully, and transmitting the authorization code to a second application of the user terminal, so that the user terminal transmits the authorization code to an application server corresponding to the second application;
receiving a second check request sent by an application server, wherein the second check request comprises an authorization code and attribute information of a second application;
and checking the second checking request, and after the checking is successful, transmitting the user information corresponding to the user identifier to the application server, wherein the user information is used for indicating the application server to generate login information matched with the second application according to the user information, and transmitting the login information to the second application of the user terminal.
In a possible implementation manner of the first aspect, before receiving the first check request sent by the user terminal, the method includes:
receiving a third check request sent by a user terminal, wherein the third check request is triggered when a user logs in the first application for the first time, and the third check request contains user information and attribute information of the first application;
Verifying the attribute information of the first application, and storing user information after the verification is successful;
and distributing a user identifier for the user, and sending the user identifier to a user terminal, wherein the user identifier is used for indicating an application server corresponding to the first application to store the user identifier.
In a possible implementation manner of the first aspect, verifying the second verification request includes:
judging whether the authorization code is invalid, if so, indicating that the verification fails;
and if the authorization code is not invalid, checking the attribute information of the second application.
In a possible implementation manner of the first aspect, the attribute information of the second application includes an encrypted identifier of the second application;
verifying the attribute information of the second application includes:
decrypting the attribute information based on a preset private key to obtain decrypted attribute information; the preset private key is a session key between the authentication server and a server corresponding to the second application;
judging whether the decrypted attribute information is matched with a preset identifier of a second application;
if the decrypted attribute information is matched with the preset identifier of the second application, the verification is successful;
And if the decrypted attribute information is not matched with the preset identifier of the second application, indicating that verification fails.
In a second aspect, an embodiment of the present application provides a single sign-on method, including:
when a user jumps from a logged-in first application to a second application, a first verification request containing a user identifier is sent to an authentication server, the first verification request is used for requesting the authentication server to verify the user identifier, and an authorization code corresponding to the user identifier is generated after verification is successful;
receiving the authorization code and sending the authorization code to an application server corresponding to the second application; the authorization code is used for indicating the application server to send a second verification request to the authentication server and receiving user information of the corresponding user identifier fed back by the authentication server, and the second verification request comprises the authorization code and attribute information of the second application;
and receiving login information which is generated by the application server according to the user information and matched with the second application, and logging in the second application according to the login information.
In a possible implementation manner of the second aspect, the login information stored on the second application is cleared when the user exits the second application.
In a third aspect, an embodiment of the present application provides a single sign-on device, including:
The first receiving module is used for receiving a first check request sent by the user terminal, wherein the first check request is triggered when a user jumps from a logged-in first application to a second application, and the first check request contains a user identifier of the user;
the first receiving module is used for verifying the user identifier, generating an authorization code corresponding to the user identifier after the user identifier is successfully verified, and transmitting the authorization code to a second application of the user terminal so that the user terminal can transmit the authorization code to an application server corresponding to the second application;
the second receiving module is used for receiving a second check request sent by the application server, wherein the second check request comprises an authorization code and attribute information of a second application;
the first sending module is used for verifying the second verification request, and sending the user information corresponding to the user identifier to the application server after the verification is successful, wherein the user information is used for indicating the application server to use the user information.
In a fourth aspect, an embodiment of the present application provides a single sign-on device, including:
the second sending module is used for sending a first verification request containing a user identifier to the authentication server when the user jumps from the logged-in first application to the second application, wherein the first verification request is used for requesting the authentication server to verify the user identifier and generating an authorization code corresponding to the user identifier after the verification is successful;
The third receiving module is used for receiving the authorization code and sending the authorization code to the application server corresponding to the second application; the authorization code is used for indicating the application server to send a second verification request to the authentication server and receiving user information of the corresponding user identifier fed back by the authentication server, and the second verification request comprises the authorization code and attribute information of the second application;
and the fourth receiving module is used for receiving login information which is generated by the application server according to the user information and matched with the second application, and logging in the second application according to the login information.
In a fifth aspect, embodiments of the present application provide an authentication server comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of any one of the methods of the first aspect when the computer program is executed.
In a sixth aspect, embodiments of the present application provide a user terminal comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of any one of the methods of the second aspect described above when the computer program is executed.
In a seventh aspect, embodiments of the present application provide a computer readable storage medium storing a computer program which, when executed by a processor, performs the steps of any one of the methods of the first aspect.
In an eighth aspect, embodiments of the present application provide a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of any one of the methods of the second aspect.
In a ninth aspect, embodiments of the present application provide a computer program product for, when run on a terminal device, causing the terminal device to perform the method of any one of the first aspects described above.
In a tenth aspect, embodiments of the present application provide a computer program product for, when run on a terminal device, causing the terminal device to perform the method of any one of the second aspects described above.
According to the single sign-on method provided by the embodiment of the application, when a user directly jumps from a first application which is already logged in to a second application to be logged in, the identifier of the user is checked, and after the check passes an authorization code is generated and forwarded to the application server corresponding to the second application; after the second check request sent by the application server is checked successfully, the user information corresponding to the user identifier is sent to the application server, and the user information is used for instructing the application server to generate login information matched with the second application according to the user information and to send the login information to the second application of the user terminal. In the single sign-on method provided by the application, when the user directly jumps from the first application which is already logged in to the second application to be logged in, verification is performed through the user identifier, so that an application server meeting the verification requirement can obtain the user information matched with the user identifier and match login information according to it; the user can therefore jump directly from the first application to the second application without the data of the application server having to be modified or maintained, which facilitates quick integration among a plurality of applications.
It will be appreciated that the advantages of the second to tenth aspects may be found in the relevant description of the first aspect and are not described here again.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the following description will briefly introduce the drawings that are needed in the embodiments or the description of the prior art, it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is an application scenario schematic diagram of a single sign-on method according to an embodiment of the present application;
FIG. 2 is a flow chart of a single sign-on method according to an embodiment of the present application;
FIG. 3 is a flow chart of logging in a first application according to an embodiment of the present application;
FIG. 4 is a flowchart of a single sign-on method according to another embodiment of the present disclosure;
FIG. 5 is an interactive signaling diagram of a single sign-on method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a single sign-on device according to an embodiment of the present disclosure;
FIG. 7 is a schematic diagram of a single sign-on device according to another embodiment of the present application;
Fig. 8 is a schematic diagram of hardware components of an authentication server according to an embodiment of the present application.
Fig. 9 is a schematic diagram of hardware components of a user terminal according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system configurations, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
Single Sign On (SSO) refers to an arrangement in which a user who logs in once to any one of a group of mutually trusting application systems, such as a microblog system, a mail system, a panning system, etc., can access all of them; it is currently one of the popular solutions for enterprise business integration.
Fig. 1 is an application scenario schematic diagram of a single sign-on method according to an embodiment of the present application. As shown in fig. 1, the application scenario includes an authentication server 10, a user terminal 20, and at least one application server (application server 1, application servers 2, …, application server N), where at least one application system is installed on the user terminal 20, and the application system includes a plurality of applications (including, for example, a first application, a second application, …, and an nth application), and each application corresponds to one application server.
The authentication server 10 is used for processing a request from the user terminal 20 to log in to an application in the application system, for example, checking the identity of the user, generating a user identification, etc., and the authentication server 10 is also used for managing and storing user information of the user.
The user information may be user login information and user identity information.
The authentication server 10 may also be used to process requests from an application server to obtain user information.
The authentication server 10 stores a white list of applications that are allowed to acquire user information in advance.
In this embodiment, the application system refers to a service system that provides accessible resources for a user. An application system may include a plurality of applications, each for providing accessible resources.
The applications in the application system are all installed on the user terminal 20, the user terminal 20 communicates with the authentication server 10, transmits login information, a verification request and the like for a user to login to a certain application to the authentication server, and receives a user identifier fed back by the authentication server.
Wherein the user identification is an identification which is allocated to each user by the authentication server and used for uniquely identifying the user, and the user can access all applications in the application system based on the identification without repeated login.
In this embodiment, the application servers may be third party servers, and each application server includes login information of a registered user.
Because different applications are respectively corresponding to the application servers, for the existing applications, each user stores corresponding login information in different application servers, so that data (login information) of the application servers are required to be maintained when a plurality of applications are integrated, and the working efficiency is greatly reduced.
The following describes the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems with specific embodiments. It is noted that the specific embodiments listed below may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments.
Fig. 2 is a flow chart of a single sign-on method according to an embodiment of the present application, where an execution subject of the embodiment is the authentication server in fig. 1; the single sign-on method as shown in fig. 2 may include:
S11, receiving a first check request sent by a user terminal, wherein the first check request is triggered when a user jumps from a logged-in first application to a second application, and the first check request contains a user identifier of the user.
The first application that has been logged in this embodiment is an application that the user logs in advance in the user terminal.
The pre-login may be the first login through an account and a password, and also includes a login completed when the user jumps to the first application from another already logged-in application, such as a third application.
The first application, the second application and the third application are all applications installed on the user terminal, and the first application, the second application and the third application are integrated in an application system based on the same application development technical rule.
For example, the application system is an ari service system, and after the user logs in the trekking application through an account number and a password in advance in fig. 7, when the user jumps from the trekking application to the kitten application, a first verification request containing the user identification is sent to the authentication server.
Wherein the user identification is a uniquely identifiable identification for marking the user, e.g. a user ID, etc.
S12, checking the user identifier, generating an authorization code corresponding to the user identifier after the user identifier is checked successfully, and transmitting the authorization code to a second application of the user terminal, so that the user terminal transmits the authorization code to an application server corresponding to the second application.
In this embodiment, the verification of the user identifier by the authentication server may mean that the authentication server looks up whether the user identifier in the first verification request is included in a pre-stored user identifier list. If the user identifier list pre-stored by the authentication server contains the user identifier, the verification is successful; if the user identifier list pre-stored by the authentication server does not contain the user identifier, the verification fails.
The user identifier list can be set uniformly by an administrator, or can be generated when each user logs in to or registers with an application in the application system for the first time.
For example: when each user logs in for the first time, the authentication server distributes a user identification for the user and stores the identification to a user identification list.
After the authentication server checks successfully, an authorization code indicating that the check succeeded is returned to the user terminal. The authorization code is randomly generated by the authentication server and is valid only within a first preset time after generation.
The user terminal receives the authorization code and sends the authorization code to an application server corresponding to the second application.
S13, receiving a second check request sent by the application server, wherein the second check request comprises an authorization code and attribute information of the second application.
In this embodiment, the attribute information includes an identification of the encrypted second application.
For example, the identifier of the second application is encrypted based on a session key between the authentication server and a server corresponding to the second application, and the encrypted identifier of the second application is obtained.
S14, checking the second checking request, and after the checking is successful, transmitting the user information corresponding to the user identifier to the application server, wherein the user information is used for indicating the application server to generate login information matched with the second application according to the user information, and transmitting the login information to the second application of the user terminal.
In this embodiment, the verification of the second verification request by the authentication server may include the following steps:
and A1, judging whether the authorization code is invalid, and if the authorization code is invalid, indicating that the verification is failed.
Wherein, judging whether the authorization code is invalid may be judging whether the time interval T between the time when the authorization code is received and the time when the authentication server sends the authorization code to the user terminal is greater than a first preset time;
if T is greater than the first preset time, the authorization code is invalid, and the authentication server sends information of verification failure to the application server. Correspondingly, after receiving the message of verification failure, the application server sends prompt information of login failure to the client.
If T is smaller than or equal to the first preset time, the authorization code is not invalid, and the attribute information of the second application in the second verification request is further verified.
And step A2, if the authorization code is not invalid, verifying the attribute information of the second application.
In this step, verifying the attribute of the second application may mean that the attribute information of the second application is decrypted based on a preset private key to obtain decrypted attribute information; the preset private key is a session key between the authentication server and a server corresponding to the second application. After the decrypted attribute information is obtained, judging whether the decrypted attribute information is matched with the preset second application identifier, if so, indicating that the verification is successful, and if not, indicating that the verification is failed.
In this step, the authentication server stores a white list of applications that are allowed to acquire user information in advance, and specifically stores an identifier of the application that is allowed to acquire user information. The preset identifier of the second application is the identifier which is prestored on the authentication server and characterizes the second application.
In this step, the user information corresponding to the user ID may include a user account corresponding to the user ID. The login information of the user may include a user name matching the user account, a contact address of the user, a user password, and other information pre-stored on the application server for logging in to the second application.
According to the single sign-on method provided by the embodiment of the application, when a user directly jumps from a first application which is already logged in to a second application to be logged in, the identifier of the user is checked, and after the check passes an authorization code is generated and forwarded to the application server corresponding to the second application; after the second check request sent by the application server is checked successfully, the user information corresponding to the user identifier is sent to the application server, and the user information is used for instructing the application server to generate login information matched with the second application according to the user information and to send the login information to the second application of the user terminal. In the single sign-on method provided by the application, when the user directly jumps from the first application which is already logged in to the second application to be logged in, verification is performed through the user identifier, so that an application server meeting the verification requirement can obtain the user information matched with the user identifier and match login information according to it; the user can therefore jump directly from the first application to the second application without the data of the application server having to be modified or maintained, which facilitates quick integration among a plurality of applications.
Fig. 3 is a schematic flow chart of logging in a first application according to an embodiment of the present application. As shown in fig. 3, the method for logging in the first application includes:
S21, receiving a third check request sent by the user terminal, wherein the third check request is triggered when the user logs in to the first application for the first time, and the third check request contains user information and attribute information of the first application.
In this embodiment, the third check request is triggered when the user logs in to the first application for the first time, so the third check request can be understood as a registration request; the registration request includes attribute information of the first application, for example, an identifier of the first application.
The user information in this step may comprise identity information of the user logging into the first application.
The first application may be, for example, an online shopping application, a microblog application, or a mail application.
S22, checking the attribute information of the first application, and storing the user information after the check is successful.
In this embodiment, after the authentication server has verified the attribute information of the first application, it notifies the user terminal to start logging in and stores the user information. If the verification fails, a registration failure message is sent to the user terminal.
S23, distributing the user identification for the user, and sending the user identification to the user terminal so that the first application of the user terminal stores the user identification.
In the first-application login method provided by this embodiment, when a user logs in to any application in an application system for the first time, the authentication server assigns the user a unique user identifier, which is then used for single sign-on among the plurality of applications in the application system.
Fig. 4 is a schematic diagram of another embodiment of a single sign-on method provided in the present application, where an execution body of the method is a user terminal, and a first application and a second application are installed on the user terminal. As shown in fig. 4, the single sign-on method includes:
S31, when the user jumps from the logged-in first application to the second application, a first verification request containing the user identifier is sent to the authentication server, so that the authentication server verifies the user identifier and randomly generates an authorization code corresponding to the user identifier after the verification is successful.
S32, receiving the authorization code and sending the authorization code to the application server corresponding to the second application, so that the application server sends a second verification request to the authentication server and receives the user information corresponding to the user identifier fed back by the authentication server, wherein the second verification request comprises the authorization code and attribute information of the second application.
S33, receiving login information which is generated by the application server according to the user information and matched with the second application, and logging in the second application according to the login information.
Optionally, when the user exits the second application, the login information stored on the second application is cleared.
The specific implementation process of the embodiment of the present application may refer to the technical solution of the single sign-on method provided in the embodiment of fig. 2, which is not described herein again.
Fig. 5 is an interactive signaling diagram of a single sign-on method according to an embodiment of the present application, where, as shown in fig. 5, the single sign-on method includes:
S401, when a user jumps from a first application to a second application, the user terminal generates a first verification request containing a user identifier of the user.
S402, the user terminal sends the first check request to the authentication server.
S403, the authentication server checks the user identifier and generates an authorization code corresponding to the user identifier after the user identifier is checked successfully.
S404, the authentication server sends the authorization code to a second application of the user terminal.
S405, the user terminal sends the authorization code to a second application server corresponding to the second application.
S406, the second application server sends a second verification request to the authentication server, wherein the second verification request comprises the authorization code and attribute information of the second application.
S407, the authentication server verifies the second verification request.
S408, after the verification is successful, the authentication server sends the user information corresponding to the user identifier to the second application server.
S409, the second application server generates login information matched with the second application according to the user information.
S410, the second application server sends the login information to the second application of the user terminal.
S411, the user terminal logs the user in to the second application according to the login information.
The specific implementation process of the embodiment of the present application may refer to the technical solutions of the single sign-on method provided in the embodiments of fig. 2 and fig. 4, which are not described herein again.
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not limit the implementation of the embodiments of the present application in any way.
Based on the single sign-on method provided by the above embodiment, the embodiment of the present invention further provides an apparatus embodiment for implementing the above method embodiment.
Fig. 6 is a schematic structural diagram of a single sign-on device according to an embodiment of the present application. The units included are used to perform the steps in the embodiments corresponding to fig. 2 and 3, and refer specifically to the relevant descriptions in the embodiments corresponding to fig. 2 and 3. For convenience of explanation, only the portions related to the present embodiment are shown. Referring to fig. 6, the single sign-on device 50 includes a first receiving module 501, a first checking module 502, a second receiving module 503, and a first transmitting module 504.
The first receiving module 501 is configured to receive a first check request sent by a user terminal, where the first check request is triggered when a user jumps from a logged-in first application to a second application, and the first check request includes a user identifier of the user.
The first verification module 502 is configured to verify the user identifier, generate an authorization code corresponding to the user identifier after the verification is successful, and send the authorization code to a second application of the user terminal, so that the user terminal sends the authorization code to an application server corresponding to the second application.
A second receiving module 503, configured to receive a second check request sent by the application server, where the second check request includes an authorization code and attribute information of the second application.
The first sending module 504 is configured to check the second check request and, after the check is successful, send the user information corresponding to the user identifier to the application server, where the user information is used to instruct the application server to generate login information matched with the second application according to the user information and to send the login information to the second application of the user terminal.
Optionally, the first sending module 504 checks the second check request, including:
judging whether the authorization code is invalid, if so, indicating that the verification fails;
and if the authorization code is not invalid, checking the attribute information of the second application.
Optionally, the attribute information of the second application includes an encrypted identifier of the second application.
Optionally, the verifying, by the first sending module 504, of the attribute information of the second application includes:
decrypting the attribute information based on a preset private key to obtain decrypted attribute information; the preset private key is a session key between the authentication server and a server corresponding to the second application;
judging whether the decrypted attribute information is matched with a preset identifier of a second application;
if the decrypted attribute information is matched with the preset identifier of the second application, the verification is successful;
and if the decrypted attribute information is not matched with the preset identifier of the second application, indicating that verification fails.
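An added example (not the patent's own code) that simulates the exchange of figs. 3 and 5 together with the check procedure just listed: the authentication server binds each randomly generated authorization code to the user identifier, treats it as invalid once used or expired, and decrypts the second application's encrypted identifier with the session key before comparing it with the preset identifier. The class and function names, the 60-second code lifetime and the SHA-256-based encrypt-then-MAC stand-in for the session-key cipher are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

CODE_LIFETIME = 60  # assumed lifetime of an authorization code, in seconds


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream; a stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt the application identifier under the session key (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Decrypt with the session key; None if the tag fails (wrong key or tampering)."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class AuthServer:
    """Authentication server: manages user information, user identifiers and codes."""
    def __init__(self, app_ids: Dict[str, str], session_keys: Dict[str, bytes]):
        self.app_ids = app_ids            # application name -> preset identifier
        self.session_keys = session_keys  # application name -> session key with its server
        self.users: Dict[str, dict] = {}  # user identifier -> user information
        self.codes: Dict[str, Tuple[str, float]] = {}  # code -> (user identifier, expiry)

    def register(self, app: str, app_attr: str, user_info: dict) -> Optional[str]:
        """S21-S23: third check request on first login; returns the assigned user identifier."""
        if app_attr != self.app_ids.get(app):
            return None  # registration failure
        user_id = secrets.token_hex(8)
        self.users[user_id] = user_info
        return user_id

    def first_check(self, user_id: str, now: float) -> Optional[str]:
        """S403: verify the user identifier and randomly generate a bound, expiring code."""
        if user_id not in self.users:
            return None
        code = secrets.token_urlsafe(24)
        self.codes[code] = (user_id, now + CODE_LIFETIME)
        return code

    def second_check(self, app: str, code: str, enc_attr: bytes, now: float) -> Optional[dict]:
        """S407-S408: reject an invalid code, then check the decrypted application identifier."""
        entry = self.codes.pop(code, None)  # a code is consumed on first use
        if entry is None:
            return None  # unknown or already used
        user_id, expiry = entry
        if now > expiry:
            return None  # expired
        key = self.session_keys.get(app)
        attr = open_sealed(key, enc_attr) if key else None
        if attr is None or not hmac.compare_digest(attr, self.app_ids.get(app, "").encode()):
            return None  # wrong session key, tampered, or mismatched identifier
        return self.users[user_id]


class AppServer:
    def __init__(self, app: str, app_id: str, session_key: bytes, auth: AuthServer):
        self.app, self.app_id, self.session_key, self.auth = app, app_id, session_key, auth

    def redeem(self, code: str, now: float) -> Optional[dict]:
        """S405-S410: send the second check request and derive login information."""
        enc_attr = seal(self.session_key, self.app_id.encode())
        info = self.auth.second_check(self.app, code, enc_attr, now)
        if info is None:
            return None
        return {"user_name": info["account"], "session": secrets.token_hex(16)}


def run_flow() -> dict:
    """Drive the whole exchange on constructed data and report each outcome."""
    key_b = os.urandom(32)
    auth = AuthServer({"app_a": "APP-A-ID", "app_b": "APP-B-ID"},
                      {"app_a": os.urandom(32), "app_b": key_b})
    user_id = auth.register("app_a", "APP-A-ID", {"account": "alice"})  # first login, app A
    app_b = AppServer("app_b", "APP-B-ID", key_b, auth)
    rogue = AppServer("app_b", "APP-B-ID", os.urandom(32), auth)  # lacks the session key
    code = auth.first_check(user_id, now=1000.0)                   # jump from A to B
    return {
        "login": app_b.redeem(code, now=1001.0),
        "replay": app_b.redeem(code, now=1002.0),
        "wrong_key": rogue.redeem(auth.first_check(user_id, now=1000.0), now=1001.0),
        "expired": app_b.redeem(auth.first_check(user_id, now=1000.0),
                                now=1000.0 + CODE_LIFETIME + 1),
    }
```

Only the first redemption of a code yields login information; a replayed, expired or wrongly keyed second check request returns nothing, which is the "authorization code is invalid" branch above.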
The single sign-on device 50 further includes a sign-on module for:
receiving a third check request sent by a user terminal, wherein the third check request is triggered when a user logs in the first application for the first time, and the third check request contains user information and attribute information of the first application;
verifying the attribute information of the first application, and storing user information after the verification is successful;
and distributing a user identifier to the user, and sending the user identifier to the user terminal, wherein the user identifier is used for indicating the application server corresponding to the first application to store the user identifier.
The single sign-on device provided in the embodiment shown in fig. 6 may be used to implement the technical solutions in the embodiments of the methods shown in fig. 2 and fig. 3, and the implementation principle and technical effects are similar, which are not repeated here.
Fig. 7 is a schematic structural diagram of a single sign-on device according to another embodiment of the present application. The units included are used to perform the steps in the embodiment corresponding to fig. 4, and refer specifically to the related description in the embodiment corresponding to fig. 4. For convenience of explanation, only the portions related to the present embodiment are shown. Referring to fig. 7, the single sign-on device 60 includes a second transmitting module 601, a third receiving module 602, and a fourth receiving module 603.
The second sending module 601 is configured to send a first verification request including a user identifier to the authentication server when the user jumps from the logged-in first application to the second application, where the first verification request is used to request the authentication server to verify the user identifier, and generate an authorization code corresponding to the user identifier after the verification is successful.
The third receiving module 602 is configured to receive the authorization code and send the authorization code to the application server corresponding to the second application; the authorization code is used for indicating the application server to send a second verification request to the authentication server and to receive the user information corresponding to the user identifier fed back by the authentication server, and the second verification request comprises the authorization code and attribute information of the second application.
The fourth receiving module 603 is configured to receive the login information, generated by the application server according to the user information, that matches the second application, and to log in to the second application according to the login information.
The single sign-on device provided in the embodiment shown in fig. 7 may be used to implement the technical scheme in the embodiment of the method shown in fig. 4, and its implementation principle and technical effect are similar, and this embodiment will not be repeated here.
Fig. 8 is a schematic diagram of hardware components of an authentication server according to an embodiment of the present application. As shown in fig. 8, the authentication server 70 of this embodiment includes: at least one first processor 701, a first memory 702, and a computer program stored in the first memory 702 and executable on the first processor 701. The authentication server 70 further comprises a first communication means 703, wherein the first processor 701, the first memory 702 and the first communication means 703 are connected by a bus 704.
The first processor 701 executes the computer program to implement the steps in the embodiment of the single sign-on method of fig. 2 or 3, for example, steps S11 to S14 in the embodiment shown in fig. 2. Alternatively, the first processor 701 performs the functions of the modules/units of the embodiment of the apparatus of fig. 6 described above when executing a computer program.
Fig. 9 is a schematic diagram of hardware components of a user terminal according to an embodiment of the present application. As shown in fig. 9, the user terminal 80 of this embodiment includes: at least one second processor 801, a second memory 802, and a computer program stored in the second memory 802 and executable on the second processor 801. The user terminal 80 further comprises a second communication means 803, wherein the second processor 801, the second memory 802 and the second communication means 803 are connected by a bus 804.
The second processor 801 performs the steps of the single sign-on method embodiment of fig. 4 when executing the computer program, or performs the functions of the modules/units of the apparatus embodiment of fig. 7 when executing the computer program.
The first processor 701 in fig. 8 and the second processor 801 in fig. 9 may each be a central processing unit (CPU), but may also be another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor.
The first memory 702 in fig. 8 and the second memory 802 in fig. 9 may be internal memory units of the authentication server 70 and the user terminal 80 respectively, or may be external memory devices of those devices, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, and the like.
The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. Buses may be divided into address buses, data buses, control buses, and so on. For ease of illustration only one bus is shown in the drawings of the present application, but this does not mean that there is only one bus or one type of bus.
The present application also provides a computer readable storage medium storing a computer program which, when executed by a processor, implements steps for implementing the various method embodiments described above.
Embodiments of the present application provide a computer program product which, when run on a mobile terminal, causes the mobile terminal to perform steps that may be performed in the various method embodiments described above.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, all or part of the flow of the methods of the above embodiments may be implemented by a computer program instructing the related hardware; the computer program may be stored in a computer readable storage medium and, when executed by a processor, implements the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file, some intermediate form, or the like. The computer readable medium may include at least: any entity or device capable of carrying the computer program code to the apparatus/terminal device, a recording medium, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunications signal, and a software distribution medium, for example a USB flash drive, a removable hard disk, a magnetic disk or an optical disk. In some jurisdictions, in accordance with legislation and patent practice, computer readable media may not include electrical carrier signals and telecommunications signals.
Each of the foregoing embodiments has its own emphasis; for parts not described or illustrated in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/network device and method may be implemented in other manners. For example, the apparatus/network device embodiments described above are merely illustrative, e.g., the division of modules or elements is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (10)

1. A single sign-on method for use with an authentication server, comprising:
receiving a first check request sent by a user terminal, wherein the first check request is triggered when a user jumps from a logged-in first application to a second application, and the first check request contains a user identifier of the user;
checking the user identifier, generating an authorization code corresponding to the user identifier after the user identifier is checked successfully, and transmitting the authorization code to a second application of the user terminal so that the user terminal transmits the authorization code to an application server corresponding to the second application;
receiving a second check request sent by the application server, wherein the second check request comprises the authorization code and attribute information of the second application;
and checking the second checking request, and after the checking is successful, transmitting user information corresponding to the user identifier to the application server, wherein the user information is used for indicating the application server to generate login information matched with the second application according to the user information, and transmitting the login information to the second application of the user terminal, and the authentication server is used for managing and storing the user information.
2. The single sign-on method of claim 1, wherein prior to receiving the first check request sent by the user terminal, the method comprises:
receiving a third check request sent by a user terminal, wherein the third check request is triggered when a user logs in the first application for the first time, and the third check request contains the user information and the attribute information of the first application;
verifying the attribute information of the first application, and storing the user information after the verification is successful;
and distributing a user identifier to the user, and sending the user identifier to the user terminal, wherein the user identifier is used for indicating an application server corresponding to the first application to store the user identifier.
3. The single sign-on method of claim 1, wherein the verifying the second verification request comprises:
judging whether the authorization code is invalid, if so, indicating that the verification fails;
and if the authorization code is not invalid, verifying the attribute information of the second application.
4. The single sign-on method of claim 1, wherein the attribute information of the second application includes an identification of the second application after encryption;
the verifying the attribute information of the second application includes:
decrypting the attribute information based on a preset private key to obtain decrypted attribute information; the preset private key is a session key between the authentication server and a server corresponding to the second application;
judging whether the decrypted attribute information is matched with a preset identifier of a second application;
if the decrypted attribute information is matched with the identifier of the preset second application, the verification is successful;
and if the decrypted attribute information is not matched with the identifier of the preset second application, indicating that verification fails.
5. A single sign-on method, which is applied to a user terminal, characterized in that:
when a user jumps from a logged-in first application to a second application, a first verification request containing the user identifier is sent to an authentication server, wherein the first verification request is used for requesting the authentication server to verify the user identifier and generating an authorization code corresponding to the user identifier after the verification is successful, and the authentication server is used for managing and storing the user information;
receiving the authorization code and sending the authorization code to an application server corresponding to the second application, wherein the authorization code is used for indicating the application server to send a second verification request to the authentication server and receiving user information corresponding to the user identifier and fed back by the authentication server, and the second verification request comprises the authorization code and attribute information of the second application;
and receiving login information which is generated by the application server according to the user information and matches with the second application, and logging in the second application according to the login information.
6. The single sign-on method of claim 5, wherein the method further comprises:
and when the user exits the second application, the login information stored on the second application is cleared.
7. A single sign-on device for use with an authentication server, comprising:
the first receiving module is used for receiving a first check request sent by a user terminal, wherein the first check request is triggered when a user jumps from a logged-in first application to a second application, and the first check request contains a user identifier of the user;
the first verification module is used for verifying the user identifier, forming an authorization code corresponding to the user identifier after the user identifier is successfully verified, and transmitting the authorization code to a second application of the user terminal so that the user terminal can transmit the authorization code to an application server corresponding to the second application;
the second receiving module is used for receiving a second check request sent by the application server, wherein the second check request comprises the authorization code and attribute information of the second application;
the first sending module is used for verifying the second verification request, sending user information corresponding to the user identifier to the application server after the verification is successful, wherein the user information is used for indicating the application server to generate login information matched with the second application according to the user information, and sending the login information to the second application of the user terminal, and the authentication server is used for managing and storing the user information.
8. A single sign-on device for use in a user terminal, comprising:
the second sending module is used for sending a first verification request containing the user identifier to the authentication server when the user jumps from the logged-in first application to the second application, wherein the first verification request is used for requesting the authentication server to verify the user identifier and randomly generating an authorization code corresponding to the user identifier after the verification is successful, and the authentication server is used for managing and storing the user information;
the third receiving module is used for receiving the authorization code and sending the authorization code to an application server corresponding to the second application, the authorization code is used for indicating the application server to send a second verification request to the authentication server and receiving user information corresponding to the user identifier, which is fed back by the authentication server, and the second verification request comprises the authorization code and attribute information of the second application;
and the fourth receiving module is used for receiving login information which is generated by the application server according to the user information and matches with the second application, and logging in the second application according to the login information.
9. A single sign-on device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the method of any one of claims 1 to 4 when the computer program is executed; or to carry out the steps of the method according to claim 5 or 6.
10. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the steps of the method according to any one of claims 1 to 4; or to carry out the steps of the method according to any one of claims 5 to 6.
CN202010368628.2A 2020-04-28 2020-04-28 Single sign-on method, device, equipment and storage medium Active CN112948802B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010368628.2A CN112948802B (en) 2020-04-28 2020-04-28 Single sign-on method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010368628.2A CN112948802B (en) 2020-04-28 2020-04-28 Single sign-on method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112948802A CN112948802A (en) 2021-06-11
CN112948802B true CN112948802B (en) 2024-03-12

Family

ID=76234487

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010368628.2A Active CN112948802B (en) 2020-04-28 2020-04-28 Single sign-on method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112948802B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113849801A (en) * 2021-09-30 2021-12-28 中国平安财产保险股份有限公司 Single sign-on method and device, computer equipment and storage medium
CN113761505B (en) * 2021-11-09 2022-04-15 云丁网络技术(北京)有限公司 Method and equipment for processing information
CN114844674B (en) * 2022-03-29 2024-02-27 网宿科技股份有限公司 Dynamic authorization method, system, electronic equipment and storage medium
CN115102711B (en) * 2022-05-09 2024-01-02 支付宝(杭州)信息技术有限公司 Information authorization method, device and system
CN115001807A (en) * 2022-05-31 2022-09-02 中国银行股份有限公司 User login processing method and device of application program

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101902327A (en) * 2009-06-01 2010-12-01 中国移动通信集团公司 Method and device for realizing single-point log-in and system thereof
CN104065616A (en) * 2013-03-20 2014-09-24 中国移动通信集团公司 Single sign-on method and system
CN104378376A (en) * 2014-11-18 2015-02-25 深圳中兴网信科技有限公司 SOA-based single-point login method, authentication server and browser
CN105049427A (en) * 2015-06-29 2015-11-11 用友优普信息技术有限公司 Management method and management device for login accounts of application systems
CN106209749A (en) * 2015-05-08 2016-12-07 阿里巴巴集团控股有限公司 Single-point logging method and the processing method and processing device of device, relevant device and application
CN109246076A (en) * 2018-08-01 2019-01-18 北京奇虎科技有限公司 A kind of method and apparatus of single-sign-on multisystem
CN109286633A (en) * 2018-10-26 2019-01-29 深圳市华云中盛科技有限公司 Single sign-on method, device, computer equipment and storage medium
CN110032855A (en) * 2019-02-28 2019-07-19 招银云创(深圳)信息技术有限公司 Login method, device, computer equipment and the storage medium of application
CN110909340A (en) * 2019-11-25 2020-03-24 北京明略软件系统有限公司 Login processing method, system, device, electronic equipment and storage medium
CN111062024A (en) * 2019-11-25 2020-04-24 泰康保险集团股份有限公司 Application login method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8141138B2 (en) * 2005-10-17 2012-03-20 Oracle International Corporation Auditing correlated events using a secure web single sign-on login

Also Published As

Publication number Publication date
CN112948802A (en) 2021-06-11

Similar Documents

Publication Publication Date Title
CN112948802B (en) Single sign-on method, device, equipment and storage medium
CN108964885B (en) Authentication method, device, system and storage medium
WO2018145605A1 (en) Authentication method and server, and access control device
US20140196132A1 (en) Disconnected credential validation using pre-fetched service tickets
CN109587126B (en) User authentication method and system
CN108512845B (en) Interface calling verification method and device
RU2676896C2 (en) Method and system related to authentication of users for accessing data networks
CN110365684B (en) Access control method and device for application cluster and electronic equipment
CN102457507A (en) Secure sharing method, device and system for cloud computing resources
CN109981680B (en) Access control implementation method and device, computer equipment and storage medium
CN111669351B (en) Authentication method, service server, client and computer readable storage medium
CN112948851A (en) User authentication method, device, server and storage medium
CN107040501B (en) Authentication method and device based on platform as a service
CN111342964B (en) Single sign-on method, device and system
CN110138558B (en) Transmission method and device of session key and computer-readable storage medium
CN114021103A (en) Single sign-on method, device, terminal and storage medium based on identity authentication
CN110351364B (en) Data storage method, device and computer readable storage medium
CN111737681A (en) Resource acquisition method and device, storage medium and electronic device
CN115150072A (en) Cloud network issuing authentication method, equipment, device and storage medium
CN114499975A (en) Method for verifying login server, server and storage medium
CN112039857B (en) Calling method and device of public basic module
CN111371811A (en) Resource calling method, resource calling device, client and service server
CN108809927B (en) Identity authentication method and device
CN114338795B (en) Data communication method and device of blockchain client
CN108900555A (en) A kind of data processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant