CN112968866B - Method, device and system for binding user account information and user identity information - Google Patents

Info

Publication number
CN112968866B
Authority
CN
China
Prior art keywords
account information
target
target user
user account
application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110117250.3A
Other languages
Chinese (zh)
Other versions
CN112968866A (en
Inventor
杨军
丁龙
孙悦
郭晓鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Trusfort Technology Co ltd
Original Assignee
Beijing Trusfort Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Trusfort Technology Co ltd filed Critical Beijing Trusfort Technology Co ltd
Priority to CN202110117250.3A priority Critical patent/CN112968866B/en
Publication of CN112968866A publication Critical patent/CN112968866A/en
Application granted granted Critical
Publication of CN112968866B publication Critical patent/CN112968866B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies

Abstract

A method, a device and a system for binding user account information and user identity information are disclosed. The method is applied to a gateway and comprises the following steps: receiving a ticket sent by an account binding service module; notifying the browser to jump to a proxy login interface of a target application proxied by the gateway; receiving, through the browser, target user account information of the target application entered by a user on the proxy login interface; sending the target user account information to an application server of the target application; intercepting a response result returned by the application server according to the target user account information; and sending the ticket, the target user account information and the response result to an account verification service module, so that the account verification service module, when it determines from the response result that the target user account information has passed authentication by the application server, notifies the account binding service module to bind and store the target user account information and the target user identity information.

Description

Method, device and system for binding user account information and user identity information
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, and a system for binding user account information and user identity information.
Background
Single Sign-On (SSO), the current mainstream solution for business integration, lets a user access all connected applications in a web environment after logging in only once. More and more applications integrate standard single sign-on protocols such as CAS, OAuth and OIDC. Although most industry applications support these standard protocols, an application's user account information still has to be matched to an identity: the user account information that a user uses to log in to the application must be bound to the user identity information used to log in to the single sign-on authentication center.
In the prior art there are three methods for binding user account information and user identity information. In the first, an administrator manually works out the relationship between user account information and user identity information offline, then imports the binding relationship into the single sign-on authentication center and stores it there. In the second, the single sign-on authentication center sends the user identity information to the application, and the application looks up the user account information from the user identity information in order to perform the binding; this method requires the user account information and the user identity information to share the same content (for example, the same mobile phone number was used when both were registered). In the third, the application is custom-developed to provide a verification interface or page for the user account information; the application verifies the user account information and sends the verified user account information to the single sign-on authentication center, which binds the user identity information and the application account information.
Taking the three binding methods together, the prior art has the following disadvantages: 1. manual participation is needed, which consumes manpower and material resources, has poor timeliness and is error-prone; 2. the methods are not generally applicable; 3. the application needs customized development, and the cost is high.
Disclosure of Invention
In order to solve the problems, the invention provides a method, a device and a system for binding user account information and user identity information, which have universality, do not need manual participation and customized development on application when the user account information and the user identity information are bound, can effectively improve timeliness and accuracy, and have lower cost.
In order to achieve the above object, in a first aspect, an embodiment of the present invention provides a method for binding user account information and user identity information, where the method is applied to a gateway, and the method includes:
receiving a ticket sent by an account binding service module when it determines that target user identity information with which a user has logged in is not bound to user account information for logging in to a target application, wherein the ticket comprises: the address of the target application, the identification of the target application and the target user identity information;
notifying a browser, according to the address of the target application and the identification of the target application, to jump to a proxy login interface of the target application proxied by the gateway;
receiving target user account information of the target application, which is input by the user through the browser on the proxy login interface;
sending the target user account information to an application server of the target application;
intercepting a response result returned by the application server according to the target user account information;
and sending the ticket, the target user account information and the response result to an account verification service module, so that the account verification service module, when it determines from the response result that the target user account information has passed authentication by the application server, notifies the account binding service module to bind and store the target user account information and the target user identity information.
Preferably, after sending the ticket, the target user account information, and the response result to the account verification service module, the method further includes: receiving a first notification, sent by the account verification service module, that the target user account information has passed the authentication of the application server; and notifying the single sign-on authentication center to log in using the user account information.
Preferably, after sending the ticket, the target user account information, and the response result to the account verification service module, the method further includes: receiving a second notification, sent by the account verification service module, that the target user account information has failed the authentication of the application server, and sending the response result to the browser.
In a second aspect, an embodiment of the present invention provides a method for binding user account information and user identity information, where the method is applied to an account binding service module, and the method includes:
judging whether the target user identity information which is logged in by the user is bound with the user account information for logging in the target application or not according to the binding relationship between the stored user identity information and the user account information for logging in the application;
if the target user identity information is not bound to user account information for logging in to the target application, generating a ticket, wherein the ticket comprises: the address of the target application, the identification of the target application and the target user identity information;
sending the ticket to the gateway, so that the gateway acquires the target user account information used by the user for logging in to the target application, intercepts the response result returned by the application server corresponding to the target application according to the target user account information, and sends the ticket, the target user account information and the response result to an account verification service module;
receiving the target user account information and the target user identity information which are sent by the account verification service module when the target user account information is determined to pass the authentication of the application server;
and binding and storing the target user account information and the target user identity information.
In a third aspect, an embodiment of the present invention provides a method for binding user account information and user identity information, where the method is applied to an account verification service module, and the method includes:
receiving a ticket, target user account information and a response result sent by a gateway, wherein the response result is the result returned by the application server corresponding to the target application according to the target user account information, as intercepted by the gateway, and the ticket comprises: the address of the target application, the identification of the target application and the target user identity information;
determining whether the target user account information passes the authentication of the application server according to the response result;
and if it passes the authentication of the application server, sending the target user account information and the target user identity information to an account binding service module so that the account binding service module binds and stores the target user account information and the target user identity information.
Preferably, if the target user account information passes the authentication of the application server, the method further includes: sending to the gateway a first notification that the target user account information has passed the authentication of the application server, so that the gateway notifies a single sign-on authentication center to log in using the user account information.
Preferably, if the target user account information does not pass the authentication of the application server, the method further includes: sending to the gateway a second notification that the target user account information has failed the authentication of the application server, so that the gateway sends the response result to the browser.
In a fourth aspect, an embodiment of the present invention provides a gateway, where the gateway includes:
a first receiving unit, configured to receive a ticket sent by an account binding service module when it is determined that target user identity information that a user has logged in is not bound to user account information used for logging in a target application, where the ticket includes: the address of the target application, the identification of the target application and the identity information of the target user;
a notification unit, configured to notify the browser, according to the address of the target application and the identification of the target application, to jump to a proxy login interface of the target application proxied by the gateway;
a second receiving unit, configured to receive target user account information of the target application, which is input by the user through the browser on the proxy login interface;
the first sending unit is used for sending the target user account information to an application server of the target application;
the intercepting unit is used for intercepting a response result returned by the application server according to the target user account information;
and a second sending unit, configured to send the ticket, the target user account information and the response result to an account verification service module, so that the account verification service module, when it determines from the response result that the target user account information has passed authentication by the application server, notifies the account binding service module to bind and store the target user account information and the target user identity information.
Preferably, the gateway further comprises: a third receiving unit, configured to receive a first notification that the account information of the target user sent by the account verification service module passes the authentication of the application server; the notification unit is further configured to notify the single sign-on authentication center of using the user account information to log in.
Preferably, the gateway further comprises: a third receiving unit, configured to receive a second notification that the account information of the target user sent by the account verification service module fails to pass the authentication of the application server; the notification unit is further configured to send the response result to the browser.
In a fifth aspect, an embodiment of the present invention provides an account binding service apparatus, where the apparatus includes:
the judging unit is used for judging whether the target user identity information logged in by the user is bound with the user account information used for logging in the target application or not according to the binding relationship between the stored user identity information and the user account information used for logging in the application;
a generating unit, configured to generate a ticket if the target user identity information is not bound to the user account information for logging in the target application, where the ticket includes: the address of the target application, the identification of the target application and the identity information of the target user;
a sending unit, configured to send the ticket to the gateway, so that the gateway acquires the target user account information used by the user for logging in to the target application, intercepts the response result returned by the application server corresponding to the target application according to the target user account information, and sends the ticket, the target user account information and the response result to an account verification service module;
a receiving unit, configured to receive the target user account information and the target user identity information sent by the account verification service module when determining that the target user account information passes the authentication of the application server;
and the binding unit is used for binding and storing the target user account information and the target user identity information.
In a sixth aspect, an embodiment of the present invention provides an account verification service apparatus, where the apparatus includes:
a receiving unit, configured to receive a ticket, target user account information, and a response result sent by a gateway, where the response result is the result returned by the application server corresponding to the target application according to the target user account information, as intercepted by the gateway, and the ticket includes: the address of the target application, the identification of the target application and the target user identity information;
a determining unit, configured to determine whether the target user account information passes the authentication of the application server according to the response result;
and a first sending unit, configured to send the target user account information and the target user identity information to an account binding service module if the target user account information passes the authentication of the application server, so that the account binding service module binds and stores the target user account information and the target user identity information.
Preferably, the apparatus further comprises: a second sending unit, configured to send to the gateway, if the target user account information passes the authentication of the application server, a first notification that the target user account information has passed the authentication of the application server, so that the gateway notifies a single sign-on authentication center to log in using the user account information.
Preferably, the apparatus further comprises: a second sending unit, configured to send to the gateway a second notification that the target user account information has failed the authentication of the application server, so that the gateway sends the response result to the browser.
In a seventh aspect, an embodiment of the present invention provides a system for binding user account information and user identity information, where the system includes: the gateway of any one of the fourth aspect, the account binding service device of the fifth aspect, and the account verification service device of any one of the sixth aspect.
With the method, device and system for binding user account information and user identity information provided by the invention, the gateway receives a ticket that the account binding service module sends when it determines that the target user identity information with which the user has logged in is not bound to user account information for logging in to the target application. The gateway then notifies the browser to jump to the proxy login interface of the target application proxied by the gateway. After receiving, through the browser, the target user account information of the target application entered by the user on the proxy login interface, the gateway sends the target user account information to the application server of the target application and intercepts the response result that the application server returns according to the target user account information. The gateway then sends the ticket, the target user account information and the response result to the account verification service module, so that the account verification service module, when it determines from the response result that the target user account information has passed authentication by the application server, notifies the account binding service module to bind and store the target user account information and the target user identity information. The method, device and system are therefore generally applicable, require neither manual participation nor customized development of the application when binding user account information and user identity information, effectively improve timeliness and accuracy, and have a low cost.
Drawings
The above and other objects, features and advantages of the present application will become more apparent by describing in more detail embodiments of the present application with reference to the attached drawings. The accompanying drawings are included to provide a further understanding of the embodiments of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the principles of the application. In the drawings, like reference numbers generally represent like parts or steps.
Fig. 1 is a flowchart illustrating a method for binding user account information and user identity information according to an exemplary embodiment of the present application;
Fig. 2 is a flowchart illustrating another method for binding user account information and user identity information according to an exemplary embodiment of the present application;
Fig. 3 is a flowchart illustrating a further method for binding user account information and user identity information according to an exemplary embodiment of the present application;
Fig. 4 is a flowchart illustrating a further method for binding user account information and user identity information according to an exemplary embodiment of the present application;
Fig. 5 is a block diagram of a gateway provided in an exemplary embodiment of the present application;
Fig. 6 is a block diagram of an account binding service apparatus according to an exemplary embodiment of the present application;
Fig. 7 is a structural diagram of an account verification service apparatus according to an exemplary embodiment of the present application;
Fig. 8 is a block diagram of an electronic device provided in an exemplary embodiment of the present application.
Detailed Description
Hereinafter, example embodiments according to the present application will be described in detail with reference to the accompanying drawings. It should be understood that the described embodiments are only some embodiments of the present application and not all embodiments of the present application, and that the present application is not limited by the example embodiments described herein.
Fig. 1 is a flowchart illustrating a method for binding user account information and user identity information according to an embodiment of the present application. The method is applicable to a gateway. The method for binding the user account information and the user identity information provided by the embodiment of the application can comprise the following steps:
Step 101, receiving a ticket sent by an account binding service module when it determines that the target user identity information with which the user has logged in is not bound to user account information for logging in to the target application.
The ticket includes: the address of the target application, the identification of the target application and the target user identity information.
Step 102, notifying the browser, according to the address of the target application and the identification of the target application, to jump to a proxy login interface of the target application proxied by the gateway.
Step 103, receiving, through the browser, the target user account information of the target application entered by the user on the proxy login interface.
Step 104, sending the target user account information to an application server of the target application.
Step 105, intercepting the response result returned by the application server according to the target user account information.
Step 106, sending the ticket, the target user account information and the response result to the account verification service module.
After receiving the ticket, the target user account information and the response result, the account verification service module, when it determines from the response result that the target user account information has passed authentication by the application server, notifies the account binding service module to bind and store the target user account information and the target user identity information.
In one example, after sending the ticket, the target user account information, and the response result to the account verification service module, the method may further include:
receiving a first notification, sent by the account verification service module, that the target user account information has passed the authentication of the application server;
and notifying the single sign-on authentication center to log in using the user account information.
In one example, after sending the ticket, the target user account information, and the response result to the account verification service module, the method may further include:
receiving a second notification, sent by the account verification service module, that the target user account information has failed the authentication of the application server;
and sending the response result to the browser.
The binding method provided by this embodiment of the invention is generally applicable: binding user account information to user identity information with it requires neither manual participation nor customized development of the application, which effectively improves timeliness and accuracy and lowers cost. In addition, because the user account information is acquired directly by the gateway, it is difficult to tamper with during transmission, so security is higher.
Fig. 2 is a flowchart illustrating another method for binding user account information and user identity information according to an embodiment of the present application. The method can be applied to the account binding service module. The method for binding the user account information and the user identity information provided by the embodiment of the application can comprise the following steps:
Step 201, determining, according to the stored binding relationship between user identity information and user account information for logging in to applications, whether the target user identity information with which the user has logged in is bound to user account information for logging in to the target application.
Step 202, if the target user identity information is not bound to user account information for logging in to the target application, generating a ticket.
The ticket includes: the address of the target application, the identification of the target application and the target user identity information.
In one example, if the target user identity information is bound to user account information for logging in to the target application, the single sign-on authentication center is notified to log in using the user account information, which is the same as the prior art and is not described herein again.
Step 203, sending the ticket to the gateway.
After receiving the ticket, the gateway acquires the target user account information used by the user for logging in to the target application, intercepts the response result returned by the application server corresponding to the target application according to the target user account information, and sends the ticket, the target user account information and the response result to the account verification service module. For the specific process, refer to the flow shown in Fig. 1.
Step 204, receiving the target user account information and the target user identity information that the account verification service module sends when it determines that the target user account information has passed the authentication of the application server.
Step 205, binding and storing the target user account information and the target user identity information.
The binding method provided by this embodiment of the invention is generally applicable: binding user account information to user identity information with it requires neither manual participation nor customized development of the application, which effectively improves timeliness and accuracy and lowers cost. In addition, because the user account information is acquired directly by the gateway, it is difficult to tamper with during transmission, so security is higher.
Fig. 3 is a flowchart illustrating a further method for binding user account information and user identity information according to an embodiment of the present application. The method can be applied to the account verification service module. The method for binding the user account information and the user identity information provided by the embodiment of the application can comprise the following steps:
Step 301, receiving the ticket, the target user account information and the response result sent by the gateway.
The response result is the result returned by the application server corresponding to the target application according to the target user account information, as intercepted by the gateway. The ticket includes: the address of the target application, the identification of the target application and the target user identity information. For the specific process, refer to the flow shown in Fig. 1.
Step 302, determining whether the target user account information passes the authentication of the application server according to the response result.
Step 303, if it passes the authentication of the application server, sending the target user account information and the target user identity information to the account binding service module.
After receiving the target user account information and the target user identity information, the account binding service module binds and stores them.
In one example, if the target user account information passes the authentication of the application server, the method may further comprise:
sending to the gateway a first notification that the target user account information has passed the authentication of the application server, so that the gateway notifies the single sign-on authentication center to log in using the user account information.
It should be noted that, in this case, the gateway has already performed the reverse proxying, and therefore the response result is not sent to the browser.
In one example, if the target user account information does not pass the authentication of the application server, the method may further include:
sending to the gateway a second notification that the target user account information has failed the authentication of the application server, so that the gateway sends the response result to the browser.
The method for binding the user account information and the user identity information provided by the embodiment of the invention has universality, and the binding of the user account information and the user identity information is carried out by utilizing the method for binding the user account information and the user identity information provided by the embodiment of the invention, so that manual participation is not required, customized development on application is not required, the timeliness and the accuracy can be effectively improved, and the cost is lower. In addition, the user account information is directly acquired by the gateway, so that the user account information is difficult to be tampered in the transmission process, and the safety is higher.
Fig. 4 is a schematic flowchart of a further method for binding user account information and user identity information according to an embodiment of the present application, so as to further describe an interaction process of a gateway, an account binding service module, and an account checking service module. The gateway, the account binding service module, and the account checking service module in the embodiment of the present invention may be disposed on the same device, or may be disposed on different devices, which is not limited in this respect.
The method for binding the user account information and the user identity information provided by the embodiment of the application can comprise the following steps:
In step 401, the account binding service module determines, according to the stored binding relationship between user identity information and user account information for logging in to applications, whether the target user identity information with which the user has logged in is bound to user account information for logging in to the target application.
Before entering step 401, the user logs in the single sign-on authentication center by using the target user identity information, and when the browser jumps to the login interface of the target application, the browser notifies the account binding service module to start the service, that is, step 401 is executed.
If the target user identity information is not bound with the user account information for logging in the target application, executing step 402; if the target user identity information is bound to user account information for logging into the target application, step 416 is performed.
In step 402, the account binding service module generates a ticket.
The ticket includes: the address of the target application, the identification of the target application and the identity information of the target user.
In step 403, the account binding service module sends the ticket to the gateway.
Specifically, the account binding service module may send the ticket to the gateway by setting the ticket into a cookie value.
Step 404, the gateway receives the ticket and notifies the browser to jump to the proxy login interface of the target application of the gateway proxy.
The gateway determines the target application according to the address of the target application and the identification of the target application included in the ticket. The address of the proxy login interface corresponding to each application is preset in the gateway. Based on this, after determining the target application, the gateway can return status code 302 carrying the address of the proxy login interface of the target application to the browser, so that the browser jumps to that proxy login interface after receiving status code 302. The gateway also writes the ticket into the browser cookie through the Set-Cookie response header, so that when the user subsequently logs in to the target application using the browser, the ticket can be obtained automatically from the cookie, and the target user identity information used by the user for logging in to the target application is obtained from the ticket.
In step 405, the gateway receives the target user account information of the target application, which is input by the user through the browser on the proxy login interface.
In step 406, the gateway sends the target user account information to the application server of the target application.
Step 407, the gateway intercepts a response result returned by the application server according to the target user account information.
The application server authenticates the target user account information input by the user, which is the same as the prior art and is not described herein again.
Step 408, the gateway sends the ticket, the target user account information and the response result to the account checking service module.
In step 409, the account checking service module determines whether the target user account information passes the authentication of the application server according to the response result.
Specifically, the formats of the response results corresponding to different applications are different. The account checking service module can determine the target application according to the address of the target application and the identification of the target application included in the ticket. It can therefore obtain the format of the response result corresponding to the target application and extract the certificate from the response result according to that format, so as to determine the result of the application server's authentication of the target user account information input by the user.
If the target user account information is authenticated by the application server, steps 410 and 412 are performed. If the target user account information is not authenticated by the application server, step 414 is performed.
In step 410, the account checking service module sends the account information of the target user and the identity information of the target user to the account binding service module.
The account checking service module extracts the target user identity information from the ticket and sends the target user account information and the target user identity information to the account binding service module.
In step 411, the account binding service module binds and stores the received target user account information and target user identity information.
In step 412, the account checking service module sends a first notification that the account information of the target user passes the authentication of the application server to the gateway.
It should be noted that the order of execution of step 410 and step 412 is not limited in the present invention.
Step 413, after receiving the first notification, the gateway notifies the single sign-on authentication center to log in using the user account information.
After receiving the first notification, the gateway determines that the target user account information has passed the authentication of the application server and assumes by default that the account binding service module has bound the target user account information and the target user identity information, so that the user can log in to the target application normally; it therefore notifies the single sign-on authentication center to log in using the user account information.
In step 414, the account checking service module sends a second notification that the account information of the target user fails to pass the authentication of the application server to the gateway.
Step 415, after receiving the second notification, the gateway sends a response result to the browser.
Because the account information of the target user is not authenticated by the application server, the user cannot log in the target application, so that the response result can be directly sent to the browser, and the browser executes the response result according to the prior art after receiving the response result, which is not described herein again.
In step 416, the account binding service module notifies the single sign-on authentication center to log in using the user account information.
The process is the same as the prior art and is not described in detail herein.
The method for binding user account information and user identity information provided by the embodiment of the invention is universal: binding with this method requires neither manual participation nor customized development of the application, so timeliness and accuracy are effectively improved and the cost is lower. In addition, because the user account information is acquired directly by the gateway, it is difficult to tamper with during transmission, and security is higher.
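The Fig. 4 flow from ticket generation (step 402) to the first or second notification (steps 412 and 414) can be sketched as follows. This is an added example, not code from the patent: the HMAC tag on the ticket cookie, the "rejected" outcome, the two response formats, the application addresses and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption of this example: the binding and checking modules share a key and
# the ticket cookie carries an HMAC tag. The patent text does not specify this.
TICKET_KEY = b"constructed-demo-key"


def make_ticket(app_address, app_id, identity):
    """Steps 402-403: pack the three ticket fields into a cookie value."""
    fields = {"app_address": app_address, "app_id": app_id, "identity": identity}
    body = base64.urlsafe_b64encode(json.dumps(fields, sort_keys=True).encode())
    tag = hmac.new(TICKET_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def read_ticket(cookie_value):
    """Return the ticket fields, or None if the cookie value was altered."""
    body, _, tag = cookie_value.partition(".")
    expected = hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def _redirect_login_ok(resp):
    # Constructed format A: success is a 302 that does not lead back to /login.
    location = resp.get("headers", {}).get("Location", "")
    return resp.get("status") == 302 and bool(location) and not location.startswith("/login")


def _json_login_ok(resp):
    # Constructed format B: always HTTP 200, outcome in a JSON field "code".
    try:
        return resp.get("status") == 200 and json.loads(resp.get("body", "")).get("code") == 0
    except (ValueError, TypeError, AttributeError):
        return False


# Step 409: the response format is looked up by the application named in the ticket.
RESPONSE_FORMATS = {
    ("https://crm.example.internal/login", "crm"): _redirect_login_ok,
    ("https://hr.example.internal/login", "hr"): _json_login_ok,
}


class AccountBindingService:
    def __init__(self):
        self.bindings = {}  # (identity, app_id) -> account information

    def is_bound(self, identity, app_id):  # step 401
        return (identity, app_id) in self.bindings

    def bind(self, identity, app_id, account):  # step 411
        self.bindings[(identity, app_id)] = account


def check_account(cookie_value, account, response, binding_service):
    """Steps 409-414: return the notification the gateway should receive."""
    ticket = read_ticket(cookie_value)
    if ticket is None:
        return "rejected"  # example-only outcome: ticket failed the HMAC check
    is_ok = RESPONSE_FORMATS.get((ticket["app_address"], ticket["app_id"]))
    if is_ok is None or not is_ok(response):
        return "second"  # step 414: gateway passes the response to the browser
    # Steps 410-411: the identity comes from the ticket, never from the login form.
    binding_service.bind(ticket["identity"], ticket["app_id"], account)
    return "first"  # step 412: gateway lets the SSO center log in with the account


if __name__ == "__main__":
    # Constructed sample data: one failed and one successful login for "hr".
    svc = AccountBindingService()
    cookie = make_ticket("https://hr.example.internal/login", "hr", "alice")
    wrong = {"status": 200, "headers": {}, "body": '{"code": 1}'}
    right = {"status": 200, "headers": {}, "body": '{"code": 0}'}
    print(check_account(cookie, {"username": "asmith"}, wrong, svc))
    print(check_account(cookie, {"username": "asmith"}, right, svc))
    print(svc.is_bound("alice", "hr"))
```

An unknown application or an unparseable response falls through to the second notification, so a binding is stored only when the application server's own response shows a successful login.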
An embodiment of the present invention provides a gateway, and fig. 5 is a structural diagram of the gateway. As shown in fig. 5, the gateway includes:
a first receiving unit 501, configured to receive a ticket sent by an account binding service module when it is determined that target user identity information that a user has logged in is not bound to user account information for logging in a target application, where the ticket includes: the address of the target application, the identification of the target application and the identity information of the target user;
a notification unit 502, configured to notify a browser to jump to a proxy login interface of a target application of a gateway proxy according to an address of the target application and an identifier of the target application;
a second receiving unit 503, configured to receive target user account information of the target application, which is input by the user through the browser on the proxy login interface;
a first sending unit 504, configured to send the target user account information to an application server of the target application;
an intercepting unit 505, configured to intercept a response result returned by the application server according to the target user account information;
a second sending unit 506, configured to send the ticket, the target user account information, and the response result to an account verification service module, so that when the account verification server determines that the target user account information passes through the authentication of the application server according to the response result, the account binding service module is notified to bind and store the target user account information and the target user identity information.
Preferably, the gateway further comprises: a third receiving unit 507, configured to receive a first notification that the account information of the target user sent by the account verification service module passes the authentication of the application server; the notifying unit 502 is further configured to notify the single sign-on authentication center to log in using the user account information.
Preferably, the gateway further comprises: a third receiving unit 507, configured to receive a second notification that the account information of the target user sent by the account verification service module fails to pass the authentication of the application server; the notifying unit 502 is further configured to send the response result to the browser.
With the gateway provided by the embodiment of the invention, the binding process of user account information and user identity information is universal and requires neither manual participation nor customized development of the application, so timeliness and accuracy are effectively improved and the cost is lower. In addition, because the user account information is acquired directly by the gateway, it is difficult to tamper with during transmission, and security is higher.
An embodiment of the present invention provides an account binding service apparatus, and fig. 6 is a structural diagram of the account binding service apparatus. As shown in fig. 6, the account binding service apparatus includes:
a determining unit 601, configured to determine, according to a binding relationship between the stored user identity information and user account information used for logging in an application, whether target user identity information that a user has logged in is bound with user account information used for logging in a target application;
a generating unit 602, configured to generate a ticket if the target user identity information is not bound to the user account information for logging in the target application, where the ticket includes: the address of the target application, the identification of the target application and the identity information of the target user;
a sending unit 603, configured to send the ticket to the gateway, so that the gateway obtains target user account information used by the user to log in the target application, intercepts a response result returned by an application server corresponding to the target application according to the target user account information, and sends the ticket, the target user account information, and the response result to an account verification service module;
a receiving unit 604, configured to receive the target user account information and the target user identity information sent by the account verification service module when determining that the target user account information passes through the authentication of the application server;
a binding unit 605, configured to bind and store the target user account information and the target user identity information.
With the account binding service module provided by the embodiment of the invention, the binding process of user account information and user identity information is universal and requires neither manual participation nor customized development of the application, so timeliness and accuracy are effectively improved and the cost is lower.
An embodiment of the present invention provides an account verification service apparatus, and fig. 7 is a structural diagram of the account verification service apparatus. As shown in fig. 7, the account checking service apparatus includes:
a receiving unit 701, configured to receive a ticket, target user account information, and a response result sent by a gateway, where the response result is a response result returned by an application server corresponding to the target application and intercepted by the gateway according to the target user account information, and the ticket includes: the address of the target application, the identification of the target application and the identity information of the target user;
a determining unit 702, configured to determine, according to the response result, whether the target user account information passes through the authentication of the application server;
a first sending unit 703, configured to send, if the target user account information passes the authentication of the application server, the target user account information and the target user identity information to an account binding service module, so that the account binding service module binds and stores the target user account information and the target user identity information.
Preferably, the apparatus further comprises: a second sending unit 704, configured to send, if the target user account information passes the authentication of the application server, a first notification that the target user account information passes the authentication of the application server to the gateway, so that the gateway notifies a single sign-on authentication center to log in using the user account information.
Preferably, the apparatus further comprises: a second sending unit 704, configured to send a second notification that the target user account information fails to be authenticated by the application server to the gateway, so that the gateway sends the response result to the browser.
With the account verification service module provided by the embodiment of the invention, the binding process of user account information and user identity information is universal and requires neither manual participation nor customized development of the application, so timeliness and accuracy are effectively improved and the cost is lower.
The embodiment of the invention provides a system for binding user account information and user identity information, which comprises: the gateway shown in fig. 5, the account binding service apparatus shown in fig. 6, and the account checking service apparatus shown in fig. 7.
The system for binding user account information and user identity information provided by the embodiment of the invention is universal: binding with this system requires neither manual participation nor customized development of the application, so timeliness and accuracy are effectively improved and the cost is lower. In addition, because the user account information is acquired directly by the gateway, it is difficult to tamper with during transmission, and security is higher.
Next, an electronic apparatus 11 according to an embodiment of the present application is described with reference to fig. 8.
As shown in fig. 8, the electronic device 11 includes one or more processors 111 and memory 112.
The processor 111 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device 11 to perform desired functions.
Memory 112 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM), cache memory (cache), and/or the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium, and executed by the processor 111, to implement the method for binding the user account information and the user identity information according to the embodiments of the present application described above, and/or other desired functions. Various contents such as an input signal, a signal component, a noise component, etc. may also be stored in the computer-readable storage medium.
In one example, the electronic device 11 may further include: an input device 113 and an output device 114, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
The input device 113 may include, for example, a keyboard, a mouse, and the like.
The output device 114 may output various information including the determined distance information, direction information, and the like to the outside. The output devices 114 may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, among others.
Of course, for the sake of simplicity, only some of the components of the electronic device 11 relevant to the present application are shown in fig. 8, and components such as a bus, an input/output interface, and the like are omitted. In addition, the electronic device 11 may include any other suitable components, depending on the particular application.
Exemplary computer program product and computer-readable storage medium
In addition to the above methods and apparatus, embodiments of the present application may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform the steps in the method for binding user account information and user identity information according to various embodiments of the present application described in the above section "exemplary methods" of this specification.
The computer program product may be written with program code for performing the operations of embodiments of the present application in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present application may also be a computer-readable storage medium having stored thereon computer program instructions, which, when executed by a processor, cause the processor to perform the steps in the method for binding user account information and user identity information according to various embodiments of the present application, described in the "exemplary methods" section above in this specification.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing describes the general principles of the present application in conjunction with specific embodiments, however, it is noted that the advantages, effects, etc. mentioned in the present application are merely examples and are not limiting, and they should not be considered essential to the various embodiments of the present application. Furthermore, the foregoing disclosure of specific details is for the purpose of illustration and description and is not intended to be limiting, since the foregoing disclosure is not intended to be exhaustive or to limit the disclosure to the precise details disclosed.
The block diagrams of devices, apparatuses and systems referred to in this application are only given as illustrative examples and are not intended to require or imply that the connections, arrangements, configurations, etc. must be made in the manner shown in the block diagrams. These devices, apparatuses and systems may be connected, arranged, configured in any manner, as will be appreciated by those skilled in the art. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including, but not limited to," and are used interchangeably therewith. The words "or" and "and" as used herein mean, and are used interchangeably with, the phrase "and/or," unless the context clearly dictates otherwise. The phrase "such as" is used herein to mean, and is used interchangeably with, the phrase "such as but not limited to".
It should also be noted that in the devices, apparatuses, and methods of the present application, the components or steps may be decomposed and/or recombined. These decompositions and/or recombinations are to be considered as equivalents of the present application.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present application. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the application. Thus, the present application is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, the description is not intended to limit embodiments of the application to the form disclosed herein. While a number of example aspects and embodiments have been discussed above, those of skill in the art will recognize certain variations, modifications, alterations, additions and sub-combinations thereof.

Claims (15)

1. A method for binding user account information and user identity information is used for a gateway, and comprises the following steps:
receiving a ticket sent by an account binding service module when determining that target user identity information which a user has logged in is not bound to user account information for logging in a target application, wherein the ticket comprises: the address of the target application, the identification of the target application and the identity information of the target user;
informing a browser to jump to a proxy login interface of the target application of the gateway proxy according to the address of the target application and the identification of the target application;
receiving target user account information of the target application, which is input by the user through the browser on the proxy login interface;
sending the target user account information to an application server of the target application;
intercepting a response result returned by the application server according to the target user account information;
and sending the ticket, the target user account information and the response result to an account verification service module, so that the account verification server informs the account binding service module to bind and store the target user account information and the target user identity information included in the ticket when determining that the target user account information passes the authentication of the application server according to the response result.
2. The method of claim 1, wherein after sending the ticket, the target user account information, and the response result to an account verification server, the method further comprises:
receiving a first notice that the account information of the target user sent by the account verification service module passes the authentication of the application server;
and informing the single sign-on authentication center to log in by using the user account information.
3. The method of claim 1, wherein after sending the ticket, the target user account information, and the response result to an account verification server, the method further comprises:
receiving a second notice that the account information of the target user sent by the account verification service module fails to pass the authentication of the application server;
and sending the response result to the browser.
4. A method for binding user account information and user identity information is applied to an account binding service module, and comprises the following steps:
judging whether the target user identity information which is logged in by the user is bound with the user account information for logging in the target application or not according to the binding relationship between the stored user identity information and the user account information for logging in the application;
if the target user identity information is not bound with the user account information for logging in the target application, generating a ticket, wherein the ticket comprises: the address of the target application, the identification of the target application and the identity information of the target user;
sending the ticket to a gateway so that the gateway acquires target user account information used by the user for logging in the target application, intercepts a response result returned by an application server corresponding to the target application according to the target user account information, and sends the ticket, the target user account information and the response result to an account verification service module;
receiving the target user account information and the target user identity information included in the ticket, which are sent by the account verification service module when the target user account information is determined to pass the authentication of the application server;
and binding and storing the target user account information and the target user identity information.
5. A method for binding user account information and user identity information is applied to an account verification service module, and comprises the following steps:
receiving a ticket, target user account information and a response result sent by a gateway, wherein the response result is returned by an application server corresponding to a target application according to the target user account information and intercepted by the gateway, and the ticket comprises: the address of the target application, the identification of the target application and the identity information of the target user;
determining whether the target user account information passes the authentication of the application server according to the response result;
and if the target user account information passes the authentication of the application server, sending the target user account information and the target user identity information included in the ticket to an account binding service module so that the account binding service module binds and stores the target user account information and the target user identity information.
6. The method of claim 5, wherein if authenticated by the application server, the method further comprises:
and sending a first notice that the target user account information passes the authentication of the application server to the gateway so that the gateway informs a single sign-on authentication center to log in by using the user account information.
7. The method of claim 5, wherein if the target user account information does not pass the authentication of the application server, the method further comprises:
and sending a second notice that the target user account information fails to pass the authentication of the application server to the gateway so that the gateway sends the response result to the browser.
8. A gateway, characterized in that the gateway comprises:
a first receiving unit, configured to receive a ticket sent by an account binding service module when it is determined that target user identity information that a user has logged in is not bound to user account information used for logging in a target application, where the ticket includes: the address of the target application, the identification of the target application and the identity information of the target user;
the notification unit is used for notifying the browser to jump to a proxy login interface of the target application of the gateway proxy according to the address of the target application and the identification of the target application;
a second receiving unit, configured to receive target user account information of the target application, which is input by the user through the browser on the proxy login interface;
the first sending unit is used for sending the target user account information to an application server of the target application;
the intercepting unit is used for intercepting a response result returned by the application server according to the target user account information;
and the second sending unit is used for sending the ticket, the target user account information and the response result to an account verification service module, so that the account verification service module, when determining from the response result that the target user account information passes the authentication of the application server, notifies the account binding service module to bind and store the target user account information and the target user identity information included in the ticket.
9. The gateway of claim 8, further comprising:
a third receiving unit, configured to receive a first notification, sent by the account verification service module, that the target user account information passes the authentication of the application server;
the notification unit is further configured to notify the single sign-on authentication center of using the user account information to log in.
10. The gateway of claim 8, further comprising:
a third receiving unit, configured to receive a second notification, sent by the account verification service module, that the target user account information fails to pass the authentication of the application server;
the notification unit is further configured to send the response result to the browser.
11. An account binding service apparatus, the apparatus comprising:
the judging unit is used for judging whether the target user identity information logged in by the user is bound with the user account information used for logging in the target application or not according to the binding relationship between the stored user identity information and the user account information used for logging in the application;
a generating unit, configured to generate a ticket if the target user identity information is not bound to the user account information for logging in the target application, where the ticket includes: the address of the target application, the identification of the target application and the identity information of the target user;
the sending unit is used for sending the ticket to a gateway so that the gateway obtains target user account information used by the user for logging in to the target application, intercepts a response result returned by an application server corresponding to the target application according to the target user account information, and sends the ticket, the target user account information and the response result to an account verification service module;
the receiving unit is used for receiving the target user account information and the target user identity information contained in the ticket, which are sent by the account verification service module when the target user account information is determined to pass the authentication of the application server;
and the binding unit is used for binding and storing the target user account information and the target user identity information.
12. An account checking service apparatus, comprising:
a receiving unit, configured to receive a ticket, target user account information, and a response result sent by a gateway, where the response result is a response result returned by an application server corresponding to a target application intercepted by the gateway according to the target user account information, and the ticket includes: the address of the target application, the identification of the target application and the identity information of the target user;
a determining unit, configured to determine whether the target user account information passes the authentication of the application server according to the response result;
and the first sending unit is used for sending the target user account information and the target user identity information included in the ticket to an account binding service module if the target user account information passes the authentication of the application server, so that the account binding service module binds and stores the target user account information and the target user identity information.
13. The apparatus of claim 12, further comprising:
and the second sending unit is used for sending a first notice that the target user account information passes the authentication of the application server to the gateway if the target user account information passes the authentication of the application server so that the gateway informs a single sign-on authentication center to log in by using the user account information.
14. The apparatus of claim 12, further comprising:
and a second sending unit, configured to send, to the gateway, a second notification that the target user account information fails to be authenticated by the application server, so that the gateway sends the response result to the browser.
15. A system for binding user account information and user identity information, characterized in that the system comprises: the gateway of any one of claims 8 to 10, the account binding service apparatus of claim 11, and the account checking service apparatus of any one of claims 12 to 14.
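The message flow recited in claims 8, 11 and 12, as an added Python sketch that is not part of the patent. The HMAC on the ticket, the shared key, the redirect-based success rule and all names and sample values are assumptions: the claims do not say how the ticket is protected or how the response result is judged, but the verification service binds whatever identity the ticket carries, so the sketch checks ticket integrity before binding.

```python
import hashlib, hmac, json, secrets

# Assumption: a key shared by the binding and verification services (not in the claims).
TICKET_KEY = secrets.token_bytes(32)

def _mac(body):
    return hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()

class BindingService:
    def __init__(self):
        self.bindings = {}  # (identity, app_id) -> bound account name

    def issue_ticket(self, identity, app_id, app_addr):
        # Claim 11: a ticket is generated only when no binding exists yet.
        if (identity, app_id) in self.bindings:
            return None
        body = json.dumps({"addr": app_addr, "app": app_id, "identity": identity})
        return {"body": body, "mac": _mac(body)}

    def bind(self, identity, app_id, username):
        self.bindings[(identity, app_id)] = username

def app_server(account):
    # Constructed stand-in for the target application's login endpoint.
    ok = account == {"username": "alice_crm", "password": "correct-horse"}
    return {"status": 302, "location": "/home" if ok else "/login?error=1"}

def gateway_proxy_login(ticket, account):
    # Claim 8: forward the credentials, intercept the response, pass all three on.
    return ticket, account, app_server(account)

def login_succeeded(response):
    # Assumption: success is a redirect away from the login page.
    return response["status"] == 302 and not response["location"].startswith("/login")

def verify_and_bind(binding, ticket, account, response):
    # Claim 12, plus the assumed integrity check on the ticket.
    if not hmac.compare_digest(_mac(ticket["body"]), ticket["mac"]):
        return "rejected"
    if not login_succeeded(response):
        return "second_notification"   # gateway returns the response to the browser
    t = json.loads(ticket["body"])
    binding.bind(t["identity"], t["app"], account["username"])
    return "first_notification"        # gateway tells the SSO center to log in
```

Only the account name is stored here; a deployment that binds replayable credentials would also need to protect them at rest.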
CN202110117250.3A 2021-01-28 2021-01-28 Method, device and system for binding user account information and user identity information Active CN112968866B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110117250.3A CN112968866B (en) 2021-01-28 2021-01-28 Method, device and system for binding user account information and user identity information

Publications (2)

Publication Number Publication Date
CN112968866A (en) 2021-06-15
CN112968866B (en) 2021-10-01

Family

ID=76271901

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110117250.3A Active CN112968866B (en) 2021-01-28 2021-01-28 Method, device and system for binding user account information and user identity information

Country Status (1)

Country Link
CN (1) CN112968866B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102204211A (en) * 2011-05-30 2011-09-28 华为技术有限公司 Real-name account-opening method based on self-help terminal and terminal thereof
CN106713257A (en) * 2015-11-18 2017-05-24 北京奇虎科技有限公司 Method and device for service processing based on mobile device
CN109525604A (en) * 2018-12-29 2019-03-26 乐蜜有限公司 A kind of method and relevant device of account binding

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101997824B (en) * 2009-08-20 2016-08-10 中国移动通信集团公司 Identity identifying method based on mobile terminal and device thereof and system
CN102737308B (en) * 2012-06-08 2015-08-12 中兴通讯股份有限公司 The method and system of a kind of mobile terminal and inquiry smart card information thereof
CN103986720B (en) * 2014-05-26 2017-11-17 网之易信息技术(北京)有限公司 A kind of login method and device
CN104580265B (en) * 2015-02-13 2018-12-18 小米科技有限责任公司 Apparatus bound method and apparatus
CN106454820A (en) * 2015-08-12 2017-02-22 深圳富泰宏精密工业有限公司 Network system and method for realizing cloud-end identity authentication and mobile device
CN107294916B (en) * 2016-03-31 2019-10-08 北京神州泰岳软件股份有限公司 Single-point logging method, single-sign-on terminal and single-node login system
CN107786487B (en) * 2016-08-24 2021-02-02 腾讯科技(深圳)有限公司 Information authentication processing method, system and related equipment
CN111385267B (en) * 2018-12-29 2022-06-21 金联汇通信息技术有限公司 Application authorization control method and device and electronic equipment
CN111311251B (en) * 2020-05-09 2020-08-21 支付宝(杭州)信息技术有限公司 Binding processing method, device and equipment

Also Published As

Publication number Publication date
CN112968866A (en) 2021-06-15

Similar Documents

Publication Publication Date Title
JP6061364B2 (en) Cloud-assisted methods and services for application security verification
CN111311251B (en) Binding processing method, device and equipment
US9507927B2 (en) Dynamic identity switching
US9021055B2 (en) Nonconforming web service policy functions
KR102407334B1 (en) Gateway apparatus and operating method thereof
KR102026544B1 (en) Phishing page detection method and device
CN113079164B (en) Remote control method and device for bastion machine resources, storage medium and terminal equipment
CN112491776B (en) Security authentication method and related equipment
CN110011875B (en) Dial testing method, device, equipment and computer readable storage medium
CN113938886B (en) Identity authentication platform testing method, device, equipment and storage medium
US20150373011A1 (en) Credential collection in an authentication server employing diverse authentication schemes
CN112995166A (en) Resource access authentication method and device, storage medium and electronic equipment
CN112243002A (en) Data forwarding method and device, electronic equipment and computer readable medium
CN111818035A (en) Permission verification method and device based on API gateway
CN111404921B (en) Webpage application access method, device, equipment, system and storage medium
CN111241523B (en) Authentication processing method, device, equipment and storage medium
CN114745156A (en) Distributed single sign-on realization method and device, electronic equipment and storage medium
WO2017008409A1 (en) Cross-application data access method and apparatus
CN112968866B (en) Method, device and system for binding user account information and user identity information
CN109698832B (en) Method for rapidly providing Portal authentication and rapidly popping Portal authentication page and related equipment
CN113778725A (en) Data verification method and device
CN112104641B (en) Login form conversion method and device, storage medium and electronic equipment
CN114091077A (en) Authentication method, device, equipment and storage medium
CN101563885A (en) Methods and apparatus for securely signing on to a website via a security website
US8806589B2 (en) Credential collection in an authentication server employing diverse authentication schemes

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant