CN113079175A - Authorization system and method based on oauth2 protocol enhancement - Google Patents

Authorization system and method based on oauth2 protocol enhancement Download PDF

Info

Publication number: CN113079175A
Authority: CN (China)
Prior art keywords: authorization, client, platform, information, user
Legal status: Pending
Application number: CN202110399119.0A
Other languages: Chinese (zh)
Inventors: 李虎, 曾毅峰, 俞敏, 陈俊
Current assignee: Shanghai Pudong Development Bank Co Ltd
Original assignee: Shanghai Pudong Development Bank Co Ltd
Application filed by Shanghai Pudong Development Bank Co Ltd; priority to CN202110399119.0A

Classifications

    • H04L63/0807 Network security, authentication of entities using tickets, e.g. Kerberos
    • G06F21/31 Security arrangements for protecting computers, user authentication
    • H04L63/045 Network security, confidential data exchange wherein the sending and receiving entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
    • H04L63/083 Network security, authentication of entities using passwords
    • H04L63/10 Network security, controlling access to devices or network resources
    • H04L9/3213 Cryptographic mechanisms for verifying identity or authority involving a third party or trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L9/3226 Cryptographic mechanisms for verifying identity or authority using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3247 Cryptographic mechanisms for verifying identity or authority involving digital signatures
    • H04L9/3297 Cryptographic mechanisms for verifying identity or authority involving time stamps, e.g. generation of time stamps

Abstract

The invention relates to an authorization system enhanced on the basis of the oauth2 protocol, and a corresponding method. The system comprises a client and an authorization platform. The client is unidirectionally connected to a plurality of different service systems, so that request access information is sent from the client to the corresponding service system; the client and the service systems are each bidirectionally connected with the authorization platform. The authorization platform pushes an authorization confirmation page to the client and returns an authorization code to the corresponding service system; the client performs the user login operation and sends authorization confirmation information to the authorization platform; the service system sends request authorization information to the authorization platform, obtains a token from the authorization platform using the authorization code, and obtains user information from the authorization platform using the token. Compared with the prior art, the system and method simplify user operation during cross-service interaction, since the user does not need to log in repeatedly; at the same time data security is preserved, because user information need not be transmitted between service systems and so cannot be intercepted by malicious programs.

Description

Authorization system and method based on oauth2 protocol enhancement
Technical Field
The invention relates to the technical field of authorization authentication, in particular to an authorization system and an authorization method based on oauth2 protocol enhancement.
Background
Compared with traditional application systems, Internet applications offer a better user experience and stronger data security and have therefore developed rapidly; reliable user identity identification is what guarantees the safe operation of such applications.
At present, for a single application system, the user's identity can be effectively identified through login authentication. However, some service scenarios involve cross-service interaction, where authentication may be required multiple times; this increases the complexity of system interaction, degrades the user experience and reduces service access efficiency. To solve this problem, the prior art mostly passes user information between the different systems to achieve login-free authentication. Although this avoids repeated authentication of the client, it carries a serious data-security risk: while the user information is in transit it may be intercepted by a malicious program, and the user information is leaked.
Disclosure of Invention
The present invention is directed to overcoming the above-mentioned drawbacks of the prior art, and provides an authorization system and method based on oauth2 protocol enhancement that simplify user operation during cross-service interaction and ensure data security.
The purpose of the invention can be realized by the following technical scheme. An authorization system based on oauth2 protocol enhancement comprises a client and an authorization platform. The client is connected to a plurality of different service systems in a one-way manner, so that request access information is sent from the client to the corresponding service system; the client and the service systems are each connected with the authorization platform in a two-way manner. The authorization platform pushes an authorization confirmation page to the client and returns authorization codes to the corresponding service systems; the client performs the user login operation and sends authorization confirmation information to the authorization platform; the service systems send request authorization information to the authorization platform, obtain tokens from the authorization platform using the authorization codes, and obtain user information from the authorization platform using the tokens.
Further, the authorization platform comprises an authentication module, a resource module and a security module, each connected to an authorization module, and the authorization module is connected with the client. The authorization module provides services during the authorization process, the authentication module provides user authentication services before authorization, the resource module provides resource acquisition services after authorization, and the security module provides security services during interaction with the service systems.
Further, the service systems are bidirectionally connected with the authorization platform through their respective interactive interfaces, and each interactive interface carries a unique serial number and a timestamp.
An authorization method enhanced based on the oauth2 protocol comprises the following steps:
S1, the client sends different request access information to the corresponding service systems;
S2, according to the request access information sent by the client, the different service systems each send corresponding request authorization information to the authorization platform;
S3, the authorization platform performs login state authentication and authorization confirmation on the user in sequence, generates an authorization code, and calls back the corresponding service system with the authorization code;
S4, using the authorization code, the different service systems each obtain an access token from the authorization platform;
S5, using the access token, the different service systems each obtain the user information of the currently logged-in user from the authorization platform, which completes the cross-service interaction authorization process.
Further, after the service system receives the request access information from the client in step S2, if the request needs to identify the user, the service system sends the request authorization information to the authorization platform.
Further, step S3 specifically includes the following steps:
S31, the authorization platform receives the request authorization information from the service system and performs login authentication on the user; after the authentication passes, an authorization confirmation page is pushed to the client;
S32, after the user selects authorization confirmation at the client, the client sends the authorization confirmation information to the authorization platform;
S33, after receiving the authorization confirmation information, the authorization platform calls back the corresponding service system and returns an authorization code.
Further, the specific process of step S31 is as follows: the authorization platform receives request authorization information from a service system and identifies the current user's login state. If the user is not logged in, the authorization platform pushes a user login page to the client; after the user performs the login operation at the client, the authorization platform stores the login state in a back-end cache and in the user's cookie, and then pushes the authorization confirmation page to the client.
If the current user login state is logged in, the authorization platform pushes the authorization confirmation page to the client directly.
Further, the specific process of step S33 is as follows: the authorization platform verifies the received authorization confirmation information, generates an authorization code after the verification passes, and then calls back the corresponding service system with the generated authorization code.
Further, in the data information interaction of steps S2, S4 and S5, the service system is the requester and the authorization platform is the receiver;
in the data information interaction of step S3, the service system is the receiver and the authorization platform is the requester;
the requester and the receiver use the authorization code mode for data information interaction.
Further, the specific process of data information interaction between the requester and the receiver is as follows:
the requester first encrypts the sensitive data of the request and then signs the request message data, and sends to the receiver request information carrying a unique serial number, a timestamp and custom service parameters;
the receiver, in sequence, verifies the signature of the request message data, performs a replay check on the request message, decrypts the sensitive data of the request, encrypts the sensitive data of the response and signs the response message data, and then returns response information carrying custom service parameters to the requester;
the requester verifies the signature of the response message data and then decrypts the sensitive data of the response, which completes the data information interaction process.
Compared with the prior art, the invention has the following advantages:
Firstly, the invention connects the client with a plurality of different service systems, and connects both the client and the service systems bidirectionally with the authorization platform. When the user at the client requests access to several service systems in a cross-system interaction, the authorization platform receives the request authorization information from the different service systems and performs login authentication of the user, then calls back each corresponding service system directly with an authorization code, so that the different service systems can each obtain the user information from the authorization platform. In the user's cross-system access scenario no repeated login is therefore needed, which greatly simplifies the system interaction and thereby improves the user experience and service access efficiency. In addition, user information need not be transmitted between the different service systems, so interception by a malicious program is avoided, and replay of historical access requests is also avoided, further ensuring data security.
Secondly, the service systems are bidirectionally connected with the authorization platform through their respective interactive interfaces, and each interactive interface carries a unique serial number and a timestamp; this prevents replay and ensures the traceability of subsequent data information interactions. In addition, when a service system and the authorization platform exchange data information, the requester can send custom service parameters through the interactive interface, which avoids the loss of service parameters caused by front-end redirection and callback.
Drawings
FIG. 1 is a schematic diagram of a system data interaction of the present invention;
FIG. 2 is a schematic diagram of an authorization platform;
FIG. 3 is a schematic flow chart of the method of the present invention;
FIG. 4 is a schematic diagram illustrating a data information interaction process between a requester and a receiver according to the present invention;
Reference numerals in the figures: 1, client; 2, service system; 3, authorization platform; 301, authorization module; 302, authentication module; 303, resource module; 304, security module.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments.
Examples
The invention aims to achieve safe and efficient cross-service interactive authorization. After multiple rounds of investigation and comparison of candidate technical models, an open authorization model based on the oauth2.0 protocol was chosen to solve the problems; however, the protocol's basic capabilities alone may not meet the requirements, so cross-service interactive authorization needs to be enhanced on top of the oauth2 protocol.
The design takes the oauth2.0 protocol as its standard framework and mainly addresses the client-experience and data-security problems caused by repeated authentication or client-side parameter passing when a client jumps between platforms. In short, the platform can, according to the customer's wishes, authorize the customer's personal information held on the platform for use by different business systems.
As shown in FIG. 1, an authorization system enhanced based on the oauth2 protocol includes a client 1 and an authorization platform 3. The client 1 is unidirectionally connected to a plurality of different service systems 2 (FIG. 1 shows the connection of a single service system only), so that request access information is sent from the client 1 to the corresponding service system 2; the client 1 and the service systems 2 are each bidirectionally connected to the authorization platform 3. The authorization platform 3 is configured to push an authorization confirmation page to the client 1 and return an authorization code to the corresponding service system 2; the client 1 is configured to perform the user login operation and send authorization confirmation information to the authorization platform 3; the service system 2 is configured to send request authorization information to the authorization platform 3, obtain a token from the authorization platform 3 using the authorization code, and obtain user information from the authorization platform 3 using the token.
As shown in FIG. 2, the authorization platform 3 includes an authentication module 302, a resource module 303 and a security module 304, each connected to an authorization module 301, and the authorization module 301 is connected to the client 1. The authorization module 301 provides the services of the authorization process, mainly login state control, authorization confirmation, authorization cancellation, token issuance, resource control, and integrated linkage with the other service modules;
the authentication module 302 provides user authentication services before authorization, mainly user login, registration, password functions and the like;
the resource module 303 provides resource acquisition services after authorization, mainly the access routing and encapsulation used to obtain resource information from external systems;
the security module 304 provides security services during interaction with the business systems, mainly message tamper resistance, data encryption and the like.
In the invention, a plurality of service systems 2 are bidirectionally connected with an authorization platform 3 through respective interactive interfaces, and each interactive interface carries a unique serial number and a timestamp, so that the interaction traceability is increased while the replay prevention is realized.
When the system is applied in practice, the authorization method proceeds as shown in FIG. 3 and includes the following steps:
S1, the client sends different request access information to the corresponding service systems;
S2, according to the request access information sent by the client, the different service systems each send corresponding request authorization information to the authorization platform. Specifically, after a service system receives request access information from the client, it sends request authorization information to the authorization platform only if the request needs to identify the user; otherwise no request authorization information is sent;
S3, the authorization platform performs login state authentication and authorization confirmation on the user in sequence, generates an authorization code, and calls back the corresponding service system with the authorization code, specifically:
S31, the authorization platform receives the request authorization information from the service system and performs login authentication on the user; after the authentication passes, an authorization confirmation page is pushed to the client. When the authorization platform receives the request authorization information from the service system, it first identifies the current user's login state. If the user is not logged in, the authorization platform pushes the user login page to the client; after the user performs the login operation at the client, the authorization platform stores the login state in a back-end cache and in the user's cookie, and then pushes the authorization confirmation page to the client;
if the current user login state is logged in, the authorization platform pushes the authorization confirmation page to the client directly;
S32, after the user selects authorization confirmation at the client, the client sends the authorization confirmation information to the authorization platform;
S33, after receiving the authorization confirmation information, the authorization platform calls back the corresponding service system and returns an authorization code: the authorization platform first verifies the received authorization confirmation information, generates the authorization code after the verification passes, and then calls back the corresponding service system with the generated authorization code;
S4, using the authorization code, the different service systems each obtain an access token from the authorization platform;
S5, using the access token, the different service systems each obtain the user information of the currently logged-in user from the authorization platform, which completes the cross-service interaction authorization process.
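Steps S1 to S5 above, modelled as an added Python example (not the patent's code): a toy authorization platform that identifies the login state from the cookie, pushes either the login page or the confirmation page, issues a single-use authorization code bound to the requesting service system, exchanges it for a token, and serves user info for that token. The class, method and parameter names, the lifetimes and the sample user are all assumptions made for this example.

```python
import secrets
import time

CODE_TTL = 60        # lifetime of an authorization code in seconds (assumed value)
LOGIN_TTL = 30 * 60  # lifetime of the cached login state in seconds (assumed value)


class AuthorizationPlatform:
    """Toy model of the authorization platform's handling of steps S2 to S5 (added example)."""

    def __init__(self, now=time.time):
        self.now = now
        self.users = {"alice": "correct-horse"}  # constructed user store (authentication module)
        self.login_cache = {}  # cookie value -> (user, expiry): back-end login state, step S31
        self.pending = {}      # state -> service_id: request authorization info awaiting confirmation
        self.codes = {}        # code -> (user, service_id, expiry): unused authorization codes, step S33
        self.tokens = {}       # access token -> (user, service_id), step S4

    def login_state(self, cookie):
        """Step S31: identify the current login state from the user's cookie."""
        entry = self.login_cache.get(cookie)
        if entry and entry[1] > self.now():
            return entry[0]
        return None

    def login(self, user, password):
        """Login page submitted; on success the login state is cached and its id goes into the cookie."""
        if self.users.get(user) != password:
            return None
        cookie = secrets.token_urlsafe(16)
        self.login_cache[cookie] = (user, self.now() + LOGIN_TTL)
        return cookie

    def request_authorization(self, service_id, cookie):
        """Steps S2/S31: a service system sends request authorization info; returns the page to push."""
        state = secrets.token_urlsafe(8)
        self.pending[state] = service_id
        if self.login_state(cookie) is None:
            return ("login_page", state)
        return ("confirm_page", state)

    def confirm(self, state, cookie, approved):
        """Steps S32/S33: verify the authorization confirmation, then call back the service system with a code."""
        service_id = self.pending.pop(state, None)
        user = self.login_state(cookie)
        if service_id is None or user is None or not approved:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, service_id, self.now() + CODE_TTL)
        return (service_id, code)

    def exchange_code(self, service_id, code):
        """Step S4: the code is single-use and bound to the service system it was issued to."""
        entry = self.codes.pop(code, None)  # popped first: any failed attempt burns the code
        if entry is None:
            return None
        user, bound_service, expiry = entry
        if bound_service != service_id or expiry < self.now():
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, service_id)
        return token

    def user_info(self, service_id, token):
        """Step S5: the resource module returns the current user's information for a valid token."""
        entry = self.tokens.get(token)
        if entry is None or entry[1] != service_id:
            return None
        return {"user": entry[0]}


def cross_service_demo(platform=None):
    """Two service systems A and B: the user logs in once, both obtain user info, no second login."""
    platform = platform or AuthorizationPlatform()
    page_a, state = platform.request_authorization("service-A", cookie=None)  # not logged in yet
    cookie = platform.login("alice", "correct-horse")
    _, code_a = platform.confirm(state, cookie, approved=True)
    token_a = platform.exchange_code("service-A", code_a)
    page_b, state = platform.request_authorization("service-B", cookie)      # login state is cached
    _, code_b = platform.confirm(state, cookie, approved=True)
    token_b = platform.exchange_code("service-B", code_b)
    return {
        "page_a": page_a,
        "page_b": page_b,
        "info_a": platform.user_info("service-A", token_a),
        "info_b": platform.user_info("service-B", token_b),
        "code_a_replayed": platform.exchange_code("service-A", code_a),  # consumed in S4
    }


if __name__ == "__main__":
    print(cross_service_demo())
```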
In the method, in the data information interaction of steps S2, S4 and S5, the service system is the requester and the authorization platform is the receiver;
in the data information interaction of step S3, the service system is the receiver and the authorization platform is the requester;
the requester and the receiver use the authorization code mode for data information interaction.
As shown in FIG. 4, the specific process of data information interaction between the requester and the receiver is as follows:
the requester first encrypts the sensitive data of the request and then signs the request message data, and sends to the receiver request information carrying a unique serial number, a timestamp and custom service parameters;
the receiver, in sequence, verifies the signature of the request message data, performs a replay check on the request message, decrypts the sensitive data of the request, encrypts the sensitive data of the response and signs the response message data, and then returns response information carrying custom service parameters to the requester;
the requester verifies the signature of the response message data and then decrypts the sensitive data of the response, which completes the data information interaction process.
Namely, the method imposes the following constraints: all interactive interfaces must be signed and signature-verified, and if an interface involves sensitive customer information, encryption must be applied;
all interactive interfaces must carry a unique serial number and a timestamp, which prevents replay and at the same time improves the traceability of interactions;
only the authorization code mode is supported and the authorization scope is abolished; the accessing system can instead send resource group parameters according to actual need;
the authorization request interface can carry custom service parameters, so that service parameters are not lost through front-end redirection and callback;
in this way the data security of cross-service access is further improved.
In a specific implementation, the invention can use the SM2 national cryptographic algorithm to sign and verify all parameters of a message, use the SM4 national cryptographic algorithm to encrypt and decrypt the sensitive information in a message, and protect messages against replay with a nonce plus timestamp scheme. In addition, before authorization, if a service system requests user information from the authorization system for the first time and the authorization system identifies that the current state is not logged in, the user is required to log in; after login is complete, the login state is stored in a back-end cache and in the user's cookie, the service system is called back directly with an authorization code, the authorization code is subsequently exchanged for a token, and the user information is then obtained with the token. If the authorization system is accessed again before the login state expires, the login state information can be obtained directly from the cookie and the back-end cache; the service system is then called back with an authorization code, the code is exchanged for a token, and the user information is obtained with the token.
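The requester/receiver exchange of FIG. 4 and the interface constraints above, as an added Python example that is not the patent's code: HMAC-SHA256 over a canonical serialization of all message parameters stands in for the SM2 signature, and the SM4 encryption of sensitive fields is left out, so the block demonstrates only the request signature, the serial-number-plus-timestamp replay check on the receiver, and the signed response checked by the requester. Function names, the tolerance window, the sample key and messages are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

TIMESTAMP_WINDOW = 300  # seconds a request timestamp may deviate from the receiver's clock (assumed)


def canonical(fields):
    """Deterministic serialization so requester and receiver sign exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(key, fields):
    """Signature over all message parameters (HMAC-SHA256 here; SM2 in the patent)."""
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def signature_ok(key, message):
    """Constant-time signature check; malformed envelopes fail closed."""
    body, sig = message.get("body"), message.get("signature")
    if not isinstance(body, dict) or not isinstance(sig, str) or not sig.isascii():
        return False
    return hmac.compare_digest(sign(key, body), sig)


def build_request(key, service_params, serial=None, timestamp=None):
    """Requester side: signed request carrying a unique serial number, timestamp and custom params."""
    body = {
        "serial": serial or secrets.token_hex(8),
        "timestamp": timestamp if timestamp is not None else int(time.time()),
        "params": service_params,
    }
    return {"body": body, "signature": sign(key, body)}


class Receiver:
    """Receiver side of the interactive interface: signature check, replay check, signed response."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now
        self.seen = {}  # serial -> timestamp of every request accepted inside the window

    def handle(self, message, service):
        # 1. request message signature check, before any parameter is trusted
        if not signature_ok(self.key, message):
            return self._respond({"error": "bad_signature"})
        body = message["body"]
        serial, ts = body.get("serial"), body.get("timestamp")
        now = self.now()
        # 2. request replay check: well-formed serial, fresh timestamp, serial never accepted before
        if not isinstance(serial, str) or not serial:
            return self._respond({"error": "bad_serial"})
        if not isinstance(ts, (int, float)) or abs(now - ts) > TIMESTAMP_WINDOW:
            return self._respond({"error": "stale_timestamp"})
        self._prune(now)
        if serial in self.seen:
            return self._respond({"error": "replayed_serial"})
        self.seen[serial] = ts
        # 3. service logic runs only on verified, fresh parameters
        result = service(body.get("params"))
        # 4. response message signature; the serial is echoed so the requester can correlate it
        return self._respond({"serial": serial, "timestamp": now, "params": result})

    def _prune(self, now):
        """Serials older than the window can be forgotten: their timestamp check would fail anyway."""
        self.seen = {s: ts for s, ts in self.seen.items() if now - ts <= TIMESTAMP_WINDOW}

    def _respond(self, body):
        return {"body": body, "signature": sign(self.key, body)}


def read_response(key, message):
    """Requester side: response signature check; returns the body, or None if it fails."""
    return message["body"] if signature_ok(key, message) else None
```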
In summary, compared with the prior art, when the user performs cross-system access, on one hand, the invention avoids the user from repeatedly logging in, thereby simplifying the system interaction complexity and improving the customer experience and the service access efficiency; on the other hand, the mutual transmission of user information among different service systems is not needed, so that the interception by malicious program information is avoided, and the replay of historical access requests is also avoided.

Claims (10)

1. An authorization system enhanced based on an oauth2 protocol, comprising a client (1) and an authorization platform (3), wherein the client (1) is unidirectionally connected to a plurality of different business systems (2) to send request access information from the client (1) to the corresponding business systems (2), the client (1) and the business systems (2) are respectively bidirectionally connected to the authorization platform (3), the authorization platform (3) is configured to push an authorization confirmation page to the client (1) and return an authorization code to the corresponding business system (2), the client (1) is configured to perform a user login operation and send authorization confirmation information to the authorization platform (3), and the business system (2) is configured to send request authorization information to the authorization platform (3), obtain a token from the authorization platform (3) according to the authorization code, and obtain user information from the authorization platform (3) according to the token.
2. The authorization system enhanced based on the oauth2 protocol of claim 1, wherein the authorization platform (3) comprises an authentication module (302), a resource module (303), and a security module (304) respectively connected to an authorization module (301), the authorization module (301) is connected to the client (1), the authorization module (301) is configured to provide a service in an authorization process, the authentication module (302) is configured to provide a user authentication service before authorization, the resource module (303) is configured to provide a resource acquisition service after authorization, and the security module (304) is configured to provide a security service in an interaction process with the business system (2).
3. The authorization system enhanced based on oauth2 protocol according to claim 1, wherein the service systems (2) are bidirectionally connected to the authorization platform (3) via respective interactive interfaces, and the interactive interfaces carry unique serial numbers and timestamps.
4. An authorization method for applying the authorization system enhanced based on oauth2 protocol of claim 1, comprising the following steps:
S1, the client sends different request access information to the corresponding service systems;
S2, according to the request access information sent by the client, the different service systems respectively send corresponding request authorization information to an authorization platform;
S3, the authorization platform carries out login state authentication and authorization confirmation on the user in sequence to generate an authorization code, and calls back the corresponding service system with the authorization code;
S4, according to the authorization code, the different service systems respectively obtain access tokens from the authorization platform;
S5, according to the access token, the different service systems respectively obtain the user information of the currently logged-in user from the authorization platform, which completes the cross-service interaction authorization process.
5. The authorization method according to claim 4, wherein after the service system receives the request access information from the client in step S2, if the request needs to identify the user, the service system sends the request authorization information to the authorization platform.
6. The authorization method according to claim 4, wherein the step S3 specifically includes the following steps:
S31, the authorization platform receives the request authorization information from the service system and performs login authentication on the user, and after the authentication passes, an authorization confirmation page is pushed to the client;
S32, after the user selects the authorization confirmation at the client, the client sends the authorization confirmation information to the authorization platform;
S33, after receiving the authorization confirmation information, the authorization platform calls back the corresponding service system and returns an authorization code.
7. The authorization method according to claim 6, wherein the specific process of step S31 is as follows: the authorization platform receives request authorization information from a service system, identifies the current user login state, if the current user login state is not logged in, the authorization platform pushes a user login page to a client, after the user executes login operation at the client, the authorization platform stores the login state in a back-end cache and a cookie of the user, and then pushes an authorization confirmation page to the client;
and if the current user login state is logged in, the authorization platform directly pushes an authorization confirmation page to the client.
8. The authorization method according to claim 6, wherein the specific process of step S33 is as follows: and the authorization platform verifies the received authorization confirmation information, generates an authorization code after the verification is passed, and then calls back the generated authorization code to the corresponding service system.
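As an added example, not code from the patent, the following Python simulates the procedure of claims 4 to 8 in memory for two business systems sharing one authorization platform: the first access requires a login, the login state is kept in a back-end cache and handed to the client as a cookie, a second business system reached with the same cookie skips the login, and each business system trades its callback code for a token and then for user information. The class and field names, the demo credential, the 60-second code lifetime and the rule that a code is single-use and bound to the business system it was issued to are assumptions of this example (the patent describes callbacks, tokens and the cache plus cookie, not these details); the real systems exchange these messages over HTTP, here they are plain method calls so the example runs offline.

```python
"""Added example (not the patent's code): in-memory simulation of claims 4-8.
Assumed: names, credential, CODE_TTL_SECONDS, single-use codes bound to the
business system that requested them."""
import secrets
import time

CODE_TTL_SECONDS = 60  # assumed lifetime of an authorization code


class AuthorizationPlatform:
    """Authorization platform (3): login state, confirmation, codes, tokens."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.login_states = {}  # back-end cache: cookie value -> user id
        self.pending = {}       # confirmation id -> (business_system, cookie)
        self.codes = {}         # code -> (business system name, user, issued_at)
        self.tokens = {}        # access token -> user id

    def request_authorization(self, business_system, cookie):
        """S31: read the login state; answer ('login', None) or ('confirm', id)."""
        user = self.login_states.get(cookie) if cookie else None
        if user is None:
            return "login", None
        confirm_id = secrets.token_urlsafe(16)
        self.pending[confirm_id] = (business_system, cookie)
        return "confirm", confirm_id

    def login(self, username, password):
        """Login page: on success the login state goes to the cache and a cookie."""
        if password != "correct-horse":  # constructed demo credential
            return None
        cookie = secrets.token_urlsafe(32)
        self.login_states[cookie] = username
        return cookie

    def confirm(self, confirm_id, cookie):
        """S32/S33: verify the confirmation, issue a code, call back the system."""
        entry = self.pending.pop(confirm_id, None)
        if entry is None or entry[1] != cookie:
            raise PermissionError("confirmation does not match a pending request")
        business_system, _ = entry
        code = secrets.token_urlsafe(24)
        self.codes[code] = (business_system.name, self.login_states[cookie], self.clock())
        business_system.callback(code)
        return code

    def exchange_code(self, business_system_name, code):
        """S4: the code is one-time, bound to its business system, time limited."""
        entry = self.codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already used authorization code")
        owner, user, issued_at = entry
        if owner != business_system_name:
            raise PermissionError("code was issued to a different business system")
        if self.clock() - issued_at > CODE_TTL_SECONDS:
            raise PermissionError("authorization code expired")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return token

    def user_info(self, token):
        """S5: the resource module returns the user bound to the token."""
        user = self.tokens.get(token)
        if user is None:
            raise PermissionError("invalid access token")
        return {"user": user}


class BusinessSystem:
    """Business system (2): receives the code by callback, trades it for a token."""

    def __init__(self, name, platform):
        self.name, self.platform, self.code = name, platform, None

    def callback(self, code):
        self.code = code

    def fetch_user(self):
        token = self.platform.exchange_code(self.name, self.code)
        return self.platform.user_info(token)


def run_flow(platform, system, cookie):
    """Drive S2..S5 for one system; returns (user_info, cookie, logged_in_now)."""
    state, confirm_id = platform.request_authorization(system, cookie)
    logged_in_now = False
    if state == "login":
        cookie = platform.login("alice", "correct-horse")  # constructed user
        logged_in_now = True
        state, confirm_id = platform.request_authorization(system, cookie)
    platform.confirm(confirm_id, cookie)
    return system.fetch_user(), cookie, logged_in_now


if __name__ == "__main__":
    p = AuthorizationPlatform()
    a, b = BusinessSystem("system-A", p), BusinessSystem("system-B", p)
    info_a, cookie, first = run_flow(p, a, None)   # first access: login required
    info_b, _, second = run_flow(p, b, cookie)     # same cookie: no second login
    print(info_a, info_b, first, second)
```

The checks in `exchange_code` are what keep the callback code from being usable by anyone who observes it: a code that has already been redeemed, a code presented by a different business system than the one it was issued to, and a code older than its lifetime are all refused, and the token is only ever handed to the system that completed the exchange.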
9. The authorization method according to claim 4, wherein in the data information interaction process of step S2, step S4 and step S5, the service system is the requesting party, and the authorization platform is the receiving party;
in the data information interaction process of step S3, the service system is the receiving party, and the authorization platform is the requesting party;
and the requester and the receiver adopt an authorization code mode to carry out data information interaction.
10. The authorization method according to claim 9, wherein the specific process of data information interaction between the requesting party and the receiving party is as follows: the requester in turn encrypts the sensitive data of the request and signs the request message data, and then sends request information carrying a unique serial number, a timestamp and custom service parameters to the receiver;
the receiver in turn verifies the signature of the request message data, checks the request message for replay, decrypts the sensitive data of the request, encrypts the sensitive data of the response and signs the response message data, and then returns response information carrying custom service parameters to the requester;
the requester in turn verifies the signature of the response message data and decrypts the sensitive data of the response, which completes the data information interaction.
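The request and response envelope of claim 10, together with the nonce plus timestamp anti-replay protection from the description (signing all parameters, encrypting only the sensitive fields, and the receiver verifying the signature, then checking for replay, then decrypting), as an added example that is not part of the patent. Python's standard library has no SM2 or SM4, so two labelled stand-ins are used: HMAC-SHA256 over the canonicalised parameters stands in for the SM2 signature (note that SM2 is asymmetric, each side would sign with its own private key and verify with the other side's public key, whereas this HMAC uses one shared key), and a HMAC-derived keystream stands in for SM4 encryption of the sensitive field. The envelope layout, the order of checks and the replay window are the point; the field names, the 300-second window, the keys and the sample message are assumptions constructed for this example.

```python
"""Added example (not the patent's code): claim 10 envelope plus nonce+timestamp
replay check. HMAC-SHA256 stands in for SM2 signing and a HMAC keystream for SM4;
keys, field names and TIMESTAMP_WINDOW are assumptions."""
import hashlib
import hmac
import json
import secrets
import time

SIGN_KEY = b"constructed-signing-key"   # constructed demo key (SM2 keypair in practice)
DATA_KEY = b"constructed-data-key"      # constructed demo key (SM4 key in practice)
TIMESTAMP_WINDOW = 300                  # seconds of clock skew the receiver accepts


def canonical(params: dict) -> bytes:
    """All parameters except the signature itself, in a fixed order."""
    body = {k: v for k, v in params.items() if k != "sign"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(params: dict) -> str:
    return hmac.new(SIGN_KEY, canonical(params), hashlib.sha256).hexdigest()


def verify(params: dict) -> bool:
    return hmac.compare_digest(params.get("sign", ""), sign(params))


def _keystream(nonce: str, length: int) -> bytes:
    """Stand-in keystream (counter mode over HMAC); never reuse a nonce with a key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(DATA_KEY, f"{nonce}:{counter}".encode(), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: str, nonce: str) -> str:
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data)))).hex()


def decrypt(ciphertext_hex: str, nonce: str) -> str:
    data = bytes.fromhex(ciphertext_hex)
    return bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data)))).decode()


class ReplayCache:
    """Receiver-side record of serial numbers seen inside the timestamp window."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.seen = {}  # serial number -> timestamp it carried

    def check(self, serial: str, timestamp: int) -> None:
        now = self.clock()
        if abs(now - timestamp) > TIMESTAMP_WINDOW:
            raise ValueError("timestamp outside the accepted window")
        # entries older than the window can no longer be replayed; forget them
        self.seen = {s: t for s, t in self.seen.items() if now - t <= TIMESTAMP_WINDOW}
        if serial in self.seen:
            raise ValueError("replayed serial number")
        self.seen[serial] = timestamp


def build_request(business_params: dict, sensitive: str, clock=time.time) -> dict:
    """Requester: encrypt the sensitive field, then sign the whole message."""
    msg = dict(business_params)
    msg["serial"] = secrets.token_hex(16)   # unique serial number (the nonce)
    msg["timestamp"] = int(clock())
    msg["sensitive"] = encrypt(sensitive, msg["serial"])
    msg["sign"] = sign(msg)
    return msg


def handle_request(msg: dict, cache: ReplayCache, clock=time.time) -> dict:
    """Receiver, in the claimed order: verify, replay check, decrypt, encrypt, sign."""
    if not verify(msg):
        raise ValueError("bad request signature")
    cache.check(msg["serial"], msg["timestamp"])
    secret = decrypt(msg["sensitive"], msg["serial"])
    reply = {"serial": msg["serial"], "timestamp": int(clock()), "result": "ok"}
    reply["sensitive"] = encrypt(secret.upper(), reply["serial"] + ":resp")
    reply["sign"] = sign(reply)
    return reply


def read_response(reply: dict) -> str:
    """Requester: verify the response signature first, then decrypt."""
    if not verify(reply):
        raise ValueError("bad response signature")
    return decrypt(reply["sensitive"], reply["serial"] + ":resp")


if __name__ == "__main__":
    cache = ReplayCache()
    req = build_request({"op": "userinfo"}, "id-card-123")   # constructed message
    print(read_response(handle_request(req, cache)))
```

Two details matter for the replay check: the signature is verified before the serial number is recorded, so an attacker cannot poison the cache with forged serials, and the cache only has to remember serials for one timestamp window, because anything older is rejected by the timestamp test regardless of whether it was seen before.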

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110399119.0A CN113079175A (en) 2021-04-14 2021-04-14 Authorization system and method based on oauth2 protocol enhancement

Publications (1)

Publication Number Publication Date
CN113079175A (en) 2021-07-06

Family

ID=76618690

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110399119.0A Pending CN113079175A (en) 2021-04-14 2021-04-14 Authorization system and method based on oauth2 protocol enhancement

Country Status (1)

Country Link
CN (1) CN113079175A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113435898A (en) * 2021-07-09 2021-09-24 支付宝(杭州)信息技术有限公司 Data processing method and system
CN113487322A (en) * 2021-07-09 2021-10-08 支付宝(杭州)信息技术有限公司 Data processing method and system
CN113535102A (en) * 2021-09-16 2021-10-22 飞天诚信科技股份有限公司 Intelligent Internet of things platform system, working method thereof and computer readable storage medium
CN113630252A (en) * 2021-07-13 2021-11-09 上海百胜软件股份有限公司 Multi-platform access method, system and equipment
CN113810426A (en) * 2021-09-30 2021-12-17 完美世界(北京)软件科技发展有限公司 Access system, method and device of instant messaging service
CN114329290A (en) * 2021-12-15 2022-04-12 北京科东电力控制系统有限责任公司 Capability opening platform and authorized access method thereof
CN115189919A (en) * 2022-06-17 2022-10-14 浪潮软件股份有限公司 Method and system for sharing information between platform and living application based on cryptographic algorithm
CN115801322A (en) * 2022-10-20 2023-03-14 浪潮软件股份有限公司 Encryption method and system for realizing server-side secure communication

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102624739A (en) * 2012-03-30 2012-08-01 奇智软件(北京)有限公司 Authentication and authorization method and system applied to client platform
CN110535652A (en) * 2019-07-01 2019-12-03 广州昆仑科技有限公司 A kind of system and method by each operation system data integration displaying and unified login
CN110611661A (en) * 2019-08-23 2019-12-24 国网浙江省电力有限公司电力科学研究院 Acquired information sharing method and system based on double-authentication multiple-protection measures
CN111212095A (en) * 2020-04-20 2020-05-29 国网电子商务有限公司 Authentication method, server, client and system for identity information
CN111327582A (en) * 2019-08-22 2020-06-23 刘高峰 Authorization method, device and system based on OAuth protocol
CN111949959A (en) * 2020-08-14 2020-11-17 中国工商银行股份有限公司 Authorization authentication method and device in Oauth protocol
CN111949958A (en) * 2020-08-14 2020-11-17 中国工商银行股份有限公司 Authorization authentication method and device in Oauth protocol
CN111988318A (en) * 2020-08-21 2020-11-24 上海浦东发展银行股份有限公司 Authorization authentication system and method thereof
CN112333198A (en) * 2020-11-17 2021-02-05 中国银联股份有限公司 Secure cross-domain login method, system and server
CN112445800A (en) * 2020-11-20 2021-03-05 北京思特奇信息技术股份有限公司 Method and system for generating data serial number and electronic equipment

Similar Documents

Publication Publication Date Title
CN113079175A (en) Authorization system and method based on oauth2 protocol enhancement
CN108810029B (en) Authentication system and optimization method between micro-service architecture services
CN106357649B (en) User identity authentication system and method
CN107294916B (en) Single-point logging method, single-sign-on terminal and single-node login system
CN104506534B (en) Secure communication key agreement interaction schemes
US8527762B2 (en) Method for realizing an authentication center and an authentication system thereof
CN108833507B (en) Authorization authentication system and method for shared product
US20110035582A1 (en) Network authentication service system and method
CN103906052B (en) A kind of mobile terminal authentication method, Operational Visit method and apparatus
US20110213959A1 (en) Methods, apparatuses, system and related computer program product for privacy-enhanced identity management
CN105554098A (en) Device configuration method, server and system
CN113015159B (en) Initial security configuration method, security module and terminal
CN105282095A (en) Login verification method and device of virtual desktop
US11811739B2 (en) Web encryption for web messages and application programming interfaces
US9672367B2 (en) Method and apparatus for inputting data
CN113630407A (en) Method and system for enhancing transmission security of MQTT protocol by using symmetric cryptographic technology
CN111405062A (en) Mimic input agent device based on SSH protocol, communication system and method
CN104579657A (en) Method and device for identity authentication
CN114390524B (en) Method and device for realizing one-key login service
CN102255904B (en) Communication network and terminal authentication method thereof
CN113993127B (en) Method and device for realizing one-key login service
CN107135228B (en) Authentication system and authentication method based on central node
CN114158046B (en) Method and device for realizing one-key login service
CN116647345A (en) Method and device for generating permission token, storage medium and computer equipment
CN108600266B (en) Statement filtering authentication method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20210706)