CN113111335B - Authentication method, authentication device, authentication equipment and storage medium - Google Patents

Publication number: CN113111335B
Other versions: CN113111335A
Application number: CN202010032716.5A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 黄崔扬
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd
Legal status: Active
Prior art keywords: information; actual; service platform; identification information; authentication
Events: application filed by Sangfor Technologies Co Ltd; priority to CN202010032716.5A; publication of CN113111335A; application granted; publication of CN113111335B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/542 Event management; Broadcasting; Multicasting; Notifications

Abstract

The application discloses an authentication method, an authentication device, authentication equipment and a storage medium. The authentication method comprises: receiving an authentication request that carries user information; acquiring target information in the user information that meets the authorization standards, and generating authorization identification information; storing the authorization identification information and broadcasting synchronization information containing the authorization identification information to the other service platforms in the service platform cluster; and returning the authorization identification information to the target user equipment corresponding to the target information. In a service platform cluster scenario, the method ensures that after user equipment passes the authentication of one service platform, it can access the service data of all service platforms in the cluster, thereby ensuring the overall availability of the service platform cluster. The application also provides an authentication device, equipment and a storage medium, which have the same beneficial effects as described above.

Description

Authentication method, authentication device, authentication equipment and storage medium
Technical Field
The present invention relates to the field of communication authentication, and in particular, to an authentication method, apparatus, device, and storage medium.
Background
With the continuous development of network technology, networks have become one of the common ways for people to acquire information, so various service platforms based on server devices in the network keep appearing and provide corresponding services to user devices in the network. Because communication efficiency is affected by communication distance, service platforms of the same service type are, in practice, deployed in different geographic areas to form a service platform cluster, so that user equipment in different geographic areas can access a service platform relatively efficiently; the user equipment can then preferentially access the service platform in its own area, or the service platform closest to that area, according to its current area.
To ensure the data security of a service platform, identity authentication is usually performed on user equipment when it accesses the service platform, so that only user equipment authorized by the service platform is allowed to access it. However, in the current distributed service platform cluster scenario, after user equipment passes the authentication of one service platform in the cluster, it still cannot access the service data of the other service platforms in the cluster, so the overall availability of the service platform cluster is difficult to ensure.
Therefore, providing an authentication method that ensures that user equipment can access the service data of all service platforms in the service platform cluster after passing the authentication of one service platform in the cluster, thereby ensuring the overall availability of the service platform cluster, is a problem to be solved by those skilled in the art.
Disclosure of Invention
The invention aims to provide an authentication method, an authentication device, authentication equipment and a storage medium, so that in a service platform cluster scenario, user equipment can access the service data of all service platforms in the cluster after passing the authentication of one service platform, thereby ensuring the overall availability of the service platform cluster.
In order to solve the above technical problems, the present application provides an authentication method, which is applied to a service platform in a service platform cluster, and includes:
receiving an authentication request, wherein the authentication request carries user information;
acquiring target information meeting authorization standards in user information, and generating authorization identification information;
storing the authorization identification information, and broadcasting the synchronous information containing the authorization identification information to other service platforms in the service platform cluster so that the service platforms in the service platform cluster respond to the access request initiated by the user equipment based on the synchronous information;
and returning the authorization identification information to the target user equipment corresponding to the target information so that the target user equipment can access the service platform in the service platform cluster based on the authorization identification information.
Preferably, the method further comprises:
receiving a current access request, wherein the current access request carries actual authorization identification information;
judging whether the actual authorization identification information is matched with the authorization identification information in the synchronous information;
if the actual authorization identification information matches the authorization identification information in the synchronization information, executing a service response to the corresponding current user equipment according to the current access request;
if the actual authorization identification information does not match the authorization identification information in the synchronization information, stopping responding to the current access request.
Preferably, generating the authorization identification information includes:
acquiring platform identity information of a local service platform, and performing encryption operation on plaintext information containing the platform identity information to obtain authorization identification information;
the method further comprises the steps of:
receiving a current access request, wherein the current access request carries actual authorization identification information;
performing decryption operation on the actual authorization identification information to obtain actual plaintext information, and acquiring actual platform identity information in the actual plaintext information;
according to the identity information of the actual platform, a verification request for the actual authorization identification information is initiated to the corresponding target service platform, and a verification result is received;
judging whether the verification result is in a verification passing state or not;
if the verification result is in a verification passing state, executing service response on the corresponding current user equipment according to the current access request;
and if the verification result is not in the verification passing state, stopping responding to the current access request.
Preferably, generating the authorization identification information includes:
generating authentication information according to the target information, and performing encryption operation on plaintext information containing the authentication information to obtain authorization identification information;
the method further comprises the steps of:
receiving a current access request, wherein the current access request carries actual authorization identification information and actual user information;
performing decryption operation on the actual authorization identification information to obtain actual plaintext information, and acquiring actual authentication information in the actual plaintext information;
judging whether the actual user information is matched with the actual authentication information;
if the actual user information is matched with the actual authentication information, executing service response on the corresponding current user equipment according to the current access request;
if the actual user information does not match the actual authentication information, stopping responding to the current access request.
Preferably, generating the authorization identification information includes:
acquiring platform identity information of a local service platform, and generating authentication information according to target information;
obtaining authorization identification information based on encryption operation on plaintext information containing platform identity information and authentication information;
the method further comprises the steps of:
receiving a current access request, wherein the current access request carries actual authorization identification information;
judging whether the actual authorization identification information is matched with the authorization identification information in the synchronous information;
if the actual authorization identification information matches the authorization identification information in the synchronization information, executing a service response to the corresponding current user equipment according to the current access request;
if the actual authorization identification information does not match the authorization identification information in the synchronization information, performing a decryption operation on the actual authorization identification information to obtain actual plaintext information, and acquiring the actual platform identity information in the actual plaintext information;
according to the identity information of the actual platform, a verification request for the actual authorization identification information is initiated to the corresponding target service platform, and a verification result is received;
judging whether the verification result is in a verification passing state or not;
if the verification result is in a verification passing state, executing service response on the corresponding current user equipment according to the current access request;
if the verification result is not in the verification passing state, acquiring actual authentication information in the actual plaintext information;
judging whether the actual user information is matched with the actual authentication information;
if the actual user information is matched with the actual authentication information, executing service response on the corresponding current user equipment according to the current access request;
if the actual user information does not match the actual authentication information, stopping responding to the current access request.
Preferably, before broadcasting the synchronization information including the authorization identification information to other service platforms in the service platform cluster, the method further includes:
generating synchronization information containing generation object information;
broadcasting the synchronization information containing the authorization identification information to other service platforms in the service platform cluster comprises:
broadcasting the synchronization information containing the authorization identification information to other service platforms in the service platform cluster through a message queue;
when actual synchronization information is received, the method further comprises:
filtering the actual synchronization information according to the generation object information to obtain target actual synchronization information that was not generated by the local service platform;
and updating a local database based on the target actual synchronization information and broadcasting the local database to other service platforms in the service platform cluster.
Preferably, updating the local database based on the target actual synchronization information comprises:
storing the target actual synchronization information into a local database, or deleting the target actual synchronization information in the local database.
Preferably, before updating the local database based on the target actual synchronization information, the method further comprises:
judging whether target actual synchronous information exists in a local database;
if the target actual synchronization information exists, discarding the target actual synchronization information;
and if the target actual synchronization information does not exist, executing the step of updating the local database based on the target actual synchronization information.
Preferably, when the number of the target actual synchronization information is greater than 1 and the actual identity identifiers are the same, updating the local database based on the target actual synchronization information includes:
updating the local database based on the latest target actual synchronization information, namely the target actual synchronization information whose generation time has the smallest time difference from the current time.
Preferably, broadcasting the synchronization information containing the authorization identification information to other service platforms in the service platform cluster through a message queue, including:
and broadcasting the synchronous information with the same identity to other service platforms in the service platform cluster through partition channels corresponding to the identity in the message queue.
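The receive-side rules listed above (drop messages the local platform generated, discard messages already held locally, let the latest generation time win for one identity, then store or delete) can be sketched as follows. This is an added example, not code from the patent; the class, the field names, the `action` values and the in-memory database are assumptions, and the check against the last applied generation time extends the latest-wins rule across separate deliveries.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncInfo:
    origin: str          # generation object information: platform that generated the message
    identity: str        # identity identifier the authorization belongs to
    token: str           # authorization identification information
    action: str          # "store" or "delete" (field name and values are assumptions)
    generated_at: float  # generation time in seconds


class SyncReceiver:
    """Receive side of one service platform (hypothetical class, in-memory database)."""

    def __init__(self, platform_id):
        self.platform_id = platform_id
        self.db = {}          # identity -> authorization identification information
        self.applied = set()  # sync messages already handled locally
        self.last_time = {}   # identity -> generation time of the last applied message

    def receive(self, batch):
        """Apply a batch of sync messages and return those to pass on to other platforms."""
        # Keep only messages that were not generated by the local platform.
        foreign = [m for m in batch if m.origin != self.platform_id]
        # Discard messages that already exist locally.
        fresh = [m for m in foreign if m not in self.applied]
        # Several messages for the same identity: only the latest generation time counts.
        latest = {}
        for m in fresh:
            current = latest.get(m.identity)
            if current is None or m.generated_at > current.generated_at:
                latest[m.identity] = m
        forwarded = []
        for m in latest.values():
            # Extension beyond the text: a late message must not undo a newer store/delete.
            if m.generated_at <= self.last_time.get(m.identity, float("-inf")):
                continue
            if m.action == "store":
                self.db[m.identity] = m.token
            elif m.action == "delete":
                self.db.pop(m.identity, None)
            else:
                continue  # unknown action: ignore
            self.last_time[m.identity] = m.generated_at
            forwarded.append(m)
        self.applied.update(fresh)
        return forwarded


def demo():
    """Constructed sample messages as seen by platform-B."""
    b = SyncReceiver("platform-B")
    login = SyncInfo("platform-A", "alice", "tok-1", "store", 100.0)
    relogin = SyncInfo("platform-A", "alice", "tok-2", "store", 130.0)
    echo = SyncInfo("platform-B", "bob", "tok-9", "store", 110.0)      # generated locally
    logout = SyncInfo("platform-C", "alice", "tok-2", "delete", 160.0)
    late = SyncInfo("platform-D", "alice", "tok-0", "store", 90.0)     # arrives after logout

    result = {"first": b.receive([relogin, echo, login])}
    result["after_first"] = dict(b.db)
    result["replay"] = b.receive([relogin, login])
    result["logout"] = b.receive([logout])
    result["late"] = b.receive([late])
    result["final"] = dict(b.db)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because a message that is already held locally is discarded rather than passed on, forwarding between platforms terminates instead of looping.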
In addition, the application further provides an authentication device, which is applied to the service platform in the service platform cluster and comprises:
the request receiving module is used for receiving an authentication request, wherein the authentication request carries user information;
the authorization information generation module is used for acquiring target information meeting authorization standards in the user information and generating authorization identification information;
the synchronization module is used for storing the authorization identification information and broadcasting the synchronization information containing the authorization identification information to other service platforms in the service platform cluster so that the service platforms in the service platform cluster respond to the access request initiated by the user equipment based on the synchronization information;
the identification output module is used for returning the authorization identification information to the target user equipment corresponding to the target information so that the target user equipment can access the service platform in the service platform cluster based on the authorization identification information.
In addition, the application further provides service platform equipment, which comprises:
a memory for storing a computer program;
a processor for implementing the steps of the authentication method as described above when executing the computer program.
In addition, the application further provides a computer readable storage medium, and a computer program is stored on the computer readable storage medium, and when the computer program is executed by a processor, the steps of the authentication method are implemented.
The authentication method provided by the application is applied to a service platform in a service platform cluster. An authentication request carrying user information is first received, target information in the user information that meets the authorization standards is acquired, and authorization identification information is generated. The authorization identification information is then stored, and synchronization information containing it is broadcast to the other service platforms in the cluster, so that the service platforms in the cluster can respond to access requests initiated by user equipment based on the synchronization information. The authorization identification information is further returned to the target user equipment corresponding to the target information, so that the target user equipment accesses the service platforms in the cluster based on it. Because a service platform, once the target information has passed its authentication, broadcasts the synchronization information containing the resulting authorization identification information to the other service platforms in the cluster, those platforms can also respond to access requests that the user equipment initiates based on the authorization identification information. In a service platform cluster scenario, the user equipment can therefore access the service data of all service platforms in the cluster after passing the authentication of one of them, which ensures the overall availability of the service platform cluster. The application also provides an authentication device, equipment and a storage medium, which have the same beneficial effects as described above.
Drawings
To describe the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly described below. The drawings in the following description are only some embodiments of the present application, and a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a flowchart of an authentication method disclosed in an embodiment of the present application;
Fig. 2 is a flowchart of a specific authentication method disclosed in an embodiment of the present application;
Fig. 3 is a flowchart of a specific authentication method disclosed in an embodiment of the present application;
Fig. 4 is a flowchart of a specific authentication method disclosed in an embodiment of the present application;
Fig. 5 is a flowchart of a specific authentication method disclosed in an embodiment of the present application;
Fig. 6 is a schematic diagram of an application scenario of an authentication method disclosed in an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an authentication device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those skilled in the art based on the embodiments herein without inventive effort fall within the scope of the present application.
To ensure the data security of a service platform, identity authentication is usually performed on user equipment when it accesses the service platform, so that only user equipment authorized by the service platform is allowed to access it. However, in the current distributed service platform cluster scenario, after user equipment passes the authentication of one service platform in the cluster, it still cannot access the service data of the other service platforms in the cluster, so the overall availability of the service platform cluster is difficult to ensure.
Therefore, the core of the application is to provide an authentication method which ensures that, in a service platform cluster scenario, user equipment can access the service data of all service platforms in the cluster after passing the authentication of one service platform, thereby ensuring the overall availability of the service platform cluster.
Referring to fig. 1, an embodiment of the present application discloses an authentication method applied to a service platform in a service platform cluster, including:
Step S10: receiving an authentication request, wherein the authentication request carries user information.
It should be noted that the authentication request received in this step is initiated by user equipment and carries the user information of that user equipment. That is, before user equipment can normally access a service platform in the service platform cluster, it needs to acquire authorization identification information provided by a service platform in the cluster. Because a service platform only allows user equipment with access rights to access it, the authentication request must carry user information representing the identity of the user equipment, including but not limited to the type of the user equipment, its user account, its user password, and the like.
Step S11: acquiring target information in the user information that meets the authorization standard, and generating authorization identification information.
After the authentication request is obtained, the service platform checks the user information in it to obtain the target information that meets the authorization standard. The authorization standard is the standard that user information must meet to pass the service platform's check, so the service platform screens the user information against it; the target information is the user information corresponding to user equipment that has the right to access the service platform. The service platform then generates authorization identification information corresponding to the target information; this is the identifier that represents the legitimate identity of the user equipment when it accesses service data on the service platform.
It should be noted that the authorization standard in this step may specifically include, but is not limited to: the user information transmitted by the user equipment is not on the blacklist, and/or the type of the user equipment meets the type requirement, and/or the user information is pre-recorded in the service platform's list of authorized user information.
Step S12: storing the authorization identification information, and broadcasting synchronization information containing the authorization identification information to the other service platforms in the service platform cluster, so that the service platforms in the cluster respond to access requests initiated by user equipment based on the synchronization information.
After generating the authorization identification information corresponding to the target information, the service platform stores it locally, so that when the user equipment presents the authorization identification information to access the service platform, the platform can check the legitimate identity of the user equipment against the locally stored authorization identification information and then provide the corresponding service data to the user equipment. In addition to storing the authorization identification information, the local service platform broadcasts synchronization information containing it to the other service platforms in its cluster, so that when the user equipment presents the authorization identification information to another service platform, that platform can likewise verify the legitimate identity of the user equipment based on the authorization identification information transmitted by the local service platform and respond correctly to the service access.
Step S13: returning the authorization identification information to the target user equipment corresponding to the target information, so that the target user equipment can access the service platforms in the service platform cluster based on the authorization identification information.
It can be understood that after the authorization identification information is generated, it is further returned to the target user equipment corresponding to the target information. This provides the target user equipment, which has access rights, with the corresponding authorization identifier, so that it can present the authorization identification information when initiating access to service data on the service platforms in the cluster.
The authentication method provided by the application is applied to a service platform in a service platform cluster. An authentication request carrying user information is first received, target information in the user information that meets the authorization standards is acquired, and authorization identification information is generated. The authorization identification information is then stored, and synchronization information containing it is broadcast to the other service platforms in the cluster, so that the service platforms in the cluster can respond to access requests initiated by user equipment based on the synchronization information. The authorization identification information is further returned to the target user equipment corresponding to the target information, so that the target user equipment accesses the service platforms in the cluster based on it. Because a service platform, once the target information has passed its authentication, broadcasts the synchronization information containing the resulting authorization identification information to the other service platforms in the cluster, those platforms can also respond to access requests that the user equipment initiates based on the authorization identification information. In a service platform cluster scenario, the user equipment can therefore access the service data of all service platforms in the cluster after passing the authentication of one of them, which ensures the overall availability of the service platform cluster.
Referring to fig. 2, an embodiment of the present application discloses an authentication method applied to a service platform in a service platform cluster, including:
Step S20: receiving an authentication request, wherein the authentication request carries user information.
Step S21: acquiring target information in the user information that meets the authorization standard, and generating authorization identification information.
Step S22: storing the authorization identification information, and broadcasting synchronization information containing the authorization identification information to the other service platforms in the service platform cluster, so that the service platforms in the cluster respond to access requests initiated by user equipment based on the synchronization information.
Step S23: returning the authorization identification information to the target user equipment corresponding to the target information, so that the target user equipment can access the service platforms in the service platform cluster based on the authorization identification information.
Step S24: receiving a current access request, wherein the current access request carries actual authorization identification information.
The current access request received in this step is a request that the current user equipment, in an actual scenario, initiates to a local service platform in the service platform cluster in order to access service data on that platform. The current access request carries the actual authorization identification information held by the current user equipment, which the service platform uses to verify the current user equipment.
Step S25: judging whether the actual authorization identification information matches the authorization identification information in the synchronization information; if so, executing step S26; otherwise, executing step S27.
Step S26: executing a service response to the corresponding current user equipment according to the current access request.
Step S27: stopping responding to the current access request.
After receiving the current access request, the local service platform further judges whether the actual authorization identification information in the current access request is matched with the authorization identification information in the synchronous information, namely judges whether the actual authorization identification information is already stored in the local synchronous information, if so, the current user equipment is considered to have the authority of accessing the service data, so that service response is executed on the corresponding current user equipment according to the current access request, otherwise, the current user equipment is considered to not have the authority of accessing the service data, and further response to the current access request is stopped.
The key point of the embodiment is that the service platform in the service platform cluster determines whether the actual authorization identification information is valid in the current access request initiated by the current user equipment through the locally stored synchronization information, and because the authorization identification information in the synchronization information in the local service platform is generated after the user equipment is authenticated by the local service platform or generated after the user equipment is authenticated by other service platforms and is synchronized to the local in a broadcast mode, the embodiment can further ensure that the user equipment can access the service data of all the service platforms in the service platform cluster after passing the authentication of one service platform, thereby further ensuring the overall availability of the service platform cluster.
In addition, it should be emphasized that, in this embodiment, step S20 to step S23 are processes of authentication performed by the ue, and step S24 to step S27 are processes of accessing service data in response to the ue, where for the same ue, the authentication processes of step S20 to step S23 need to be performed first, and then the processes of step S24 to step S27 of accessing service data in response to the ue are performed; the above two processes may be performed simultaneously or in a non-fixed order for different ues, and are not specifically limited herein.
Referring to Fig. 3, an embodiment of the present application discloses an authentication method applied to a service platform in a service platform cluster, including:
Step S30: Receive an authentication request, where the authentication request carries user information.
Step S31: Obtain the target information in the user information that meets the authorization standard.
Step S32: Obtain the platform identity information of the local service platform, and perform an encryption operation on plaintext information containing the platform identity information to obtain authorization identification information.
It should be noted that the focus of this step is to obtain the platform identity information of the local service platform and to perform the encryption operation on plaintext information containing that platform identity information to obtain the authorization identification information. The platform identity information in this step is information about the local service platform; that is, the other service platforms in the cluster can reach the local service platform by means of this platform identity information.
Step S33: Store the authorization identification information, and broadcast synchronization information containing the authorization identification information to the other service platforms in the service platform cluster, so that the service platforms in the cluster respond to access requests initiated by user equipment based on the synchronization information.
Step S34: Return the authorization identification information to the target user equipment corresponding to the target information, so that the target user equipment can access the service platforms in the service platform cluster based on the authorization identification information.
Step S35: Receive a current access request, where the current access request carries actual authorization identification information.
Step S36: Perform a decryption operation on the actual authorization identification information to obtain actual plaintext information, and obtain the actual platform identity information in the actual plaintext information.
In this step, after the actual authorization identification information carried in the access request is obtained, a decryption operation is performed on it to obtain the actual plaintext information, and the actual platform identity information is obtained from the actual plaintext information. The actual platform identity information is information about the service platform that generated the actual authorization identification information.
Step S37: Initiate a verification request for the actual authorization identification information to the corresponding target service platform according to the actual platform identity information, and receive a verification result.
Because the service platform that generated the actual authorization identification information is the first to store it, once the actual platform identity information has been obtained, a verification request for the actual authorization identification information is initiated to the corresponding target service platform according to the actual platform identity information, and a verification result is received. The verification result is the target service platform's determination of whether the actual authorization identification information is valid.
Step S38: Determine whether the verification result is in the verification-passed state; if so, execute step S39, otherwise execute step S310.
Step S39: Execute a service response to the corresponding current user equipment according to the current access request.
Step S310: Stop responding to the current access request.
It can be understood that when the verification result is in the verification-passed state, the actual authorization identification information is valid, and a service response is executed to the corresponding current user equipment according to the current access request; otherwise, the actual authorization identification information is invalid, and the platform stops responding to the current access request.
This embodiment takes into account that, when the service platforms in the cluster broadcast synchronization information, network delay may prevent the synchronization information from being delivered in time, so that the local service platform cannot properly check whether the actual authorization identification information is valid. The embodiment therefore initiates a verification request for the actual authorization identification information to the target service platform that generated it and receives the verification result, so that verification of the actual authorization identification information is completed by that target service platform. This ensures that the user equipment can access the service data of all service platforms in the cluster after passing the authentication of one service platform, which further ensures the overall availability of the service platform cluster.
In addition, it should be emphasized that in this embodiment steps S30 to S34 are the process of authenticating the user equipment, and steps S35 to S310 are the process of responding to the user equipment's access to service data. For the same user equipment, the authentication process of steps S30 to S34 must be performed first, followed by the process of steps S35 to S310. For different user equipment, the two processes may be performed simultaneously or in no fixed order, which is not specifically limited here.
Referring to Fig. 4, an embodiment of the present application discloses an authentication method applied to a service platform in a service platform cluster, including:
Step S40: Receive an authentication request, where the authentication request carries user information.
Step S41: Obtain the target information in the user information that meets the authorization standard.
Step S42: Generate authentication information according to the target information, and perform an encryption operation on plaintext information containing the authentication information to obtain authorization identification information.
It should be noted that the focus of this step is that, after the local service platform obtains the target information in the user information that meets the authorization standard, it generates authentication information from the target information and then performs an encryption operation on plaintext information containing the authentication information to obtain the authorization identification information. The authentication information is generated by logical data extraction or data conversion based on the target information, so a logic-based mapping relationship can exist between the authentication information and the target information.
Step S43: Store the authorization identification information, and broadcast synchronization information containing the authorization identification information to the other service platforms in the service platform cluster, so that the service platforms in the cluster respond to access requests initiated by user equipment based on the synchronization information.
Step S44: Return the authorization identification information to the target user equipment corresponding to the target information, so that the target user equipment can access the service platforms in the service platform cluster based on the authorization identification information.
Step S45: Receive a current access request, where the current access request carries actual authorization identification information and actual user information.
It should be noted that in this embodiment the current access request that the local service platform receives from the actual user equipment carries both the actual authorization identification information and the actual user information of the actual user equipment.
Step S46: Perform a decryption operation on the actual authorization identification information to obtain actual plaintext information, and obtain the actual authentication information in the actual plaintext information.
After the actual authorization identification information is obtained, this step performs a decryption operation on it to obtain the actual plaintext information, and then obtains the actual authentication information from the actual plaintext information.
Step S47: Determine whether the actual user information matches the actual authentication information; if so, execute step S48, otherwise execute step S49.
Step S48: Execute a service response to the corresponding current user equipment according to the current access request.
Step S49: Stop responding to the current access request.
In this embodiment, the authentication information in the authorization identification information held by a user equipment is generated from the user information of that user equipment. The embodiment takes into account that, when the service platforms in the cluster broadcast synchronization information, network delay may prevent the synchronization from completing in time. Therefore, after the current access request of the actual user equipment is obtained, the actual user information is matched against the actual authentication information obtained by decrypting the actual authorization identification information in the current access request, that is, it is determined whether a logic-based mapping relationship exists between the actual user information and the actual authentication information. If so, the actual authentication information is considered valid, and a service response is executed to the corresponding current user equipment according to the current access request; otherwise, the actual authentication information is considered invalid, and the platform stops responding to the current access request. This embodiment further ensures that the user equipment can access the service data of all service platforms in the cluster after passing the authentication of one service platform, thereby ensuring the overall availability of the service platform cluster.
In addition, it should be emphasized that in this embodiment steps S40 to S44 are the process of authenticating the user equipment, and steps S45 to S49 are the process of responding to the user equipment's access to service data. For the same user equipment, the authentication process of steps S40 to S44 must be performed first, followed by the process of steps S45 to S49. For different user equipment, the two processes may be performed simultaneously or in no fixed order, which is not specifically limited here.
Referring to Fig. 5, an embodiment of the present application discloses an authentication method applied to a service platform in a service platform cluster, including:
Step S50: Receive an authentication request, where the authentication request carries user information.
Step S51: Obtain the target information in the user information that meets the authorization standard.
Step S52: Obtain the platform identity information of the local service platform, and generate authentication information according to the target information.
Step S53: Perform an encryption operation on plaintext information containing the platform identity information and the authentication information to obtain authorization identification information.
Step S54: Store the authorization identification information, and broadcast synchronization information containing the authorization identification information to the other service platforms in the service platform cluster, so that the service platforms in the cluster respond to access requests initiated by user equipment based on the synchronization information.
Step S55: Return the authorization identification information to the target user equipment corresponding to the target information, so that the target user equipment can access the service platforms in the service platform cluster based on the authorization identification information.
Step S56: Receive a current access request, where the current access request carries actual authorization identification information.
Step S57: Determine whether the actual authorization identification information matches the authorization identification information in the synchronization information; if so, execute step S58, and if not, execute step S59.
Step S58: Execute a service response to the corresponding current user equipment according to the current access request.
Step S59: Perform a decryption operation on the actual authorization identification information to obtain actual plaintext information, and obtain the actual platform identity information in the actual plaintext information.
Step S510: Initiate a verification request for the actual authorization identification information to the corresponding target service platform according to the actual platform identity information, and receive a verification result.
Step S511: Determine whether the verification result is in the verification-passed state; if so, execute step S58, and if not, execute step S512.
Step S512: Obtain the actual authentication information in the actual plaintext information.
Step S513: Determine whether the actual user information matches the actual authentication information; if so, execute step S58, otherwise execute step S514.
Step S514: Stop responding to the current access request.
It should be noted that the key point of this embodiment is that verification of the user authentication request is divided into three levels, and that the authorization identification information is generated by performing the encryption operation on plaintext information containing both the platform identity information and the authentication information. After a current access request carrying actual authorization identification information is received, the first-level verification determines whether the actual authorization identification information matches the authorization identification information in the local synchronization information. The second-level verification initiates verification of the actual authorization identification information to the corresponding target service platform, according to the actual platform identity information obtained by parsing the actual authorization identification information. The third-level verification determines whether the actual user information matches the actual authentication information. The three levels are executed in order from level one to level three. Verification proceeds to the next level only when the current level fails, that is, when the condition for executing a service response to the corresponding current user equipment according to the current access request is not met. As soon as any one level passes, the service response is executed to the corresponding current user equipment according to the current access request; if none of the levels passes, the platform stops responding to the current access request.
Because the first level of verification in this embodiment is performed in the local service platform, verification is preferentially done locally. The second level requires the local service platform to communicate with other service platforms in the service platform cluster, and the third level is again performed in the local service platform. In other words, the verification process gives priority to efficiency by verifying on the local service platform; if the local service platform has not stored the synchronization information in time because of network delay, accuracy is ensured by communicating with the other service platforms in the cluster; and if the network is interrupted, a verification of relatively lower accuracy is performed in the local service platform. This ensures the overall flexibility and completeness of the verification process.
Based on the above series of embodiments, as a preferred implementation, before broadcasting the synchronization information containing the authorization identification information to the other service platforms in the service platform cluster, the method further includes:
generating synchronization information containing generation object information;
broadcasting the synchronization information containing the authorization identification information to the other service platforms in the service platform cluster includes:
broadcasting the synchronization information containing the authorization identification information to the other service platforms in the service platform cluster through a message queue;
when actual synchronization information is received, the method further includes:
screening the actual synchronization information according to the generation object information to obtain the target actual synchronization information, namely that generated by a non-local service platform;
updating a local database based on the target actual synchronization information, and broadcasting the target actual synchronization information to the other service platforms in the service platform cluster.
In this embodiment, the synchronization information carries generation object information, which characterizes the service platform that generated the synchronization information. In addition, the synchronization information containing the authorization identification information is broadcast to the other service platforms in the cluster by means of a message queue. Passing the synchronization information between service platforms through a message queue relatively ensures the integrity and reliability of the synchronization information.
In addition, when the local service platform receives actual synchronization information, it screens that information according to the generation object information to obtain the target actual synchronization information generated by non-local service platforms, updates the local database according to the target actual synchronization information, and broadcasts the target actual synchronization information to the other service platforms in the cluster. This relatively avoids the local service platform storing again the synchronization information that it generated and stored itself, as well as the content echo and content conflict problems caused by bidirectional synchronization between service platforms in the cluster.
On the basis of the above embodiment, as a preferred embodiment, updating the local database based on the target actual synchronization information includes:
storing the target actual synchronization information in the local database, or deleting the target actual synchronization information from the local database.
It should be noted that in this embodiment updating the local database based on the target actual synchronization information may consist of storing the target actual synchronization information in the local database or deleting it from the local database. Which operation applies depends mainly on the synchronization event associated with the received actual synchronization information; synchronization events may include adding local data and deleting local data, as determined by actual requirements, and are not specifically limited here.
On the basis of the above embodiment, as a preferred embodiment, before updating the local database based on the target actual synchronization information, the method further includes:
determining whether the target actual synchronization information exists in the local database;
if the target actual synchronization information exists, discarding the target actual synchronization information;
if the target actual synchronization information does not exist, executing the step of updating the local database based on the target actual synchronization information.
It should be noted that in this embodiment, before the local database is updated based on the target actual synchronization information, it is determined whether the target actual synchronization information already exists in the local database. The step of updating the local database is executed only when it does not exist; otherwise, the target actual synchronization information is discarded. This embodiment avoids storing the same synchronization information repeatedly in the local database and ensures the accuracy of the synchronization information.
On the basis of the above embodiment, as a preferred embodiment, when there is more than one piece of target actual synchronization information and their actual identities are the same, updating the local database based on the target actual synchronization information includes:
updating the local database based on the latest target actual synchronization information, that is, the one whose generation time has the smallest difference from the current time.
It should be noted that the key point of this embodiment is that, when the local service platform receives several pieces of target actual synchronization information with the same target actual identity, it selects the latest one, whose generation time has the smallest difference from the current time, and updates the local database according to it, which relatively ensures the accuracy of the local data update. The target actual identity is the identity of the actual user equipment corresponding to the actual synchronization information.
In addition, on the basis of the foregoing embodiment, as a preferred embodiment, broadcasting the synchronization information containing the authorization identification information to the other service platforms in the service platform cluster through the message queue includes:
broadcasting synchronization information with the same identity to the other service platforms in the service platform cluster through the partition channel in the message queue that corresponds to that identity.
The key point of this embodiment is that synchronization information with the same identity is broadcast to the other service platforms in the cluster through the same partition channel in the message queue. Different pieces of actual synchronization information generated for the same actual user equipment are thus broadcast to the other service platforms with similar communication efficiency, which ensures the transmission and synchronization efficiency of the synchronization information of the same user equipment within the service platform cluster.
To enhance the understanding of the above embodiments, a scenario embodiment of an authentication scenario applied to a service platform in a service platform cluster is provided below.
Fig. 6 is an application scenario schematic diagram of an authentication method disclosed in an embodiment of the present application.
As shown in Fig. 6, in this scenario embodiment the service platform cluster is a data center (DC) cluster consisting of Data Center A and Data Center B. The database in each DC is a Redis (Remote Dictionary Server) database, a key-value storage system used to store the synchronization information synchronized between the DCs in the cluster. Synchronization information is broadcast between the DCs through a Kafka message queue. Verification requests for actual authorization identification information are initiated between the DCs through RPC (Remote Procedure Call Protocol), a simple inter-process protocol. The authorization identification information is a character string encrypted with the AES algorithm, hereinafter referred to as the token.
The overall scheme by which user equipment accesses the authentication API service in this scenario embodiment mainly comprises two processes: cross-DC bidirectional real-time data synchronization, and authentication degradation verification.
Cross-DC bidirectional real-time synchronization operates on the Redis data. It is based on MirrorMaker 2.0 communication over a cross-DC Kafka channel, to which a bidirectional real-time synchronization framework driven by Redis events is added. This ensures eventual consistency of the data, while lag and failure of cross-DC data synchronization are tolerated by means of the authentication degradation verification strategy.
Authentication degradation verification is a multi-level verification strategy that ensures both the security factor of verification and the availability of the distributed authentication system. The longest verification process has three levels: the first level is local database verification, the second level is remote DC verification, and the third level is algorithm decryption verification. The second-level check is a remote check based on the RPC protocol; if it succeeds, the data is synchronized to the local DC. Third-level verification occurs only in certain disaster situations (no relevant synchronization data locally and abnormal network communication between DCs).
The process of bidirectional real-time data synchronization:
The Redis data avoids the echo and conflict problems of real-time bidirectional synchronization by adding a tag field, and a time comparison is performed before every synchronization operation on the data, which ensures the order of operations.
Data produced to and consumed from Kafka is ordered. When needed, a hash operation is performed on the key, and the data is placed in the partition channel corresponding to the computed hash value to be broadcast to the other DCs in the DC cluster.
Correspondingly, if token data synchronization fails, the token degradation check design triggers a remote RPC call, which at the same time completes an active data synchronization.
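The synchronization rules described above (screening by generation object information, discarding records already stored, keeping the latest record per identity, and routing by identity to a partition channel), as an added Go example that is not code from the patent. `SyncMsg`, `Store`, `Apply`, `Partition`, the tombstone handling of deletions and the FNV-1a hash are assumptions, and an in-memory map stands in for Redis.

```go
package main

import (
	"fmt"
	"hash/fnv"
)

// SyncMsg is one synchronization record. The field names are assumptions; the
// patent requires generation object information, an identity and a generation time.
type SyncMsg struct {
	Origin   string // generation object information: the DC that produced the record
	Identity string // identity of the user equipment the token belongs to
	Token    string // authorization identification information
	Delete   bool   // synchronization event: false stores the token, true deletes it
	GenTime  int64  // generation time, Unix milliseconds
}

// Store stands in for one DC's Redis database, keyed by identity. Deletions are
// kept as tombstones (an assumption) so that a late, older record cannot undo them.
type Store struct {
	LocalDC string
	data    map[string]SyncMsg
}

func NewStore(localDC string) *Store {
	return &Store{LocalDC: localDC, data: map[string]SyncMsg{}}
}

// Partition picks the partition channel for an identity, so that every record
// for one identity travels through the same channel and keeps its order.
func Partition(identity string, partitions uint32) uint32 {
	h := fnv.New32a()
	h.Write([]byte(identity))
	return h.Sum32() % partitions
}

// Apply processes a received batch and returns the records that changed the
// local database; these are the ones worth forwarding to other platforms.
func (s *Store) Apply(batch []SyncMsg) []SyncMsg {
	newest := map[string]SyncMsg{}
	var order []string
	for _, m := range batch {
		if m.Origin == s.LocalDC {
			continue // generated locally: our own record echoed back
		}
		cur, seen := newest[m.Identity]
		if !seen {
			order = append(order, m.Identity)
		}
		if !seen || m.GenTime > cur.GenTime {
			newest[m.Identity] = m // keep only the latest record per identity
		}
	}
	var applied []SyncMsg
	for _, id := range order {
		m := newest[id]
		if old, ok := s.data[id]; ok && old.GenTime >= m.GenTime {
			continue // already stored, or older than what is stored: discard
		}
		s.data[id] = m
		applied = append(applied, m)
	}
	return applied
}

// Has reports whether the token is currently valid for the identity.
func (s *Store) Has(identity, token string) bool {
	m, ok := s.data[identity]
	return ok && !m.Delete && m.Token == token
}

func main() {
	s := NewStore("DC-A")
	batch := []SyncMsg{ // constructed sample records
		{Origin: "DC-A", Identity: "dev-1", Token: "t-echo", GenTime: 50},
		{Origin: "DC-B", Identity: "dev-2", Token: "t-old", GenTime: 100},
		{Origin: "DC-B", Identity: "dev-2", Token: "t-new", GenTime: 200},
	}
	for _, m := range s.Apply(batch) {
		fmt.Printf("applied %s for %s (partition %d)\n", m.Token, m.Identity, Partition(m.Identity, 8))
	}
}
```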
Authentication degradation verification process:
First, first-level verification is performed: the token is compared against the local database, and the database cache is used to speed up the check. It is the fastest verification and is safe.
When first-level verification finds that the token is not in the database, the token is decrypted. If decryption fails, verification fails directly; if decryption succeeds, second-level verification begins: the RPC service of the DC that generated the token is called, using the decrypted information, to verify the token. The RPC service call can be made over a private network (private network delay within 10 ms).
When a disaster such as a network abnormality occurs during second-level verification, the service of the peer DC in the DC cluster cannot be accessed. The security factor is then temporarily reduced and third-level verification begins: algorithm verification is performed on the information obtained by decrypting the token. When the network returns to normal, third-level verification stops.
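The three-level degradation verification of the Fig. 5 embodiment and the scenario above, as an added Go example that is not code from the patent. It assumes AES-GCM with one key shared by the cluster, a `platform|authentication information` plaintext, SHA-256 as the mapping from user information, and in-process `Peers` in place of RPC; following the scenario, level three runs only when the issuing DC is unreachable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// authInfo derives authentication information from user information (SHA-256 is an assumption).
func authInfo(user string) string {
	sum := sha256.Sum256([]byte(user))
	return hex.EncodeToString(sum[:])
}

// DC is one service platform; a peer missing from Peers (a stand-in for RPC) is unreachable.
type DC struct {
	Name   string
	Peers  map[string]*DC
	aead   cipher.AEAD
	tokens map[string]bool // local database of stored and synchronized tokens
}

// NewDC builds a platform around an AES key shared by the cluster (assumption).
func NewDC(name string, key []byte) (*DC, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // assumption: GCM, so tampering fails decryption
	if err != nil {
		return nil, err
	}
	return &DC{Name: name, Peers: map[string]*DC{}, aead: aead, tokens: map[string]bool{}}, nil
}

// Issue encrypts "platform identity|authentication information" and stores the token.
func (d *DC) Issue(user string) (string, error) {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plain := []byte(d.Name + "|" + authInfo(user))
	token := base64.RawURLEncoding.EncodeToString(d.aead.Seal(nonce, nonce, plain, nil))
	d.tokens[token] = true
	return token, nil
}

// Revoke deletes a token from this platform's local database.
func (d *DC) Revoke(token string) { delete(d.tokens, token) }

// decrypt recovers the platform identity and authentication information.
func (d *DC) decrypt(token string) (platform, auth string, ok bool) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	n := d.aead.NonceSize()
	if err != nil || len(raw) < n {
		return "", "", false
	}
	plain, err := d.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return "", "", false
	}
	parts := strings.SplitN(string(plain), "|", 2)
	return parts[0], parts[len(parts)-1], len(parts) == 2
}

// Verify returns the level (1, 2 or 3) that accepted the request, or 0 if rejected.
func (d *DC) Verify(token, user string) int {
	if d.tokens[token] { // level 1: token is in the local database
		return 1
	}
	platform, auth, ok := d.decrypt(token)
	if !ok || platform == d.Name { // undecryptable, or issued here but not stored
		return 0
	}
	if issuer, reachable := d.Peers[platform]; reachable { // level 2: ask the issuer
		if !issuer.tokens[token] {
			return 0 // the issuer answered and does not hold the token
		}
		d.tokens[token] = true // active synchronization after a remote pass
		return 2
	}
	if auth == authInfo(user) { // level 3: issuer unreachable, check the plaintext only
		return 3
	}
	return 0
}

func main() {
	a, _ := NewDC("DC-A", make([]byte, 32)) // constructed all-zero demo key
	b, _ := NewDC("DC-B", make([]byte, 32))
	token, _ := a.Issue("alice@example.test")
	fmt.Println("issuer unreachable, level:", b.Verify(token, "alice@example.test"))
	b.Peers["DC-A"] = a
	fmt.Println("issuer reachable, level:", b.Verify(token, "alice@example.test"))
}
```

While the issuer is unreachable, a token that the issuer has already deleted still passes level three, which is the temporarily reduced security factor the scenario describes.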
After the user equipment passes the authentication of the authentication API service, the related business data of the data center can be further acquired based on the business API service.
Referring to Fig. 7, an embodiment of the present application discloses an authentication device, which is applied to a service platform in a service platform cluster and includes:
a request receiving module 10, configured to receive an authentication request, where the authentication request carries user information;
an authorization information generation module 11, configured to obtain the target information in the user information that meets the authorization standard, and generate authorization identification information;
a synchronization module 12, configured to store the authorization identification information and broadcast synchronization information containing the authorization identification information to the other service platforms in the service platform cluster, so that the service platforms in the cluster respond to access requests initiated by user equipment based on the synchronization information;
an identifier output module 13, configured to return the authorization identification information to the target user equipment corresponding to the target information, so that the target user equipment can access the service platforms in the service platform cluster based on the authorization identification information.
The authentication device is applied to a service platform in a service platform cluster. It first receives an authentication request carrying user information, obtains the target information in the user information that meets the authorization standard, and generates authorization identification information. It then stores the authorization identification information and broadcasts synchronization information containing the authorization identification information to the other service platforms in the cluster, so that the service platforms in the cluster can respond to access requests initiated by user equipment based on the synchronization information. Finally, it returns the authorization identification information to the target user equipment corresponding to the target information, so that the target user equipment can access the service platforms in the cluster based on the authorization identification information. Because the service platform that authenticates the target information broadcasts the synchronization information containing the resulting authorization identification information to the other service platforms, those platforms can respond to access requests initiated by the user equipment based on the authorization identification information. In the service platform cluster scenario, the user equipment can therefore access the service data of all service platforms in the cluster after passing the authentication of one of them, which ensures the overall availability of the cluster.
On the basis of the foregoing embodiments, the authentication device is further described and optimized in the embodiments of the present application. Specifically:
in one embodiment, the apparatus further comprises:
the first access receiving module is used for receiving a current access request, wherein the current access request carries actual authorization identification information;
the identification judging module is used for judging whether the actual authorization identification information is matched with the authorization identification information in the synchronous information, if so, the service executing module is called, and if not, the stopping response module is called;
the service execution module is used for executing service response to the corresponding current user equipment according to the current access request;
and the stop response module is used for stopping responding to the current access request.
In one embodiment, the authorization information generation module 11 includes:
the encryption generation module is used for acquiring platform identity information of the local service platform and obtaining authorization identification information based on encryption operation on plaintext information containing the platform identity information;
the apparatus further comprises:
the second access receiving module is used for receiving a current access request, wherein the current access request carries actual authorization identification information;
the identity decryption module is used for performing decryption operation on the actual authorization identification information to obtain actual plaintext information and obtaining actual platform identity information in the actual plaintext information;
The identity verification module is used for initiating a verification request for the actual authorization identification information to the corresponding target service platform according to the actual platform identity information and receiving a verification result;
the verification judging module is used for judging whether a verification result is in a verification passing state, if so, calling the service executing module, and if not, calling the stop response module;
the service execution module is used for executing service response to the corresponding current user equipment according to the current access request;
and the stop response module is used for stopping responding to the current access request.
In one embodiment, the authorization information generation module 11 includes:
the authentication generation module is used for generating authentication information according to the target information and obtaining authorization identification information based on encryption operation on plaintext information containing the authentication information;
the apparatus further comprises:
the third access receiving module is used for receiving a current access request, wherein the current access request carries actual authorization identification information and actual user information;
the authentication decryption module is used for performing decryption operation on the actual authorization identification information to obtain actual plaintext information and obtaining actual authentication information in the actual plaintext information;
The authentication judging module is used for judging whether the actual user information is matched with the actual authentication information, if so, the service executing module is called, and if not, the stopping response module is called;
the service execution module is used for executing service response to the corresponding current user equipment according to the current access request;
and the stop response module is used for stopping responding to the current access request.
In one embodiment, the authorization information generation module 11 includes:
the acquisition module is used for acquiring platform identity information of the local service platform and generating authentication information according to the target information;
the encryption module is used for obtaining authorization identification information based on encryption operation on plaintext information containing platform identity information and authentication information;
the apparatus further comprises:
the fourth access receiving module is used for receiving a current access request, wherein the current access request carries actual authorization identification information;
the first judging module is used for judging whether the actual authorization identification information is matched with the authorization identification information in the synchronous information, if so, the service executing module is called, and if not, the identity information acquiring module is called;
the identity information acquisition module is used for performing decryption operation on the actual authorization identification information to obtain actual plaintext information and acquiring actual platform identity information in the actual plaintext information;
The request initiating module is used for initiating a verification request for the actual authorization identification information to the corresponding target service platform according to the actual platform identity information and receiving a verification result;
the second judging module is used for judging whether the verification result is in a verification passing state, if so, calling the service executing module, and if not, calling the authentication obtaining module;
the authentication acquisition module is used for acquiring actual authentication information in the actual plaintext information;
the third judging module is used for judging whether the actual user information is matched with the actual authentication information, if so, the service executing module is called, and if not, the stopping response module is called;
the service execution module is used for executing service response to the corresponding current user equipment according to the current access request;
and the stop response module is used for stopping responding to the current access request.
In one embodiment, the apparatus further comprises:
the synchronous information generating module is used for generating synchronous information containing the generating object information;
the synchronization module 12 includes:
the queue synchronization module is used for broadcasting the synchronization information containing the authorization identification information to other service platforms in the service platform cluster through the message queue;
When receiving the actual synchronization information, the device further comprises:
the screening module is used for screening the actual synchronous information according to the generated object information to obtain the target actual synchronous information generated by non-local service platforms;
and the updating module is used for updating the local database based on the target actual synchronous information and broadcasting the local database to other service platforms in the service platform cluster.
In one embodiment, the update module includes:
and the storage deleting module is used for storing the target actual synchronization information into the local database or deleting the target actual synchronization information in the local database.
In a specific embodiment, the apparatus further comprises:
the conflict judging module is used for judging whether the target actual synchronous information exists in the local database, if yes, the discarding module is called, and if not, the updating module is called;
and the discarding module is used for discarding the target actual synchronization information.
In a specific embodiment, when the number of the target actual synchronization information is greater than 1 and the actual identity identifiers are the same, the updating module includes:
and the time updating module is used for updating the local database, based on the generation time in the target actual synchronous information, with the latest target actual synchronous information, namely the one whose generation time has the smallest difference from the current time.
In a specific embodiment, the queue synchronization module includes:
and the partition broadcasting module is used for broadcasting the synchronous information with the same identity to other service platforms in the service platform cluster through partition channels corresponding to the identity in the message queue.
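The receive-side handling described by the screening, conflict judging, time updating and partition broadcasting modules, as an added example (not code from the patent). Assumptions: the message fields and the names `SyncMsg`, `apply_sync` and `partition_for` are hypothetical, the local database is a dict from identity to token, and a SHA-256 digest stands in for the message queue's own partitioner.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncMsg:
    identity: str        # identity identifier; also used as the partition key
    token: str           # authorization identification information
    op: str              # "store" or "delete"
    origin: str          # generation object information: the DC that produced it
    generated_at: float  # generation time


def partition_for(identity, partitions):
    # Stable digest of the key, so one identity always maps to one partition
    # and its messages keep their order. Stand-in for the queue's partitioner.
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest[:8], "big") % partitions


def apply_sync(local_dc, db, batch):
    """Apply received messages to db (identity -> token); return those applied."""
    newest = {}
    for msg in batch:
        if msg.origin == local_dc:          # screening: drop our own broadcasts
            continue
        seen = newest.get(msg.identity)
        if seen is None or msg.generated_at > seen.generated_at:
            newest[msg.identity] = msg      # same identity: latest generation time wins
    applied = []
    for msg in newest.values():
        if msg.op == "store":
            if db.get(msg.identity) == msg.token:   # already present: discard
                continue
            db[msg.identity] = msg.token
        elif msg.op == "delete":
            if db.pop(msg.identity, None) is None:  # nothing to delete: discard
                continue
        else:
            continue                                # unknown operation: ignore
        applied.append(msg)
    return applied


if __name__ == "__main__":
    # Constructed batch as seen by dc-b: a logout (delete) for alice arrives
    # alongside older store messages for the same identity.
    db = {"alice": "tok-old"}
    batch = [
        SyncMsg("alice", "tok-new", "store", "dc-a", 10.0),
        SyncMsg("alice", "tok-new", "delete", "dc-a", 12.0),
        SyncMsg("alice", "tok-stale", "store", "dc-a", 11.0),
        SyncMsg("carol", "tok-c", "store", "dc-b", 5.0),
        SyncMsg("bob", "tok-b", "store", "dc-a", 7.0),
    ]
    print(apply_sync("dc-b", db, batch), db)
    print(partition_for("alice", 8))
```

Picking the message with the latest generation time is what keeps an older store from overriding a later delete for the same identity within one batch.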
In addition, the embodiment also discloses a service platform device, which comprises:
a memory for storing a computer program;
a processor for implementing the steps of the authentication method as described above when executing the computer program.
The service platform equipment provided by the application firstly receives an authentication request carrying user information, acquires target information meeting an authorization standard in the user information, generates authorization identification information, stores the authorization information, and broadcasts synchronous information containing the authorization identification information to other service platforms in the service platform cluster so that the service platforms in the service platform cluster can respond to an access request initiated by the user equipment based on the synchronous information, and further returns the authorization identification information to the target user equipment corresponding to the target information so that the target user equipment accesses the service platforms in the service platform cluster based on the authorization identification information. After the target information in the user information passes the authentication of one service platform in the service platform cluster, the service platform broadcasts the synchronous information containing the authorization identification information generated by the authentication to other service platforms in the service platform cluster, and further, the other service platforms can respond to the access request initiated by the user equipment based on the authorization identification information, so that the user equipment can access the service data of all the service platforms in the service platform cluster after passing the authentication of one service platform in the service platform cluster scene, and the overall availability of the service platform cluster is further ensured.
In addition, the embodiment also discloses a computer readable storage medium, and the computer readable storage medium stores a computer program, and the computer program realizes the steps of the authentication method when being executed by a processor.
The computer readable storage medium is applied to service platforms in a service platform cluster, firstly receives an authentication request carrying user information, acquires target information meeting authorization standards in the user information, generates authorization identification information, further stores the authorization information, and broadcasts synchronous information containing the authorization identification information to other service platforms in the service platform cluster, so that the service platforms in the service platform cluster can respond to an access request initiated by user equipment based on the synchronous information, and further returns the authorization identification information to the target user equipment corresponding to the target information, so that the target user equipment accesses the service platforms in the service platform cluster based on the authorization identification information. After the target information in the user information passes through the authentication of one service platform in the service platform cluster, the service platform broadcasts the synchronous information containing the authorization identification information generated by the authentication to other service platforms in the service platform cluster, and further, the other service platforms can respond to the access request initiated by the user equipment based on the authorization identification information, so that the user equipment can access the service data of all service platforms in the service platform cluster after passing through the authentication of one service platform in the service platform cluster in the scene of the service platform cluster, and the overall availability of the service platform cluster is further ensured.
The authentication method, authentication device, authentication equipment and storage medium provided by the application have been described in detail above. In the description, the embodiments are described in a progressive manner, each focusing on its differences from the others, so that identical or similar parts among the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and for the relevant points reference is made to the description of the method section. It should be noted that it would be obvious to those skilled in the art that various improvements and modifications can be made to the present application without departing from the principles of the present application, and such improvements and modifications fall within the scope of the claims of the present application.
It should also be noted that in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (13)

1. The authentication method is characterized by being applied to a service platform in a service platform cluster and comprising the following steps:
receiving an authentication request, wherein the authentication request carries user information;
acquiring target information meeting authorization standards in the user information, and generating authorization identification information;
storing the authorization identification information, broadcasting synchronous information containing the authorization identification information and generated object information to other service platforms in the service platform cluster, so that the service platforms in the service platform cluster respond to an access request initiated by user equipment based on the synchronous information;
returning the authorization identification information to target user equipment corresponding to the target information so that the target user equipment can access the service platform in the service platform cluster based on the authorization identification information;
when receiving the actual synchronization information, the method further comprises: screening the actual synchronization information according to the generated object information to obtain the target actual synchronization information generated by non-local service platforms; and updating a local database based on the target actual synchronization information and broadcasting the local database to other service platforms in the service platform cluster.
2. The authentication method of claim 1, wherein the method further comprises:
receiving a current access request, wherein the current access request carries actual authorization identification information;
judging whether the actual authorization identification information is matched with the authorization identification information in the synchronous information or not;
if the actual authorization identification information is matched with the authorization identification information in the synchronous information, executing the service response on the corresponding current user equipment according to the current access request;
and if the actual authorization identification information is not matched with the authorization identification information in the synchronous information, stopping responding to the current access request.
3. The authentication method of claim 1, wherein the generating authorization identification information comprises:
acquiring platform identity information of a local service platform, and performing encryption operation on plaintext information containing the platform identity information to obtain the authorization identification information;
the method further comprises the steps of:
receiving a current access request, wherein the current access request carries actual authorization identification information;
performing decryption operation on the actual authorization identification information to obtain actual plaintext information, and acquiring actual platform identity information in the actual plaintext information;
Initiating a verification request for the actual authorization identification information to a corresponding target service platform according to the actual platform identity information, and receiving a verification result;
judging whether the verification result is in a verification passing state or not;
if the verification result is in a verification passing state, executing service response on the corresponding current user equipment according to the current access request;
and if the verification result is not in the verification passing state, stopping responding to the current access request.
4. The authentication method of claim 1, wherein the generating authorization identification information comprises:
generating authentication information according to the target information, and performing encryption operation on plaintext information containing the authentication information to obtain the authorization identification information;
the method further comprises the steps of:
receiving a current access request, wherein the current access request carries actual authorization identification information and actual user information;
performing decryption operation on the actual authorization identification information to obtain actual plaintext information, and acquiring actual authentication information in the actual plaintext information;
judging whether the actual user information is matched with the actual authentication information;
If the actual user information is matched with the actual authentication information, executing service response on the corresponding current user equipment according to the current access request;
and if the actual user information is not matched with the actual authentication information, stopping responding to the current access request.
5. The authentication method of claim 1, wherein the generating authorization identification information comprises:
acquiring platform identity information of a local service platform, and generating authentication information according to the target information;
performing encryption operation on plaintext information containing the platform identity information and the authentication information to obtain the authorization identification information;
the method further comprises the steps of:
receiving a current access request, wherein the current access request carries actual authorization identification information;
judging whether the actual authorization identification information is matched with the authorization identification information in the synchronous information or not;
if the actual authorization identification information is matched with the authorization identification information in the synchronous information, executing the service response on the corresponding current user equipment according to the current access request;
if the actual authorization identification information is not matched with the authorization identification information in the synchronous information, performing decryption operation on the actual authorization identification information to obtain actual plaintext information, and acquiring actual platform identity information in the actual plaintext information;
Initiating a verification request for the actual authorization identification information to a corresponding target service platform according to the actual platform identity information, and receiving a verification result;
judging whether the verification result is in a verification passing state or not;
if the verification result is in a verification passing state, executing service response on the corresponding current user equipment according to the current access request;
if the verification result is not in the verification passing state, acquiring actual authentication information in the actual plaintext information;
judging whether the actual user information is matched with the actual authentication information;
if the actual user information is matched with the actual authentication information, executing service response on the corresponding current user equipment according to the current access request;
and if the actual user information is not matched with the actual authentication information, stopping responding to the current access request.
6. The authentication method according to any one of claims 1 to 5, wherein before broadcasting the synchronization information containing the authorization identification information to other service platforms in the service platform cluster, the method further comprises:
generating the synchronous information containing the generation object information;
The broadcasting the synchronization information containing the authorization identification information to other service platforms in the service platform cluster includes:
and broadcasting the synchronous information containing the authorization identification information to other service platforms in the service platform cluster through a message queue.
7. The authentication method of claim 6, wherein the updating the local database based on the target actual synchronization information comprises:
and storing the target actual synchronization information into the local database, or deleting the target actual synchronization information in the local database.
8. The authentication method of claim 7, wherein prior to said updating a local database based on said target actual synchronization information, the method further comprises:
judging whether the target actual synchronous information exists in the local database;
discarding the target actual synchronization information if the target actual synchronization information exists;
and if the target actual synchronization information does not exist, executing the step of updating the local database based on the target actual synchronization information.
9. The authentication method according to claim 8, wherein when the number of the target actual synchronization information is greater than 1 and the actual identity is the same, the updating the local database based on the target actual synchronization information includes:
updating the local database, based on the generation time in the target actual synchronization information, with the latest target actual synchronization information, namely the one whose generation time has the smallest difference from the current time.
10. The authentication method according to claim 9, wherein broadcasting the synchronization information including the authorization identification information to other service platforms in the service platform cluster through a message queue, comprises:
broadcasting the synchronous information with the same identity to other service platforms in the service platform cluster through partition channels corresponding to the identity in a message queue.
11. An authentication device, which is applied to a service platform in a service platform cluster, comprising:
the request receiving module is used for receiving an authentication request, wherein the authentication request carries user information;
the authorization information generation module is used for acquiring target information meeting authorization standards in the user information and generating authorization identification information;
the synchronization module is used for storing the authorization identification information, broadcasting synchronization information containing the authorization identification information and generated object information to other service platforms in the service platform cluster, and enabling the service platforms in the service platform cluster to respond to an access request initiated by user equipment based on the synchronization information;
The identification output module is used for returning the authorization identification information to target user equipment corresponding to the target information so that the target user equipment can access the service platform in the service platform cluster based on the authorization identification information;
when receiving the actual synchronization information, the device further comprises:
the screening module is used for screening the actual synchronous information according to the generated object information to obtain the target actual synchronous information generated by non-local service platforms;
and the updating module is used for updating the local database based on the target actual synchronous information and broadcasting the local database to other service platforms in the service platform cluster.
12. A service platform device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the authentication method according to any one of claims 1 to 10 when executing the computer program.
13. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the authentication method according to any of claims 1 to 10.
CN202010032716.5A 2020-01-13 2020-01-13 Authentication method, authentication device, authentication equipment and storage medium Active CN113111335B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010032716.5A CN113111335B (en) 2020-01-13 2020-01-13 Authentication method, authentication device, authentication equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010032716.5A CN113111335B (en) 2020-01-13 2020-01-13 Authentication method, authentication device, authentication equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113111335A CN113111335A (en) 2021-07-13
CN113111335B true CN113111335B (en) 2023-12-29

Family

ID=76709980

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010032716.5A Active CN113111335B (en) 2020-01-13 2020-01-13 Authentication method, authentication device, authentication equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113111335B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant