CN113765655A - Access control method, device, equipment and storage medium - Google Patents

Info

Publication number: CN113765655A
Application number: CN202010952254.9A
Authority: CN (China)
Prior art keywords: request, access, client account, login, client
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventor: 魏军龙
Current assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd
Events: application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Wodong Tianjun Information Technology Co Ltd; priority to CN202010952254.9A; publication of CN113765655A; legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 ... involving a third party or a trusted authority
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Abstract

Embodiments of this application provide an access control method, apparatus, device and storage medium. A control gateway receives an access request sent by a terminal device, the access request carrying a client account of a service client and the user access credential corresponding to that account; an authorization center verifies the client account and the user access credential and determines the validity of the access request; and when the access request is determined to be legitimate, a cloud server executes the business operation corresponding to it. With this scheme, a user of the terminal device who already holds an account on the service client does not need to register a separate account on the platform to which the central control platform belongs, and can log in to the central control platform to control and manage smart devices and smart scenes, improving the smart-device experience and user stickiness.

Description

Access control method, device, equipment and storage medium
Technical Field
Embodiments of this application relate to internet technology, and in particular to an access control method, apparatus, device and storage medium.
Background
Whole-house intelligence combines the Internet of Things and artificial intelligence to give users a safe, comfortable, energy-saving and varied home experience, and changes how people live through fashionable smart electronic products. The third-party platform of an e-commerce operator acts as the control device in whole-house intelligence and plays an important role in whole-house smart projects.
In the prior art, in a whole-house smart project that uses a third-party platform for control and management, a user of a local manufacturer who wants to use the third-party platform downloads the third-party platform's client, registers a third-party platform account, then selects a smart scene in that client and controls and manages the smart devices associated with the local manufacturer.
In the course of implementing the invention, the inventor found at least the following problem in the prior art: because the local manufacturer's user must download the third-party platform's client and register a third-party platform account before use, user experience is poor and user stickiness is low.
Disclosure of Invention
Embodiments of this application provide an access control method, apparatus, device and storage medium to address the poor user experience and low user stickiness of existing central control platforms.
In a first aspect, an embodiment of this application provides an access control method applied to a central control platform, where the central control platform includes a control gateway, an authorization center and a cloud server. The method includes:
receiving, through the control gateway, an access request sent by a terminal device, where the access request includes a client account of a service client and the user access credential corresponding to the client account;
verifying the client account and the user access credential with the authorization center, and determining the validity of the access request; and
when the authorization center determines that the access request is legitimate, using the control gateway to call the cloud server to execute the business operation corresponding to the access request.
In a possible design of the first aspect, verifying the client account and the user access credential with the authorization center and determining the validity of the access request includes:
judging whether the client account and the user access credential exist in the information stored in the authorization center; and
when both exist in the information stored in the authorization center, determining that the access request is legitimate.
Optionally, before receiving, through the control gateway, the access request sent by the terminal device, the method further includes:
receiving, through the control gateway, a login credential acquisition request sent by an application server of the service client, where the login credential acquisition request includes the client account and a login code value;
according to the login credential acquisition request, sending an authentication request to the application server through the authorization center, where the authentication request includes the client account, the password of the client account and the login code value;
receiving, through the authorization center, an authentication response returned by the application server, where the authentication response includes user identification information, a session key and the validity period of the session key;
storing the user identification information, the session key and the validity period of the session key in the authorization center; and
returning a login credential acquisition response to the application server through the authorization center, where the login credential acquisition response includes the client account, the password of the client account, the user access credential and a signing key.
In another possible design of the first aspect, after the cloud server executes the business operation corresponding to the access request, the method further includes:
receiving, through the control gateway, a logout request sent by the application server of the service client, where the logout request includes the client account and the user access credential; and
revoking, in the authorization center, the user access credential corresponding to the client account.
In a second aspect, an embodiment of this application provides an access control method applied to the application server of a service client. The method includes:
receiving an access information acquisition request from a terminal device, where the access information acquisition request includes a client account of the service client;
according to the access information acquisition request, determining the access information the service client needs in order to access the central control platform, where the access information includes the client account of the service client and the user access credential corresponding to the client account, and the central control platform is the control center that uniformly controls and manages smart devices; and
returning the access information to the terminal device.
In a possible design of the second aspect, before receiving the access information acquisition request from the terminal device, the method includes:
receiving a login request from the terminal device, where the login request includes the client account;
generating a login code value according to the login request;
sending a login credential acquisition request to the control gateway of the central control platform, where the login credential acquisition request includes the client account and the login code value, and the control gateway forwards the login credential acquisition request to the authorization center for authentication;
receiving an authentication request sent by the authorization center of the central control platform, where the authentication request includes the client account, the password of the client account and the login code value;
verifying the legitimacy of the login code value in the authentication request against the generated login code value; and
when the login code value in the authentication request is determined to be legitimate, returning an authentication response to the authorization center and receiving the login credential acquisition response returned by the authorization center, where the authentication response includes user identification information, a session key and the validity period of the session key, and the login credential acquisition response includes the client account, the password of the client account, the user access credential and a signing key.
In another possible design of the second aspect, the method further includes:
when detecting that the user has logged out of the service client and/or cancelled the client account, generating a logout request, where the logout request includes the client account and the user access credential; and
sending the logout request to the control gateway of the central control platform, where the logout request is used to request that the authorization center revoke the user access credential corresponding to the client account.
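The login, access and logout procedures of the first and second aspects (the apparatus aspects below restate the same steps), as an added example that is not part of the patent: a single-process Python model of the terminal device's application server, the control gateway, the authorization center and the cloud server, with each message carrying the fields the text names. The class and method names and the dict message format are assumptions. So is the handling of "the password of the client account": the page does not say where the authorization center obtains it, so here it is a per-account secret pre-shared between the application server and the authorization center. Two things go beyond the text: the login code value is consumed on first use, so a replayed login credential acquisition request fails, and the access check uses the stored validity period of the session key to expire the credential in addition to the existence test the text describes.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class CloudServer:
    devices: dict = field(default_factory=lambda: {"living-room-lamp": "off"})  # constructed sample state

    def execute(self, operation):
        self.devices[operation["device"]] = operation["action"]
        return self.devices[operation["device"]]


@dataclass
class AuthorizationCenter:
    account_passwords: dict                    # account -> password; pre-shared with the app server (assumption)
    store: dict = field(default_factory=dict)  # account -> record stored after a successful login
    clock: object = time.time                  # injectable so the validity period can be exercised

    def handle_login_credential_request(self, app_server, req):
        auth_req = {**req, "password": self.account_passwords.get(req["account"])}  # account, login code, password
        auth_resp = app_server.handle_authentication_request(auth_req)
        if auth_resp is None:
            return None
        cred = secrets.token_urlsafe(32)
        self.store[req["account"]] = {"user_id": auth_resp["user_id"], "session_key": auth_resp["session_key"],
                                      "expires_at": self.clock() + auth_resp["valid_seconds"], "user_access_credential": cred}
        return {"account": req["account"], "password": auth_req["password"],
                "user_access_credential": cred, "signing_key": secrets.token_hex(32)}

    def is_valid(self, account, cred):
        rec = self.store.get(account)
        return (rec is not None and secrets.compare_digest(rec["user_access_credential"], cred)
                and self.clock() < rec["expires_at"])

    def revoke(self, account, cred):
        rec = self.store.get(account)
        return bool(rec and secrets.compare_digest(rec["user_access_credential"], cred) and self.store.pop(account))


@dataclass
class ControlGateway:
    auth_center: AuthorizationCenter
    cloud_server: CloudServer

    def handle_login_credential_request(self, app_server, req):
        return self.auth_center.handle_login_credential_request(app_server, req)

    def handle_access_request(self, req):
        if not self.auth_center.is_valid(req["account"], req["user_access_credential"]):
            return {"ok": False, "error": "access request rejected by authorization center"}
        return {"ok": True, "result": self.cloud_server.execute(req["operation"])}

    def handle_logout_request(self, req):
        return self.auth_center.revoke(req["account"], req["user_access_credential"])


@dataclass
class AppServer:
    account_passwords: dict
    pending_codes: dict = field(default_factory=dict)  # account -> login code value awaiting verification
    access_info: dict = field(default_factory=dict)    # account -> user access credential issued by the platform

    def handle_login_request(self, gateway, account):
        code = secrets.token_hex(16)  # login code value, fresh per login request
        self.pending_codes[account] = code
        resp = gateway.handle_login_credential_request(self, {"account": account, "login_code": code})
        if resp is not None:
            self.access_info[account] = resp["user_access_credential"]
        return resp

    def handle_authentication_request(self, req):
        # The login code value is consumed on first use, so a replayed request fails.
        expected = self.pending_codes.pop(req["account"], None)
        if (expected is None or not secrets.compare_digest(expected, req["login_code"])
                or self.account_passwords.get(req["account"]) != req["password"]):
            return None
        return {"user_id": "uid-" + req["account"], "session_key": secrets.token_hex(16), "valid_seconds": 3600}

    def handle_access_info_request(self, account):
        return {"account": account, "user_access_credential": self.access_info[account]}

    def logout(self, gateway, account):
        return gateway.handle_logout_request({"account": account, "user_access_credential": self.access_info.pop(account)})


def run_scenario(clock=time.time):
    passwords = {"alice@community": "s3cret"}  # constructed sample account
    auth = AuthorizationCenter(account_passwords=passwords, clock=clock)
    gateway = ControlGateway(auth_center=auth, cloud_server=CloudServer())
    app, account = AppServer(account_passwords=passwords), "alice@community"
    login = app.handle_login_request(gateway, account)
    info = app.handle_access_info_request(account)
    first = gateway.handle_access_request({**info, "operation": {"device": "living-room-lamp", "action": "on"}})
    app.logout(gateway, account)
    after = gateway.handle_access_request({**info, "operation": {"device": "living-room-lamp", "action": "off"}})
    return {"login_ok": login is not None, "first_ok": first["ok"], "after_logout_ok": after["ok"],
            "lamp": gateway.cloud_server.devices["living-room-lamp"]}
```

run_scenario() drives the three procedures end to end: the lamp is switched on while the credential is stored, and the same access request is rejected once the logout request has removed it. The expiry, forged-credential and replayed-login-code cases are exercised by calling the classes directly with an injected clock.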
In a third aspect, an embodiment of this application provides an access control apparatus applied to a central control platform, where the central control platform includes a control gateway, an authorization center and a cloud server. The apparatus includes a receiving module, a processing module and a calling module;
the receiving module is configured to receive, through the control gateway, an access request sent by a terminal device, where the access request includes a client account of a service client and the user access credential corresponding to the client account;
the processing module is configured to verify the client account and the user access credential with the authorization center and determine the validity of the access request; and
the calling module is configured to use the control gateway to call the cloud server to execute the business operation corresponding to the access request when the authorization center determines that the access request is legitimate.
In a possible design of the third aspect, the processing module is specifically configured to judge whether the client account and the user access credential exist in the information stored in the authorization center, and to determine that the access request is legitimate when both exist there.
Optionally, the receiving module is further configured to receive, through the control gateway, a login credential acquisition request sent by an application server of the service client before the access request is received, where the login credential acquisition request includes the client account and a login code value;
the apparatus further includes a sending module;
the sending module is configured to send an authentication request to the application server through the authorization center according to the login credential acquisition request, where the authentication request includes the client account, the password of the client account and the login code value;
the receiving module is further configured to receive, through the authorization center, an authentication response returned by the application server, where the authentication response includes user identification information, a session key and the validity period of the session key;
the processing module is further configured to store the user identification information, the session key and the validity period of the session key in the authorization center; and
the sending module is further configured to return a login credential acquisition response to the application server through the authorization center, where the login credential acquisition response includes the client account, the password of the client account, the user access credential and a signing key.
In another possible design of the third aspect, the receiving module is further configured to receive, through the control gateway, a logout request sent by the application server of the service client after the calling module has had the cloud server execute the business operation corresponding to the access request, where the logout request includes the client account and the user access credential; and
the processing module is further configured to revoke, in the authorization center, the user access credential corresponding to the client account.
In a fourth aspect, an embodiment of this application provides an access control apparatus applied to the application server of a service client. The apparatus includes a receiving module, a processing module and a sending module;
the receiving module is configured to receive an access information acquisition request from a terminal device, where the access information acquisition request includes a client account of the service client;
the processing module is configured to determine, according to the access information acquisition request, the access information the service client needs in order to access the central control platform, where the access information includes the client account of the service client and the user access credential corresponding to the client account, and the central control platform is the control center that uniformly controls and manages smart devices; and
the sending module is configured to return the access information to the terminal device.
In a possible design of the fourth aspect, the receiving module is further configured to receive a login request from the terminal device before receiving the access information acquisition request, where the login request includes the client account;
the processing module is further configured to generate a login code value according to the login request;
the sending module is further configured to send a login credential acquisition request to the control gateway of the central control platform, where the login credential acquisition request includes the client account and the login code value, and the control gateway forwards it to the authorization center for authentication;
the receiving module is further configured to receive an authentication request sent by the authorization center of the central control platform, where the authentication request includes the client account, the password of the client account and the login code value;
the processing module is further configured to verify the legitimacy of the login code value in the authentication request against the generated login code value; and
the sending module is further configured to, when the login code value in the authentication request is determined to be legitimate, return an authentication response to the authorization center and receive the login credential acquisition response returned by the authorization center, where the authentication response includes user identification information, a session key and the validity period of the session key, and the login credential acquisition response includes the client account, the password of the client account, the user access credential and a signing key.
In another possible design of the fourth aspect, the processing module is further configured to generate a logout request when detecting that the user has logged out of the service client and/or cancelled the client account, where the logout request includes the client account and the user access credential; and
the sending module is further configured to send the logout request to the control gateway of the central control platform, where the logout request is used to request that the authorization center revoke the user access credential corresponding to the client account.
In a fifth aspect, an embodiment of this application provides a central control platform including a control gateway, an authorization center and a cloud server, which cooperate to implement the method of the first aspect and its possible designs.
In a sixth aspect, an embodiment of this application provides a server including a processor, a transceiver, a memory and a computer program stored in the memory and executable on the processor, where the processor implements the method of the second aspect and its possible designs when executing the program.
In a seventh aspect, an embodiment of this application provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the method of the first aspect and its possible designs.
In an eighth aspect, an embodiment of this application provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the method of the second aspect and its possible designs.
With the access control method, apparatus, device and storage medium provided by the embodiments of this application, a control gateway receives an access request sent by a terminal device, the access request carrying a client account of a service client and the user access credential corresponding to that account; an authorization center verifies the client account and the user access credential and determines the validity of the access request; and when the access request is determined to be legitimate, a cloud server executes the business operation corresponding to it. A user of the terminal device who already holds an account on the service client therefore does not need to register a separate account on the platform to which the central control platform belongs, and can log in to the central control platform to control and manage smart devices and smart scenes, improving the smart-device experience and user stickiness.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic structural diagram of an access control system to which the access control method provided in an embodiment of this application is applied;
Fig. 2 is an interaction diagram of a first embodiment of the access control method provided in an embodiment of this application;
Fig. 3 is an interaction diagram of a second embodiment of the access control method provided in an embodiment of this application;
Fig. 4 is an interaction diagram of a third embodiment of the access control method provided in an embodiment of this application;
Fig. 5 is a schematic structural diagram of a first embodiment of an access control apparatus provided in an embodiment of this application;
Fig. 6 is a schematic structural diagram of a second embodiment of an access control apparatus provided in an embodiment of this application;
Fig. 7 is a schematic structural diagram of an embodiment of a central control platform provided in this application;
Fig. 8 is a schematic structural diagram of an embodiment of a server provided in this application.
With the foregoing drawings in mind, certain embodiments of the disclosure have been shown and described in more detail below. These drawings and written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the concepts of the disclosure to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
With the rapid development of internet technology and the push of the market and user demand, a single smart product can no longer satisfy project requirements; complete, integrated, interconnected whole-house smart home products have become the industry mainstream. Built on artificial intelligence, the Internet of Things, cloud services and the research, development and design of smart hardware, and underpinned by big-data analysis, they create safe, energy-saving and comfortable physical spaces for millions of users, raising quality of life and changing how people live.
To realise whole-house intelligence, local manufacturers, device vendors and third-party platforms all compete to offer targeted smart real-estate, home and community solutions. For example, a property developer's community service system may incorporate a third-party platform (such as the e-commerce operator's platform) into a whole-house smart project. In use, a user of the local manufacturer who wants to use the third-party platform must download the third-party platform's client and register a third-party platform account in order to control and manage the smart devices and smart scenes registered in the local manufacturer's community service system.
In practice, the inventor's reasoning was as follows: if the third-party platform's account is decoupled from the community service system, then when a user logs in to the community service system with its service client, authorized login to the third-party platform can be completed through interaction between the service client and the third-party platform. This enables control and management of the smart home, smart hardware devices and smart scenes, improves the smart-device experience and user stickiness, gives independent software vendors (ISVs) strong support in promoting the third-party platform's products, and supports the rollout of whole-house smart projects.
Based on this concept, an embodiment of this application provides an access control method in which the third-party platform is configured as a central control platform comprising a control gateway, an authorization center, a cloud server and so on. The control gateway receives an access request sent by a terminal device, the access request carrying a client account of a service client and the user access credential corresponding to that account; the authorization center verifies the client account and the user access credential and determines the validity of the access request; and when the access request is determined to be legitimate, the cloud server executes the business operation corresponding to it. A user of the terminal device who already holds a service client account therefore does not need to register a separate account on the platform to which the central control platform belongs, and can log in to the central control platform to control and manage smart devices and smart scenes, improving the smart-device experience and user stickiness.
Before the technical solutions of this application are introduced, the access control system to which the access control method applies is described first.
Fig. 1 is a schematic structural diagram of an access control system to which the access control method provided in the embodiment of the present application is applied. As shown in fig. 1, the access control system may include: a terminal device 11 installed with a service client 110, an application server 12 of the service client 110, and a central control platform 13 capable of communicating with the terminal device 11 and the application server 12. Wherein, this central control platform 13 includes: control gateway 131, authorization center 132, and cloud server 133.
In a specific application, the terminal device 11 and the application server 12 may establish a communication connection, the terminal device 11 and the application server 12 may respectively establish a communication connection with a control gateway of the central control platform 13, and the control gateway 131 may establish a communication connection with the authorization center 132 and the cloud server 133.
In the embodiment of the present application, the access control method may be divided into three processes: a login procedure, an access procedure and a logout procedure.
Optionally, in the login process, the user may send a login request to the application server 12 through the service client 110 of the terminal device 11, after the application server 12 generates a login code value based on the login request, the login credential acquiring request may be sent to the control gateway 131, the control gateway 131 communicates with the authorization center 132, the authorization center 132 communicates with the application server 12 to implement authentication of the client account, for example, the control gateway 131 sends the login credential acquiring request to the authorization center 132, the authorization center 132 generates an authentication request based on the login credential acquiring request and sends the authentication request to the application server 12, the application server 12 feeds back an authentication response to the authorization center after authenticating the identity, and finally the authorization center feeds back the login credential acquiring response to the application server 12, where the login credential acquiring response includes: the client account, the password of the client account, the user access credential, and the signing key.
In the access process, a user may send an access request to the control gateway 131 through the service client 110 of the terminal device 11, the control gateway 131 performs interaction with the authorization center 132 to authenticate the access request, and determines validity of the access request, and when it is determined that the access request is valid, the control gateway sends a service operation corresponding to the access request to the cloud server 133, so that the cloud 133 completely executes the service operation corresponding to the access request. That is, the cloud server 133 may be used to control and manage at least one smart device bound to the central control platform 13.
In the logout process, when the application server 13 detects that the user logs out of the service client 110 or logs out of the client account, the application server 13 calls a logout interface of the control gateway 131 to send a logout request to the control gateway 131, so that the control gateway 131 interacts with the authorization center 132, so that the authorization center logs out the user access credential in the authorization center 132 based on the logout request.
For specific implementation of the login process, the access process, and the logout process, reference may be made to the following description of specific embodiments, which are not described herein again.
Optionally, in the embodiment of the present application, the terminal device 11 may be a portable device (e.g., a smart phone, a smart watch, a tablet computer, a notebook computer, etc.), or may be a Personal Computer (PC).
Optionally, in this embodiment of the application, the various intelligent devices in the smart home scene may include, but are not limited to, an intelligent LED lamp, an intelligent speaker, an intelligent air conditioner, an auxiliary robot, various sensors (such as a temperature sensor, a humidity sensor, a light sensor, a human presence sensor, etc.), an intelligent humidifier, and the like.
The following describes in detail the technical solution of the present application and how the technical solution of the present application solves the above technical problem with a specific embodiment in combination with a schematic architecture diagram of an access control system shown in fig. 1. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is an interaction diagram of a first access control method provided in an embodiment of the present application. The method is explained by information interaction among terminal equipment provided with a service client, an application server of the service client and a central control platform. As shown in fig. 2, the access control method may include the steps of:
S201, the terminal device sends an access information acquisition request to the application server based on the information acquisition instruction of the user.
Wherein the access information acquisition request includes: a client account of the service client.
In the embodiment of the application, when a user wants to control a smart device connected to the access control system, the user may issue an information acquisition instruction to the terminal device, so that the terminal device acquires the access information from the application server of the service client.
For example, the user may issue the information acquisition instruction by voice, through an interactive interface of the terminal device, or in another manner. The embodiment of the application does not limit the specific manner in which the user issues the information acquisition instruction; it can be determined according to the actual scene and is not described further here.
It can be understood that a plurality of service clients may be installed on the terminal device, and when a user sends an access information acquisition request to the application server by operating a target service client on the terminal device, the access information acquisition request carries a client account of the service client, so that the application server can determine access information of the target service client based on the client account.
In practical application, a software development kit of the central control platform is integrated in a service client of the terminal device, so that the terminal device can access the central control platform based on the acquired access information, and further control the intelligent device associated with the central control platform.
S202, the application server determines the access information needed by the service client to access the central control platform according to the received access information acquisition request.
Wherein the access information comprises: a client account of the service client and a user access credential corresponding to the client account, and the central control platform is a control center for uniformly controlling and managing the intelligent equipment.
S203, the application server feeds back the access information to the terminal equipment.
In this embodiment, before the user sends the access information acquisition request to the application server through the terminal device, the application server and the central control platform are authenticated with each other, and the application server stores relevant information of the service client, such as a client account, a client password, a user access credential, a signature key, and the like. Therefore, when the application server receives the access information acquisition request, the access information required by the service client to access the central control platform can be determined based on the client account in the access information acquisition request, and is fed back to the terminal device.
It can be understood that the central control platform in the embodiment of the present application is a control center for uniformly controlling and managing the intelligent devices. In practical application, after acquiring the authenticated access information from the application server, the terminal device directly accesses the central control platform through the service client, and then controls the target intelligent device.
Illustratively, the access information may include a client account and a user access credential. Optionally, the client account is represented by appkey and uniquely identifies the service client; the user access credential is represented by access_token, which is later used to obtain the unique identifier OpenID of the user at the service client, and access_token is the parameter that an application (client) must pass when calling the OpenAPI to access or modify user data.
S204, the terminal equipment sends an access request to a control gateway of the central control platform, wherein the access request comprises: the client account of the service client and the user access certificate corresponding to the client account.
Optionally, after acquiring the access information, the terminal device may send an access request to the central control platform. Specifically, after the service client of the terminal device obtains the client account of the service client and the user access credential corresponding to the client account, the service client may call an open interface of the control gateway in the central control platform through the software development kit integrated in the service client, and pass the client account (appkey) and the user access credential (access_token) corresponding to the client account to the central control platform in the access request.
S205, the central control platform verifies the client account and the user access certificate received by the control gateway by using the authorization center, and the validity of the access request is determined.
In the embodiment of the application, when the control gateway receives an access request from the terminal device, it sends the client account carried in the access request and the user access credential corresponding to the client account to the authorization center for verification; that is, after receiving the access request, the control gateway calls the authorization center of the central control platform to verify the legitimacy of the received client account (appkey) and user access credential (access_token).
In a possible design of the present application, the step S205 may be specifically implemented by:
judging whether the client account and the user access certificate exist in the information stored in the authorization center; if yes, determining that the access request is legal; if not, the access request is determined to be illegal.
In practical application, before the central control platform receives an access request through the control gateway, the user first interacts with the central control platform through the service client of the terminal device and the application server of the service client, completes verification of the client account and the user access credential, and has the related authorization information stored in the authorization center. Therefore, when the control gateway receives an access request sent by the terminal device, it is first determined whether the client account and the user access credential exist in the information stored in the authorization center; if they do, the access request is determined to be legal, and if they do not, the access request is determined to be illegal. Note that this check, as described, only tests for the presence of the pair; the validity duration of the session key stored in step S308 below is not consulted here.
And S206, when the authorization center determines that the access request is legal, the control gateway calls the cloud server to execute the service operation corresponding to the access request.
For example, if the control gateway verifies that the access request is legal by invoking the authorization center, the control gateway may invoke the cloud server to execute the business operation corresponding to the access request, that is, the user accesses the cloud server through the service client to complete the specific business operation.
For example, the service operation corresponding to the access request may refer to starting the smart device, shutting down the smart device, adjusting the smart device, and the like. The embodiment of the present application does not limit the specific implementation of the service operation, and may be determined according to an actual scene, which is not described herein again.
In the access control method provided in the embodiment of the present application, an access request sent by a terminal device is received through the control gateway, where the access request includes a client account of the service client and a user access credential corresponding to the client account; the client account and the user access credential are verified by the authorization center to determine the validity of the access request; and finally, when the access request is determined to be legal, the cloud server executes the service operation corresponding to the access request. In this scheme, a user of the terminal device who already has an account with the service client does not need to register another account with the platform to which the central control platform belongs, and can log in to the central control platform directly, so that control and management of the intelligent devices and intelligent scenes is achieved and the user experience and user stickiness of the intelligent devices are improved.
Optionally, on the basis of the foregoing embodiment, before a user accesses the central control platform by using a service client of the terminal device, the user first needs to log in the central control platform through the service client, and a specific implementation scheme is as shown in fig. 3.
Fig. 3 is an interaction diagram of a second embodiment of an access control method provided in the embodiment of the present application. The method still explains the information interaction among the terminal equipment provided with the service client, the application server of the service client and the central control platform. As shown in fig. 3, when a user logs in the central control platform through the terminal device, the method may further include the following steps:
S301, the terminal device sends a login request to the application server, wherein the login request comprises: a client account.
For example, before a user can operate a device connected to the central control platform, the user first needs to log in to the central control platform. Specifically, a Software Development Kit (SDK) of the central control platform is integrated in the service client installed on the terminal device, so that the user can initiate a login to the central control platform through the service client: the login request carrying the client account is first sent to the application server of the service client, so that the application server can determine which service client initiated the login request.
S302, the application server generates a login code value according to the received login request.
In practical applications, receiving a login request causes the application server to generate a login code value (login_code) for login verification. Optionally, the login code value is randomly generated by the application server and is mainly used to ensure the security of the user login.
Optionally, after the application server generates the login code value, on one hand, the login code value may be stored in its own database, and on the other hand, the login code value may be transmitted to the central control platform.
It can be understood that, each time the service client calls the login interface and successfully logs in to the application server, the application server needs to regenerate a login_code and overwrite the login_code originally corresponding to the account of the service client.
S303, the application server sends a login credential acquisition request to a control gateway of the central control platform.
Wherein, the login credential obtaining request comprises: client account number and login code value.
Optionally, after the application server generates the login code value, the application server may generate a login credential obtaining request by combining with the client account carried in the login request, where the login credential obtaining request carries the client account and the login code value.
Correspondingly, the application server may call the login interface of the control gateway of the central control platform, following the control gateway call specification of the central control platform, to send the login credential obtaining request to the control gateway, thereby passing the client account (appkey) that uniquely identifies the service client and the login code value (login_code) to the central control platform.
S304, the control gateway of the central control platform sends the received login certificate acquisition request to an authorization center for authentication.
Optionally, when the control gateway receives the login credential obtaining request from the application server, it may call the authorization center to verify the client account (appkey) and the login code value (login_code) in the login credential obtaining request; that is, the control gateway forwards the login credential obtaining request to the authorization center so that the authorization center authenticates the received login credential obtaining request.
S305, the authorization center of the central control platform sends an authentication request to the application server according to the login credential obtaining request, wherein the authentication request comprises: client account, password of client account, and login code value.
In this embodiment, after the authorization center of the central control platform receives the login credential obtaining request, it may look up, by the client account in that request, the password (apprequest) of the client account that was stored when the service client registered, generate an authentication request from the client account (appkey), the password (apprequest) of the client account and the login code value (login_code), and send it to the application server of the service client for authentication.
S306, the application server verifies the legality of the login code value in the received identity verification request based on the generated login code value.
Optionally, in this embodiment, when receiving an authentication request sent by the authorization center, the application server may parse out the login code value in the authentication request and compare it with the login code value it generated when it received the login request (i.e., the login code value stored by the application server itself). If the two values are the same, the service client is in the logged-in state; if they differ, the original login authentication has failed and the user needs to log in again.
Specifically, the application server determines that the login code value in the authentication request is legal when determining that the login code value stored by the application server is the same as the login code value in the authentication request, and determines that the login code value in the authentication request is illegal when determining that the login code value stored by the application server is not the same as the login code value in the authentication request.
S307, when the login code value in the authentication request is determined to be legal, the application server feeds an authentication response back to the authorization center, wherein the authentication response comprises: user identification information, a session key, and a validity duration of the session key.
Optionally, after determining that the login code value in the authentication request is legal, the application server may return to the authorization center the unique identifier (i.e., user identification information) of the user accessing the service client in the application server, a session key (session_key), and the expiration time (expire) of the session key.
The user identification information (openid) is the identifier corresponding to the unique user identity in the service client; the application server sends it to the authorization center for storage, so that the identity can be recognized when the service client logs in, or bound to the user's original account in the service client.
The session key (session_key), also called a data encryption key or working key, is a randomly generated encryption and decryption key used to secure a communication session between a user and another computer, or between two computers, and can be negotiated by both parties.
The expiration time (expire) is the validity duration the application server sets for the session_key; once that duration has elapsed, the session_key is no longer valid.
S308, the authorization center stores the received user identification information, the session key and the effective duration of the session key.
Optionally, after receiving the authentication response sent by the application server, the authorization center may store the information in the authentication response, so that when it subsequently receives an access request it can authenticate the client that initiated it.
S309, the authorization center feeds back a login credential acquisition response to the application server, wherein the login credential acquisition response comprises: the client account, the password of the client account, the user access credential, and the signing key.
For example, after receiving the authentication response returned by the application server, that is, after the authorization center has completed account login and authorization, the authorization center may call back the application server and send it a login credential acquisition response, which carries the client account, the password of the client account, the user access credential, and the signing key (sign_key).
According to the access control method provided by the embodiment of the application, the central control platform receives, through the control gateway, a login credential obtaining request sent by the application server of the service client, sends an authentication request to the application server through the authorization center according to that request, receives through the authorization center the authentication response returned by the application server, and returns a login credential obtaining response to the application server. In this way the user logs in to the central control platform through the service client, which is the precondition for subsequently operating the intelligent devices managed by the central control platform.
Optionally, on the basis of the foregoing embodiments, after the central control platform invokes the cloud server to execute the business operation corresponding to the access request, the application server may further detect whether the user has logged out of the service client or logged out of the client account, and execute a logout process when it determines that the user has logged out of the service client and/or logged out of the client account. A specific implementation is shown in fig. 4.
Fig. 4 is an interaction diagram of a third embodiment of an access control method provided in the embodiment of the present application. The method is used for explaining the information interaction between the application server of the service client and the central control platform. As shown in fig. 4, the method may further include the steps of:
S401, when detecting that a user logs out of the service client and/or logs out of the client account, the application server generates a logout request, wherein the logout request comprises: the client account and the user access credential.
In practical applications, the application server may detect the online condition of the logged-in client account in real time or periodically. For example, when the application server detects that a user of the service client logs out, or detects that the user logs out of the client account, the application server may generate a logout request, so that the logout request carries the client account and the user access credential.
S402, the application server sends the logout request to a control gateway of the central control platform.
And the logout request is used for requesting to logout a user access certificate corresponding to the client account in the authorization center.
Optionally, since the user access credential is the credential with which the user accesses the central control platform, for the control of the smart devices to remain accurate, when the user logs out of the service client and/or logs out of the client account, the access_token that the application (access client) must pass when calling the OpenAPI to access and modify user data needs to be revoked. Therefore, the application server may call the logout interface of the control gateway to pass the appkey and the access_token to the control gateway.
And S403, the central control platform utilizes the control gateway to log off the user access certificate corresponding to the client account from the authorization center.
In this step, when the control gateway of the central control platform receives the appkey and the access_token sent by the application server in the logout request, it may pass them to the authorization center, and the authorization center may revoke the stored user access credential corresponding to that client account.
According to the access control method provided by the embodiment of the application, when the application server detects that the user logs out of the service client and/or logs out of the client account, a logout request is generated and sent to the control gateway of the central control platform, so that the central control platform can log out the user access certificate corresponding to the client account from the authorization center by using the control gateway, and accurate control and management are further guaranteed.
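The following is an added example, not code from the patent or its assignees: an in-process simulation of the three exchanges described above, the login flow of fig. 3 (S301 to S309), the access flow of fig. 2 (S204 to S206) and the logout flow of fig. 4 (S401 to S403), with one object standing in for each of the application server, control gateway, authorization center and cloud server. All class and method names, the token lengths, the constructed appkey/apprequest pair and the one-hour expiry are assumptions. The page's S205 check only tests that the (appkey, access_token) pair is stored; this example additionally refuses a credential whose stored validity duration (the expire value from S307) has elapsed, which is an addition for illustration.

```python
import hmac
import secrets
import time


class CloudServer:  # stands in for the cloud server that operates the bound smart devices
    def __init__(self):
        self.executed = []

    def execute(self, openid, operation):
        self.executed.append((openid, operation))
        return f"{operation} done for {openid}"


class AuthorizationCenter:
    def __init__(self, registered_clients, clock=time.time):
        self.registered = dict(registered_clients)  # appkey -> apprequest (registration password)
        self.sessions = {}                          # (appkey, access_token) -> record (S308)
        self.clock = clock

    def handle_login_credential_request(self, appkey, login_code, app_server):
        apprequest = self.registered.get(appkey)
        if apprequest is None:
            return None  # unknown service client
        # S305: authentication request carrying appkey, apprequest and login_code
        auth = app_server.handle_authentication_request(appkey, apprequest, login_code)
        if auth is None:
            return None  # S306 rejected the login_code
        openid, session_key, expire = auth
        access_token = secrets.token_hex(16)
        self.sessions[(appkey, access_token)] = {
            "openid": openid, "session_key": session_key,
            "expires_at": self.clock() + expire}
        # S309: login credential acquisition response
        return {"appkey": appkey, "apprequest": apprequest,
                "access_token": access_token, "sign_key": secrets.token_hex(16)}

    def verify_access(self, appkey, access_token):
        # S205 as described checks only that the pair is stored; honouring the
        # S307 'expire' value as well is an addition in this example.
        record = self.sessions.get((appkey, access_token))
        if record is None:
            return None
        if self.clock() >= record["expires_at"]:
            self.sessions.pop((appkey, access_token))
            return None
        return record

    def revoke(self, appkey, access_token):  # S403
        return self.sessions.pop((appkey, access_token), None) is not None


class ControlGateway:
    def __init__(self, authz, cloud):
        self.authz, self.cloud = authz, cloud

    def login(self, appkey, login_code, app_server):  # S303/S304: forward to the center
        return self.authz.handle_login_credential_request(appkey, login_code, app_server)

    def access(self, appkey, access_token, operation):  # S204 to S206
        record = self.authz.verify_access(appkey, access_token)
        if record is None:
            return None  # illegal request: the cloud server is never called
        return self.cloud.execute(record["openid"], operation)

    def logout(self, appkey, access_token):  # S402/S403
        return self.authz.revoke(appkey, access_token)


class ApplicationServer:
    def __init__(self, appkey, apprequest, gateway):
        self.appkey, self.apprequest, self.gateway = appkey, apprequest, gateway
        self.login_code = None   # one live login_code per client account, overwritten per login
        self.openid = None
        self.credentials = None  # the S309 response, handed out at S202/S203

    def login(self, openid):  # S301 to S303
        self.openid = openid
        self.login_code = secrets.token_urlsafe(16)  # S302: random, replaces the old value
        self.credentials = self.gateway.login(self.appkey, self.login_code, self)
        return self.credentials is not None

    def handle_authentication_request(self, appkey, apprequest, login_code):  # S306/S307
        if appkey != self.appkey or self.login_code is None:
            return None
        if not (hmac.compare_digest(apprequest, self.apprequest)
                and hmac.compare_digest(login_code, self.login_code)):
            return None  # stale or forged login_code, or wrong apprequest
        return self.openid, secrets.token_hex(16), 3600  # openid, session_key, expire (1 h assumed)

    def access_information(self):  # S202/S203
        if self.credentials is None:
            return None
        return {"appkey": self.appkey, "access_token": self.credentials["access_token"]}

    def logout(self):  # S401/S402
        if self.credentials is None:
            return False
        token, self.credentials = self.credentials["access_token"], None
        return self.gateway.logout(self.appkey, token)


def build_demo(clock=time.time):
    """Wire the parties together with one constructed service client registration."""
    cloud = CloudServer()
    authz = AuthorizationCenter({"app-demo": "s3cret-apprequest"}, clock)
    gateway = ControlGateway(authz, cloud)
    return ApplicationServer("app-demo", "s3cret-apprequest", gateway), gateway, authz, cloud


if __name__ == "__main__":
    app_server, gateway, authz, cloud = build_demo()
    app_server.login("user-42")
    info = app_server.access_information()
    print(gateway.access(info["appkey"], info["access_token"], "lamp on"))   # executed
    app_server.logout()
    print(gateway.access(info["appkey"], info["access_token"], "lamp off"))  # None: credential revoked
```

Two behaviours from the text are visible in the simulation: a login_code that has been overwritten by a later login (L201 above) no longer passes S306, because the application server compares against its single stored value, and after S403 the same appkey/access_token pair is refused at the gateway so the cloud server is never invoked. The constant-time comparisons are a practitioner's choice for comparing secrets and are not something the page specifies.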
To sum up, according to the technical scheme provided by the embodiment of the application, a service client whose user is logged in through the service client's own account system completes login, authorization and access by interacting with the central control platform, and then controls and manages the smart home, intelligent devices and intelligent scenes connected to the central control platform. This improves the user's management experience and stickiness with the intelligent devices, gives the central control platform strong support from each ISV manufacturer, and thereby supports whole-house projects in the intelligent direction.
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
Fig. 5 is a schematic structural diagram of a first embodiment of an access control device according to an embodiment of the present application. The device can be applied to a central control platform, which comprises: the system comprises a control gateway, an authorization center and a cloud server. Referring to fig. 5, the apparatus may include: a receiving module 501, a processing module 502 and a calling module 503.
A receiving module 501, configured to receive, through the control gateway, an access request sent by a terminal device, where the access request includes: a client account of a service client and a user access certificate corresponding to the client account;
a processing module 502, configured to verify the client account and the user access credential by using the authorization center, and determine validity of the access request;
the invoking module 503 is configured to invoke, by using the control gateway, the cloud server to execute the service operation corresponding to the access request when the authorization center determines that the access request is legal.
In a possible design of the embodiment of the present application, the processing module 502 is specifically configured to determine whether the client account and the user access credential exist in the information stored in the authorization center, and determine that the access request is legal when the client account and the user access credential exist in the information stored in the authorization center.
Illustratively, the receiving module 501 is further configured to receive, by the control gateway, a login credential obtaining request sent by an application server of the service client before receiving, by the control gateway, an access request sent by a terminal device, where the login credential obtaining request includes: the client account and the login code value;
wherein, the device still includes: a sending module 504;
a sending module 504, configured to send, according to the login credential obtaining request, an authentication request to the application server through the authorization center, where the authentication request includes: the client account, the password of the client account and the login code value;
the receiving module 501 is further configured to receive, by using the authorization center, an authentication response returned by the application server, where the authentication response includes: user identification information, a session key and the effective duration of the session key;
the processing module 502 is further configured to store the user identification information, the session key, and the valid duration of the session key in the authorization center;
the sending module 504 is further configured to feed back, to the application server, a login credential obtaining response through the authorization center, where the login credential obtaining response includes: the client account, the password of the client account, the user access credential, and the signing key.
In another possible design of the embodiment of the present application, the receiving module 501 is further configured to receive, through the control gateway, a logout request sent by an application server of the service client after the invoking module executes a service operation corresponding to the access request by using the cloud server, where the logout request includes: the client account and the user access certificate;
the processing module 502 is further configured to log out the user access credential corresponding to the client account from the authorization center.
The device is used for realizing the technical scheme of the central control platform in the embodiment of the method, the realization principle and the technical effect are similar, and the detailed description is omitted.
Fig. 6 is a schematic structural diagram of a second access control device according to an embodiment of the present application. The apparatus may be applied to an application server serving a client. As shown in fig. 6, the apparatus may include: a receiving module 601, a processing module 602 and a sending module 603.
The receiving module 601 is configured to receive an access information obtaining request from a terminal device, where the access information obtaining request includes: a client account of the service client;
a processing module 602, configured to determine, according to the access information obtaining request, the access information that the service client needs in order to access the central control platform, where the access information includes: the client account of the service client and the user access credential corresponding to the client account, and the central control platform is a control center for uniformly controlling and managing intelligent equipment;
a sending module 603, configured to feed back the access information to the terminal device.
In a possible design of the embodiment of the present application, the receiving module 601 is further configured to receive, before receiving the access information obtaining request from the terminal device, a login request from the terminal device, where the login request includes: the client account number;
the processing module 602 is further configured to generate a login code value according to the login request;
the sending module 603 is further configured to send a login credential obtaining request to the control gateway of the central control platform, where the login credential obtaining request includes: the client account and the login code value; the control gateway is configured to forward the login credential obtaining request to the authorization center for authentication;
the receiving module 601 is further configured to receive an authentication request sent by an authorization center of the central control platform, where the authentication request includes: the client account, the password of the client account and the login code value;
the processing module 602 is further configured to verify the validity of the login code value in the authentication request based on the generated login code value;
the sending module 603 is further configured to, when it is determined that the login code value in the authentication request is legal, feed back an authentication response to the authorization center and receive the login credential obtaining response returned by the authorization center, where the authentication response includes: the user identification information, the session key and the effective duration of the session key; and the login credential obtaining response includes: the client account, the password of the client account, the user access credential, and the signing key.
In another possible design of the embodiment of the present application, the processing module 602 is further configured to generate a logout request when detecting that a user logs out from the service client and/or logs out the client account, where the logout request includes: the client account and the user access certificate;
the sending module 603 is further configured to send a logout request to a control gateway of the central control platform, where the logout request is used to request to logout the user access credential corresponding to the client account in the authorization center.
The above-mentioned apparatus is used for implementing the technical scheme of the application server in the foregoing method embodiment, and the implementation principle and technical effect are similar, which are not described herein again.
It should be noted that the division of the modules of the above apparatus is only a logical division, and in actual implementation the modules may be wholly or partially integrated into one physical entity, or may be physically separated. These modules may be implemented in the form of software called by a processing element, or entirely in hardware, or some modules in the form of software called by the processing element and some in hardware. For example, the processing module may be a separately arranged processing element, or may be integrated in a chip of the apparatus, or may be stored in a memory of the apparatus in the form of program code, with the function of the processing module called and executed by a processing element of the apparatus. The other modules are implemented similarly. In addition, all or some of the modules may be integrated together or implemented independently. The processing element described here may be an integrated circuit having signal processing capability. In implementation, each step of the above method or each of the above modules may be implemented by an integrated logic circuit of hardware in a processor element or by instructions in the form of software.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
Fig. 7 is a schematic structural diagram of an embodiment of a central control platform provided in the embodiment of the present application. As shown in fig. 7, the central control platform may include: a control gateway 701, an authorization center 702 and a cloud server 703, where the control gateway 701, the authorization center 702 and the cloud server 703 cooperate to implement the technical scheme of the central control platform in the above method embodiment. For the specific implementation of this technical solution, reference may be made to the description of the above method embodiment, and details are not repeated here.
Fig. 8 is a schematic structural diagram of an embodiment of a server according to the present application. As shown in fig. 8, the server may include: a processor 801, a memory 802, a transceiver 803 and a system bus 804, where the memory 802 and the transceiver 803 are connected with the processor 801 through the system bus 804 and communicate with each other, the memory 802 is used for storing computer execution instructions, the transceiver 803 is used for communicating with other devices, and the technical scheme of the application server in the method embodiment is realized when the processor 801 executes the computer execution instructions.
Optionally, an embodiment of the present application further provides a computer-readable storage medium, where a computer instruction is stored in the computer-readable storage medium, and when the computer instruction runs on a computer, the computer is enabled to execute the technical solution of the central control platform in the foregoing method embodiment.
Optionally, an embodiment of the present application further provides a computer-readable storage medium, where a computer instruction is stored in the computer-readable storage medium, and when the computer instruction runs on a computer, the computer is enabled to execute the technical solution of the application server in the foregoing method embodiment.
Optionally, an embodiment of the present application further provides a chip for executing the instruction, where the chip is used to execute the technical scheme of the central control platform in the foregoing method embodiment.
Optionally, an embodiment of the present application further provides a chip for executing the instruction, where the chip is used to execute the technical scheme of the application server in the foregoing method embodiment.
The embodiment of the present application further provides a program product, where the program product includes a computer program, where the computer program is stored in a computer-readable storage medium, and the computer program can be read from the computer-readable storage medium by at least one processor, and when the computer program is executed by the at least one processor, the technical solution of the central control platform in the above method embodiments can be implemented.
The embodiment of the present application further provides a program product, where the program product includes a computer program, where the computer program is stored in a computer-readable storage medium, and the computer program can be read from the computer-readable storage medium by at least one processor, and when the computer program is executed by the at least one processor, the technical solution of the application server in the above method embodiment can be implemented.
In the present application, "at least one" means one or more, "a plurality" means two or more. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone, wherein A and B can be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship; in the formula, the character "/" indicates that the preceding and following related objects are in a relationship of "division". "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items.
It is to be understood that the various numerical references referred to in the embodiments of the present application are merely for descriptive convenience and are not intended to limit the scope of the embodiments of the present application. In the embodiment of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiment of the present application.
Other embodiments of the present disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (18)

1. An access control method, applied to a central control platform, the central control platform comprising: a control gateway, an authorization center and a cloud server, the method comprising:
receiving an access request sent by a terminal device through the control gateway, wherein the access request comprises: a client account of a service client and a user access credential corresponding to the client account;
verifying the client account and the user access credential by using the authorization center, and determining the validity of the access request;
and when the authorization center determines that the access request is legal, the control gateway is utilized to call the cloud server to execute the business operation corresponding to the access request.
2. The method of claim 1, wherein the verifying the client account and the user access credential with the authorization center to determine the validity of the access request comprises:
judging whether the client account and the user access credential exist in the information stored in the authorization center;
and when the client account and the user access credential exist in the information stored in the authorization center, determining that the access request is legal.
3. The method of claim 2, wherein prior to said receiving, by said control gateway, an access request from a terminal device, said method further comprises:
receiving, by the control gateway, a login credential acquisition request sent by an application server of the service client, where the login credential acquisition request includes: the client account and the login code value;
according to the login credential obtaining request, sending an authentication request to the application server through the authorization center, wherein the authentication request comprises: the client account, the password of the client account and the login code value;
receiving, by the authorization center, an authentication response returned by the application server, where the authentication response includes: user identification information, a session key and the effective duration of the session key;
storing the user identification information, the session key and the effective duration of the session key to the authorization center;
feeding back a login credential acquisition response to the application server through the authorization center, wherein the login credential acquisition response comprises: the client account, the password of the client account, the user access credential, and the signing key.
4. The method according to any one of claims 1-3, wherein after the performing, with the cloud server, the business operation corresponding to the access request, the method further comprises:
receiving, by the control gateway, a logout request sent by an application server of the service client, where the logout request includes: the client account and the user access credential;
and logging off the user access credential corresponding to the client account from the authorization center.
5. An access control method, applied to an application server of a service client, the method comprising:
receiving an access information acquisition request from a terminal device, the access information acquisition request including: a client account of the service client;
according to the access information acquisition request, determining access information required by the service client for accessing the central control platform, wherein the access information comprises: the client account of the service client and a user access credential corresponding to the client account, and the central control platform is a control center for uniformly controlling and managing intelligent equipment;
and feeding back the access information to the terminal device.
6. The method according to claim 5, wherein before said receiving an access information acquisition request from a terminal device, the method comprises:
receiving a login request from the terminal device, the login request comprising: the client account;
generating a login code value according to the login request;
sending a login credential acquisition request to a control gateway of the central control platform, wherein the login credential acquisition request comprises: the client account and the login code value, and the control gateway is used for sending the login credential acquisition request to an authorization center for authentication;
receiving an authentication request sent by an authorization center of the central control platform, wherein the authentication request comprises: the client account, the password of the client account and the login code value;
verifying the legality of the login code value in the authentication request based on the generated login code value;
when the login code value in the authentication request is determined to be legal, feeding back an authentication response to the authorization center, and receiving a login credential acquisition response returned by the authorization center, wherein the authentication response comprises: user identification information, a session key and the effective duration of the session key, and the login credential acquisition response comprises: the client account, the password of the client account, the user access credential, and the signing key.
7. The method of claim 5 or 6, further comprising:
when detecting that a user logs out from the service client and/or logs out the client account, generating a logout request, wherein the logout request comprises: the client account and the user access credential;
and sending the logout request to a control gateway of the central control platform, wherein the logout request is used for requesting to log out the user access credential corresponding to the client account in the authorization center.
8. An access control device, applied to a central control platform, the central control platform comprising: a control gateway, an authorization center and a cloud server, the device comprising: a receiving module, a processing module and a calling module;
the receiving module is configured to receive, through the control gateway, an access request sent by a terminal device, where the access request includes: a client account of a service client and a user access credential corresponding to the client account;
the processing module is used for verifying the client account and the user access credential by using the authorization center and determining the validity of the access request;
and the calling module is used for calling the cloud server to execute the service operation corresponding to the access request by using the control gateway when the authorization center determines that the access request is legal.
9. The apparatus according to claim 8, wherein the processing module is specifically configured to determine whether the client account and the user access credential exist in the information stored in the authorization center, and determine that the access request is valid when the client account and the user access credential exist in the information stored in the authorization center.
10. The apparatus according to claim 9, wherein the receiving module is further configured to receive, through the control gateway, a login credential obtaining request sent by an application server of the service client before receiving, through the control gateway, an access request issued by a terminal device, where the login credential obtaining request includes: the client account and the login code value;
the device further comprises: a sending module;
the sending module is configured to send an authentication request to the application server through the authorization center according to the login credential obtaining request, where the authentication request includes: the client account, the password of the client account and the login code value;
the receiving module is further configured to receive, by using the authorization center, an authentication response returned by the application server, where the authentication response includes: user identification information, a session key and the effective duration of the session key;
the processing module is further configured to store the user identification information, the session key, and the effective duration of the session key in the authorization center;
the sending module is further configured to feed back a login credential acquisition response to the application server through the authorization center, where the login credential acquisition response includes: the client account, the password of the client account, the user access credential, and the signing key.
11. The apparatus according to any one of claims 8 to 10, wherein the receiving module is further configured to receive, through the control gateway, a logout request sent by an application server of the service client after the calling module performs a business operation corresponding to the access request by using the cloud server, where the logout request includes: the client account and the user access credential;
the processing module is further configured to log out the user access credential corresponding to the client account from the authorization center.
12. An access control apparatus, applied to an application server of a service client, the apparatus comprising: a receiving module, a processing module and a sending module;
the receiving module is configured to receive an access information acquisition request from a terminal device, where the access information acquisition request includes: a client account of the service client;
the processing module is configured to determine, according to the access information acquisition request, access information that the service client needs to use to access the central control platform, where the access information includes: the client account of the service client and a user access credential corresponding to the client account, and the central control platform is a control center for uniformly controlling and managing intelligent equipment;
and the sending module is used for feeding back the access information to the terminal device.
13. The apparatus of claim 12, wherein the receiving module is further configured to receive a login request from the terminal device before receiving the access information obtaining request from the terminal device, and the login request includes: the client account;
the processing module is further used for generating a login code value according to the login request;
the sending module is further configured to send a login credential obtaining request to the control gateway of the central control platform, where the login credential obtaining request includes: the client account and the login code value, and the control gateway is used for sending the login credential obtaining request to an authorization center for authentication;
the receiving module is further configured to receive an authentication request sent by an authorization center of the central control platform, where the authentication request includes: the client account, the password of the client account and the login code value;
the processing module is further configured to verify the validity of the login code value in the authentication request based on the generated login code value;
the sending module is further configured to, when it is determined that the login code value in the authentication request is legal, feed back an authentication response to the authorization center, and receive a login credential acquisition response returned by the authorization center, where the authentication response includes: the user identification information, the session key and the effective duration of the session key, and the login credential acquisition response includes: the client account, the password of the client account, the user access credential, and the signing key.
14. The apparatus according to claim 12 or 13, wherein the processing module is further configured to generate a logout request when detecting that a user logs out from the service client and/or logs out the client account, the logout request including: the client account and the user access credential;
the sending module is further configured to send the logout request to a control gateway of the central control platform, where the logout request is used to request to log out the user access credential corresponding to the client account in the authorization center.
15. A central control platform, comprising: a control gateway, an authorization center and a cloud server, said control gateway, said authorization center and said cloud server working cooperatively for implementing the method according to any of the preceding claims 1-4.
16. A server comprising a processor, a transceiver, a memory and a computer program stored on and executable on the memory, characterized in that the processor, when executing the program, implements the method according to any of the claims 5-7.
17. A computer-readable storage medium having computer-executable instructions stored thereon, which when executed by a processor, perform the method of any one of claims 1-4.
18. A computer-readable storage medium having computer-executable instructions stored thereon, which when executed by a processor, perform the method of any one of claims 5-7.
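As an added worked example, not code from the patent or its assignees, the following Python simulates in one process the exchanges claimed above: the login exchange of claims 3 and 6, in which the application server answers the authorization center's callback only after checking the login code value it generated itself; the access check of claims 1 and 2, in which the control gateway calls the cloud server only for an account and credential the authorization center has stored; and the logout of claims 4 and 7. The class and method names, the client account `svc-client-001`, its password, the user `user-42` and the one hour effective duration are assumptions, since the claims fix the message contents and not an API. It goes one step beyond claim 2 by also honouring the stored effective duration, which is marked as an assumption in the code.

```python
"""Added example, not the patent's code: a one-process simulation of the login, access and logout
exchanges of claims 1-7.  Names, "svc-client-001", its password and "user-42" are constructed."""
import secrets

EFFECTIVE_DURATION = 3600.0   # constructed: session key lifetime the app server reports


class AuthorizationCenter:   # authorization center of the central control platform (claims 1-4)
    def __init__(self, client_passwords):
        self.client_passwords = client_passwords   # client account -> password of that account
        self.store = {}   # (client account, user access credential) -> (user id, session key, expiry)

    def login_credential_request(self, app_server, client_account, login_code, now):
        # Authentication request to the app server: client account, password, login code (claim 3).
        password = self.client_passwords.get(client_account)
        auth_response = password and app_server.handle_authentication_request(
            client_account, password, login_code)
        if not auth_response:
            return None
        user_id, session_key, effective_duration = auth_response
        credential, signing_key = secrets.token_urlsafe(24), secrets.token_bytes(32)
        self.store[(client_account, credential)] = (user_id, session_key, now + effective_duration)
        return client_account, password, credential, signing_key   # login credential acquisition response

    def access_request_is_legal(self, client_account, credential, now):
        # Claim 2: legal when account and credential exist in the store; honouring expiry is an added assumption.
        entry = self.store.get((client_account, credential))
        return entry is not None and now < entry[2]

    def logout(self, client_account, credential):
        # Claim 4: log the user access credential of that account out of the store.
        return self.store.pop((client_account, credential), None) is not None


class ControlGateway:   # fronts the authorization center and calls the cloud server
    def __init__(self, auth_center, cloud_server):
        self.auth_center, self.cloud_server = auth_center, cloud_server

    def login_credential_request(self, app_server, client_account, login_code, now):
        return self.auth_center.login_credential_request(app_server, client_account, login_code, now)

    def access_request(self, client_account, credential, operation, now):
        # Claim 1: only a request the authorization center found legal reaches the cloud server.
        if not self.auth_center.access_request_is_legal(client_account, credential, now):
            return {"ok": False, "error": "rejected by authorization center"}
        return {"ok": True, "result": self.cloud_server(operation)}

    def logout_request(self, client_account, credential):
        return self.auth_center.logout(client_account, credential)


class ApplicationServer:   # application server of the service client (claims 5-7)
    def __init__(self, client_account, gateway):
        self.client_account, self.gateway = client_account, gateway
        self.pending = {}       # login code value -> user id whose login awaits the callback
        self.access_info = {}   # user id -> (client account, user access credential)

    def login_request(self, user_id, now):
        # Claim 6: generate a login code value, then request a login credential via the gateway.
        login_code = secrets.token_hex(16)
        self.pending[login_code] = user_id
        response = self.gateway.login_credential_request(self, self.client_account, login_code, now)
        self.pending.pop(login_code, None)   # the code is single use whatever the outcome
        if response is None:
            return False
        account, _password, credential, _signing_key = response   # signing key stays server side
        self.access_info[user_id] = (account, credential)
        return True

    def handle_authentication_request(self, client_account, password, login_code):
        # Claim 6: answer only a callback whose login code value this server generated and has not consumed.
        user_id = self.pending.pop(login_code, None) if client_account == self.client_account else None
        if user_id is None:
            return None
        return user_id, secrets.token_bytes(32), EFFECTIVE_DURATION   # authentication response (claim 3)

    def access_information_request(self, user_id):
        return self.access_info.get(user_id)   # claim 5: client account and user access credential

    def user_logged_out(self, user_id):
        # Claim 7: ask the gateway to log the credential out of the authorization center.
        account, credential = self.access_info.pop(user_id)
        return self.gateway.logout_request(account, credential)


def run_scenario():
    auth = AuthorizationCenter({"svc-client-001": "constructed-client-secret"})
    gateway = ControlGateway(auth, cloud_server=lambda op: f"executed {op}")
    app = ApplicationServer("svc-client-001", gateway)
    t0 = 1_700_000_000.0
    out = {"login": app.login_request("user-42", t0)}
    account, credential = app.access_information_request("user-42")
    out["access"] = gateway.access_request(account, credential, "lamp.on", t0 + 10)["ok"]
    out["forged"] = gateway.access_request(account, "not-a-credential", "lamp.on", t0 + 10)["ok"]
    out["expired"] = gateway.access_request(account, credential, "lamp.on", t0 + EFFECTIVE_DURATION)["ok"]
    out["stale_callback"] = app.handle_authentication_request(account, "constructed-client-secret", "00" * 16) is None
    out["logout"] = app.user_logged_out("user-42")
    out["after_logout"] = gateway.access_request(account, credential, "lamp.on", t0 + 20)["ok"]
    return out
```

Running `run_scenario()` walks one user through login, a permitted access, a rejected forged credential, a rejection once the stored effective duration has elapsed, a rejected callback carrying a login code value the server never issued, and finally logout followed by a rejected reuse of the logged-out credential. The login code value is the binding between the request the application server sent out and the callback it later receives, which is why it is consumed on first use here.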

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010952254.9A CN113765655A (en) 2020-09-11 2020-09-11 Access control method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010952254.9A CN113765655A (en) 2020-09-11 2020-09-11 Access control method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113765655A true CN113765655A (en) 2021-12-07

Family

ID=78785735

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010952254.9A Pending CN113765655A (en) 2020-09-11 2020-09-11 Access control method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113765655A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500300A (en) * 2022-01-07 2022-05-13 支付宝(杭州)信息技术有限公司 Service registration processing method and device
CN114500300B (en) * 2022-01-07 2024-04-05 支付宝(杭州)信息技术有限公司 Service registration processing method and device
CN114679323A (en) * 2022-03-30 2022-06-28 中国联合网络通信集团有限公司 Network connection method, device, equipment and storage medium
CN114679323B (en) * 2022-03-30 2023-11-24 中国联合网络通信集团有限公司 Network connection method, device, equipment and storage medium
CN115277207A (en) * 2022-07-28 2022-11-01 联想(北京)有限公司 Access control method and electronic equipment

Similar Documents

Publication Publication Date Title
US10171241B2 (en) Step-up authentication for single sign-on
US10097350B2 (en) Privacy enhanced key management for a web service provider using a converged security engine
CN111556006B (en) Third-party application system login method, device, terminal and SSO service platform
US9386015B2 (en) Security model for industrial devices
US8701199B1 (en) Establishing a trusted session from a non-web client using adaptive authentication
TWI542183B (en) Dynamic platform reconfiguration by multi-tenant service providers
WO2009002705A2 (en) Device provisioning and domain join emulation over non-secured networks
CN113765655A (en) Access control method, device, equipment and storage medium
US20230106348A1 (en) Method and system for authenticating a secure credential transfer to a device
CN109388937B (en) Single sign-on method and sign-on system for multi-factor identity authentication
JP2020077353A (en) Authentication and approval method and authentication server
KR20160018554A (en) Roaming internet-accessible application state across trusted and untrusted platforms
US9455972B1 (en) Provisioning a mobile device with a security application on the fly
US10264455B1 (en) Short-range cross-device authorization
CN109600342B (en) Unified authentication method and device based on single-point technology
CN106856471A (en) AD domains login authentication method under 802.1X
KR101545897B1 (en) A server access control system by periodic authentification of the smart card
TWI768307B (en) Open source software integration approach
TWI817162B (en) Component-free signature system for mobile device and method thereof
CN114090996A (en) Multi-party system mutual trust authentication method and device
CN116010914A (en) Mapping-based user-defined authentication information quick login method and terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination