CN114117551B - Access verification method and device - Google Patents

Access verification method and device

Info

Publication number: CN114117551B
Authority: CN (China)
Prior art keywords: token, access, resource, authentication server, salt
Legal status: Active
Application number: CN202111419243.5A
Other languages: Chinese (zh)
Other versions: CN114117551A (en)
Inventors: 陈晓峰, 邱毅, 汪亚男
Current assignee: WeBank Co Ltd
Original assignee: WeBank Co Ltd
Application filed by WeBank Co Ltd; priority to CN202111419243.5A; publication of CN114117551A; priority to PCT/CN2022/129954 (WO2023093500A1); application granted; publication of CN114117551B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The embodiments of this application provide an access verification method and device. The method comprises the following steps: the authentication server receives a resource acquisition request that an access user sends to the open server, and extracts from it an access token and the user information of the access user; the access token comprises a token check value and a token identification, and the token check value is generated from the token credential. After determining from the token expiration time in the token identification that the access token is still valid, the authentication server obtains from the salt record the salt corresponding to the salt number carried in the token identification; the salt record is held in the memory of the authentication server. The authentication server generates a comparison check value from the user information, the salt number and the token expiration time, and after determining that the token check value matches the comparison check value, it generates a resource authorization response and returns it to the open server. The method improves the operational reliability of the authentication system.

Description

Access verification method and device
Technical Field
The present application relates to the field of network technologies, and in particular, to an access verification method and apparatus.
Background
In recent years, with the development of computer technology, more and more technologies are being applied in the financial field, and the traditional financial industry is gradually moving towards financial technology (Fintech); at the same time, the financial industry's requirements for security and real-time performance place higher demands on these technologies. For example, the OAuth (Open Authorization) protocol is an open standard that allows a third-party application to access private resources (e.g., photos, videos, contact lists) that a user has stored on a certain website, on the strength of a credential (token). The basic principle of the OAuth protocol is: after the user authorizes the third-party application, the authentication server of the website holding the resources issues a token (access token); the authentication server stores the token in a database and hands it to the third-party application for safekeeping. Once authorization is complete, the third-party application presents the token to acquire the resource. Because the token is stored in the database, the authentication server can check each resource acquisition request against it, which secures the resource access process.
However, in the prior art the authentication server must store the token in the database so that, when it later receives a resource acquisition request from the third-party application, it can fetch the stored token from the database and compare it with the token presented by the third-party application to determine the application's legitimacy. If the database fails, the authentication server cannot obtain the token for authentication, and the stability of the authentication system is poor.
Therefore, there is a need for an access verification method and apparatus that improve the operational reliability of the authentication system.
Disclosure of Invention
The embodiments of this application provide an access verification method and device for improving the operational reliability of an authentication system.
In a first aspect, an embodiment of the present application provides an access verification method, where the method includes:
the authentication server receives a resource acquisition request sent by an access user to the open server, and extracts an access token and the user information of the access user from it; the access token comprises a token check value and a token identification; the token check value is generated from a token credential;
after the authentication server determines from the token expiration time in the token identification that the access token is valid, it obtains from the salt record the salt corresponding to the salt number in the token identification; the salt record is stored in the memory of the authentication server;
the authentication server generates a comparison check value from the user information, the salt number and the token expiration time;
after the authentication server determines that the token check value matches the comparison check value, it generates a resource authorization response and returns it to the open server.
In this method the access token consists of a token identification and a token check value, and the token check value is generated from the token credential. The credential inside the access token is therefore transmitted in the form of the check value rather than in the clear, so that an eavesdropper who captures the check value learns nothing about the credential, and the security of transmission is improved. The resource acquisition request carries the access token and the user information of the access user; from the token identification in the request the authentication server can read the salt number (the number of the salt that went into the token credential) and the token expiration time. After confirming from the token expiration time that the access token has not expired, it fetches the salt for that salt number from the salt record and, together with the user information, uses it to generate a comparison check value against which the token check value in the request is verified. Authentication therefore does not require the token check value to be stored in a database: even if the database fails and the authentication server cannot fetch the stored check value, it can regenerate a comparison check value from the information in the resource acquisition request and the in-memory salt record. Compared with the prior art, in which the token must be stored in the database, this solves the problem that the authentication server cannot authenticate when the database fails, and improves the operational reliability of the authentication system.
Optionally, before the authentication server receives the resource acquisition request sent by the access user to the open server, the method further includes:
the authentication server receives a token acquisition request sent by the open server, where the token acquisition request comprises the user information of the access user;
the authentication server determines a token identification for the token acquisition request; the token identification comprises the token expiration time and a salt number chosen from the salt record;
the authentication server generates a token credential from the user information, the salt corresponding to the salt number and the token identification;
the authentication server sends the open server a token generation response carrying an access token; the access token comprises the token identification and the token credential.
In this method, after receiving from the open server a token acquisition request carrying the user information of the access user, the authentication server determines for it a token identification (carrying the token expiration time and the salt number) and a token credential derived from the salt, obtains a token check value from the credential, and returns to the open server a token generation response containing the token check value and the token identification. Consequently, even if the database fails and the authentication server cannot fetch the token check value from it, the comparison check value can still be regenerated from the information in the resource acquisition request and the salt record in memory, and the token check value in the resource acquisition request can be verified against it.
Optionally, the token identification further includes an extension field; the authentication server generating a token credential from the user information, the salt corresponding to the salt number and the token identification includes:
the authentication server generates the token credential from the user information, the salt corresponding to the salt number, the field value in the extension field and the token identification;
and the authentication server generating a comparison check value from the user information, the salt number and the token expiration time includes:
the authentication server generates the comparison check value from the user information, the salt number, the token expiration time and the field value in the extension field.
In the above method, the token identification, and hence the token credential, may further carry an extension field. Additional information can be placed in the extension field and verified accordingly. For example, the extension field may carry an identifier of the authentication server that generated the access token and the access token type; on receiving the token identification, the authentication server can then check from the server identifier whether it generated the access token itself, and from the token type whether it is responsible for authenticating tokens of that kind. The content of the extension field is not specifically limited and may be set according to the information required.
Optionally, the token check value being generated from the token credential includes:
the token check value is the token credential itself; or the token check value is obtained by signing the token credential together with each request parameter, where the resource acquisition request also carries each request parameter.
In the second form, the token check value is a signature computed over the token credential and the request parameters of the resource acquisition request, so the token credential itself is never exposed in transit; this protects the information in the credential and, because the signature covers the request parameters, also binds the check value to the specific request. Note that this protection applies only to the signed form: when the token check value is the token credential itself, the credential does travel in the resource acquisition request and must be protected by the transport.
Optionally, after generating the token credential, the method further includes:
the authentication server stores the access token in a token database;
and before obtaining from the salt record the salt corresponding to the salt number in the token identification, the method further includes:
the authentication server fails to obtain the access token corresponding to the token identification from the token database.
In this method, when the authentication server fails to fetch the access token from the database, it verifies the token check value in the resource acquisition request against the regenerated comparison check value to determine the legitimacy of the request. The scheme in which the authentication server regenerates the comparison check value from the information in the resource acquisition request thus serves as a degraded path for the normal path of fetching the token check value from the access token stored in the database. Authentication proceeds normally even if the database fails, and the reliability of the authentication system is ensured.
Optionally, the method further includes:
the authentication server obtains the access token corresponding to the token identification from the token database;
and the authentication server determines whether the access token in the resource acquisition request matches the access token obtained from the token database, and on that basis decides whether to generate a resource authorization response and return it to the open server.
In this method, when the access token (including the token check value generated at the time of the token acquisition request) is successfully fetched from the database, the token check value fetched from the stored access token is compared directly with the token check value in the resource acquisition request. The stored access token also records whether a one-time token check value has already been used: if it has been used, the resource acquisition request is not processed; if it has not been used and the check passes, the requested resource is returned to the access user terminal. Regeneration of the comparison check value from the information in the resource acquisition request is therefore the degraded path, taken only when the database cannot be read. This guarantees the reliability of the authentication system while, when the database is operating normally, the usage state of the token check value is obtained accurately and single use of the token is enforced; during the degraded path no usage record is available, so replay of a one-time token cannot be detected until the database recovers.
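The following is an added worked example written for this page; it is not code from the patent or from WeBank. It implements the issuance and verification procedure described in the first aspect and the optional steps above: the token identification carries the expiry, the salt number and an extension field; the token credential is derived from the user information, the salt and the token identification; the check value is either the credential itself or a signature over the credential and the request parameters; and verification first consults the token database (where the one-time-use check lives) and degrades to recomputation from the in-memory salt record when the database is unavailable. The patent fixes none of the concrete formats, so the pipe-delimited token identification, the use of HMAC-SHA256 for both the credential and the signature, and the `TokenStore` class are this example's assumptions. One point worth noticing is that the "salt" here is a server-side secret acting as an HMAC key: anyone holding the salt record can mint tokens, so it needs the protection of a signing key, not of a password salt.

```python
import hashlib
import hmac
import time

# Constructed in-memory salt record (salt number -> salt). The patent keeps this
# record in authentication-server memory; the values here are sample data.
SALT_RECORD = {1: b"salt-v1-2a9f", 2: b"salt-v2-7c41"}


class DatabaseUnavailable(Exception):
    """Raised by the token store when the backing database is down."""


class TokenStore:
    """Toy token database: token_id -> {"credential": ..., "used": bool}.
    Setting available=False simulates the outage the patent degrades around."""

    def __init__(self):
        self.rows = {}
        self.available = True

    def put(self, token_id, credential):
        self.rows[token_id] = {"credential": credential, "used": False}

    def get(self, token_id):
        if not self.available:
            raise DatabaseUnavailable("token database unreachable")
        return self.rows.get(token_id)


def make_token_id(expires_at, salt_no, ext=""):
    # Token identification = expiry | salt number | extension field (assumed layout).
    return f"{int(expires_at)}|{salt_no}|{ext}"


def parse_token_id(token_id):
    exp, salt_no, ext = token_id.split("|", 2)
    return int(exp), int(salt_no), ext


def derive_credential(user_info, salt_no, token_id):
    """Token credential: HMAC-SHA256 keyed with the salt over user info and the
    whole token identification, so expiry and salt number are integrity-bound."""
    salt = SALT_RECORD[salt_no]
    msg = f"{user_info}|{salt_no}|{token_id}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def sign_request(credential, params):
    """Second check-value form: sign the canonicalised request parameters with
    the credential, so the credential never travels and the value is request-bound."""
    canon = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(credential.encode(), canon.encode(), hashlib.sha256).hexdigest()


def issue_token(store, user_info, ttl, salt_no, ext="", now=None):
    """Token generation stage: returns (token_id, credential) and records it in the DB."""
    now = time.time() if now is None else now
    token_id = make_token_id(now + ttl, salt_no, ext)
    credential = derive_credential(user_info, salt_no, token_id)
    store.put(token_id, credential)  # stored, but not required for verification
    return token_id, credential


def verify_request(store, user_info, token_id, check_value,
                   params=None, one_time=False, now=None):
    """Token verification stage. Returns (ok, reason); reason "db" or "derived"
    tells which path produced the comparison check value."""
    now = time.time() if now is None else now
    expires_at, salt_no, _ext = parse_token_id(token_id)
    if now >= expires_at:
        return False, "expired"
    if salt_no not in SALT_RECORD:
        return False, "unknown salt number"
    try:
        row = store.get(token_id)
    except DatabaseUnavailable:
        row = None  # degraded path: the salt record alone suffices to recompute
    if row is not None:
        if one_time and row["used"]:
            return False, "token already used"  # only detectable with the DB
        credential = row["credential"]
    else:
        credential = derive_credential(user_info, salt_no, token_id)
    expected = credential if params is None else sign_request(credential, params)
    if not hmac.compare_digest(expected, check_value):
        return False, "check value mismatch"
    if row is not None and one_time:
        row["used"] = True
    return True, "db" if row is not None else "derived"
```

Because the token identification is part of the HMAC input, a client that edits the expiry in the token identification invalidates the credential, which is what lets the server trust the expiry check it performs before any lookup.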
Optionally, the method further includes:
the authentication server configures the salt record using a gray release mechanism, where the gray release mechanism restricts a salt in the salt record to the token verification stage as long as any authentication server has not yet been configured with that salt record, and enables the salt for both the token generation stage and the token verification stage once every authentication server has been configured with the salt record.
In this method the salt record is rolled out gradually (gray release). While any authentication server has not yet been configured with the new salt record, the gray release mechanism restricts its salts to the token verification stage. This prevents a token generated with a newly configured salt from reaching an authentication server that has not yet been configured, where the salt could not be found and verification could not complete. Once every authentication server has been configured, the mechanism enables the salts for both the token generation stage and the token verification stage; configuration and update of the salt record are then complete, and any authentication server can generate and verify tokens with the new salt record. Salts can therefore be rotated as required while the access token remains secure and valid.
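An added example of the gray release mechanism above, written for this page rather than taken from the patent: each server holds its own in-memory salt record with a per-salt "generation allowed" flag. Stage one pushes the new salt to servers one at a time as verify-only; stage two flips the flag everywhere only after every server has it. The `SaltRecord` class, the two-stage helper functions and the fleet simulation are assumptions of this example; `cross_verify_possible` shows the failure the mechanism exists to prevent, namely a token minted with a salt that a peer cannot look up.

```python
class SaltRecord:
    """Per-server in-memory salt record: salt number -> (salt, generation_allowed)."""

    def __init__(self, entries=None):
        self.entries = dict(entries or {})

    def configure(self, salt_no, salt, allow_generation=False):
        # Stage one of a gray release installs the salt as verify-only.
        self.entries[salt_no] = (salt, allow_generation)

    def promote(self, salt_no):
        # Stage two enables the salt for token generation on this server.
        salt, _ = self.entries[salt_no]
        self.entries[salt_no] = (salt, True)

    def salt_for_verification(self, salt_no):
        """Any configured salt may verify, including ones still in gray release."""
        if salt_no not in self.entries:
            raise KeyError(f"salt {salt_no} not configured on this server")
        return self.entries[salt_no][0]

    def salt_for_generation(self):
        """Newest salt that has completed rollout; gray-release salts are skipped."""
        usable = [no for no, (_salt, ok) in self.entries.items() if ok]
        return max(usable)


def gray_release(fleet, salt_no, salt):
    """Stage one: configure the new salt verify-only on each server in turn.
    Returns, after each step, the salt number every server would still use for
    generation, showing that generation stays on the old salt throughout."""
    chosen_during_rollout = []
    for server in fleet:
        server.configure(salt_no, salt, allow_generation=False)
        chosen_during_rollout.append([s.salt_for_generation() for s in fleet])
    return chosen_during_rollout


def complete_release(fleet, salt_no):
    """Stage two: once every server has the salt, enable it for generation everywhere."""
    if any(salt_no not in s.entries for s in fleet):
        raise RuntimeError("cannot promote: some servers lack the salt")
    for server in fleet:
        server.promote(salt_no)
    return [s.salt_for_generation() for s in fleet]


def cross_verify_possible(issuer, verifier, salt_no):
    """Could a token that `issuer` generated with salt_no be verified by `verifier`?"""
    try:
        return issuer.entries[salt_no][0] == verifier.salt_for_verification(salt_no)
    except KeyError:
        return False
```

Skipping stage one and enabling generation on the first server immediately is the misconfiguration the patent warns about: that server mints tokens with salt number 2 while a peer that only knows salt number 1 cannot verify them.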
Optionally, the method further includes:
the authentication server receives a token validity time change configuration; the token validity time indicated in the change configuration takes priority over the token expiration time in the access token;
and, on the basis of the token validity time change configuration, the authentication server treats a token whose expiration time in the token identification indicates an expired state as valid, or treats a token whose expiration time indicates a valid state as expired.
In the above method the validity of an access token can be altered by changing the token validity time configuration, which makes changing expiration and validity times more flexible: even though the token expiration time is written into the access token, the token's validity and expiration can still be changed through the configuration, for example to revoke a token before it expires.
In a second aspect, an embodiment of the present application provides an access verification apparatus, where the apparatus includes:
a transceiver module, configured to receive a resource acquisition request sent by an access user to the open server and to extract an access token and the user information of the access user from it; the access token comprises a token check value and a token identification; the token check value is generated from a token credential;
a processing module, configured to obtain from the salt record the salt corresponding to the salt number in the token identification after determining from the token expiration time in the token identification that the access token is valid; the salt record is stored in the memory of the authentication server;
the processing module is further configured to generate a comparison check value from the user information, the salt number and the token expiration time;
and the processing module is further configured, after determining that the token check value matches the comparison check value, to generate a resource authorization response and return it to the open server through the transceiver module.
In a third aspect, an embodiment of the present application further provides a computing device, including: a memory for storing a program; a processor for calling the program stored in said memory and executing the method as described in the various possible designs of the first aspect according to the obtained program.
In a fourth aspect, embodiments of the present application further provide a computer-readable non-transitory storage medium including a computer-readable program which, when read and executed by a computer, causes the computer to perform the method as described in the various possible designs of the first aspect.
These and other implementations of the present application will be more readily understood from the following description of the embodiments.
Drawings
In order to illustrate the technical solutions in the embodiments of this application more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of this application, and those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of an architecture for access authentication according to an embodiment of the present application;
fig. 2 is a schematic flowchart of an access authentication method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of an access authentication method according to an embodiment of the present application;
fig. 4 is a schematic flowchart of an access authentication method according to an embodiment of the present application;
fig. 5 is a schematic flowchart of an access authentication method according to an embodiment of the present application;
fig. 6 is a schematic diagram of an access authentication device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of this application clearer, the application is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments in this application without creative effort fall within the scope of protection of this application.
Fig. 1 is a schematic diagram of a system architecture for access verification according to an embodiment of this application. The resource requester may be an access user terminal or any other party that can initiate resource acquisition, such as a third-party platform; this is not specifically limited here. If the resource requester is an access user terminal, the user information described below may be a user account, a user password and the like; if the resource requester is a third-party platform, application software or the like, the user information may instead be an identifier of that platform or application; again this is not specifically limited. In the following example the resource requester is an access user terminal and the user information consists of a user account, a password and similar data:
the resource requester generates an authorization address request and sends the authorization address request to the service system. And after receiving the authorization address request through the open service, the service system returns an authorization address to the resource requester. And after receiving the authorization address, the resource requester generates a token acquisition request according to the registered user account, password and other user information containing the authorization information of the access user, which are input by the user, and sends the token acquisition request to the service system. And the open service in the service system receives the token acquisition request and sends the user information of the access user to the user center. And the user center receives the user information of the access user, verifies the user information in the token acquisition request according to the recorded user information of the access user, and sends a verification passing result to the open service after the verification passes. And after the open service determines that the access user of the token acquisition request is legal, the open service generates a determined token notification and sends the determined token notification to the authentication center, so that the authentication center generates an access token for the token acquisition request, and the determined token notification contains the user information in the token acquisition request. And after receiving the determined token notification, the authentication center determines a token identifier containing the token expiration time, the salt number corresponding to the salt determined from the salt record and other information for the token acquisition request, and generates a token certificate containing the user information, the salt number, the salt corresponding to the salt number and the token identifier. 
And obtaining an access token containing the token identification and the token certificate, and sending a generated response carrying the access token to the open service. And after receiving the token generation response, the open service returns the token generation response to the resource requester. After receiving the token generation response, the resource requester acquires the access token in the token generation response, and generates a resource acquisition request according to the access token, where the resource acquisition request generated here may be two types:
one is as follows: the resource acquisition request comprises user information, token certificates, token identifications and other related information;
the other is as follows: the resource acquisition request includes information such as user information, a signature (obtained by signing the token credential and each request parameter), a token identifier, and each request parameter.
Correspondingly, when the open service in the service system receives a resource acquisition request of either form, it has the authentication center verify the legitimacy of the request. The authentication center first determines from the token expiration time in the token identification whether the access token is still valid (if it has expired, the open service does not respond to the resource acquisition request). It then attempts to fetch the token check value from the database using the user information and/or the token identification. If the fetch succeeds, it compares the token check value in the resource acquisition request with the one fetched from the database. If the fetch fails, it looks up in the salt record the salt corresponding to the salt number in the token identification, regenerates the token credential from the salt number, that salt, the user information, the token expiration time and the other fields of the token identification, and forms the comparison check value from the regenerated credential: for the first form of request the comparison check value is the credential itself, and for the second form it is the signature over the regenerated credential and each request parameter in the resource acquisition request. The authentication center then compares the token check value (or signature) in the resource acquisition request with the comparison check value. If verification passes, it sends a verification-pass notification to the open service, which returns the resource to the resource requester; if verification fails, the open service does not respond to the resource acquisition request. In this way, the token of the prior art is replaced by an access token that binds the salt, the salt number, the user information and the token expiration time, so that even if the database fails, the authentication center can still authenticate the access token from the information carried in the resource acquisition request, and the stability and reliability of the authentication system are ensured.
Based on this, an embodiment of the present application provides a flow of an access verification method, as shown in fig. 2, including:
step 201, an authentication server receives a resource acquisition request sent by an access user for an open server, so as to extract an access token and user information of the access user from the resource acquisition request; wherein the access token comprises a token check value and a token identification; the token check value is generated according to a token credential;
here, the user information may be information such as a user account and a user password, or may also be information such as an identifier of a third party platform, which is not limited specifically here.
Step 202, after the authentication server determines that the access token is valid according to the token expiration time in the token identifier, obtaining a salt value corresponding to the salt value number in the token identifier from a salt value record; the salt value record is stored in the memory of the authentication server;
step 203, the authentication server generates a comparison check value according to the user information, the salt value number and the token expiration time;
and step 204, after the authentication server side determines that the token check value is consistent with the comparison check value, generating a resource authorization response and returning the resource authorization response to the open server side.
In the method, the access token is composed of a token identifier and a token check value, and the token check value is generated according to the token credential. The token credential is therefore transmitted only in the form of the token check value and never as plaintext, so even if the transmitted value is captured, no information about the token credential can be recovered from it, which improves the security of the transmission. The resource acquisition request carries the access token and the user information of the access user; when the authentication server receives it, it reads the salt value number (the number of the salt value used in the token credential) and the token expiration time from the token identifier. After confirming from the token expiration time that the access token has not expired, it obtains the salt value from the salt value record according to the salt value number in the token identifier and, together with the user information, generates a comparison check value against which the token check value in the request is verified. The authentication server can thus authenticate without storing the token check value in a database: even if the database fails and the token check value cannot be read from it, the authentication server can generate a comparison check value from the information in the resource acquisition request and check the token check value against it. Compared with the prior art, in which the token must be stored in a database, this solves the problem that the authentication server cannot authenticate when the database fails, and improves the operational reliability of the authentication system.
Before the authentication server receives a resource acquisition request sent by an access user for an open server, the method further includes: the authentication server receives a token acquisition request sent by the open server, the token acquisition request including user information of the access user; the authentication server determines a token identifier for the token acquisition request, the token identifier comprising a token expiration time and a salt value number determined from the salt value record; the authentication server generates a token credential based on the user information, the salt value corresponding to the salt value number and the token identifier; and the authentication server sends a token generation response carrying an access token to the open server, the access token including the token identifier and the token credential.
That is to say, after the resource requester sends a token acquisition request to the open server, the open server forwards it to the authentication server. The authentication server generates a token credential from the user information in the request, the token valid time (which can be determined according to the type of the requested resource or the type of the token), and the salt value and salt value number determined from the salt value record, and determines the token identifier from the salt value number and the token expiration time. An access token comprising the token identifier and the token credential is then generated.
The embodiment of the application provides another access token, in which the token identifier further comprises an extension field. Generating the token credential based on the user information, the salt value corresponding to the salt value number and the token identifier then includes: the authentication server generates the token credential based on the user information, the salt value corresponding to the salt value number, the field value in the extension field and the token identifier. Generating the comparison check value according to the user information, the salt value number and the token expiration time then includes: the authentication server generates the comparison check value according to the user information, the salt value number, the token expiration time and the field value in the extension field. In other words, an extension field may be included in both the token identifier and the token credential: the token identifier comprises the salt value number, the token expiration time and the extension field, and the token credential comprises the salt value number, the token expiration time, the extension field, the salt value corresponding to the salt value number and the user information. Correspondingly, when the authentication server generates the comparison check value it must also include the salt value number, the token expiration time, the extension field, the salt value corresponding to the salt value number and the user information. The field value in the extension field may carry related information such as an identifier of the authentication server or a token type.
In this way the meaningful information carried in the access token is increased, the authentication server can conveniently obtain more related information, problems arising in processes such as resource access are resolved, and the applicability of the access token is improved.
In one example, the token credential size may be 32 bytes: the token expiration time may occupy 8 bytes, the salt value number 2 bytes, each field value in the extension field 6 bytes, and the user information and salt value number 16 bytes. The token identifier size may be 16 bytes: the token expiration time may occupy 8 bytes, the salt value number 2 bytes, and each field value in the extension field 6 bytes. The token expiration time may be generated by the authentication server as the current time plus the validity period of the access token, counted for example from 1900-01-01 00:00. As for the salt value number in the salt value record: a 2-byte code, in hexadecimal, can accommodate 256 codes.
The embodiment of the application provides a method for generating the token check value, which is generated according to the token credential in one of two ways: the token check value is the token credential itself; or the token check value is obtained by signing the token credential together with each request parameter, in which case the resource acquisition request also comprises each request parameter. That is, the token check value may be the token credential, or may be a signature computed from the token credential and each request parameter of the resource acquisition request. The token credential provided herein may be obtained by running a hash algorithm over the salt value corresponding to the salt value number, the user information, the salt value number and the token expiration time, or over the salt value, the user information, the salt value number, the token expiration time and the extension field. In the signed variant, the hash algorithm is first applied to those same inputs, and the result is then signed together with each request parameter of the resource acquisition request.
The embodiment of the application provides an access verification method, which further comprises the following step after the token credential is generated:
the authentication server stores the access token in a token database;
before obtaining the salt value corresponding to the salt value number in the token identifier from the salt value record, the method further includes:
the authentication server fails to acquire the access token corresponding to the token identifier from the token database. That is to say, after the authentication server generates an access token it may also store it in the database; during authentication, the access token corresponding to the token identifier is first looked up in the database, and only if it is not found is the comparison check value generated.
The embodiment of the application provides an access verification method, which further comprises the following steps:
the authentication server side obtains an access token corresponding to the token identification from the token database;
and the authentication server side determines whether the access token in the resource acquisition request is consistent with the access token acquired from the token database or not, so as to determine whether to generate a resource authorization response to return to the open server side or not. That is, if the access token can be obtained from the database in the authentication process, the authentication server does not need to generate a comparison check value, and the authentication can be performed according to the access token obtained from the database and the access token in the resource obtaining request.
The embodiment of the application provides a method for gray release of the salt value record, which further comprises: the authentication server configures the salt value record using a gray release mechanism, under which, while any authentication server has not yet configured a salt value record, the salt values in that record may be used only in the token verification stage, and once all authentication servers have configured it, the salt values in that record may be used in both the token generation stage and the token verification stage. That is to say, the salt value records held by the authentication servers are all the same, and while the salt value record is being updated on the authentication servers one by one, as long as any authentication server has not yet configured the new record, the new record is used only in the token verification stage. After the configuration is complete on all servers, the updated salt value record is used in both the token generation stage and the verification stage. This effectively prevents an authentication server that still holds the old salt value record from failing to verify tokens generated with the new record, which would otherwise make the authentication process unreliable. The salt value record can contain a plurality of salt values, which ensures the diversity of access tokens, improves the security of the access process, and keeps further salt values in reserve for replacement. During access token generation, the salt value to use can be chosen in a customized manner as required.
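The gray release rule above, as an added example that is not the patent's own code: a record version may be used for verification as soon as a given server has loaded it, but for generation only once every server in the cluster has it. The version numbering, the per-server view and the cluster membership list are assumptions.

```python
class SaltRolloutTracker:
    """Cluster-wide view of which authentication servers have configured
    which version of the salt value record. Constructed for illustration;
    a real deployment would back this with its configuration system."""

    def __init__(self, server_ids):
        self.servers = frozenset(server_ids)
        self.records = {}   # record version -> {salt value number: salt value}
        self.loaded = {}    # record version -> set of servers that configured it

    def publish(self, version: int, record: dict) -> None:
        """Make a new record version available for gray release."""
        self.records[version] = dict(record)
        self.loaded[version] = set()

    def configure(self, server_id: str, version: int) -> None:
        """One authentication server finishes loading a record version."""
        if server_id not in self.servers:
            raise KeyError(f"unknown authentication server {server_id!r}")
        self.loaded[version].add(server_id)

    def fully_configured(self, version: int) -> bool:
        return self.loaded[version] >= self.servers

    def salt_for_generation(self, salt_no: int):
        """Token generation stage: only a record every server has loaded may
        be used, so that any peer can later verify the token."""
        for version in sorted(self.records, reverse=True):
            if self.fully_configured(version) and salt_no in self.records[version]:
                return self.records[version][salt_no]
        return None

    def salt_for_verification(self, server_id: str, salt_no: int):
        """Token verification stage on one server: any record that server
        has already loaded may be used, newest version first."""
        for version in sorted(self.records, reverse=True):
            if server_id in self.loaded[version] and salt_no in self.records[version]:
                return self.records[version][salt_no]
        return None
```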
The embodiment of the application provides a method for changing the effective time of a token, which further comprises the following steps:
the authentication server receives a token valid time change configuration, in which the indicated token valid time has a higher priority than the token expiration time carried in the access token. On the basis of this configuration, the authentication server may treat a token whose expiration time in the token identifier marks it as expired as valid, or treat a token whose expiration time marks it as valid as expired. That is to say, because the token expiration time in the access token itself cannot be changed on demand, a token valid time change configuration with higher priority than the token expiration time in the access token may be set in the authentication server, which in effect changes the token expiration time of the access token. For example, the token valid time may be set later than the token expiration time for certain salt values or user information, or earlier than the token expiration time for certain salt values or user information, or the token expiration time of all access tokens may be changed by a global configuration. The specific form of the token valid time change configuration is not limited here and may be determined as needed.
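A change configuration of the kind described above, as an added example that is not the patent's own code: the configured valid time takes priority over the expiry carried in the token identifier, in either direction. The precedence order (per-user, then per-salt-number, then global) is an assumption; the page only states that the configuration outranks the token's own expiry.

```python
class TokenValidTimeConfig:
    """Token valid time change configuration held by the authentication
    server. Expiry values are seconds on the same clock as the token."""

    def __init__(self):
        self.by_user = {}          # user information -> overriding expiry
        self.by_salt = {}          # salt value number -> overriding expiry
        self.global_expiry = None  # overriding expiry for all access tokens

    def set_for_user(self, user_info: bytes, expiry: int) -> None:
        self.by_user[user_info] = expiry

    def set_for_salt(self, salt_no: int, expiry: int) -> None:
        self.by_salt[salt_no] = expiry

    def set_global(self, expiry: int) -> None:
        self.global_expiry = expiry

    def effective_expiry(self, token_expiry: int, salt_no: int, user_info: bytes) -> int:
        """Most specific configured entry wins; otherwise the token's own expiry."""
        if user_info in self.by_user:
            return self.by_user[user_info]
        if salt_no in self.by_salt:
            return self.by_salt[salt_no]
        if self.global_expiry is not None:
            return self.global_expiry
        return token_expiry

    def is_valid(self, token_expiry: int, salt_no: int, user_info: bytes, now: int) -> bool:
        """Validity check the authentication server runs before looking up the salt."""
        return now < self.effective_expiry(token_expiry, salt_no, user_info)
```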
Based on the above method flow, an embodiment of the present application provides an access verification method flow, as shown in fig. 3, including:
step 301, the resource request terminal/server generates an authorization address request and sends the authorization address request to the open server.
Step 302, the open server returns the authorized address to the resource request terminal/server after receiving the authorized address request.
Step 303, the resource request terminal/service end generates a first token acquisition request according to the user account and the password input by the user, and sends the first token acquisition request to the open service end.
Step 304, the open server receives the first token acquisition request, and sends the user information in the first token acquisition request to the user center server.
Step 305, the user center server verifies the user information in the first token obtaining request according to the recorded user information, and if the verification fails, the open server is notified not to make a response to the first token obtaining request. And if the verification is passed, returning a verification passing message to the open server.
Step 306, the open server sends the relevant information in the first token obtaining request to the authentication server according to the received verification passing message.
Here, the related information in the first token obtaining request includes user information.
Step 307, the authentication server generates a temporary access token according to the relevant information in the first token acquisition request, and returns the temporary access token to the open server (the temporary access token may be carried in a temporary token generation response).
Here, the temporary access token may consist of a temporary token identifier and a temporary token credential. The temporary token credential may be 32 bytes: the token expiration time may occupy 8 bytes, the salt value number 2 bytes, each field value in the extension field 6 bytes, and the user information and salt value number 16 bytes. The temporary token identifier may be 16 bytes: the token expiration time may occupy 8 bytes, the salt value number 2 bytes, and each field value in the extension field 6 bytes. The 32-byte token credential is the output of a hash computation.
Step 308, the open server sends the temporary access token to the resource request terminal/server.
Step 309, the resource request terminal/server generates a second token obtaining request according to the temporary access token. And the resource request terminal/the server sends the second token acquisition request to the open server.
Here, one form of the second token acquisition request includes: the temporary access token (temporary token credential + temporary token identifier) for identity verification, the information for applying for a resource access token (for acquiring a resource), the user information, and the request parameters. In this form the token check value is the temporary token credential itself.
Another form of the second token acquisition request includes: the temporary token identifier, a signature (generated from the token credential + the request parameters) for identity verification, the information for applying for a resource access token (for acquiring a resource), the user information, and the request parameters. In this form the signature is the token check value.
Step 310, the open server sends the relevant information of the second token acquisition request to the authentication server.
Step 311, the authentication server generates a temporary comparison check value according to the relevant information in the second token acquisition request. And verifying the temporary access token according to the temporary comparison check value, if the verification is passed, generating a resource access token, and returning the resource access token to the open server.
Here, the temporary comparison check value may be generated as follows. For the first form of the second token acquisition request, after determining from the token expiration time in the temporary token identifier that the temporary access token is still valid, the authentication server looks up the salt value corresponding to the salt value number in the temporary token identifier from the salt value record, and generates the temporary comparison check value from that salt value, the salt value number, the user information in the second token acquisition request and the token expiration time.
For the second form of the second token acquisition request, after determining from the token expiration time in the temporary token identifier that the temporary access token is still valid, the authentication server likewise looks up the salt value corresponding to the salt value number from the salt value record, generates a temporary token credential from that salt value, the salt value number, the user information in the second token acquisition request and the token expiration time, and then signs the temporary token credential together with each request parameter in the second token acquisition request to obtain the temporary comparison check value.
The resource access token may consist of a resource token identifier and a resource token credential. The resource token credential may be 32 bytes: the token expiration time may occupy 8 bytes, the salt value number 2 bytes, each field value in the extension field 6 bytes, and the user information and salt value number 16 bytes. The resource token identifier may be 16 bytes: the token expiration time may occupy 8 bytes, the salt value number 2 bytes, and each field value in the extension field 6 bytes. The 32-byte token credential is the output of a hash computation.
Step 312, the open server sends the resource access token to the resource request terminal/server.
Step 313, the resource request terminal/server generates a resource acquisition request according to the resource access token and sends the resource acquisition request to the open server.
Here, one form of the resource acquisition request includes: the resource access token (resource token credential + resource token identifier) for identity verification, the information of the requested resource (for acquiring the resource), the user information, and the request parameters. In this form the token check value is the resource token credential itself.
Another form of the resource acquisition request includes: the resource token identifier, a signature (generated from the token credential + the request parameters) for identity verification, the information of the requested resource (for acquiring the resource), the user information, and the request parameters. In this form the signature is the token check value.
Step 314, the open server sends the relevant information of the resource acquisition request to the authentication server.
Step 315, the authentication server generates a resource comparison check value according to the relevant information of the resource acquisition request. And verifying the resource access token according to the resource comparison check value, if the verification is passed, generating a resource authorization response, and returning the resource authorization response to the open server.
Here, the resource comparison check value may be generated as follows. For the first form of the resource acquisition request, after determining from the token expiration time in the resource token identifier that the resource access token is still valid, the authentication server looks up the salt value corresponding to the salt value number in the resource token identifier from the salt value record, and generates the resource comparison check value from that salt value, the salt value number, the user information in the resource acquisition request and the token expiration time.
For the second form of the resource acquisition request, after determining from the token expiration time in the resource token identifier that the resource access token is still valid, the authentication server likewise looks up the salt value corresponding to the salt value number from the salt value record, generates a resource token credential from that salt value, the salt value number, the user information in the resource acquisition request and the token expiration time, and then signs the resource token credential together with each request parameter in the resource acquisition request to obtain the resource comparison check value.
Step 316, the open server receives the resource authorization response, and returns the resource corresponding to the resource acquisition request to the resource request terminal/server.
Step 317, the resource request terminal/server receives the resource.
It should be noted that not all of the above steps are mandatory: the part of the flow that verifies the temporary access token in step 311 belongs to the acquisition of a temporary access token, which may be omitted, that is, a temporary access token need not be obtained at all.
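The token layout, the two check value modes and the database-first verification with the degraded fallback, run through the two-stage flow of fig. 3 (and, with the database present or absent, the flows of figs. 4 and 5), as an added example that is not the patent's own code. The page fixes only the field sizes; the hash and HMAC choice, byte order, canonical parameter encoding, salt values and account names are assumptions constructed here.

```python
import hashlib
import hmac
import struct

# Constructed salt value record held in the authentication server's memory
# (salt value number -> salt value); this is not the token database.
SALT_RECORD = {1: b"constructed-salt-0001", 2: b"constructed-salt-0002"}


def make_token_id(expiry: int, salt_no: int, ext: bytes = b"\x00" * 6) -> bytes:
    """16-byte token identifier: 8-byte expiry (seconds), 2-byte salt value
    number, 6-byte extension field. Big-endian packing is an assumption."""
    if len(ext) != 6:
        raise ValueError("extension field must be exactly 6 bytes")
    return struct.pack(">QH", expiry, salt_no) + ext


def parse_token_id(token_id: bytes):
    """Split a 16-byte identifier back into (expiry, salt number, extension)."""
    expiry, salt_no = struct.unpack(">QH", token_id[:10])
    return expiry, salt_no, token_id[10:]


def make_credential(user_info: bytes, salt: bytes, token_id: bytes) -> bytes:
    """32-byte token credential: hash over the salt value, the user information
    and the whole identifier (salt number, expiry and extension field).
    SHA-256 is an assumption; the page only fixes the 32-byte size."""
    return hashlib.sha256(salt + user_info + token_id).digest()


def sign_request(credential: bytes, params: dict) -> bytes:
    """Signed check value mode: the credential keys an HMAC over the request
    parameters, so the credential itself is never sent. The canonical
    parameter encoding is an assumption."""
    canon = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hmac.new(credential, canon, hashlib.sha256).digest()


class AuthServer:
    """Issues access tokens, keeps a copy in a constructed token database,
    and verifies them from the database or, failing that, by recomputing
    a comparison check value from the salt record (the degraded path)."""

    def __init__(self, db_available: bool = True):
        self.db_available = db_available   # False simulates a database failure
        self.token_db = {}                 # token identifier -> token credential

    def issue(self, user_info: bytes, salt_no: int, ttl: int, now: int):
        token_id = make_token_id(now + ttl, salt_no)
        credential = make_credential(user_info, SALT_RECORD[salt_no], token_id)
        if self.db_available:
            self.token_db[token_id] = credential
        return token_id, credential

    def verify(self, token_id: bytes, check_value: bytes, user_info: bytes,
               now: int, params: dict = None) -> bool:
        expiry, salt_no, _ = parse_token_id(token_id)
        if now >= expiry:                  # expired token: no response
            return False
        stored = self.token_db.get(token_id) if self.db_available else None
        if stored is not None:             # normal path: database copy
            expected = stored
        else:                              # degraded path: salt record
            salt = SALT_RECORD.get(salt_no)
            if salt is None:               # unknown salt value number
                return False
            expected = make_credential(user_info, salt, token_id)
        if params is not None:             # signed mode: compare signatures
            expected = sign_request(expected, params)
        return hmac.compare_digest(expected, check_value)


def two_stage_flow(db_available: bool, now: int) -> bool:
    """Steps 303 to 316 of fig. 3: temporary access token, then resource
    access token, then resource acquisition request."""
    auth = AuthServer(db_available)
    user = b"constructed-user-account"
    # Step 307: temporary token after the user centre accepted the account.
    tmp_id, tmp_cred = auth.issue(user, 1, 300, now)
    # Steps 309 to 311: the second token acquisition request carries a
    # signature over the temporary credential and the request parameters.
    params = {"grant": "resource-token", "scope": "constructed-scope"}
    if not auth.verify(tmp_id, sign_request(tmp_cred, params), user, now, params):
        return False
    res_id, res_cred = auth.issue(user, 2, 3600, now)
    # Steps 313 to 315: the resource acquisition request carries the
    # resource token credential itself as the check value.
    return auth.verify(res_id, res_cred, user, now + 60)
```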
Based on the foregoing method flow, an embodiment of the present application provides a flow of an access verification method, as shown in fig. 4, including:
step 401, the resource request terminal/server generates an authorization address request and sends the authorization address request to the open server.
Step 402, the open server returns the authorization address to the resource request terminal/server after receiving the authorization address request.
Step 403, the resource request terminal/server generates a first token acquisition request according to the user account and the password input by the user, and sends the first token acquisition request to the open server.
Step 404, the open server receives the first token acquisition request and sends the user information in the first token acquisition request to the user center server.
Step 405, the user center server verifies the user information in the first token obtaining request according to the recorded user information, and if the verification fails, the open server is notified not to make a response to the first token obtaining request. And if the verification is passed, returning a verification passing message to the open server.
Step 406, the open server sends the relevant information in the first token acquisition request to the authentication server according to the received verification passing message.
Step 407, the authentication server generates a temporary access token according to the relevant information in the first token acquisition request. And returning the temporary access token to the open server, and sending the temporary access token to the database.
Step 408, the open server sends the temporary access token to the resource request terminal/server.
Step 409, the resource request terminal/server generates a second token acquisition request according to the temporary access token. And the resource request terminal/the server sends the second token acquisition request to the open server.
Step 410, the open server sends the related information of the second token obtaining request to the authentication server.
Step 411, the authentication server side fails to acquire the temporary access token from the database, and generates a temporary comparison check value according to the related information in the second token acquisition request. And verifying the temporary access token according to the temporary comparison check value, if the verification is passed, generating a resource access token, and returning the resource access token to the open server.
Step 412, the open server sends the resource access token to the resource request terminal/server.
Step 413, the resource request terminal/server generates a resource acquisition request according to the resource access token and sends the resource acquisition request to the open server.
Step 414, the open server sends the relevant information of the resource acquisition request to the authentication server.
Step 415, the authentication server generates a resource comparison check value according to the related information of the resource obtaining request. And verifying the resource access token according to the resource comparison check value, if the verification is passed, generating a resource authorization response, and returning the resource authorization response to the open server.
Step 416, the open server receives the resource authorization response, and returns the resource corresponding to the resource acquisition request to the resource request terminal/server.
Step 417, the resource request terminal/server receives the resource.
It should be noted that not all of the above steps are mandatory: steps 406 to 409 and the verification of the temporary access token in step 411 belong to the acquisition of a temporary access token, which may be omitted, that is, a temporary access token need not be obtained at all. This flow includes storing the access token in the database; if the access token cannot be acquired from the database (the database has failed), the authentication server generates a comparison check value and checks the token check value in the request against it. That is, generating a comparison check value for access verification is the degraded mode of access verification.
Based on the above method flow, an embodiment of the present application further provides another access verification method flow, where the access verification method flow corresponds to a method flow when the authentication server can obtain the access token from the database, as shown in fig. 5, including:
step 501, the resource request terminal/server generates an authorization address request and sends the authorization address request to the open server.
Step 502, the open server returns the authorization address to the resource request terminal/server after receiving the authorization address request.
Step 503, the resource request terminal/service end generates a first token acquisition request according to the user account and the password input by the user, and sends the first token acquisition request to the open service end.
Step 504, the open server receives the first token obtaining request, and sends the user information in the first token obtaining request to the user center server.
Step 505, the user center server verifies the user information in the first token acquisition request against the recorded user information, and if the verification fails, notifies the open server not to respond to the first token acquisition request. If the verification passes, it returns a verification passing message to the open server.
Step 506, the open server sends the relevant information in the first token acquisition request to the authentication server according to the received verification passing message.
Step 507, the authentication server generates a temporary access token according to the relevant information in the first token acquisition request. And returning the temporary access token to the open server and storing the temporary access token in the database.
Step 508, the open server sends the temporary access token to the resource request terminal/server.
Step 509, the resource request terminal/server generates a second token obtaining request according to the temporary access token. And the resource request terminal/the server sends the second token acquisition request to the open server.
Step 510, the open server sends the relevant information of the second token obtaining request to the authentication server.
Step 511, the authentication server successfully obtains the temporary access token from the database, verifies the token check value in the second token obtaining request and the token check value corresponding to the temporary access token obtained from the database, generates the resource access token and stores the resource access token into the database after the verification is passed, and returns the resource access token to the open server.
Step 512, the open server sends the resource access token to the resource request terminal/server.
Step 513, the resource request terminal/server generates a resource acquisition request according to the resource access token, and sends the resource acquisition request to the open server.
Step 514, the open server sends the relevant information of the resource acquisition request to the authentication server.
Step 515, the authentication server successfully obtains the resource access token from the database, verifies the token check value in the resource obtaining request and the token check value corresponding to the resource access token obtained from the database, if the verification is passed, generates a resource authorization response, and returns the resource authorization response to the open server.
Step 516, the open server receives the resource authorization response, and returns the resource corresponding to the resource acquisition request to the resource request terminal/server.
Step 517, the resource request terminal/server receives the resource.
It should be noted that not all of the above steps are mandatory: steps 506 to 509 and the verification of the temporary access token in step 511 belong to the acquisition of a temporary access token, which may be omitted, that is, a temporary access token need not be obtained at all.
Based on the same concept, an embodiment of the present application provides an access verification device. Fig. 6 is a schematic diagram of the access verification device provided in an embodiment of the present application; as shown in fig. 6, it includes:
the transceiver module 601 is configured to receive a resource acquisition request sent by an access user for an open server, so as to extract an access token and user information of the access user from the resource acquisition request; wherein the access token comprises a token check value and a token identification; the token check value is generated according to a token credential;
the processing module 602 is configured to obtain, from a salt value record, a salt value corresponding to a salt value number in the token identifier after determining that the access token is valid according to the token expiration time in the token identifier; the salt value record is stored in the memory of the authentication server;
the processing module 602 is further configured to generate a comparison check value according to the user information, the salt value number, and the token expiration time;
the processing module 602 is further configured to generate a resource authorization response and return the resource authorization response to the open server through the transceiver module 601 after determining that the token check value matches the comparison check value.
Optionally, the transceiver module 601 is further configured to receive a token acquisition request sent by the open server, where the token acquisition request includes user information of an access user; the processing module 602 is further configured to determine a token identifier for the token obtaining request; the token identification comprises token expiration time, and a salt value number determined from the salt value record; the processing module 602 is further configured to generate a token credential based on the user information, the salt value corresponding to the salt value number, and the token identifier; the transceiver module 601 is further configured to send a token generation response carrying an access token to the open server; the access token includes the token identification and the token credential.
Optionally, the processing module 602 is specifically configured to generate a token credential based on the user information, the salt value corresponding to the salt value number, the field value in the extension field, and the token identifier; the processing module 602 is specifically configured to generate a comparison check value according to the user information, the salt value number, the token expiration time, and the field value in the extension field.
Optionally, that the token check value is generated according to a token credential includes:
the token check value is the token credential; or the token check value is obtained by signing the token credential together with each request parameter, where the resource acquisition request also comprises each request parameter.
Optionally, the processing module 602 is further configured to store the access token in a token database; the processing module 602 is further configured to determine that the access token corresponding to the token identifier cannot be obtained from the token database.
Optionally, the processing module 602 is further configured to obtain an access token corresponding to the token identifier from the token database; and determining whether the access token in the resource acquisition request is consistent with the access token acquired from the token database, thereby determining whether to generate a resource authorization response to return to the open server.
Optionally, the processing module 602 is further configured to configure the salt record by using a gray release (gradual rollout) mechanism, where the gray release mechanism is configured to set the salt value in the salt record to be used only in the token verification stage while any authentication server is not yet configured with the salt record, and to set the salt value in the salt record to be used in both the token generation stage and the token verification stage once every authentication server is configured with the salt record.
Optionally, the transceiver module 601 is further configured to receive a token valid time change configuration; the token valid time indicated in the token valid time alteration configuration has a higher priority than the token expiration time in the access token. The processing module 602 is further configured to determine that the token expiration time of the expiration state in the token identifier is valid based on the token valid time change configuration, or determine that the token expiration time of the valid state in the token identifier is invalid based on the token valid time change configuration.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. An access authentication method, comprising:
the authentication server receives a token acquisition request sent by an open server, wherein the token acquisition request comprises first user information of an access user;
the authentication server side determines a first token identification for the token acquisition request; the first token identification comprises a first token expiration time and a first salt value number determined from a salt value record;
the authentication server generates a first token credential on the basis of the first user information, a first salt value corresponding to the first salt value number and the first token identification;
the authentication server side sends a token generation response carrying a first access token to a resource request terminal or a resource request server side through the open server side; the first access token comprises the first token identification and the first token credential;
the authentication server receives a resource acquisition request sent by the access user aiming at the open server, so as to extract a second access token and second user information of the access user from the resource acquisition request; wherein the second access token comprises a token check value and a second token identification; the token check value is generated in accordance with a second token credential;
after determining that the second access token is valid according to the second token expiration time in the second token identification, the authentication server side obtains a second salt value corresponding to a second salt value number in the second token identification from the salt value record; the salt value record is stored in the memory of the authentication server;
the authentication server generates a comparison check value according to the second user information, the second salt value number and the second token expiration time;
and after the authentication server side determines that the token check value is consistent with the comparison check value, generating a resource authorization response and returning the resource authorization response to the open server side.
2. The method of claim 1, wherein the first token identification further comprises a first extension field, and the second token identification further comprises a second extension field; the authentication server generates a first token credential based on the first user information, the first salt value corresponding to the first salt value number, and the first token identifier, including:
the authentication server generates the first token credential based on the first user information, a first salt value corresponding to the first salt value number, a field value in the first extension field and the first token identifier;
the authentication server generating a comparison check value according to the second user information, the second salt value number and the second token expiration time includes:
and the authentication server generates the comparison check value according to the second user information, the second salt value number, the second token expiration time and the field value in the second extension field.
3. The method of claim 1, wherein the token check value is generated from a second token credential, comprising:
the token check value is the second token credential; or
the token check value is obtained by signing the second token credential together with each request parameter; the resource acquisition request also comprises each request parameter.
4. The method of claim 1, wherein after generating the first token credential, further comprising:
the authentication server stores the first access token in a token database;
before obtaining the second salt value corresponding to the second salt value number in the second token identifier from the salt value record, the method further includes:
the authentication server fails to obtain a third access token corresponding to the second token identification from the token database.
5. The method as recited in claim 4, further comprising:
the authentication server side obtains a third access token corresponding to the second token identification from the token database;
and the authentication server determines whether the second access token in the resource acquisition request is consistent with the third access token acquired from the token database, so as to determine whether to generate a resource authorization response to return to the open server.
6. The method of any one of claims 1-5, further comprising:
the authentication server configures the salt value records by adopting a gray release (gradual rollout) mechanism, wherein the gray release mechanism is used for setting the salt values in the salt value records to be used only in a token verification stage while any authentication server has not yet configured the salt value records, and for setting the salt values in the salt value records to be used in both a token generation stage and a token verification stage once each authentication server has configured the salt value records.
7. The method of any one of claims 1-5, further comprising:
the authentication server receives a token valid time change configuration; the priority of the token valid time indicated in the token valid time change configuration is higher than the priority of the token expiration time in the access token;
and the authentication server determines a token expiration time in the expired state in the token identification to be valid on the basis of the token valid time change configuration, or determines a token expiration time in the valid state in the token identification to be invalid on the basis of the token valid time change configuration.
8. An access authentication apparatus, comprising:
a transceiver module, configured to receive a token acquisition request sent by an open server, where the token acquisition request comprises first user information of an access user;
a processing module, configured to determine a first token identifier for the token obtaining request; the first token identification comprises a first token expiration time and a first salt value number determined from a salt value record;
the processing module is further configured to generate a first token credential based on the first user information, a first salt value corresponding to the first salt value number, and the first token identifier;
the transceiver module is further configured to send a token generation response carrying the first access token to a resource request terminal or a resource request server through the open server; the first access token comprises the first token identification and the first token credential;
the transceiver module is further configured to receive a resource acquisition request sent by the access user for the open server, so as to extract a second access token and second user information of the access user from the resource acquisition request; wherein the second access token comprises a token check value and a second token identification; the token check value is generated in accordance with a second token credential;
the processing module is further configured to, after determining that the second access token is valid according to a second token expiration time in the second token identifier, obtain a second salt value corresponding to a second salt value number in the second token identifier from the salt value record; the salt value record is stored in an authentication server memory;
the processing module is further configured to generate a comparison check value according to the second user information, the second salt value number, and the second token expiration time;
the processing module is further configured to generate a resource authorization response and return the resource authorization response to the open server through the transceiver module after determining that the token check value matches the comparison check value.
9. A computer-readable storage medium, characterized in that it stores a program which, when run on a computer, causes the computer to carry out the method of any one of claims 1 to 7.
10. A computer device, comprising:
a memory for storing a computer program;
a processor for calling a computer program stored in said memory to execute the method of any of claims 1 to 7 in accordance with the obtained program.
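The token generation and verification stages described in the device description above and in claims 1-7, as an added worked example that is not the patent's own code. HMAC-SHA256 as the credential MAC, the JSON token layout, the contents of the in-memory salt record, the layout of the token database and every sample value are assumptions made here.

```python
"""Added illustration (not the patent's own code) of the salt-numbered access
token scheme in the device description and claims 1-7. HMAC-SHA256 as the MAC,
the JSON token layout and every sample value are assumptions made here."""
import hashlib
import hmac
import json
import time

# Constructed salt record as held in each authentication server's memory:
# salt number (carried in the token identifier) -> salt value.
SALT_RECORD = {1: b"constructed-salt-1", 2: b"constructed-salt-2"}
# Constructed token database (claims 4-5): token identifier -> issued record.
TOKEN_DB = {}


def _ident_key(ident):
    return json.dumps(ident, sort_keys=True)


def _credential(salt, user_info, ident):
    """Token credential: MAC over user info, salt number, expiry and extension
    field, keyed by the salt value (assumed construction)."""
    msg = "|".join([user_info, str(ident["salt_no"]), str(ident["exp"]), ident["ext"]])
    return hmac.new(salt, msg.encode(), hashlib.sha256).hexdigest()


def _sign_params(credential, params):
    """Claim 3, second form: check value = signature over credential and params."""
    msg = json.dumps(params, sort_keys=True).encode()
    return hmac.new(credential.encode(), msg, hashlib.sha256).hexdigest()


def generate_token(user_info, salt_no, ttl_seconds, now=None, ext=""):
    """Token generation stage: identifier (expiry, salt number, extension)
    plus credential; the issued token is also stored in the token database."""
    now = int(time.time() if now is None else now)
    ident = {"exp": now + ttl_seconds, "salt_no": salt_no, "ext": ext}
    cred = _credential(SALT_RECORD[salt_no], user_info, ident)
    TOKEN_DB[_ident_key(ident)] = {"user": user_info, "cred": cred}
    return {"id": ident, "cred": cred}


def make_request(token, user_info, params=None):
    """Resource acquisition request as the requester builds it: the check
    value is the bare credential, or its signature over the request parameters."""
    check = token["cred"] if params is None else _sign_params(token["cred"], params)
    return {"token": {"id": token["id"], "check": check},
            "user_info": user_info, "params": params}


def verify(request, now=None, valid_time_override=None):
    """Token verification stage; returns (authorized, reason)."""
    ident, check = request["token"]["id"], request["token"]["check"]
    user_info, params = request["user_info"], request.get("params")
    now = int(time.time() if now is None else now)
    # Claim 7: a token valid-time change configuration outranks the token's expiry.
    expiry = ident["exp"] if valid_time_override is None else valid_time_override
    if now >= expiry:
        return False, "token expired"
    stored = TOKEN_DB.get(_ident_key(ident))
    if stored is not None:
        # Claim 5: the token database still holds it; compare with the stored record.
        if stored["user"] != user_info:
            return False, "user mismatch"
        expected = stored["cred"]
    else:
        # Claim 4: database miss; recompute from the in-memory salt record instead.
        salt = SALT_RECORD.get(ident["salt_no"])
        if salt is None:
            return False, "unknown salt number"
        expected = _credential(salt, user_info, ident)
    if params is not None:
        expected = _sign_params(expected, params)
    if not hmac.compare_digest(expected, check):
        return False, "check value mismatch"
    return True, "resource authorization response"
```

Clearing `TOKEN_DB` after issuing a token exercises the database-miss path, where the server recomputes the credential from the salt record alone without any database round trip.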
CN202111419243.5A 2021-11-26 2021-11-26 Access verification method and device Active CN114117551B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111419243.5A CN114117551B (en) 2021-11-26 2021-11-26 Access verification method and device
PCT/CN2022/129954 WO2023093500A1 (en) 2021-11-26 2022-11-04 Access verification method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111419243.5A CN114117551B (en) 2021-11-26 2021-11-26 Access verification method and device

Publications (2)

Publication Number Publication Date
CN114117551A CN114117551A (en) 2022-03-01
CN114117551B true CN114117551B (en) 2022-12-27

Family

ID=80369687

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111419243.5A Active CN114117551B (en) 2021-11-26 2021-11-26 Access verification method and device

Country Status (2)

Country Link
CN (1) CN114117551B (en)
WO (1) WO2023093500A1 (en)


Also Published As

Publication number Publication date
WO2023093500A1 (en) 2023-06-01
CN114117551A (en) 2022-03-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant