CN114553432A - Identity authentication method, device, equipment and computer readable storage medium - Google Patents

Identity authentication method, device, equipment and computer readable storage medium

Info

Publication number
CN114553432A
Authority
CN
China
Prior art keywords
token
user
target user
identity authentication
server
Prior art date
Legal status
Granted
Application number
CN202210109179.9A
Other languages
Chinese (zh)
Other versions
CN114553432B (en)
Inventor
祖立军
薛文哲
周锦佳
汤洋
傅宜生
赵海
吴杰
吕智慧
Current Assignee
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Events
Application filed by China Unionpay Co Ltd
Priority to CN202210109179.9A
Publication of CN114553432A
Priority to PCT/CN2022/112488 (WO2023142437A1)
Priority to TW111137392A (TWI843220B)
Application granted
Publication of CN114553432B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 ... involving a third party or a trusted authority
    • H04L 9/3213 ... using tickets or tokens, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 ... for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 ... for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The application discloses an identity authentication method, apparatus, device and computer-readable storage medium. The method comprises: receiving a service request for a first institution sent by a client, wherein the service request carries a plurality of tokens, each token having been issued to a target user by one of a plurality of servers after that server authenticated the target user's identity, and the target user being the user logged in at the client; matching the plurality of tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user; and, if the target user is determined to be an authenticated user, forwarding the service request to a first server corresponding to the first institution so that the first server responds to it. According to the embodiments of the application, the number of logins a user needs in order to obtain the services of different institutions can be reduced while service security is maintained, which saves network resources and simplifies the user's operation.

Description

Identity authentication method, device, equipment and computer readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an identity authentication method, apparatus, device, and computer-readable storage medium.
Background
With the continuous development of science and technology, more and more institutions are moving their offline services online, so that users can conveniently perform operations such as business enquiries and business handling at any time and in any place. Before an institution provides an online service to a user, it must authenticate the user's identity to keep the service secure.
At present, because the identity authentication systems of the various institutions are independent of each other, a user has to enter a separate user name and password to log in to the service platform of each institution and complete its identity authentication, which wastes network resources and makes the user's operation cumbersome.
Disclosure of Invention
The embodiments of the present application provide an identity authentication method, apparatus, device and computer-readable storage medium that maintain service security while reducing the number of logins a user needs in order to obtain the services of different institutions, saving network resources and simplifying the user's operation.
In a first aspect, an embodiment of the present application provides an identity authentication method applied to an identity authentication server, the method comprising:
receiving a service request for a first institution sent by a client, wherein the service request carries a plurality of tokens, each token having been issued to a target user by one of a plurality of servers after that server authenticated the target user's identity, and the target user being the user logged in at the client;
matching the plurality of tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user; and
if the target user is determined to be an authenticated user, forwarding the service request to a first server corresponding to the first institution so that the first server responds to the service request.
In a second aspect, an embodiment of the present application provides an identity authentication method applied to a first server, the method comprising:
receiving a service request forwarded by an identity authentication server, wherein the service request carries a plurality of tokens, each token having been issued to a target user by one of a plurality of servers after that server authenticated the target user's identity, and the target user being the user logged in at the client that sent the service request to the identity authentication server;
matching the plurality of tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user; and
responding to the service request if the target user is determined to be an authenticated user.
In a third aspect, an embodiment of the present application provides an identity authentication method applied to a second server, the method comprising:
receiving user identity information of a target user collected by a client;
authenticating the identity of the target user according to the user identity information; and
if the authentication passes, issuing a second token to the target user, sending the second token to the client and uploading the second token to the blockchain, so that the servers of other institutions can determine whether the target user is an authenticated user from the plurality of tokens that includes the second token.
In a fourth aspect, an embodiment of the present application provides an identity authentication apparatus applied to an identity authentication server, the apparatus comprising:
a first receiving module, configured to receive a service request for a first institution sent by a client, wherein the service request carries a plurality of tokens, each token having been issued to a target user by one of a plurality of servers after that server authenticated the target user's identity, and the target user being the user logged in at the client;
a first matching module, configured to match the plurality of tokens against the tokens stored in the blockchain and determine whether the target user is an authenticated user; and
a request forwarding module, configured to forward the service request to a first server corresponding to the first institution if the target user is determined to be an authenticated user, so that the first server responds to the service request.
In a fifth aspect, an embodiment of the present application provides an identity authentication apparatus applied to a first server, the apparatus comprising:
a second receiving module, configured to receive a service request forwarded by an identity authentication server, wherein the service request carries a plurality of tokens, each token having been issued to a target user by one of a plurality of servers after that server authenticated the target user's identity, and the target user being the user logged in at the client that sent the service request to the identity authentication server;
a second matching module, configured to match the plurality of tokens against the tokens stored in the blockchain and determine whether the target user is an authenticated user; and
a service response module, configured to respond to the service request if the target user is determined to be an authenticated user.
In a sixth aspect, an embodiment of the present application provides an identity authentication apparatus applied to a second server, the apparatus comprising:
a third receiving module, configured to receive user identity information of a target user collected by a client;
a first identity authentication module, configured to authenticate the identity of the target user according to the user identity information; and
a first token issuing module, configured to issue a second token to the target user if the authentication passes, send the second token to the client and upload the second token to the blockchain, so that the servers of other institutions can determine whether the target user is an authenticated user from the plurality of tokens that includes the second token.
In a seventh aspect, an embodiment of the present application provides an electronic device comprising a processor and a memory storing computer program instructions, wherein the computer program instructions, when executed by the processor, implement the steps of the identity authentication method of any embodiment of the first aspect.
In an eighth aspect, the present application provides a computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the steps of the identity authentication method of any embodiment of the first aspect.
According to the identity authentication method, apparatus, device and computer-readable storage medium of the embodiments of the present application, when a service request for a first institution is received from a client, the tokens carried in the request, each issued to the target user by one of a plurality of servers after that server authenticated the target user, are matched against the tokens stored in the blockchain to determine whether the target user is an authenticated user; if so, the service request is forwarded to the first server corresponding to the first institution, which responds to the client's request without the user having to log in to the first institution's service platform. Because several servers have each authenticated the target user, they jointly vouch for the user's identity; because the tokens issued after successful authentication are shared through the blockchain, the result of that authentication is available to the other institutions on the chain; and because the first server responds without a separate login, the number of logins needed to obtain services from different institutions is reduced while service security is maintained, network resources are saved and the user's operation is simplified.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is an architecture diagram to which the identity authentication method provided in an embodiment of the present application is applicable;
Fig. 2 is a schematic flowchart of an embodiment of the identity authentication method provided in the first aspect of the present application;
Fig. 3 is a schematic flowchart of an embodiment of the identity authentication method provided in the second aspect of the present application;
Fig. 4 is a schematic flowchart of an embodiment of the identity authentication method provided in the third aspect of the present application;
Fig. 5 is a schematic flowchart of an embodiment of an identity authentication method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an embodiment of the identity authentication apparatus provided in the first aspect of the present application;
Fig. 7 is a schematic structural diagram of an embodiment of the identity authentication apparatus provided in the second aspect of the present application;
Fig. 8 is a schematic structural diagram of an embodiment of the identity authentication apparatus provided in the third aspect of the present application;
Fig. 9 is a schematic structural diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
Features and exemplary embodiments of various aspects of the present application are described in detail below. To make the objects, technical solutions and advantages of the present application clearer, the application is further described with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are illustrative only and are not intended to be limiting. It will be apparent to those skilled in the art that the present application may be practised without some of these specific details. The following description of the embodiments is intended only to provide a better understanding of the present application by way of example.
It is noted that relational terms such as "first" and "second" are used herein solely to distinguish one entity or action from another, without necessarily requiring or implying any actual relationship or order between them. Likewise, the terms "comprises", "comprising" or any variation thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to it. Without further limitation, an element introduced by the phrase "comprising a …" does not exclude the presence of further identical elements in the process, method, article or apparatus that comprises it.
At present, to obtain the online services of several institutions a user mainly opens each institution's service platform in turn, enters the user name and password for that platform to log in, and uses the corresponding service functions once identity authentication has passed. The user therefore has to log in repeatedly, which wastes network resources and makes the operation cumbersome. For example, because the identity authentication services of different banks cannot be shared, in an Initial Public Offering (IPO) bank statement verification project a user who needs to query the account transaction records held at several banks must, under the usual technical scheme, enter a user name and password and log in at each of those banks in turn, which is very unfriendly to the user.
To solve this problem of the prior art, embodiments of the present application provide an identity authentication method, apparatus, device and computer-readable storage medium. The identity authentication method provided by the present application can be applied to the architecture shown in Fig. 1, which is described in detail below.
Fig. 1 shows an architecture diagram of an example of identity authentication provided by the present application.
As shown in Fig. 1, the architecture may include at least one client 10, an identity authentication server 11 and a plurality of institution servers 12. The authentication server 11 provides a unified service interface to the client 10, through which the client 10 can request services from the plurality of institution servers 12. The client 10, the authentication server 11 and the institution servers 12 may connect over a network and exchange information. The client 10 may be installed on a device with communication capability, such as a mobile phone, a tablet computer or a personal computer, or on a virtual machine or emulator. The authentication server 11 and the institution servers 12 may be devices with storage and computing capability, such as a cloud server or a server cluster. In addition, the authentication server 11 and the plurality of institution servers 12 may be nodes of the same blockchain, so that any one of the institution servers 12 can share a user's authentication result through the blockchain and the other servers on the chain can verify the user's identity through the blockchain.
Here, the plurality of institution servers 12 may include a first server corresponding to a first institution and a second server corresponding to a second institution.
The authentication server 11 may be a server belonging to the operator of the client 10, or a server provided by a third-party organisation to offer a unified service interface.
In addition, the identity authentication method provided by the present application may be applied to the scenario of authenticating a user who requests a service; the method is introduced below with reference to the above architecture and scenario.
Fig. 2 is a flowchart of an embodiment of the identity authentication method provided by the present application. The method can be applied to an identity authentication server. As shown in Fig. 2, the method may include the following steps:
S210, receiving a service request for a first institution sent by a client, wherein the service request carries a plurality of tokens, each token having been issued to a target user by one of a plurality of servers after that server authenticated the target user's identity, and the target user being the user logged in at the client.
S220, matching the plurality of tokens against the tokens stored in the blockchain and determining whether the target user is an authenticated user.
S230, if the target user is determined to be an authenticated user, forwarding the service request to a first server corresponding to the first institution so that the first server responds to the service request.
Thus, on receiving a service request for a first institution from a client, the identity authentication server matches the tokens carried in the request, each issued to the target user by one of several servers after that server authenticated the user, against the tokens stored in the blockchain; if the target user is thereby determined to be an authenticated user, the request is forwarded to the first server corresponding to the first institution, which responds to it without the user logging in to the first institution's service platform. The several servers that authenticated the target user jointly vouch for the user's identity, the blockchain makes the tokens issued after successful authentication available to the other institutions on the chain, and the number of logins needed to obtain services from different institutions is reduced while service security is maintained, network resources are saved and the user's operation is simplified.
Specific implementations of the above steps are described below.
In some embodiments, in S210 the token may be, for example, a session token returned after the user successfully logs in to the corresponding institution's service platform. Because each institution has its own server, a user normally has to enter a user name and password to log in before calling that institution's service; after a successful login the server returns a session token, which is valid for a period of time, and the user does not need to log in again while accessing the service with a valid session token.
For example, when a target user who has logged in at the client needs to request a service of the first institution, the tokens issued by the servers at which the user has already logged in and passed identity authentication can be carried in the service request, so that the identity authentication server acts as a relay: on receiving the request it can verify the target user's identity directly from the carried tokens and determine whether the target user is an authenticated user.
In some embodiments, the plurality of servers may include the identity authentication server and a second server corresponding to a second institution, and the plurality of tokens may include a first token issued by the identity authentication server and a second token issued by the second server.
That is to say, with two login operations the user completes two identity authentications and can then obtain the services of the first institution without logging in to it; there may be more than one first institution. Specifically, the identity authentication server and the second server each authenticate the target user: the identity authentication server issues a first token to the target user when its authentication passes, and the second server issues a second token when its authentication passes. The first token is a credential that the target user has been authenticated by the identity authentication server, and the second token is a credential that the target user has been authenticated by the second server. Together, the first token and the second token can be used to obtain the service of any first institution without a further login.
Therefore, with only two login operations the user can obtain the service of any first institution without logging in to it, which simplifies the user's operation and improves the user experience.
In some embodiments, before S210 the method may further include:
receiving user identity information of the target user collected by the client;
authenticating the identity of the target user according to the user identity information; and
if the authentication passes, issuing a first token to the target user, sending the first token to the client and uploading the first token to the blockchain.
Here, before the service request for the first institution is received from the client, the target user must have been authenticated twice: once by the identity authentication server and once by the second server.
The identity authentication server receives the user identity information of the target user, authenticates the target user on the basis of it and, if the authentication passes, issues a first token to the target user, sends it to the client and uploads it to the blockchain. The user identity information may be information that uniquely identifies the target user, for example the information the target user filled in during real-name verification at the client, and it can be used to authenticate the target user. Issuing the first token to the target user and sending it to the client lets the target user prove, with the first token, that he or she has passed the identity authentication of the identity authentication server. Uploading the first token to the blockchain lets both the first server and the second server obtain the first token, so that each can determine from it whether the target user has been authenticated by the identity authentication server.
In some specific examples, after the target user has logged in at the client with a user name and password, the user may enter user identity information for real-name verification; the identity authentication server receives the user identity information and performs real-name verification, that is, identity authentication, of the target user on the basis of it, and once the authentication passes a first token may be issued to the target user, sent to the client and uploaded to the blockchain.
Therefore, the target user is authenticated on the basis of the user identity information, and when the authentication passes a first token is issued to the target user, sent to the client and uploaded to the blockchain, so that the target user can prove with the first token that he or she has passed the identity authentication of the identity authentication server, and the first server and the second server can determine from the first token whether the target user has been authenticated by the identity authentication server.
In some embodiments, in S220, because each server also uploads a token to the blockchain when it issues that token to the target user, the plurality of tokens is also stored in the blockchain, and matching the tokens carried in the service request against those stored in the blockchain determines whether the target user is an authenticated user. Here, an authenticated user may be a user who has been authenticated by both the identity authentication server and the second server.
In some embodiments, the S220 may include:
matching the second token with tokens stored in the blockchain;
if a token matching the second token exists in the blockchain, acquiring the user identity information corresponding to the first token, determining the second institution that allocated the second token, and acquiring the user identity information corresponding to the second token from the second server corresponding to that second institution;
comparing the user identity information corresponding to the first token with the user identity information corresponding to the second token;
if the two pieces of user identity information are consistent, determining that the target user is an authenticated user;
and if no token matching the second token exists in the blockchain, or the two pieces of user identity information are inconsistent, determining that the target user is not an authenticated user.
Here, the second token distributed by the second server is matched with the token stored in the block chain, and if the token matched with the second token does not exist in the block chain, it may be determined that the target user is not an authenticated user; if the token matched with the second token exists in the block chain, whether the target user is an authenticated user can be further determined by comparing the user identity information.
Specifically, the user identity information corresponding to the first token and the user identity information corresponding to the second token are obtained first. The first token is allocated after the identity authentication server receives the user identity information and the authentication passes, so the user identity information corresponding to the first token is stored in the identity authentication server and can be read directly. The second token is allocated after the second server of the second institution receives the user identity information and the authentication passes, so the user identity information corresponding to the second token is stored in the second server; the second institution that allocated the second token must therefore be determined first, and the user identity information corresponding to the second token is then obtained from the second server of that institution. The second token may carry an identifier of the second institution, so the institution that allocated the second token can be determined from the token itself.
Then, whether the target user initiating the service request is a disguise carrying other user tokens or not can be judged by comparing the user identity information corresponding to the first token with the user identity information corresponding to the second token. If the user identity information is consistent in comparison, the target user can be determined to be the authenticated user. If the user identity information is not consistent in comparison, it can be determined that the target user is not an authenticated user.
In some specific examples, the identity authentication server matches token A, that is, the second token, with the tokens stored in the blockchain; if no token matching token A exists in the blockchain, it is determined that the target user is not an authenticated user. If a token matching token A exists in the blockchain, the user identity information corresponding to token B, that is, the first token, is obtained, the institution a that allocated token A, that is, the second institution, is parsed from token A, and the user identity information corresponding to token A is then obtained from institution a. The user identity information corresponding to token A is compared with the user identity information corresponding to token B: if they are consistent, the target user is determined to be an authenticated user; if they are inconsistent, the target user is determined not to be an authenticated user.
Therefore, whether the target user is an authenticated user is determined by two checks: whether a token matching the second token exists in the blockchain, and whether the user identity information corresponding to the first token is consistent with the user identity information corresponding to the second token. Requiring both checks improves the security of the user's login.
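The two checks of S220, as an added example in Go that is not part of the patent: the identity authentication server matches the second token against the ledger, reads the identity behind the first token from its own records, parses the allocating institution from the second token (a `<institution>:<random>` layout is assumed here; the page only says the token carries an institution identifier), asks that institution's server for the identity behind the second token, and compares the two. The `Ledger` map standing in for the blockchain, the `Identity` fields, and the token values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Identity is the user identity information a server records at real-name
// authentication (fields constructed for this example).
type Identity struct {
	Name  string
	IDNum string
}

// Ledger stands in for the blockchain: every token a server uploaded when it
// allocated that token (in-memory, constructed for this example).
type Ledger map[string]bool

// SecondServer models a second institution's server: the identity it
// authenticated behind each second token it allocated.
type SecondServer map[string]Identity

// AuthServer models the identity authentication server: the identity behind
// each first token it allocated, the second servers it can query by
// institution identifier, and its view of the ledger.
type AuthServer struct {
	firstTokens  map[string]Identity
	institutions map[string]SecondServer
	ledger       Ledger
}

// InstitutionOf parses the institution identifier the second token carries.
// The "<institution>:<random>" layout is an assumption of this example.
func InstitutionOf(secondToken string) (string, error) {
	parts := strings.SplitN(secondToken, ":", 2)
	if len(parts) != 2 || parts[0] == "" {
		return "", errors.New("second token carries no institution identifier")
	}
	return parts[0], nil
}

// IsAuthenticated implements S220: the second token must be on the ledger, and
// the identity behind the first token must equal the identity behind the
// second token as reported by the institution that allocated it.
func (a *AuthServer) IsAuthenticated(firstToken, secondToken string) (bool, error) {
	if !a.ledger[secondToken] {
		return false, errors.New("no token matching the second token on the ledger")
	}
	firstID, ok := a.firstTokens[firstToken]
	if !ok {
		return false, errors.New("first token was not allocated by this server")
	}
	inst, err := InstitutionOf(secondToken)
	if err != nil {
		return false, err
	}
	srv, ok := a.institutions[inst]
	if !ok {
		return false, fmt.Errorf("no second server registered for institution %q", inst)
	}
	secondID, ok := srv[secondToken]
	if !ok {
		return false, errors.New("second institution does not recognise the token")
	}
	if firstID != secondID {
		// The two servers authenticated different people: the requester is
		// presenting a second token that belongs to someone else.
		return false, errors.New("identity information behind the two tokens differs")
	}
	return true, nil
}

// NewScenario builds the constructed sample: Alice was authenticated by the
// identity authentication server (token B) and by institution a (token A);
// Bob holds a different institution-a token (token X). All three are on-chain.
func NewScenario() *AuthServer {
	alice := Identity{Name: "Alice", IDNum: "ID-0001"}
	bob := Identity{Name: "Bob", IDNum: "ID-0002"}
	return &AuthServer{
		firstTokens:  map[string]Identity{"tokenB": alice},
		institutions: map[string]SecondServer{"a": {"a:tokenA": alice, "a:tokenX": bob}},
		ledger:       Ledger{"tokenB": true, "a:tokenA": true, "a:tokenX": true},
	}
}

func main() {
	a := NewScenario()
	for _, c := range [][2]string{{"tokenB", "a:tokenA"}, {"tokenB", "a:tokenX"}, {"tokenB", "a:missing"}} {
		ok, err := a.IsAuthenticated(c[0], c[1])
		fmt.Printf("%s + %s -> authenticated=%v err=%v\n", c[0], c[1], ok, err)
	}
}
```

The third case in `main` (token X) is the situation the page describes as a disguise: token X is genuinely on the ledger, so the first check alone would pass, and only the identity comparison rejects it.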
In some embodiments, the second token may be a token obtained by the second server of the second institution encrypting the original token allocated to the target user with the public key of the identity authentication server, and matching the second token with the tokens stored in the blockchain may include:
decrypting the second token using the public key to obtain the original token;
matching the original token with the tokens stored in the blockchain;
and the determining of the second institution that allocated the second token may include:
determining, from the original token, the second institution that allocated the second token.
Here, in order to protect the security of user information at each institution and prevent one institution from obtaining user information from another by forging that institution's tokens, the original token allocated to the target user may be encrypted with the public key of the identity authentication server to obtain the second token.
The identity authentication server needs to parse from the second token the second institution that allocated it, so it uses the public key to decrypt the second token into the original token and determines the second institution that allocated the second token from the original token.
In some specific examples, the identity authentication server may decrypt token A according to the public key to obtain an original token C, and parse the institution identifier from the original token C, so as to determine, from that identifier, the institution a corresponding to token A.
Therefore, by encrypting the original token, the situation in which, after the encrypted second token has been uploaded to the blockchain, one institution obtains user information from other institutions by forging their tokens can be avoided, so that the information security of each institution is ensured.
In some embodiments, in S230, the first institution may be the institution from which the user wants to obtain a service. If the identity authentication server determines that the target user is an authenticated user, the service request may be forwarded to the first server corresponding to the first institution, so that the first server responds to the service request. The first institution and the second institution may both be banks. The service request may be a request to query the flow of funds in the user's account at the first institution, a request to query an account balance or a bank card number, or another request, which is not limited here.
In some embodiments, after S230 above, the method may further include:
receiving an identity information acquisition request sent by a first server;
responding to the identity information acquisition request, sending user identity information corresponding to the target user to the first server, so that the first server responds to the service request according to the user identity information and generates response information;
receiving response information returned by the first server;
and forwarding the response information to the client.
Here, after determining that the target user is an authenticated user and forwarding the service request to the first server, the first server needs to generate response information according to the user identity information, and therefore sends an identity information acquisition request to the identity authentication server. After receiving the identity information acquisition request, the identity authentication server sends the user identity information corresponding to the target user to the first server in response to that request. The first server responds to the service request according to the user identity information to generate response information and sends it to the identity authentication server, which forwards the response information to the client for display to the target user.
In some specific examples, after determining that the target user is an authenticated user, the identity authentication server forwards a service request for querying an account balance to the first server. The first server sends an identity information acquisition request for the user identity information of the target user to the identity authentication server; after receiving it, the identity authentication server sends the user identity information corresponding to the target user to the first server in response. The first server responds to the service request according to the user identity information to generate response information such as "account balance: 3500", and sends the response information to the identity authentication server, which forwards it to the client for display to the target user.
Therefore, the service of the first server is obtained under the condition that the service platform corresponding to the first mechanism does not need to be logged in through the process, and the user operation process is simplified.
Fig. 3 is a flowchart illustrating an embodiment of an identity authentication method provided in the present application. The identity authentication method may be applied to a first server.
As shown in fig. 3, the identity authentication method may specifically include the following steps:
S310, receiving a service request forwarded by an identity authentication server, where the service request includes a plurality of tokens, the tokens are tokens allocated to a target user by a plurality of servers that each performed identity authentication on the target user, allocated when that identity authentication passed, and the target user is the user logged in to the client that sent the service request to the identity authentication server;
S320, matching the tokens with the tokens stored in the blockchain, and determining whether the target user is an authenticated user;
S330, responding to the service request if the target user is determined to be an authenticated user.
Therefore, after receiving the service request forwarded by the identity authentication server, the first server matches the tokens included in the service request, which were allocated to the target user by a plurality of servers after each authenticated the target user's identity, with the tokens stored in the blockchain to determine whether the target user is an authenticated user, and responds to the service request when the target user is determined to be an authenticated user. Because a plurality of servers authenticate the identity of the target user, a reliable identity endorsement is provided for the user; because the blockchain is used to share the tokens allocated to the target user after identity authentication passed, the user's authentication result can be shared with other institutions on the chain; and the first server can respond to the client's service request without the user logging in to the first institution's service platform. The number of logins the user needs in order to obtain services from different institutions is thus reduced while service security is ensured, network resources are saved, and the user's operation flow is simplified.
Specific implementations of the above steps are described below.
In some embodiments, in S310, the authentication server forwards the service request to the first server after determining that the target user is an authenticated user, and the first server receives the service request forwarded by the authentication server.
In some embodiments, the plurality of servers may include an identity authentication server and a second server corresponding to a second institution, and the plurality of tokens may include a first token assigned by the identity authentication server and a second token assigned by the second server.
That is to say, the user completes two identity authentications through two login operations, and the service of the first institution can then be obtained without a further login. There may be more than one first institution. Specifically, the identity authentication of the target user is performed by the identity authentication server and the second server: the identity authentication server allocates a first token to the target user when its authentication of the target user passes, and the second server allocates a second token to the target user when its authentication of the target user passes. The first token is a credential that the target user has passed the identity authentication of the identity authentication server, and the second token is a credential that the target user has passed the identity authentication of the second server. The first token and the second token can be used to obtain the service of any first institution without logging in.
Therefore, the user can obtain the service of any first mechanism under the condition of no login only by two login operations, the user operation process is simplified, and the user experience is improved.
In some embodiments, in S320, after the authentication server completes authentication of the target user, the first server also needs to authenticate the target user. Since multiple servers also upload tokens into the blockchain when assigning tokens to target users, multiple tokens are also stored in the blockchain. The first server may determine, after receiving the service request forwarded by the identity authentication server, whether the target user is an authenticated user by matching a plurality of tokens included in the service request, that is, the first token and the second token, with tokens stored in the blockchain.
In some embodiments, the S320 may include:
matching the first token and the second token with tokens stored in a block chain respectively;
determining that the target user is an authenticated user under the condition that a token matched with the first token and a token matched with the second token exist in the block chain;
in the absence of a token in the blockchain that matches the first token, or the absence of a token that matches the second token, it is determined that the target user is not an authenticated user.
Here, if there are both tokens that match the first token and tokens that match the second token in the blockchain, it may be determined that the target user is an authenticated user; if there is no token in the blockchain that matches the first token, or there is no token that matches the second token, then it may be determined that the target user is not an authenticated user.
Thus, through the above process, the first server can confirm whether the target user is an authenticated user, so that whether the service request of the target user is responded can be confirmed.
In some embodiments, in S330, if the target user is an authenticated user, the service request is responded. The explanation of the authenticated user and the service request can be seen in the related expression in the foregoing embodiment, and for brevity, the description is omitted here.
In some embodiments, the S330 may include:
sending an identity information acquisition request to an identity authentication server;
receiving user identity information which is sent by an identity authentication server and corresponds to a target user;
responding the service request according to the user identity information to generate response information;
and sending the response information to the identity authentication server so that the identity authentication server forwards the response information to the client.
Here, reference may be made to the related description in the foregoing embodiments; for brevity, the details are not repeated.
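The first server's side of S320 and S330, together with the identity information exchange described for the identity authentication server after S230, as an added Go example that is not the patent's own code: the first server checks that both tokens are on the ledger, sends an identity information acquisition request to the identity authentication server, receives the user identity information, generates the response (the "account balance: 3500" example from the page) and hands it back to the identity authentication server, which forwards it to the client. The in-memory ledger, the `Identity` fields, the account table, and the in-process calls standing in for network messages are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Ledger stands in for the blockchain (in-memory, constructed for this example).
type Ledger map[string]bool

// ServiceRequest is what the identity authentication server forwards to the
// first server in S230/S310: the request kind and the tokens the client sent.
type ServiceRequest struct {
	Kind        string // "balance" is the only kind this example serves
	FirstToken  string
	SecondToken string
}

// Identity is the user identity information held by the identity
// authentication server (fields constructed for this example).
type Identity struct {
	Name  string
	IDNum string
}

// AuthServer holds the identity behind each first token it allocated and
// forwards response information to the client.
type AuthServer struct {
	firstTokens map[string]Identity
	ToClient    []string // messages forwarded to the client, recorded for the example
}

// IdentityFor answers the first server's identity information acquisition
// request: the identity authentication server's side of S330.
func (a *AuthServer) IdentityFor(firstToken string) (Identity, error) {
	id, ok := a.firstTokens[firstToken]
	if !ok {
		return Identity{}, errors.New("identity authentication server does not know this first token")
	}
	return id, nil
}

// FirstServer models the first institution's server. Its accounts are keyed
// by the identity the identity authentication server supplies.
type FirstServer struct {
	ledger   Ledger
	Auth     *AuthServer
	balances map[Identity]int
}

// IsAuthenticated implements S320: both tokens must be present on the ledger.
func (f *FirstServer) IsAuthenticated(req ServiceRequest) bool {
	return f.ledger[req.FirstToken] && f.ledger[req.SecondToken]
}

// Handle implements S330: re-check the tokens, obtain the user identity
// information from the identity authentication server, generate the response
// and hand it back to the identity authentication server, which forwards it
// to the client. The in-process calls stand in for network messages.
func (f *FirstServer) Handle(req ServiceRequest) (string, error) {
	if !f.IsAuthenticated(req) {
		return "", errors.New("target user is not an authenticated user")
	}
	id, err := f.Auth.IdentityFor(req.FirstToken)
	if err != nil {
		return "", err
	}
	if req.Kind != "balance" {
		return "", fmt.Errorf("unsupported request kind %q", req.Kind)
	}
	bal, ok := f.balances[id]
	if !ok {
		return "", errors.New("no account at the first institution for this identity")
	}
	resp := fmt.Sprintf("account balance: %d", bal)
	f.Auth.ToClient = append(f.Auth.ToClient, resp) // forwarded to the client
	return resp, nil
}

// NewScenario: Alice holds first token B and second token A, both on the
// ledger, and an account with balance 3500 at the first institution (constructed).
func NewScenario() *FirstServer {
	alice := Identity{Name: "Alice", IDNum: "ID-0001"}
	return &FirstServer{
		ledger:   Ledger{"tokenB": true, "tokenA": true},
		Auth:     &AuthServer{firstTokens: map[string]Identity{"tokenB": alice}},
		balances: map[Identity]int{alice: 3500},
	}
}

func main() {
	f := NewScenario()
	for _, req := range []ServiceRequest{
		{Kind: "balance", FirstToken: "tokenB", SecondToken: "tokenA"},
		{Kind: "balance", FirstToken: "tokenB", SecondToken: "tokenZ"},
	} {
		resp, err := f.Handle(req)
		fmt.Printf("%+v -> %q err=%v\n", req, resp, err)
	}
}
```

Note that the first server never stores user identity information itself: the account is resolved through the identity the identity authentication server returns for the first token, which is the division of responsibility the page describes.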
Fig. 4 is a flowchart illustrating an embodiment of an identity authentication method provided in the present application. The identity authentication method may be applied to the second server.
As shown in fig. 4, the identity authentication method may specifically include the following steps:
S410, receiving user identity information, collected by a client, corresponding to a target user;
S420, performing identity authentication on the target user according to the user identity information;
and S430, if the authentication passes, allocating a second token to the target user, sending the second token to the client, and uploading the second token to the blockchain, so that the servers of other institutions can determine whether the target user is an authenticated user according to a plurality of tokens including the second token.
Therefore, by receiving user identity information which is acquired by a client and corresponds to a target user and performing identity authentication on the target user according to the user identity information, distributing a second token for the target user under the condition that the authentication is passed, sending the second token to the client and uploading the second token to a block chain, the server of other organizations can determine whether the target user is an authenticated user according to a plurality of tokens including the second token, and further response of the server of other organizations to a client service request is realized under the condition that the user does not need to log in a service platform of other organizations, so that the login times of obtaining services of different organizations by the user are reduced while the service safety is ensured, network resources are saved, and the user operation process is simplified.
Specific implementations of the above steps are described below.
In some embodiments, in S410, S420 and S430, before receiving the service request sent by the client to the first organization, the target user needs to be authenticated twice, that is, the target user is authenticated by the authentication server and the target user is authenticated by the second server, respectively.
The second server receives user identity information of the target user, performs identity authentication on the target user based on the user identity information, distributes a second token for the target user if the authentication is passed, sends the second token to the client, and uploads the second token to the block chain. The user identity information may be information capable of uniquely determining the identity of the target user, for example, information that is filled in by the target user when the client performs real-name authentication, and the user identity information may be used for identity authentication of the target user. And distributing a second token for the target user, and sending the second token to the client, so that the target user can prove that the target user passes the identity authentication of the second server by virtue of the second token. Uploading the second token to the blockchain may cause the server of the other institution to determine whether the target user is an authenticated user based on the plurality of tokens including the second token.
In some specific examples, after the target user logs in the client through the user name and the password, the user identity information may be input to perform real-name authentication, the second server may receive the user identity information, perform real-name authentication, that is, identity authentication, on the target user according to the user identity information, and after the authentication is passed, a second token may be allocated to the target user, sent to the client, and uploaded to the block chain.
In some embodiments, the S430 may specifically include:
distributing an original token for a target user;
and encrypting the original token by using the public key of the identity authentication server to obtain a second token.
Here, in order to protect the security of user information at each institution and prevent one institution from obtaining user information from another by forging that institution's tokens, the original token allocated to the target user may be encrypted with the public key of the identity authentication server to obtain the second token.
In some specific examples, the second server may allocate a token C, that is, an original token, to the target user, and encrypt the token C with a public key of the identity authentication server to obtain a token a, that is, a second token.
Therefore, the original token is encrypted, and the situation that after the encrypted second token is uploaded to the block chain, one mechanism obtains user information from other mechanisms by forging tokens of other mechanisms can be avoided, so that the information safety of each mechanism is ensured.
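Token C, token A and the institution lookup described here and in the matching variant of S220 above, as an added Go example that is not the patent's own code: the second server allocates an original token carrying its institution identifier, encrypts it with RSA-OAEP to the identity authentication server's public key, and uploads the ciphertext as the second token; the identity authentication server recovers the original token and reads the institution identifier from it. The page says the second token is decrypted "using the public key"; in a standard asymmetric scheme the holder of the key pair decrypts with its private key, which is the reading used here and marked in the code. The in-memory ledger, the `<institution>:<random hex>` token layout and the 2048-bit key size are assumptions of the example, and the ledger holds the second token as uploaded, that is, the encrypted value.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Ledger stands in for the blockchain (in-memory, constructed for this example).
type Ledger map[string]bool

// SecondServer models the second institution's server. It holds the identity
// authentication server's public key so it can wrap the tokens it allocates.
type SecondServer struct {
	InstitutionID string
	AuthPub       *rsa.PublicKey
	ledger        Ledger
}

// allocateOriginal allocates token C. The "<institution>:<random hex>" layout is
// an assumption of this example; the page only says the token carries the
// institution identifier.
func (s *SecondServer) allocateOriginal() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return s.InstitutionID + ":" + hex.EncodeToString(buf), nil
}

// IssueSecondToken implements S430: allocate an original token, encrypt it to
// the identity authentication server's public key (RSA-OAEP) and upload the
// ciphertext to the ledger. The ciphertext is the second token (token A).
func (s *SecondServer) IssueSecondToken() (original string, second []byte, err error) {
	if original, err = s.allocateOriginal(); err != nil {
		return "", nil, err
	}
	second, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, s.AuthPub, []byte(original), nil)
	if err != nil {
		return "", nil, err
	}
	s.ledger[string(second)] = true
	return original, second, nil
}

// AuthServer models the identity authentication server, holder of the key
// pair. Only it can recover the original token and read the institution id.
type AuthServer struct {
	priv *rsa.PrivateKey
}

// InstitutionOf decrypts the second token and parses the institution identifier
// from the original token. The page says "using the public key"; a standard
// asymmetric scheme decrypts with the private key, the assumption made here.
func (a *AuthServer) InstitutionOf(second []byte) (string, error) {
	orig, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, second, nil)
	if err != nil {
		return "", errors.New("second token was not encrypted to this server's key")
	}
	parts := strings.SplitN(string(orig), ":", 2)
	if len(parts) != 2 || parts[0] == "" {
		return "", errors.New("original token carries no institution identifier")
	}
	return parts[0], nil
}

// NewPair builds a second server for institution "a" and the identity
// authentication server that owns the key pair (2048-bit RSA, an assumption).
func NewPair() (*SecondServer, *AuthServer, Ledger, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	ledger := Ledger{}
	second := &SecondServer{InstitutionID: "a", AuthPub: &priv.PublicKey, ledger: ledger}
	return second, &AuthServer{priv: priv}, ledger, nil
}

func main() {
	second, auth, ledger, err := NewPair()
	if err != nil {
		panic(err)
	}
	orig, tokA, err := second.IssueSecondToken()
	if err != nil {
		panic(err)
	}
	inst, err := auth.InstitutionOf(tokA)
	fmt.Printf("token C=%s  token A on ledger=%v  institution=%s err=%v\n",
		orig, ledger[string(tokA)], inst, err)
}
```

Because OAEP is randomised, two tokens for the same user never produce the same ciphertext, and a value that was not encrypted to the identity authentication server's key fails decryption rather than yielding a parsable institution identifier; that failure is the property the page relies on to keep one institution from passing off a token as another's.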
To better describe the overall scheme, a specific example is given based on the above embodiments.
As shown in fig. 5, a target user inputs a user name and a password registered in an identity authentication server at a client to log in, inputs user identity information to perform real-name authentication, after receiving the user identity information, the identity authentication server performs identity authentication on the target user according to the user identity information, and after the authentication is passed, allocates a first token to the target user, sends the first token to the client, and uploads the first token to a block chain.
And then, the target user selects a second mechanism at the client, so that the user jumps to a login interface of the second mechanism, the target user inputs a user name and a password registered in a second server at the client to log in, and inputs user identity information to perform real-name authentication, after receiving the user identity information, the second server performs identity authentication on the target user according to the user identity information, distributes a second token for the target user after the authentication is passed, sends the second token to the client, and uploads the second token to a block chain, wherein the second token is an encrypted token.
After the two identity authentications are completed, the target user can send a service request aiming at the first mechanism to the identity authentication server through the client, the identity authentication server matches the second token with the tokens stored in the block chain, if the block chain has the token matched with the second token, user identity information corresponding to the first token and user identity information corresponding to the second token are obtained, the user identity information corresponding to the first token and the user identity information corresponding to the second token are compared, and if the comparison is consistent, the target user is determined to be the authenticated user. After the target user is determined to be the authenticated user, the identity authentication server forwards the service request to a first server corresponding to the first mechanism, the first server matches the first token and the second token with tokens stored in the block chain respectively, and if the block chain has both the token matched with the first token and the token matched with the second token, the target user is determined to be the authenticated user. Then, the first server sends an identity information acquisition request to the identity authentication server, the identity authentication server responds to the identity information acquisition request and sends user identity information corresponding to the target user to the first server, the first server responds to the service request according to the user identity information and generates response information, the response information is sent to the identity authentication server, and the identity authentication server forwards the response information to the client side and displays the response information to the user.
Based on this, because the multiple servers authenticate the identity of the target user, a reliable identity endorsement is provided for the user, and the block chain is used for sharing the token distributed by the target user after the identity authentication is passed, so that the identity authentication result of the user can be shared with other mechanisms on the chain, and further, the response of the first server to the client service request is realized under the condition that the user does not need to log in a service platform of the first mechanism, therefore, the login times required by the user to obtain the services of different mechanisms are reduced while the service security is ensured, the network resource is saved, and the user operation process is simplified.
It should be noted that the application scenario described in the embodiment of the present application is to illustrate the technical solution of the embodiment of the present application more clearly, and does not constitute a limitation to the technical solution provided in the embodiment of the present application, and as a person of ordinary skill in the art knows, with the occurrence of a new application scenario, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
Based on the same inventive concept, the application also provides an identity authentication device. The details are described with reference to fig. 6.
Fig. 6 shows a schematic structural diagram of an embodiment of an identity authentication device provided in the present application. The identity authentication device can be applied to an identity authentication server.
As shown in fig. 6, the identity authentication apparatus 600 may include:
a first receiving module 601, configured to receive a service request sent by a client for a first institution, where the service request includes a plurality of tokens, the tokens are tokens allocated to a target user by a plurality of servers that each performed identity authentication on the target user, allocated when that identity authentication passed, and the target user is the user logged in to the client;
a first matching module 602, configured to match the multiple tokens with tokens stored in the blockchain, and determine whether the target user is an authenticated user;
a request forwarding module 603, configured to forward the service request to a first server corresponding to the first institution if the target user is determined to be an authenticated user, so that the first server responds to the service request.
The following describes the identity authentication apparatus 600 in detail, specifically as follows:
In some embodiments, the plurality of servers includes the identity authentication server and a second server corresponding to a second institution, and the plurality of tokens includes a first token allocated by the identity authentication server and a second token allocated by the second server.
In some embodiments, the identity authentication apparatus 600 further comprises:
the fourth receiving module is used for receiving user identity information which is collected by the client and corresponds to the target user before receiving a service request which is sent by the client and aims at the first mechanism;
the second identity authentication module is used for performing identity authentication on the target user according to the user identity information;
and the second token distribution module is used for distributing the first token for the target user, sending the first token to the client and uploading the first token to the block chain under the condition that the authentication is passed.
In some embodiments, the first matching module 602 includes:
a first matching submodule, configured to match the second token with the tokens stored in the blockchain;
an acquiring submodule, configured to, if a token matching the second token exists in the blockchain, acquire the user identity information corresponding to the first token, determine the second institution that allocated the second token, and acquire the user identity information corresponding to the second token from the second server corresponding to that second institution;
a comparing submodule, configured to compare the user identity information corresponding to the first token with the user identity information corresponding to the second token;
a first determining submodule, configured to determine that the target user is an authenticated user if the two pieces of user identity information are consistent;
and a second determining submodule, configured to determine that the target user is not an authenticated user if no token matching the second token exists in the blockchain or the two pieces of user identity information are inconsistent.
In some embodiments, the second token is a token obtained by the second server of the second institution encrypting the original token allocated to the target user with the public key of the identity authentication server; the first matching submodule includes:
a decrypting unit, configured to decrypt the second token using the public key to obtain the original token;
a matching unit, configured to match the original token with the tokens stored in the blockchain;
and the acquiring submodule includes:
a determining unit, configured to determine, from the original token, the second institution that allocated the second token.
In some embodiments, the identity authentication apparatus 600 further comprises:
a fifth receiving module, configured to receive an identity information acquisition request sent by the first server after the service request has been forwarded to the first server corresponding to the first institution;
the sending module is used for responding to the identity information acquisition request and sending the user identity information corresponding to the target user to the first server so that the first server responds to the service request according to the user identity information and generates response information;
a sixth receiving module, configured to receive response information returned by the first server;
and the response information forwarding module is used for forwarding the response information to the client.
Therefore, when a service request sent by a client for a first institution is received, the tokens included in the service request, which were allocated to the target user by a plurality of servers after each authenticated the target user's identity, are matched with the tokens stored in the blockchain to determine whether the target user is an authenticated user, and the service request is forwarded to the first server corresponding to the first institution when the target user is determined to be an authenticated user, so that the first server responds to the client's service request without the user logging in to the first institution's service platform. Because a plurality of servers authenticate the identity of the target user, a reliable identity endorsement is provided for the user; because the blockchain is used to share the tokens allocated to the target user after identity authentication passed, the user's authentication result can be shared with other institutions on the chain. The number of logins the user needs in order to obtain services from different institutions is thus reduced while service security is ensured, network resources are saved, and the user's operation flow is simplified.
Fig. 7 is a schematic structural diagram illustrating an embodiment of an identity authentication apparatus provided in the present application. The identity authentication device can be applied to the first server.
As shown in fig. 7, the identity authentication apparatus 700 may include:
a second receiving module 701, configured to receive a service request forwarded by an identity authentication server, where the service request includes multiple tokens, the tokens being tokens that a plurality of servers each allocated to a target user after performing identity authentication on the target user and the authentication passed, and the target user being a user logged in at the client that sent the service request to the identity authentication server;
a second matching module 702, configured to match the multiple tokens with tokens stored in the blockchain, and determine whether the target user is an authenticated user;
a service response module 703, configured to respond to the service request if it is determined that the target user is an authenticated user.
The identity authentication apparatus 700 is described in detail below:
in some of these embodiments, the plurality of servers includes an identity authentication server and a second server corresponding to a second institution, and the plurality of tokens includes a first token allocated by the identity authentication server and a second token allocated by the second server.
In some of these embodiments, the second matching module 702 includes:
a second matching submodule, configured to match the first token and the second token respectively with the tokens stored in the blockchain;
a third determining submodule, configured to determine that the target user is an authenticated user when a token matching the first token and a token matching the second token both exist in the blockchain;
and a fourth determining submodule, configured to determine that the target user is not an authenticated user when no token matching the first token exists in the blockchain or no token matching the second token exists in the blockchain.
In some of these embodiments, the service response module 703 includes:
the first sending submodule is used for sending an identity information acquisition request to the identity authentication server;
the receiving submodule is used for receiving user identity information which is sent by the identity authentication server and corresponds to the target user;
the generating submodule is used for responding to the service request according to the user identity information and generating response information;
and the second sending submodule is used for sending the response information to the identity authentication server so that the identity authentication server forwards the response information to the client.
Therefore, after the service request forwarded by the identity authentication server is received, the tokens included in the service request, which the plurality of servers each allocated to the target user after authenticating the user's identity, are matched against the tokens stored in the blockchain to determine whether the target user is an authenticated user, and the service request is responded to when the target user is determined to be an authenticated user. Because the plurality of servers authenticate the target user's identity, the user is given a reliable identity endorsement; because the blockchain shares the tokens allocated to the target user after authentication passed, the user's authentication result can be shared with the other institutions on the chain; and the first server responds to the client's service request without the user logging in to the first institution's service platform. Service security is thus ensured while the number of logins the user needs to obtain services from different institutions is reduced, network resources are saved, and the user's operation flow is simplified.
Fig. 8 is a schematic structural diagram illustrating an embodiment of an identity authentication apparatus provided in the present application. The identity authentication device is applicable to the second server.
As shown in fig. 8, the identity authentication apparatus 800 may include:
a third receiving module 801, configured to receive user identity information corresponding to a target user, where the user identity information is acquired by a client;
a first identity authentication module 802, configured to perform identity authentication on a target user according to user identity information;
the first token allocating module 803 is configured to, if the authentication is passed, allocate a second token to the target user, send the second token to the client, and upload the second token to the blockchain, so that the server of the other entity determines whether the target user is an authenticated user according to the multiple tokens including the second token.
The identity authentication apparatus 800 is described in detail below:
in some of these embodiments, the first token assignment module 803 comprises:
an allocation submodule, configured to allocate an original token to the target user;
and an encryption submodule, configured to encrypt the original token with the public key of the identity authentication server to obtain the second token.
Therefore, by receiving user identity information acquired by the client and corresponding to the target user, performing identity authentication on the target user according to that information, and, when authentication passes, allocating a second token to the target user, sending it to the client and uploading it to the blockchain, the servers of other institutions can determine whether the target user is an authenticated user according to a plurality of tokens including the second token, and can therefore respond to the client's service request without the user logging in to their service platforms. Service security is thus ensured while the number of logins the user needs to obtain services from different institutions is reduced, network resources are saved, and the user's operation flow is simplified.
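The three-role flow described for the apparatuses above (identity authentication server, first server, second server, with tokens shared over the blockchain) as a runnable sketch; this is an added example written for this page, not code from the patent or from the applicant. It assumes an in-memory set as a stand-in for the blockchain, random hex strings as tokens, and leaves out the public-key wrapping of the second token; all institution names, user ids and identity strings are constructed.

```python
"""Token flow modelled on the roles in this patent: an identity authentication
server, a second institution that also issues a token, a first institution that
serves the request, and a blockchain that shares the tokens. Added example, not
the patent's code; the ledger is an in-memory stand-in for the chain and the
public-key wrapping of the second token (claims 5, 12) is omitted."""
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    issuer: str   # institution that authenticated the user and issued the token
    value: str    # opaque random value; the chain stores tokens, not identities

class Ledger:
    """Append-only stand-in for the blockchain to which tokens are uploaded."""
    def __init__(self):
        self._entries = set()

    def upload(self, token):
        self._entries.add(token)

    def contains(self, token):
        return token in self._entries

class InstitutionServer:
    """An institution that verifies identity information and issues a token."""
    def __init__(self, name, ledger, users):
        self.name = name
        self.ledger = ledger
        self._users = dict(users)   # user id -> identity information on file
        self._issued = {}           # token -> user id, to answer identity lookups

    def authenticate(self, user_id, identity_info):
        """On a match, allocate a token, return it to the client, upload it."""
        if self._users.get(user_id) != identity_info:
            return None
        token = Token(self.name, secrets.token_hex(16))
        self._issued[token] = user_id
        self.ledger.upload(token)
        return token

    def identity_for(self, token):
        user_id = self._issued.get(token)
        return self._users.get(user_id) if user_id else None

class IdentityAuthServer(InstitutionServer):
    """Claims 1-6: match the second token on the chain, cross-check the identity
    information behind both tokens, then forward to the first server."""
    def __init__(self, name, ledger, users, institutions):
        super().__init__(name, ledger, users)
        self.institutions = institutions   # name -> InstitutionServer

    def is_authenticated(self, tokens):
        first = next((t for t in tokens if t.issuer == self.name), None)
        second = next((t for t in tokens if t.issuer != self.name), None)
        if first is None or second is None or not self.ledger.contains(second):
            return False
        # The issuing institution is read off the token, then asked for its record.
        issuer = self.institutions.get(second.issuer)
        mine = self.identity_for(first)
        theirs = issuer.identity_for(second) if issuer else None
        return mine is not None and mine == theirs

    def handle_service_request(self, first_server, tokens, service):
        if not self.is_authenticated(tokens):
            return None
        return first_server.handle(self, tokens, service)

class FirstServer:
    """Claims 7-10: every presented token must exist on the chain; identity
    information is then fetched from the identity authentication server."""
    def __init__(self, name, ledger):
        self.name = name
        self.ledger = ledger

    def handle(self, auth_server, tokens, service):
        if not tokens or not all(self.ledger.contains(t) for t in tokens):
            return None
        first = next((t for t in tokens if t.issuer == auth_server.name), None)
        identity = auth_server.identity_for(first) if first else None
        if identity is None:
            return None
        return f"{self.name}: {service} for {identity}"

def demo():
    """Constructed scenario: one user enrolled at both issuing institutions."""
    ledger = Ledger()
    bank_b = InstitutionServer("bank-b", ledger, {"u1": "Alice/ID-0001"})
    auth = IdentityAuthServer("auth", ledger, {"u1": "Alice/ID-0001"},
                              {"bank-b": bank_b})
    bank_a = FirstServer("bank-a", ledger)
    tokens = [auth.authenticate("u1", "Alice/ID-0001"),
              bank_b.authenticate("u1", "Alice/ID-0001")]
    ok = auth.handle_service_request(bank_a, tokens, "balance")
    # A second token the chain never recorded (forged or tampered) is rejected.
    forged = [tokens[0], Token("bank-b", "00" * 16)]
    return ok, auth.handle_service_request(bank_a, forged, "balance")
```

Note that the first-server rule of claim 9 only checks that every token is on the chain, whereas the identity-authentication-server rule of claim 4 additionally compares the identity records behind the two tokens, so the two roles can disagree when the same user id is enrolled under different identity information.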
Fig. 9 shows a hardware structure diagram of an embodiment of the electronic device provided in the present application.
The electronic device 900 may include a processor 901 and memory 902 that stores computer program instructions.
Specifically, the processor 901 may include a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
The memory 902 may include mass storage for data or instructions. By way of example, and not limitation, the memory 902 may include a Hard Disk Drive (HDD), a floppy disk drive, flash memory, an optical disk, a magneto-optical disk, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. The memory 902 may include removable or non-removable (or fixed) media, where appropriate. The memory 902 may be internal or external to the electronic device 900, where appropriate. In a particular embodiment, the memory 902 is a non-volatile solid-state memory.
The memory may include Read Only Memory (ROM), Random Access Memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, or other physical/tangible memory storage devices. Thus, in general, the memory includes one or more tangible (non-transitory) computer-readable storage media (e.g., memory devices) encoded with software comprising computer-executable instructions and when the software is executed (e.g., by one or more processors), it is operable to perform operations described with reference to the methods according to an aspect of the application.
The processor 901 reads and executes the computer program instructions stored in the memory 902 to implement any one of the identity authentication methods in the above embodiments.
In some examples, the electronic device 900 may also include a communication interface 903 and a bus 904. As shown in fig. 9, the processor 901, the memory 902, and the communication interface 903 are connected via the bus 904 and communicate with one another over it.
The communication interface 903 is mainly used for implementing communication between various modules, apparatuses, units and/or devices in this embodiment.
The bus 904 comprises hardware, software, or both that couple the components of the electronic device 900 to one another. By way of example, and not limitation, the bus 904 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or other suitable bus, or a combination of two or more of these. The bus 904 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
Illustratively, the electronic device 900 may be a mobile phone, a tablet computer, a notebook computer, a palm top computer, a vehicle-mounted electronic device, an ultra-mobile personal computer (UMPC), a netbook or a Personal Digital Assistant (PDA), and the like.
The electronic device 900 may execute the identity authentication method in the embodiment of the present application, so as to implement the identity authentication method and apparatus described in conjunction with fig. 1 and fig. 8.
In addition, in combination with the identity authentication method in the foregoing embodiments, embodiments of the present application may provide a computer-readable storage medium to implement. The computer readable storage medium having stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement any of the identity authentication methods in the above embodiments. Examples of computer-readable storage media include non-transitory computer-readable storage media such as portable disks, hard disks, Random Access Memories (RAMs), Read Only Memories (ROMs), erasable programmable read only memories (EPROMs or flash memories), portable compact disk read only memories (CD-ROMs), optical storage devices, magnetic storage devices, and so forth.
It is to be understood that the present application is not limited to the particular arrangements and instrumentality described above and shown in the attached drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present application are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications, and additions or change the order between the steps after comprehending the spirit of the present application.
The functional blocks shown in the above-described structural block diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the present application are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
It should also be noted that the exemplary embodiments mentioned in this application describe some methods or systems based on a series of steps or devices. However, the present application is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.
Aspects of the present application are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, implement the functions/acts specified in the flowchart and/or block diagram block or blocks. Such a processor may be, but is not limited to, a general purpose processor, a special purpose processor, an application specific processor, or a field programmable logic circuit. It will also be understood that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based computer instructions which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
As described above, only the specific embodiments of the present application are provided, and it can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, the module and the unit described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. It should be understood that the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the present application, and these modifications or substitutions should be covered within the scope of the present application.

Claims (17)

1. An identity authentication method, applied to an identity authentication server, characterized by comprising the following steps:
receiving a service request sent by a client for a first institution, wherein the service request comprises a plurality of tokens, the tokens are tokens that a plurality of servers each allocated to a target user after performing identity authentication on the target user and the identity authentication passed, and the target user is a user logged in at the client;
matching the plurality of tokens with tokens stored in a blockchain, and determining whether the target user is an authenticated user;
and in a case in which the target user is determined to be an authenticated user, forwarding the service request to a first server corresponding to the first institution, so that the first server responds to the service request.
2. The method of claim 1, wherein the plurality of servers includes the identity authentication server and a second server corresponding to a second institution, and wherein the plurality of tokens includes a first token allocated by the identity authentication server and a second token allocated by the second server.
3. The method of claim 2, wherein before receiving the service request sent by the client for the first institution, the method further comprises:
receiving user identity information which is acquired by the client and corresponds to the target user;
performing identity authentication on the target user according to the user identity information;
and in a case in which the authentication passes, allocating the first token to the target user, sending the first token to the client, and uploading the first token to the blockchain.
4. The method of claim 2, wherein matching the plurality of tokens with tokens stored in a blockchain and determining whether the target user is an authenticated user comprises:
matching the second token with the tokens stored in the blockchain;
in a case in which a token matching the second token exists in the blockchain, acquiring user identity information corresponding to the first token, determining the second institution that allocated the second token, and acquiring user identity information corresponding to the second token from the second server corresponding to the second institution;
comparing the user identity information corresponding to the first token with the user identity information corresponding to the second token;
in a case in which the compared user identity information is consistent, determining that the target user is an authenticated user;
and in a case in which no token matching the second token exists in the blockchain or the compared user identity information is inconsistent, determining that the target user is not an authenticated user.
5. The method according to claim 4, wherein the second token is a token obtained by the institution server of the second institution encrypting an original token allocated to the target user with the public key of the identity authentication server;
the matching the second token with the tokens stored in the blockchain comprises:
decrypting the second token with the public key to obtain the original token;
matching the original token with the tokens stored in the blockchain;
and the determining the second institution that allocated the second token comprises:
determining, based on the original token, the second institution that allocated the second token.
6. The method of claim 1, wherein after forwarding the service request to the first server corresponding to the first institution, the method further comprises:
receiving an identity information acquisition request sent by the first server;
responding to the identity information acquisition request, sending user identity information corresponding to the target user to the first server, so that the first server responds to the service request according to the user identity information and generates response information;
receiving the response information returned by the first server;
and forwarding the response information to the client.
7. An identity authentication method, applied to a first server, characterized by comprising the following steps:
receiving a service request forwarded by an identity authentication server, wherein the service request comprises a plurality of tokens, the tokens are tokens that a plurality of servers each allocated to a target user after performing identity authentication on the target user and the identity authentication passed, and the target user is a user logged in at the client that sent the service request to the identity authentication server;
matching the plurality of tokens with tokens stored in a blockchain, and determining whether the target user is an authenticated user;
and responding to the service request in a case in which the target user is determined to be an authenticated user.
8. The method of claim 7, wherein the plurality of servers includes the identity authentication server and a second server corresponding to a second institution, and wherein the plurality of tokens includes a first token allocated by the identity authentication server and a second token allocated by the second server.
9. The method of claim 8, wherein matching the plurality of tokens to tokens stored in a blockchain to determine whether the target user is an authenticated user comprises:
matching the first token and the second token with tokens stored in the blockchain respectively;
determining that the target user is an authenticated user if a token matching the first token and a token matching the second token exist in the blockchain;
determining that the target user is not an authenticated user in the absence of a token in the blockchain that matches the first token or the absence of a token that matches the second token.
10. The method of claim 7, wherein responding to the service request comprises:
sending an identity information acquisition request to the identity authentication server;
receiving user identity information which is sent by the identity authentication server and corresponds to the target user;
responding to the service request according to the user identity information to generate response information;
and sending the response information to the identity authentication server so that the identity authentication server forwards the response information to the client.
11. An identity authentication method, applied to a second server, characterized by comprising the following steps:
receiving user identity information acquired by a client and corresponding to a target user;
performing identity authentication on the target user according to the user identity information;
and in a case in which the authentication passes, allocating a second token to the target user, sending the second token to the client, and uploading the second token to a blockchain, so that the servers of other institutions determine whether the target user is an authenticated user according to a plurality of tokens including the second token.
12. The method of claim 11, wherein said assigning a second token to the target user comprises:
distributing an original token for the target user;
and encrypting the original token by using a public key of an identity authentication server to obtain the second token.
13. An identity authentication apparatus, applied to an identity authentication server, the apparatus comprising:
a first receiving module, configured to receive a service request sent by a client for a first institution, wherein the service request comprises a plurality of tokens, the tokens are tokens that a plurality of servers each allocated to a target user after performing identity authentication on the target user and the identity authentication passed, and the target user is a user logged in at the client;
a first matching module, configured to match the plurality of tokens with tokens stored in a blockchain and determine whether the target user is an authenticated user;
and a request forwarding module, configured to forward the service request to a first server corresponding to the first institution in a case in which the target user is determined to be an authenticated user, so that the first server responds to the service request.
14. An identity authentication apparatus, applied to a first server, the apparatus comprising:
a second receiving module, configured to receive a service request forwarded by an identity authentication server, wherein the service request comprises a plurality of tokens, the tokens are tokens that a plurality of servers each allocated to a target user after performing identity authentication on the target user and the identity authentication passed, and the target user is a user logged in at the client that sent the service request to the identity authentication server;
a second matching module, configured to match the plurality of tokens with tokens stored in a blockchain and determine whether the target user is an authenticated user;
and a service response module, configured to respond to the service request in a case in which the target user is determined to be an authenticated user.
15. An identity authentication apparatus, applied to a second server, the apparatus comprising:
a third receiving module, configured to receive user identity information acquired by a client and corresponding to a target user;
a first identity authentication module, configured to perform identity authentication on the target user according to the user identity information;
and a first token allocation module, configured to allocate a second token to the target user in a case in which the authentication passes, send the second token to the client, and upload the second token to a blockchain, so that the servers of other institutions determine whether the target user is an authenticated user according to a plurality of tokens including the second token.
16. An electronic device, characterized in that the device comprises: a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, performs the steps of the identity authentication method of any of claims 1-6 or 7-10 or 11-12.
17. A computer-readable storage medium, having stored thereon computer program instructions, which, when executed by a processor, carry out the steps of the method of identity authentication according to any one of claims 1-6 or 7-10 or 11-12.
CN202210109179.9A 2022-01-28 2022-01-28 Identity authentication method, device, equipment and computer readable storage medium Active CN114553432B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202210109179.9A CN114553432B (en) 2022-01-28 2022-01-28 Identity authentication method, device, equipment and computer readable storage medium
PCT/CN2022/112488 WO2023142437A1 (en) 2022-01-28 2022-08-15 Identity authentication method and apparatus, device, and computer readable storage medium
TW111137392A TWI843220B (en) 2022-01-28 2022-09-30 Identity authentication method, device, equipment and computer-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210109179.9A CN114553432B (en) 2022-01-28 2022-01-28 Identity authentication method, device, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN114553432A true CN114553432A (en) 2022-05-27
CN114553432B CN114553432B (en) 2023-08-18

Family

ID=81674386

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210109179.9A Active CN114553432B (en) 2022-01-28 2022-01-28 Identity authentication method, device, equipment and computer readable storage medium

Country Status (2)

Country Link
CN (1) CN114553432B (en)
WO (1) WO2023142437A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023142437A1 (en) * 2022-01-28 2023-08-03 中国银联股份有限公司 Identity authentication method and apparatus, device, and computer readable storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110177124A (en) * 2019-06-20 2019-08-27 深圳市网心科技有限公司 Identity identifying method and relevant device based on block chain
WO2019239591A1 (en) * 2018-06-15 2019-12-19 Capy株式会社 Authentication system, authentication method, application provision device, authentication device, and authentication program
US20200007322A1 (en) * 2018-06-27 2020-01-02 International Business Machines Corporation Automated task management on a blockchain based on predictive and analytical analysis
CN111211908A (en) * 2019-12-25 2020-05-29 深圳供电局有限公司 Access control method, system, computer device and storage medium
WO2020190720A1 (en) * 2019-03-15 2020-09-24 Madisetti Vijay Method and system for exchange of value or tokens between blockchain networks
CN112788033A (en) * 2021-01-13 2021-05-11 京东方科技集团股份有限公司 Authentication method and authentication system
US20210160073A1 (en) * 2018-10-25 2021-05-27 Advanced New Technologies Co., Ltd. Identity authentication, number saving and sending, and number binding method, apparatus and device
CN113221093A (en) * 2021-05-25 2021-08-06 成都佰纳瑞信息技术有限公司 Single sign-on system, method, equipment and product based on block chain
US20210377252A1 (en) * 2020-06-01 2021-12-02 Citrix Systems, Inc. Application integration using multiple user identities
US20210406877A1 (en) * 2018-09-29 2021-12-30 Jiangsu Fuzamei Technology Co. Ltd Digital Asset Custody Method and Apparatus and Storage Medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018143983A1 (en) * 2017-02-01 2018-08-09 Equifax, Inc. Verifying an identity based on multiple distributed data sources using a blockchain to safeguard the identity
CN110839002B (en) * 2018-08-15 2022-05-17 华为云计算技术有限公司 Cloud account opening, authentication and access method and device
CN110493220B (en) * 2019-08-16 2021-05-25 腾讯科技(深圳)有限公司 Data sharing method and device based on block chain and storage medium
CN111222885B (en) * 2019-11-13 2021-04-16 腾讯科技(深圳)有限公司 Data processing request endorsement method and device, computer equipment and storage medium
CN114553432B (en) * 2022-01-28 2023-08-18 中国银联股份有限公司 Identity authentication method, device, equipment and computer readable storage medium

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019239591A1 (en) * 2018-06-15 2019-12-19 Capy株式会社 Authentication system, authentication method, application provision device, authentication device, and authentication program
US20200007322A1 (en) * 2018-06-27 2020-01-02 International Business Machines Corporation Automated task management on a blockchain based on predictive and analytical analysis
US20210406877A1 (en) * 2018-09-29 2021-12-30 Jiangsu Fuzamei Technology Co. Ltd Digital Asset Custody Method and Apparatus and Storage Medium
US20210160073A1 (en) * 2018-10-25 2021-05-27 Advanced New Technologies Co., Ltd. Identity authentication, number saving and sending, and number binding method, apparatus and device
WO2020190720A1 (en) * 2019-03-15 2020-09-24 Madisetti Vijay Method and system for exchange of value or tokens between blockchain networks
CN110177124A (en) * 2019-06-20 2019-08-27 深圳市网心科技有限公司 Identity identifying method and relevant device based on block chain
CN111211908A (en) * 2019-12-25 2020-05-29 深圳供电局有限公司 Access control method, system, computer device and storage medium
US20210377252A1 (en) * 2020-06-01 2021-12-02 Citrix Systems, Inc. Application integration using multiple user identities
CN112788033A (en) * 2021-01-13 2021-05-11 京东方科技集团股份有限公司 Authentication method and authentication system
CN113221093A (en) * 2021-05-25 2021-08-06 成都佰纳瑞信息技术有限公司 Single sign-on system, method, equipment and product based on block chain

Non-Patent Citations (2)

Title
沈桐, 王勇, 刘俊艳 (Shen Tong, Wang Yong, Liu Junyan): "User authentication and authorization system architecture based on OAuth 2.0, OpenID Connect and UMA", 软件 (Software), no. 11 *

Cited By (1)

Publication number Priority date Publication date Assignee Title
WO2023142437A1 (en) * 2022-01-28 2023-08-03 China UnionPay Co., Ltd. Identity authentication method and apparatus, device, and computer readable storage medium

Also Published As

Publication number Publication date
TW202331563A (en) 2023-08-01
WO2023142437A1 (en) 2023-08-03
CN114553432B (en) 2023-08-18

Similar Documents

Publication Publication Date Title
CN112104665B (en) Block chain-based identity authentication method and device, computer and storage medium
CN112202772B (en) Authorization management method, device, electronic equipment and medium
CN112333198A (en) Secure cross-domain login method, system and server
CN110311880B (en) File uploading method, device and system
CN111669351B (en) Authentication method, service server, client and computer readable storage medium
CN110020869B (en) Method, device and system for generating block chain authorization information
CN112084234A (en) Data acquisition method, apparatus, device and medium
CN104426659A (en) Dynamic password generating method, authentication method, authentication system and corresponding equipment
CN112311779A (en) Data access control method and device applied to block chain system
CN104301288A (en) Method and system for online identity authentication, online transaction certification, and online certification protection
CN109740319B (en) Digital identity verification method and server
CN114553432B (en) Identity authentication method, device, equipment and computer readable storage medium
CN112446050B (en) Business data processing method and device applied to block chain system
CN112084527B (en) Data storage and acquisition method, device, equipment and medium
CN105141624A (en) Login method, account management server and client system
CN116647345A (en) Method and device for generating permission token, storage medium and computer equipment
CN116684156A (en) Password-free login authentication method, device, equipment, medium and product
CN111294315B (en) Block chain-based security authentication method, block chain-based security authentication device, block chain-based security authentication equipment and storage medium
CN110969474A (en) Resource acquisition processing method, data processing system, storage medium and processor
CN112653676B (en) Identity authentication method and equipment crossing authentication system
TWI843220B (en) Identity authentication method, device, equipment and computer-readable storage medium
CN111431870B (en) Equipment login method and device
CN113542247B (en) Service pushing method, device and equipment based on data encryption
CN114553570B (en) Method, device, electronic equipment and storage medium for generating token
CN115225293B (en) Authentication method, system, device, equipment and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40069692; Country of ref document: HK)
GR01 Patent grant