CN114553432B - Identity authentication method, device, equipment and computer readable storage medium - Google Patents


Info

Publication number
CN114553432B
Authority
CN
China
Prior art keywords
user
token
target user
server
tokens
Legal status
Active
Application number
CN202210109179.9A
Other languages
Chinese (zh)
Other versions
CN114553432A (en)
Inventor
祖立军
薛文哲
周锦佳
汤洋
傅宜生
赵海
吴杰
吕智慧
Current Assignee
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Events
Application filed by China Unionpay Co Ltd
Priority to CN202210109179.9A
Publication of CN114553432A
Priority to PCT/CN2022/112488 (WO2023142437A1)
Priority to TW111137392A (TWI843220B)
Application granted
Publication of CN114553432B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 ... involving a third party or a trusted authority
    • H04L9/3213 ... using tickets or tokens, e.g. Kerberos
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 ... for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 ... for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The application discloses an identity authentication method, an identity authentication device, identity authentication equipment and a computer readable storage medium. The method comprises the following steps: receiving a service request for a first institution sent by a client, wherein the service request comprises a plurality of tokens, the tokens were distributed to a target user by a plurality of servers that each performed identity authentication on the target user and passed it, and the target user is the user logged in to the client; matching the plurality of tokens with the tokens stored in the blockchain to determine whether the target user is an authenticated user; and, if the target user is determined to be an authenticated user, forwarding the service request to a first server corresponding to the first institution so that the first server responds to the service request. According to the embodiments of the application, the number of logins a user needs in order to obtain the services of different institutions can be reduced while service security is ensured, network resources are saved, and the user's operation process is simplified.

Description

Identity authentication method, device, equipment and computer readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an identity authentication method, apparatus, device, and computer readable storage medium.
Background
With the continuous development of technology, more and more institutions gradually move off-line services to on-line, so that users can conveniently perform operations such as service inquiry, service handling and the like at any time and any place. Before each organization provides online service for users, the identities of the users need to be authenticated so as to ensure the service security.
At present, because the identity authentication systems of all institutions are mutually independent, a user is required to fill in a user name and a password respectively on a service platform of each institution to log in so as to finish identity authentication, and further the problems of network resource waste, complex user operation and the like are caused.
Disclosure of Invention
The embodiment of the application provides an identity authentication method, an identity authentication device, identity authentication equipment and a computer readable storage medium, which can reduce the login times required by a user for obtaining different organization services while ensuring the service security, save network resources and simplify the operation process of the user.
In a first aspect, an embodiment of the present application provides an identity authentication method, applied to an identity authentication server, where the method includes:
receiving a service request for a first institution sent by a client, wherein the service request comprises a plurality of tokens, the tokens were distributed to a target user by a plurality of servers that each performed identity authentication on the target user and passed it, and the target user is the user logged in to the client;
matching the plurality of tokens with tokens stored in the blockchain to determine whether the target user is an authenticated user;
in the event that the target user is determined to be an authenticated user, the service request is forwarded to a first server corresponding to the first organization to cause the first server to respond to the service request.
In a second aspect, an embodiment of the present application provides an identity authentication method, applied to a first server, where the method includes:
receiving a service request forwarded by an identity authentication server, wherein the service request comprises a plurality of tokens, the tokens are used for respectively carrying out identity authentication on a target user by the plurality of servers, and the tokens are distributed to the target user under the condition that the identity authentication passes, and the target user is a user logged in a client side which sends the service request to the identity authentication server;
matching the plurality of tokens with tokens stored in the blockchain to determine whether the target user is an authenticated user;
in the event that the target user is determined to be an authenticated user, the service request is responded to.
In a third aspect, an embodiment of the present application provides an identity authentication method, applied to a second server, where the method includes:
receiving user identity information which is acquired by a client and corresponds to a target user;
carrying out identity authentication on the target user according to the user identity information;
in the event that authentication is passed, a second token is assigned to the target user, the second token is sent to the client, and the second token is uploaded to the blockchain, such that servers of other institutions determine whether the target user is an authenticated user based on a plurality of tokens including the second token.
In a fourth aspect, an embodiment of the present application provides an identity authentication device, applied to an identity authentication server, including:
the first receiving module is used for receiving a service request for a first institution sent by the client, wherein the service request comprises a plurality of tokens, the tokens were distributed to a target user by a plurality of servers that each performed identity authentication on the target user and passed it, and the target user is the user logged in to the client;
the first matching module is used for matching the tokens with the tokens stored in the blockchain to determine whether the target user is an authenticated user or not;
and the request forwarding module is used for forwarding the service request to a first server corresponding to the first organization under the condition that the target user is determined to be an authenticated user, so that the first server responds to the service request.
In a fifth aspect, an embodiment of the present application provides an identity authentication device, applied to a first server, where the device includes:
the second receiving module is used for receiving a service request forwarded by the identity authentication server, wherein the service request comprises a plurality of tokens, the tokens are used for respectively carrying out identity authentication on a target user by the plurality of servers, and the tokens are distributed to the target user under the condition that the identity authentication passes, and the target user is a user logged in a client side which sends the service request to the identity authentication server;
the second matching module is used for matching the tokens with the tokens stored in the blockchain to determine whether the target user is an authenticated user or not;
and the service response module is used for responding to the service request under the condition that the target user is determined to be an authenticated user.
In a sixth aspect, an embodiment of the present application provides an identity authentication device, applied to a second server, where the device includes:
the third receiving module is used for receiving user identity information which is acquired by the client and corresponds to the target user;
the first identity authentication module is used for carrying out identity authentication on the target user according to the user identity information;
and the first token distribution module is used for distributing a second token to the target user under the condition that the authentication is passed, sending the second token to the client, and uploading the second token to the blockchain so that a server of other institutions can determine whether the target user is an authenticated user according to a plurality of tokens including the second token.
In a seventh aspect, an embodiment of the present application provides an electronic device, including: a processor and a memory storing computer program instructions;
the steps of the identity authentication method as described in any one of the embodiments of the first aspect are implemented when the computer program instructions are executed by a processor.
In an eighth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the steps of the identity authentication method as described in any one of the embodiments of the first aspect.
According to the identity authentication method, device, equipment and computer readable storage medium, when a service request for the first institution sent by the client is received, the tokens contained in the service request, which were distributed to the target user after a plurality of servers authenticated the target user's identity, are matched with the tokens stored in the blockchain to determine whether the target user is an authenticated user. If the target user is determined to be an authenticated user, the service request is forwarded to the first server corresponding to the first institution, so that the first server responds to the client's service request without the user having to log in to the service platform of the first institution. In this way, the multiple servers have already authenticated the identity of the target user, which provides a reliable identity endorsement for the user, and the blockchain is used to share the tokens obtained by the target user after authentication, so that the user's authentication result can be shared with the other institutions on the chain. The first server can therefore respond to the client's service request without the user logging in to the service platform of the first institution, which reduces the number of logins the user needs to obtain the services of different institutions while ensuring service security, saves network resources, and simplifies the user's operation process.
Drawings
In order to more clearly illustrate the technical solution of the embodiments of the present application, the drawings that are needed to be used in the embodiments of the present application will be briefly described, and it is possible for a person skilled in the art to obtain other drawings according to these drawings without inventive effort.
FIG. 1 is a schematic diagram to which the identity authentication method according to the embodiment of the present application is applied;
FIG. 2 is a flowchart illustrating an embodiment of an authentication method according to the first aspect of the present application;
FIG. 3 is a flowchart illustrating an embodiment of an authentication method according to a second aspect of the present application;
FIG. 4 is a flowchart illustrating an embodiment of an authentication method according to a third aspect of the present application;
FIG. 5 is a flowchart illustrating an embodiment of an authentication method according to an embodiment of the present application;
FIG. 6 is a schematic diagram illustrating the structure of an embodiment of an authentication device according to the first aspect of the present application;
FIG. 7 is a schematic diagram illustrating the structure of an embodiment of an authentication device according to a second aspect of the present application;
FIG. 8 is a schematic diagram illustrating the structure of an embodiment of an authentication device according to a third aspect of the present application;
fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Features and exemplary embodiments of various aspects of the present application will be described in detail below, and in order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail below with reference to the accompanying drawings and the detailed embodiments. It should be understood that the particular embodiments described herein are meant to be illustrative of the application only and not limiting. It will be apparent to one skilled in the art that the present application may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the application by showing examples of the application.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
At present, a user obtains the online services of a plurality of institutions mainly by opening the service platform of each institution separately, entering the user name and password for that platform to log in, and using the corresponding service functions after identity authentication. The user therefore has to log in repeatedly, which wastes network resources and makes the user's operation complex. For example, since the authentication services of different banks cannot be used interchangeably, in an Initial Public Offering (IPO) bank transaction record verification project a user needs to query the account transaction records held at a plurality of banks; with the usual technical implementation the user has to enter a user name and password at each of these banks and log in repeatedly, which makes the user experience very unfriendly.
In order to solve the problems in the prior art, the embodiment of the application provides an identity authentication method, an identity authentication device, identity authentication equipment and a computer readable storage medium. The identity authentication method provided by the application can be applied to the architecture shown in fig. 1, and is specifically described in detail with reference to fig. 1.
Fig. 1 shows a schematic diagram of an example of identity authentication provided by the present application.
As shown in fig. 1, the architecture diagram may include at least one client 10, an authentication server 11, and a plurality of organization servers 12. The authentication server 11 provides a unified service interface for the client 10, through which the client 10 can request services from a plurality of organization servers 12. Wherein, the client 10, the authentication server 11 and the organization server 12 can establish connection and exchange information through a network. In addition, the client 10 may be installed in a device having a communication function, such as a mobile phone, a tablet computer, or an integrated machine, or may be installed in a device simulated by a virtual machine or a simulator. The authentication server 11 and the organization server 12 may be devices having a storage function and a calculation function, such as a cloud server or a server cluster. In addition, the identity authentication server 11 and the plurality of organization servers 12 may be servers on the same blockchain, so that any server of the plurality of organization servers 12 may share the user identity authentication result through the blockchain, and other servers on the chain may verify the user identity through the blockchain.
Here, the plurality of organization servers 12 may include a first server corresponding to a first organization and a second server corresponding to a second organization.
The authentication server 11 may be a server corresponding to the client 10, or may be a server set by a third party organization to provide a unified service interface.
In addition, the identity authentication method provided by the application can be applied to the scene of identity authentication of the user requesting the service, and is introduced by combining the framework and the scene.
Fig. 2 is a schematic flow chart of an embodiment of an identity authentication method according to the present application. The identity authentication method can be applied to an identity authentication server. As shown in fig. 2, the identity authentication method specifically includes the following steps:
S210, receiving a service request for a first institution sent by a client, wherein the service request comprises a plurality of tokens, the tokens were distributed to a target user by a plurality of servers that each performed identity authentication on the target user and passed it, and the target user is the user logged in to the client.
S220, matching the tokens with the tokens stored in the blockchain to determine whether the target user is an authenticated user.
S230, if the target user is determined to be an authenticated user, forwarding the service request to a first server corresponding to the first institution, so that the first server responds to the service request.
In this way, when a service request for a first institution sent by a client is received, the tokens in the service request, which were allocated to the target user after a plurality of servers performed identity authentication on the target user, are matched with the tokens stored in the blockchain to determine whether the target user is an authenticated user. If the target user is determined to be an authenticated user, the service request is forwarded to the first server corresponding to the first institution, so that the first server responds to the client's service request without the user having to log in to the service platform of the first institution. Because the multiple servers have already authenticated the identity of the target user, a reliable identity endorsement is provided for the user, and the blockchain is used to share the tokens obtained by the target user after authentication, so that the user's authentication result can be shared with the other institutions on the chain. The first server can therefore respond to the client's service request without the user logging in to the service platform of the first institution, which reduces the number of logins the user needs to obtain the services of different institutions while ensuring service security, saves network resources, and simplifies the user's operation process.
A specific implementation of each of the above steps is described below.
In some embodiments, in S210, the token (token) may be, for example, a session token returned after the user successfully logs into the corresponding organization service platform. Because each organization is respectively provided with a corresponding server, a user needs to input a user name and a password to log in before the user invokes the service of a certain organization. After the user successfully logs in, the server returns a session token. The session token is valid for a period of time, and the user does not need to log in again when carrying the valid session token to access the service.
For example, when a target user who has logged in to the client needs to request a certain service of the first institution, the tokens distributed by the authentication servers the user has logged in to can be carried in the service request, so that the identity authentication server acts as a relay server: after receiving the request, it can directly verify the identity of the target user through the plurality of carried tokens to confirm whether the target user is an authenticated user.
In some embodiments, the plurality of servers may include an authentication server and a second server corresponding to the second organization, and the plurality of tokens may include a first token assigned by the authentication server and a second token assigned by the second server.
That is, the user completes two identity authentications through two login operations and can then obtain the services of the first institution without logging in again. There may be a plurality of first institutions. Specifically, the identity authentication server and the second server each perform identity authentication on the target user: the identity authentication server distributes a first token to the target user if it passes the target user's identity authentication, and the second server distributes a second token to the target user if it passes the target user's identity authentication. The first token is a credential that the target user has passed the identity authentication of the identity authentication server, and the second token is a credential that the target user has passed the identity authentication of the second server. By means of the first token and the second token, the service of any first institution can be acquired without logging in.
Therefore, with only two login operations the user can obtain the service of any first institution without logging in again, which simplifies the user's operation process and improves the user experience.
In some embodiments, before the step S210, the method may further include:
receiving user identity information which is acquired by the client and corresponds to the target user;
carrying out identity authentication on the target user according to the user identity information;
in the event that authentication passes, a first token is assigned to the target user, the first token is sent to the client, and the first token is uploaded to the blockchain.
Here, before receiving a service request for the first organization sent by the client, two times of identity authentication are required to be performed on the target user, which are respectively the identity authentication of the target user by the identity authentication server and the identity authentication of the target user by the second server.
The identity authentication server can receive user identity information of a target user, authenticate the target user based on the user identity information, if authentication is passed, allocate a first token to the target user, send the first token to the client, and upload the first token to the blockchain. The user identity information may be information capable of uniquely determining the identity of the target user, for example, information filled in by the target user when the client performs real-name authentication, and the user identity information may be used for authenticating the identity of the target user. The first token is distributed to the target user, and the first token is sent to the client, so that the target user can prove that the target user passes the identity authentication of the identity authentication server through the first token. Uploading the first token to the blockchain may enable both the first server and the second server to receive the first token, thereby enabling the first server and the second server to determine whether the target user has passed the authentication of the authentication server based on the first token.
In some specific examples, after the target user logs in the client through the user name and the password, user identity information can be input to perform real-name authentication, the identity authentication server can receive the user identity information and perform real-name authentication, namely identity authentication, on the target user according to the user identity information, after authentication, a first token can be allocated to the target user, the first token is sent to the client, and the first token is uploaded to the blockchain.
In this way, the identity of the target user is authenticated through the user identity information, a first token is distributed to the target user under the condition that the authentication is passed, the first token is sent to the client, and the first token is uploaded to the blockchain, so that the target user can prove that the target user passes the identity authentication of the identity authentication server through the first token, and the first server and the second server can determine whether the target user passes the identity authentication of the identity authentication server according to the first token.
In some embodiments, in S220, since the plurality of servers also upload the tokens to the blockchain when assigning the tokens to the target user, the plurality of tokens are also stored in the blockchain, and the plurality of tokens included in the service request are matched with the tokens stored in the blockchain, it may be determined whether the target user is an authenticated user. Here, the authenticated user may be a user who has been authenticated by the identities of the identity authentication server and the second server.
In some embodiments, the step S220 may include:
matching the second token with tokens stored in the blockchain;
acquiring the user identity information corresponding to the first token when a token matching the second token exists in the blockchain, determining the second institution that distributed the second token, and acquiring the user identity information corresponding to the second token from the second server corresponding to that second institution;
comparing the user identity information corresponding to the first token with the user identity information corresponding to the second token;
under the condition that the user identity information is consistent in comparison, determining that the target user is an authenticated user;
in the event that there is no token in the blockchain that matches the second token, or the user identity information comparison is inconsistent, it is determined that the target user is not an authenticated user.
Here, the second token distributed by the second server is matched with the tokens stored in the blockchain, and if no token matched with the second token exists in the blockchain, it can be determined that the target user is not an authenticated user; if there is a token in the blockchain that matches the second token, then it can be further determined whether the target user is an authenticated user by comparing the user identity information.
Specifically, user identity information corresponding to the first token and user identity information corresponding to the second token may be acquired first. The first token is distributed after the identity authentication server receives the user identity information and passes authentication, so that the user identity information corresponding to the first token is stored in the identity authentication server and can be directly acquired. The second token is distributed after the second server corresponding to the second organization receives the user identity information and passes the authentication, so that the user identity information corresponding to the second token is stored in the second server, the second organization for distributing the second token needs to be determined first, and then the user identity information corresponding to the second token is acquired from the second server corresponding to the second organization. The second token may carry an identity of the second institution, and thus the second institution that assigned the second token may be determined from the second token.
Then, by comparing the user identity information corresponding to the first token with the user identity information corresponding to the second token, it can be judged whether the target user initiating the service request is an impersonator presenting another user's token. If the two pieces of user identity information are consistent, the target user is determined to be an authenticated user; if they are inconsistent, the target user is determined not to be an authenticated user.
In some specific examples, the identity authentication server matches token A, i.e., the second token, with the tokens stored in the blockchain. If there is no token in the blockchain that matches token A, the target user is determined not to be an authenticated user. If there is a token in the blockchain that matches token A, the identity authentication server obtains the user identity information corresponding to token B, i.e., the first token, parses from token A the institution a that distributed token A, i.e., the second institution, and then obtains the user identity information corresponding to token A from institution a. It then compares the user identity information corresponding to token A with that corresponding to token B: if they are consistent, the target user is determined to be an authenticated user; if they are inconsistent, the target user is determined not to be an authenticated user.
In this way, whether the target user is an authenticated user is determined by two checks: whether a token matching the second token exists in the blockchain, and whether the user identity information corresponding to the first token is consistent with that corresponding to the second token. Requiring both checks to pass improves the security of the user's login.
In some embodiments, the second token may be a token obtained by encrypting the original token allocated to the target user by the institution server of the second institution using the public key of the identity authentication server, where the matching the second token with the token stored in the blockchain may include:
decrypting the second token with the private key of the identity authentication server that corresponds to the public key, to obtain the original token;
matching the original token with the tokens stored in the blockchain;
the determining the second mechanism for assigning the second token may include:
a second mechanism for assigning a second token is determined from the original token.
Here, in order to ensure the security of the user information in each organization, to avoid that a certain organization acquires the user information from other organizations by forging the tokens of other organizations, the original tokens assigned to the target users may be encrypted by using the public key of the identity authentication server, so as to obtain the second tokens.
Since the identity authentication server needs to parse from the second token the second institution that distributed it, the second token must first be decrypted. Because the second token was encrypted with the public key of the identity authentication server, only the identity authentication server, which holds the corresponding private key, can decrypt it to obtain the original token; the second institution that distributed the second token is then determined from the original token.
In some specific examples, the identity authentication server may decrypt token A with its private key to obtain the original token C, and parse the institution identifier from the original token C, so as to determine the institution a corresponding to token A according to that institution identifier.
Therefore, because the original token is encrypted before the encrypted second token is uploaded to the blockchain, an institution other than the identity authentication server cannot recover the original token or its institution identifier from the blockchain, and a certain institution can be prevented from acquiring user information from other institutions by forging the tokens of other institutions, so that the information security of each institution is ensured.
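The two checks performed by the identity authentication server, the chain match and the identity comparison, together with the second server's encryption of its original token under the identity authentication server's public key, are worked through in the following added example. It is illustration written for this page, not code from the patent or from China UnionPay, and it also covers the second server's issuing step described in the Fig. 4 embodiment below. It assumes a Python model of the three parties in which the blockchain is a plain set of uploaded tokens, the original token is the institution identifier followed by a colon and a random value, the encrypted second token is the form that is uploaded to the blockchain and matched against it, and public-key encryption is textbook RSA on fixed Mersenne primes so that the block runs with the standard library alone; a deployment would use RSA-OAEP or a hybrid scheme from a vetted library. Decryption uses the identity authentication server's private key, which is what decryption under a public-key scheme requires.

```python
import secrets

# Toy textbook RSA on fixed Mersenne primes, an assumption for illustration only
# (not the patent's scheme): no padding, not secure, stdlib only.
_P = (1 << 89) - 1
_Q = (1 << 107) - 1
_E = 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))      # needs Python 3.8+
IAS_PUBLIC_KEY = (_N, _E)                  # shared with every institution
IAS_PRIVATE_KEY = (_N, _D)                 # held only by the identity authentication server
_BLOCK = (_N.bit_length() + 7) // 8        # ciphertext length in bytes


def rsa_encrypt(public_key, plaintext: bytes) -> bytes:
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too large for this toy modulus")
    return pow(m, e, n).to_bytes(_BLOCK, "big")


def rsa_decrypt(private_key, ciphertext: bytes) -> bytes:
    n, d = private_key
    m = pow(int.from_bytes(ciphertext, "big"), d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


class Ledger:
    """Stand-in for the blockchain: a set of tokens uploaded by the servers."""
    def __init__(self):
        self._tokens = set()
    def upload(self, token: bytes) -> None:
        self._tokens.add(token)
    def contains(self, token: bytes) -> bool:
        return token in self._tokens


class InstitutionServer:
    """Second server: authenticates, assigns original token C, uploads A = Enc_pk(C)."""
    def __init__(self, institution_id: str, ledger: Ledger):
        self.institution_id = institution_id
        self.ledger = ledger
        self._identity_by_original = {}
    def authenticate(self, user_identity: dict) -> bytes:
        # The real-name check of user_identity is assumed to have passed.
        original = f"{self.institution_id}:{secrets.token_hex(8)}".encode("ascii")
        self._identity_by_original[original] = user_identity
        second_token = rsa_encrypt(IAS_PUBLIC_KEY, original)
        self.ledger.upload(second_token)      # the encrypted form goes on chain
        return second_token
    def identity_for(self, original_token: bytes):
        return self._identity_by_original.get(original_token)


class IdentityAuthServer:
    def __init__(self, ledger: Ledger, institutions: dict):
        self.ledger = ledger
        self.institutions = institutions      # institution_id -> InstitutionServer
        self._identity_by_first = {}
    def authenticate(self, user_identity: dict) -> bytes:
        first_token = secrets.token_bytes(16)
        self._identity_by_first[first_token] = user_identity
        self.ledger.upload(first_token)
        return first_token
    def verify_service_request(self, first_token: bytes, second_token: bytes):
        """The S220 checks: returns (is_authenticated, reason)."""
        if not self.ledger.contains(second_token):
            return False, "no token on chain matches the second token"
        identity_b = self._identity_by_first.get(first_token)
        if identity_b is None:
            return False, "first token was not issued by this server"
        try:
            original = rsa_decrypt(IAS_PRIVATE_KEY, second_token)   # private key, not public
            institution_id, _ = original.decode("ascii").split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return False, "second token does not decrypt to a well-formed original token"
        institution = self.institutions.get(institution_id)
        if institution is None:
            return False, f"unknown institution {institution_id!r}"
        identity_a = institution.identity_for(original)
        if identity_a is None:
            return False, "institution has no record of the original token"
        if identity_a != identity_b:
            return False, "identity mismatch: the two tokens were issued to different users"
        return True, "authenticated"


def demo():
    ledger = Ledger()
    bank_a = InstitutionServer("bank_a", ledger)
    ias = IdentityAuthServer(ledger, {"bank_a": bank_a})
    alice = {"name": "Alice", "id_number": "A-0001"}        # constructed sample data
    mallory = {"name": "Mallory", "id_number": "M-0002"}
    alice_b = ias.authenticate(alice)
    alice_a = bank_a.authenticate(alice)
    mallory_b = ias.authenticate(mallory)
    return {
        "legitimate": ias.verify_service_request(alice_b, alice_a),
        # Mallory copies Alice's on-chain second token and pairs it with her own first token
        "replayed_second_token": ias.verify_service_request(mallory_b, alice_a),
        # a second token that no institution ever uploaded
        "forged_second_token": ias.verify_service_request(
            alice_b, rsa_encrypt(IAS_PUBLIC_KEY, b"bank_a:0000000000000000")),
    }
```

Running demo() shows the legitimate request accepted, a request that pairs another user's on-chain second token with the caller's own first token rejected by the identity comparison, and a second token that no institution uploaded rejected by the chain match. The identity comparison is what defeats the replay: the copied token is on chain and decrypts correctly, so only the binding to the first token's user catches it.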
In some embodiments, in S230, the first institution may be an institution from which the user wants to obtain a service, and if the identity authentication server determines that the target user is an authenticated user, the service request may be forwarded to a first server corresponding to the first institution, so that the first server responds to the service request. The first institution and the second institution may each be a bank. The service request may be a request to query the account transaction flow at the first institution, a request to query the account balance or bank card number, or another request, which is not limited here.
In some embodiments, after S230 above, the method may further include:
receiving an identity information acquisition request sent by a first server;
responding to the identity information acquisition request, and transmitting user identity information corresponding to the target user to a first server so that the first server responds to the service request according to the user identity information to generate response information;
Receiving response information returned by the first server;
and forwarding the response information to the client.
Here, after the identity authentication server determines that the target user is an authenticated user and forwards the service request to the first server, the first server needs the user identity information in order to generate response information, and therefore sends an identity information acquisition request to the identity authentication server. After receiving that request, the identity authentication server responds by sending the user identity information corresponding to the target user to the first server. The first server then generates response information from the user identity information in response to the service request and sends it to the identity authentication server, which forwards it to the client for display to the target user.
In some specific examples, after determining that the target user is an authenticated user, the identity authentication server forwards a service request for querying the account balance to a first server. The first server sends an identity information acquisition request for the user identity information of the target user to the identity authentication server; after receiving it, the identity authentication server responds by sending the user identity information corresponding to the target user to the first server. The first server responds to the service request according to the user identity information and generates response information such as "account balance: 3500", then sends the response information to the identity authentication server, which forwards it to the client for display to the target user.
Therefore, through this process the target user obtains the service of the first server without having to log in to the service platform corresponding to the first institution, which simplifies the user's operation.
Fig. 3 is a schematic flow chart of an embodiment of an identity authentication method provided by the present application. The identity authentication method can be applied to the first server.
As shown in fig. 3, the identity authentication method specifically includes the following steps:
s310, receiving a service request forwarded by an identity authentication server, wherein the service request comprises a plurality of tokens, the tokens are assigned to a target user by a plurality of servers, each after it authenticates the target user and the authentication passes, and the target user is a user logged in at a client which sends the service request to the identity authentication server;
s320, matching the tokens with the tokens stored in the blockchain to determine whether the target user is an authenticated user;
s330, responding to the service request in the case that the target user is determined to be the authenticated user.
After the service request forwarded by the identity authentication server is received, the plurality of tokens included in it, which a plurality of servers respectively assigned to the target user after authenticating the target user, are matched with the tokens stored in the blockchain, so as to determine whether the target user is an authenticated user, and the service request is responded to when the target user is determined to be an authenticated user. Because the plurality of servers have authenticated the identity of the target user, a reliable identity endorsement is provided for the user, and because the blockchain is used to share the tokens obtained by the target user after passing identity authentication, the identity authentication result of the user can be shared with other institutions on the chain. The first server can therefore respond to the client's service request without the user having to log in to the service platform of the first institution, so that the number of logins required for the user to obtain services from different institutions is reduced while service security is ensured, network resources are saved, and the user's operation is simplified.
A specific implementation of each of the above steps is described below.
In some embodiments, in S310, the authentication server forwards the service request to the first server upon determining that the target user is an authenticated user, the first server receiving the service request forwarded by the authentication server.
In some embodiments, the plurality of servers may include an authentication server and a second server corresponding to the second organization, and the plurality of tokens may include a first token assigned by the authentication server and a second token assigned by the second server.
That is, the user completes two identity authentications through two login operations, and can then obtain the service of the first institution without a further login. There may be more than one first institution. Specifically, the identity authentication server and the second server each authenticate the target user: the identity authentication server assigns a first token to the target user when its authentication of the target user passes, and the second server assigns a second token to the target user when its authentication of the target user passes. The first token may serve as a credential that the target user has been authenticated by the identity authentication server, and the second token as a credential that the target user has been authenticated by the second server. With the first token and the second token, the service of any first institution can be obtained without logging in.
Therefore, the user can obtain the service of any first mechanism under the condition of no login only by two login operations, the user operation process is simplified, and the user experience is improved.
In some embodiments, in S320, after the authentication server completes the authentication of the target user, the first server also needs to authenticate the target user. Since the multiple servers also upload tokens to the blockchain when assigning tokens to target users, the multiple tokens are also stored in the blockchain. The first server may determine whether the target user is an authenticated user by matching a plurality of tokens included in the service request, that is, the first token and the second token, with tokens stored in the blockchain after receiving the service request forwarded by the authentication server.
In some embodiments, the step S320 may include:
matching the first token and the second token with tokens stored in the blockchain respectively;
determining that the target user is an authenticated user in the case that a token matching the first token exists in the blockchain and a token matching the second token exists in the blockchain;
In the event that there is no token in the blockchain that matches the first token or there is no token that matches the second token, it is determined that the target user is not an authenticated user.
Here, if the blockchain contains both a token matching the first token and a token matching the second token, the target user may be determined to be an authenticated user; if there is no token in the blockchain matching the first token, or none matching the second token, the target user may be determined not to be an authenticated user.
Thus, through the above-mentioned process, the confirmation of whether the target user is an authenticated user by the first server can be completed, so that it can be confirmed whether to respond to the service request of the target user.
In some embodiments, in S330, if the target user is an authenticated user, the service request is responded to. The explanation of the authenticated user and the service request can be found in the related expressions in the foregoing embodiments, and for brevity, the description is omitted here.
In some embodiments, the step S330 may include:
sending an identity information acquisition request to an identity authentication server;
receiving user identity information corresponding to a target user, which is sent by an identity authentication server;
Responding to the service request according to the user identity information, and generating response information;
and sending the response information to the identity authentication server so that the identity authentication server forwards the response information to the client.
Here, reference may be made to the related descriptions in the foregoing embodiments, and for brevity the description is omitted here.
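The first server's two steps, re-matching both tokens against the blockchain and then pulling the user identity information from the identity authentication server before answering, are shown in the following added example. It is illustration written for this page, not code from the patent or from China UnionPay. It assumes a toy model in which the blockchain is a set of uploaded tokens, the second token is an opaque value the second server has already uploaded, the identity authentication server's own check in S220 has already passed before it forwards, the service request is a dict carrying the two tokens and an action name, and the first institution's accounts are a constructed table keyed by the identity number that the identity authentication server returns.

```python
import secrets


class Ledger:
    """Stand-in for the blockchain: a set of tokens uploaded by the servers."""
    def __init__(self):
        self._tokens = set()
    def upload(self, token: bytes) -> None:
        self._tokens.add(token)
    def contains(self, token: bytes) -> bool:
        return token in self._tokens


class IdentityAuthServer:
    """Only the parts of the identity authentication server the first server talks to."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self._identity_by_first = {}
    def issue_first_token(self, user_identity: dict) -> bytes:
        token = secrets.token_bytes(16)
        self._identity_by_first[token] = user_identity
        self.ledger.upload(token)
        return token
    def handle_identity_info_request(self, first_token: bytes):
        # Answers the first server's identity information acquisition request (S330).
        return self._identity_by_first.get(first_token)
    def forward(self, first_server, request: dict) -> dict:
        # S230 on this side: pass the request on, relay the reply back to the client.
        return first_server.handle_service_request(self, request)


class FirstServer:
    def __init__(self, ledger: Ledger, accounts: dict):
        self.ledger = ledger
        self.accounts = accounts          # id_number -> balance (constructed sample data)
    def handle_service_request(self, ias: IdentityAuthServer, request: dict) -> dict:
        first, second = request["first_token"], request["second_token"]
        # S320: re-check both tokens on chain rather than trusting the forward alone.
        if not self.ledger.contains(first):
            return {"status": "rejected", "reason": "first token not on chain"}
        if not self.ledger.contains(second):
            return {"status": "rejected", "reason": "second token not on chain"}
        # S330: the request carries no identity fields; pull them from the IAS.
        identity = ias.handle_identity_info_request(first)
        if identity is None:
            # On chain, but not a first token this IAS issued (e.g. some other server's token)
            return {"status": "rejected", "reason": "identity authentication server has no record of first token"}
        if request["action"] != "balance":
            return {"status": "rejected", "reason": "unsupported action"}
        balance = self.accounts.get(identity["id_number"])
        if balance is None:
            return {"status": "rejected", "reason": "no account at this institution"}
        return {"status": "ok", "account balance": balance}


def demo():
    ledger = Ledger()
    ias = IdentityAuthServer(ledger)
    first_server = FirstServer(ledger, {"A-0001": 3500})
    alice_first = ias.issue_first_token({"name": "Alice", "id_number": "A-0001"})
    alice_second = secrets.token_bytes(25)      # opaque encrypted second token
    ledger.upload(alice_second)                 # uploaded by the second server earlier
    other_servers_token = secrets.token_bytes(16)
    ledger.upload(other_servers_token)          # on chain, but not issued by the IAS
    def req(first, second):
        return {"first_token": first, "second_token": second, "action": "balance"}
    return {
        "ok": ias.forward(first_server, req(alice_first, alice_second)),
        "second_not_on_chain": ias.forward(first_server, req(alice_first, secrets.token_bytes(25))),
        "first_on_chain_but_not_ias": ias.forward(first_server, req(other_servers_token, alice_second)),
    }
```

The third case in demo() is the one the prose does not spell out: because every server uploads to the same chain, a token being present there says only that some server issued it, so the first server's chain match must be followed by the identity lookup at the identity authentication server before an account is touched.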
Fig. 4 is a schematic flow chart of an embodiment of an identity authentication method provided by the present application. The identity authentication method can be applied to the second server.
As shown in fig. 4, the identity authentication method specifically includes the following steps:
s410, receiving user identity information which is acquired by a client and corresponds to a target user;
s420, carrying out identity authentication on the target user according to the user identity information;
and S430, in the case that the authentication is passed, a second token is allocated for the target user, the second token is sent to the client, and the second token is uploaded to the blockchain, so that a server of other institutions determines whether the target user is an authenticated user according to a plurality of tokens including the second token.
Therefore, by receiving the user identity information corresponding to the target user acquired by the client and carrying out identity authentication on the target user according to the user identity information, under the condition that authentication is passed, a second token is distributed to the target user, the second token is sent to the client, and the second token is uploaded to the blockchain, the server of other institutions can determine whether the target user is an authenticated user according to a plurality of tokens including the second token, and further under the condition that the user does not need to log on a service platform of other institutions, the response of the server of other institutions to the service request of the client is realized, so that the login times required by the user for acquiring services of different institutions are reduced while the business security is ensured, network resources are saved, and the operation process of the user is simplified.
A specific implementation of each of the above steps is described below.
In some embodiments, in S410, S420, and S430, before receiving the service request for the first organization sent by the client, the target user needs to be authenticated twice, which is respectively the authentication of the target user by the authentication server and the authentication of the target user by the second server.
The second server may receive user identity information of the target user, authenticate the target user based on the user identity information, and if authentication is passed, assign a second token to the target user, send the second token to the client, and upload the second token to the blockchain. The user identity information may be information capable of uniquely determining the identity of the target user, for example, information filled in by the target user when the client performs real-name authentication, and the user identity information may be used for authenticating the identity of the target user. The second token is distributed to the target user, and the second token is sent to the client, so that the target user can prove that the target user passes the identity authentication of the second server through the second token. Uploading the second token to the blockchain may cause a server of the other organization to determine whether the target user is an authenticated user based on the plurality of tokens including the second token.
In some specific examples, after the target user logs in the client through the user name and the password, user identity information can be input to perform real-name authentication, the second server can receive the user identity information and perform real-name authentication, namely identity authentication, on the target user according to the user identity information, after authentication, a second token can be allocated to the target user, the second token is sent to the client, and the second token is uploaded to the blockchain.
In some embodiments, the step S430 may specifically include:
assigning an original token to the target user;
and encrypting the original token by using the public key of the identity authentication server to obtain a second token.
Here, in order to ensure the security of the user information in each organization, to avoid that a certain organization acquires the user information from other organizations by forging the tokens of other organizations, the original tokens assigned to the target users may be encrypted by using the public key of the identity authentication server, so as to obtain the second tokens.
In some specific examples, the second server may assign a token C, i.e. the original token, to the target user, and encrypt the token C with the public key of the authentication server to obtain a token a, i.e. the second token.
Therefore, the original token is encrypted, and after the encrypted second token is uploaded to the blockchain, a certain organization can be prevented from acquiring user information from other organizations by forging the tokens of other organizations, so that the information security of each organization is ensured.
In order to better describe the whole solution, a specific example is given based on the above embodiments.
As shown in fig. 5, a target user inputs a user name and a password registered in an identity authentication server at a client to log in, inputs user identity information to perform real-name authentication, and after receiving the user identity information, the identity authentication server performs identity authentication on the target user according to the user identity information, distributes a first token for the target user after passing the authentication, sends the first token to the client, and uploads the first token to a blockchain.
And then, the target user selects a second mechanism at the client, so as to jump to a login interface of the second mechanism, the target user inputs a user name and a password registered at a second server at the client to log in, inputs user identity information to carry out real-name authentication, the second server receives the user identity information and carries out identity authentication on the target user according to the user identity information, a second token is distributed to the target user after the authentication is passed and is sent to the client, and the second token is uploaded to a blockchain and is an encrypted token.
After the two times of identity authentication are completed, the target user can send a service request for the first mechanism to the identity authentication server through the client, the identity authentication server matches the second token with the tokens stored in the blockchain, if the tokens matched with the second token exist in the blockchain, the user identity information corresponding to the first token and the user identity information corresponding to the second token are obtained, the user identity information corresponding to the first token and the user identity information corresponding to the second token are compared, and if the comparison is consistent, the target user is determined to be an authenticated user. After the target user is determined to be the authenticated user, the identity authentication server forwards the service request to a first server corresponding to the first organization, the first server respectively matches the first token and the second token with tokens stored in the blockchain, and if the blockchain has both the tokens matched with the first token and the tokens matched with the second token, the target user is determined to be the authenticated user. Then, the first server sends an identity information acquisition request to the identity authentication server, the identity authentication server responds to the identity information acquisition request and sends user identity information corresponding to the target user to the first server, the first server responds to the service request according to the user identity information, after response information is generated, the response information is sent to the identity authentication server, and the identity authentication server forwards the response information to the client and displays the response information to the user.
Based on the method, the multiple servers perform authentication on the identity of the target user, a reliable identity endorsement is provided for the user, and the block chain is utilized to share the token obtained by the target user after the identity authentication is passed, so that the identity authentication result of the user can be shared with other institutions on the chain, and further, the response of the first server to the client service request is realized under the condition that the user does not need to log on the service platform of the first institution, thereby realizing the purpose of reducing the login times required by the user to obtain different institution services while ensuring the service security, saving network resources and simplifying the user operation process.
It should be noted that, the application scenario described in the foregoing embodiment of the present application is for more clearly describing the technical solution of the embodiment of the present application, and does not constitute a limitation on the technical solution provided by the embodiment of the present application, and as a person of ordinary skill in the art can know, with the appearance of a new application scenario, the technical solution provided by the embodiment of the present application is also applicable to similar technical problems.
Based on the same inventive concept, the application also provides an identity authentication device. This is described in detail with reference to fig. 6.
Fig. 6 is a schematic structural diagram of an embodiment of an identity authentication device according to the present application. The identity authentication device can be applied to an identity authentication server.
As shown in fig. 6, the identity authentication device 600 may include:
the first receiving module 601 is configured to receive a service request for a first institution sent by a client, where the service request includes a plurality of tokens, the plurality of tokens are tokens that a plurality of servers respectively assign to a target user after each of them authenticates the target user and the authentication passes, and the target user is a user logged in at the client;
a first matching module 602, configured to match the plurality of tokens with tokens stored in the blockchain, and determine whether the target user is an authenticated user;
the request forwarding module 603 is configured to forward, in a case where the target user is determined to be an authenticated user, the service request to a first server corresponding to the first organization, so that the first server responds to the service request.
The identity authentication device 600 will be described in detail below, and is specifically as follows:
in some of these embodiments, the plurality of servers includes an authentication server and a second server corresponding to the second organization, and the plurality of tokens includes a first token assigned by the authentication server and a second token assigned by the second server.
In some of these embodiments, the identity authentication device 600 further includes:
the fourth receiving module is used for receiving user identity information which is acquired by the client and corresponds to the target user before receiving the service request which is sent by the client and aims at the first mechanism;
the second identity authentication module is used for carrying out identity authentication on the target user according to the user identity information;
and the second token distribution module is used for distributing a first token to the target user under the condition that the authentication is passed, sending the first token to the client, and uploading the first token to the blockchain.
In some of these embodiments, the first matching module 602 includes:
the first matching submodule is used for matching the second token with the tokens stored in the blockchain;
the acquisition sub-module is used for acquiring the user identity information corresponding to the first token under the condition that the token matched with the second token exists in the blockchain, determining a second mechanism for distributing the second token and acquiring the user identity information corresponding to the second token from a second server corresponding to the second mechanism;
the comparison sub-module is used for comparing the user identity information corresponding to the first token with the user identity information corresponding to the second token;
The first determining submodule is used for determining that the target user is an authenticated user under the condition that the user identity information is consistent in comparison;
and the second determining submodule is used for determining that the target user is not an authenticated user in the case that no token matched with the second token exists in the blockchain or the user identity information is inconsistent in comparison.
In some embodiments, the second token is a token obtained by encrypting the original token assigned to the target user by the institution server of the second institution using the public key of the identity authentication server; the first matching submodule includes:
the decryption unit is used for decrypting the second token by utilizing the public key to obtain an original token;
the matching unit is used for matching the original token with the tokens stored in the blockchain;
the acquisition submodule comprises:
and the determining unit is used for determining a second mechanism for distributing the second token according to the original token.
In some of these embodiments, the identity authentication device 600 further includes:
a fifth receiving module, configured to receive an identity information obtaining request sent by a first server after forwarding a service request to the first server corresponding to the first mechanism;
the sending module is used for responding to the identity information acquisition request and sending the user identity information corresponding to the target user to the first server so that the first server responds to the service request according to the user identity information and generates response information;
The sixth receiving module is used for receiving response information returned by the first server;
and the response information forwarding module is used for forwarding the response information to the client.
In this way, when a service request for a first institution sent by a client is received, the plurality of tokens included in it, which a plurality of servers respectively assigned to the target user after authenticating the target user, are matched with the tokens stored in the blockchain, so as to determine whether the target user is an authenticated user; when the target user is determined to be an authenticated user, the service request is forwarded to a first server corresponding to the first institution, so that the first server responds to the client's service request without the user having to log in to the service platform of the first institution. Because multiple servers have authenticated the identity of the target user, a reliable identity endorsement is provided for the user, and because the blockchain is used to share the tokens obtained by the target user after passing identity authentication, the identity authentication result of the user can be shared with other institutions on the chain. Therefore, the number of logins required for the user to obtain services from different institutions is reduced while service security is ensured, network resources are saved, and the user's operation is simplified.
Fig. 7 is a schematic structural diagram of an embodiment of an identity authentication device according to the present application. The identity authentication device can be applied to a first server.
As shown in fig. 7, the identity authentication device 700 may include:
the second receiving module 701 is configured to receive a service request forwarded by the identity authentication server, where the service request includes a plurality of tokens, each assigned to a target user by one of a plurality of servers after that server authenticated the user's identity and the authentication passed, and the target user is the user logged in to the client that sent the service request to the identity authentication server;
a second matching module 702, configured to match the plurality of tokens with tokens stored in the blockchain, and determine whether the target user is an authenticated user;
a service response module 703, configured to respond to the service request if it is determined that the target user is an authenticated user.
The identity authentication device 700 is described in detail below:
In some of these embodiments, the plurality of servers includes the identity authentication server and a second server corresponding to a second institution, and the plurality of tokens includes a first token assigned by the identity authentication server and a second token assigned by the second server.
In some of these embodiments, the second matching module 702 includes:
the second matching submodule is used for matching the first token and the second token respectively with the tokens stored in the blockchain;
the third determining submodule is configured to determine that the target user is an authenticated user when the blockchain contains both a token matching the first token and a token matching the second token;
the fourth determining submodule is configured to determine that the target user is not an authenticated user when the blockchain contains no token matching the first token or no token matching the second token.
In some of these embodiments, the service response module 703 includes:
the first sending submodule is used for sending an identity information acquisition request to the identity authentication server;
the receiving sub-module is used for receiving user identity information corresponding to the target user and sent by the identity authentication server;
the generating sub-module is used for responding to the service request according to the user identity information and generating response information;
and the second sending sub-module is used for sending the response information to the identity authentication server so that the identity authentication server forwards the response information to the client.
After the service request forwarded by the identity authentication server is received, the tokens it carries (assigned to the target user by a plurality of servers, each after authenticating the user's identity) are matched against the tokens stored in the blockchain to determine whether the target user is an authenticated user, and the service request is answered when the target user is determined to be an authenticated user. Because multiple servers have authenticated the target user, the user carries a reliable identity endorsement, and because the blockchain shares the tokens obtained once authentication passed, the authentication result can be shared with other institutions on the chain. The first server can therefore respond to the client's service request without the user logging in to the first institution's service platform: the number of logins needed to obtain services from different institutions is reduced while service security is maintained, network resources are saved, and the user's operation flow is simplified.
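The two token checks described above, the first server's check that both tokens are on the chain (claim 9) and the identity authentication server's cross-check that the institution which issued the second token bound it to the same identity as the first token (claim 4), written out as an added Go example. This is not code from the patent or from China UnionPay: the in-memory `Ledger` standing in for the blockchain, the `IdentityInfo` shape, the `InstitutionServer` query interface and every token string are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// IdentityInfo is the user identity information a server records for the user
// it assigned a token to (constructed shape; the page does not fix one).
type IdentityInfo struct {
	Name  string
	IDNum string
}

// Ledger stands in for the blockchain token store: token -> issuing
// institution. The on-chain record format is an assumption of this example.
type Ledger map[string]string

// ServiceRequest carries the first token (assigned by the identity
// authentication server) and the second token (assigned by the second server).
type ServiceRequest struct {
	FirstToken  string
	SecondToken string
}

// InstitutionServer is the hypothetical query a second server answers:
// which identity did it bind to a token it issued.
type InstitutionServer interface {
	IdentityForToken(token string) (IdentityInfo, error)
}

// memServer is an in-memory InstitutionServer for the demonstration.
type memServer map[string]IdentityInfo

func (m memServer) IdentityForToken(token string) (IdentityInfo, error) {
	id, ok := m[token]
	if !ok {
		return IdentityInfo{}, errors.New("token not issued here")
	}
	return id, nil
}

// VerifyAtFirstServer is the first server's check (claim 9): authenticated only
// if both tokens are present on the chain. The reason string is for the audit log.
func VerifyAtFirstServer(ledger Ledger, req ServiceRequest) (bool, string) {
	if _, ok := ledger[req.FirstToken]; !ok {
		return false, "first token not on chain"
	}
	if _, ok := ledger[req.SecondToken]; !ok {
		return false, "second token not on chain"
	}
	return true, "both tokens on chain"
}

// VerifyAtAuthServer is the identity authentication server's check (claim 4):
// the second token must be on the chain; the institution that issued it is read
// from the chain record and asked which identity it bound to the token; that
// identity must equal the one the authentication server itself bound to the
// first token (firstIdentity).
func VerifyAtAuthServer(ledger Ledger, req ServiceRequest, firstIdentity IdentityInfo,
	servers map[string]InstitutionServer) (bool, string) {
	inst, ok := ledger[req.SecondToken]
	if !ok {
		return false, "second token not on chain"
	}
	srv, ok := servers[inst]
	if !ok {
		return false, "no server known for institution " + inst
	}
	secondIdentity, err := srv.IdentityForToken(req.SecondToken)
	if err != nil {
		return false, "institution " + inst + " rejected the token: " + err.Error()
	}
	if secondIdentity != firstIdentity {
		return false, "the two tokens are bound to different identities"
	}
	return true, "both tokens bound to the same identity"
}

// demoSetup builds constructed sample data: two users, each holding a first
// token from the authentication server ("AUTH") and a second token from
// institution "B". Token strings are placeholders, not a real token format.
func demoSetup() (Ledger, map[string]InstitutionServer, map[string]IdentityInfo) {
	alice := IdentityInfo{Name: "Alice Example", IDNum: "ID-0001"}
	bob := IdentityInfo{Name: "Bob Example", IDNum: "ID-0002"}
	ledger := Ledger{
		"auth-tok-alice": "AUTH", "instB-tok-alice": "B",
		"auth-tok-bob": "AUTH", "instB-tok-bob": "B",
	}
	servers := map[string]InstitutionServer{
		"B": memServer{"instB-tok-alice": alice, "instB-tok-bob": bob},
	}
	first := map[string]IdentityInfo{"auth-tok-alice": alice, "auth-tok-bob": bob}
	return ledger, servers, first
}

func main() {
	ledger, servers, first := demoSetup()
	cases := []ServiceRequest{
		{"auth-tok-alice", "instB-tok-alice"}, // genuine pair
		{"auth-tok-alice", "instB-tok-bob"},   // tokens of two different users
		{"auth-tok-alice", "never-uploaded"},  // second token not on the chain
	}
	for _, req := range cases {
		ok1, why1 := VerifyAtFirstServer(ledger, req)
		ok2, why2 := VerifyAtAuthServer(ledger, req, first[req.FirstToken], servers)
		fmt.Printf("%+v\n  first server: %v (%s)\n  auth server:  %v (%s)\n", req, ok1, why1, ok2, why2)
	}
}
```

The second case is the one worth noticing in a review: a presence-only check accepts any pair of tokens that both exist on the chain, even when they were issued to two different users, whereas the identity comparison recited in claim 4 rejects that pairing. A deployment that relies on the first server's check alone should therefore make sure the identity authentication server's cross-check has already run on the same request.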
Fig. 8 is a schematic structural diagram of an embodiment of an identity authentication device according to the present application. The identity authentication device can be applied to a second server.
As shown in fig. 8, the identity authentication device 800 may include:
a third receiving module 801, configured to receive user identity information corresponding to a target user, where the user identity information is collected by a client;
a first identity authentication module 802, configured to perform identity authentication on a target user according to user identity information;
the first token allocation module 803 is configured to, when authentication passes, allocate a second token to the target user, send the second token to the client, and upload the second token to the blockchain, so that the servers of other institutions can determine whether the target user is an authenticated user from a plurality of tokens that includes the second token.
The identity authentication device 800 is described in detail below:
in some of these embodiments, the first token assignment module 803 includes:
the allocation submodule is used for allocating an original token to the target user;
and the encryption submodule is used for encrypting the original token with the public key of the identity authentication server to obtain the second token.
In this way, the user identity information of the target user collected by the client is received, the target user is authenticated according to it, and, when authentication passes, a second token is allocated to the target user, sent to the client and uploaded to the blockchain. The servers of other institutions can then determine whether the target user is an authenticated user from a plurality of tokens that includes the second token, and can respond to the client's service request without the user logging in to their service platforms: the number of logins needed to obtain services from different institutions is reduced while service security is maintained, network resources are saved, and the user's operation flow is simplified.
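An added Go example of the original-token / second-token relation just described (allocation submodule, encryption submodule) and of the recovery step in claim 5, where the identity authentication server opens the second token, matches the original token against the chain and determines which institution assigned it. It is not the patent's code. Claim 5 speaks of decrypting with "the public key"; this example assumes the usual arrangement in which the institution encrypts under the authentication server's RSA public key and the authentication server decrypts with its matching private key (RSA-OAEP with SHA-256 from Go's standard library). The institution-code prefix on the original token, the chain as an in-memory set of original tokens, the OAEP label and the 2048-bit keys are all assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// oaepLabel is bound into every encryption; fixed here for the example only.
var oaepLabel = []byte("second-token")

// NewOriginalToken allocates the original token for the target user at the
// second institution. The institution-code prefix lets the authentication
// server later tell which institution assigned it (claim 5); the page does
// not say how that is determined, so the prefix is an assumption.
func NewOriginalToken(institution string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return institution + ":" + hex.EncodeToString(buf), nil
}

// WrapToken is the encryption submodule: the original token encrypted under
// the identity authentication server's RSA public key, base64-encoded for
// transport. The result is the second token.
func WrapToken(original string, authPub *rsa.PublicKey) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, authPub, []byte(original), oaepLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// UnwrapToken runs at the identity authentication server: it opens the second
// token with the server's private key to recover the original token.
func UnwrapToken(second string, authPriv *rsa.PrivateKey) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(second)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, authPriv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ResolveIssuer is the matching step of claim 5: recover the original token,
// require it to be on the chain (a set of the original tokens institutions
// uploaded), then read the issuing institution from it.
func ResolveIssuer(second string, authPriv *rsa.PrivateKey, chain map[string]bool) (string, error) {
	original, err := UnwrapToken(second, authPriv)
	if err != nil {
		return "", fmt.Errorf("second token cannot be opened: %w", err)
	}
	if !chain[original] {
		return "", errors.New("original token is not on the chain")
	}
	i := strings.IndexByte(original, ':')
	if i <= 0 {
		return "", errors.New("original token carries no institution code")
	}
	return original[:i], nil
}

// RunScenario performs one issuance at institution B and three resolutions at
// the authentication server: a genuine second token, one wrapped under a key
// that is not the authentication server's, and one never uploaded to the chain.
func RunScenario() (issuer string, wrongKeyErr, offChainErr, err error) {
	authKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, nil, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key pair
	if err != nil {
		return "", nil, nil, err
	}
	chain := map[string]bool{}
	original, err := NewOriginalToken("B") // institution B allocates the original token,
	if err != nil {
		return "", nil, nil, err
	}
	chain[original] = true                                 // uploads it to the chain,
	second, err := WrapToken(original, &authKey.PublicKey) // and hands out the second token
	if err != nil {
		return "", nil, nil, err
	}
	issuer, err = ResolveIssuer(second, authKey, chain) // authentication server side
	if err != nil {
		return "", nil, nil, err
	}
	underOtherKey, _ := WrapToken(original, &otherKey.PublicKey)
	_, wrongKeyErr = ResolveIssuer(underOtherKey, authKey, chain)
	neverUploaded, _ := NewOriginalToken("B")
	notOnChain, _ := WrapToken(neverUploaded, &authKey.PublicKey)
	_, offChainErr = ResolveIssuer(notOnChain, authKey, chain)
	return issuer, wrongKeyErr, offChainErr, nil
}

func main() {
	issuer, wrongKeyErr, offChainErr, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer of the second token:", issuer)
	fmt.Println("second token wrapped under another key:", wrongKeyErr)
	fmt.Println("original token never uploaded:", offChainErr)
}
```

Because the chain is consulted with the recovered original token rather than the ciphertext, a second token that merely decrypts is not enough: the institution must actually have uploaded the corresponding original token, and the failure reasons returned by `ResolveIssuer` distinguish that case from a token that was never encrypted for this authentication server.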
Fig. 9 is a schematic diagram of a hardware structure of an embodiment of an electronic device according to the present application.
The electronic device 900 may include a processor 901 and a memory 902 in which computer program instructions are stored.
In particular, the processor 901 may include a Central Processing Unit (CPU), or an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or may be configured as one or more integrated circuits that implement embodiments of the present application.
Memory 902 may include mass storage for data or instructions. By way of example, and not limitation, the memory 902 may comprise a hard disk drive (HDD), floppy disk drive, flash memory, optical disk, magneto-optical disk, magnetic tape, or universal serial bus (USB) drive, or a combination of two or more of the foregoing. The memory 902 may include removable or non-removable (or fixed) media, where appropriate. The memory 902 may be internal or external to the integrated gateway disaster recovery device, where appropriate. In a particular embodiment, the memory 902 is a non-volatile solid state memory.
The memory may include read-only memory (ROM), random access memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, or electrical, optical, or other physical/tangible memory storage devices. Thus, in general, the memory includes one or more tangible (non-transitory) computer-readable storage media (e.g., memory devices) encoded with software comprising computer-executable instructions, and when the software is executed (e.g., by one or more processors) it is operable to perform the operations described with reference to a method in accordance with an aspect of the application.
The processor 901 implements any one of the authentication methods of the above embodiments by reading and executing the computer program instructions stored in the memory 902.
In some examples, the electronic device 900 may also include a communication interface 903 and a bus 904. As shown in fig. 9, the processor 901, the memory 902, and the communication interface 903 are connected to each other via the bus 904 and communicate with each other.
The communication interface 903 is mainly used to implement communication between modules, devices, units, and/or apparatuses in an embodiment of the present application.
Bus 904 includes hardware, software, or both, coupling the components of the online data flow billing device to each other. By way of example, and not limitation, bus 904 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or other suitable bus, or a combination of two or more of the above. Bus 904 may include one or more buses, where appropriate. Although embodiments of the application have been described and illustrated with respect to a particular bus, the application contemplates any suitable bus or interconnect.
By way of example, the electronic device 900 may be a cell phone, tablet, notebook, palmtop, in-vehicle electronic device, ultra-mobile personal computer (UMPC), netbook, personal digital assistant (PDA), or the like.
The electronic device 900 may perform the authentication method in the embodiment of the present application, thereby implementing the authentication method and apparatus described in connection with fig. 1 and 8.
In addition, in combination with the identity authentication method in the above embodiment, the embodiment of the present application may be implemented by providing a computer readable storage medium. The computer readable storage medium has stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement any of the identity authentication methods of the above embodiments. Examples of computer readable storage media include non-transitory computer readable storage media such as portable disks, hard disks, random access memories (RAMs), read-only memories (ROMs), erasable programmable read-only memories (EPROM or flash memories), portable compact disk read-only memories (CD-ROMs), optical storage devices, magnetic storage devices, and the like.
It should be understood that the application is not limited to the particular arrangements and instrumentality described above and shown in the drawings. For the sake of brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present application are not limited to the specific steps described and shown, and those skilled in the art can make various changes, modifications and additions, or change the order between steps, after appreciating the spirit of the present application.
The functional blocks shown in the above-described structural block diagrams may be implemented in hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an application specific integrated circuit (ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the application are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine readable medium or transmitted over transmission media or communication links by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium that can store or transfer information. Examples of machine-readable media include electronic circuitry, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, and the like. The code segments may be downloaded via computer networks such as the internet, intranets, etc.
It should also be noted that the exemplary embodiments mentioned in this disclosure describe some methods or systems based on a series of steps or devices. However, the present application is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, or may be performed in a different order from the order in the embodiments, or several steps may be performed simultaneously.
Aspects of the present application are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, enable the implementation of the functions/acts specified in the flowchart and/or block diagram block or blocks. Such a processor may be, but is not limited to being, a general purpose processor, a special purpose processor, an application specific processor, or a field programmable logic circuit. It will also be understood that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware which performs the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the foregoing, only the specific embodiments of the present application are described, and it will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to the corresponding processes in the foregoing method embodiments, which are not repeated herein. It should be understood that the scope of the present application is not limited thereto, and any equivalent modifications or substitutions can be easily made by those skilled in the art within the technical scope of the present application, and they should be included in the scope of the present application.

Claims (14)

1. An identity authentication method applied to an identity authentication server, comprising the following steps:
receiving a service request for a first institution sent by a client, wherein the service request comprises a plurality of tokens, the tokens being tokens assigned to a target user, and uploaded to a blockchain, by a plurality of servers that respectively performed identity authentication on the target user, in the case that the identity authentication passed, and the target user is a user logged in to the client;
matching the plurality of tokens with tokens stored in the blockchain to determine whether the target user is an authenticated user;
and in the case that the target user is determined to be an authenticated user, forwarding the service request to a first server corresponding to the first institution so that the first server responds to the service request.
2. The method of claim 1, wherein the plurality of servers includes the identity authentication server and a second server corresponding to a second institution, and the plurality of tokens includes a first token assigned by the identity authentication server and a second token assigned by the second server.
3. The method of claim 2, wherein prior to receiving the service request for the first institution sent by the client, the method further comprises:
receiving user identity information which is collected by the client and corresponds to the target user;
carrying out identity authentication on the target user according to the user identity information;
in the event that authentication is passed, assigning the first token to the target user, sending the first token to the client, and uploading the first token to the blockchain.
4. The method of claim 2, wherein the matching the plurality of tokens with tokens stored in a blockchain to determine whether the target user is an authenticated user comprises:
matching the second token with tokens stored in the blockchain;
in the case that a token matching the second token exists in the blockchain, acquiring user identity information corresponding to the first token, determining the second institution that assigned the second token, and acquiring user identity information corresponding to the second token from the second server corresponding to the second institution;
comparing the user identity information corresponding to the first token with the user identity information corresponding to the second token;
in the case that the comparison of the user identity information is consistent, determining that the target user is an authenticated user;
in the case that no token matching the second token exists in the blockchain, or the comparison of the user identity information is inconsistent, determining that the target user is not an authenticated user.
5. The method of claim 4, wherein the second token is a token obtained by encrypting an original token, assigned to the target user by the institution server of the second institution, using a public key of the identity authentication server;
the matching the second token with the tokens stored in the blockchain comprises:
decrypting the second token by using the public key to obtain the original token;
matching the original token with the tokens stored in the blockchain;
the determining the second institution that assigned the second token comprises:
determining, according to the original token, the second institution that assigned the second token.
6. The method of claim 1, wherein after forwarding the service request to the first server corresponding to the first institution, the method further comprises:
receiving an identity information acquisition request sent by the first server;
responding to the identity information acquisition request, and sending user identity information corresponding to the target user to the first server so that the first server responds to the service request according to the user identity information to generate response information;
receiving the response information returned by the first server;
and forwarding the response information to the client.
7. An identity authentication method applied to a first server, comprising the following steps:
receiving a service request forwarded by an identity authentication server, wherein the service request comprises a plurality of tokens, the tokens being tokens assigned to a target user, and uploaded to a blockchain, by a plurality of servers that respectively performed identity authentication on the target user, in the case that the identity authentication passed, and the target user is a user logged in to a client that sent the service request to the identity authentication server;
matching the plurality of tokens with tokens stored in the blockchain to determine whether the target user is an authenticated user;
and responding to the service request in the case that the target user is determined to be an authenticated user.
8. The method of claim 7, wherein the plurality of servers includes the identity authentication server and a second server corresponding to a second institution, and the plurality of tokens includes a first token assigned by the identity authentication server and a second token assigned by the second server.
9. The method of claim 8, wherein the matching the plurality of tokens with tokens stored in a blockchain to determine whether the target user is an authenticated user comprises:
matching the first token and the second token with tokens stored in the blockchain respectively;
determining that the target user is an authenticated user if there is a token in the blockchain that matches the first token and a token that matches the second token;
in the event that there is no token in the blockchain that matches the first token or no token that matches the second token, it is determined that the target user is not an authenticated user.
10. The method of claim 7, wherein said responding to said service request comprises:
sending an identity information acquisition request to the identity authentication server;
receiving user identity information corresponding to the target user, which is sent by the identity authentication server;
responding to the service request according to the user identity information, and generating response information;
and sending the response information to the identity authentication server so that the identity authentication server forwards the response information to the client.
11. An identity authentication device applied to an identity authentication server, the device comprising:
the first receiving module is used for receiving a service request for a first institution sent by a client, wherein the service request comprises a plurality of tokens, the tokens being tokens assigned to a target user, and uploaded to a blockchain, by a plurality of servers that respectively performed identity authentication on the target user, in the case that the identity authentication passed, and the target user is a user logged in to the client;
the first matching module is used for matching the plurality of tokens with the tokens stored in the blockchain and determining whether the target user is an authenticated user;
and the request forwarding module is used for forwarding the service request to a first server corresponding to the first institution in the case that the target user is determined to be an authenticated user, so that the first server responds to the service request.
12. An identity authentication device applied to a first server, the device comprising:
the second receiving module is used for receiving a service request forwarded by an identity authentication server, wherein the service request comprises a plurality of tokens, the tokens being tokens assigned to a target user, and uploaded to a blockchain, by a plurality of servers that respectively performed identity authentication on the target user, in the case that the identity authentication passed, and the target user is a user logged in to a client that sent the service request to the identity authentication server;
the second matching module is used for matching the plurality of tokens with the tokens stored in the blockchain and determining whether the target user is an authenticated user;
and the service response module is used for responding to the service request under the condition that the target user is determined to be an authenticated user.
13. An electronic device, the device comprising: a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements the steps of the identity authentication method as claimed in any one of claims 1-6 or 7-10.
14. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon computer program instructions which, when executed by a processor, implement the steps of the identity authentication method according to any one of claims 1-6 or 7-10.

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202210109179.9A CN114553432B (en) 2022-01-28 2022-01-28 Identity authentication method, device, equipment and computer readable storage medium
PCT/CN2022/112488 WO2023142437A1 (en) 2022-01-28 2022-08-15 Identity authentication method and apparatus, device, and computer readable storage medium
TW111137392A TWI843220B (en) 2022-01-28 2022-09-30 Identity authentication method, device, equipment and computer-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210109179.9A CN114553432B (en) 2022-01-28 2022-01-28 Identity authentication method, device, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN114553432A CN114553432A (en) 2022-05-27
CN114553432B true CN114553432B (en) 2023-08-18

Family

ID=81674386

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210109179.9A Active CN114553432B (en) 2022-01-28 2022-01-28 Identity authentication method, device, equipment and computer readable storage medium

Country Status (3)

Country Link
CN (1) CN114553432B (en)
TW (1) TWI843220B (en)
WO (1) WO2023142437A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114553432B (en) * 2022-01-28 2023-08-18 中国银联股份有限公司 Identity authentication method, device, equipment and computer readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110177124A (en) * 2019-06-20 2019-08-27 深圳市网心科技有限公司 Identity identifying method and relevant device based on block chain
WO2019239591A1 (en) * 2018-06-15 2019-12-19 Capy株式会社 Authentication system, authentication method, application provision device, authentication device, and authentication program
CN111211908A (en) * 2019-12-25 2020-05-29 深圳供电局有限公司 Access control method, system, computer device and storage medium
WO2020190720A1 (en) * 2019-03-15 2020-09-24 Madisetti Vijay Method and system for exchange of value or tokens between blockchain networks
CN112788033A (en) * 2021-01-13 2021-05-11 京东方科技集团股份有限公司 Authentication method and authentication system
CN113221093A (en) * 2021-05-25 2021-08-06 成都佰纳瑞信息技术有限公司 Single sign-on system, method, equipment and product based on block chain

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018143983A1 (en) * 2017-02-01 2018-08-09 Equifax, Inc. Verifying an identity based on multiple distributed data sources using a blockchain to safeguard the identity
WO2019033394A1 (en) * 2017-08-18 2019-02-21 达闼科技成都有限公司 Blockchain system and right management method therefor
TWI650658B (en) * 2017-09-22 2019-02-11 天逸財金科技服務股份有限公司 Method and system for querying data through verification of identity and authorization
US11227284B2 (en) * 2017-12-13 2022-01-18 Mastercard International Incorporated Method and system for consumer-initiated transactions using encrypted tokens
CN109936547A (en) * 2017-12-18 2019-06-25 阿里巴巴集团控股有限公司 Identity identifying method, system and calculating equipment
CN110276693B (en) * 2018-06-07 2021-05-07 腾讯科技(深圳)有限公司 Insurance claim settlement method and system
US11196551B2 (en) * 2018-06-27 2021-12-07 International Business Machines Corporation Automated task management on a blockchain based on predictive and analytical analysis
CN110839002B (en) * 2018-08-15 2022-05-17 华为云计算技术有限公司 Cloud account opening, authentication and access method and device
CN109493024B (en) * 2018-09-29 2021-02-09 杭州复杂美科技有限公司 Digital asset hosting method, apparatus, and storage medium
CN109658103B (en) * 2018-10-25 2021-01-01 创新先进技术有限公司 Method, device and equipment for identity authentication, number storage and sending and number binding
CN110493220B (en) * 2019-08-16 2021-05-25 腾讯科技(深圳)有限公司 Data sharing method and device based on block chain and storage medium
CN111222885B (en) * 2019-11-13 2021-04-16 腾讯科技(深圳)有限公司 Data processing request endorsement method and device, computer equipment and storage medium
US11843593B2 (en) * 2020-06-01 2023-12-12 Citrix Systems, Inc. Application integration using multiple user identities
CN112055017B (en) * 2020-09-02 2022-08-30 中国平安财产保险股份有限公司 Single-account multi-application unified login method and device and computer equipment
CN114553432B (en) * 2022-01-28 2023-08-18 中国银联股份有限公司 Identity authentication method, device, equipment and computer readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
User authentication and authorization system architecture based on OAuth 2.0, OpenID Connect and UMA; Shen Tong; Wang Yong; Liu Junyan; Software (Issue 11); full text *

Also Published As

Publication number Publication date
WO2023142437A1 (en) 2023-08-03
TW202331563A (en) 2023-08-01
CN114553432A (en) 2022-05-27
TWI843220B (en) 2024-05-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40069692; Country of ref document: HK)
GR01 Patent grant