CN114640472A - Protected resource data acquisition method and device and unified open platform - Google Patents


Info

Publication number: CN114640472A
Authority: CN (China)
Application number: CN202210282919.9A
Other languages: Chinese (zh)
Prior art keywords: party application, protected resource, resource data, access token, authorization
Legal status: Pending
Inventors: 喻俊, 张志广, 刘慧中
Current assignee: Hunan Happly Sunshine Interactive Entertainment Media Co Ltd
Original assignee: Hunan Happly Sunshine Interactive Entertainment Media Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 ... involving a third party or a trusted authority
    • H04L9/3213 ... involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3226 ... using a predetermined code, e.g. password, passphrase or PIN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiments of the application disclose a method and an apparatus for acquiring protected resource data, and a unified open platform. The method comprises the following steps: receiving request data sent by a third-party application, where the request data carries an access token and third-party application information; obtaining a verification result for the access token; obtaining a verification result for the third-party application information; and, if both verification results pass, returning the protected resource data to the third-party application. Because an authorization gateway service module receives the request, verifies the information and requests the protected resource data, the platform side can serve its protected resources without any modification while security is ensured, and access to the protected resources is loosely coupled with the third-party application, which improves the convenience of implementing each protected resource service inside the platform side.

Description

Protected resource data acquisition method and device and unified open platform
Technical Field
The present application relates to the field of third-party login and open platform protection, and more particularly to a method and an apparatus for acquiring protected resource data, and a unified open platform.
Background
At present, access to protected resources for a third party is mainly realized by the third party calling interfaces of the platform side, such as registration and login. For example, some SNS websites (the third parties) require users to provide their user names and passwords (or PIN codes); the SNS website then acts as the user's agent to obtain the user's friend information from the MSN service side. This lets third parties access the user's protected resources on the platform, and for the user the third-party application is a special kind of client. However, this prior-art way of giving a third party access to protected resources has a serious security problem: because the third-party application is not controlled by the platform, the user's authentication credential is transmitted between the third-party application and the platform and can be leaked at any link, so the security of the user account is low and the platform's protected resources cannot be safely guaranteed. It also does not facilitate decoupling from the third party: authorization is performed by way of authentication, so the platform side's authentication system is coupled with the third-party application, which leaves subsequent extensibility poor and convenience low.
Disclosure of Invention
The purpose of the application is to provide a method and an apparatus for acquiring protected resource data, and a unified open platform, which improve the convenience of implementing each protected resource service inside the platform side: the platform is loosely coupled with third-party applications, and none of the platform side's protected resource services need to be modified, while security is still ensured.
In order to achieve the above object, the present application provides a method for acquiring protected resource data, including:
receiving request data sent by a third-party application; the request data carries an access token and third-party application information;
obtaining a verification result of the access token;
obtaining a verification result of the third-party application information; the third-party application information comprises an identification ID allocated to the third-party application by an open portal module, a key allocated to the third-party application by the open portal module, and a callback address registered in the open portal module for the third-party application;
and if the verification results of the access token and the third-party application information both pass, returning the protected resource data to the third-party application.
Optionally, the obtaining a verification result of the access token includes:
and verifying the access token through an authorization service module, and acquiring a verification result returned by the authorization service module.
Optionally, the obtaining a verification result of the third-party application information includes:
and verifying the third-party application information through an open portal module, and acquiring a verification result returned by the open portal module.
Optionally, the returning the protected resource data to the third-party application includes:
converting the access token into an authentication identifier of the unified open platform side, acquiring the protected resource data according to the authentication identifier and prestored configuration information, and returning the protected resource data to the third-party application; the configuration information comprises mapping configuration information between an application programming interface (API) of the authorization gateway service module and an API of the protected resource data;
the API of the protected resource data is one API or a group of APIs corresponding to the protected resource data, generated by the open portal module; the API of the protected resource data is bound with a permission identifier and then stored in a database.
Optionally, the method further comprises:
receiving an uploading request of protected resource data submitted by a protected resource service developer, wherein the uploading request comprises an API of the protected resource data, an access path of the protected resource data, parameter configuration and an access protocol type;
acquiring access parameters of the protected resource data according to the uploading request and sending the access parameters to an open portal module, which audits the access parameters and binds permissions to them; the access parameters include: API type, permission scope, interface, permission capabilities, permission type, application style, and default state.
Optionally, the access token is generated after the authorization service module verifies, with the authentication service module, that the login has succeeded;
the access token is returned to the third-party application by the authorization service module after it receives the authorization request sent by the third-party application.
The present application further provides a protected resource data acquisition apparatus, the apparatus including:
a receiving unit, configured to receive request data sent by a third-party application; the request data carries an access token and third-party application information;
a first verification unit, configured to obtain a verification result of the access token;
a second verification unit, configured to obtain a verification result of the third-party application information; the third-party application information comprises an identification ID allocated to the third-party application by an open portal module, a key allocated to the third-party application by the open portal module, and a callback address obtained when the third-party application is registered in the open portal module;
and a sending unit, configured to return the protected resource data to the third-party application if the verification results of both the access token and the third-party application information pass.
Optionally, the first verification unit is specifically configured to verify the access token through an authorization service module, and obtain a verification result returned by the authorization service module.
Optionally, the second verification unit is specifically configured to verify the third-party application information through an open portal module, and obtain a verification result returned by the open portal module.
The application also provides a unified open platform, which includes:
an authorization gateway service module, configured to receive request data sent by a third-party application, where the request data carries an access token and third-party application information; obtain a verification result of the access token; obtain a verification result of the third-party application information, where the third-party application information comprises an identification ID allocated to the third-party application by an open portal module, a key allocated to the third-party application by the open portal module, and a callback address registered in the open portal module for the third-party application; and, if the verification results of both the access token and the third-party application information pass, return the protected resource data to the third-party application;
an authorization service module, configured to verify the access token in the request data and return the verification result of the access token to the authorization gateway service module;
an open portal module, configured to verify the third-party application information and return the verification result of the third-party application information to the authorization gateway service module;
and a protected resource service module, configured to receive a data request from the authorization gateway service module for the protected resource data and return the requested protected resource data to the authorization gateway service module.
The embodiments of the application provide a method for acquiring protected resource data, which is based on: receiving request data sent by a third-party application, where the request data carries an access token and third-party application information; obtaining a verification result of the access token; obtaining a verification result of the third-party application information, where the third-party application information comprises an identification ID allocated to the third-party application by an open portal module, a key allocated to the third-party application by the open portal module, and a callback address registered in the open portal module for the third-party application; and, if the verification results of both the access token and the third-party application information pass, returning the protected resource data to the third-party application. Therefore, because the authorization gateway service module acquires the request, verifies the information and requests the protected resource data, the platform side can serve its protected resources without any modification while security is ensured, and access to the protected resources is loosely coupled with the third-party application, which improves the convenience of implementing each protected resource service inside the platform side.
In addition, the embodiments of the application also provide a protected resource data acquisition apparatus and a unified open platform, whose effects are as described above.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only the embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is an overall flowchart illustrating a process in which a user authorizes a third-party application to obtain protected resource data of a unified open platform according to an embodiment of the present application;
fig. 2 is a flowchart of a method for acquiring protected resource data according to an embodiment of the present application;
FIG. 3 is a block diagram illustrating a privilege design of protected resource data according to an embodiment of the present application;
FIG. 4 is a timing diagram illustrating a third party application accessing a user protected resource according to an embodiment of the present disclosure;
FIG. 5 is an authorization sequence diagram illustrating a third-party application obtaining an access token based on user authorization according to an embodiment of the present disclosure;
fig. 6 is a processing diagram of an authorization service module issuing an access token according to an embodiment of the present application;
fig. 7 is a schematic diagram of an apparatus for acquiring protected resource data according to an embodiment of the present application;
fig. 8 is a schematic diagram of a unified open platform provided in an embodiment of the present application;
fig. 9 is a schematic structural and functional diagram of a unified open platform according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
First, the terms used in the present application are explained:
(1) Domain terms
OAuth 2.0: an open standard protocol for user authentication and authorization, which allows a user to let a third-party application access specific private resources of the user on a service without providing the account password to the third-party application.
authorization-code: the authorization code mode is the most secure and complete mode in OAuth 2.0, including the various practices that follow, and is used by default.
AuthZ: authorization.
AuthN: authentication.
(2) Parameter terms
client_id: the identification ID assigned by the platform to the third-party application.
client_secret: the key assigned by the platform to the third-party application.
code: a temporary authorization credential.
access_token: an access token.
refresh_token: a refresh token.
scope: the range of granted permissions; multiple values are separated by ",".
uid: the user's unique credential.
Fig. 1 is an overall flowchart of a process in which a user authorizes a third-party application to obtain protected resource data of a unified open platform, according to an embodiment of the present application. As shown in fig. 1, the embodiment abstracts a layer of authorization gateway service (OPEN API GATEWAY) between the third-party application and the protected resource services. It differs from an existing gateway service in that this gateway adds capabilities such as authorization checks, payment checks and frequency checks. Because the protected resources are distributed across different microservices, adding the verification and related functions to the authorization gateway service means that none of the protected resource services inside the unified open platform need a special compatibility transformation in order to be accessed: the third-party application interacts with the authorization gateway service module and does not request access to the unified open platform's protected resources directly, so the third-party application and the platform side are coupled as loosely as possible, and the convenience of implementing each protected resource service inside the platform side is improved. Furthermore, in this embodiment an authorization service is added between the third-party application and the platform's authentication service to isolate the user's authentication credential from the outside, so that the third-party application never interacts with the authentication service module directly, which improves the security of the user's authentication credential. An open portal is also added to manage the relationships among third-party developers, third-party applications and protected resources, improving the management capability and processing efficiency of the unified open platform.
Fig. 2 is a flowchart of a method for acquiring protected resource data according to an embodiment of the present application. As shown in fig. 2, the method for acquiring protected resource data in the embodiment of the present application includes:
S10: receiving request data sent by a third-party application; the request data carries an access token and third-party application information;
S11: obtaining a verification result of the access token;
specifically, verifying the access token includes: verifying whether the access token is invalid, verifying whether the access is unauthorized, and verifying whether the request frequency of the access exceeds a frequency limit.
S12: obtaining a verification result of the third-party application information; the third-party application information comprises an identification ID allocated to the third-party application by an open portal module, a key allocated to the third-party application by the open portal module, and a callback address registered in the open portal module for the third-party application;
specifically, verifying the third-party application information includes: verifying whether the third-party application information (client) is normal, that is, whether the identification ID allocated to the third-party application by the open portal module, the key allocated to it by the open portal module, and the callback address registered for it in the open portal module are all normal; verifying whether the request frequency exceeds a frequency limit; and verifying whether the requested resource is charged for: if the access interface requested by the third-party application is a charging interface, verifying whether a request balance exists.
S13: if the verification results of both the access token and the third-party application information pass, returning the protected resource data to the third-party application.
It should be noted that, as in the permission design block diagram of the protected resource data in fig. 3, the open portal module abstracts the specific implementation of the protected resource data into one API or a group of APIs, that is, the protected resource data is represented by one or a group of APIs; the open portal module binds each API or group of APIs for protected resource data with a permission identifier (scope), which corresponds to an authorized permission range; the open portal module in the unified open platform can thus manage the access permission range of the third-party application, and when authorizing, the user can flexibly control which permissions the designated third-party application is allowed to access. Because the protected resources on the platform side only recognize the platform side's own authentication identifier, the access token is converted into the authentication identifier of the unified open platform side, and access to the platform side's protected resource data is realized on that basis.
Specifically, after the access token in the third-party application's access request has been converted into the platform side's authentication identifier, the authorization gateway service module accesses and acquires the protected resource data according to that authentication identifier and pre-stored configuration information, where the configuration information comprises mapping configuration information between each API of the authorization gateway service module and an API of the protected resource data; in this way the third-party application acquires the protected resource data using the access token (access_token) obtained through user authorization.
According to the embodiment of the application, a layer of authorization gateway service (OPEN API GATEWAY) is abstracted between the third-party application and the protected resource services; the difference from a general gateway service is that this gateway adds capabilities such as authorization verification, payment verification and frequency verification. Because the authorization gateway service module acquires the request, verifies the information and requests the protected resource data, the platform side's protected resource services can provide service without any transformation while security is ensured, and access to the protected resources is loosely coupled with the third-party application, so the convenience of implementing each protected resource service inside the platform side is improved.
As shown in fig. 4, take the example of a resource owner (the user) authorizing a third-party application to access a play record on the unified open platform: the user grants the authorization; the back end of the third-party application sends request data carrying the access token to the authorization gateway service; the authorization gateway service module sends the access token to the authorization service module and receives its verification result, and sends the third-party application information to the open portal module and receives its verification result; once the authorization gateway service module determines that both the access token and the third-party application information pass verification, it accesses and acquires the play record on the platform and returns it to the third-party application, which displays the play record to the user. In this way the user has authorized the third-party application to acquire protected resource data on the platform.
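The gateway-side checks of steps S10 to S13 (token validity and scope, client_id, key and callback address, frequency limit, charging balance, and the conversion of the access token into the platform-side identifier before the internal API is called), as an added Python example that is not code from the patent; the registries, tokens, API paths and dict layouts are constructed assumptions.

```python
"""Added example, not code from the patent: a minimal model of the authorization
gateway service module (steps S10-S13).  Every registry, token and resource record
below is a constructed sample, and the dict layouts are assumptions."""
import hmac
import time


class GatewayError(Exception):
    """A failed gateway check; the exception message is the reason."""


class AuthorizationGateway:
    def __init__(self, clients, api_mapping, tokens, resources, now=time.time):
        self.clients = clients          # open portal module: registered third-party apps
        self.api_mapping = api_mapping  # gateway API -> (protected resource API, scope, billable)
        self.tokens = tokens            # authorization service module: issued access tokens
        self.resources = resources      # protected resource service module, keyed by uid
        self.now = now
        self.request_counts = {}        # client_id -> requests seen (frequency check)

    def verify_access_token(self, token, required_scope):
        """S11: the authorization service checks that the token is valid and that the
        permission identifier (scope) bound to the requested API was granted."""
        record = self.tokens.get(token)
        if record is None or record["expires_at"] <= self.now():
            raise GatewayError("invalid_token")
        if required_scope not in record["scope"]:
            raise GatewayError("unauthorized_scope")
        return record

    def verify_client(self, client_id, client_secret, callback, billable):
        """S12: the open portal checks client_id, client_secret and the registered
        callback address, then the request frequency and the balance for billable APIs."""
        app = self.clients.get(client_id)
        if app is None:
            raise GatewayError("unknown_client")
        # constant-time comparison so the secret check does not leak timing information
        if not hmac.compare_digest(app["client_secret"], client_secret):
            raise GatewayError("bad_client_secret")
        if app["callback"] != callback:
            raise GatewayError("bad_callback")
        count = self.request_counts.get(client_id, 0) + 1
        self.request_counts[client_id] = count
        if count > app["rate_limit"]:
            raise GatewayError("frequency_limit_exceeded")
        if billable and app["balance"] <= 0:
            raise GatewayError("insufficient_balance")
        return app

    def handle_request(self, request):
        """S10 and S13: take the request data, run both checks, and only then convert
        the access token into the platform-side identifier and fetch the resource."""
        try:
            mapping = self.api_mapping.get(request["api"])
            if mapping is None:
                raise GatewayError("unknown_api")
            resource_api, required_scope, billable = mapping
            token_record = self.verify_access_token(request["access_token"], required_scope)
            self.verify_client(request["client_id"], request["client_secret"],
                               request["callback"], billable)
            # Assumption: a token may only be used by the client it was issued to.
            if token_record["client_id"] != request["client_id"]:
                raise GatewayError("token_client_mismatch")
        except GatewayError as err:
            return {"status": "error", "reason": str(err)}
        # The protected resource only recognises the platform's own identifier, so the
        # access token is exchanged for the uid before the internal API is called.
        platform_uid = token_record["uid"]
        data = self.resources.get(resource_api, {}).get(platform_uid)
        return {"status": "ok", "data": data}


# Constructed sample registries (not real identifiers).
SAMPLE_CLIENTS = {
    "app-123": {"client_secret": "s3cret-abc", "callback": "https://thirdparty.example/cb",
                "rate_limit": 3, "balance": 0},
}
SAMPLE_API_MAPPING = {
    "/open/user/play_record": ("/internal/play/records", "play_record", False),
    "/open/user/profile": ("/internal/user/profile", "profile", True),
}
SAMPLE_TOKENS = {
    "tok-ok": {"client_id": "app-123", "uid": "u-42", "scope": {"play_record"},
               "expires_at": time.time() + 3600},
    "tok-profile": {"client_id": "app-123", "uid": "u-42", "scope": {"profile"},
                    "expires_at": time.time() + 3600},
    "tok-expired": {"client_id": "app-123", "uid": "u-42", "scope": {"play_record"},
                    "expires_at": time.time() - 1},
}
SAMPLE_RESOURCES = {
    "/internal/play/records": {"u-42": ["video-1", "video-9"]},
    "/internal/user/profile": {"u-42": {"nickname": "alice"}},
}


def make_gateway():
    return AuthorizationGateway(SAMPLE_CLIENTS, SAMPLE_API_MAPPING, SAMPLE_TOKENS, SAMPLE_RESOURCES)


def make_request(token="tok-ok", api="/open/user/play_record", secret="s3cret-abc"):
    return {"api": api, "access_token": token, "client_id": "app-123",
            "client_secret": secret, "callback": "https://thirdparty.example/cb"}
```

Each gateway instance keeps its own request counter, so the frequency limit is enforced per client_id across calls.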
Preferably, another embodiment of the present application introduces a management process for protected resources, specifically:
receiving an uploading request of protected resource data submitted by a protected resource service developer, wherein the uploading request comprises an API of the protected resource data, an access path of the protected resource data, parameter configuration and an access protocol type;
acquiring access parameters of the protected resource data according to the uploading request and sending the access parameters to an open portal module, which audits the access parameters and binds permissions to them; the access parameters include: API type, permission scope, interface, permission capabilities, permission type, application style, and default state.
The parameter information of the specific configuration is given in Table 1 below.
Table 1 (reproduced as an image in the original)
Based on the configuration and management of the protected resource data submitted by the protected resource service developer, when a third-party application subsequently accesses and obtains the protected resource data, the authorization gateway service module can supply parameters matching the requested protected resource data according to parameters such as the permissions configured for the protected resource, which guarantees the security of the protected resource data stored in the platform.
Preferably, another embodiment of the present application provides a registration process for a third-party application on the unified open platform, which specifically includes: a developer of the third-party application registers a third-party developer account on the unified open platform and submits the related materials for authentication; the unified open platform's operations team audits the qualification of the third-party developer account; the third-party developer adds an application under the account and configures the application information and permission information; the unified open platform's operations team audits the application information, and once the audit passes, the third-party application has completed registration and is qualified to interact with the unified open platform and to access and acquire protected resource data on it, so that the user can acquire protected resource data through the interaction of the third-party application with the unified open platform.
Preferably, fig. 5 is an authorization sequence diagram of obtaining an access token by a third-party application based on user authorization provided in the embodiment of the present application, fig. 6 is a processing process diagram of issuing an access token by an authorization service module provided in the embodiment of the present application, and another embodiment of the authorization sequence diagram of obtaining an access token by a third-party application based on user authorization provided in the embodiment of the present application provides a method for obtaining an access token by a third-party application based on user authorization, which specifically includes:
the authorization service module receives a request for requesting authorization sent by a third-party application based on the fact that a user accesses the third-party application, and issues an authorization code to the third-party application; and the authorization service module generates an access token and returns the access token to the third-party application based on receiving a token acquisition request which is sent by the third-party application and carries the authorization code.
Specifically, issuing the authorization code to the third-party application includes the following steps:
First, the basic information is verified. Since issuance of the authorization code is generally completed through front-end communication such as a browser, all of this information is at risk of being forged. Therefore, the authorization service module must determine that the third-party application exists. Likewise, the redirect_uri can be forged, and the authorization service module needs to perform a basic check on it. After the existence of the third-party application and the redirect_uri have been verified, an authorization page is generated or returned in the authorization service front end (browser) to prompt the user for authorization.
Second, a first permission-scope verification is performed on the third-party application. The permission-scope parameter (scope) passed by the third-party application is compared with the scope the third-party application applied for at registration. If the requested permission exceeds the permission granted at registration, an over-scope prompt is required. This is the first permission check.
Third, all authorization verification is based on the user's login state. In the scenario where the user account is not logged in, login is required first; only after login can the authorization service obtain the user information and finally generate the correspondence among the code, the client_id, the uid and the scope. After login authentication is complete, the authorization service front end displays to the user the request to obtain the related information, such as the avatar and nickname, so that the user can confirm it, after which the authorization service module obtains that information.
It should be noted that, in the embodiment of the present application, the login authentication page and the authorization interface are both pages on the unified open platform side, over which the platform side has control. This is completely different from the prior-art method in which the user provides a user name and password (or PIN code) and the third-party application acts as the user agent to obtain the user's friend information from the open platform side.
Fourth, a second permission-scope verification is performed against the third-party application's registered permissions: the permissions granted by the user are verified once more against the permissions the third-party software registered.
Fifth, the authorization request sent by the third-party application is processed to generate an authorization code. Specifically, after the user agrees to authorize, the login credential (ticket) passed in by the authorization service web page is verified and the corresponding user information (uid, id) is obtained; the authorization service then creates a relational mapping among the generated authorization code value (code), the ID of the third-party application (client_id), the user's unique credential (uid) and the authorized permission scope (scope), and sets a validity period for the code value.
Sixth, the flow is redirected to the third-party software, and the authorization service passes the code value to the third-party software. Issuance of the authorization code is completed through front-end communication, so a redirection (jumping back to the application via its callback) is used here. This is the second redirection in the authorization sequence diagram.
Specifically, the step in which the authorization service module, upon receiving a token acquisition request carrying the authorization code from the third-party application, generates an access token and returns it to the third-party application includes:
verifying whether the third-party application exists; in this step it is specifically checked whether the identifier client_id allocated to the third-party application by the open portal module matches the key client_secret allocated to it by the open portal module;
verifying whether the authorization code value is legal, specifically, whether the authorization code has expired, and whether the ID (client_id) of the third-party application for which the authorization code (code) was generated is consistent with the ID (client_id) of the requesting third-party application; it should be noted that an authorization code (code) can be used only once and is destroyed after the token is generated;
generating an access token, and creating a relational mapping among the access token (access_token), the ID of the third-party application (client_id), the user's unique credential (uid) and the authorized permission scope (scope). The access token indicates which authorizations the user has granted to the third-party application. An expiration time (expire) is set for the access token, and the access token is stored together with the above related information. It should be noted that the access token must comply with three principles: uniqueness, non-continuity (tokens are not sequential) and unguessability.
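The six steps of authorization-code issuance and the three steps of token issuance described above, as an added example that is not part of the patent's own disclosure: an in-memory authorization service in Python. The registry contents, the function names (issue_authorization_code, issue_access_token, error_of, demo), the AuthError class and every sample value (app-demo, s3cr3t-demo, https://app.example/cb, the scopes avatar and nickname, the user id u-1001) are assumptions for illustration. The checks follow the page's order: application existence and exact redirect_uri match, the first scope check against registration, a mandatory login state, the second scope check on what the user granted, a code bound to client_id, uid and scope with a validity period, then on the token side client_id/client_secret verification, code expiry and client match, single-use destruction of the code, and a token that is unique, non-sequential and unguessable.

```python
import hmac
import secrets
import time

# Constructed registry standing in for the open portal module's record of a
# registered third-party application (assumed shape, not the patent's schema).
REGISTERED_APPS = {
    "app-demo": {
        "client_secret": "s3cr3t-demo",            # key allocated at registration
        "redirect_uri": "https://app.example/cb",   # callback address registered
        "scopes": {"avatar", "nickname"},           # scope applied for at registration
    }
}
CODE_TTL = 600     # validity period of an authorization code, in seconds
TOKEN_TTL = 7200   # expire value set on an access token, in seconds

_codes = {}    # authorization service mapping: code -> client_id, uid, scope, expiry
_tokens = {}   # authorization service mapping: access_token -> client_id, uid, scope, expire

class AuthError(Exception):
    """A check in the issuance process failed; the message names the check."""

def _scope_set(scope):
    return set(scope.split()) if isinstance(scope, str) else set(scope)

def issue_authorization_code(client_id, redirect_uri, scope, uid, granted_scope=None, now=None):
    """Steps one to six of code issuance; returns the redirect target carrying the code."""
    now = time.time() if now is None else now
    # Step 1: the application must exist and redirect_uri must equal the registered
    # callback exactly, because both arrive through the browser and can be forged.
    app = REGISTERED_APPS.get(client_id)
    if app is None:
        raise AuthError("unknown client_id")
    if redirect_uri != app["redirect_uri"]:
        raise AuthError("redirect_uri does not match registration")
    # Step 2: first permission-scope check, requested scope against registered scope.
    requested = _scope_set(scope)
    if not requested <= app["scopes"]:
        raise AuthError("requested scope exceeds registered scope")
    # Step 3: every check runs in the user's login state; uid is the identity obtained
    # from the login credential (ticket) that the authorization front end verified.
    if not uid:
        raise AuthError("login required before authorization")
    # Step 4: second permission-scope check, the scope the user confirmed on the
    # authorization page (granted_scope) against the registered scope.
    granted = requested if granted_scope is None else _scope_set(granted_scope)
    if not granted <= app["scopes"]:
        raise AuthError("granted scope exceeds registered scope")
    # Step 5: generate the code and map it to client_id, uid and scope with a validity period.
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "uid": uid, "scope": granted, "expires_at": now + CODE_TTL}
    # Step 6: redirect back to the registered callback, carrying the code.
    return f"{redirect_uri}?code={code}"

def issue_access_token(client_id, client_secret, code, now=None):
    """Token acquisition: verify the application and the code, then issue a token."""
    now = time.time() if now is None else now
    # The application exists and client_id matches client_secret (constant-time compare).
    app = REGISTERED_APPS.get(client_id)
    if app is None or not hmac.compare_digest(app["client_secret"], client_secret):
        raise AuthError("client authentication failed")
    # The code must be known, unexpired and issued to this very client.
    entry = _codes.get(code)
    if entry is None:
        raise AuthError("unknown authorization code")
    if now > entry["expires_at"]:
        del _codes[code]
        raise AuthError("authorization code expired")
    if entry["client_id"] != client_id:
        del _codes[code]   # presented by the wrong client: treat the code as burned
        raise AuthError("authorization code belongs to a different client")
    # Single use: destroy the code before the token exists, so a replay cannot race it.
    del _codes[code]
    # 256 CSPRNG bits give a token that is unique, non-sequential and unguessable.
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"client_id": client_id, "uid": entry["uid"], "scope": entry["scope"],
                      "expire": now + TOKEN_TTL}
    return {"access_token": token, "expire": TOKEN_TTL, "scope": " ".join(sorted(entry["scope"]))}

def error_of(fn, *args, **kwargs):
    """Return the AuthError message a call raises, or None when the call succeeds."""
    try:
        fn(*args, **kwargs)
        return None
    except AuthError as exc:
        return str(exc)

def demo():
    """Run the whole flow once and report the outcome of each key check."""
    target = issue_authorization_code("app-demo", "https://app.example/cb", "avatar nickname",
                                      uid="u-1001", granted_scope="avatar")
    code = target.split("code=", 1)[1]
    token = issue_access_token("app-demo", "s3cr3t-demo", code)
    return {"scope": token["scope"], "expire": token["expire"],
            "token_stored": token["access_token"] in _tokens,
            "replay": error_of(issue_access_token, "app-demo", "s3cr3t-demo", code)}
```

Calling demo() issues a code for the avatar scope only (the user granted less than was requested), exchanges it for a token, and then shows that a second exchange of the same code is refused because the code was destroyed on first use. The fixed-clock parameter now lets the expiry rule be exercised without waiting.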
In the embodiment of the present application, because an authorization service module is added between the third-party application and the platform authentication service module to generate and issue the authorization code and the access token, the problem of isolating the user authentication credential from the outside is solved: the third-party application is prevented from contacting the platform authentication service module directly, and the security of the user authentication credential is ensured.
The above describes the method for acquiring protected resource data in the embodiment of the present application. An apparatus for acquiring protected resource data in the embodiment of the present application is described below with reference to fig. 7; the apparatus in the embodiment of the present application includes:
a receiving unit 201, configured to receive request data sent by a third-party application; the request data carries an access token and third-party application information;
the access token is generated by the authorization service module after the authentication service module verifies that the login is successful; the access token is returned to the third-party application by the authorization service module after it receives the authorization request sent by the third-party application;
a first verification unit 202, configured to obtain a verification result for the access token;
a second verification unit 203, configured to obtain a verification result for the third-party application information; the third-party application information comprises an identification ID (identity) allocated to the third-party application by an open portal module, a key allocated to the third-party application by the open portal module, and a callback address obtained when the third-party application was registered in the open portal module;
and a sending unit 204, configured to return the protected resource data to the third-party application if the verification results of both the access token and the third-party application information are passed.
Optionally, the first verification unit 202 is specifically configured to verify the access token through an authorization service module and obtain the verification result returned by the authorization service module.
Optionally, the second verification unit 203 is specifically configured to verify the third-party application information through an open portal module and obtain the verification result returned by the open portal module.
Optionally, the sending unit is specifically configured to: convert the access token into an authentication identifier on the unified open platform side, acquire the protected resource data according to the authentication identifier and prestored configuration information, and return the protected resource data to the third-party application; the configuration information comprises mapping configuration information between the application programming interface (API) of the authorization gateway service module and the API of the protected resource data;
the API of the protected resource data is one API or a group of APIs corresponding to the protected resource data, generated by the open portal module; the API of the protected resource data is bound to the permission identifier and then stored in a database.
Optionally, the receiving unit is further configured to receive an upload request for protected resource data submitted by a protected resource service developer, where the upload request includes the API of the protected resource data, the access path of the protected resource data, the parameter configuration and the access protocol type;
the receiving unit is further configured to obtain the access parameters of the protected resource data according to the upload request and send them to an open portal module, and the open portal module audits the access parameters and binds permissions to them; the access parameters include: type of API, permission scope, interface, permission capabilities, permission type, application style, and default state.
Referring to fig. 8 and 9, a unified open platform in an embodiment of the present application is described below; the unified open platform in the embodiment of the present application includes:
the authorization gateway service module, configured to receive request data sent by a third-party application, where the request data carries an access token and third-party application information; obtain a verification result for the access token; obtain a verification result for the third-party application information, where the third-party application information comprises an identification ID (identity) allocated to the third-party application by an open portal module, a key allocated to the third-party application by the open portal module, and a callback address registered in the open portal module for the third-party application; and, if the verification results of both the access token and the third-party application information are passed, return protected resource data to the third-party application;
the authorization service module, configured to verify the access token in the request data and return the verification result of the access token to the authorization gateway service module;
the open portal module, configured to verify the third-party application information and return the verification result of the third-party application information to the authorization gateway service module;
and the protected resource service module, configured to receive a data request for the protected resource data from the authorization gateway service module and return the requested protected resource data to the authorization gateway service module.
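The division of labour among the four modules just listed, and the sending unit's conversion of the access token into a platform-side identifier through the API mapping configuration, as an added example that is not part of the patent's own disclosure: a Python model of the authorization gateway service module in which the authorization service, open portal and protected resource service are stand-ins backed by constructed tables. The table contents, the function names (authorization_service_verify, open_portal_verify, protected_resource_service, gateway_handle, make_request), the gateway and resource API paths, the permission identifiers and all sample values (tok-valid, app-demo, s3cr3t-demo, https://app.example/cb, u-1001) are assumptions for illustration. The gateway requires both verification results to pass, refuses an API whose bound permission lies outside the token's scope, and, as one check this example adds beyond the page's text, refuses a token whose recorded client_id differs from the application presenting it.

```python
import hmac

# Constructed state standing in for the authorization service, open portal and
# protected resource service modules; names and sample values are assumptions.
NOW = 1_700_000_000  # fixed clock so the example is deterministic

TOKENS = {  # authorization service: access_token -> mapping recorded at issuance
    "tok-valid":   {"client_id": "app-demo",  "uid": "u-1001", "scope": {"profile.read"}, "expire": NOW + 3600},
    "tok-expired": {"client_id": "app-demo",  "uid": "u-1001", "scope": {"profile.read"}, "expire": NOW - 1},
    "tok-other":   {"client_id": "app-other", "uid": "u-1001", "scope": {"profile.read"}, "expire": NOW + 3600},
}
APPS = {  # open portal: client_id -> key and callback address from registration
    "app-demo": {"client_secret": "s3cr3t-demo", "callback": "https://app.example/cb"},
}
API_MAPPING = {  # open portal: gateway API -> protected resource API bound to a permission id
    "/gateway/user/profile": {"resource_api": "/internal/user/profile", "permission": "profile.read"},
    "/gateway/user/orders":  {"resource_api": "/internal/user/orders",  "permission": "orders.read"},
}
PROFILES = {"u-1001": {"nickname": "alice", "avatar": "https://cdn.example/a.png"}}


def authorization_service_verify(token, now=NOW):
    """Verification result for the access token: its mapping, or None if invalid or expired."""
    entry = TOKENS.get(token)
    return None if entry is None or now >= entry["expire"] else entry


def open_portal_verify(client_id, client_secret, callback):
    """Verification result for the third-party application information (ID, key, callback)."""
    app = APPS.get(client_id)
    if app is None:
        return False
    return hmac.compare_digest(app["client_secret"], client_secret) and app["callback"] == callback


def protected_resource_service(resource_api, uid):
    """Protected resource service: serve the resource API for the platform-side identity."""
    if resource_api == "/internal/user/profile":
        return PROFILES.get(uid)
    raise KeyError(resource_api)


def gateway_handle(request, now=NOW):
    """Authorization gateway: both verifications must pass before any data flows back."""
    token_info = authorization_service_verify(request["access_token"], now)
    if token_info is None:
        return {"status": 401, "error": "invalid or expired access token"}
    app = request["app"]
    if not open_portal_verify(app["client_id"], app["client_secret"], app["callback"]):
        return {"status": 401, "error": "third-party application verification failed"}
    # Added check: the token mapping records the client_id it was issued to,
    # so a token presented by a different application is refused.
    if token_info["client_id"] != app["client_id"]:
        return {"status": 401, "error": "access token was not issued to this application"}
    mapping = API_MAPPING.get(request["api"])
    if mapping is None:
        return {"status": 404, "error": "unknown gateway API"}
    # The permission bound to the API must lie within the token's authorized scope.
    if mapping["permission"] not in token_info["scope"]:
        return {"status": 403, "error": "scope does not cover this API"}
    # Convert the access token into the platform-side authentication identifier (uid)
    # and fetch the data through the mapped protected resource API.
    data = protected_resource_service(mapping["resource_api"], token_info["uid"])
    return {"status": 200, "data": data}


def make_request(access_token, api, client_id="app-demo", client_secret="s3cr3t-demo",
                 callback="https://app.example/cb"):
    """Request data as the gateway expects it: an access token plus third-party application info."""
    return {"access_token": access_token, "api": api,
            "app": {"client_id": client_id, "client_secret": client_secret, "callback": callback}}
```

gateway_handle(make_request("tok-valid", "/gateway/user/profile")) returns the profile for u-1001; the same token against /gateway/user/orders is refused with 403 because orders.read was never authorized, and an expired token, a wrong key or a callback that differs from the registered one is refused with 401 before any resource lookup happens.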
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for acquiring protected resource data, the method comprising:
receiving request data sent by a third party application; the request data carries an access token and third-party application information;
obtaining a verification result of the access token;
obtaining a verification result of the third-party application information; the third-party application information comprises an identification ID (identity) distributed to the third-party application by an open portal module, a key distributed to the third-party application by the open portal module and a callback address registered in the open portal module for the third-party application;
and if the verification results of the access token and the third-party application information are both passed, returning the protected resource data to the third-party application.
2. The method of claim 1, wherein obtaining the verification result of the access token comprises:
and verifying the access token through an authorization service module, and acquiring a verification result returned by the authorization service module.
3. The method of claim 1, wherein obtaining the verification result of the third-party application information comprises:
and verifying the third-party application information through an open portal module, and acquiring a verification result returned by the open portal module.
4. The method of claim 1, wherein returning the protected resource data to the third-party application comprises:
converting the access token into an authentication identifier of a unified open platform side, acquiring protected resource data according to the authentication identifier and prestored configuration information, and returning the protected resource data to the third-party application; the configuration information comprises mapping configuration information of an application program identification API of the authorization gateway service module and an API of the protected resource data;
the API of the protected resource data is one or a group of APIs corresponding to the protected resource data generated by the open portal module, and the API of the protected resource data is bound with the authority identifier and then stored in a database.
5. The method of claim 4, further comprising:
receiving an uploading request of protected resource data submitted by a protected resource service developer, wherein the uploading request comprises an API of the protected resource data, an access path of the protected resource data, parameter configuration and an access protocol type;
acquiring access parameters of protected resource data according to the uploading request, sending the access parameters to an open portal module, and auditing and permission binding the access parameters by the open portal module; the access parameters include: type of API, rights scope, interface, rights capabilities, rights type, application style, and default state.
6. The method of claim 1, wherein the access token is generated by the authorization service module after the authentication service module verifies that the login is successful;
the access token is returned to the third-party application by the authorization service module after receiving the request for authorization sent by the third-party application.
7. A protected resource data acquisition apparatus, the apparatus comprising:
the receiving unit is used for receiving request data sent by a third-party application; the request data carries an access token and third-party application information;
a first verification unit configured to acquire a verification result of the access token;
the second verification unit is used for acquiring a verification result of the third-party application information; the third-party application information comprises an identification ID (identity) distributed to the third-party application by an open portal module, a key distributed to the third-party application by the open portal module and a callback address acquired when the third-party application is registered in the open portal module;
and the sending unit is used for returning the protected resource data to the third-party application if the verification results of the access token and the third-party application information are both passed.
8. The apparatus according to claim 7, wherein the first verification unit is specifically configured to verify the access token through an authorization service module, and obtain a verification result returned by the authorization service module.
9. The apparatus according to claim 7, wherein the second verification unit is specifically configured to verify the third-party application information through an open portal module, and obtain a verification result returned by the open portal module.
10. A unified open platform, comprising:
the authorization gateway service module is used for receiving request data sent by a third party application; the request data carries an access token and third-party application information; obtaining a verification result of the access token; obtaining a verification result of the third-party application information; the third-party application information comprises an identification ID (identity) distributed to the third-party application by an open portal module, a key distributed to the third-party application by the open portal module and a callback address registered in the open portal module for the third-party application; if the verification results of the access token and the third-party application information are both passed, returning protected resource data to the third-party application;
the authorization service module is used for verifying the access token in the request data and returning the verification result of the access token to the authorization gateway service module;
the open portal module is used for verifying the third-party application information and returning a verification result of the third-party application information to the authorization gateway service module;
and the protected resource service module is used for receiving a data request of the authorization gateway service module for the protected resource data and returning the requested protected resource data to the authorization gateway service module.
CN202210282919.9A 2022-03-22 2022-03-22 Protected resource data acquisition method and device and unified open platform Pending CN114640472A (en)


Publications (1)

Publication Number Publication Date
CN114640472A true CN114640472A (en) 2022-06-17

Family

ID=81950677


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024065453A1 (en) * 2022-09-29 2024-04-04 北京小米移动软件有限公司 Resource calling method and apparatus

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103716326A (en) * 2013-12-31 2014-04-09 华为技术有限公司 Resource access method and URG
US20150150109A1 (en) * 2013-11-27 2015-05-28 Adobe Systems Incorporated Authenticated access to a protected resource using an encoded and signed token
CN106230838A (en) * 2016-08-04 2016-12-14 中国银联股份有限公司 A kind of third-party application accesses the method and apparatus of resource
WO2017067227A1 (en) * 2015-10-22 2017-04-27 乐视控股(北京)有限公司 Third party account number authorisation method, device, server, and system
CN107332861A (en) * 2017-08-11 2017-11-07 杭州亿方云网络科技有限公司 A kind of open platform architecture system based on OAuth agreements
CN112564916A (en) * 2020-12-01 2021-03-26 上海艾融软件股份有限公司 Access client authentication system applied to micro-service architecture


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination