CN114826777B - Identity authentication method, identity authentication device, computer equipment and storage medium - Google Patents


Info

Publication number: CN114826777B
Application number: CN202210638575.0A
Authority: CN (China)
Prior art keywords: access object, authentication, request, identity authentication, identity
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114826777A (en)
Inventors: 何明慧, 申乐, 何涛, 杨淑玲
Original and current assignee: Industrial and Commercial Bank of China Ltd (ICBC)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority
    • H04L 9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos


Abstract

The application relates to an identity authentication method, device, computer device, storage medium and computer program product that can be used in the field of information security. The identity authentication method comprises the following steps: after receiving an identity authentication request from a first access object, a scheduling module sends the request to one of a plurality of authentication nodes based on a preset load balancing policy; the authentication node authenticates the first access object according to the credentials carried by the request and, if authentication passes, encapsulates the feature information of the first access object to obtain a feature token corresponding to the first access object; and the authentication node sends that feature token to a shared storage module for storage, so that when other authentication nodes among the plurality of authentication nodes receive an identity authentication request from the first access object, they verify the first access object based on the feature token held in the shared storage module. With this method, authentication efficiency can be improved and the maintenance difficulty of the authentication resource data can be reduced.

Description

Identity authentication method, identity authentication device, computer equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to an identity authentication method, an identity authentication device, a computer device, a storage medium, and a computer program product.
Background
With the growing popularity of internet applications, authenticating access objects in order to secure data interaction is becoming more common and more important.
In the conventional technology, as the number of access objects to be authenticated keeps increasing, the overall authentication capability of the system can be raised by adding authentication servers in order to reduce the processing pressure on each server; each authentication server authenticates access objects on its own and, after authentication, keeps the feature information or authentication result of the access objects locally.
However, this approach still struggles to relieve the single-point pressure of system authentication, and it suffers from low authentication efficiency.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an identity authentication method, apparatus, computer device, computer-readable storage medium, and computer program product that improve authentication efficiency.
In a first aspect, the present application provides an identity authentication method. The method comprises the following steps:
acquiring an identity authentication request for a first access object sent by a scheduling module, wherein the scheduling module is configured to send the identity authentication request to one of a plurality of authentication nodes based on a preset load balancing policy after receiving the identity authentication request from the first access object;
authenticating the first access object according to the credentials carried by the identity authentication request and, if the authentication passes, encapsulating the feature information of the first access object to obtain a feature token corresponding to the first access object;
and sending the feature token corresponding to the first access object to a shared storage module for storage, so that when other authentication nodes among the plurality of authentication nodes receive an identity authentication request from the first access object, they verify the first access object based on the feature token corresponding to the first access object held in the shared storage module.
In one embodiment, the sending the feature token corresponding to the first access object to the shared storage module for storage includes:
naming the feature token corresponding to the first access object according to a preset naming rule to obtain a token identifier;
and sending the feature token and the token identifier corresponding to the first access object to the shared storage module, triggering the shared storage module to store the feature token corresponding to the first access object in unstructured form, keyed by the token identifier.
In one embodiment, the sending the feature token corresponding to the first access object to the shared storage module for storage includes:
if the shared storage module already stores a historical feature token corresponding to the first access object, sending the feature token corresponding to the first access object to the shared storage module and triggering the shared storage module to replace the historical feature token with the feature token corresponding to the first access object.
In one embodiment, encapsulating the feature information of the first access object to obtain the corresponding feature token when the authentication passes includes:
acquiring identity information of the first access object;
acquiring authentication time information and authentication node information of the current authentication node, and generating encryption information from the authentication time information and the authentication node information;
and packaging the identity information and the encryption information in a preset packaging format to obtain the feature token.
In one embodiment, the method further comprises:
acquiring an identity authentication request for a second access object sent by the scheduling module;
if the second access object has passed authentication, acquiring the feature token corresponding to the second access object from the shared storage module;
parsing the feature token corresponding to the second access object, and verifying the second access object according to the parsed feature information.
In one embodiment, the method further comprises:
if the second access object passes verification, acquiring an updated feature token for the second access object;
and sending the updated feature token to the shared storage module, triggering the shared storage module to replace the feature token corresponding to the second access object with the updated feature token.
In a second aspect, the application also provides an identity authentication method. The method comprises the following steps:
acquiring an identity authentication request from an access object;
sending the identity authentication request to one of a plurality of authentication nodes based on a preset load balancing policy;
wherein the authentication node is configured to authenticate the access object according to the credential carried by the identity authentication request, to encapsulate the feature information of the access object to obtain a corresponding feature token when authentication passes, and to send that feature token to a shared storage module for storage, so that when other authentication nodes among the plurality of authentication nodes receive an identity authentication request from the access object, they verify the access object based on the feature token held in the shared storage module.
In one embodiment, the sending the identity authentication request to an authentication node of a plurality of authentication nodes based on a preset load balancing policy includes:
acquiring the request distribution sequence of the plurality of authentication nodes, and determining the historical authentication node that handled the previous identity authentication request;
and determining the current target authentication node from the request distribution sequence and the historical authentication node, and sending the identity authentication request to the target authentication node.
In one embodiment, the obtaining the authentication request of the access object includes:
receiving a plurality of network requests and filtering them to obtain at least one network request aimed at a target system;
filtering the at least one network request to obtain the service processing requests among them;
and obtaining the identity authentication request of the access object from the service processing request.
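The scheduling module of the second aspect, as an added illustration that is not ICBC's code: the two-stage filter (target system, then service processing requests) and the round-robin choice of the target node from the request distribution sequence and the historical authentication node, including the first request and the case where the historical node has left the sequence. Assumed, not from the patent: a network request is a dict with "source", "target", "type" and "credential" keys, "service" marks a service processing request, and node names are strings.

```python
from typing import List, Optional


class Scheduler:
    """Round-robin dispatch over the request distribution sequence, driven by
    the historical authentication node (the node that got the previous request)."""

    def __init__(self, distribution_sequence: List[str]):
        self.nodes = list(distribution_sequence)   # request distribution sequence
        self.history_node: Optional[str] = None    # node that handled the last request

    def next_node(self) -> str:
        if not self.nodes:
            raise RuntimeError("no authentication node in the distribution sequence")
        if self.history_node not in self.nodes:
            idx = 0  # first request, or the historical node left the cluster: restart
        else:
            idx = (self.nodes.index(self.history_node) + 1) % len(self.nodes)
        self.history_node = self.nodes[idx]
        return self.history_node


def extract_auth_requests(network_requests, target_system: str):
    """Two-stage filter: keep requests aimed at the target system, then keep only
    service processing requests (those that carry a credential), and derive the
    identity authentication request (access object plus credential) from each."""
    for_target = [r for r in network_requests if r.get("target") == target_system]
    service = [r for r in for_target if r.get("type") == "service" and r.get("credential")]
    return [{"access_object": r["source"], "credential": r["credential"]} for r in service]


def dispatch(scheduler: Scheduler, network_requests, target_system: str):
    """Return (identity authentication request, chosen node) pairs in arrival order."""
    return [(req, scheduler.next_node())
            for req in extract_auth_requests(network_requests, target_system)]


# Constructed sample traffic (not from the patent): three service requests for the
# "payment" system, one static request without a credential, one for another system.
SAMPLE_NETWORK_REQUESTS = [
    {"source": "10.1.2.3", "target": "payment", "type": "service", "credential": ("alice", "pw1")},
    {"source": "10.1.2.4", "target": "payment", "type": "static", "credential": None},
    {"source": "10.1.2.5", "target": "reporting", "type": "service", "credential": ("bob", "pw2")},
    {"source": "10.1.2.6", "target": "payment", "type": "service", "credential": ("carol", "pw3")},
    {"source": "10.1.2.7", "target": "payment", "type": "service", "credential": ("dave", "pw4")},
]

if __name__ == "__main__":
    sched = Scheduler(["auth-1", "auth-2", "auth-3"])
    for req, node in dispatch(sched, SAMPLE_NETWORK_REQUESTS, "payment"):
        print(req["access_object"], "->", node)
```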
In a third aspect, the application further provides an identity authentication device. The device comprises:
an acquisition module configured to acquire an identity authentication request for a first access object sent by a scheduling module, wherein the scheduling module is configured to send the identity authentication request to one of a plurality of authentication nodes based on a preset load balancing policy after receiving the identity authentication request from the first access object;
an authentication module configured to authenticate the first access object according to the credentials carried by the identity authentication request and, if the authentication passes, to encapsulate the feature information of the first access object to obtain a feature token corresponding to the first access object;
and a sending module configured to send the feature token corresponding to the first access object to the shared storage module for storage, so that when other authentication nodes among the plurality of authentication nodes receive an identity authentication request from the first access object, they verify the first access object based on the feature token corresponding to the first access object held in the shared storage module.
In a fourth aspect, the application also provides an identity authentication device. The device comprises:
a receiving module configured to acquire an identity authentication request from an access object;
a scheduling module configured to send the identity authentication request to one of a plurality of authentication nodes based on a preset load balancing policy;
wherein the authentication node is configured to authenticate the access object according to the credential carried by the identity authentication request, to encapsulate the feature information of the access object to obtain a corresponding feature token when authentication passes, and to send that feature token to a shared storage module for storage, so that when other authentication nodes among the plurality of authentication nodes receive an identity authentication request from the access object, they verify the access object based on the feature token held in the shared storage module.
In a fifth aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor that implements the steps of the method according to any one of the preceding claims when it executes the computer program.
In a sixth aspect, the present application also provides a computer-readable storage medium. The computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the method according to any one of the preceding claims.
In a seventh aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of the method according to any one of the preceding claims.
With the identity authentication method, device, computer device, computer-readable storage medium and computer program product above, the scheduling module, after receiving an identity authentication request from the first access object, sends the request to one of a plurality of authentication nodes based on a preset load balancing policy; after acquiring the request, the authentication node authenticates the first access object according to the credentials carried by the request and, if authentication passes, encapsulates the feature information of the first access object to obtain the corresponding feature token; and the feature token corresponding to the first access object is sent to the shared storage module for storage, so that when other authentication nodes among the plurality of authentication nodes receive an identity authentication request from the first access object, they verify it based on the feature token held in the shared storage module.
In this embodiment, the scheduling module allocates identity authentication requests according to a load balancing policy, so that requests from the same routing-rule source are not all allocated to the same authentication node; this relieves the authentication pressure on each authentication node and improves the authentication efficiency for access objects. On the other hand, the feature tokens are stored centrally in the shared storage module, so that all authentication nodes hold the same information and any other authentication node can readily handle an identity authentication request from the access object; this improves authentication efficiency, reduces the storage pressure on the authentication nodes, and thereby improves authentication efficiency further. Data scattering is reduced, and with it the maintenance difficulty of the authentication resource data.
Drawings
FIG. 1 is an application environment diagram of an identity authentication method in one embodiment;
FIG. 2 is a flow chart of an identity authentication method according to one embodiment;
FIG. 3 is a flowchart of an identity authentication method according to another embodiment;
FIG. 4 is a flowchart of an authentication method according to another embodiment;
FIG. 5 is a diagram of an application environment of an authentication method according to another embodiment;
FIG. 6 is a diagram of an application environment of an authentication method according to another embodiment;
FIG. 7 is a block diagram of an identity authentication device according to one embodiment;
FIG. 8 is a block diagram of an authentication device according to another embodiment;
FIG. 9 is an internal block diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The identity authentication method, device, computer device, storage medium and computer program product can be used in the field of information security and also in any other field; their fields of application are not limited.
The identity authentication method provided by the embodiments of the application can be applied in the application environment shown in FIG. 1. The application environment may comprise an authentication system, which includes a scheduling module 1, a distributed authentication cluster 2 and a shared storage module 3; the distributed authentication cluster 2 is connected to both the scheduling module 1 and the shared storage module 3, and comprises a plurality of authentication nodes.
In practical application, after receiving the identity authentication request of the first access object, the scheduling module 1 may send the identity authentication request to one authentication node of the plurality of authentication nodes based on a preset load balancing policy.
After acquiring the identity authentication request, the authentication node may authenticate the first access object according to the credentials carried by the request and, if authentication passes, encapsulate the feature information of the first access object to obtain the corresponding feature token, which it then sends to the shared storage module 3.
After receiving the feature token corresponding to the first access object, the shared storage module 3 may store it, so that when other authentication nodes among the plurality of authentication nodes receive an identity authentication request from the first access object, they can obtain the feature token corresponding to the first access object from the shared storage module 3 and verify the first access object with it.
Optionally, the scheduling module 1 and the shared storage module 3 of the authentication system may each be implemented by a separate server or by a server cluster made up of a plurality of servers.
In one embodiment, as shown in fig. 2, an identity authentication method is provided, which is illustrated by taking as an example that the method is applied to any authentication node in the distributed authentication cluster 2 in fig. 1, and includes the following steps:
step S202, an authentication request for the first access object sent by a scheduling module is obtained, and the scheduling module is configured to send the authentication request to an authentication node of the plurality of authentication nodes based on a preset load balancing policy after receiving the authentication request for the first access object.
As an example, the first access object may be a terminal device in the internet.
In practical application, before the first access object accesses the target system, it is authenticated by the authentication system, and the subsequent operations are performed only after authentication passes. Specifically, before accessing the target system, the first access object sends an identity authentication request to the authentication system; the scheduling module of the authentication system receives identity authentication requests from the different access objects, and after receiving the request from the first access object it determines, from the plurality of authentication nodes and based on the preset load balancing policy, the authentication node that will handle that request, and then forwards the identity authentication request of the first access object to that node.
Step S204, the first access object is authenticated according to the credentials carried by the identity authentication request, and the characteristic information of the first access object is packaged under the condition that the authentication is passed, so as to obtain the characteristic token corresponding to the first access object.
In this step, after receiving the identity authentication request of the first access object, the authentication node may read the credential of the first access object from the request, where the credential may include, for example, the account number and password of the first access object; the authentication node then authenticates the first access object against the credential. If the authentication result is "passed", the authentication node determines the feature information of the first access object and encapsulates it to obtain the corresponding feature token. If the authentication result is "not passed", the access operation of the first access object is blocked and the first access object is notified that authentication failed.
Step S206, the feature token corresponding to the first access object is sent to the shared storage module for storage, so that when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the first access object, the first access object is checked based on the feature token corresponding to the first access object in the shared storage module.
In a specific implementation, after the authentication node obtains the feature token, it may send the token to the shared storage module for storage; when another authentication node later receives an identity authentication request from the already authenticated first access object, it may query the shared storage module for the feature token of the first access object and verify the first access object against that token.
According to the identity authentication method, after the scheduling module receives the identity authentication request from the first access object, it sends the request to one of a plurality of authentication nodes based on a preset load balancing policy; after acquiring the request, the authentication node authenticates the first access object according to the credentials carried by the request and, if authentication passes, encapsulates the feature information of the first access object to obtain the corresponding feature token, and sends that feature token to the shared storage module for storage, so that when other authentication nodes among the plurality of authentication nodes receive an identity authentication request from the first access object, they verify the first access object based on the feature token held in the shared storage module.
In this embodiment, the scheduling module allocates identity authentication requests according to a load balancing policy, so that requests from the same routing-rule source are not all allocated to the same authentication node; this relieves the authentication pressure on each authentication node and improves the authentication efficiency for access objects. On the other hand, the feature tokens are stored centrally in the shared storage module, so that all authentication nodes hold the same information and any other authentication node can readily handle an identity authentication request from the access object; this improves authentication efficiency, reduces the storage pressure on the authentication nodes, and thereby improves authentication efficiency further. Data scattering is reduced, and with it the maintenance difficulty of the authentication resource data.
In one embodiment, the sending, in step S206, the feature token corresponding to the first access object to the shared storage module for storage may include:
Step S2061, naming the feature token corresponding to the first access object according to a preset rule to obtain a token identifier.
In an example, the token identifier may be a character string used to distinguish individual feature tokens. In this step, the authentication node may name the feature tokens in the order in which they were obtained, yielding the token identifier of the feature token corresponding to the first access object.
Step S2062, sending the feature token and the token identifier corresponding to the first access object to the shared storage module, and triggering the shared storage module to store the feature token corresponding to the first access object in unstructured form, keyed by the token identifier.
In an example, unstructured storage means storing the data without imposing a structured database schema. In this step, the authentication node may send the feature token and the token identifier corresponding to the first access object to the shared storage module; after receiving them, the shared storage module associates the token identifier of the first access object with its feature token and stores them in unstructured form.
In this embodiment, the feature token may be named according to a unified rule to obtain the token identifier corresponding to the first access object, and the token identifier and the feature token are then sent to the shared storage module, triggering it to store them in unstructured form based on the token identifier.
Since the feature tokens of all access objects are stored in the shared storage module together with their storage time, expired feature tokens can be cleaned up according to the access frequency and/or storage time of each token; this reduces memory fragmentation, shortens the time needed to traverse the feature tokens, and improves the authentication efficiency for access objects.
In one embodiment, sending the feature token corresponding to the first access object to the shared storage module for storage in step S206 may include:
Step S2063, if the shared storage module already stores a historical feature token corresponding to the first access object, sending the feature token corresponding to the first access object to the shared storage module and triggering the shared storage module to replace the historical feature token with the feature token corresponding to the first access object.
In an example, the historical feature token is the feature token generated the last time an authentication node determined that the first access object passed authentication or verification. In this embodiment, if the shared storage module already stores a historical feature token corresponding to the first access object, the feature token corresponding to the first access object is sent to the shared storage module, which is triggered to overwrite the historical feature token with it. If no historical feature token corresponding to the first access object is stored in the shared storage module, the feature token corresponding to the first access object is sent to the shared storage module and stored as new.
In this embodiment, overwriting the historical feature token ensures that the shared storage module holds the latest feature token, so that other authentication nodes can verify the first access object conveniently and verification errors caused by a stale feature token are avoided, which further improves authentication efficiency.
In one embodiment, in step 204, when the authentication is passed, the encapsulating the feature information of the first access object to obtain the feature token corresponding to the first access object may include:
Step S2041, identity information of the first access object is acquired.
In an example, the identity information may characterize an identity of the access object and may be used to uniquely identify a particular access object. The identity information includes, for example, a name, an identity, and communication information of the first access object. The communication information may be, but is not limited to, a telephone number.
In this step, the authentication node may obtain the identity information of the first access object when authentication is passed, for example, the identity information may be searched from a database according to an account number of the first access object, or when the first access object generates an identity authentication request, the corresponding identity information may be added to the identity authentication request, so that the authentication node may obtain the identity information of the first access object from the identity authentication request.
Step S2042, acquiring authentication time information and authentication node information of the current authentication node, and generating encryption information according to the authentication time information and the authentication node information.
In an example, the authentication time information may be a time when the current authentication node performs authentication processing on the first access object, and the authentication node information may include address information of the current authentication node; the encryption information may be an encryption string, which may be formed by concatenating authentication time information and authentication node information. In addition, the authentication node information may further include a service function and a processing module, the service function is an application service layer name, and the processing module is an application processing layer name.
In a specific implementation, when the authentication node performs identity authentication on the first access object, it may also record the current authentication time information and generate the encryption information from the authentication node information and the authentication time information; for example, the authentication node information and the authentication time information may be concatenated, and the resulting character string used as the encryption string, i.e. the encryption information.
Step S2043, the identity information and the encryption information are packaged in a preset packaging format to obtain the feature token.
As an example, the encapsulation format may include a header, a payload, a signature.
In this step, the identity information and the encrypted information may be combined, and the combined information is encapsulated into a payload, and then the header, the payload, and the signature form a feature token.
In this embodiment, the way the feature token is generated allows the identity information to be encrypted, so that the risk of privacy leakage during authentication is reduced and the security of identity authentication is improved. Because all authentication nodes use the same packaging format, subsequent parsing of the feature token is simplified and the identity authentication efficiency can be effectively improved.
In one embodiment, the method may further comprise:
Step S208, an identity authentication request for the second access object, sent by the scheduling module, is obtained.
Step S210, if the second access object is authenticated, the feature token corresponding to the second access object is obtained from the shared storage module.
In this embodiment, the authentication node may obtain, from the scheduling module, the identity authentication request of another access object; to distinguish it from the first access object, this access object is referred to as the second access object. If the second access object has already been authenticated, for example its identity has been authenticated by another authentication node in the authentication system and the authentication has passed, the current authentication node may obtain the feature token corresponding to the second access object from the shared storage module. For example, the token identifier of the feature token of the second access object may be determined, and the feature token corresponding to the second access object then obtained from the shared storage module through that token identifier.
Step S212, the feature token corresponding to the second access object is parsed, and the second access object is verified according to the parsed feature information.
After obtaining the feature token of the second access object, the authentication node can parse it and verify the second access object according to the feature information in the parsed token.
Through these steps, the authentication node that verifies the second access object can differ from the authentication node that originally processed its identity authentication request, so the identity authentication requests of one access object are not bound to a single authentication node, the authentication time of the access object is shortened, and the authentication efficiency of the access object is improved.
In one embodiment, the method may further comprise:
Step S214, if the second access object passes verification, an updated feature token of the second access object is obtained.
In an example, if the second access object passes verification, the feature token of the second access object may be updated by obtaining the authentication time information and authentication node information of the current authentication node, generating encryption information from them, and updating the feature token according to that encryption information to obtain the updated feature token. If the second access object fails verification, verification-failure information is fed back to the second access object.
Step S216, the updated feature token is sent to the shared storage module, and the shared storage module is triggered to update the feature token corresponding to the second access object in the shared storage module by adopting the updated feature token.
By the method, the shared storage module can be ensured to store the latest feature token, so that other authentication nodes can check the second access object conveniently, the phenomenon of checking errors caused by untimely updating of the feature token is avoided, and the authentication efficiency of the access object is further improved.
In order that those skilled in the art may better understand the above steps, an embodiment of the present application will be described below by way of an example, but it should be understood that the embodiment of the present application is not limited thereto.
As shown in fig. 3, after receiving an identity authentication request of an access object, an authentication node authenticates the access object through credentials carried by the identity authentication request, and if the authentication is passed, an encryption string is obtained, and identity information of the access object is combined with the encryption string to obtain a feature token.
And then, the authentication node detects whether the history feature token corresponding to the access object exists in the shared storage module, and when detecting that the history feature token corresponding to the access object is stored in the shared storage module, the authentication node sends the feature token to the shared storage module and the resource storage module to trigger the shared storage module and the resource storage module to update the history feature token by adopting the feature token.
When the authentication node determines that the history feature token corresponding to the access object is not stored in the shared storage module, the authentication node sends the feature token to the shared storage module and the resource storage module, and triggers the shared storage module and the resource storage module to store the feature token.
If the authentication node determines, according to the credentials carried by the identity authentication request, that the access object fails authentication, the access operation of the access object is blocked and the access object is notified of the authentication failure.
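The token generation of steps S2041-S2043, the store-or-overwrite behaviour of the shared storage module (step S2063 and the expiry cleanup described above), and the fetch, parse, verify and re-issue flow of steps S208-S216, as an added example; this is illustrative Python, not code from the patent. Assumed here, since the page does not specify them: HMAC-SHA256 as the signature over the header and payload, a signing key shared by all authentication nodes, "|" as the concatenation separator of the "encryption string", and a token identifier derived from the access object's unique id; note that the page's "encryption information" is a plain concatenation, so the identity data in the payload is protected by the signature against tampering but not hidden from whoever can read the store.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed cluster-wide signing key (assumption: every authentication node holds it).
SHARED_SIGNING_KEY = b"constructed-cluster-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_encryption_string(node: dict, auth_time: int) -> str:
    """Step S2042: the page's 'encryption information' is node address, service function,
    processing module and authentication time concatenated (separator is an assumption)."""
    return "|".join([node["address"], node["service"], node["module"], str(auth_time)])


def build_feature_token(identity: dict, enc: str, key: bytes = SHARED_SIGNING_KEY) -> str:
    """Step S2043: header.payload.signature, the payload combining identity and encryption info.
    HMAC-SHA256 is an assumed signature scheme; the page names none."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "FT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"identity": identity, "enc": enc},
                                 separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def parse_feature_token(token: str, key: bytes = SHARED_SIGNING_KEY) -> Optional[dict]:
    """Step S212: verify the signature before trusting any parsed feature information."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed encoding is treated like a bad signature


def token_identifier(access_id: str) -> str:
    """Unified naming rule (assumed): derived from the access object's unique id."""
    return "ft:" + hashlib.sha256(access_id.encode()).hexdigest()[:16]


class SharedStorage:
    """Unstructured store keyed by token identifier; records store time and access count
    so expired tokens can be cleaned by storage time and access frequency."""

    def __init__(self) -> None:
        self._entries: Dict[str, dict] = {}

    def put(self, tid: str, token: str, now: int) -> None:
        # Step S2063: overwrite the history token if one exists, keeping its hit count.
        prev = self._entries.get(tid)
        self._entries[tid] = {"token": token, "stored_at": now, "hits": prev["hits"] if prev else 0}

    def get(self, tid: str) -> Optional[str]:
        entry = self._entries.get(tid)
        if entry is None:
            return None
        entry["hits"] += 1
        return entry["token"]

    def purge(self, now: int, max_age: int, idle_age: int) -> int:
        """Remove tokens older than max_age, or never-read tokens older than idle_age."""
        stale = [tid for tid, e in self._entries.items()
                 if now - e["stored_at"] > max_age
                 or (e["hits"] == 0 and now - e["stored_at"] > idle_age)]
        for tid in stale:
            del self._entries[tid]
        return len(stale)


def authenticate_and_store(store: SharedStorage, identity: dict, credential_ok: bool,
                           node: dict, now: int) -> Optional[str]:
    """Steps 204-206 / fig. 3: on success, package identity + encryption info and store the token."""
    if not credential_ok:
        return None  # access blocked; the access object is notified of the failure
    token = build_feature_token(identity, make_encryption_string(node, now))
    tid = token_identifier(identity["id"])
    store.put(tid, token, now)
    return tid


def verify_at_other_node(store: SharedStorage, access_id: str, node: dict, now: int) -> bool:
    """Steps S208-S216: another node fetches, parses and checks the token, then re-issues it
    with its own node information and time so the shared store holds the latest token."""
    tid = token_identifier(access_id)
    token = store.get(tid)
    if token is None:
        return False
    feat = parse_feature_token(token)
    if feat is None or feat.get("identity", {}).get("id") != access_id:
        return False
    store.put(tid, build_feature_token(feat["identity"], make_encryption_string(node, now)), now)
    return True
```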
In one embodiment, as shown in fig. 4, an identity authentication method is provided, and the method is applied to the scheduling module in fig. 1 for illustration, and includes the following steps:
Step 302, an identity authentication request of an access object is obtained.
In practical application, the scheduling module can receive an identity authentication request of an access object sent by a terminal; the terminal may be, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices.
In this example, the identity authentication request sent by the terminal is decoupled from the authentication node through the scheduling module, so that the identity authentication request sent by the terminal is not sent directly to the authentication node; this reduces the risk of the authentication node being exposed to the Internet and ensures the security of service processing and the confidentiality of data.
Step 304, an identity authentication request is sent to an authentication node of the plurality of authentication nodes based on a preset load balancing policy.
The authentication nodes are used for authenticating the access object according to credentials carried by the identity authentication request, and packaging feature information of the access object under the condition that authentication is passed to obtain a feature token corresponding to the access object, and sending the feature token corresponding to the access object to the shared storage module for storage, so that when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the access object, the access object is checked based on the feature token corresponding to the access object in the shared storage module.
As an example, after receiving an authentication request of an access object, the scheduling module determines an authentication node for processing the authentication request of the access object from a plurality of authentication nodes according to a preset load balancing policy, and then sends the authentication request of the access object to the authentication node.
According to the identity authentication method, after receiving the identity authentication request of the first access object, the scheduling module sends the identity authentication request to one authentication node in a plurality of authentication nodes based on a preset load balancing strategy; after the authentication node acquires the identity authentication request, authenticating the first access object according to the credentials carried by the identity authentication request, and packaging the characteristic information of the first access object under the condition that the authentication is passed to obtain a characteristic token corresponding to the first access object; and sending the feature token corresponding to the first access object to the shared storage module for storage so as to verify the first access object based on the feature token corresponding to the first access object in the shared storage module when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the first access object. 
In this embodiment, the scheduling module may allocate an identity authentication request according to a load balancing policy, so as to avoid that the identity authentication request from the same routing rule source is allocated to the same authentication node, thereby alleviating authentication pressure of each authentication node and improving authentication efficiency of an access object; on the other hand, the feature tokens are uniformly stored through the shared storage module, so that the information of each authentication node is symmetrical, the other authentication nodes can conveniently execute the identity authentication request of the access object, the authentication efficiency of the access object is improved, the storage pressure of the authentication nodes can be reduced, and the authentication efficiency of the access object is further improved; the data scattering phenomenon can be reduced, and the maintenance difficulty of the authentication resource data is reduced.
In one embodiment, the step 304 of sending the identity authentication request to an authentication node of the plurality of authentication nodes based on a preset load balancing policy includes:
Step 3041, the request allocation order of the plurality of authentication nodes is obtained, and the history authentication node that processed the last identity authentication request is determined.
As an example, the request allocation order may be an order in which the plurality of authentication nodes acquire and process the identity authentication requests. For example, there are 3 authentication nodes in the distributed authentication cluster, which are respectively a first authentication node, a second authentication node, and a third authentication node, and the request allocation order is set according to the order of the first authentication node, the second authentication node, and the third authentication node, so that when the 3 authentication nodes receive multiple identity authentication requests, the requests are sequentially acquired according to the order.
Step 3042, determining the current target authentication node according to the request distribution sequence and the history authentication node, and sending the identity authentication request to the target authentication node.
As an example, if the history authentication node that processed the previous identity authentication request is the second authentication node, the current target authentication node is the third authentication node, and the identity authentication request is sent to the third authentication node to perform the authentication of the current identity authentication request.
For example, as shown in fig. 5, after acquiring multiple identity authentication requests, the scheduling module may allocate the multiple identity authentication requests to each authentication node according to a processing sequence (i.e., a request allocation order) based on a Round-Robin load scheduling policy.
In this embodiment, through the request allocation sequence of the authentication nodes and the history authentication nodes of the last authentication request, each authentication request can be allocated to each authentication node in an equalizing manner, so that the authentication requests from the same routing rule source cannot be loaded to the same authentication node for authentication processing, excessive accumulation of the authentication requests by a single authentication node is avoided, the authentication efficiency of an access object is improved, the processing pressure of the authentication node can be reduced, and the failure of the authentication node is avoided.
In one embodiment, the step 302 of obtaining an identity authentication request of an access object includes:
Step 3021, a plurality of network requests are received and filtered to obtain at least one network request for the target system.
In a specific implementation, the scheduling module may receive multiple network requests from different terminal devices, where the multiple network requests may be network requests for different systems, for example, network requests for system a, system B, and system C may all be first collected into the scheduling module for processing.
The scheduling module may further filter the plurality of network requests to obtain at least one network request for the target system, where the target system may be the authentication system of the above embodiment. For example, the scheduling module may invoke an isolation gateway to perform this filtering.
Step 3022, filtering the at least one network request to obtain a service processing request in the at least one network request.
As an example, the service processing request may be a request requiring authentication of the access object, e.g., a transfer request, an account balance preview request.
Specifically, the network requests passed by the isolation gateway may still include processing requests that do not require authenticating the identity of the access object, such as consultation requests and information browsing requests. The scheduling module can therefore use a service gateway to filter the network requests passed by the isolation gateway again and screen out the service processing requests.
Step 3023, obtaining an authentication request of the access object based on the service processing request.
In this embodiment, a plurality of network requests are received and filtered by an isolation gateway to obtain at least one network request for the authentication system shown in fig. 1; the at least one network request is then filtered again by a service gateway to obtain the service processing requests, and the identity authentication request of the access object is obtained based on the service processing request. Through this two-stage filtering, interference from other requests is avoided, the processing pressure on the authentication node is reduced, and the authentication efficiency of the access object is improved.
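The scheduling module's two-stage filtering (steps 3021-3023) followed by round-robin allocation using the request allocation order and the history authentication node (steps 3041-3042), as an added example; this is illustrative Python, not code from the patent. The request fields, the set of request kinds that count as service processing requests, and the node names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: request kinds that are service processing requests and need identity authentication.
SERVICE_KINDS = {"transfer", "balance"}


@dataclass
class NetworkRequest:
    source: str          # constructed client identifier (the access object)
    target_system: str   # system the request is addressed to
    kind: str            # "transfer", "balance", "consult", "browse", ...
    credential: str      # credential carried by the request


def isolation_gateway_filter(requests: List[NetworkRequest], target_system: str) -> List[NetworkRequest]:
    """Step 3021: keep only the network requests addressed to the target (authentication) system."""
    return [r for r in requests if r.target_system == target_system]


def service_gateway_filter(requests: List[NetworkRequest]) -> List[NetworkRequest]:
    """Step 3022: keep only service processing requests, i.e. those that need authentication."""
    return [r for r in requests if r.kind in SERVICE_KINDS]


def to_identity_request(req: NetworkRequest) -> Dict[str, str]:
    """Step 3023: derive the identity authentication request from a service processing request."""
    return {"access_object": req.source, "credential": req.credential, "operation": req.kind}


class RoundRobinScheduler:
    """Steps 3041-3042: the target is the node after the history node in the allocation order."""

    def __init__(self, allocation_order: List[str]) -> None:
        if not allocation_order:
            raise ValueError("at least one authentication node is required")
        self.allocation_order = list(allocation_order)
        self.history_node: Optional[str] = None  # node that processed the last request

    def next_target(self) -> str:
        if self.history_node is None or self.history_node not in self.allocation_order:
            index = 0  # first request, or the history node has left the cluster
        else:
            index = (self.allocation_order.index(self.history_node) + 1) % len(self.allocation_order)
        self.history_node = self.allocation_order[index]
        return self.history_node

    def dispatch(self, requests: List[NetworkRequest],
                 target_system: str) -> List[Tuple[str, Dict[str, str]]]:
        """Two-stage filtering, then one target node per identity request; returns (node, request)."""
        for_system = isolation_gateway_filter(requests, target_system)
        service_requests = service_gateway_filter(for_system)
        return [(self.next_target(), to_identity_request(r)) for r in service_requests]
```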
It should be understood that, although the steps in the flowcharts related to the above embodiments are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to that order and may be executed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with at least some of the other steps or stages.
In order that those skilled in the art may better understand the above steps, an embodiment of the present application will be described below by way of an example, but it should be understood that the embodiment of the present application is not limited thereto.
The present embodiment can be applied to an application environment as shown in fig. 6. The application environment may comprise an authentication system comprising a scheduling module 1, a distributed authentication cluster 2, a shared storage module 3, a resource storage module 4.
The scheduling module 1 may receive a plurality of network requests sent from the terminal in advance, and filter the plurality of network requests by using the isolation gateway to obtain a plurality of network requests for the system of fig. 6, and then filter the plurality of network requests by using the service gateway to obtain a service processing request in the plurality of network requests, so that an identity authentication request of the access object may be obtained based on the service processing request.
Then, the scheduling module 1 may acquire a request allocation sequence of each authentication node in the distributed authentication cluster, determine a history authentication node that processes a last authentication request, further determine a current target authentication node according to the request allocation sequence and the history authentication node, and send the authentication request to the target authentication node.
The target authentication node can authenticate the access object according to the credentials carried by the identity authentication request, and encapsulates the characteristic information of the access object under the condition that the authentication passes to obtain the characteristic token corresponding to the access object; illustratively, the target authentication node may obtain identity information of the access object; acquiring authentication time information and authentication node information of a current authentication node, and generating encryption information according to the authentication time information and the authentication node information; and packaging the identity information and the encryption information by adopting a preset packaging format to obtain the characteristic token.
Then, the target authentication node can send the feature token corresponding to the access object to the shared storage module for storage, and feed back the feature token corresponding to the access object to the terminal corresponding to the access object; the target authentication node may name the feature token corresponding to the access object according to a preset rule, so as to obtain a token identifier; and transmitting the feature token and the token identification corresponding to the access object to the shared storage module.
The shared storage module 3 may perform unstructured storage on the feature token corresponding to the access object and the hotspot data with high access frequency.
When another authentication node receives an identity authentication request of the access object, it verifies the access object based on the feature token corresponding to the access object in the shared storage module; when a request to process the hot spot data with high access frequency is received, the request is processed based on the hot spot data in the shared storage module, and the processing result is fed back to the terminal corresponding to the access object.
The resource storage module 4 may store the feature token, the data record, the system white list, and the log file generated by the distributed authentication cluster 2, and feed back the storage result to the distributed authentication cluster.
The scheduling module can decouple the identity authentication request sent by the terminal from the authentication nodes, so that the request is not sent directly to the authentication nodes, and then send the identity authentication request to one of the plurality of authentication nodes through a load balancing policy, preventing identity authentication requests from the same routing rule source from being allocated to the same authentication node; this relieves the authentication pressure on each authentication node, improves the authentication efficiency of the access object and reduces the probability of authentication node failure. The feature tokens are stored uniformly through the shared storage module, so that the information of each authentication node is symmetrical, other authentication nodes can conveniently execute identity authentication requests of access objects, the authentication efficiency of the access objects is improved, the storage pressure on the authentication nodes can be reduced, and the authentication efficiency is further improved; data scattering can be reduced and the maintenance difficulty of authentication resource data lowered. By storing the feature tokens and the hot spot data with high access frequency in the shared storage module, each authentication node can obtain the feature tokens and hot spot data generated by other authentication nodes, which improves the interaction efficiency of system data and increases the diversity of data structures.
The resource storage module is used for storing the feature token, the data record, the system white list and the log file generated by the distributed authentication cluster, so that the functions of permanent archiving of data and real-time change of service data can be realized, and the safety of the system data and the permanent record of the system log are ensured.
Based on the same inventive concept, an embodiment of the application also provides an identity authentication apparatus for implementing the identity authentication method. The solution provided by the apparatus is similar to that described for the method above, so for the specific limitations in the two embodiments of the identity authentication apparatus provided below, reference may be made to the limitations of the identity authentication method above, which are not repeated here.
In one embodiment, as shown in fig. 7, there is provided an identity authentication apparatus including: an acquisition module 11, an authentication module 12 and a transmission module 13, wherein:
the acquiring module 11 is configured to acquire an identity authentication request for the first access object sent by the scheduling module, where the scheduling module is configured to send the identity authentication request to one authentication node of the plurality of authentication nodes based on a preset load balancing policy after receiving the identity authentication request for the first access object;
the authentication module 12 is configured to authenticate the first access object according to a credential carried by the identity authentication request, and encapsulate feature information of the first access object to obtain a feature token corresponding to the first access object if the authentication passes;
the sending module 13 is configured to send the feature token corresponding to the first access object to the shared storage module for storage, so that when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the first access object, the first access object is verified based on the feature token corresponding to the first access object in the shared storage module.
In one embodiment, the transmitting module includes:
the naming unit is used for naming the feature tokens corresponding to the first access objects according to preset rules to obtain token identifications;
and the sending unit is used for sending the characteristic token and the token identifier corresponding to the first access object to the shared storage module, and triggering the shared storage module to perform unstructured storage on the characteristic token corresponding to the first access object based on the token identifier.
In one embodiment, the transmitting module includes:
and the updating unit is used for sending the feature token corresponding to the first access object to the shared storage module if the shared storage module stores a history feature token corresponding to the first access object, and triggering the shared storage module to update the history feature token with the feature token corresponding to the first access object.
In one embodiment, the authentication module includes:
the first acquisition unit is used for acquiring the identity information of the first access object;
the second acquisition unit is used for acquiring authentication time information and authentication node information of the current authentication node and generating encryption information according to the authentication time information and the authentication node information;
and the packaging unit is used for packaging the identity information and the encryption information by adopting a preset packaging format to obtain the characteristic token.
In one embodiment, the apparatus may further include:
the third acquisition unit is used for acquiring the identity authentication request for the second access object, which is sent by the scheduling module;
the feature token obtaining unit is used for obtaining a feature token corresponding to the second access object from the shared storage module if the second access object passes the authentication;
and the analysis unit is used for analyzing the feature token corresponding to the second access object and checking the second access object according to the analyzed feature information.
In one embodiment, the apparatus may further include:
the verification unit is used for acquiring the updated characteristic token of the second access object if the second access object passes the verification;
and the updating unit is used for sending the updated characteristic token to the shared storage module, and triggering the shared storage module to update the characteristic token corresponding to the second access object in the shared storage module by adopting the updated characteristic token.
In one embodiment, as shown in fig. 8, there is provided an identity authentication apparatus including: a receiving module 21, a scheduling module 22, wherein:
a receiving module 21, configured to obtain an identity authentication request of an access object;
a scheduling module 22, configured to send an identity authentication request to one authentication node of the plurality of authentication nodes based on a preset load balancing policy;
the authentication nodes are used for authenticating the access object according to credentials carried by the identity authentication request, and packaging feature information of the access object under the condition that authentication is passed to obtain a feature token corresponding to the access object, and sending the feature token corresponding to the access object to the shared storage module for storage, so that when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the access object, the access object is checked based on the feature token corresponding to the access object in the shared storage module.
In one embodiment, the scheduling module further comprises:
an allocation order obtaining unit, configured to obtain the request allocation order of the plurality of authentication nodes and determine the history authentication node that processed the last identity authentication request;
and the authentication node determining unit is used for determining the current target authentication node according to the request distribution sequence and the historical authentication nodes and sending the identity authentication request to the target authentication node.
In one embodiment, the receiving module comprises:
the first filtering unit is used for receiving a plurality of network requests and filtering the network requests to obtain at least one network request aiming at a target system;
the second filtering unit is used for filtering the at least one network request and acquiring a service processing request in the at least one network request;
and the determining unit is used for obtaining the identity authentication request of the access object based on the service processing request.
The modules in the identity authentication device may be realized wholly or partly by software, hardware, or a combination thereof. The above modules may be embedded in, or independent of, the processor of the computer device in hardware form, or may be stored in software form in the memory of the computer device, so that the processor can call them and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a server, and whose internal structure may be as shown in fig. 9. The computer device includes a processor, a memory, and a network interface connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for running the operating system and the computer program held in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal over a network connection. The computer program, when executed by the processor, implements an identity authentication method.
It will be appreciated by those skilled in the art that the architecture shown in fig. 9 is merely a block diagram of part of the architecture relevant to the present inventive arrangements and does not limit the computer device to which the present inventive arrangements apply; a particular computer device may include more or fewer components than shown, combine some of the components, or arrange the components differently.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of:
acquiring an identity authentication request for a first access object sent by a scheduling module, wherein the scheduling module is used for sending the identity authentication request to one authentication node in a plurality of authentication nodes based on a preset load balancing strategy after receiving the identity authentication request of the first access object;
authenticating the first access object according to credentials carried by the identity authentication request, and packaging the characteristic information of the first access object under the condition that the authentication passes to obtain a characteristic token corresponding to the first access object;
and sending the feature token corresponding to the first access object to the shared storage module for storage so as to verify the first access object based on the feature token corresponding to the first access object in the shared storage module when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the first access object.
In one embodiment, the steps of the other embodiments described above are also implemented when the processor executes a computer program.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of:
acquiring an identity authentication request of an access object;
based on a preset load balancing strategy, sending an identity authentication request to one authentication node in a plurality of authentication nodes;
the authentication nodes are used for authenticating the access object according to credentials carried by the identity authentication request, and packaging feature information of the access object under the condition that authentication is passed to obtain a feature token corresponding to the access object, and sending the feature token corresponding to the access object to the shared storage module for storage, so that when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the access object, the access object is checked based on the feature token corresponding to the access object in the shared storage module.
In one embodiment, the steps of the other embodiments described above are also implemented when the processor executes a computer program.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring an identity authentication request for a first access object sent by a scheduling module, wherein the scheduling module is used for sending the identity authentication request to one authentication node in a plurality of authentication nodes based on a preset load balancing strategy after receiving the identity authentication request of the first access object;
authenticating the first access object according to credentials carried by the identity authentication request, and packaging the characteristic information of the first access object under the condition that the authentication passes to obtain a characteristic token corresponding to the first access object;
and sending the feature token corresponding to the first access object to the shared storage module for storage so as to verify the first access object based on the feature token corresponding to the first access object in the shared storage module when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the first access object.
In one embodiment, the steps of the other embodiments described above are also implemented when the processor executes a computer program.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring an identity authentication request of an access object;
based on a preset load balancing strategy, sending an identity authentication request to one authentication node in a plurality of authentication nodes;
the authentication nodes are used for authenticating the access object according to credentials carried by the identity authentication request, and packaging feature information of the access object under the condition that authentication is passed to obtain a feature token corresponding to the access object, and sending the feature token corresponding to the access object to the shared storage module for storage, so that when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the access object, the access object is checked based on the feature token corresponding to the access object in the shared storage module.
In one embodiment, the steps of the other embodiments described above are also implemented when the processor executes a computer program.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:
acquiring an identity authentication request for a first access object sent by a scheduling module, wherein the scheduling module is used for sending the identity authentication request to one authentication node in a plurality of authentication nodes based on a preset load balancing strategy after receiving the identity authentication request of the first access object;
authenticating the first access object according to credentials carried by the identity authentication request, and packaging the characteristic information of the first access object under the condition that the authentication passes to obtain a characteristic token corresponding to the first access object;
and sending the feature token corresponding to the first access object to the shared storage module for storage so as to verify the first access object based on the feature token corresponding to the first access object in the shared storage module when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the first access object.
In one embodiment, the steps of the other embodiments described above are also implemented when the processor executes a computer program.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:
acquiring an identity authentication request of an access object;
based on a preset load balancing strategy, sending an identity authentication request to one authentication node in a plurality of authentication nodes;
the authentication nodes are used for authenticating the access object according to credentials carried by the identity authentication request, and packaging feature information of the access object under the condition that authentication is passed to obtain a feature token corresponding to the access object, and sending the feature token corresponding to the access object to the shared storage module for storage, so that when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the access object, the access object is checked based on the feature token corresponding to the access object in the shared storage module.
In one embodiment, the steps of the other embodiments described above are also implemented when the processor executes a computer program.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, may perform the steps of the method embodiments described above. Any reference to memory, a database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database; a non-relational database may include, but is not limited to, a blockchain-based distributed database. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of these technical features are described, but as long as a combination of technical features involves no contradiction, it should be considered within the scope of this description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail, but they do not thereby limit the scope of the application. It should be noted that those skilled in the art can make several variations and modifications without departing from the spirit of the application, and these all fall within its scope. Accordingly, the scope of protection of the application is that of the appended claims.

Claims (13)

1. An identity authentication method, the method comprising:
acquiring an identity authentication request for a first access object sent by a scheduling module, wherein the scheduling module is used for sending the identity authentication request to one authentication node in a plurality of authentication nodes based on a preset load balancing strategy after receiving the identity authentication request of the first access object;
authenticating the first access object according to the credentials carried by the identity authentication request, and packaging the characteristic information of the first access object under the condition that the authentication passes to obtain a characteristic token corresponding to the first access object;
and sending the feature token corresponding to the first access object to a shared storage module for storage, so that when other authentication nodes in the plurality of authentication nodes receive an identity authentication request of the first access object, the first access object is checked based on the feature token corresponding to the first access object in the shared storage module.
2. The method of claim 1, wherein the sending the feature token corresponding to the first access object to the shared storage module for storage comprises:
naming the feature token corresponding to the first access object according to a preset naming rule to obtain a token identifier;
and sending the feature token and the token identifier corresponding to the first access object to the shared storage module, and triggering the shared storage module to perform unstructured storage on the feature token corresponding to the first access object based on the token identifier.
3. The method of claim 1, wherein the sending the feature token corresponding to the first access object to the shared storage module for storage comprises:
if the shared storage module stores the history feature token corresponding to the first access object, the feature token corresponding to the first access object is sent to the shared storage module, and the shared storage module is triggered to update the history feature token by adopting the feature token corresponding to the first access object.
4. The method according to claim 1, wherein the step of encapsulating the feature information of the first access object to obtain the feature token corresponding to the first access object in the case that the authentication is passed includes:
acquiring identity information of the first access object;
acquiring authentication time information and authentication node information of a current authentication node, and generating encryption information according to the authentication time information and the authentication node information;
and packaging the identity information and the encryption information by adopting a preset packaging format to obtain the characteristic token.
5. The method as recited in claim 1, further comprising:
acquiring an identity authentication request aiming at a second access object, which is sent by the scheduling module;
if the second access object passes the authentication, acquiring a feature token corresponding to the second access object from the shared storage module;
analyzing the feature token corresponding to the second access object, and checking the second access object according to the analyzed feature information.
6. The method as recited in claim 5, further comprising:
if the second access object passes the verification, acquiring a feature token updated by the second access object;
and sending the updated characteristic token to a shared storage module, and triggering the shared storage module to update the characteristic token corresponding to the second access object in the shared storage module by adopting the updated characteristic token.
7. An identity authentication method, the method comprising:
acquiring an identity authentication request of an access object;
transmitting the identity authentication request to one authentication node in a plurality of authentication nodes based on a preset load balancing strategy;
the authentication node is configured to authenticate the access object according to a credential carried by the identity authentication request, encapsulate feature information of the access object to obtain a feature token corresponding to the access object when authentication is passed, and send the feature token corresponding to the access object to a shared storage module for storage, so that when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the access object, the authentication node verifies the access object based on the feature token corresponding to the access object in the shared storage module.
8. The method of claim 7, wherein the sending the authentication request to one of a plurality of authentication nodes based on a preset load balancing policy comprises:
acquiring a request distribution sequence of the plurality of authentication nodes, and determining the history authentication node that processed the authentication request of the last entity;
and determining a current target authentication node according to the request distribution sequence and the history authentication node, and sending the identity authentication request to the target authentication node.
9. The method of claim 7, wherein the obtaining the authentication request of the access object comprises:
receiving a plurality of network requests, and filtering the plurality of network requests to obtain at least one network request aiming at a target system;
filtering the at least one network request to obtain a service processing request in the at least one network request;
and obtaining an identity authentication request of the access object based on the service processing request.
10. An identity authentication device, the device comprising:
an acquisition module, configured to acquire an identity authentication request for a first access object sent by a scheduling module, wherein the scheduling module is configured to send the identity authentication request to one authentication node in a plurality of authentication nodes based on a preset load balancing strategy after receiving the identity authentication request of the first access object;
the authentication module is used for authenticating the first access object according to the credentials carried by the identity authentication request, and packaging the characteristic information of the first access object under the condition that the authentication is passed to obtain a characteristic token corresponding to the first access object;
and the sending module is used for sending the characteristic token corresponding to the first access object to the shared storage module for storage so as to verify the first access object based on the characteristic token corresponding to the first access object in the shared storage module when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the first access object.
11. An identity authentication device, the device comprising:
the receiving module is used for acquiring an identity authentication request of the access object;
the scheduling module is used for sending the identity authentication request to one authentication node in a plurality of authentication nodes based on a preset load balancing strategy;
the authentication node is configured to authenticate the access object according to a credential carried by the identity authentication request, encapsulate feature information of the access object to obtain a feature token corresponding to the access object when authentication is passed, and send the feature token corresponding to the access object to a shared storage module for storage, so that when other authentication nodes in the plurality of authentication nodes receive the identity authentication request of the access object, the authentication node verifies the access object based on the feature token corresponding to the access object in the shared storage module.
12. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the method of any of claims 1-6 or the steps of the method of any of claims 7-9 when the computer program is executed.
13. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any one of claims 1-6 or of the method of any one of claims 7-9.
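As an added illustration, not code from the patent or its applicant: a Python sketch of the flow in claims 1 to 6 and 8 above, with a scheduler that rotates through the authentication nodes, a node that checks the carried credential and packages identity plus authentication-time and node information into a feature token stored under a rule-named key, and another node that verifies or refreshes the access object from that shared token. The credential registry, the shared HMAC key standing in for the unspecified "encryption information", the JSON/base64 packaging format, the key naming rule and the 300-second token lifetime are all assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed credential registry: access object -> sha256(password) hex.
CREDENTIALS = {"client-A": hashlib.sha256(b"s3cret-A").hexdigest()}
# Assumption: all authentication nodes share this key, so the "encryption
# information" produced by one node can be checked by any other node.
SHARED_KEY = b"constructed-cluster-key"
TOKEN_TTL = 300  # seconds; assumption, the patent states no token lifetime


class SharedStorage:
    """Unstructured key/value store reachable by every node (claims 2, 3)."""
    def __init__(self):
        self._tokens = {}

    def put(self, access_object, token):
        # Rule-named key (claim 2); a later put overwrites the history token (claim 3).
        self._tokens[f"feature-token:{access_object}"] = token

    def get(self, access_object):
        return self._tokens.get(f"feature-token:{access_object}")


def _mac(identity, auth_time, node_id):
    # "Encryption information" bound to auth time and node (claim 4); an HMAC
    # stands in for whatever scheme the patent leaves unspecified.
    msg = f"{identity}|{auth_time}|{node_id}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


class AuthNode:
    def __init__(self, node_id, store):
        self.node_id, self.store = node_id, store

    def _issue(self, access_object, auth_time):
        # Preset packaging format (claim 4): JSON of identity + enc, base64.
        f = {"identity": access_object, "auth_time": auth_time,
             "node": self.node_id,
             "enc": _mac(access_object, auth_time, self.node_id)}
        self.store.put(access_object,
                       base64.urlsafe_b64encode(json.dumps(f).encode()).decode())

    def authenticate(self, access_object, password, now):
        """Claim 1: check the carried credential; on success store a token."""
        expected = CREDENTIALS.get(access_object)
        given = hashlib.sha256(password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, given):
            return False
        self._issue(access_object, now)
        return True

    def verify(self, access_object, now):
        """Claim 5: check the object from the shared token; None on failure."""
        token = self.store.get(access_object)
        if token is None:
            return None
        try:
            f = json.loads(base64.urlsafe_b64decode(token))
            mac_ok = hmac.compare_digest(
                f["enc"], _mac(f["identity"], f["auth_time"], f["node"]))
            fresh = now - f["auth_time"] <= TOKEN_TTL
        except (ValueError, KeyError, TypeError):
            return None  # unparseable or malformed token in the store
        if f["identity"] != access_object or not mac_ok or not fresh:
            return None  # wrong object, forged/modified token, or expired
        return f

    def refresh(self, access_object, now):
        """Claim 6: after a passed check, re-issue the token from this node."""
        if self.verify(access_object, now) is None:
            return False
        self._issue(access_object, now)
        return True


class Scheduler:
    """Claim 8: pick the node after the one that served the previous request."""
    def __init__(self, nodes):
        self.sequence, self.last = list(nodes), None

    def dispatch(self):
        idx = (0 if self.last is None
               else (self.sequence.index(self.last) + 1) % len(self.sequence))
        self.last = self.sequence[idx]
        return self.last
```

Because every node verifies against the shared store rather than its own memory, the node that issued the token and the node that checks it can differ, which is the property the load-balanced dispatch relies on.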
Application CN202210638575.0A, filed 2022-06-08 (priority date 2022-06-08): Identity authentication method, identity authentication device, computer equipment and storage medium. Status: Active. Granted publication: CN114826777B (en).

Publications (2)

Publication number   Publication date
CN114826777A (en)    2022-07-29
CN114826777B (en)    2023-09-15

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771537A (en) * 2008-12-26 2010-07-07 中国移动通信集团公司 Processing method and certificating method for distribution type certificating system and certificates of certification thereof
CN113934998A (en) * 2021-11-01 2022-01-14 阳光保险集团股份有限公司 Gateway authentication method, service system authentication method and gateway authentication system




Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant