CN115174162B - Authorization method, device, system and storage medium based on OAuth protocol - Google Patents


Info

Publication number: CN115174162B
Application number: CN202210688892.3A
Authority: CN (China)
Prior art keywords: token, resource, service, server, parameter
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115174162A
Inventor: 李鲁浩
Current assignee: Qingdao Haier Technology Co Ltd; Haier Smart Home Co Ltd
Original assignee: Qingdao Haier Technology Co Ltd; Haier Smart Home Co Ltd
Application filed by Qingdao Haier Technology Co Ltd and Haier Smart Home Co Ltd; priority to CN202210688892.3A; published as CN115174162A; application granted and published as CN115174162B; legal status Active.

Classifications

    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses an authorization method, device, system and storage medium based on the OAuth protocol, and relates to the field of Internet technology. When the access token has expired, the client calls a service interface to send a request message to the server; the request message comprises a token refresh parameter and a resource request parameter and requests both a valid access token and user resources. The client then receives the valid access token and the user resources from the server. The server supports an authentication service and a resource service: the authentication service determines the valid access token according to the token refresh parameter, and the resource service obtains the user resources according to the valid access token and the resource request parameter. The application simplifies the client's interaction steps, reduces the interaction complexity between front end and back end, reduces the probability of error and improves the user experience.

Description

Authorization method, device, system and storage medium based on OAuth protocol
Technical Field
The application relates to the field of Internet technology, and in particular to an authorization method, device and system based on the OAuth protocol, and a storage medium.
Background
The Open Authorization (OAuth) 2.0 protocol is an open standard that allows a third-party application (APP) to securely obtain a user's resources from a resource server, after authentication by an authorization server, when the resource owner (the user) has granted authorization. After the user is authenticated, the authorization server generates a short-lived access token, which the third-party application uses in place of the user's password. The access token automatically becomes invalid when it expires, after which the APP can no longer obtain user resources.
In the related art, after the access token has expired, the server returns a token-invalid message to the client through the service interface; the client responds by calling the token refresh interface to obtain a valid access token, and then calls the service interface again, carrying the valid access token, to request the resource service and obtain the user resources.
The inventors have found that the related art has at least the following problem: the interaction between front end and back end is complex, which increases the probability of error.
Disclosure of Invention
The application provides an authorization method, device, system and storage medium based on the OAuth protocol, which simplify the interaction steps between front end and back end, reduce the interaction complexity and the error probability, and improve the user experience.
In a first aspect, the present application provides an authorization method based on the OAuth protocol, applied to a client, including: when the access token has expired, calling a service interface to send a request message to a server, where the request message comprises a token refresh parameter and a resource request parameter and requests a valid access token and user resources; and receiving the valid access token and the user resources from the server. The server supports an authentication service and a resource service: the authentication service determines the valid access token according to the token refresh parameter, and the resource service obtains the user resources according to the valid access token and the resource request parameter.
Optionally, the authentication service and the resource service are deployed in the same server; alternatively, the authentication service and the resource service are deployed in different servers, where the server deployed with the authentication service and the server deployed with the resource service interact through a local area network protocol.
Optionally, the token refresh parameter is carried in a header of the request message.
In a second aspect, the present application provides an authorization method based on the OAuth protocol, applied to a server, where the server supports an authentication service and a resource service: the authentication service determines a valid access token according to a token refresh parameter, and the resource service obtains user resources according to the valid access token and a resource request parameter. The authorization method comprises the following steps: receiving a request message sent by a client through a service interface, where the request message comprises a token refresh parameter and a resource request parameter, requests a valid access token and user resources, and is sent by the client when its access token has expired; determining a valid access token according to the token refresh parameter through the authentication service; determining the user resources according to the valid access token and the resource request parameter through the resource service; and sending the valid access token and the user resources to the client.
Optionally, the token refresh parameter is carried in a header of the request message.
Optionally, the authentication service is deployed in a first server and the resource service in a second server. In that case, receiving the request message sent by the client through the service interface comprises: the first server receives the request message. Determining, through the authentication service, a valid access token according to the token refresh parameter comprises: the first server determines the valid access token according to the token refresh parameter and sends the valid access token and the resource request parameter to the second server over a local area network protocol. Determining, through the resource service, the user resources according to the valid access token and the resource request parameter comprises: the second server determines the user resources according to the valid access token and the resource request parameter. Sending the valid access token and the user resources to the client comprises: the second server sends the valid access token and the user resources to the client.
In a third aspect, the present application provides an authorization device based on the OAuth protocol, applied to a client, including: a calling module, configured to call a service interface to send a request message to a server when the access token has expired, where the request message comprises a token refresh parameter and a resource request parameter and requests a valid access token and user resources; and a receiving module, configured to receive the valid access token and the user resources from the server. The server supports an authentication service and a resource service: the authentication service determines the valid access token according to the token refresh parameter, and the resource service obtains the user resources according to the valid access token and the resource request parameter.
In a fourth aspect, the present application provides an authorization device based on the OAuth protocol, applied to a server, where the server supports an authentication service and a resource service: the authentication service determines a valid access token according to a token refresh parameter, and the resource service obtains user resources according to the valid access token and a resource request parameter. The authorization device includes: a receiving module, configured to receive a request message sent by a client through a service interface, where the request message comprises a token refresh parameter and a resource request parameter, requests a valid access token and user resources, and is sent by the client when its access token has expired; a first determining module, configured to determine a valid access token according to the token refresh parameter through the authentication service; a second determining module, configured to determine the user resources according to the valid access token and the resource request parameter through the resource service; and a sending module, configured to send the valid access token and the user resources to the client.
In a fifth aspect, the present application provides an electronic device, comprising: a memory, a processor; a memory for storing computer-executable instructions; and a processor for executing computer-executable instructions to implement the authorization method provided in the first aspect, or implement the authorization method provided in the second aspect.
In a sixth aspect, the present application provides an authorization system based on the OAuth protocol, including: a client for implementing the authorization method provided in the first aspect; and a server for implementing the authorization method provided in the second aspect.
In a seventh aspect, the present application provides a computer-readable storage medium having stored therein computer-executable instructions which, when executed by a processor, are adapted to carry out the authorisation method provided in the first aspect or the second aspect.
In an eighth aspect, the present application provides a computer program product comprising a computer program; the computer program, when executed, implements the authorization method provided in the first aspect or the second aspect.
The authorization method, device, system and storage medium based on the OAuth protocol have at least the following advantages:
When the access token has expired, the client calls a service interface to send a request message to the server, where the request message comprises a token refresh parameter and a resource request parameter and requests a valid access token and user resources, and the client receives the valid access token and the user resources from the server. The server supports an authentication service and a resource service: the authentication service determines the valid access token according to the token refresh parameter, and the resource service obtains the user resources according to the valid access token and the resource request parameter. With this method and device, while normal authorization and retrieval of user resources are preserved, the amount of HTTP interaction in the period after an access token expires is roughly halved, the service interface can return data to the user as early as possible, the response time is shortened, less code is required, the token refresh step is simplified as a whole, the complexity of front-end and back-end interaction and the probability of error are reduced, and the user experience is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the application or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1a is a schematic diagram of an application environment based on the OAuth protocol according to an embodiment of the present application;
FIG. 1b is a schematic diagram of an interaction flow based on the OAuth protocol according to an embodiment of the present application;
FIG. 2 is a first flowchart of an authorization method based on the OAuth protocol according to an embodiment of the present application;
FIG. 3 is a second flowchart of an authorization method based on the OAuth protocol according to an embodiment of the present application;
FIG. 4 is a signaling interaction diagram of an authorization method based on the OAuth protocol according to an embodiment of the present application;
FIG. 5 is a first schematic structural diagram of an authorization device based on the OAuth protocol according to an embodiment of the present application;
FIG. 6 is a second schematic structural diagram of an authorization device based on the OAuth protocol according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and in the above figures are used to distinguish between similar objects and not necessarily to describe a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate, such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. In addition, the OAuth protocol described in the embodiments of the present application generally refers to OAuth 2.0 (OAuth 1.0 is deprecated).
FIG. 1a is a schematic diagram of an application environment based on the OAuth protocol according to an embodiment of the present application. As shown in FIG. 1a, the application environment involves a terminal device 101 and a server 102. The terminal device 101 and the server 102 may be connected to each other via a wireless network or a wired network.
The terminal device 101, or user terminal, provides a third party application client. The terminal device 101 may be a mobile phone, a tablet computer, an electronic book reader, a vehicle-mounted device, a laptop portable computer, a desktop computer, or the like. The third party application client may be an application, applet, web page or plug-in, or the like.
The server 102 is a server corresponding to a service provider, and functionally may include an authorization server (or referred to as an authentication server) that is a server dedicated by the service provider to process authentication and authorization, and a resource server that is a server carrying user resources that are protected, and may be the same server as the authorization server or may be a different server. The server 102 may be a server in a physical structure, a server cluster formed by a plurality of servers, or a cloud computing service center.
The OAuth protocol is an open standard that allows a third-party application (client), with the user's authorization and after authentication by the authorization server, to obtain a short-lived access token that it uses in place of the user's password. An access token and a password serve the same purpose, since both grant entry to the system, but they differ mainly in three ways:
(1) An access token is short-lived and expires automatically; the user cannot alter this. A password is generally valid for a long time and does not change unless the user modifies it.
(2) An access token can be revoked by the data owner and invalidated immediately; a password generally cannot be revoked by others.
(3) An access token has a scope of authority (scope), much like a key that opens only one door of a residential building; for a network service, a read-only token is safer than a read-write token. A password typically carries full rights.
FIG. 1b is a schematic diagram of an interaction flow based on the OAuth protocol according to an embodiment of the present application, where the interaction flow includes:
(A) The client sends an authorization request to the user; (B) the user returns an authorization grant to the client; (C) the client presents the authorization grant to the authorization server; (D) the authorization server returns an access token to the client; (E) the client presents the access token to the resource server; (F) the resource server returns the user resources to the client.
The interaction flow of the OAuth protocol ensures that the access token not only lets the third-party application (client) obtain the required authority, but also remains controllable at any time, so that system security is not endangered; this is the advantage of the OAuth protocol. Because of these properties, the OAuth protocol is widely used for the authentication and authorization of third-party clients and other applications.
In the above example, the access token the client obtains from the authorization server is valid for only a short time, and once it has expired the third-party application (client) can no longer obtain user resources. When the access token has expired, the server returns a token-invalid message to the client through the service interface; the client responds by calling the token refresh interface to obtain a valid access token, and then calls the service interface again, carrying the valid access token, to request the resource server and obtain the user resources. However, when the client calls back-end service interfaces, it typically calls several interfaces at the same time, which generates a large amount of interaction over Hypertext Transfer Protocol (HTTP) interfaces, occupies considerable network bandwidth, increases the complexity of the code logic, and may cause slow responses, freezes and similar problems on the client. In particular, as the mobile Internet develops, a single page loads more and more content, calls more and more server interfaces, and those interfaces become more complex. Authentication and authorization of the user are indispensable on every such interface call. Because the interaction is performed in a completely fixed fashion, this adds great complexity and therefore increases the chance of error.
To solve these problems, the application proposes combining the refresh interface that refreshes the access token with the service interface that accesses user resources. The refresh interface no longer needs to be called separately to obtain a valid access token: when a call to the service interface returns that the access token has expired, the client simply calls the service interface again with an access-token refresh parameter added, and the service interface returns the refreshed valid access token together with its normal result.
FIG. 2 is a flowchart of an authorization method based on the OAuth protocol according to an embodiment of the present application. The authorization method provided by this embodiment is applied to a client, for example the third-party application client provided by the terminal device 101 shown in FIG. 1a. As shown in FIG. 2, the authorization method includes:
S201: when the access token has expired, call a service interface to send a request message to the server, where the request message comprises a token refresh parameter and a resource request parameter and requests a valid access token and user resources.
The service interface is provided by the client, and the server may be the server 102 shown in FIG. 1a.
The access token has a limited lifetime: it can be reused to obtain user resources until its validity period expires; once the validity period is exceeded, the access token becomes invalid and user resources can no longer be obtained with it. For example, when the client wants to obtain a user resource, it calls the service interface, which carries the access token in a request for the user resource to the server; the server then verifies whether the access token is valid and, if so, returns the user resource to the service interface, and if not, returns an access-token-invalid message to the service interface.
The token refresh parameter and the resource request parameter are contained in the same request message. When the access token has expired, for example when the service interface receives the access-token-invalid message returned by the server, the client may call the service interface to send a request message to the server that requests a valid access token and user resources from the server. The token refresh parameter may include information about the just-expired access token, a token refresh instruction, and so on, so that the server can determine from the token refresh parameter that a new valid access token may be issued to the service interface; the resource request parameter may include category information, a request instruction and so on that specify the user resource, so that the server can determine from the resource request parameter which user resource the service interface is requesting.
S202: receive the valid access token and the user resources from the server. The server supports an authentication service and a resource service: the authentication service determines the valid access token according to the token refresh parameter, and the resource service obtains the user resources according to the valid access token and the resource request parameter.
After the service interface sends the request message containing the token refresh parameter and the resource request parameter to the server, the server returns the valid access token and the user resources to the service interface.
Functionally, the server may include an authentication service and a resource service. Optionally, the authentication service and the resource service are deployed in the same server; alternatively, they are deployed in different servers, in which case the server hosting the authentication service and the server hosting the resource service interact over a local area network protocol. When the two services are deployed in the same server, the server receives the request message sent by the service interface, invokes the authentication service function to determine a valid access token from the token refresh parameter in the message, and invokes the resource service function to determine the user resource from the valid access token and the resource request parameter; that is, the resource service function verifies that the access token is valid, and then returns the user resource corresponding to the resource request parameter together with the valid access token to the service interface. When the two services are deployed in different servers, the server hosting the authentication service receives the request message, determines a valid access token from the token refresh parameter in it, and sends the access token and the resource request parameter to the server hosting the resource service over the local area network protocol; that server determines the user resource from the access token and the resource request parameter, that is, it first verifies that the access token is valid, and then returns the user resource corresponding to the resource request parameter together with the valid access token to the service interface.
In this embodiment of the application, when the access token has expired, the client calls a service interface to send a request message to the server, where the request message comprises a token refresh parameter and a resource request parameter and requests a valid access token and user resources, and the client receives the valid access token and the user resources from the server; the server supports an authentication service and a resource service, where the authentication service determines the valid access token according to the token refresh parameter and the resource service obtains the user resources according to the valid access token and the resource request parameter. With this embodiment, while normal authorization and retrieval of user resources are preserved, the amount of HTTP interaction in the period after an access token expires is roughly halved, the service interface can return data to the user as early as possible, the response time is shortened, less code is required, the token refresh step is simplified as a whole, the complexity of front-end and back-end interaction and the probability of error are reduced, and the user experience is improved.
Optionally, the token refresh parameter is carried in the header of the request message. The server can obtain information about the client from the data in the message header; in this embodiment, for example, the server reads the token refresh parameter carried in the header of the request message and triggers the authentication service function according to that parameter, so as to generate a new valid access token.
Fig. 3 is a second flowchart of an authorization method based on the OAuth protocol according to an embodiment of the present application. The authorization method of this embodiment is applied to a server, for example the server 102 shown in Fig. 1a, which supports an authentication service and a resource service. As shown in Fig. 3, the authorization method includes:
S301: receiving a request message from the client for a service interface, the request message including a token refresh parameter and a resource request parameter and requesting a valid access token and a user resource; the request message is sent by the client when its access token is invalid.
This corresponds to step S201: after the access token becomes invalid, the client sends the request message to the server. The details of how the server receives the request message are not repeated here.
S302: determining, by the authentication service, a valid access token from the token refresh parameter.
The server invokes the authentication service, which decides from the token refresh parameter in the request message whether a new access token may be issued to the service interface and, if so, determines a valid access token. Specifically, the authentication service is configured to determine a valid access token from the token refresh parameter: if the server concludes from the token refresh parameter that the client hosting the service interface is still within its authorization period, the user resource may continue to be opened to the client and a new valid access token is generated. If the server concludes from the token refresh parameter that the client is no longer within its authorization period or that the authorization has been revoked, the user resource is not opened to the client, and the server instead returns an authorization-invalid message to the service interface.
Optionally, the token refresh parameter is carried in the header of the request message, from which the server can obtain information about the client.
S303: determining, by the resource service, the user resource from the valid access token and the resource request parameter.
Once the valid access token has been determined, the server invokes the resource service, which determines the user resource from the valid access token and the resource request parameter in the request message. Specifically, the resource service is configured to obtain the user resource from a valid access token and a resource request parameter: it first verifies that the access token is valid and, only after that check succeeds, continues to open the user resource to the service interface, that is, it determines the user resource required by the service interface from the resource request parameter.
S304: sending the valid access token and the user resource to the client.
The server returns the new valid access token and the user resource to the service interface; in other words, after sending one request message to the server, the service interface receives the resource it requested together with the refreshed access token. Note that "together" and "simultaneously" in the embodiments of the present application do not constrain the arrival times of the refreshed access token and the user resource at the service interface; they express that both are results of the same request message, and one may arrive before the other.
In this embodiment, the server receives a request message from the client for a service interface when the access token is invalid, the request message including a token refresh parameter and a resource request parameter and requesting a valid access token and a user resource; the server determines the valid access token from the token refresh parameter through the authentication service, determines the user resource from the valid access token and the resource request parameter through the resource service, and sends the valid access token and the user resource to the client. The advantages described for the client-side embodiment apply equally here: roughly half the HTTP round trips while an access token is being refreshed, faster responses, less code, and a simpler, less error-prone refresh step.
Optionally, the authentication service and the resource service are deployed on the same server. Alternatively, they are deployed on different servers, the authentication service on a first server and the resource service on a second server, in which case: receiving the request message from the client for the service interface means that the first server receives the request message; determining, by the authentication service, a valid access token from the token refresh parameter means that the first server determines the valid access token from the token refresh parameter and sends the valid access token and the resource request parameter to the second server over a local area network protocol; determining, by the resource service, the user resource from the valid access token and the resource request parameter means that the second server determines the user resource from them; and sending the valid access token and the user resource to the client means that the second server sends them to the client.
The embodiments above describe the authorization method from the perspective of the client and of the server respectively; the following explains it through the interaction among the user, the client and the server.
Fig. 4 is a signaling interaction diagram of an authorization method based on the OAuth protocol according to an embodiment of the present application. As shown in Fig. 4, the authorization method includes:
S401: the user opens a page of a client.
S402: the client calls service interface 1, service interface 2 and service interface 3, each carrying the access token, and sends the requests to the server.
S403: the server returns an access-token-invalid message to each of service interface 1, service interface 2 and service interface 3 of the client.
S404: the client calls service interface 1, service interface 2 and service interface 3 again, each carrying the token refresh parameter, and sends the requests to the server.
S405: the server returns a refreshed valid access token and the user resource to each of service interface 1, service interface 2 and service interface 3 of the client.
S406: the client presents the page data to the user.
This embodiment shows the sequence when a user opens a client page that needs to call three back-end service interfaces at the same time (concurrent calls). After the three service interfaces each return an access-token-invalid result, the client places the token refresh parameter in the service interface request (for example, in the message header) and calls the service interface again directly. It does not need to follow the OAuth protocol flow of first calling a dedicated refresh interface to obtain a new access token in response to the invalid-token message and then calling the service interface again with the new access token. This simplifies the token refresh step and reduces the complexity and error rate of front-end/back-end interaction; the simplification is greatest when many calls are made concurrently, and the user experience improves accordingly.
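The following is an added example, not code from the patent or from the applicant. It plays out both the server-side procedure S301-S304 (authentication service judges the refresh parameter, resource service re-checks the token, one reply carries token and data) and the client-side sequence S201/S401-S406 (three concurrent service-interface calls that each get a token-invalid reply and are retried once with the refresh parameter in the header). The header name X-Refresh-Token, the token formats, the lifetimes and the resource store are assumptions of this example; the patent fixes none of them. In-process calls stand in for HTTP, and the per-request log lets the reader count round trips.

```python
"""Added example, not code from the patent: one request that carries the token refresh parameter
and the resource request parameter (S301-S304), and a client retrying three concurrent
service-interface calls with it (S201, S401-S406). Header name, token formats, lifetimes and
the resource store are assumptions of this example."""
import secrets
import threading

ACCESS_TTL = 900                     # assumed access-token lifetime, seconds
REFRESH_TTL = 30 * 86400             # assumed refresh-token lifetime, seconds
REFRESH_HEADER = "X-Refresh-Token"   # assumed header carrying the token refresh parameter


class AuthService:   # authentication service: issues access tokens, judges the refresh parameter (S302)
    def __init__(self):
        self._refresh, self._access = {}, {}   # token -> (client_id, expires_at)

    def _issue_access(self, client_id, now):
        token = secrets.token_urlsafe(32)
        self._access[token] = (client_id, now + ACCESS_TTL)
        return token

    def grant(self, client_id, now):
        """Initial authorization: a refresh token plus a first access token."""
        refresh = secrets.token_urlsafe(32)
        self._refresh[refresh] = (client_id, now + REFRESH_TTL)
        return refresh, self._issue_access(client_id, now)

    def refresh(self, refresh_token, now):
        """New access token, or None once the client's authorization period is over."""
        entry = self._refresh.get(refresh_token)
        if entry is None or entry[1] <= now:
            self._refresh.pop(refresh_token, None)
            return None
        return self._issue_access(entry[0], now)

    def verify_access(self, access_token, now):
        entry = self._access.get(access_token)
        return entry is not None and entry[1] > now


class Server:   # hosts both services; handle() processes one service-interface request (S301-S304)
    def __init__(self, auth, store):
        self.auth, self.store, self.log = auth, store, []   # log: one entry per HTTP round trip

    def handle(self, headers, params, now):
        self.log.append(params.get("resource"))
        access = headers.get("Authorization", "").removeprefix("Bearer ")
        refreshed = None
        if not self.auth.verify_access(access, now):
            refresh_token = headers.get(REFRESH_HEADER)
            if refresh_token is None:                           # dead token, no refresh parameter (S403)
                return 401, {"error": "token_invalid"}
            refreshed = self.auth.refresh(refresh_token, now)   # authentication service (S302)
            if refreshed is None:                               # authorization period over: re-login
                return 403, {"error": "authorization_invalid"}
            access = refreshed
        valid = self.auth.verify_access(access, now)            # resource service re-checks the token (S303)
        body = {"data": self.store.get(params.get("resource")) if valid else None}
        if refreshed:                                           # S304: new token and data in one reply
            body["access_token"] = refreshed
        return 200, body


class Client:   # shared token store; call() is one service interface (S402, retried as S404)
    def __init__(self, server, access_token, refresh_token):
        self.server, self.access, self.refresh = server, access_token, refresh_token

    def call(self, resource, now, access=None):
        params = {"resource": resource}
        headers = {"Authorization": f"Bearer {access or self.access}"}
        status, body = self.server.handle(headers, params, now)
        if status == 401:                                       # retry once, carrying the refresh parameter
            headers[REFRESH_HEADER] = self.refresh
            status, body = self.server.handle(headers, params, now)
            if status == 200:
                self.access = body["access_token"]               # keep the newest token for later calls
        return status, body

    def open_page(self, resources, now):
        """S401-S406: the page calls several service interfaces concurrently."""
        token, results = self.access, {}                        # every call goes out with the same token
        threads = [threading.Thread(target=lambda r=r: results.update({r: self.call(r, now, token)}))
                   for r in resources]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return results


def demo():
    store = {"profile": {"name": "alice"}, "devices": ["fridge", "washer"], "orders": []}   # constructed
    server, t0 = Server(AuthService(), store), 1_700_000_000
    refresh, access = server.auth.grant("client-A", t0)
    client = Client(server, access, refresh)
    page = client.open_page(["profile", "devices", "orders"], t0 + ACCESS_TTL + 1)   # access token expired
    page_trips = len(server.log)                                # 6: three 401s plus three retries
    gone = client.call("profile", t0 + REFRESH_TTL + 1)         # refresh token expired as well
    return {"page": page, "page_trips": page_trips, "token_rotated": client.access != access, "gone": gone}
```

Three things the example makes visible that the text only implies. First, the page load costs six round trips (three token-invalid replies, three retries) where the plain OAuth flow would cost nine (three failures, three calls to a refresh endpoint, three retries). Second, the refresh parameter now rides in every retried service-interface request, so every such endpoint must be reachable only over TLS and gateways must not log that header; in the split deployment of claim 6 the access token also crosses the LAN link from the first server to the second, which should be authenticated as well. Third, the example deliberately does not rotate refresh tokens: with rotation on every use, the three concurrent retries in S404 would all present the same refresh token and the second and third would be rejected (or trip reuse detection), so a server that rotates needs a short grace window or the client must serialize the first refresh.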
Fig. 5 is a schematic structural diagram of an authorization device based on the OAuth protocol according to an embodiment of the present application. The authorization device is applied to a client. Referring to Fig. 5, the authorization device 500 includes:
a calling module 501, configured to call a service interface to send a request message to the server when the access token is invalid, the request message including a token refresh parameter and a resource request parameter and requesting a valid access token and a user resource;
a receiving module 502, configured to receive the valid access token and the user resource from the server;
where the server supports an authentication service, which determines the valid access token from the token refresh parameter, and a resource service, which obtains the user resource from the valid access token and the resource request parameter.
Fig. 6 is a schematic structural diagram of an authorization device based on the OAuth protocol according to an embodiment of the present application. The authorization device is applied to a server that supports an authentication service and a resource service, the authentication service determining a valid access token from the token refresh parameter and the resource service obtaining the user resource from the valid access token and the resource request parameter. Referring to Fig. 6, the authorization device 600 includes:
a receiving module 601, configured to receive a request message from the client for a service interface, the request message including a token refresh parameter and a resource request parameter and requesting a valid access token and a user resource, the request message being sent by the client when the access token is invalid;
a first determining module 602, configured to determine, through the authentication service, the valid access token from the token refresh parameter;
a second determining module 603, configured to determine, through the resource service, the user resource from the valid access token and the resource request parameter;
a sending module 604, configured to send the valid access token and the user resource to the client.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. Referring to Fig. 7, the electronic device 700 includes a processor 701, a memory 702, a communication interface 703 and a system bus 704.
The memory 702 and the communication interface 703 are connected to the processor 701 through the system bus 704 and communicate with one another. The memory 702 stores program instructions, the communication interface 703 communicates with other devices, and the processor 701 calls the program instructions in the memory to execute the authorization method of the method embodiments.
In particular, the processor 701 may include one or more processing units; for example, it may be a central processing unit (CPU), a digital signal processor (DSP) or an application-specific integrated circuit (ASIC). A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in this application may be executed directly by a hardware processor, or by a combination of hardware and software modules within a processor.
The memory 702 may be used to store program instructions. It may include a program storage area and a data storage area: the program storage area may store the operating system and the application programs required for at least one function (such as a sound playing function), and the data storage area may store data created while the electronic device 700 is in use (such as audio data). The memory 702 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, a flash memory device or a universal flash storage (UFS) device. The processor 701 performs the various functions and data processing of the electronic device 700 by executing the program instructions stored in the memory 702.
The communication interface 703 may provide wireless communication, including 2G/3G/4G/5G, for the electronic device 700. It may receive electromagnetic waves from an antenna, filter and amplify the received signal and pass it to a modem processor for demodulation; it may also amplify the signal modulated by the modem processor and convert it into electromagnetic waves radiated through the antenna. In some embodiments, at least some functional modules of the communication interface 703 may be provided in the processor 701, or in the same device as at least some modules of the processor 701.
The system bus 704 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like, and may be divided into an address bus, a data bus and a control bus. For ease of illustration only one thick line is drawn in the figure, which does not mean that there is only one bus or only one type of bus.
The number of memories 702 and processors 701 is not limited in this embodiment; there may be one or more of each, and Fig. 7 shows one of each as an example. The memory 702 and the processor 701 may be connected in various wired or wireless ways, for example via a bus. In practice, the electronic device 700 may be a computer or a mobile terminal of any form: computers include laptops, desktops, workstations, servers, blade servers and mainframes; mobile terminals include personal digital assistants, cellular telephones, smartphones, wearable devices and similar computing devices.
The electronic device of the embodiment of the present application may be used to execute the technical solution of the embodiment of the method, and its implementation principle and technical effects are similar, and are not repeated here.
The embodiment of the application also provides an authorization system based on the OAuth protocol. The authorization system includes the client and the server as described above, which can be used to execute the technical scheme in the above method embodiment, and its implementation principle and technical effects are similar, and are not repeated here.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores computer execution instructions, and when the computer execution instructions are executed by a processor, the scheme of the authorization method is realized.
The embodiment of the application also provides a computer program product, which comprises a computer program; when the computer program is executed, the scheme of the authorization method is realized.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application, which are intended to be comprehended within the scope of the present application.

Claims (11)

1. An authorization method based on the OAuth protocol, applied to a client, the authorization method comprising:
when an access token is invalid, calling a service interface to send a request message to a server, wherein the request message comprises a token refresh parameter and a resource request parameter and is used to request a valid access token and a user resource;
receiving the valid access token and the user resource from the server;
wherein the server supports an authentication service and a resource service, the authentication service is used to determine the valid access token according to the token refresh parameter, and the resource service is used to obtain the user resource according to the valid access token and the resource request parameter.
2. The authorization method according to claim 1, wherein the authentication service and the resource service are deployed on the same server;
or the authentication service and the resource service are deployed on different servers, and the server on which the authentication service is deployed and the server on which the resource service is deployed interact through a local area network protocol.
3. The authorization method according to claim 1 or 2, wherein the token refresh parameter is carried in a header of the request message.
4. An authorization method based on the OAuth protocol, applied to a server, wherein the server supports an authentication service and a resource service, the authentication service is used to determine a valid access token according to a token refresh parameter, and the resource service is used to obtain a user resource according to the valid access token and a resource request parameter;
the authorization method comprising:
receiving a request message from a client for a service interface, wherein the request message comprises the token refresh parameter and the resource request parameter, is used to request the valid access token and the user resource, and is sent by the client when an access token is invalid;
determining, by the authentication service, the valid access token according to the token refresh parameter;
determining, by the resource service, the user resource according to the valid access token and the resource request parameter;
sending the valid access token and the user resource to the client.
5. The authorization method according to claim 4, wherein the token refresh parameter is carried in a header of the request message.
6. The authorization method according to claim 4 or 5, wherein the authentication service is deployed on a first server and the resource service is deployed on a second server;
the receiving a request message from a client for a service interface comprises: the first server receiving the request message from the client for the service interface;
the determining, by the authentication service, the valid access token according to the token refresh parameter comprises: the first server determining the valid access token according to the token refresh parameter, and sending the valid access token and the resource request parameter to the second server based on a local area network protocol;
the determining, by the resource service, the user resource according to the valid access token and the resource request parameter comprises: the second server determining the user resource according to the valid access token and the resource request parameter;
the sending the valid access token and the user resource to the client comprises: the second server sending the valid access token and the user resource to the client.
7. An authorization device based on the OAuth protocol, applied to a client, the authorization device comprising:
a calling module, configured to call a service interface to send a request message to a server when an access token is invalid, wherein the request message comprises a token refresh parameter and a resource request parameter and is used to request a valid access token and a user resource;
a receiving module, configured to receive the valid access token and the user resource from the server;
wherein the server supports an authentication service and a resource service, the authentication service is used to determine the valid access token according to the token refresh parameter, and the resource service is used to obtain the user resource according to the valid access token and the resource request parameter.
8. An authorization device based on the OAuth protocol, applied to a server, wherein the server supports an authentication service and a resource service, the authentication service is used to determine a valid access token according to a token refresh parameter, and the resource service is used to obtain a user resource according to the valid access token and a resource request parameter;
the authorization device comprising:
a receiving module, configured to receive a request message from a client for a service interface, wherein the request message comprises the token refresh parameter and the resource request parameter, is used to request the valid access token and the user resource, and is sent by the client when an access token is invalid;
a first determining module, configured to determine, by the authentication service, the valid access token according to the token refresh parameter;
a second determining module, configured to determine, by the resource service, the user resource according to the valid access token and the resource request parameter;
a sending module, configured to send the valid access token and the user resource to the client.
9. An electronic device, comprising a memory and a processor;
the memory being configured to store computer-executable instructions;
the processor being configured to execute the computer-executable instructions to implement the authorization method according to any one of claims 1 to 3 or the authorization method according to any one of claims 4 to 6.
10. An authorization system based on the OAuth protocol, comprising:
a client configured to implement the authorization method according to any one of claims 1 to 3;
a server configured to implement the authorization method according to any one of claims 4 to 6.
11. A computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the authorization method according to any one of claims 1 to 3 or the authorization method according to any one of claims 4 to 6.
CN202210688892.3A 2022-06-17 2022-06-17 Authorization method, device, system and storage medium based on OAuth protocol Active CN115174162B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210688892.3A CN115174162B (en) 2022-06-17 2022-06-17 Authorization method, device, system and storage medium based on OAuth protocol

Publications (2)

Publication Number Publication Date
CN115174162A CN115174162A (en) 2022-10-11
CN115174162B true CN115174162B (en) 2023-10-24

Family

ID=83484539

Country Status (1)

Country Link
CN (1) CN115174162B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117762601A (en) * 2024-02-22 2024-03-26 北方健康医疗大数据科技有限公司 Method, system, terminal and storage medium for invoking hydra service

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104350501A (en) * 2012-05-25 2015-02-11 佳能株式会社 Authorization server and client apparatus, server cooperative system, and token management method
CN106534175A (en) * 2016-12-07 2017-03-22 西安电子科技大学 Open platform authorization and authentication system and method based on OAuth protocol
US9882892B1 (en) * 2014-06-18 2018-01-30 Intuit Inc. User authorization using intent tokens
WO2018077169A1 (en) * 2016-10-31 2018-05-03 中兴通讯股份有限公司 Image repository authorization, access and management method, server, and client

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10404699B2 (en) * 2014-02-18 2019-09-03 Oracle International Corporation Facilitating third parties to perform batch processing of requests requiring authorization from resource owners for repeat access to resources
US9306939B2 (en) * 2014-05-30 2016-04-05 Oracle International Corporation Authorization token cache system and method
US9817645B2 (en) * 2014-09-17 2017-11-14 Sap Se Reusable application configuration with dynamic resource determination
US20180330368A1 (en) * 2017-05-11 2018-11-15 Circle Media Labs Inc. Secure authenticated passwordless communications between networked devices
US10708053B2 (en) * 2017-05-19 2020-07-07 Intuit Inc. Coordinating access authorization across multiple systems at different mutual trust levels
US11563580B2 (en) * 2020-11-12 2023-01-24 Sap Se Security token validation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
B. Campbell (Ping Identity), J. Bradley (Yubico), N. Sakimura (Nomura Research Institute), T. Lodderstedt (YES.com AG). OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705). IETF, 2020, full text. *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant