CN115766018A - Authentication method, device and equipment based on decentralized identity - Google Patents

Publication number
CN115766018A
Authority
CN
China
Prior art keywords
decentralized identity
information
user
access
decentralized
Prior art date
Legal status
Pending
Application number
CN202211260037.9A
Other languages
Chinese (zh)
Inventor
邱子博
白云
王熙
陈琦
黄道星
邓永庆
余廷钊
何秋佳
樊金龙
Current Assignee
Ant Blockchain Technology Shanghai Co Ltd
Original Assignee
Ant Blockchain Technology Shanghai Co Ltd
Priority date
Filing date
Publication date
Application filed by Ant Blockchain Technology Shanghai Co Ltd
Priority to CN202211260037.9A
Publication of CN115766018A

Classification

  • Financial Or Insurance-Related Operations Such As Payment And Settlement

Abstract

The embodiments of this specification disclose an authentication method, device and equipment based on decentralized identity. The scheme can comprise the following steps: the unified authentication system identifies, based on the authority information of the decentralized identity stored in the blockchain system, whether the decentralized identity provided by the user side equipment has access rights to the first system, and feeds back to the first system information indicating whether the decentralized identity at the user side equipment has access rights to the first system, so as to complete the authentication of the user side equipment at the first system.

Description

Authentication method, device and equipment based on decentralized identity
Technical Field
The present application relates to the field of internet technologies, and in particular, to an authentication method, apparatus, and device based on decentralized identity.
Background
With the development of internet technology, people increasingly rely on the internet to acquire information or transact business, for example by browsing news web pages through a browser or transacting business through an application client. Some systems require users to authenticate, and provide the corresponding services only after determining that the user holds the corresponding rights. Therefore, when a user currently uses each system, a user account at that system is usually obtained in advance and a corresponding account password is set, so that later user authentication is performed in the manner of "user account + account password". This authentication mode requires the user to switch between user accounts frequently when using different systems, which is inconvenient to operate, and because the user's account password must be transmitted repeatedly during authentication, the security of the user's private information, and thus the operational security of the authentication process, is affected.
Therefore, how to improve the operation convenience and the operation security of the user in the authentication process of each system becomes a technical problem to be solved urgently.
Disclosure of Invention
The authentication method, device and equipment based on the decentralized identity provided by the embodiment of the specification can improve the operation convenience and operation safety of the user in the authentication process of each system.
In order to solve the above technical problem, the embodiments of the present specification are implemented as follows:
an authentication method based on decentralized identity provided by an embodiment of the present specification includes:
acquiring a verification request of a first system for the access authority of user side equipment;
based on the verification request, acquiring a decentralized identity of the user side equipment;
searching the authority information of the decentralized identity from a blockchain system;
determining, based on the permission information, that the decentralized identity has access to the first system;
feeding back information to the first system indicating that the decentralized identity has access rights to the first system.
An authentication method based on decentralized identity provided by an embodiment of the present specification includes:
the blockchain system acquires a query request for the authority information of the first decentralized identity sent by the unified authentication system; the query request is used for querying whether the first decentralized identity has access right to a first system;
determining that the first decentralized identity has access rights to the first system based on the permission information of the first decentralized identity stored by the blockchain system;
sending information to the unified authentication system indicating that the first decentralized identity has access to the first system.
An authentication device based on decentralized identity provided by an embodiment of this specification includes:
the first acquisition module is used for acquiring a verification request of the first system for the access authority of the user side equipment;
the second obtaining module is used for obtaining the decentralized identity of the user side equipment based on the verification request;
the searching module is used for searching the authority information of the decentralized identity from the blockchain system;
a first access permission determination module, configured to determine, based on the permission information, that the decentralized identity has access permission to the first system;
a first feedback module for feeding back information indicating that the decentralized identity has access rights to the first system.
An authentication device based on decentralized identity provided by an embodiment of this specification includes:
the first acquisition module is used for enabling the blockchain system to acquire a query request, sent by the unified authentication system, for the authority information of the first decentralized identity; the query request is used for querying whether the first decentralized identity has access right to a first system;
an access permission determination module, configured to determine that the first decentralized identity has an access permission to the first system based on permission information of the first decentralized identity stored in the blockchain system;
a first sending module, configured to send, to the unified authentication system, information indicating that the first decentralized identity has an access right to the first system.
An authentication device based on decentralized identity provided in an embodiment of this specification includes:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquiring a verification request of a first system for the access authority of user side equipment;
acquiring a decentralized identity of the user side equipment based on the verification request;
searching the authority information of the decentralized identity from a blockchain system;
determining, based on the permission information, that the decentralized identity has access to the first system;
feeding back information to the first system indicating that the decentralized identity has access to the first system.
An authentication device based on decentralized identity provided in an embodiment of the present specification, where the authentication device is a node device at a blockchain system, includes:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquiring a query request for authority information of a first decentralized identity sent by a unified authentication system; the query request is used for querying whether the first decentralized identity has access right to a first system;
determining that the first decentralized identity has access rights to the first system based on the permission information of the first decentralized identity stored by the blockchain system;
sending information to the unified authentication system indicating that the first decentralized identity has access to the first system.
At least one embodiment provided in the present specification can achieve the following advantageous effects:
the user can use the distributed digital identity service provided by the blockchain system to register a personal decentralized identity, and the decentralized identity is used for managing the access rights of the user to each system. The unified authentication system can identify, based on the authority information of the decentralized identity in the blockchain system, whether the decentralized identity provided by the user side equipment has access rights to the first system, and feeds back to the first system information indicating whether the decentralized identity at the user side equipment has access rights to the first system, so that the authentication of the user side equipment at the first system is completed. According to the scheme, the user can use the decentralized identity to perform identity authentication at each system, without registering a plurality of user accounts at each system and without authenticating by entering a user account and user password, which improves the convenience of user operation. In addition, the private information of the user (such as the account password) does not need to be transmitted in the user authentication process, so the operational security of the user in the authentication process at each system is improved.
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the description below are only some embodiments described in the present application, and for those skilled in the art, other drawings may be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic view of an application scenario of an authentication method based on decentralized identity according to an embodiment of the present specification;
fig. 2 is a schematic flowchart of an authentication method based on decentralized identity according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of another authentication method based on decentralized identity according to an embodiment of the present disclosure;
fig. 4 is a schematic swim-lane flow diagram of a decentralized identity based authentication method according to an embodiment of the present disclosure, corresponding to figs. 2 and 3;
fig. 5 is a schematic structural diagram of an authentication apparatus based on decentralized identity according to an embodiment of the present disclosure and corresponding to fig. 2;
fig. 6 is a schematic structural diagram of an authentication apparatus based on decentralized identity according to an embodiment of the present disclosure and corresponding to fig. 3;
fig. 7 is a schematic structural diagram of an authentication apparatus based on decentralized identity according to an embodiment of the present specification, and corresponds to fig. 2;
fig. 8 is a schematic structural diagram of an authentication apparatus based on decentralized identity according to an embodiment of the present specification, and corresponds to fig. 3.
Detailed Description
To make the objects, technical solutions and advantages of one or more embodiments of the present disclosure more apparent, the technical solutions of one or more embodiments of the present disclosure will be clearly and completely described below with reference to specific embodiments of the present disclosure and the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present specification, and not all embodiments. All other embodiments that can be derived by a person skilled in the art from the embodiments given herein without making any creative effort fall within the scope of protection of one or more embodiments of the present specification.
The technical solutions provided by the embodiments of the present description are described in detail below with reference to the accompanying drawings.
In the prior art, different systems usually have their own account systems, which for security reasons are usually not open to the outside, so a user of multiple systems must register an account at each of them in order to later complete user authentication at a given system with the user account and account password registered there. This authentication mode is not only inconvenient for the user; because a user may use the same mobile phone number or mailbox address as the user account at multiple systems and set the same account password for those accounts, an attacker who intercepts the user's account information and account password at one system during a later authentication may compromise the security of the user's authentication at the other systems as well. Therefore, there is a need for an authentication scheme that improves the convenience and security of the user's authentication at each system.
In order to solve the defects in the prior art, the scheme provides the following embodiments:
fig. 1 is a schematic view of an application scenario of an authentication method based on decentralized identity in an embodiment of this specification.
As shown in fig. 1, a user may operate a user-side device 101 to access a first system, and a first system 102 may generate and send a verification request for an access right of the user-side device to a unified authentication system 103. The unified authentication system 103 may obtain the decentralized identity of the user-side device 101 based on the verification request.
Since the blockchain system 104 usually stores the authority information of each decentralized identity, the unified authentication system 103 can search the authority information of the decentralized identity in the blockchain system 104. If the unified authentication system 103 determines, based on that authority information, that the decentralized identity has access rights to the first system, it may feed back information indicating so to the first system 102, so that the first system 102 can determine that the user-side device 101 has access rights to the first system 102, thereby completing the user authentication of the user-side device 101 at the first system 102.
In the scheme in fig. 1, since the user can use a personal decentralized identity to perform identity authentication at each system, the user does not need to register multiple user accounts at each system or enter a user account and user password to authenticate, which improves the convenience of user operation. In addition, the private information of the user (such as the account password) does not need to be transmitted in the user authentication process, so the operational security of the user in the authentication process at each system is improved.
Next, an authentication method based on decentralized identity authentication provided in an embodiment of the specification will be specifically described with reference to the accompanying drawings:
fig. 2 is a schematic flowchart of an authentication method based on decentralized identity according to an embodiment of the present disclosure. From a program perspective, the execution subject of the flow may be a unified authentication system, or an application installed at the unified authentication system. As shown in fig. 2, the process may include the following steps:
step 202: and acquiring a verification request of the first system for the access authority of the user side equipment.
In the embodiment of the present specification, since a user usually has a need to authenticate a plurality of systems based on the same user authentication credential, in order to implement intercommunication between authentication systems at different systems, a unified authentication system may be set, and the unified authentication system may be in communication connection with the plurality of systems, respectively, so that when any system needs to authenticate the user, the system may request the unified authentication system to verify whether the user has an access right to the system.
Based on this, when the user-side device needs to access the first system, the first system may send a verification request for the access right of the user-side device to the unified authentication system, so that the unified authentication system may obtain the verification request for the access right of the user-side device by the first system mentioned in step 202. In practical applications, the first system may be a client of the application program, or may also be a server of the application program, and the first system may also be a browser or a web server, which is not limited in particular.
Step 204: and acquiring the decentralized identity of the user side equipment based on the verification request.
In this embodiment, a blockchain may be understood as a data chain formed by sequentially storing a plurality of blocks, where the block header of each block includes the block's timestamp, the hash value of the previous block's information, and the hash value of the block's own information, so that the blocks verify one another and form a chain that cannot be forged. Each block can be understood as a data block (a unit of stored data). As a decentralized database, the blockchain is a series of data blocks linked to one another by cryptographic methods; each data block contains the information of one network transaction, which is used to verify the validity (authenticity) of the information and to generate the next block. The blockchain is formed by connecting the blocks end to end. To modify the data in a block, the contents of all blocks after it would also have to be modified, as would the data backed up at all nodes of the blockchain network. The blockchain is therefore difficult to tamper with or delete, and this way of maintaining the integrity of content makes data reliable once it has been saved to the blockchain.
In embodiments of this specification, distributed digital identity services may be provided through a blockchain system. Specifically, the user may create a personal decentralized identifier (DID) based on the blockchain system and use it to manage the individual's related rights at each system, for example access rights to a system, push rights for push information at a system, call rights for the individual's related data, and so on. Because the decentralized identity and its related authority information can be stored in the blockchain system, the related user data can be managed and protected in a standardized way while the authenticity and efficiency of information transfer are ensured, which addresses problems such as cross-system and cross-platform identity authentication and service cooperation.
Based on this, when the user accesses the first system through the user-side device and the first system therefore needs to authenticate the user-side device, the user can provide the personal decentralized identity through the user-side device for authentication. In the embodiments of this specification, since the unified authentication system is used to perform the authority authentication of the user-side device, the unified authentication system can obtain the decentralized identity of the user-side device based on the verification request. In practical applications, the decentralized identity of the user-side device may be the unique identification information of a DID registered by the user, for example the address information of the DID.
Step 206: and searching the authority information of the decentralized identity from the blockchain system.
In the embodiment of the present specification, authority information of each decentralized identity is usually stored in advance in a blockchain system, for example, access authority information of the decentralized identity for each system, push authority information of push information for each system, call authority information of personal related data, and the like.
Based on this, when the unified authentication system needs to determine whether the decentralized identity of the user side device has an access right to the first system, the right information related to the decentralized identity may be searched from the blockchain system.
In practical applications, the decentralized identity of the user-side device may generally have access rights of multiple systems, so that the right information related to the decentralized identity, which can be found from the blockchain system, may generally correspond to the multiple systems, so that a user may authenticate at the multiple systems using the same decentralized identity.
Step 208: determining, based on the permission information, that the decentralized identity has access to the first system.
In this embodiment of the present specification, if it is indicated that permission information reflecting that the decentralized identity of the user side device has an access permission to the first system is stored in the blockchain system according to the query result, it may be determined that the decentralized identity provided by the user side device has an access permission to the first system.
Step 210: feeding back information to the first system indicating that the decentralized identity has access rights to the first system.
In this embodiment, after determining that the decentralized identity of the user-side device has an access right to the first system, the unified authentication system needs to feed back, to the first system, information indicating that the decentralized identity has an access right to the first system. After receiving the information, the first system may directly determine that the authentication result of the user-side device indicates that the authentication passes, thereby allowing the user-side device to access the first system.
In addition, if the unified authentication system determines that the decentralized identity does not have the access right to the first system based on the right information, information indicating that the decentralized identity does not have the access right to the first system may be fed back to the first system, so that the first system may deny the access of the user-side device.
In the method in fig. 2, a user may manage the user's access rights to each system with a personal decentralized identity. Based on this, the unified authentication system may recognize, from the authority information of the decentralized identity in the blockchain system, whether the decentralized identity provided by the user-side device has access rights to the first system, and feed back information indicating whether the decentralized identity at the user-side device has access rights to the first system, thereby completing the authentication of the user-side device at the first system. The user can perform identity authentication at each system with the personal decentralized identity, without registering a plurality of user accounts at each system and without authenticating by entering a user account and user password, which improves the convenience of user operation. In addition, the private information of the user (such as the account password) does not need to be transmitted in the user authentication process, so the operational security of the user in the authentication process at each system is improved.
Based on the method in fig. 2, some specific embodiments of the method are also provided in the examples of this specification, which are described below.
Based on this, step 202: the obtaining of the verification request of the first system for the access right of the user-side device may specifically include:
and acquiring a redirection request sent by the first system, wherein the redirection request is generated by the first system after acquiring an access request of the user side equipment in an unregistered state to the first system.
In this embodiment, redirection (Redirect) may refer to a way of redirecting various requests to other locations, for example, web page redirection, domain name redirection, route redirection, etc.
Because the first system needs to determine whether the user-side device has the access right for the first system through the unified authentication system, after the first system acquires the access request of the user-side device for the first system, if the user-side device is determined to be in the non-login state and the user authentication is needed, a redirection request can be generated for the access request, and the redirection request is sent to the unified authentication system, so that the unified authentication system can respond to the redirection request to determine whether the user-side device has the access right for the first system.
In practical applications, during the process of executing the service by using the first system, there may be a plurality of links that need to authenticate the user, for example, a link that the user logs in a personal account, a link that the user executes a payment operation, a link that the user reads private data, and the like, which is not particularly limited. However, each user authentication link can be generally implemented by using the authentication method based on decentralized identity provided in the embodiments of the present specification.
For understanding, the authentication method based on decentralized identity provided in this specification is explained in a scenario where a user logs in to a personal account. Specifically, at this time, since the user has not successfully logged in to the personal account of the first system at the user side device, the user side device is still in the unregistered state, and based on this, the first system may generate the redirection request after acquiring the access request, to the first system, of the user side device in the unregistered state.
In addition, after the user successfully logs in to the personal account of the first system at the user side device, if user authentication is required in the process of accessing the first system, the redirection request may be generated by the first system after acquiring an access request of the user side device in the logged-in state to the first system, which is not described in detail herein.
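The exchange of steps 202 to 210, including the redirect the first system issues for an access request from a device in the unregistered state, written out as an added Go example. This is illustrative code, not code from the patent or from Ant Blockchain Technology. The in-memory ChainRegistry stands in for the blockchain system's permission lookup; the type and field names (PermissionRecord, RedirectRequest, Feedback, RequestID) are assumptions; the DIDs and system names are constructed sample data; and the one-time RequestID that lets the first system match the feedback to a pending access is an addition the page does not specify.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// PermissionRecord is the authority information the chain stores for one DID:
// the systems it may access. Type and field names are this example's assumptions.
type PermissionRecord struct{ AccessSystems map[string]bool }

// ChainRegistry is a constructed in-memory stand-in for the blockchain system.
type ChainRegistry struct{ Records map[string]PermissionRecord }

var ErrUnknownDID = errors.New("no permission record for DID")

// LookupPermissions is step 206: search the DID's authority information on chain.
func (c *ChainRegistry) LookupPermissions(did string) (PermissionRecord, error) {
	if rec, ok := c.Records[did]; ok {
		return rec, nil
	}
	return PermissionRecord{}, ErrUnknownDID
}

// RedirectRequest is sent by the first system when an unauthenticated user-side
// device accesses it (step 202). RequestID is an assumed one-time value that
// lets the first system match the later feedback to this pending access.
type RedirectRequest struct{ RequestID, SystemID string }

// Feedback is the information returned to the first system (step 210).
type Feedback struct {
	RequestID, DID, Reason string
	HasAccess              bool
}

// UnifiedAuth is the unified authentication system of fig. 2.
type UnifiedAuth struct{ Chain *ChainRegistry }

// Verify runs steps 206-210 for the DID the device presented on the single
// sign-on page (step 204). Every failure path is a deny, so a lookup error is
// never reported to the first system as success.
func (u *UnifiedAuth) Verify(req RedirectRequest, did string) Feedback {
	fb := Feedback{RequestID: req.RequestID, DID: did}
	if did == "" || req.SystemID == "" {
		fb.Reason = "malformed request"
		return fb
	}
	rec, err := u.Chain.LookupPermissions(did)
	switch {
	case err != nil:
		fb.Reason = err.Error()
	case rec.AccessSystems[req.SystemID]: // step 208: explicit allow only
		fb.HasAccess, fb.Reason = true, "on-chain permission grants access"
	default:
		fb.Reason = "on-chain permission does not cover this system"
	}
	return fb
}

// FirstSystem tracks pending redirects (RequestID -> session) and sessions
// that passed authentication (session -> DID).
type FirstSystem struct {
	ID                string
	pending, sessions map[string]string
}

func NewFirstSystem(id string) *FirstSystem {
	return &FirstSystem{ID: id, pending: map[string]string{}, sessions: map[string]string{}}
}

// Access handles the user-side device's request: an authenticated session
// proceeds; an unauthenticated one is redirected to the unified auth system.
func (f *FirstSystem) Access(session string) (authenticated bool, redirect *RedirectRequest) {
	if _, ok := f.sessions[session]; ok {
		return true, nil
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(b)
	f.pending[id] = session
	return false, &RedirectRequest{RequestID: id, SystemID: f.ID}
}

// Consume applies the feedback. An unknown or already used RequestID, or a
// deny, leaves the session unauthenticated; each RequestID is honoured once.
func (f *FirstSystem) Consume(fb Feedback) bool {
	session, ok := f.pending[fb.RequestID]
	delete(f.pending, fb.RequestID)
	if !ok || !fb.HasAccess {
		return false
	}
	f.sessions[session] = fb.DID
	return true
}

func main() {
	chain := &ChainRegistry{Records: map[string]PermissionRecord{ // constructed sample data
		"did:example:alice": {AccessSystems: map[string]bool{"payments": true}},
	}}
	auth, fs := &UnifiedAuth{Chain: chain}, NewFirstSystem("payments")
	_, rr := fs.Access("session-1")
	fb := auth.Verify(*rr, "did:example:alice")
	fmt.Printf("access=%v (%s); session authenticated=%v\n", fb.HasAccess, fb.Reason, fs.Consume(fb))
}
```

The point worth carrying into a real deployment is the deny-by-default shape of Verify and Consume: an unknown DID, a permission record that does not name the first system, or feedback that the first system did not ask for all end in the same place as an explicit deny.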
In the embodiment of the present specification, since the user needs to provide the decentralized identity to complete the user authentication at the first system, an implementation manner is also provided for enabling the user to provide the decentralized identity of the individual in the authentication process.
Specifically, step 204: obtaining the decentralized identity of the user-side device may include:
and feeding back a single sign-on page to the user side equipment.
And acquiring a single sign-on request which is sent by the user side equipment based on the single sign-on page and contains the decentralized identity.
In the embodiments of this specification, Single Sign-On (SSO) may refer to a login manner in which, after a user has successfully logged in with a user account at one system, the user obtains the right to access the other associated systems and application software. That is, across multiple systems a user only needs to log in once to access all mutually trusted systems. This reduces the time spent on login, which improves the user experience.
In the embodiment of the specification, because the user can perform user authentication at the multiple systems respectively by using the same decentralized identity, in an account login scene, the user can perform account login operation at the multiple systems including the first system based on a single sign-on mode, which is convenient and fast.
Based on this, the unified authentication system may, in response to a verification request of the first system for the access right of the user-side device, feed back a single sign-on page to the user-side device, so that the user may feed back a decentralized identity required for verifying the access right to the unified authentication system through the single sign-on page.
In practical applications, an application program or a browser of the user-side device for displaying the single sign-on page generally has a target plug-in, so that after the single sign-on page is displayed, the target plug-in may automatically or based on a user operation invoke the decentralized identity, and generate and send a single sign-on request including the decentralized identity to the unified authentication system.
In practical applications, the decentralized identity may be stored in advance on the user-side device, or it may be stored in the blockchain system. If it is stored in the blockchain system, the target plug-in can acquire it from the blockchain system directly, or the target plug-in can connect to an on-chain application and acquire the decentralized identity from the blockchain system through that application, so as to ensure the authenticity and accuracy of the decentralized identity; this is not specifically limited here.
In the embodiments of this specification, in order to prevent a user from cheating user authentication with another person's decentralized identity, it is further required to ensure that the user-side device has the right to use the decentralized identity it provides.
Based on this, after step 204 (obtaining the decentralized identity of the user-side device), the method may further include:
determining that the user-side device has the right to use the decentralized identity.
In the embodiment of the present specification, there may be various ways of verifying whether the user-side device has the right to use the decentralized identity it provides; in general, it is convenient and fast for the user-side device to provide verification information that only it is able to produce.
Based on this, determining that the user-side device has the right to use the decentralized identity may specifically include:
acquiring verification information sent by the user-side device and generated based on the private key corresponding to the decentralized identity; and
determining, according to the verification information, that the user-side device has the right to use the decentralized identity.
In the embodiment of the present specification, each decentralized identity is usually configured with at least one public/private key pair; the public key of the pair is stored in the blockchain system, and the private key is kept by the user.
Based on this, the user-side device can generate verification information using the private key corresponding to the decentralized identity, and the unified authentication system can then check that verification information using the public key corresponding to the decentralized identity recorded in the blockchain system. If the check passes, it can be determined that the user-side device has the right to use the decentralized identity it provides; otherwise, it can be determined that it does not.
Specifically, the verification information may generally be carried in the single sign-on request containing the decentralized identity; of course, it may also be sent to the unified authentication system in another way without being carried in the single sign-on request, which is not limited here. In practical applications, the verification information may be a digital signature generated using the private key corresponding to the decentralized identity.
Subsequently, the unified authentication system can have the blockchain system verify the verification information by calling a smart contract; if the verification passes, the user-side device can be determined to have the right to use the decentralized identity it provides, which is convenient, fast and accurate. Alternatively, the unified authentication system may download the public key corresponding to the decentralized identity from the blockchain system and verify the verification information with that public key itself, which is not specifically limited.
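The usage-right check described above, as an added, runnable illustration that is not part of the patent or of any Ant Blockchain product: a toy Schnorr signature stands in for the unspecified signature suite (the parameter sizes are deliberately small and not production strength), a dictionary stands in for the on-chain public key registry, and the unified authentication system verifies the user-side device's signature with the public key it fetches from that registry rather than any key sent by the client. The nonce (challenge) is an assumption, since the page does not say what is signed; without one a captured signature could be replayed.

```python
import hashlib
import secrets

# Toy Schnorr signature over a prime-order subgroup (DSA-style parameters).
# Stand-in for whatever signature suite the DID's key pair actually uses; the
# page only says "a digital signature generated using the private key".
# Parameter sizes are kept small for speed and are NOT production strength.

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(qbits=160, pbits=512):
    """Primes q | p-1 and a generator g of the order-q subgroup of Z_p^*."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        p = (secrets.randbits(pbits - qbits) & ~1) * q + 1   # even k keeps p odd
        if p.bit_length() == pbits and is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, (p - 1) // q, p)
        if g != 1:
            break
    return p, q, g

def keygen(group):
    """Key pair for a DID: private key kept by the user, public key put on chain."""
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def _challenge(r, msg, q):
    rb = r.to_bytes((r.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(rb + msg).digest(), "big") % q

def sign(group, x, msg):
    p, q, g = group
    k = secrets.randbelow(q - 1) + 1
    e = _challenge(pow(g, k, p), msg, q)
    return e, (k - x * e) % q

def verify(group, y, msg, sig):
    p, q, g = group
    e, s = sig
    if not (0 <= e < q and 0 <= s < q):
        return False
    r = pow(g, s, p) * pow(y, e, p) % p          # g^s * y^e == g^k when s = k - x*e
    return _challenge(r, msg, q) == e

class ChainRegistry:
    """Constructed stand-in for the blockchain: DID -> registered public key."""
    def __init__(self):
        self._keys = {}
    def register(self, did, pubkey):
        self._keys[did] = pubkey
    def public_key(self, did):
        return self._keys.get(did)

def _login_message(did, nonce):
    # What gets signed (assumption: the page does not fix a message format).
    return b"sso-login|" + did.encode() + b"|" + nonce

class UnifiedAuthVerifier:
    """Unified authentication system: checks the usage right for a presented DID."""
    def __init__(self, group, chain):
        self.group, self.chain, self._nonces = group, chain, {}
    def challenge(self, did):
        # Fresh per-attempt nonce so a captured signature cannot be replayed later.
        nonce = secrets.token_bytes(16)
        self._nonces[did] = nonce
        return nonce
    def has_usage_right(self, did, nonce, sig):
        if self._nonces.pop(did, None) != nonce:       # unknown, stale or reused nonce
            return False
        pubkey = self.chain.public_key(did)            # key comes from the chain, not the client
        return pubkey is not None and verify(self.group, pubkey, _login_message(did, nonce), sig)

def client_sign(group, private_key, did, nonce):
    """Target plug-in on the user-side device producing the verification information."""
    return sign(group, private_key, _login_message(did, nonce))
```

Whichever of the two options the page describes is used (verification on chain through a smart contract, or downloading the public key and verifying locally), the property to preserve is the same: the public key is authoritative because it comes from the chain rather than from the client's request, and each successful or failed verification consumes its challenge.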
In practical application, although a user may perform authentication at each system by using the decentralized identity, each system generally allocates a unique user identity to the user in order to manage data of the user, and the unique user identity may also be used as user account information.
In this embodiment, a session refers to a special object created by a server to hold a user's state. The session object may store the attributes and configuration information needed for a particular user session, so that when the user moves between applications or web pages, the variables stored in the session object are not lost but persist throughout the user session. When a user sends a request to an application or web page and does not yet have a session, the server automatically creates a session object for the user; when the session expires or is abandoned, the server terminates it. In this way the session can be used to store and manage the user's state.
Based on this, after the unified authentication system determines that the decentralized identity has the access right to the first system, if no session currently corresponds to the decentralized identity, a session may be created for it, so that the user may use the decentralized identity to conveniently perform login operations at multiple systems in a single sign-on manner.
Specifically, after determining that the decentralized identity has an access right to the first system, the method may further include:
generating global session control information corresponding to the decentralized identity, wherein the global session control information comprises access authority information of the decentralized identity to the first system.
In this embodiment of the present specification, since a session may be used to store and manage a user, after determining that the decentralized identity has the access right to the first system, if the unified authentication system determines that it does not currently hold global session control information corresponding to the decentralized identity, it may generate such global session control information (i.e., a global session) for the decentralized identity. The unified authentication system can then use this global session control information to respond to and process the user authentication procedures triggered when the user subsequently accesses other systems with the same decentralized identity.
In practical application, after receiving the information which is fed back by the unified authentication system and used for indicating that the decentralized identity provided by the user side device has the access right to the first system, the first system may also create local session control information for the user side device and/or the decentralized identity by itself, so as to provide services or data to the user based on the local session control information, which is beneficial to improving the stability of the interaction process between the first system and the user side device.
In this embodiment of the present specification, the global session control information may further include access right information of the decentralized identity with respect to a plurality of systems including the first system, so that when the user passes the user authentication at the first system by using the decentralized identity, the unified authentication system may further use the global session control information to verify the access right of the decentralized identity with respect to other systems, so that the user may conveniently use the decentralized identity to perform authentication at other systems.
Based on this, after generating the global session control information corresponding to the decentralized identity, the method may further include:
acquiring a verification request from the second system for the access right of the user-side device that applies the decentralized identity;
determining, based on the global session control information, that the decentralized identity has the access right to the second system; and
feeding back, to the second system, information indicating that the decentralized identity has the access right to the second system.
In this embodiment of the present specification, the verification request from the second system for the access right of the user-side device applying the decentralized identity may be a request, generated by the second system and sent to the unified authentication system, to verify whether the decentralized identity has the access right to the second system, when the user-side device accesses the second system with the decentralized identity after passing user authentication at the first system with that decentralized identity.
In practical application, the verification request from the second system for the access right of the user-side device applying the decentralized identity may be a redirection request generated by the second system after obtaining the user-side device's access request to the second system. In an account login scenario, the verification request may specifically be a redirection request generated by the second system after determining that the user-side device is in an unregistered state. Unlike the redirection request sent by the first system, however, the verification request sent by the second system may directly carry the decentralized identity, so the user does not need to feed it back through a single sign-on page, which is convenient and fast. Of course, the verification request sent by the second system may also omit the decentralized identity, in which case the user may feed it back to the unified authentication system through a single sign-on page or in another manner, which is not specifically limited.
Subsequently, the unified authentication system may determine whether the decentralized identity has access to the second system based on the global session control information. If yes, the information used for indicating that the decentralized identity has the access right to the second system can be fed back to the second system, so that the second system can determine that the user side equipment passes the authentication, and the second system can also create local session control information for the decentralized identity to provide services or data for the user based on the local session control information. If not, the information which is used for indicating that the decentralized identity does not have the access right to the second system can be fed back to the second system, so that the second system can determine that the user side equipment fails to pass the authentication, the user side equipment is forbidden to access the second system, and the operation safety of the second system is guaranteed.
Based on the same idea as the scheme shown in fig. 2, the embodiment of the present specification further provides another authentication method based on decentralized identity. Fig. 3 is a flowchart illustrating another authentication method based on decentralized identity according to an embodiment of the present disclosure. The execution subject of the process may be a blockchain system, or an application program loaded at the blockchain system. As shown in fig. 3, the process may include:
Step 302: the blockchain system acquires a query request, sent by the unified authentication system, for the authority information of a first decentralized identity; the query request is used to query whether the first decentralized identity has the access right to the first system.
In this embodiment, the query request mentioned in step 302 may be generated and sent to the blockchain system by the execution entity (i.e. unified authentication system) in fig. 2 when step 206 (i.e. searching the authorization information of the decentralized identity from the blockchain system) is executed.
In practical applications, the query request may be generated by the unified authentication system by invoking a smart contract deployed at the blockchain system for detecting users' access rights; the input parameters of that smart contract may include the first decentralized identity and the unique identification information of the first system. The first decentralized identity may be the information provided by the user when performing access right authentication at the first system, and the first system may be any system that needs to detect users' access rights.
Step 304: determining that the first decentralized identity has access rights to the first system based on the permission information of the first decentralized identity stored by the blockchain system.
In the embodiment of the present specification, the authority information of each decentralized identity is usually stored in the blockchain system in advance, for example the access authority information of the decentralized identity for each system, the push authority information for push information from each system, the call authority information for personal data, and the like. Based on this, whether the first decentralized identity has the access right to the first system can be determined from the authority information of the first decentralized identity stored by the blockchain system.
In practical applications, when the query request mentioned in step 302 is generated by the unified authentication system invoking a smart contract, the result of running the smart contract generally reflects whether the first decentralized identity has the access right to the first system; in this case, step 304 may be implemented by obtaining the result of running the smart contract invoked by the unified authentication system.
Step 306: sending information indicating that the first decentralized identity has access rights to the first system to the unified authentication system.
In this embodiment of the present specification, the blockchain system further needs to feed back an access right check result for the first decentralized identity to the first system, so that the first system determines whether to allow the user-side device providing the first decentralized identity to access the first system.
Specifically, if the blockchain system determines that the first decentralized identity has access right to the first system in step 304, the blockchain system may send information indicating that the first decentralized identity has access right to the first system to the unified authentication system in step 306, and then the first system may allow the user-side device providing the first decentralized identity to access the first system. If, in step 304, the blockchain system determines that the first decentralized identity does not have access to the first system, then, in step 306, the blockchain system may send information to the unified authentication system indicating that the first decentralized identity does not have access to the first system, and subsequently, the first system may prohibit the user-side device providing the first decentralized identity from accessing the first system.
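The access right query of steps 302 to 306 and the global session control information described earlier, as an added example that is not the patent's own code: `AccessRightsContract` is a constructed stand-in for the on-chain authority information, keyed by the two input parameters the page names (the decentralized identity and the system's unique identifier), and `UnifiedAuthSessions` models the unified authentication system. A fake clock is injected so session expiry can be exercised; the `session_ttl` parameter and the per-system "access" snapshot kept in the session are assumptions, since the page only says the global session control information includes the access authority information.

```python
import time

class AccessRightsContract:
    """Constructed stand-in for the smart contract holding each DID's authority
    information: which systems the DID may access. Keyed by (DID, system id),
    matching the two input parameters the page names for the query."""
    def __init__(self):
        self._grants = set()
    def grant(self, did, system_id):
        self._grants.add((did, system_id))
    def revoke(self, did, system_id):
        self._grants.discard((did, system_id))
    def has_access(self, did, system_id):
        """Result of running the contract for one query (step 304)."""
        return (did, system_id) in self._grants
    def systems_for(self, did):
        return {s for d, s in self._grants if d == did}

class UnifiedAuthSessions:
    """Unified authentication system side: global session control information per DID."""
    def __init__(self, contract, session_ttl=3600, clock=time.time):
        self.contract, self.ttl, self.clock = contract, session_ttl, clock
        self._sessions = {}          # did -> {"expires": t, "access": {system_id, ...}}

    def verify_first_login(self, did, system_id):
        """First system's verification request: query the chain, then open a global session.
        Returns the answer fed back to the first system."""
        allowed = self.contract.has_access(did, system_id)
        if allowed and self._live_session(did) is None:
            self._sessions[did] = {
                "expires": self.clock() + self.ttl,
                # Access rights to all systems, so later requests are answered from here.
                "access": self.contract.systems_for(did),
            }
        return allowed

    def verify_from_session(self, did, system_id):
        """Second system's verification request, answered from the global session.
        None means there is no live session and the single sign-on path is needed."""
        sess = self._live_session(did)
        if sess is None:
            return None
        return system_id in sess["access"]

    def _live_session(self, did):
        sess = self._sessions.get(did)
        if sess is not None and sess["expires"] <= self.clock():
            del self._sessions[did]                  # expired: terminate the session
            return None
        return sess
```

The snapshot makes the second system's check cheap (no chain query), but it also means a right revoked on chain stays usable until the global session expires; in a deployment that matters, keep the TTL short or invalidate the session when the contract records a revocation.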
In the method of fig. 3, the blockchain system and the unified authentication system cooperate to detect the access right of the user's decentralized identity to the first system, so that the user may authenticate at each system with a single decentralized identity, without registering a separate user account at each system or entering a user account and password to authenticate, which helps improve the convenience of user operation. In addition, the user's private information (such as an account password) does not need to be transmitted during user authentication, which improves the security of the user's authentication at each system.
In the embodiment of the present specification, in addition to managing the user's access rights to each system by means of the decentralized identity, the user may also manage and control other rights related to each system by means of the decentralized identity; these are explained below.
Example one
Because each system may need to push related service information to the user in the operation process, the user may have a need of receiving the pushed information or a need of prohibiting receiving the pushed information, and based on this, the user can manage the pushing authority of the pushed information at each system by using the decentralized identity.
Specifically, the method in fig. 3 may further include:
acquiring an information push request, sent by a second system in the form of a smart contract, which contains a second decentralized identity;
determining, based on the contact method specified in the smart contract, the communication address of each second decentralized identity for that contact method; and
executing the information push request using the communication address.
In the embodiments of the present specification, a smart contract on a blockchain is a computer protocol intended to propagate, verify or execute a contract by digital means. When a blockchain transaction initiated by a user satisfies the trigger condition of a smart contract, the program code of the smart contract runs automatically to process that transaction. Smart contracts are widely used in blockchain technology because they make blockchain applications more convenient and extensible.
Specifically, the second system may be a system that needs to push information. When the second system needs to push information to the user to whom a second decentralized identity belongs, it may invoke, at the blockchain system, a smart contract for executing information pushing. After detecting that the second decentralized identity permits the second system to push information to it, the smart contract may determine a communication address (e.g., a mobile phone number or an e-mail address) of the second decentralized identity and send the information the second system wants to push to that communication address, thereby executing the information push request.
The smart contract for performing information pushing may be deployed to the blockchain system in advance by the second system or another organization. Its input parameters may include the second decentralized identity, the contact method specified by the second system (e.g., short message or e-mail), the information to be pushed, and the like.
In practical applications, the user needs to provide the blockchain system with the contact methods corresponding to the second decentralized identity and the communication address for each type of contact method, so that the smart contract performing information pushing at the blockchain system can determine the communication address of the second decentralized identity by itself.
In addition, to prevent the second system from bypassing the blockchain system and pushing information to the user directly, the user may withhold his or her communication address from the second system, or not grant the second system the right to push information by itself, so that the second system can only push information through the blockchain system and the user can better manage each system's information push rights at the blockchain system based on the second decentralized identity.
It is to be noted that the second system and the first system in this embodiment may be the same system or different systems, and the second decentralized identity and the first decentralized identity may be the same decentralized identity or different decentralized identities. The second system may initiate one information push request for each second decentralized identity, or may initiate only one information push request for a plurality of second decentralized identities. This is not particularly limited.
In this embodiment, the blockchain system may further record the information pushing between each system and each decentralized identity, so as to facilitate subsequent auditing.
Based on this, after executing the information push request according to the communication address, the method may further include:
generating an information push record for each second decentralized identity according to the information pushed to the communication address of that second decentralized identity; and
storing the information push record in the blockchain system.
In this embodiment, the information push record may record information such as the pushing party (e.g., the second system), the receiving party (e.g., the second decentralized identity), the communication address of the receiving party, the push information received by the receiving party, the push time, the number of pushes, and the like, so that the second system, or the user to whom the second decentralized identity belongs, can later look up statistics on the information pushed or received.
In practical applications, to avoid leakage of the user's private information, the information push record and the communication address of the receiving party in the smart contract may be encrypted, so that only a party with the authority to view that private information (e.g., the owner of the communication address or a regulatory agency) can decrypt and view it.
In this embodiment of the present specification, if the user no longer wants to receive push information from the second system, the information push right of the second system for the user's second decentralized identity may also be masked.
Based on this, the scheme in fig. 3 may further include:
acquiring a push information masking instruction for the second system, sent by the user based on any one second decentralized identity; and
masking, in the blockchain system, the information push right of the second system for that second decentralized identity based on the push information masking instruction.
In this embodiment of the present specification, the push information masking instruction may be sent by the user by calling a smart contract at the blockchain system, or sent by the user to the blockchain system through a Decentralized Application (DApp), which is not particularly limited. After the information push right of the second system for a second decentralized identity has been masked in the blockchain system, if the blockchain system later receives an information push request from the second system, in the form of a smart contract, that contains that second decentralized identity, the blockchain system refrains from pushing information to the communication address of that second decentralized identity and may additionally send the second system a prompt message stating that it has no information push right for that second decentralized identity. This helps prevent misuse of the communication address of the second decentralized identity by the second system and/or the blockchain system.
Example two
The user can not only use the decentralized identity to manage the access authority information of the relevant system, but also can bind the personal information with the decentralized identity at the blockchain system, so that each system can use the personal information of the user at the blockchain system to identify whether each user meets the preset conditions.
Based on this, the method in fig. 3 may further include:
acquiring a user information verification request, sent by a third system in the form of a smart contract, which contains a third decentralized identity;
checking, based on the user information of decentralized identities stored in the blockchain system, whether the user information of the third decentralized identity satisfies the condition (i.e., a preset condition) in the user information verification request, to obtain a check result; and
sending the check result to the third system.
In this embodiment, the third system may be a system that needs to verify user information. When the third system needs to check whether the user information of the user to whom the third decentralized identity belongs satisfies a preset condition, it may invoke a smart contract for user information checking at the blockchain system to send the user information verification request. After detecting that the third decentralized identity permits the third system to call its user information, the smart contract may check whether the user information corresponding to the third decentralized identity at the blockchain system satisfies the condition in the request, and feed the check result back to the third system.
The smart contract for user information checking may be deployed to the blockchain system in advance by the third system or another organization. Its input parameters may include the third decentralized identity, the preset condition, the unique identification information of the third system, and the like.
It is noted that the first system, the second system, and the third system in this embodiment may be the same system or different systems, and the first decentralized identity, the second decentralized identity, and the third decentralized identity may be the same decentralized identity or different decentralized identities. The third system may initiate one user information authentication request for each of the third decentralized ids, or may initiate only one user information authentication request for a plurality of third decentralized ids. This is not particularly limited.
In this embodiment, the blockchain system may further record each system's use of the user information corresponding to each decentralized identity, so as to facilitate subsequent auditing.
Based on this, after acquiring the user information verification request containing the third decentralized identity sent by the third system in the form of a smart contract, the method may further include:
generating a user information call record for the third decentralized identity according to the checking process performed on the user information of the third decentralized identity; and
storing the user information call record in the blockchain system.
In this embodiment of the present specification, if the user no longer wants the third system to call his or her user information, the right of the third system to call the user information corresponding to the third decentralized identity may also be masked.
Based on this, the scheme in fig. 3 may further include:
acquiring a privacy information masking instruction for the third system, sent by the user based on the third decentralized identity; and
masking, in the blockchain system, the right of the third system to call the user information of the third decentralized identity based on the privacy information masking instruction.
In this embodiment, after the right of the third system to call the user information of the third decentralized identity has been masked in the blockchain system, if the blockchain system receives a user information verification request from the third system, in the form of a smart contract, that contains the third decentralized identity, it refrains from generating a check result indicating whether the user information of the third decentralized identity satisfies the condition in the request, and sends the third system a prompt message stating that it has no right to call the user information of the third decentralized identity. This helps prevent misuse of the user information corresponding to the third decentralized identity by the third system and/or the blockchain system.
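Example one and Example two above share one pattern: a system asks the chain to act on a user's data, the smart contract first checks the right the user granted that system for that decentralized identity, performs the action without handing the raw data to the system, writes a record, and honours masking instructions. The following is an added example in that shape, not the patent's own code: `ConsentLedgerContract` is a constructed stand-in for both the information push contract and the user information checking contract, with in-memory dictionaries in place of on-chain storage and a small fixed set of comparison operators in place of the unspecified condition format. The encryption of stored records and addresses mentioned above is not modelled.

```python
import time
from dataclasses import dataclass

@dataclass
class Record:
    """Information push record or user information call record kept on chain."""
    kind: str            # "push" or "info-call"
    system_id: str       # the pushing / calling system
    did: str             # the decentralized identity concerned
    detail: dict
    at: float

class ConsentLedgerContract:
    """Constructed stand-in for the smart contracts of Example one and Example two."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self._push_ok = set()       # (did, system_id) allowed to push to this DID
        self._info_ok = set()       # (did, system_id) allowed to check this DID's user info
        self._contacts = {}         # did -> {channel: address}
        self._user_info = {}        # did -> {field: value}
        self.records = []

    # Data the user provides to the chain (and not to the systems directly).
    def set_contacts(self, did, **by_channel):
        self._contacts[did] = dict(by_channel)
    def set_user_info(self, did, **info):
        self._user_info[did] = dict(info)
    def allow_push(self, did, system_id):
        self._push_ok.add((did, system_id))
    def allow_info_check(self, did, system_id):
        self._info_ok.add((did, system_id))
    # Masking instructions sent by the user for a DID.
    def mask_push(self, did, system_id):
        self._push_ok.discard((did, system_id))
    def mask_info(self, did, system_id):
        self._info_ok.discard((did, system_id))

    def push(self, system_id, dids, channel, message):
        """Example one: deliver `message` over `channel` to each DID that permits it.
        Returns, per DID, either 'delivered' or the prompt message for the system."""
        outcome = {}
        for did in dids:
            addr = self._contacts.get(did, {}).get(channel)
            if (did, system_id) not in self._push_ok or addr is None:
                outcome[did] = "no push authority"
                continue
            # Real delivery (SMS / e-mail gateway) would happen here; the address
            # stays inside the contract and is never returned to the system.
            outcome[did] = "delivered"
            self.records.append(Record("push", system_id, did,
                {"channel": channel, "address": addr, "message": message}, self.clock()))
        return outcome

    def check_user_info(self, system_id, did, field, op, value):
        """Example two: answer only whether `field op value` holds; raw data never leaves.
        None stands for the 'no call authority' prompt."""
        ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}
        if (did, system_id) not in self._info_ok:
            return None
        if op not in ops:
            raise ValueError("unsupported condition")
        info = self._user_info.get(did, {})
        result = field in info and ops[op](info[field], value)
        self.records.append(Record("info-call", system_id, did,
            {"condition": f"{field} {op} {value}", "result": result}, self.clock()))
        return result

    def records_for(self, did):
        """What the DID's owner (or a regulator) can look up afterwards."""
        return [r for r in self.records if r.did == did]
```

Two design points carry over to a real deployment: the contract answers the third system with a boolean and never returns the underlying attribute, and both the push address and the check result are written to a record at the moment of use, so the user can audit every access rather than trusting the system's own logs.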
FIG. 4 is a schematic swimlane flowchart corresponding to the decentralized identity based authentication methods shown in FIG. 2 and FIG. 3 according to an embodiment of the present disclosure. As shown in fig. 4, the decentralized identity based authentication process may involve execution entities such as the user-side device, the first system, the second system, the unified authentication center, and the blockchain system.
In an authentication phase at the first system, the user-side device may send an access request to the first system, and the first system may generate and send a redirection request to the unified authentication system after determining that the user-side device is in an unregistered state. If the unified authentication system determines that the global session control information corresponding to the user side device does not exist, a single sign-on page can be fed back to the user side device, so as to obtain a single sign-on request which is sent by the user side device based on the single sign-on page and contains a decentralized identity. Subsequently, the unified authentication system may generate and send a query request for the authority information of the decentralized identity to the blockchain system, where the query request may be used to query whether the first decentralized identity has an access authority for the first system.
The blockchain system can determine that the decentralized identity has access rights to the first system based on the rights information for the decentralized identity stored at the blockchain system; and sending information indicating that the first decentralized identity has access rights to the first system to the unified authentication system.
Based on the information fed back by the blockchain system, the unified authentication system may feed back to the first system information indicating that the user-side device has the access right to the first system, so that the first system may allow the user-side device to access the first system. In addition, the unified authentication system may generate global session control information corresponding to the user-side device and the decentralized identity, so as to control, based on that global session control information, the access rights of the user-side device when it accesses each system using the decentralized identity.
In the authentication phase at the second system, the user-side device may send an access request to the second system, and the second system may generate and send a redirection request to the unified authentication system after determining that the user-side device is in an unregistered state. If the unified authentication system determines, based on the global session control information, that the decentralized identity corresponding to the user-side device has the access right to the second system, it may feed back to the second system information indicating that the user-side device has the access right to the second system, so that the second system may allow the user-side device to access the second system.
Based on the same idea, the embodiment of the present specification further provides a device corresponding to the above method. Fig. 5 is a schematic structural diagram of an authentication apparatus based on decentralized identity according to an embodiment of the present disclosure and corresponding to fig. 2. As shown in fig. 5, the apparatus may include:
a first obtaining module 502, configured to obtain a verification request of an access right of a user-side device by a first system.
A second obtaining module 504, configured to obtain a decentralized identity of the user-side device based on the verification request.
A searching module 506, configured to search the permission information of the decentralized identity from the blockchain system.
A first access right determining module 508, configured to determine that the decentralized identity has an access right to the first system based on the right information.
A first feedback module 510, configured to feed back, to the first system, information indicating that the decentralized identity has an access right to the first system.
The embodiments of this specification also provide some specific embodiments of the apparatus in fig. 5, described below.
Optionally, the first obtaining module 502 may be specifically configured to:
obtain a redirection request sent by the first system, wherein the redirection request is generated by the first system after it obtains an access request to the first system from the user-side device in an unregistered state.
Optionally, the second obtaining module 504 may be specifically configured to: feed back a single sign-on page to the user-side device, and obtain the single sign-on request containing the decentralized identity that the user-side device sends based on the single sign-on page.
Optionally, the apparatus in fig. 5 may further include:
a usage right determining module, configured to determine that the user-side device has the right to use the decentralized identity.
The usage right determining module may specifically include:
a verification information acquiring unit, configured to acquire the verification information sent by the user-side device based on the private key corresponding to the decentralized identity;
a usage right determining unit, configured to determine, according to the verification information, that the user-side device has the right to use the decentralized identity.
Optionally, the apparatus in fig. 5 may further include:
a global session control information generating module, configured to generate global session control information corresponding to the decentralized identity, wherein the global session control information includes access right information of the decentralized identity to the first system;
a third obtaining module, configured to obtain a verification request of a second system for the access right of the user-side device applying the decentralized identity;
a second access right determining module, configured to determine, based on the global session control information, that the decentralized identity has an access right to the second system;
a second feedback module, configured to feed back information indicating that the decentralized identity has an access right to the second system.
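The two authentication phases described above (redirect from the first system, proof that the device may use the decentralized identity, permission lookup in the blockchain system, and a second system admitted from the global session control information) can be exercised end to end in a small simulation. The Go code below is an added example written for this page, not code from the patent or its assignee. It assumes an in-memory map as the blockchain system's permission store, an Ed25519 signature over a server-issued nonce as the "verification information" derived from the private key, and a session that snapshots the identity's access rights; the patent leaves all three unspecified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Ledger stands in for the blockchain system's permission information per DID.
type Ledger struct {
	perms map[string]map[string]bool   // DID -> systems it may access
	keys  map[string]ed25519.PublicKey // DID -> key a device must prove it controls
}

func NewLedger() *Ledger {
	return &Ledger{perms: map[string]map[string]bool{}, keys: map[string]ed25519.PublicKey{}}
}

func (l *Ledger) Register(did string, pub ed25519.PublicKey, systems ...string) {
	l.keys[did] = pub
	l.perms[did] = map[string]bool{}
	for _, s := range systems {
		l.perms[did][s] = true
	}
}

// Session is the global session control information kept per (device, DID).
type Session struct {
	DID, Device string
	Access      map[string]bool // snapshot of ledger rights (this example's assumption)
}

type AuthServer struct {
	ledger   *Ledger
	nonces   map[string][]byte   // device -> outstanding single-use challenge
	sessions map[string]*Session // opaque session id -> session
}

func NewAuthServer(l *Ledger) *AuthServer {
	return &AuthServer{ledger: l, nonces: map[string][]byte{}, sessions: map[string]*Session{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Challenge accompanies the single sign-on page; the device's signature over it
// with the DID's private key is the "verification information" of the patent.
func (a *AuthServer) Challenge(device string) []byte {
	n := randomBytes(32)
	a.nonces[device] = n
	return n
}

// FirstSystemAuth handles the redirect from the first system: prove control of
// the DID, check the ledger's permission information, create the global session.
func (a *AuthServer) FirstSystemAuth(device, did, system string, sig []byte) (string, error) {
	nonce, ok := a.nonces[device]
	if !ok {
		return "", errors.New("no outstanding challenge for device")
	}
	delete(a.nonces, device) // a challenge is accepted at most once
	pub, ok := a.ledger.keys[did]
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return "", errors.New("device did not prove control of the DID")
	}
	if !a.ledger.perms[did][system] {
		return "", fmt.Errorf("%s has no access right to %s", did, system)
	}
	access := map[string]bool{}
	for s, v := range a.ledger.perms[did] {
		access[s] = v
	}
	sid := hex.EncodeToString(randomBytes(16))
	a.sessions[sid] = &Session{DID: did, Device: device, Access: access}
	return sid, nil
}

// SecondSystemAuth handles a later redirect: the decision comes from the global
// session control information alone, bound to the same device.
func (a *AuthServer) SecondSystemAuth(sid, device, system string) bool {
	s, ok := a.sessions[sid]
	return ok && s.Device == device && s.Access[system]
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ledger := NewLedger()
	ledger.Register("did:example:alice", pub, "system-1", "system-2")
	auth := NewAuthServer(ledger)
	sid, err := auth.FirstSystemAuth("device-A", "did:example:alice", "system-1", ed25519.Sign(priv, auth.Challenge("device-A")))
	fmt.Println(err == nil, auth.SecondSystemAuth(sid, "device-A", "system-2"))
}
```

Two details matter for a defender reading the flow: the challenge is deleted the moment it is checked, so a captured signature cannot be replayed against a later redirect, and the session is bound to the device that completed the key proof, so a leaked session id presented from another device is refused. Because the session snapshots rights at first sign-on, a permission revoked on chain afterwards is not seen until the session ends; re-querying the ledger at each second-system check trades one lookup for immediate revocation.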
Based on the same idea, the embodiment of the present specification further provides a device corresponding to the above method. Fig. 6 is a schematic structural diagram of an authentication apparatus based on decentralized identity according to an embodiment of the present disclosure and corresponding to fig. 3. As shown in fig. 6, the apparatus may include:
a first obtaining module 602, configured to enable the blockchain system to obtain a query request for permission information of a first decentralized identity sent by the unified authentication system; the query request is used for querying whether the first decentralized identity has access right to the first system.
An access permission determination module 604, configured to determine that the first decentralized identity has an access permission to the first system based on permission information of the first decentralized identity stored by the blockchain system.
A first sending module 606, configured to send, to the unified authentication system, information indicating that the first decentralized identity has an access right to the first system.
The embodiments of this specification also provide some specific embodiments of the apparatus in fig. 6, described below.
Optionally, the apparatus in fig. 6 may further include:
a second obtaining module, configured to obtain an information push request containing a second decentralized identity, sent by a second system in the form of a smart contract;
a communication address determining module, configured to determine, based on the contact method specified in the smart contract, the communication address of each second decentralized identity under that contact method;
an information push request executing module, configured to execute the information push request according to the communication address;
an information push record generating module, configured to generate an information push record for each second decentralized identity according to the information pushed to the communication address of that second decentralized identity;
a first storage module, configured to store the information push record to the blockchain system.
Optionally, the apparatus in fig. 6 may further include:
a third obtaining module, configured to obtain a push information shielding instruction for the second system, sent by the user based on any one of the second decentralized identities;
a first permission shielding module, configured to shield, in the blockchain system, the information push permission of the second system for that second decentralized identity, based on the push information shielding instruction.
Optionally, the apparatus in fig. 6 may further include:
a fourth obtaining module, configured to obtain a user information verification request containing a third decentralized identity, sent by a third system in the form of a smart contract;
a checking module, configured to check, based on the user information of decentralized identities stored in the blockchain system, whether the user information of the third decentralized identity meets the condition in the user information verification request, so as to obtain a check result;
a second sending module, configured to send the check result to the third system;
a user information call record generating module, configured to generate a user information call record for the third decentralized identity according to the checking process of the user information of the third decentralized identity;
a second storage module, configured to store the user information call record to the blockchain system.
Optionally, the apparatus in fig. 6 may further include:
a fifth obtaining module, configured to obtain a privacy information shielding instruction for the third system, sent by the user based on the third decentralized identity;
a second permission shielding module, configured to shield, in the blockchain system, the user information calling permission of the third system for the third decentralized identity, based on the privacy information shielding instruction.
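The blockchain-side modules above describe three behaviours that the text leaves to the implementer: resolving a push request's contact method into per-identity communication addresses, evaluating a third system's verification condition against stored user information while returning only the check result, and honouring a user's shielding instruction per calling system while writing a record of every push or check. The Go code below is an added example written for this page, not the patent's own implementation; the smart-contract requests are plain structs, the condition is reduced to an "attribute at least N" test, and "stored to the blockchain system" is an in-memory slice, all assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

// UserInfo is the on-chain user information bound to a decentralized identity
// (DID): addresses per contact method, and attributes a third system may have
// checked without receiving their values. Constructed sample model.
type UserInfo struct {
	Contacts map[string]string // contact method -> address, e.g. "email"
	Attrs    map[string]int    // attribute -> value, e.g. "age"
}

// Record is the audit entry stored on chain for each push or check.
type Record struct {
	Kind, System, DID, Detail string
}

// Chain models the node side: user information, user-set masks keyed by
// (DID, calling system, permission kind), and the append-only record list.
type Chain struct {
	users   map[string]*UserInfo
	masked  map[string]bool
	Records []Record
}

const (
	PermPush   = "push"   // a system's right to push information to a DID
	PermVerify = "verify" // a system's right to have a DID's information checked
)

func NewChain() *Chain {
	return &Chain{users: map[string]*UserInfo{}, masked: map[string]bool{}}
}

func (c *Chain) AddUser(did string, u *UserInfo) { c.users[did] = u }

func maskKey(did, system, kind string) string { return did + "|" + system + "|" + kind }

// Mask applies a user's shielding instruction: system loses kind for did. The
// push-information mask and the privacy-information mask are both this call.
func (c *Chain) Mask(did, system, kind string) { c.masked[maskKey(did, system, kind)] = true }

func (c *Chain) permitted(did, system, kind string) bool {
	return !c.masked[maskKey(did, system, kind)]
}

// PushRequest is the information push request a second system submits as a
// smart contract: the contact method to use, the message, and the DIDs to reach.
type PushRequest struct {
	System, Contact, Message string
	DIDs                     []string
}

// ExecutePush resolves each DID's address under the requested contact method,
// skips DIDs whose user has masked this system, and writes one push record per
// delivery. It returns the addresses delivered to; the transport is out of scope.
func (c *Chain) ExecutePush(req PushRequest) map[string]string {
	delivered := map[string]string{}
	for _, did := range req.DIDs {
		u, ok := c.users[did]
		if !ok || !c.permitted(did, req.System, PermPush) {
			continue
		}
		addr, ok := u.Contacts[req.Contact]
		if !ok {
			continue
		}
		delivered[did] = addr
		c.Records = append(c.Records, Record{PermPush, req.System, did, fmt.Sprintf("%s:%s %q", req.Contact, addr, req.Message)})
	}
	return delivered
}

// VerifyRequest is the user information verification request a third system
// submits as a smart contract. "Attr >= Min" is this example's stand-in for the
// patent's unspecified condition.
type VerifyRequest struct {
	System, DID, Attr string
	Min               int
}

// Verify evaluates the condition on the chain's copy of the user information and
// returns only the boolean result, never the value; each permitted check leaves
// a user-information call record.
func (c *Chain) Verify(req VerifyRequest) (bool, error) {
	u, ok := c.users[req.DID]
	if !ok {
		return false, errors.New("unknown DID")
	}
	if !c.permitted(req.DID, req.System, PermVerify) {
		return false, fmt.Errorf("%s has no user-information calling right for %s", req.System, req.DID)
	}
	v, ok := u.Attrs[req.Attr]
	c.Records = append(c.Records, Record{PermVerify, req.System, req.DID, fmt.Sprintf("%s>=%d", req.Attr, req.Min)})
	return ok && v >= req.Min, nil
}
```

The mask is scoped to one calling system and one permission kind, so shielding a second system's pushes leaves other systems' pushes and the third system's verification right untouched, which matches the separate push and privacy shielding modules above. Returning only the boolean from Verify is what keeps the third system from learning the attribute value itself.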
Based on the same idea, the embodiment of the present specification further provides a device corresponding to the above method.
Fig. 7 is a schematic structural diagram of an authentication device based on decentralized identity according to an embodiment of the present disclosure and corresponding to fig. 2. As shown in fig. 7, the device 700 may include:
at least one processor 710; and
a memory 730 communicatively coupled to the at least one processor; wherein
the memory 730 stores instructions 720 executable by the at least one processor 710 to enable the at least one processor 710 to:
acquire a verification request of a first system for the access right of a user-side device;
acquire, based on the verification request, a decentralized identity of the user-side device;
search the permission information of the decentralized identity from the blockchain system;
determine, based on the permission information, that the decentralized identity has an access right to the first system;
feed back, to the first system, information indicating that the decentralized identity has an access right to the first system.
Based on the same idea, the embodiment of the present specification further provides a device corresponding to the above method.
Fig. 8 is a schematic structural diagram of an authentication device based on decentralized identity, corresponding to fig. 3, provided in an embodiment of the present specification. As shown in fig. 8, the device 800 may be a node device of a blockchain system, and the device 800 may include:
at least one processor 810; and
a memory 830 communicatively coupled to the at least one processor; wherein
the memory 830 stores instructions 820 executable by the at least one processor 810 to enable the at least one processor 810 to:
acquire a query request for the permission information of a first decentralized identity, sent by a unified authentication system; the query request is used for querying whether the first decentralized identity has an access right to a first system;
determine, based on the permission information of the first decentralized identity stored by the blockchain system, that the first decentralized identity has an access right to the first system;
send, to the unified authentication system, information indicating that the first decentralized identity has an access right to the first system.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatuses shown in fig. 7 and 8, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the partial description of the method embodiments.
In the 1990s, improvements to a technology could clearly be distinguished as improvements in hardware (e.g., improvements to circuit structures such as diodes, transistors, switches, etc.) or improvements in software (improvements to method flows). However, as technology advances, many of today's method flow improvements may be seen as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. Thus, it cannot be said that an improvement in a method flow cannot be realized by hardware entity modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user's programming of the device. A digital system is "integrated" on a PLD by the designer's own programming, without requiring the chip manufacturer to design and fabricate a dedicated integrated circuit chip. Furthermore, nowadays, instead of manually manufacturing an integrated circuit chip, such programming is mostly implemented with "logic compiler" software, which is similar to a software compiler used in program development, but the source code before compiling is written in a specific programming language called a Hardware Description Language (HDL). There is not only one kind of HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor and a computer readable medium that stores computer readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320; the memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely as computer readable program code, the same functionality can be implemented by logically programming the method steps such that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be regarded as a hardware component, and the means for performing the various functions included therein may also be regarded as structures within the hardware component. Or even the means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises that element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (25)

1. An authentication method based on decentralized identity, comprising:
acquiring a verification request of a first system for the access right of a user-side device;
acquiring, based on the verification request, a decentralized identity of the user-side device;
searching the permission information of the decentralized identity from a blockchain system;
determining, based on the permission information, that the decentralized identity has an access right to the first system;
feeding back, to the first system, information indicating that the decentralized identity has an access right to the first system.
2. The method according to claim 1, wherein the obtaining of the verification request of the first system for the access right of the user-side device specifically includes:
acquiring a redirection request sent by the first system, wherein the redirection request is generated after the first system acquires an access request to the first system from the user-side device in an unregistered state.
3. The method according to claim 1, wherein the obtaining of the decentralized identity of the user-side device specifically includes:
feeding back a single sign-on page to the user-side device;
acquiring the single sign-on request containing the decentralized identity, sent by the user-side device based on the single sign-on page.
4. The method of claim 1, after obtaining the decentralized identity of the user-side device, further comprising:
determining that the user-side device has the right to use the decentralized identity.
5. The method according to claim 4, wherein the determining that the user-side device has the right to use the decentralized identity specifically includes:
obtaining verification information sent by the user-side device based on a private key corresponding to the decentralized identity;
determining, according to the verification information, that the user-side device has the right to use the decentralized identity.
6. The method of claim 1, after determining that the decentralized identity has access to the first system, further comprising:
generating global session control information corresponding to the decentralized identity, wherein the global session control information comprises access authority information of the decentralized identity to the first system.
7. The method of claim 6, after generating the global session control information corresponding to the decentralized identity, further comprising:
acquiring a verification request of a second system for the access authority of the user side equipment applying the decentralized identity;
determining, based on the global session control information, that the decentralized identity has access to the second system;
feeding back information to the second system indicating that the decentralized identity has access rights to the second system.
8. An authentication method based on decentralized identity, comprising:
a blockchain system acquiring a query request for the permission information of a first decentralized identity, sent by a unified authentication system; the query request is used for querying whether the first decentralized identity has an access right to a first system;
determining, based on the permission information of the first decentralized identity stored by the blockchain system, that the first decentralized identity has an access right to the first system;
sending, to the unified authentication system, information indicating that the first decentralized identity has an access right to the first system.
9. The method of claim 8, further comprising:
acquiring an information push request containing a second decentralized identity, sent by a second system in the form of a smart contract;
determining, based on the contact method specified in the smart contract, the communication address of each second decentralized identity under that contact method;
executing the information push request according to the communication address.
10. The method of claim 9, further comprising, after the executing the information push request according to the communication address:
generating an information push record for each second decentralized identity according to the information pushed to the communication address of that second decentralized identity;
storing the information push record to the blockchain system.
11. The method of claim 9 or 10, further comprising:
acquiring a push information shielding instruction for the second system, sent by a user based on any one second decentralized identity;
shielding, in the blockchain system, the information push permission of the second system for that second decentralized identity, based on the push information shielding instruction.
12. The method of claim 8, further comprising:
acquiring a user information verification request containing a third decentralized identity, sent by a third system in the form of a smart contract;
checking, based on the user information of decentralized identities stored in the blockchain system, whether the user information of the third decentralized identity meets the condition in the user information verification request, so as to obtain a check result;
sending the check result to the third system.
13. The method of claim 12, after acquiring the user information verification request containing the third decentralized identity sent by the third system in the form of the smart contract, further comprising:
generating a user information call record for the third decentralized identity according to the checking process of the user information of the third decentralized identity;
storing the user information call record to the blockchain system.
14. The method of claim 12 or 13, further comprising:
acquiring a privacy information shielding instruction for the third system, sent by a user based on the third decentralized identity;
shielding, in the blockchain system, the user information calling permission of the third system for the third decentralized identity, based on the privacy information shielding instruction.
15. An authentication apparatus based on decentralized identity, comprising:
a first obtaining module, configured to obtain a verification request of a first system for the access right of a user-side device;
a second obtaining module, configured to obtain, based on the verification request, a decentralized identity of the user-side device;
a searching module, configured to search the permission information of the decentralized identity from a blockchain system;
a first access permission determination module, configured to determine, based on the permission information, that the decentralized identity has an access right to the first system;
a first feedback module, configured to feed back, to the first system, information indicating that the decentralized identity has an access right to the first system.
16. The apparatus of claim 15, wherein the first obtaining module is specifically configured to:
acquire a redirection request sent by the first system, wherein the redirection request is generated by the first system after it acquires an access request to the first system from the user-side device in an unregistered state.
17. The apparatus according to claim 15, wherein the second obtaining module is specifically configured to:
feed back a single sign-on page to the user-side device;
acquire the single sign-on request containing the decentralized identity, sent by the user-side device based on the single sign-on page.
18. The apparatus of claim 15, further comprising:
a global session control information generating module, configured to generate global session control information corresponding to the decentralized identity, where the global session control information includes access right information of the decentralized identity to the first system;
a third obtaining module, configured to obtain a verification request of an access right of a user-side device to which the decentralized identity is applied by a second system;
a second access permission determination module, configured to determine, based on the global session control information, that the decentralized identity has access permission to the second system;
a second feedback module for feeding back information indicating that the decentralized identity has access rights to the second system.
19. An authentication apparatus based on decentralized identity, comprising:
a first obtaining module, configured to enable a blockchain system to acquire a query request for the permission information of a first decentralized identity, sent by a unified authentication system; the query request is used for querying whether the first decentralized identity has an access right to a first system;
an access permission determination module, configured to determine that the first decentralized identity has an access permission to the first system based on permission information of the first decentralized identity stored in the blockchain system;
a first sending module, configured to send, to the unified authentication system, information indicating that the first decentralized identity has an access right to the first system.
20. The apparatus of claim 19, further comprising:
a second obtaining module, configured to obtain an information push request containing a second decentralized identity, sent by a second system in the form of a smart contract;
a communication address determination module, configured to determine, based on the contact method specified in the smart contract, the communication address of each second decentralized identity under that contact method;
an information push request executing module, configured to execute the information push request according to the communication address;
an information push record generating module, configured to generate an information push record for each second decentralized identity according to the information pushed to the communication address of that second decentralized identity;
a first storage module, configured to store the information push record to the blockchain system.
21. The apparatus of claim 20, further comprising:
a third obtaining module, configured to obtain a push information shielding instruction for the second system, where the push information shielding instruction is sent by a user based on any one of the second decentralized identities;
a first permission shielding module, configured to shield, in the blockchain system, the information push permission of the second system for that second decentralized identity, based on the push information shielding instruction.
22. The apparatus of claim 19, further comprising:
a fourth obtaining module, configured to obtain a user information verification request containing a third decentralized identity, sent by a third system in the form of a smart contract;
a checking module, configured to check, based on the user information of decentralized identities stored in the blockchain system, whether the user information of the third decentralized identity meets the condition in the user information verification request, so as to obtain a check result;
a second sending module, configured to send the check result to the third system;
a user information call record generation module, configured to generate a user information call record for the third decentralized identity according to the checking process of the user information of the third decentralized identity;
a second storage module, configured to store the user information call record to the blockchain system.
23. The apparatus of claim 22, further comprising:
a fifth acquisition module, configured to acquire a privacy information shielding instruction for the third system, the instruction being sent by the user on the basis of the third decentralized identity; and
a second permission shielding module, configured to shield, in the blockchain system, the third system's user information call permission for the third decentralized identity, based on the privacy information shielding instruction.
24. An authentication device based on decentralized identity, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquire a verification request from a first system for the access authority of user side equipment;
acquire, based on the verification request, a decentralized identity of the user side equipment;
look up the authority information of the decentralized identity in a blockchain system;
determine, based on the authority information, that the decentralized identity has access rights to the first system; and
feed back to the first system information indicating that the decentralized identity has access rights to the first system.
25. An authentication apparatus based on decentralized identity, the apparatus being a node apparatus of a blockchain system, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquire a query request, sent by a unified authentication system, for the authority information of a first decentralized identity, the query request being used to query whether the first decentralized identity has access rights to a first system;
determine, based on the authority information of the first decentralized identity stored by the blockchain system, that the first decentralized identity has access rights to the first system; and
send, to the unified authentication system, information indicating that the first decentralized identity has access rights to the first system.
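As an added illustration (not code from the patent or its assignee), a minimal Python model of the flow in claims 20, 21, 24 and 25: a stand-in ledger holds each DID's authority information and contact addresses, the unified authentication system answers access verification requests from it, executes a push request against each DID's address on the named contact channel, writes one push record per DID to the ledger, and honours a user's shielding instruction. All class names, DIDs, system names and addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class BlockchainStub:
    """In-memory stand-in for the blockchain system (constructed for this example)."""
    access: Dict[str, Set[str]] = field(default_factory=dict)         # DID -> systems it may access
    contacts: Dict[str, Dict[str, str]] = field(default_factory=dict)  # DID -> {contact channel: address}
    push_blocked: Set[Tuple[str, str]] = field(default_factory=set)   # (system, DID) pairs shielded by the user
    records: List[dict] = field(default_factory=list)                 # on-chain information push records

    def permissions_of(self, did: str) -> Set[str]:  # claim 25: node answers the authority query
        return self.access.get(did, set())


class UnifiedAuth:
    def __init__(self, chain: BlockchainStub) -> None:
        self.chain = chain

    def verify_access(self, request: dict) -> dict:  # claim 24: look up authority info, feed back decision
        did, system = request["did"], request["system"]
        return {"did": did, "system": system, "has_access": system in self.chain.permissions_of(did)}

    def shield_push(self, did: str, system: str) -> None:  # claim 21: user blocks a system's push permission
        self.chain.push_blocked.add((system, did))

    def execute_push(self, system: str, dids: List[str], channel: str, message: str) -> List[str]:
        """Claim 20: resolve each DID's address on the named channel, push, and record on chain."""
        delivered = []
        for did in dids:
            address = self.chain.contacts.get(did, {}).get(channel)
            if (system, did) in self.chain.push_blocked or address is None:
                continue  # shielded or unreachable: nothing is pushed and nothing is recorded
            delivered.append(address)
            self.chain.records.append({"system": system, "did": did, "channel": channel, "message": message})
        return delivered


def demo() -> Tuple[bool, bool, List[str], int]:
    # Constructed sample data: Alice may access sys-1, Bob may not; both have an email contact.
    chain = BlockchainStub(access={"did:example:alice": {"sys-1"}},
                           contacts={"did:example:alice": {"email": "alice@example.test"},
                                     "did:example:bob": {"email": "bob@example.test"}})
    auth = UnifiedAuth(chain)
    alice_ok = auth.verify_access({"did": "did:example:alice", "system": "sys-1"})["has_access"]
    bob_ok = auth.verify_access({"did": "did:example:bob", "system": "sys-1"})["has_access"]
    auth.shield_push("did:example:bob", "sys-2")  # Bob opts out of sys-2's pushes
    delivered = auth.execute_push("sys-2", ["did:example:alice", "did:example:bob"], "email", "hi")
    return alice_ok, bob_ok, delivered, len(chain.records)
```

Note that a shielded DID produces neither a delivery nor a push record, so the on-chain record set only ever reflects pushes the user's permissions allowed.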
CN202211260037.9A 2022-10-14 2022-10-14 Authentication method, device and equipment based on decentralized identity Pending CN115766018A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211260037.9A CN115766018A (en) 2022-10-14 2022-10-14 Authentication method, device and equipment based on decentralized identity

Publications (1)

Publication Number Publication Date
CN115766018A true CN115766018A (en) 2023-03-07

Family

ID=85351534

Country Status (1)

Country Link
CN (1) CN115766018A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination