CN116112232A - Login authentication method and system based on multiple authentication modes - Google Patents


Info

Publication number
CN116112232A
Authority
CN
China
Prior art keywords
platform
authentication
request
encryption
parameters
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211742008.6A
Other languages
Chinese (zh)
Inventor
乔北京
张仁田
张挚庸
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Credit Information Co ltd
Original Assignee
Shandong Credit Information Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Credit Information Co ltd
Priority to CN202211742008.6A
Publication of CN116112232A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses a login authentication method and system based on multiple authentication modes. The method comprises the following steps: the front end of the platform to be accessed requests the back-end authentication service to obtain encryption parameters and a signature, the back end splices the request address and returns it to the front end of the platform to be accessed, and the front end resolves the address and jumps to the login verification page of the docking (target) platform; the front end of the docking platform passes the encryption parameters carried in the address to its back end, which requests the authentication service and returns the result; and the docking platform obtains the result of the authentication service, obtains the user information when authentication passes, and jumps to the post-login page of the docking platform. The method realizes login authentication of multiple independent platforms in multiple authentication modes, has wide applicability, performs security verification with multiple combined keys and multiple encryption modes, and protects the information exchanged in the process.

Description

Login authentication method and system based on multiple authentication modes
Technical Field
The invention relates to a login authentication method and a login authentication system based on multiple authentication modes, and belongs to the technical field of network communication.
Background
For platform and system login authentication, single sign-on currently has two architectures, centralized verification and multipoint verification, implemented by the following techniques. (1) Session broadcasting: after a user logs in to one system, the session information is copied to the other services; this causes data redundancy, wastes resources, is inefficient, and the copied information may even conflict. (2) Proxy login (agent): login authentication is performed through an intermediate proxy service, mainly for legacy systems that cannot be modified; stability is poor, since if one server fails to respond during login, single sign-on to that server fails; security is poor, since the user name and password are transmitted in plaintext; because the response of every system must be monitored during login, large-scale use is not recommended or login performance suffers; and because of IE security restrictions, proxy login must run in the same domain. (3) Token (token ring): the current user information is passed by sharing the token in a cookie, which achieves SSO but has a cross-domain problem, since every application server must be in the same domain.
(4) Identity ticket: a trusted verification server must be added; this fully addresses ticket storage, verification trust, scope of application and security, and is the most widely used web SSO approach. One implementation is CAS, a framework for SSO based on Kerberos-style tickets: an authentication center is required, global tickets are obtained from it, each system must be registered with the authentication center and log in uniformly through it, and the other systems obtain unified authentication from it; a verification server therefore has to be added and must operate stably under high load.
Because some municipal platforms have been in operation for several years, the impact on the existing municipal systems must be minimized: the original system should be extended as far as possible, its current normal use must not be affected, and the implementation logic and the user-related fields of different cities may differ considerably, so login authentication cannot be forced into one identical authentication mode. Existing systems widely use CAS (Central Authentication Service), but transforming the provincial platform and the municipal platforms on the basis of CAS is complex and the applicability is poor, so the requirement that existing systems use a unified authentication service while supporting multiple authentication modes cannot be met.
Disclosure of Invention
In order to solve the problems, the invention provides a login authentication method and a login authentication system based on multiple authentication modes, which can realize login authentication docking of a platform through the multiple authentication modes and ensure the security of the system.
The technical scheme adopted for solving the technical problems is as follows:
In one aspect, the login authentication method based on multiple authentication modes provided by an embodiment of the invention comprises the following steps:
the front end of the platform to be accessed requests the back-end authentication service to obtain the encryption parameters and signature, the request address is spliced and returned to the front end of the platform to be accessed, and the front end of the platform to be accessed resolves the address and jumps to the login verification page of the docking platform;
the front end of the docking platform passes the encryption parameters carried in the address to its back end, which requests the authentication service and returns the result;
and the docking platform obtains the result of the authentication service, obtains the user information when authentication passes, and jumps to the post-login page of the docking platform.
As a possible implementation manner of this embodiment, the step in which the front end of the platform to be accessed requests the back-end authentication service to obtain the encryption parameters and signature, splices the request address, and returns it to the front end of the platform to be accessed includes:
the front end of the platform to be accessed carries the unique identification information of the user and requests the back-end authentication interface;
the back end obtains the relevant user information and the corresponding authentication information from the unique user identification and passes them as parameters of a request to the authentication platform;
the authentication platform generates the encryption parameters, calculates the signature and returns them;
and the platform to be accessed obtains the encrypted string and the signature, splices the complete request address according to the agreed rule, and returns it to its front end.
As a possible implementation manner of this embodiment, the step in which the authentication platform generates the encryption parameters, calculates the signature, and returns them includes:
the authentication platform splices the request string in JSON format and generates an encrypted string with the encryption algorithm;
according to the parameters and parameter order negotiated in advance between the access platform and the docking platform, the appSecret issued to the access platform by the authentication platform is appended, a timestamp in readable time format is added, and the signature is calculated with the agreed signature algorithm and returned.
As a possible implementation manner of this embodiment, the step in which the front end of the docking platform passes the encryption parameters carried in the address to the back end, which requests the authentication service and returns the result, includes:
the front end of the docking platform receives the request, assembles the parameters carried in the address, and requests the back-end login authentication interface;
the back end of the docking platform calls the authentication interface of the authentication platform with the assembled parameters;
the authentication platform decrypts the parameters, verifies the signature and the timestamp, and returns the authentication result.
As a possible implementation manner of this embodiment, the step in which the authentication platform decrypts the parameters, verifies the signature and the timestamp, and returns the authentication result includes:
obtaining the appId assigned by the authentication service and, from the appId, the key information of the corresponding platform;
obtaining the configuration parameters of the corresponding platform from the appId and recalculating the signature according to the parameters and parameter order agreed between the platform to be accessed and the docking platform;
comparing the recalculated signature with the signature carried by the request; if they are identical, the signature carried by the request is correct;
calculating the difference between the request initiation time and the current time; if it exceeds the configured value, the request is considered invalid.
As a possible implementation manner of this embodiment, the process in which the front end of the platform to be accessed requests the back-end authentication service to obtain the encryption parameters and signature supports multiple encryption modes, including at least the symmetric ciphers AES and SM4, the asymmetric cipher RSA, and MD5 (a hash function, which the patent lists among its encryption modes); before docking, the two platforms must agree on the encryption mode and write it into the configuration file.
As a possible implementation manner of this embodiment, the same process supports encryption of multiple fields; the supported fields include at least the account appId and key appSecret assigned by the authentication service, the platform user account, the user id, the request timestamp, the request parameters, the request signature, the request unique identifier, and the encryption type, where appId and appSecret are a pair of associated parameters assigned together by the authentication service.
As a possible implementation manner of this embodiment, the same process supports ordering of multiple fields: at least 3 fields are selected, they may be placed in any order, and the fields to be signed and their order must be confirmed in advance and written into the configuration file.
In another aspect, the login authentication system based on multiple authentication modes provided by an embodiment of the invention comprises:
a request module, by which the front end of the platform to be accessed requests the back-end authentication service to obtain the encryption parameters and signature, the request address is spliced and returned to the front end of the platform to be accessed, and the front end of the platform to be accessed resolves the address and jumps to the login verification page of the docking platform;
a docking module, by which the front end of the docking platform passes the encryption parameters carried in the address to its back end, which requests the authentication service and returns the result;
and a login module, by which the docking platform obtains the result of the authentication service, obtains the user information when authentication passes, and jumps to the post-login page of the docking platform.
As a possible implementation manner of this embodiment, the authentication service supports 1 to n authentication modes; the login authentication system selects a configuration file according to the platform feature code to determine the authentication mode of that platform, decrypts according to the selected authentication mode, and verifies whether the parameters are correct.
The technical scheme of the embodiment of the invention has the following beneficial effects:
the invention supports multiple encryption modes and multiple fields, and can have multiple encryption algorithms by selecting the encryption modes and the encrypted fields and the arrangement sequence of the fields, thereby ensuring the security of the system.
The invention has flexible and changeable docking modes, strong applicability, relatively simple transformation and expansion of the original platform, and can only call login authentication service according to a general interface without affecting the original business logic, and the docking modes are flexible and changeable, can meet the requirements of each docking system, can be suitable for docking of provincial and urban platforms and can also be suitable for docking of platforms of the same level
The invention supports a plurality of configuration modes, supports configuration files and database configuration, and uses different authentication modes according to the field application environment; the deployment is simple, the authentication service can be directly started as long as the related parameters are configured according to the configuration file, the authentication service is not required to be restarted when the modification parameters are added, the configuration file parameters are queried through the parameter version numbers and compared with the original parameters, and if the update is based on the latest version.
The method realizes login authentication of multiple authentication modes of multiple independent platforms, has strong applicability, performs security verification of multiple combined secret keys and multiple encryption modes, and ensures the security of information in the process.
Drawings
FIG. 1 is a flow chart illustrating a login authentication method based on multiple authentication approaches, according to an exemplary embodiment;
fig. 2 is a schematic diagram illustrating a login authentication system based on multiple authentication methods according to an exemplary embodiment.
FIG. 3 is a flow chart illustrating a municipal platform logging in to the provincial platform using the method of the present invention, according to an exemplary embodiment;
FIG. 4 is a flow chart illustrating the provincial platform logging in to a municipal platform using the method of the present invention, according to an exemplary embodiment.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
in order to clearly illustrate the technical features of the present solution, the present invention will be described in detail below with reference to the following detailed description and the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different structures of the invention. In order to simplify the present disclosure, components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and processes are omitted so as to not unnecessarily obscure the present invention.
As shown in fig. 1, the login authentication method based on multiple authentication modes provided by the embodiment of the invention comprises the three steps, and the possible implementations of each step, set out in the Disclosure of Invention above.
As shown in fig. 2, the login authentication system based on multiple authentication modes provided by the embodiment of the invention comprises the request module, the docking module and the login module set out in the Disclosure of Invention above, with the authentication service supporting 1 to n authentication modes selected per platform from the configuration file by the platform feature code.
As shown in fig. 3, the process of a municipal platform logging in to the provincial platform includes the following steps:
For security, to prevent information leakage during transmission over the Internet, the authentication service is deployed on a server reachable by the back-end services of each platform; its services and interfaces are not exposed externally. To further tighten access, the authentication service uses a whitelist and accepts connections only from specific IP addresses. A further advantage is that the service need not be stopped to change parameters: only the configuration file is modified (the configuration is first looked up in the cache; if it is not found there, the file specified by the parameters is read; if that also fails, the failure is logged). The detailed business flow is as follows:
step 1: the front end of the municipal platform requests the back end authentication service to acquire encryption parameters and signatures, the request address is spliced and returned to the front end of the municipal platform, and the front end of the municipal platform skips the login verification page of the municipal platform after resolving the address.
Firstly, carrying a user sessionId at the front end of a city, and requesting a back-end authentication interface of the city;
secondly, the ground city back-end service obtains the information of the current login user according to the sessionId, obtains an account number account of a provincial platform corresponding to the account number, and then uses the parameters as an authentication service for a request of the login according to the app Id distributed by the authentication service;
thirdly, the city authentication service splices the request character string in json format and encrypts the request character string in base64 to generate the request JsonString according to the parameters (request character string, provincial platform account number, timestamp, secret key) and the ordering of the parameters well defined by the provincial platform, the city service platform requests the secret key appSecret of the authentication service, and adds the timestamp in readable time format, such as '2022-09-22:30:59', and uses md5 to calculate the signature and returns according to the following method:
$sign=md5(base64.encode($requestJsonString)+$account+$timestamp+$appSecret)
fourthly, the ground city platform obtains the encryption character string reqString and the signature sign, judges whether the user role type is enterprise user or financial institution user (financial institution: enterprise) and splices the complete request address according to the following rules: the { province platform address }/sso-loginreqString = $ { reqString } & sign = $ { sign } & sign type=md 5& roletype=finish & auth=t and return to the city front end;
and fifthly, the front end of the city directly jumps to the provincial platform verification page after resolving to the complete address according to the parameters returned by the interface.
Step 2: the front end of the provincial platform passes the encryption parameters carried in the address to its back end, which requests the authentication service and returns the result.
First, on receiving the request, the provincial front end assembles the parameters carried in the address and requests the provincial back-end login authentication interface;
second, the provincial back-end service calls the authentication interface of the authentication service with those parameters;
third, the authentication service decrypts the parameters and obtains the appId assigned to the municipal platform; from the appId it obtains the key and the configuration parameters of that city, recalculates the signature according to the parameters and parameter order agreed with the municipal platform, and compares the recalculated signature with the one carried by the request; if they match, the signature is correct. It then calculates the difference between the request initiation time and the current time; if the difference exceeds the configured value (default 5 minutes), the request is treated as invalid even though the signature matched. After checking both the signature and the timestamp, it returns whether authentication passed.
Step 3: and the provincial level platform acquires the result of the authentication service, acquires the user information when the authentication is passed, and jumps to the page after the provincial level platform logs in.
And if the sessionId exists, the front end of the provincial platform calls the rear end interface of the provincial platform to acquire user information and jumps to a designated logged page.
As shown in Fig. 4, the process of the provincial platform logging in to a city platform includes the following steps:
Because the login implementations of the city platforms all differ, the provincial platform acts as the convergence center and provides a set of adaptation schemes, and each city platform performs its own authentication login according to the adaptation scheme:
Step 1: the provincial platform front end requests the back-end authentication service to obtain the encryption parameters and signature; the back end splices the request address and returns it to the provincial platform front end, which parses the address and jumps to the city platform login verification page.
Firstly, the provincial front end carries the user sessionId, the account number account and the identifier platform of the city platform to be logged in, and requests the provincial back-end authentication interface;
Secondly, the provincial back-end service obtains the appId of the corresponding city according to the city platform identifier platform, and passes the parameters to the authentication service as the request;
Thirdly, the provincial authentication service splices the request string in json format from the parameters and base64-encodes it to generate the request string requestJsonString; then, according to the parameters negotiated between the provincial and city platforms (authentication service id, provincial platform account number, sessionId, timestamp, secret key) and their agreed ordering, using the secret key appSecret with which the provincial platform requests the authentication service and a timestamp in readable time format such as '2022-09-22 08:30:59', it calculates the signature with md5 as follows and returns it:
$sign=md5($appId+$account+$sessionId+$timestamp+$appSecret)
Fourthly, the provincial platform obtains the encryption string reqString and the signature sign, splices the complete request address according to the following rule: ?reqString={requestJsonString}&sign={sign}, and returns it to the provincial front end;
Fifthly, the provincial front end parses the complete address from the parameters returned by the interface and jumps directly to the city platform verification page.
Step 2: the front end of the city platform passes the encryption parameters carried by the address to the back end, which requests the authentication service and returns the result.
Firstly, after the front end of the city platform receives the request, it assembles the parameters carried by the address and requests the login authentication interface of the city background;
Secondly, the city background service calls the authentication interface of the authentication service with the request parameters;
Thirdly, the authentication service decrypts the parameters, obtains the appId of the authentication service, obtains the key information and the configuration parameter information of the corresponding city according to the appId, recalculates the signature according to the parameters and the parameter ordering agreed with the provincial platform, and compares the recalculated signature with the signature carried by the request; if they are consistent, the request is proved correct. It then calculates the difference between the request initiation time and the current time; if the difference exceeds a set value (default 5 minutes), the request is still considered invalid. After checking the signature and the timestamp, it returns whether the authentication passes.
Step 3: the city platform obtains the result of the authentication service, obtains the user information when the authentication passes, and jumps to the logged-in page of the city platform.
Firstly, if the result of the authentication service is a pass, the account information interface of the provincial open platform is called with the request parameter sessionId to obtain the user information of the provincial platform;
Secondly, the user's related information on the city platform is checked against the user information returned by the provincial platform, using fields such as the account number and the unified social credit code; if the check passes, the user is automatically logged in to the city platform and jumps to its home page.
As shown in Table 1, the method of the invention can use various association fields (any one of which may be chosen): it supports associating the users of the two platforms by unique elements such as identity card number, mobile phone number or platform account number, and can also associate the same user's information across the two platforms through non-common fields (intermediate mapping fields).
Table 1 association information
As shown in Table 2, the encryption used when the front end of the platform to be accessed requests the back-end authentication service for encryption parameters and a signature supports multiple encryption modes, multi-field encryption and multi-field ordering:
The encryption modes supported by the method include symmetric encryption (AES, SM4), asymmetric encryption (RSA) and other algorithms such as md5. Before docking, both platforms must confirm the encryption mode to be used and write it into the configuration file (database); otherwise verification fails because the two sides use different encryption modes.
The method supports multi-field encryption. Some city platforms are already in use and cannot provide certain required fields according to a unified requirement, so encryption can be carried out over fields agreed between the two parties. The supported fields include the appId and secret key appSecret allocated by the login authentication system, the platform user account number, the user id, the request timestamp, the request parameters, the request signature, the request unique identifier, the encryption type and others.
The method supports multi-field ordering: at least 3 of the supported fields are selected, and their sequence can be arranged arbitrarily. The selected encryption fields and their sequence are confirmed in advance and written into the configuration file (database). Supporting multiple encryption modes and selectable encryption fields improves the security of the authentication service.
Table 2 encryption method
In the currently implemented jump from the city platform to the provincial platform, 4 parameters are used: besides the mandatory appSecret and timestamp, 2 encryption fields are chosen, giving 21 choices, and the field ordering gives 24 choices, so there are 21 × 24 = 504 encryption choices, and 2016 encryption schemes if one encryption mode is also chosen (4 choose 1). In the jump from the provincial platform to the city platform, 5 encryption parameters are used: besides the mandatory appSecret and timestamp, 3 encryption fields are chosen, giving 35 choices, and the field ordering gives 120 choices, so there are 35 × 120 = 4200 choices, and 16800 encryption schemes if one encryption mode is also chosen (4 choose 1). As the number of fields increases, the number of possible encryption schemes grows exponentially, which ensures the security of the system.
The authentication method of the invention supports 1-to-n multiple authentication modes, that is, mutual authentication between 1 provincial platform and n city platforms. Since the city platforms already in use would face many difficulties following a unified authentication mode, the login authentication system supports multiple authentication modes for multiple platforms. This mainly involves platform identification, authentication mode selection and authentication mode verification, and the authentication complexity of the system is higher than that of ordinary single sign-on. Platform identification means that every platform has a unique platform feature code, whether it acts as the upper or the lower level. Authentication mode selection: the login authentication system selects the configuration file (database) based on the platform feature code and from it determines the platform's authentication mode, which includes the encryption mode, the encryption fields, the sequence of the encryption fields and so on. Authentication mode verification: the login authentication system decrypts according to the selected authentication mode and checks whether the parameters are correct. Each authentication carries the platform feature code of the requesting party and that of the receiving party, whichever of them is the upper or lower level, so the login authentication system can also support login authentication across multiple levels.
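As an added worked example (not code from the patent or its applicant), the following Python models the signature exchange of Steps 1 and 2 above together with the per-platform authentication mode selection just described: the receiving service looks up the platform's secret, field order and digest by appId, recomputes the signature and enforces the 5-minute timestamp window. The platform ids, secrets and the second platform's field order are constructed values; the md5 over appId + account + sessionId + timestamp + appSecret follows the description.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Hypothetical per-platform configuration keyed by appId (the platform feature
# code). Field order, secret and digest are agreed in advance and read from
# configuration, as the description requires. All values are constructed.
PLATFORM_CONFIG = {
    "city-001": {   # the 5-field md5 scheme given in the description
        "appSecret": "constructed-secret-001",
        "fields": ["appId", "account", "sessionId", "timestamp", "appSecret"],
        "digest": "md5",
    },
    "city-002": {   # a second platform with its own field order and digest
        "appSecret": "constructed-secret-002",
        "fields": ["appId", "timestamp", "account", "appSecret"],
        "digest": "sha256",
    },
}

TIME_FMT = "%Y-%m-%d %H:%M:%S"   # readable timestamp format from the description
MAX_SKEW = timedelta(minutes=5)  # default validity window from the description


def compute_sign(params, cfg):
    """Concatenate the agreed fields in the agreed order and hash the result.
    For city-001 this is md5(appId + account + sessionId + timestamp + appSecret)."""
    values = dict(params, appSecret=cfg["appSecret"])
    joined = "".join(str(values[name]) for name in cfg["fields"])
    return hashlib.new(cfg["digest"], joined.encode("utf-8")).hexdigest()


def build_request(app_id, account, session_id, now):
    """Requesting side (Step 1): produce reqString (base64 of the json request)
    and sign, the two values placed in the redirect address."""
    cfg = PLATFORM_CONFIG[app_id]
    params = {
        "appId": app_id,
        "account": account,
        "sessionId": session_id,
        "timestamp": now.strftime(TIME_FMT),
    }
    req_string = base64.b64encode(json.dumps(params, sort_keys=True).encode()).decode()
    return req_string, compute_sign(params, cfg)


def verify_request(req_string, sign, now):
    """Receiving side (Step 2, third sub-step): decode reqString, select the
    platform's authentication mode by appId, recompute the signature and check
    the timestamp window. Returns (passed, reason)."""
    try:
        params = json.loads(base64.b64decode(req_string))
    except (ValueError, TypeError):
        return False, "malformed reqString"
    if not isinstance(params, dict):
        return False, "malformed reqString"
    cfg = PLATFORM_CONFIG.get(params.get("appId"))
    if cfg is None:
        return False, "unknown appId"
    if any(f not in params for f in cfg["fields"] if f != "appSecret"):
        return False, "missing field"
    # Constant-time comparison so the check does not leak the expected digest.
    if not hmac.compare_digest(compute_sign(params, cfg).encode(), str(sign).encode()):
        return False, "signature mismatch"
    try:
        issued = datetime.strptime(params["timestamp"], TIME_FMT)
    except (ValueError, TypeError):
        return False, "bad timestamp"
    if abs(now - issued) > MAX_SKEW:
        return False, "request expired"
    return True, "ok"
```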
The method of the invention supports multiple configuration modes, both configuration files and database configuration, and uses different authentication modes according to the field application environment.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (10)

1. A login authentication method based on multiple authentication modes, characterized by comprising the following steps:
the front end of the platform to be accessed requests the back-end authentication service to obtain encryption parameters and a signature, the request address is spliced and returned to the front end of the platform to be accessed, and the front end of the platform to be accessed parses the address and jumps to the login verification page of the docking platform;
the front end of the docking platform passes the encryption parameters carried by the address to the back end, which requests the authentication service and returns a result;
the docking platform obtains the result of the authentication service, obtains the user information when the authentication passes, and jumps to the logged-in page of the docking platform.
2. The login authentication method based on multiple authentication modes according to claim 1, wherein the front end of the platform to be accessed requesting the back-end authentication service to obtain encryption parameters and a signature, splicing the request address and returning it to the front end of the platform to be accessed comprises the following steps:
the front end of the platform to be accessed carries the unique identification information of the user and requests the back-end authentication interface;
the back end obtains the relevant user information and the corresponding authentication information according to the unique user identification information and passes them to the authentication platform as the request;
the authentication platform generates the encryption parameters, calculates the signature and returns them;
the platform to be accessed obtains the encrypted string and the signature, splices the complete request address according to the rule and returns it to the front end of the platform to be accessed.
3. The login authentication method based on multiple authentication modes according to claim 2, wherein the authentication platform generating the encryption parameters, calculating the signature and returning them comprises:
the authentication platform splices the json-format request string and generates an encrypted string through an encryption algorithm;
according to the parameters negotiated in advance between the platform to be accessed and the docking platform and their ordering, the key with which the platform to be accessed requests the authentication platform, and an added timestamp in readable time format, the signature is calculated with the agreed signature algorithm and returned.
4. The login authentication method based on multiple authentication modes according to claim 1, wherein the front end of the docking platform passing the encryption parameters carried by the address to the back end to request the authentication service and returning the result comprises the following steps:
the front end of the docking platform receives the request, assembles the parameters carried by the address, and requests the back-end login authentication interface;
the back end of the docking platform calls the authentication interface of the authentication platform with the assembled parameters;
the authentication platform decrypts the parameters, checks whether the signature is correct and whether the timestamp meets the requirement, and returns the authentication result.
5. The login authentication method based on multiple authentication modes according to claim 4, wherein the authentication platform decrypting the parameters, checking whether the signature is correct and whether the timestamp meets the requirement, and returning the authentication result comprises:
obtaining the account number appId allocated by the authentication service and obtaining the key information of the corresponding platform according to the appId;
obtaining the configuration parameter information of the corresponding platform according to the appId, and recalculating the signature according to the parameters and the parameter ordering agreed between the platform to be accessed and the docking platform;
comparing the recalculated signature with the signature carried by the request; if they are consistent, the signature carried by the request is proved correct;
calculating the time difference between the request initiation time and the current time; if it exceeds the set value, the request is considered invalid.
6. The login authentication method based on multiple authentication modes according to claim 1, wherein the process in which the front end of the platform to be accessed requests the back-end authentication service to obtain the encryption parameters and signature supports multiple encryption modes, including at least symmetric encryption AES and SM4, asymmetric encryption RSA, and md5, and before docking the two platforms must confirm the encryption mode to be used and write it into the configuration file.
7. The login authentication method based on multiple authentication modes according to claim 1, wherein the process in which the front end of the platform to be accessed requests the back-end authentication service to obtain the encryption parameters and signature supports multi-field encryption, and the supported fields include at least the account number appId and key appSecret allocated by the authentication service, the platform user account number, the user id, the request timestamp, the request parameters, the request signature, the request unique identifier and the encryption type.
8. The login authentication method based on multiple authentication modes according to claim 1, wherein the process in which the front end of the platform to be accessed requests the back-end authentication service to obtain the encryption parameters and signature supports multi-field ordering: at least 3 fields are selected, their sequence can be arranged arbitrarily, and the selected encryption fields and their sequence are confirmed in advance and written into the configuration file.
9. A login authentication system based on multiple authentication modes, comprising:
a request module, used by the front end of the platform to be accessed to request the back-end authentication service to obtain encryption parameters and a signature, splice the request address and return it to the front end of the platform to be accessed, which parses the address and jumps to the login verification page of the docking platform;
a docking module, used by the front end of the docking platform to pass the encryption parameters carried by the address to the back end, which requests the authentication service and returns a result;
a login module, used by the docking platform to obtain the result of the authentication service, obtain the user information when the authentication passes and jump to the logged-in page of the docking platform.
10. The login authentication system based on multiple authentication modes according to claim 9, wherein the authentication service supports multiple authentication modes of 1 to n; the login authentication system selects the configuration file based on the platform feature code to determine the authentication mode of the platform, decrypts according to the selected authentication mode, and checks whether the parameters are correct.
CN202211742008.6A 2022-12-28 2022-12-28 Login authentication method and system based on multiple authentication modes Pending CN116112232A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211742008.6A CN116112232A (en) 2022-12-28 2022-12-28 Login authentication method and system based on multiple authentication modes

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211742008.6A CN116112232A (en) 2022-12-28 2022-12-28 Login authentication method and system based on multiple authentication modes

Publications (1)

Publication Number Publication Date
CN116112232A true CN116112232A (en) 2023-05-12

Family

ID=86260867

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211742008.6A Pending CN116112232A (en) 2022-12-28 2022-12-28 Login authentication method and system based on multiple authentication modes

Country Status (1)

Country Link
CN (1) CN116112232A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination