CN116114219A - Access token processing method and equipment - Google Patents

Access token processing method and equipment


Publication number: CN116114219A
Authority: CN (China)
Application number: CN202080105407.4A
Other languages: Chinese (zh)
Other versions: CN116114219A8 (en)
Inventors: 罗朝明, 茹昭, 吕小强
Current assignee: Guangdong Oppo Mobile Telecommunications Corp Ltd
Original assignee: Guangdong Oppo Mobile Telecommunications Corp Ltd
Legal status: Pending
Prior art keywords: level, access token, attribute, service, token

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The application relates to an access token processing method and equipment. The access token processing method comprises the following steps: the first device receives at least one level of access token from the second device. Another access token processing method includes: the second device sends at least one level of access token to the first device. According to the embodiment of the application, the access rights with finer granularity can be controlled through the access tokens with different levels.

Description

Access token processing method and equipment
Technical Field
The present application relates to the field of communications, and more particularly, to an access token processing method and apparatus.
Background
In the smart home Open Link Alliance (OLA) specifications, the access control rights and methods of application terminals have not yet been specified. The user issues an access token (Token) to the device through the mobile phone application or the cloud platform, or the device actively requests the access token from the cloud platform, so that the devices under the user account can access each other. The cloud platform may also be referred to as a cloud, an access cloud, and the like. However, current access tokens cannot express finer-grained access rights control.
Disclosure of Invention
The embodiment of the application provides an access token processing method and equipment, which can control access authority with finer granularity.
The embodiment of the application provides an access token processing method, which comprises the following steps: the first device receives at least one level of access token from the second device.
The embodiment of the application provides an access token processing method, which comprises the following steps: the second device sends at least one level of access token to the first device.
The embodiment of the application provides first equipment, which comprises: a receiving unit for receiving at least one level of access tokens from the second device.
The embodiment of the application provides a second device, which comprises: a sending unit for sending the at least one level of access token to the first device.
The embodiment of the application provides first equipment which comprises a processor and a memory. The memory is used for storing a computer program, and the processor is used for calling and running the computer program stored in the memory so as to enable the first device to execute the access token processing method.
The embodiment of the application provides second equipment which comprises a processor and a memory. The memory is used for storing a computer program, and the processor is used for calling and running the computer program stored in the memory so as to enable the second device to execute the access token processing method.
The embodiment of the application provides a chip for realizing the access token processing method.
Specifically, the chip includes: a processor for calling and running the computer program from the memory, so that the device provided with the chip executes the access token processing method.
The embodiment of the application provides a computer readable storage medium for storing a computer program, which when executed by a device, causes the device to execute the above access token processing method.
Embodiments of the present application provide a computer program product comprising computer program instructions for causing a computer to perform the above-described access token processing method.
The embodiment of the application provides a computer program which, when run on a computer, causes the computer to execute the access token processing method.
According to the embodiment of the application, the access rights with finer granularity can be controlled through the access tokens with different levels.
Drawings
Fig. 1 is a schematic diagram of an equipment model of an OLA according to an embodiment of the present application.
FIG. 2 is a flow chart of one example of issuing an access token.
Fig. 3 is a schematic flow chart diagram of an access token processing method according to an embodiment of the present application.
Fig. 4 is a schematic flow chart of an access token processing method according to another embodiment of the present application.
Fig. 5 is a flow chart of issued-token example 1 for issuing an access token.
Fig. 6 is a flow chart of issued-token example 2 for issuing an access token.
Fig. 7 is a flow chart of issued-token example 3 for issuing an access token.
Fig. 8 is a flow chart of update-token example 1 for issuing an access token.
Fig. 9 is a flow chart of update-token example 2 for issuing an access token.
Fig. 10 is a flow chart of delete-token example 1 for issuing an access token.
Fig. 11 is a flow chart of delete-token example 2 for issuing an access token.
Fig. 12 is a schematic block diagram of a first device according to an embodiment of the present application.
Fig. 13 is a schematic block diagram of a first device according to another embodiment of the present application.
Fig. 14 is a schematic block diagram of a second device according to an embodiment of the present application.
Fig. 15 is a schematic block diagram of a second device according to another embodiment of the present application.
Fig. 16 is a schematic block diagram of a communication device according to an embodiment of the present application.
Fig. 17 is a schematic block diagram of a chip according to an embodiment of the present application.
Fig. 18 is a schematic block diagram of a communication system according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
In order to facilitate understanding of the technical solutions of the embodiments of the present application, the following description is given of related technologies of the embodiments of the present application, and the following related technologies may be optionally combined with the technical solutions of the embodiments of the present application as an alternative, which all belong to the protection scope of the embodiments of the present application.
Device model for open connection alliance (Open Link Alliance, OLA):
According to the smart home OLA specification draft, the OLA device model is shown in FIG. 1. A device may be any of various application terminals, such as the smart home devices in a smart home scenario. An application terminal describes its functionality through different sets of services. A service is a separate and meaningful set of functions and may include attributes, methods, events, etc. An attribute is the smallest unit describing a state or function of the application terminal. Methods implement specific functions of a service that generally cannot be accomplished by reading and writing a single attribute. An event carries specific information that the application terminal actively reports to other devices.
For example, a device (device) may include the following fields:
type: a device type, which may include a device name (name), a unique identification of the device type (deviceUUID), etc.;
description: description of the device to illustrate functions of the device, etc.;
serviceList: a list of services, each of which may identify a service type and whether it is necessary in the device.
For another example, a service (service) may include the following fields:
type: a service type, which may include a service name (name), a unique identification of the service type (ServiceUUID), etc.;
description: description of the service to explain the purpose of the service, etc.;
actionList: a list of methods, wherein each method may contain a method type and whether it is necessary in the service;
eventList: an event list, wherein each event may contain an event type and whether it is necessary to choose in the service;
propertyList: a list of attributes, where each attribute may contain an attribute type and whether it is necessary in the service.
For another example, the attribute (property) may include the following fields:
type: an attribute type, which may include an attribute name (name), a unique identification of the attribute type (propertyUUID), etc.;
dataType: attribute value data types such as integers, strings, structures, etc.;
access: the access rights of the attribute, such as read (R), write (W), notify (N), or any combination of the three. An attribute that supports the notify (N) right generally also needs to support the read (R) right; an attribute that supports only the write (W) right and not the read (R) right should not support the notify (N) right.
For another example, the method (action) may include the following fields:
type: a method type, which may include an operation name (name), a unique identification of the operation type (actionUUID), etc.;
description: description of operations to illustrate purposes of the operations or usage rules, etc.;
inParameter: the list of input parameters, which may contain 0 or more entries;
outParameter: the list of output parameters, which may contain 0 or more entries.
For another example, an event (event) may include the following fields:
type: the event type, which may include an event name (name), a unique identification of the event (eventUUID), etc. For example, event types may include: message (a general message, e.g., a device going online or offline), alert (an alarm message, e.g., the refrigerator door is not closed), fault (a device failure message, e.g., the compressor is not working), etc.;
outParameter: the 0 or more parameters that may be carried in the reported event message; the attributes referred to here should support the notify (N) right;
description: description of the event, purpose of illustrating the event or usage rule, etc.
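The field lists above describe a device model document but give no way to check one. The following is an added example (not code from the patent, nor from the OLA specification) that parses a device document using the field names listed above and checks the two consistency rules the text states: the access flags of an attribute must be a combination of R, W and N with notify (N) requiring read (R), and the attributes an event reports should be notifiable. The JSON layout, the `required` flag, the event `kind` field, the function names and the sample document are constructed assumptions.

```python
"""Consistency checker for an OLA-style device model document.

Added example (not code from the patent, nor from the OLA specification):
the field names (type, description, serviceList, propertyList, actionList,
eventList, dataType, access, outParameter, ...) follow the description
above; the JSON layout, the 'required' flag, the event 'kind' field and the
sample document are constructed assumptions.
"""
from __future__ import annotations

import json

VALID_ACCESS_FLAGS = frozenset("RWN")


def check_access_flags(access: str) -> list[str]:
    """Apply the access-right rules from the text to one attribute's access string.

    An access value is any combination of R, W and N.  An attribute that
    supports notify (N) generally also needs read (R), which also covers the
    rule that a write-only attribute (W without R) must not be notifiable.
    """
    flags = frozenset(access)
    if not flags or not flags <= VALID_ACCESS_FLAGS:
        return [f"invalid access value {access!r} (expected a combination of R, W, N)"]
    if "N" in flags and "R" not in flags:
        return [f"access {access!r}: notify (N) requires read (R)"]
    return []


def validate_service(svc: dict) -> list[str]:
    """Check one service's attributes and events; return human-readable problems."""
    name = svc["type"]["name"]
    problems: list[str] = []
    notifiable: set[str] = set()
    for prop in svc.get("propertyList", []):
        pname = prop["type"]["name"]
        access = prop.get("access", "")
        problems += [f"service {name}, attribute {pname}: {p}" for p in check_access_flags(access)]
        if {"R", "N"} <= set(access):
            notifiable.add(pname)
    # Event outParameter entries name the attributes reported with the event
    # (assumed layout); the text says those attributes should be notifiable.
    for ev in svc.get("eventList", []):
        ename = ev["type"]["name"]
        for pname in ev.get("outParameter", []):
            if pname not in notifiable:
                problems.append(f"service {name}, event {ename}: reports attribute {pname!r} "
                                f"which does not support notify (N)")
    return problems


def validate_device(doc: dict) -> list[str]:
    """Validate every service in a device document."""
    problems: list[str] = []
    for svc in doc.get("serviceList", []):
        problems += validate_service(svc)
    return problems


def validate_device_json(text: str) -> list[str]:
    """Convenience wrapper: parse JSON text, then validate it."""
    return validate_device(json.loads(text))


# Constructed sample document: a refrigerator with one service, exercising both checks.
SAMPLE_DEVICE_JSON = json.dumps({
    "type": {"name": "fridge", "deviceUUID": "dev-0001"},
    "description": "sample refrigerator (constructed)",
    "serviceList": [{
        "type": {"name": "temperature", "ServiceUUID": "svc-0001"},
        "required": True,
        "propertyList": [
            {"type": {"name": "current", "propertyUUID": "prop-0001"}, "dataType": "integer", "access": "RN"},
            {"type": {"name": "target", "propertyUUID": "prop-0002"}, "dataType": "integer", "access": "RW"},
            # violates the rule: notifiable but not readable
            {"type": {"name": "calibration", "propertyUUID": "prop-0003"}, "dataType": "integer", "access": "WN"},
        ],
        "actionList": [{"type": {"name": "defrost", "actionUUID": "act-0001"},
                        "inParameter": [], "outParameter": []}],
        "eventList": [{"type": {"name": "doorOpen", "eventUUID": "evt-0001"}, "kind": "alert",
                       # 'target' is RW only, so reporting it in an event is flagged
                       "outParameter": ["current", "target"]}],
    }],
})

if __name__ == "__main__":
    for problem in validate_device_json(SAMPLE_DEVICE_JSON):
        print(problem)
```

Running the module reports two problems for the sample: the `calibration` attribute is notifiable without being readable, and the `doorOpen` event reports `target`, which is not notifiable. Validating the model before tokens are scoped against it matters because a token that grants notify on a non-readable attribute cannot be enforced consistently.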
Regarding access tokens (Token):
The user issues the access token to the device through the mobile phone application or through the cloud platform, or the device actively requests the access token from the cloud platform, so that the devices under the user account can access each other. The cloud platform may also be referred to as a cloud, an access cloud, and the like. Referring to FIG. 2, an example flow for issuing an access token (token) is as follows:
(1) Examples of a process of issuing an access token to a device through a cloud may include:
S11 and S12, the device is configured to access the network. For example, a user configures an IoT (Internet of Things) device to join the network through a mobile phone application.
S13, the device accesses the network for the first time.
S14, if the access cloud does not yet hold an account-level access token (token), it generates and stores one; if an account-level token already exists in the access cloud, S15 is executed directly to issue the account-level token to the device. Generally, when the device accesses the network for the first time the access cloud holds no account-level token, and when the device accesses the network again the access cloud may already hold one.
S15, the cloud is accessed to issue an account level token to the equipment.
(2) Examples of the process of issuing an access token to a device by a cell phone may include:
S21, the mobile phone application requests an account-level token from the access cloud.
S22, if the access cloud does not have the account-level token, an account-level token can be generated and stored, and if the access cloud does have the account-level token, S23 is directly executed to issue the account-level token to the mobile phone application.
S23, accessing the cloud to issue an account level token to the mobile phone application.
S24, the mobile phone application issues an account level token to the equipment.
(3) Examples of the flow in which the device actively requests an access token may include:
S31, the IoT device checks whether it already holds an account-level token; if not, it executes S32 to request one from the access cloud.
S32, the IoT device requests an account-level token from the access cloud.
S33, if the account-level token is not in the access cloud, an account-level token can be generated and stored, and if the account-level token is in the access cloud, S34 can be directly executed to issue the account-level token to the equipment.
S34, the cloud is accessed to issue an account level token to the equipment.
In this example, only account-level access control is performed in the access Token (Token), and the granularity of access authority control is not fine enough, so that finer granularity access control on devices, services, attributes and the like cannot be flexibly performed.
Fig. 3 is a schematic flow chart of an access token processing method 40 according to an embodiment of the present application. The method may alternatively be applied to the device model shown in fig. 1, but is not limited thereto. The method includes at least some of the following.
S41, the first device receives at least one level of access token from the second device.
Optionally, in an embodiment of the present application, the at least one level of access token includes at least one of:
an account-level access token;
a device-level access token;
a service-level access token;
an attribute-level access token.
For example, in issuing the token, the first device may receive one or more of an account-level access token, a device-level access token, a service-level access token, and an attribute-level access token issued by the second device. The scope of authority of access tokens of different levels may be different. Based on the scope of rights required by the first device, one or more levels of access tokens corresponding to the scope of rights may be received from the second device.
In the embodiment of the application, the account-level access token controls account-level access rights, the device-level access token controls device-level access rights, the service-level access token controls service-level access rights, and the attribute-level access token controls attribute-level access rights. The granularity of control is thus finer, which makes it easier to flexibly control access to devices, services, attributes and the like.
Optionally, in an embodiment of the present application, the account-level access token is used to access at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of the unrestricted services of the devices under the same account.
Illustratively, the scope of authority of the account-level access token may include at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event that allows access to unrestricted services of all devices under a certain account. In embodiments of the present application, allowing access to the unrestricted attribute may include allowing operations to read, write, add, delete, modify, etc. the unrestricted attribute.
In one specific example of a scope of rights, an account includes device A and device B. Device A has restricted services S1, S2 and unrestricted service S3, where S1 has unrestricted attributes C1, C2 and restricted event E0, S2 has restricted attribute C3 and unrestricted attribute C4, and S3 has unrestricted method F1 and restricted method F2. Device B has unrestricted service S4 and restricted services S5, S6, where S4 has unrestricted attribute C5, S5 has unrestricted attribute C6 and unrestricted event E1, and S6 has unrestricted attribute C7, restricted attribute C8 and restricted method F3.
The scope of authority of the account-level access token of this account may include allowing access to the unrestricted method F1 of the unrestricted service S3 of device A, and to the unrestricted attribute C5 of the unrestricted service S4 of device B. In addition, if C5 supports read and write rights, the scope of authority of the account-level access token may also include allowing read and write operations on C5.
Optionally, in an embodiment of the present application, the device-level access token is used to access at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of an unrestricted service of the same device or multiple devices under the same account.
For example, the scope of authority of the device-level access token may include at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event that allows access to all unrestricted services of the same device. If all devices under an account use the same device-level access token, the scope of authority of that device-level access token is equivalent to the scope of authority of the account-level access token. Referring to the above example of a scope of rights, in one specific example, the scope of rights of the device-level access token of device A may include allowing access to the unrestricted method F1 of the unrestricted service S3 of device A. The scope of authority of the device-level access token of device B may include allowing access to the unrestricted attribute C5 of the unrestricted service S4 of device B.
Optionally, in an embodiment of the present application, the service-level access token includes:
a service level access token for the same device;
a cross-device service level access token.
Illustratively, the scope of authority of the service-level access token may include allowing access to all unrestricted attributes of one or more restricted services of the specified one or more devices.
Optionally, in embodiments of the present application:
an access token at a service level of the same device for accessing at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of at least one restricted service of the same device;
an access token at a service level across devices is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of at least one restricted service of a plurality of devices.
In one specific example, the scope of authority of the service-level access token of the same device may include: allowing access to the unrestricted attributes C1 and C2 of the restricted service S1 of device A.
In one particular example, the scope of authority of the cross-device service-level access token may include: allowing access to the unrestricted attributes C1 and C2 of the restricted service S1 of device A, and the unrestricted attribute C7 of the restricted service S6 of device B.
Optionally, in an embodiment of the present application, the attribute-level access token includes:
an access token at the attribute level of the same service;
an access token across attribute levels of a service;
An access token across attribute levels of a device.
For example, the scope of authority of the attribute-level access token may include allowing access to one or more restricted attributes, restricted methods, or restricted events of one or more restricted services of the specified one or more devices. It may also include allowing access to one or more restricted attributes, restricted methods, or restricted events of one or more unrestricted services of the specified one or more devices.
Optionally, in embodiments of the present application:
an access token of an attribute level of the same service is used to access at least one of at least one restricted attribute, a restricted method, and a restricted event of the same service of the same device;
an access token across attribute levels of a service is used to access at least one of a restricted attribute, a restricted method, and a restricted event of a plurality of services of the same device;
an access token across attribute levels of a device is used to access at least one of a restricted attribute, a restricted method, and a restricted event of a plurality of services of a plurality of devices.
The same service may be the same restricted service or the same unrestricted service.
The plurality of services may be a plurality of restricted services, a plurality of unrestricted services, or a mixture of restricted and unrestricted services.
In one specific example, the scope of authority of the attribute-level access token of the same service may include: allowing access to the restricted attribute C3 of the restricted service S2 of device A.
In one specific example, the scope of authority of the attribute-level access token of the same service may include: allowing access to the restricted method F2 of the unrestricted service S3 of device A.
In one particular example, the scope of authority of the cross-service attribute-level access token may include: allowing access to the restricted event E0 of the restricted service S1 of device A, and the restricted attribute C3 of the restricted service S2.
In one particular example, the scope of authority of the cross-service attribute-level access token may include: allowing access to the restricted event E0 of the restricted service S1 of device A, and the restricted method F2 of the unrestricted service S3.
In one particular example, the scope of authority of the cross-device attribute-level access token may include: allowing access to the restricted attribute C3 of the restricted service S2 of device A, and the restricted attribute C8 and restricted method F3 of the restricted service S6 of device B.
In one particular example, the scope of authority of the cross-device attribute-level access token may include: allowing access to the restricted method F2 of the unrestricted service S3 of device A, and the restricted attribute C8 and restricted method F3 of the restricted service S6 of device B.
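The scope examples above (account-level through cross-device attribute-level) can be checked mechanically against the worked example of devices A and B. The following is an added example, not code from the patent: it encodes that example model with a restricted flag on each service and on each attribute, method and event, represents a token by its level and the device ids, (device, service) pairs or (device, service, element) triples it names, and decides each access request with a deny-by-default rule. The `Token` representation, the function names and the `classify` helper that names the same-device / cross-device and same-service / cross-service / cross-device sub-variants are assumptions.

```python
"""Scope evaluation for multi-level access tokens.

Added example, not code from the patent: the devices, services, attributes,
methods and events come from the worked scope-of-rights example in the text;
the Token representation (sets of device ids, (device, service) pairs and
(device, service, element) triples) and the function names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    restricted: bool
    elements: dict          # element name -> restricted flag; attributes, methods and events alike


# Constructed from the text: devices A and B under one account.
ACCOUNT_MODEL = {
    "A": {"S1": Service(True,  {"C1": False, "C2": False, "E0": True}),
          "S2": Service(True,  {"C3": True,  "C4": False}),
          "S3": Service(False, {"F1": False, "F2": True})},
    "B": {"S4": Service(False, {"C5": False}),
          "S5": Service(True,  {"C6": False, "E1": False}),
          "S6": Service(True,  {"C7": False, "C8": True, "F3": True})},
}


@dataclass(frozen=True)
class Token:
    level: str                              # "account", "device", "service" or "attribute"
    devices: frozenset = frozenset()        # device-level: device ids covered
    services: frozenset = frozenset()       # service-level: (device, service) pairs covered
    grants: frozenset = frozenset()         # attribute-level: (device, service, element) triples


def is_allowed(token: Token, device: str, service: str, element: str, model=ACCOUNT_MODEL) -> bool:
    """Decide whether `token` permits access to one attribute, method or event."""
    svc = model.get(device, {}).get(service)
    if svc is None or element not in svc.elements:
        return False                        # unknown target: deny
    elem_restricted = svc.elements[element]
    if token.level == "account":
        # unrestricted elements of unrestricted services of every device under the account
        return not svc.restricted and not elem_restricted
    if token.level == "device":
        return device in token.devices and not svc.restricted and not elem_restricted
    if token.level == "service":
        # unrestricted elements of the named (possibly restricted) services
        return (device, service) in token.services and not elem_restricted
    if token.level == "attribute":
        # exactly the named (possibly restricted) elements
        return (device, service, element) in token.grants
    return False


def allowed_set(token: Token, model=ACCOUNT_MODEL) -> set:
    """Enumerate every (device, service, element) the token permits."""
    return {(d, s, e)
            for d, svcs in model.items()
            for s, svc in svcs.items()
            for e in svc.elements
            if is_allowed(token, d, s, e, model)}


def classify(token: Token) -> str:
    """Name the sub-variant of a service- or attribute-level token by how far it spans."""
    if token.level == "service":
        spans_devices = len({d for d, _ in token.services}) > 1
        return "service-level, " + ("cross-device" if spans_devices else "same device")
    if token.level == "attribute":
        devices = {d for d, _, _ in token.grants}
        services = {(d, s) for d, s, _ in token.grants}
        if len(devices) > 1:
            return "attribute-level, cross-device"
        if len(services) > 1:
            return "attribute-level, cross-service"
        return "attribute-level, same service"
    return token.level + "-level"


if __name__ == "__main__":
    for tok in (Token("account"),
                Token("device", devices=frozenset({"A"})),
                Token("service", services=frozenset({("A", "S1"), ("B", "S6")})),
                Token("attribute", grants=frozenset({("A", "S2", "C3"), ("B", "S6", "C8"), ("B", "S6", "F3")}))):
        print(classify(tok), sorted(allowed_set(tok)))
```

Enumerating `allowed_set` reproduces the text's examples: the account-level token reaches only A/S3/F1 and B/S4/C5, a device-level token naming both A and B reaches exactly the same set, a service-level token for A/S1 reaches C1 and C2 but not the restricted event E0, and an attribute-level token reaches only the elements it names. Keeping the decision deny-by-default for unknown devices, services or elements is the property a verifier should preserve when the model changes.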
Optionally, in an embodiment of the present application, the first device receives at least one level of access token from the second device, and further includes: in the case that the first device is a controlled device, the first device receives a device-level access token from the second device; or in the case that the first device is a master device, the first device receives a device-level access token and a controlled device identification list from the second device.
For example, if the first device is an IoT device and the second device is a cloud device, the first device may request to the cloud device to issue a device-level access token. If the IoT device is a controlled device, the cloud device may issue a device-level access token to the IoT device after generating the device-level access token. If the IoT device is the master device, the cloud device may issue a device-level access token and a list of controlled device identities to the IoT device after generating the device-level access token. In embodiments of the present application, the list of controlled device identifications may include identifications of one or more devices that the master device is permitted to access based on the received access token.
For example, if the first device is an IoT device, the second device is a configuration device, and the cloud device issues a device-level access token to the IoT device via the configuration device. Specifically, the first device may request to the cloud device to issue a device-level access token. If the IoT device is a controlled device, the cloud device may send the device-level access token to the configuration device after generating the device-level access token, which is issued by the configuration device to the IoT device. If the IoT device is the master device, the cloud device may send the device-level access token to the configuration device after generating the device-level access token, which is issued by the configuration device to the IoT device along with the list of controlled device identities.
In the embodiment of the present application, a device having a function of configuring a device to access the network may be referred to as a configuration device. For example, the configuration device may include a mobile phone application, tablet, smart box, etc. with the capability of configuring the device to access the network.
Optionally, in an embodiment of the present application, the first device receives at least one level of access token from the second device, and further includes: in the case that the first device is a controlled device, the first device receives a service-level access token and a service name list from the second device; or in the case that the first device is a master device, the first device receives a service-level access token, a service name list and a controlled device identification from the second device.
For example, if the first device is an IoT device and the second device is a cloud device, the first device may request to the cloud device to issue a service-level access token. If the IoT device is a controlled device, the cloud device may issue a service-level access token and a list of service names to the IoT device after generating the service-level access token. If the IoT device is the master device, the cloud device may issue the service-level access token, the list of service names, and the controlled device identification to the IoT device after generating the service-level access token. In embodiments of the present application, the list of service names may include one or more service names that allow the master device to access based on the received access token. In the embodiment of the application, if the access token is the service level access token of the same device, a controlled device identifier is issued together with the service level access token and the service name list. In the case of a cross-device service level access token, a plurality of controlled device identifications are issued along with the service level access token and a service name list.
For example, if the first device is an IoT device, the second device is a configuration device, and the cloud device issues a service-level access token to the IoT device via the configuration device. Specifically, the first device may request to the cloud device to issue a service-level access token. If the IoT device is a controlled device, the cloud device may send the service-level access token to the configuration device after generating the service-level access token, which is issued by the configuration device to the IoT device. If the IoT device is the master device, the cloud device may send the service-level access token to the configuration device after generating the service-level access token, which is issued by the configuration device to the IoT device, the list of service names, and the controlled device identification.
Optionally, in an embodiment of the present application, the first device receives at least one level of access token from the second device, and further includes: in the case that the first device is a controlled device, the first device receives an attribute-level access token, a service name and attribute-related information from the second device; or in the case that the first device is a master control device, the first device receives a service-level access token, a service name, attribute-related information and a controlled device identifier from the second device; the attribute-related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
For example, if the first device is an IoT device and the second device is a cloud device, the first device may request the cloud device to issue an attribute-level access token, a service name, and attribute-related information. If the IoT device is a controlled device, the cloud device may issue an attribute-level access token to the IoT device after generating the attribute-level access token. If the IoT device is a master device, the cloud device may issue the attribute-level access token, the service name list, the service name, the attribute-related information, and the controlled device identification to the IoT device after generating the attribute-level access token. In the embodiment of the application, if the access token is an attribute-level access token of the same service, a service name is issued together with the attribute-level access token. In the case of a cross-service attribute-level access token, a plurality of service names are issued along with the attribute-level access token. In the case of a cross-device attribute-level access token, a plurality of controlled device identifications and a plurality of service names are issued with the attribute-level access token.
For example, if the first device is an IoT device, the second device is a configuration device, and the cloud device issues an attribute-level access token to the IoT device via the configuration device. Specifically, the first device may request to the cloud device to issue an access token, a service name, and attribute related information at an attribute level. If the IoT device is a controlled device, the cloud device may send the service-level access token to the configuration device after generating the service-level access token, and the configuration device issues the service-level access token, the service name list, the controlled device identification, the service name, the attribute-related information, and the controlled device identification to the IoT device. If the IoT device is the master device, the cloud device may send the service-level access token to the configuration device after generating the service-level access token, which is issued by the configuration device to the IoT device, the list of service names, and the controlled device identification.
Alternatively, in the embodiment of the present application, the device may actively request the token, in addition to the above-mentioned token issued by the cloud device or the configuration device.
Optionally, in an embodiment of the present application, if the first device actively requests the token, the method further includes: the first device sends a token issuing request to a second device.
Optionally, in an embodiment of the present application, the token issue request includes one of:
a controlled device identification list, the token issuing a request for requesting a device-level access token;
a controlled device identifier and a list of service names, the token issuing a request for requesting a service level access token;
the controlled device identification, the service name and attribute related information, wherein the token issue request is used for requesting an access token of an attribute level, and the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
For example, if the first device needs to request a device-level access token and the first device is an IoT device and the second device is a cloud device, the IoT device may send a token issuing request to the cloud device that includes a list of controlled device identifications.
For another example, if the first device needs to request a service-level access token, and the first device is an IoT device and the second device is a cloud device, the IoT device may send a token issuing request to the cloud device that includes a controlled device identification and a list of service names.
For another example, if the first device needs to request an access token at the attribute level, and the first device is an IoT device and the second device is a cloud device, the IoT device may send a token issuing request including the controlled device identifier, the service name, and the attribute-related information to the cloud device.
The cloud device directly issues the generated token or the configuration device issues the token generated by the cloud device.
Optionally, in an embodiment of the present application, if the token needs to be updated, the method further includes: the first device receives the identification of the access token of at least one level which needs to be updated and the content which needs to be updated from the second device; and the first equipment updates the access token corresponding to the identification of the access token of at least one level which needs to be updated based on the content which needs to be updated.
Optionally, the content that needs to be updated may include the validity period, scope of authority, etc. of one or more tokens. One or more access tokens may be updated at a time.
For example, if the first device is an IoT device and the second device is a cloud device, the configuration device sends to the cloud device an identification of a level of access tokens that need to be updated and content that needs to be updated. After the cloud device updates the access token, the identification of the access token and the content to be updated may be issued to the IoT device by the cloud device. After receiving the identification of the access token and the content to be updated, the IoT device modifies the content to be updated in the access token corresponding to the identification of the access token.
For another example, if the first device is an IoT device and the second device is a configuration device, the configuration device sends to the cloud device the identification of the access token of a certain level that needs to be updated and the content that needs to be updated. After the cloud device updates the access token, it sends the identification of the access token and the updated content to the configuration device, and the configuration device issues them to the IoT device. After receiving the identification of the access token and the content to be updated, the IoT device modifies that content in the access token corresponding to the identification.
Optionally, in an embodiment of the present application, if the token needs to be deleted, the method further includes:
the first device receives an identification of at least one level of access tokens to be deleted from the second device;
the first device deletes the corresponding access token based on the identification of the access token of at least one level which needs to be deleted.
Optionally, in an embodiment of the present application, the second device is a configuration device or a cloud device.
Alternatively, the identification of at least one level of access tokens to be deleted may be obtained on the configuration device in response to a user selection operation. One or more access tokens may be deleted at a time.
For example, if the first device is an IoT device, the second device is a cloud device, and the configuration device sends to the cloud device an identification of a certain level of access tokens that need to be deleted. After the cloud device deletes the access token, the cloud device may notify the IoT device of the identity of the deleted access token.
For another example, if the first device is an IoT device and the second device is a configuration device, the configuration device sends the identification of the access token of a certain level that needs to be deleted to the cloud device. After the cloud device deletes the access token, it notifies the configuration device of the identification of the deleted access token, and the configuration device then notifies the IoT device of that identification.
Optionally, in an embodiment of the present application, the method further includes at least one of the following sharing modes:
the first device shares at least one level of access token to configuration devices or internet of things devices bound to other accounts of the same platform;
the first device shares at least one level of access token to configuration devices or Internet of things devices bound to other accounts of the same platform through the cloud device;
the first device shares at least one level of access token to configuration devices or internet of things devices bound to other accounts of different platforms;
and the first device shares at least one level of access token with configuration devices or Internet of things devices bound to other accounts of different platforms through the cloud device.
Illustratively, if account 1 and account 2 access the same cloud platform, devices under account 1 may share one or more levels of access tokens to configuration devices under account 2, such as a cell phone application, and may also share one or more levels of access tokens to IoT devices under account 2.
For example, if account 1 and account 2 access the same cloud platform, the first device under account 1 may share one or more levels of access tokens with a configuration device under account 2, such as a cell phone application, through the cloud platform, and may also share one or more levels of access tokens with IoT devices under account 2 through the cloud platform.
Illustratively, if account 1, device 1-1 under account 1, account 2, and device 2-1 under account 2 access the same cloud platform, device 1-1 may share one or more levels of access tokens under account 1 to device 2-1 under account 2.
Illustratively, if account 1, device 1-1 under account 1, account 2, and device 2-1 under account 2 access the same cloud platform, device 1-1 may share one or more levels of access tokens under account 1 to device 2-1 under account 2 via the cloud platform.
Illustratively, if account 1, device 1-1 under account 1 access cloud platform C-1, account 2, and device 2-1 under account 2 access cloud platform C-2, device 1-1 may share one or more levels of access tokens under account 1 to device 2-1 under account 2.
Illustratively, if account 1, device 1-1 under account 1 access cloud platform C-1, account 2, and device 2-1 under account 2 access cloud platform C-2, device 1-1 may share one or more levels of access tokens under account 1 to device 2-1 under account 2 through cloud platforms C-1 and C-2.
Fig. 4 is a schematic flow chart diagram of an access token processing method 50 according to an embodiment of the present application. The method may alternatively be applied to the device model shown in fig. 1, but is not limited thereto. The method includes at least some of the following.
S51, the second device sends at least one level of access token to the first device.
In the scenario of issuing the token, the second device may be a cloud device or a configuration device. After the cloud device generates at least one level of access token, the access token can be directly issued to the first device, or can be issued to the first device through the configuration device.
Optionally, in an embodiment of the present application, the at least one level of access token includes at least one of:
an account-level access token;
a device-level access token;
a service level access token;
attribute-level access token.
Optionally, in an embodiment of the present application, the service-level access token includes:
a service level access token for the same device;
a cross-device service level access token.
Optionally, in an embodiment of the present application, the attribute-level access token includes:
an access token at the attribute level of the same service;
an access token across attribute levels of a service;
an access token across attribute levels of a device.
Optionally, in an embodiment of the present application, the account-level access token is used to access at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of unrestricted service of the device under the same account.
Optionally, in an embodiment of the present application, the device-level access token is used to access at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of an unrestricted service of the same device or multiple devices under the same account.
Alternatively, in embodiments of the present application,
an access token at a service level of the same device for accessing at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of at least one restricted service of the same device;
an access token at a service level across devices is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of at least one restricted service of a plurality of devices.
Alternatively, in embodiments of the present application,
an access token of an attribute level of the same service is used to access at least one restricted attribute, restricted method or restricted event of the same service of the same device;
an access token across attribute levels of a service is used to access at least one of a restricted attribute, a restricted method, and a restricted event of a plurality of services of the same device;
an access token across attribute levels of a device is used to access at least one of a restricted attribute, a restricted method, and a restricted event of a plurality of services of a plurality of devices.
Optionally, in an embodiment of the present application, the second device sends at least one level of access token to the first device, including: in the case that the first device is a controlled device, the second device sends a service-level access token and a service name list to the first device; or in the case that the first device is a master control device, the second device sends a service-level access token, a service name list and a controlled device identifier to the first device.
Optionally, in an embodiment of the present application, the second device sends at least one level of access token to the first device, further including: in the case that the first device is a controlled device, the second device sends an attribute-level access token, a service name and attribute-related information to the first device; or in the case that the first device is a master control device, the second device sends an attribute-level access token, a service name, attribute-related information and a controlled device identifier to the first device; the attribute-related information includes at least one of an attribute name list, the read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
Optionally, in an embodiment of the present application, the method further includes: the second device receives a token issuing request from the first device.
Optionally, in an embodiment of the present application, the token issue request includes one of:
a controlled device identification list, the token issuing a request for requesting a device-level access token;
a controlled device identifier and a list of service names, the token issuing a request for requesting a service level access token;
the controlled device identification, the service name and attribute related information, wherein the token issue request is used for requesting an access token of an attribute level, and the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
Optionally, in an embodiment of the present application, the method further includes:
the second device sends to the first device an identification of at least one level of access tokens that need to be updated and content that needs to be updated.
In the context of updating the token, the second device may be a cloud device or a configuration device. After the cloud device updates the at least one level of access token, the identifier of the at least one level of access token and the content to be updated can be directly sent to the first device, or the identifier of the at least one level of access token and the content to be updated can be sent to the first device through the configuration device.
Optionally, in an embodiment of the present application, the method further includes:
the second device sends to the first device an identification of at least one level of access tokens that need to be deleted.
In the context of deleting the token, the second device may be a cloud device or a configuration device. After deleting the at least one level of access token, the cloud device may directly notify the first device of the identifier of the at least one level of access token that needs to be deleted, or may notify the first device of the identifier of the at least one level of access token that needs to be deleted through the configuration device.
Optionally, in the embodiment of the present application, in a scenario of issuing a token, updating a token, deleting a token, or sharing a token, the second device may be a cloud device.
Optionally, in an embodiment of the present application, if the second device is a cloud device, the method further includes at least one of the following sharing modes:
the cloud device shares at least one level of access token from the first device to configuration devices or internet of things devices bound with other accounts on the same platform as the first device;
and the cloud device shares at least one level of access token from the first device to configuration devices or Internet of things devices bound with other accounts of different platforms of the first device.
Optionally, in an embodiment of the present application, the method further includes:
the cloud device receives a selected main control device identification list and/or a controlled device identification list from configuration devices;
and the cloud device generates a device-level access token and stores the device-level access token and a corresponding main control device identification list and/or a controlled device identification list.
For example, if the first device is an IoT device (a master device and/or a controlled device) and the second device is a cloud device, the user may select the master device and/or the controlled device through the configuration device, which obtains the selected master device identification list and/or controlled device identification list. The configuration device may send the master device identification list and/or the controlled device identification list selected by the user to the cloud device. After receiving the master device identification list and/or the controlled device identification list, the cloud device generates a device-level access token and stores it together with the corresponding master device identification list and/or controlled device identification list. The cloud device may then issue the device-level access token to the IoT device directly or through the configuration device. See the procedure above for the second device sending a token to the first device (master device and/or controlled device).
Optionally, in an embodiment of the present application, if the second device is a cloud device, the method further includes: the cloud device receives a selected main control device identification list, a controlled device identification and a service name list from configuration devices; and the cloud device generates a service-level access token and stores the service-level access token and a corresponding main control device identification list, a controlled device identification and a service name list.
For example, if the first device is an IoT device (a master device and/or a controlled device) and the second device is a cloud device, the user may select, through the configuration device, the master device, the controlled device and a service of the controlled device, so that the configuration device obtains a selected master device identification list, a controlled device identification and a service name list. The configuration device may send the master device identification list, the controlled device identification and the service name list selected by the user to the cloud device. After receiving them, the cloud device generates a service-level access token and stores it together with the corresponding master device identification list, controlled device identification and service name list. The cloud device may then issue the service-level access token to the IoT device directly or through the configuration device. See the procedure above for the second device sending a service-level access token to the first device (master device and/or controlled device).
Optionally, in an embodiment of the present application, if the second device is a cloud device, the method further includes:
the cloud device receives a selected main control device identification list, a controlled device identification, a service name and attribute related information from configuration devices, wherein the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to an attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list;
and the cloud device generates an access token of an attribute level and stores the access token of the attribute level, a corresponding main control device identification list, a controlled device identification, a service name and attribute related information.
For example, if the first device is an IoT device (a master device and/or a controlled device) and the second device is a cloud device, the user may select, through the configuration device, the master device, the controlled device and attributes in a service of the controlled device, so that the configuration device obtains the selected master device identification list, controlled device identification, service name and attribute-related information. The configuration device may send the master device identification list, the controlled device identification, the service name and the attribute-related information selected by the user to the cloud device. After receiving them, the cloud device generates an attribute-level access token and stores it together with the corresponding master device identification list, controlled device identification, service name and attribute-related information. The cloud device may then issue the attribute-level access token to the IoT device directly or through the configuration device. See the procedure above for the second device sending an attribute-level access token to the first device (master device and/or controlled device).
Optionally, in the embodiment of the present application, in a scenario of issuing a token, updating a token, deleting a token, or sharing a token, the second device may be a configuration device.
Optionally, in an embodiment of the present application, if the second device is a configuration device, the method further includes at least one of:
the configuration equipment responds to the equipment selection operation and sends a selected main control equipment identification list and/or a controlled equipment identification list to the cloud equipment;
the configuration equipment responds to service selection operation and sends a selected main control equipment identification list, a controlled equipment identification and a service name list to the cloud equipment;
the configuration equipment responds to the attribute selection operation and sends a selected main control equipment identification list, a controlled equipment identification, a service name and attribute related information to the cloud equipment, wherein the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
Optionally, in an embodiment of the present application, if the second device is a configuration device, the method further includes at least one of:
the configuration device receives a device-level access token from the cloud device;
The configuration device receives a service-level access token from the cloud device;
the configuration device receives an access token from the cloud device at an attribute level.
Illustratively, in the scenario of issuing tokens, various levels of access tokens may be issued to IoT devices by configuration devices.
For example, a user may select an IoT device (a master device and/or a controlled device) through the configuration device; in response to the user's device selection operation, the configuration device obtains the selected master device identification list and/or controlled device identification list and sends it to the cloud device. After the cloud device generates the device-level access token based on the master device identification list and/or the controlled device identification list, it sends the device-level access token to the configuration device, which issues it to the IoT device. See the procedure above for the second device sending a device-level access token to the first device (master device and/or controlled device).
For another example, the user may select a service of an IoT device (a master device and/or a controlled device) through the configuration device; in response to the user's service selection operation, the configuration device obtains the selected master device identification list, controlled device identification and service name list and sends them to the cloud device. After the cloud device generates a service-level access token based on the selected master device identification list, controlled device identification and service name list, it sends the service-level access token to the configuration device, which issues it to the IoT device. See the procedure above for the second device sending a service-level access token to the first device (master device and/or controlled device).
For another example, the user may select an attribute in a service of an IoT device (a master device and/or a controlled device) through the configuration device; in response to the user's attribute selection operation, the configuration device obtains the selected master device identification list, controlled device identification, service name and attribute-related information and sends them to the cloud device. After the cloud device generates an attribute-level access token based on the selected master device identification list, controlled device identification, service name and attribute-related information, it sends the attribute-level access token to the configuration device, which issues it to the IoT device. See the procedure above for the second device sending an attribute-level access token to the first device (master device and/or controlled device).
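The generate, issue, update and delete flows described above (cloud device side, with the configuration device supplying the user's selection and the IoT devices holding the result), as an added example that is not code from the patent or the applicant. Message field names, the token id scheme (account id plus an in-account index, as in the storage notes later on this page), the expires_at validity field and the bearer secret are assumptions; the page itself only fixes which identifier lists accompany each token level and which fields an update may change.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Identifier fields that must accompany each token level, from the issue-request
# shapes above (device: id lists; service: + service names; attribute: + attribute info).
REQUIRED = {
    "device": ("master_ids", "controlled_ids"),
    "service": ("master_ids", "controlled_ids", "service_names"),
    "attribute": ("master_ids", "controlled_ids", "service_names", "attribute_info"),
}


@dataclass
class TokenRecord:
    token_id: str
    level: str
    master_ids: List[str]
    controlled_ids: List[str]
    service_names: List[str]
    attribute_info: Optional[dict]
    expires_at: int          # validity period, one of the updatable fields (assumption)
    secret: str              # bearer value the devices later compare against (assumption)


class CloudDevice:
    """Generates tokens from the configuration device's selection and keeps the record."""

    def __init__(self, account_id: str):
        self.account_id, self.store, self._index = account_id, {}, 0

    def generate(self, selection: dict, ttl: int, now: int) -> TokenRecord:
        level = selection["level"]
        missing = [f for f in REQUIRED[level] if not selection.get(f)]
        if missing:
            raise ValueError(f"{level}-level token needs {missing}")
        self._index += 1                      # token id = account id + in-account index
        rec = TokenRecord(f"{self.account_id}:{self._index}", level,
                          list(selection["master_ids"]), list(selection["controlled_ids"]),
                          list(selection.get("service_names", [])), selection.get("attribute_info"),
                          now + ttl, secrets.token_urlsafe(32))
        self.store[rec.token_id] = rec
        return rec

    def issue(self, rec: TokenRecord) -> List[dict]:
        """Controlled devices get the token and the names it covers; master devices
        additionally get the controlled device ids they may address with it."""
        base = {"kind": "issue", "token_id": rec.token_id, "level": rec.level,
                "secret": rec.secret, "expires_at": rec.expires_at,
                "service_names": rec.service_names, "attribute_info": rec.attribute_info}
        msgs = [dict(base, to=d) for d in rec.controlled_ids]
        msgs += [dict(base, to=d, controlled_ids=rec.controlled_ids) for d in rec.master_ids]
        return msgs

    def update(self, token_id: str, changes: dict) -> List[dict]:
        """Change validity period or scope fields; every holder is told the same change."""
        rec = self.store[token_id]
        for k, v in changes.items():
            if k not in ("expires_at", "service_names", "attribute_info"):
                raise ValueError(f"{k} is not an updatable field")
            setattr(rec, k, v)
        return [{"kind": "update", "to": d, "token_id": token_id, "changes": dict(changes)}
                for d in rec.controlled_ids + rec.master_ids]

    def delete(self, token_id: str) -> List[dict]:
        """Revoke: drop the record and notify every holder so it stops honouring the secret."""
        rec = self.store.pop(token_id)
        return [{"kind": "delete", "to": d, "token_id": token_id}
                for d in rec.controlled_ids + rec.master_ids]


class IoTDevice:
    """Master or controlled device: stores the tokens it was sent and validates presented ones."""

    def __init__(self, device_id: str):
        self.device_id, self.tokens = device_id, {}

    def handle(self, msg: dict) -> None:
        if msg["to"] != self.device_id:
            return
        if msg["kind"] == "issue":
            self.tokens[msg["token_id"]] = {k: v for k, v in msg.items() if k not in ("kind", "to")}
        elif msg["kind"] == "update":
            self.tokens[msg["token_id"]].update(msg["changes"])
        elif msg["kind"] == "delete":
            self.tokens.pop(msg["token_id"], None)

    def accepts(self, secret: str, now: int) -> Optional[str]:
        """Token id of a known, unexpired secret (constant-time compare), else None."""
        for tid, tok in self.tokens.items():
            if secrets.compare_digest(tok["secret"], secret) and now < tok["expires_at"]:
                return tid
        return None


def deliver(msgs: List[dict], devices: List[IoTDevice]) -> None:
    """Direct delivery; relaying through the configuration device carries the same payload."""
    for m in msgs:
        for d in devices:
            d.handle(m)
```

The point a practitioner should take from this is that the cloud record and the device copy must agree on three things: which identifiers the token is bound to (checked at generation time per level), its validity period (which an update can extend or shorten) and its existence (a delete that does not reach the enforcing device leaves a usable credential behind).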
For a specific example of the second device execution method 50 in this embodiment, reference may be made to the description about the second device, such as the configuration device or the cloud device, in the above method 40, and for brevity, the description is omitted here.
The embodiment of the application can provide the multi-level access token and perform various management on the multi-level access token.
1 Multi-level access token (Token)
An example of the attributes and level descriptions of a multi-level access token (Token) is as follows:
Figure PCTCN2020139575-APPB-000001
Figure PCTCN2020139575-APPB-000002
Alternatively, if a device belongs to multiple accounts on the same platform at the same time, the token ID may be a combination of account ID and in-account index to avoid collision of token indexes under different accounts.
Alternatively, if a device is simultaneously assigned to accounts of multiple different platforms, the token ID may be a combination of the platform ID, the account ID, and the index in the account, so as to avoid collision of token indexes under different accounts.
According to the actual rights control requirements of the user, one device can be set with zero, one or a plurality of device-level token, can be set with zero, one or a plurality of service-level token, and can be set with zero, one or a plurality of attribute-level token.
1.1 rights Range example
Permission scope example of a multi-level token: device A owns the services S1, S2 and S3; S1 owns the attributes C1 and C2 and the event E0, S2 owns the attributes C3 and C4, S3 owns the methods F1 and F2. Device B owns the services S4, S5 and S6; S4 owns the attribute C5, S5 owns the attribute C6 and the event E1, S6 owns the attributes C7 and C8 and the method F3. The default account-level token is T0. The user sets a device-level token T1 for A, a service-level token T2 for S1, an attribute-level token T20 for E0 of S1, a service-level token T3 for S2, an attribute-level token T4 for the write right of C3, and an attribute-level token T21 for F2 of S3. A service-level token T5 is set for S5 and S6 of B, and an attribute-level token T6 is set for C8 and F3. The relationship of devices, services, attributes and tokens is then:
A ---- T1
  S1 (restricted service) ---- T2
    C1 (rw) (unrestricted attribute)
    C2 (rw) (unrestricted attribute)
    E0 (restricted event) ---- T20
  S2 (restricted service) ---- T3
    C3 (r) (unrestricted attribute)
    C3 (w) (restricted attribute) ---- T4
    C4 (rw) (unrestricted attribute)
  S3 (unrestricted service)
    F1 (unrestricted method)
    F2 (restricted method) ---- T21
B
  S4 (unrestricted service)
    C5 (rw) (unrestricted attribute)
  S5 (restricted service) ---- T5
    C6 (rw) (unrestricted attribute)
    E1 (unrestricted event)
  S6 (restricted service) ---- T5
    C7 (rw) (unrestricted attribute)
    C8 (rw) (restricted attribute) ---- T6
    F3 (restricted method) ---- T6
Based on the relationships between the above devices, services, attributes, the following examples of the scope of rights for the access token can be derived:
(1) The authority range of T0 can be expressed as JSON (JavaScript Object Notation, JS object profile):
Figure PCTCN2020139575-APPB-000003
(2) The authority range of T1 can be expressed as JSON:
Figure PCTCN2020139575-APPB-000004
(3) The authority range of T2 can be expressed as JSON:
Figure PCTCN2020139575-APPB-000005
(4) The authority range of T3 can be expressed as JSON:
Figure PCTCN2020139575-APPB-000006
Figure PCTCN2020139575-APPB-000007
(5) The authority range of T4 can be expressed as JSON:
Figure PCTCN2020139575-APPB-000008
(6) The authority range of T5 can be expressed as JSON:
Figure PCTCN2020139575-APPB-000009
(7) The authority range of T6 can be expressed as JSON:
Figure PCTCN2020139575-APPB-000010
(8) The authority range of T20 can be expressed as JSON:
Figure PCTCN2020139575-APPB-000011
(9) The authority range of T21 can be expressed as JSON:
Figure PCTCN2020139575-APPB-000012
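The rights scopes listed above are given in the patent as JSON figures that this page does not reproduce. The following is an added example, not code from the patent or the applicant, that models the device tree of 1.1, derives each token's scope from the level semantics stated in the method description (account- and device-level tokens reach only unrestricted members of unrestricted services, service-level tokens reach the unrestricted members of the named services, attribute-level tokens reach exactly the named restricted members and operations), and checks one request against one token. The nested layout (device, service, member, operations) and the operation names "invoke" for methods and "subscribe" for events are assumptions; the page only distinguishes read (r) and write (w) on attributes. The extended tokens T7, T8 and T9 from section 1.3 are included to show that the same layout covers cross-service and cross-device scopes.

```python
from typing import Dict, List

# Constructed model of the tree in 1.1. Each member is
# (kind, all operations, operations that are restricted and need an attribute-level token).
MODEL = {
    "A": {
        "S1": {"restricted": True, "members": {"C1": ("attr", {"r", "w"}, set()),
                                               "C2": ("attr", {"r", "w"}, set()),
                                               "E0": ("event", {"subscribe"}, {"subscribe"})}},
        "S2": {"restricted": True, "members": {"C3": ("attr", {"r", "w"}, {"w"}),   # write needs T4
                                               "C4": ("attr", {"r", "w"}, set())}},
        "S3": {"restricted": False, "members": {"F1": ("method", {"invoke"}, set()),
                                                "F2": ("method", {"invoke"}, {"invoke"})}},
    },
    "B": {
        "S4": {"restricted": False, "members": {"C5": ("attr", {"r", "w"}, set())}},
        "S5": {"restricted": True, "members": {"C6": ("attr", {"r", "w"}, set()),
                                               "E1": ("event", {"subscribe"}, set())}},
        "S6": {"restricted": True, "members": {"C7": ("attr", {"r", "w"}, set()),
                                               "C8": ("attr", {"r", "w"}, {"r", "w"}),
                                               "F3": ("method", {"invoke"}, {"invoke"})}},
    },
}

Scope = Dict[str, Dict[str, Dict[str, List[str]]]]   # device -> service -> member -> ops


def _open_members(service: dict) -> Dict[str, List[str]]:
    """Members (and ops) of one service reachable without an attribute-level token."""
    out = {}
    for name, (_kind, ops, restricted_ops) in service["members"].items():
        free = sorted(ops - restricted_ops)
        if free:
            out[name] = free
    return out


def derive_scope(level: str, targets) -> Scope:
    """Rights scope of one token from its level and targets.
    targets: "account"/"device" -> iterable of device ids; "service" -> {device: [service]};
             "attribute" -> {device: {service: {member: [op, ...]}}}."""
    scope: Scope = {}
    if level in ("account", "device"):        # unrestricted members of unrestricted services
        for dev in targets:
            for svc_name, svc in MODEL[dev].items():
                if not svc["restricted"]:
                    scope.setdefault(dev, {})[svc_name] = _open_members(svc)
    elif level == "service":                  # unrestricted members of the named services
        for dev, svc_names in targets.items():
            for svc_name in svc_names:
                scope.setdefault(dev, {})[svc_name] = _open_members(MODEL[dev][svc_name])
    elif level == "attribute":                # exactly the named members and operations
        for dev, services in targets.items():
            for svc_name, members in services.items():
                for member, ops in members.items():
                    defined = MODEL[dev][svc_name]["members"][member][1]
                    if set(ops) - defined:
                        raise ValueError(f"{dev}.{svc_name}.{member} has no op {set(ops) - defined}")
                    scope.setdefault(dev, {}).setdefault(svc_name, {})[member] = sorted(ops)
    else:
        raise ValueError(f"unknown token level {level!r}")
    return scope


def is_allowed(scope: Scope, device: str, service: str, member: str, op: str) -> bool:
    """Deny by default: device, service, member and op must all match the scope."""
    return op in scope.get(device, {}).get(service, {}).get(member, [])


# The tokens set in 1.1, plus the extended ones of 1.3 (T7 cross-device service,
# T8 cross-service attribute, T9 cross-device attribute).
TOKENS: Dict[str, Scope] = {
    "T0": derive_scope("account", ["A", "B"]),
    "T1": derive_scope("device", ["A"]),
    "T2": derive_scope("service", {"A": ["S1"]}),
    "T3": derive_scope("service", {"A": ["S2"]}),
    "T4": derive_scope("attribute", {"A": {"S2": {"C3": ["w"]}}}),
    "T5": derive_scope("service", {"B": ["S5", "S6"]}),
    "T6": derive_scope("attribute", {"B": {"S6": {"C8": ["r", "w"], "F3": ["invoke"]}}}),
    "T20": derive_scope("attribute", {"A": {"S1": {"E0": ["subscribe"]}}}),
    "T21": derive_scope("attribute", {"A": {"S3": {"F2": ["invoke"]}}}),
    "T7": derive_scope("service", {"A": ["S2"], "B": ["S4"]}),
    "T8": derive_scope("attribute", {"B": {"S5": {"C6": ["r", "w"]}, "S6": {"C7": ["r", "w"]}}}),
    "T9": derive_scope("attribute", {"A": {"S1": {"C1": ["r", "w"]}},
                                     "B": {"S5": {"C6": ["r", "w"]}, "S6": {"C7": ["r", "w"]}}}),
}


def check(token_id: str, device: str, service: str, member: str, op: str) -> bool:
    """Decide one request against one presented token."""
    return is_allowed(TOKENS[token_id], device, service, member, op)
```

The check is deny-by-default: a request whose device, service, member or operation is absent from the scope fails even when the member itself is unrestricted, because an account- or device-level token simply does not list restricted services, and a service-level token lists only the unrestricted operations of its services (T3 carries C3 read but not C3 write). derive_scope also rejects an attribute-level token naming an operation the member does not define, which is the validation a cloud device should perform before issuing.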
1.2 application example
Application example of a multi-level token: in a linkage where the smoke sensor's detection triggers the smoke alarm, the alarm itself may hold only the right to the smoke-sensing attribute of the sensor, or another device such as a smart speaker may act as the master device and hold both the right to access the smoke-sensing device and the right to the alarm service of the alarm.
Application examples of attributes (distinguishing reads from writes): if the user gives the authority to the A device to read the D attribute in the C service of the B device, an attribute level token T1 is generated. If the user gives the authority to the A device to write the D attribute in the C service of the B device, an attribute level token T2 is generated. If the user gives the authority to the A device to read and write the D attribute in the C service of the B device, the attribute level token T1 and the attribute level token T2 can be generated simultaneously, or only one attribute level token T3 can be generated.
Optionally, if the value of the attribute is a data list (array/list), the write right on the attribute may be further split into add, delete and modify rights. Examples: if the user gives device A the right to write the E attribute (whose value is a data list) in the C service of device B, an attribute-level token T4 is generated; T4 allows the value of E to be changed arbitrarily, including adding, deleting and modifying elements of the list. If the user gives device A the right to add to the E attribute, an attribute-level token T5 is generated; T5 allows only adding a sub-element to the value of E (appending an element to its list). If the user gives device A the right to delete from the E attribute, an attribute-level token T6 is generated; T6 allows only deleting an existing element of the list. If the user gives device A the right to modify the E attribute, an attribute-level token T7 is generated; T7 allows only modifying an existing element of the list. A possible usage scenario: the fingerprint data of a door lock (the attribute value is the list of fingerprints), where the owner's phone holds the add and delete rights, the child's phone holds the view right, and a guest's phone holds the add right.
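The read/write split and the add/delete/modify split described above, as an added example on the door-lock fingerprint list (not code from the patent). The token names, the request shape and the rule that an undivided write right covers add, delete and modify are assumptions.

```python
from typing import Dict, List, Set

# Constructed grants for the door-lock scenario: each phone holds one token on the
# lock's fingerprint-list attribute. "w" is the undivided write right; add, delete
# and modify are the split rights on elements of the list.
GRANTS: Dict[str, Set[str]] = {
    "owner_phone": {"r", "add", "delete"},
    "child_phone": {"r"},
    "guest_phone": {"add"},
    "installer": {"r", "w"},
}


class Forbidden(Exception):
    """The presented token does not carry the requested operation."""


def effective_ops(ops: Set[str]) -> Set[str]:
    """An undivided write right implies every element-level operation."""
    eff = set(ops)
    if "w" in eff:
        eff |= {"add", "delete", "modify"}
    return eff


def apply_request(token: str, value: List[str], request: dict) -> List[str]:
    """Apply one request to the current list under the token and return the new value.
    request: {"op": "read"} | {"op": "add"|"delete", "element": x}
             | {"op": "modify", "element": old, "new": new}"""
    op = request["op"]
    if op not in ("read", "add", "delete", "modify"):
        raise ValueError(f"unknown op {op!r}")
    ops = effective_ops(GRANTS[token])
    needed = "r" if op == "read" else op
    if needed not in ops:
        raise Forbidden(f"{token} may not {op} (holds {sorted(ops)})")
    new = list(value)
    if op == "add":
        if request["element"] in new:
            raise ValueError("duplicate element")
        new.append(request["element"])
    elif op == "delete":
        new.remove(request["element"])
    elif op == "modify":
        new[new.index(request["element"])] = request["new"]
    return new
```

Note that the guest token allows enrolling a fingerprint without being able to read the list or remove entries, which is the least-privilege shape the door-lock scenario asks for; a plain write right would have granted all three element operations at once.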
Alternatively, the token for accessing other devices and the token for controlling access rights of itself may be stored separately on the device. The storage can also be combined, and an identification is added for each token to distinguish.
1.3 Authority Range expansion
1.3.1 Cross-device service level token
Optionally, to meet the requirement of accessing similar or related restricted services of multiple devices at the same time (e.g., turning on the switches of multiple air conditioners at the same time and setting the target temperature of the air conditioners), the authority range of a service level token may be extended to multiple devices instead of being limited to only one device. For example, in the foregoing example, the user may set a service level token T7 for S2 of device A and S4 of device B, and the permission range of T7 may be expressed as JSON:
[Figure PCTCN2020139575-APPB-000013 and Figure PCTCN2020139575-APPB-000014: the JSON permission range of T7, reproduced as images in the original document]
1.3.2 Cross-service Attribute level token
Alternatively, to meet the requirement of accessing similar or related restricted properties/methods/events of a device at the same time (e.g., setting a temperature while opening a switch of an air conditioner), the scope of authority of a token of a property level may be extended to multiple services of a device instead of being limited to only one service. For example, in the foregoing example, the user may set an attribute level token T8 for C6 and C7 of device B, and the permission range of T8 may be expressed as JSON:
[Figure PCTCN2020139575-APPB-000015: the JSON permission range of T8, reproduced as an image in the original document]
1.3.3 Cross-device Attribute level token
Optionally, to meet the requirement of accessing similar or related limited attributes/methods/events of multiple devices at the same time (e.g. turning on the switches of multiple air conditioners at the same time, acquiring the current temperature of the temperature sensor, and setting the target temperature of the air conditioner), the authority range of the token of the attribute level may be further extended to multiple devices, not limited to only one device. For example, in the foregoing example, the user may set an attribute level token T9 for C1 of device a and C6 and C7 of device B, and the permission range of T9 may be expressed as JSON:
[Figure PCTCN2020139575-APPB-000016 and Figure PCTCN2020139575-APPB-000017: the JSON permission range of T9, reproduced as images in the original document]
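As an added example that is not code from the patent, the following Python models the four token levels of this document and the permission ranges of section 1.3 as nested dictionaries in the shape of the patent's JSON, and decides whether a token authorizes a request, including the read/write and add/delete/modify distinctions of the door lock scenario above. The class names, field names, operation names and the sample lock and air conditioner data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical structures (not from the patent): a token with its level and permission range,
# and an access request from a master device to a controlled device.
@dataclass(frozen=True)
class Token:
    token_id: str
    level: str            # "account" | "device" | "service" | "attribute"
    account: str
    # Permission range nested like the patent's JSON: device -> service -> attribute -> ops.
    # account level: {}    device level: {dev: {}}    service level: {dev: {svc: {}}}
    # attribute level: {dev: {svc: {attr: {"read", "write", "add", "delete", "modify"}}}}
    scope: dict = field(default_factory=dict)

@dataclass(frozen=True)
class Request:
    account: str
    device: str
    service: str
    attribute: str
    op: str               # "read" | "write" | "add" | "delete" | "modify"

LIST_WRITE_OPS = {"add", "delete", "modify"}

def op_granted(granted: set, op: str) -> bool:
    """A full write grant (the page's T4) covers the split add/delete/modify
    operations on a list-valued attribute (the page's T5, T6, T7)."""
    return op in granted or (op in LIST_WRITE_OPS and "write" in granted)

def authorizes(token: Token, req: Request,
               restricted_services: set, restricted_attributes: set) -> bool:
    """Decide whether `token` permits `req`.
    restricted_services holds (device, service) pairs; restricted_attributes holds
    (device, service, attribute) triples. Account- and device-level tokens reach only
    unrestricted services and attributes; a service-level token reaches unrestricted
    attributes of the services it lists; an attribute-level token reaches exactly the
    attributes and operations it lists (restricted ones included)."""
    if token.account != req.account:
        return False
    svc_restricted = (req.device, req.service) in restricted_services
    attr_restricted = (req.device, req.service, req.attribute) in restricted_attributes
    if token.level == "account":
        return not svc_restricted and not attr_restricted
    if token.level == "device":
        return req.device in token.scope and not svc_restricted and not attr_restricted
    if token.level == "service":
        return req.service in token.scope.get(req.device, {}) and not attr_restricted
    if token.level == "attribute":
        ops = token.scope.get(req.device, {}).get(req.service, {}).get(req.attribute)
        return ops is not None and op_granted(ops, req.op)
    return False

# Constructed sample data: a door lock whose fingerprint list is a restricted attribute of a
# restricted service, plus two air conditioners (the page's door lock and air conditioner cases).
RESTRICTED_SERVICES = {("lock1", "fingerprint")}
RESTRICTED_ATTRIBUTES = {("lock1", "fingerprint", "fingerprints")}

OWNER = Token("T_owner", "attribute", "acctA",
              {"lock1": {"fingerprint": {"fingerprints": {"add", "delete"}}}})
CHILD = Token("T_child", "attribute", "acctA",
              {"lock1": {"fingerprint": {"fingerprints": {"read"}}}})
GUEST = Token("T_guest", "attribute", "acctA",
              {"lock1": {"fingerprint": {"fingerprints": {"add"}}}})
FULL_WRITE = Token("T4", "attribute", "acctA",
                   {"lock1": {"fingerprint": {"fingerprints": {"write"}}}})
ACCOUNT = Token("T_acct", "account", "acctA")
DEVICE_AC1 = Token("T_dev", "device", "acctA", {"ac1": {}})
LOCK_SERVICE = Token("T_svc", "service", "acctA", {"lock1": {"fingerprint": {}}})
# Cross-device attribute-level token in the pattern of the page's T9: the switch of both
# air conditioners plus the target temperature of ac2.
T9 = Token("T9", "attribute", "acctA",
           {"ac1": {"switch": {"on": {"write"}}},
            "ac2": {"switch": {"on": {"write"}}, "thermostat": {"target_temp": {"write"}}}})

def check(token, device, service, attribute, op, account="acctA"):
    """Convenience wrapper over authorizes() using the sample restriction sets."""
    return authorizes(token, Request(account, device, service, attribute, op),
                      RESTRICTED_SERVICES, RESTRICTED_ATTRIBUTES)

if __name__ == "__main__":
    for tok in (OWNER, CHILD, GUEST, FULL_WRITE):
        for op in ("read", "add", "delete", "modify"):
            print(tok.token_id, op, check(tok, "lock1", "fingerprint", "fingerprints", op))
```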
The user can create a token, update the validity period, authority range and token value of a token, delete a token, and share a token with other accounts and devices; the flows are as follows.
Specific examples of application scenarios of token creation, issuing, updating, deleting, sharing, etc. are described below. In the following application scenarios, the configuration device is taken to be a mobile phone application, the cloud device an access cloud, and the first device an IoT device (including a master device and/or a controlled device) as an example. The specific types of the configuration device, the cloud device and the first device are not limited.
2 Creation of multi-level access tokens
The creation and distribution flow of a multi-level access Token (Token) is described as follows:
2.1 Token issuing example 1 (cloud issues token to device)
The user issues a corresponding access token (token) to a device through a cloud platform (also called a cloud device, access cloud, etc.) by setting access rights on a device with user account login capability and an operation interface (such as a mobile phone application). The specific flow is as follows, see fig. 5:
S101 and S102, configuring the device to access the network. A user may configure an IoT (Internet of Things) device to access the network through a configuration device such as a mobile phone application.
S103, the equipment is accessed to the network for the first time.
S104, if no account-level token exists in the access cloud, an account-level token is generated and stored; if an account-level token already exists in the access cloud, S105 is executed directly to issue the account-level token to the device. Generally, when the device accesses the network for the first time, the access cloud has no account-level token; when the device accesses the network again, the access cloud may already have one.
S105, the access cloud issues the account-level token to the device.
S106, discovering the device. For example, IoT devices are discovered by the mobile phone application.
S107, selecting one or more controlled devices and/or one or more master control devices by a user through a mobile phone application.
S108, the mobile phone application sends the selected controlled equipment ID list and/or the master control equipment ID list to the access cloud.
S109, the access cloud generates a device-level token for the selected controlled device, and stores the token, a corresponding controlled device ID list and a corresponding master device ID list.
S110, the access cloud issues the device-level token to all selected controlled devices; and/or issues the device-level token and the controlled device ID list to the selected master devices.
S111, discovering devices and services. For example, the mobile phone application discovers services in IoT devices. In the embodiments of the present application, the service may also be referred to as a device service.
S112, selecting the controlled equipment and partial services of the equipment by the user through mobile phone application, and selecting one or more main control equipment.
S113, the mobile phone application sends the selected controlled equipment ID and the service name list to the access cloud, and/or sends the selected main control equipment ID list to the access cloud.
S114, the access cloud generates a service level token for the controlled device, and stores the token and at least one of a corresponding controlled device ID, a device service name list and a main control device ID list.
S115, the access cloud sends the service level token and the service name list to the controlled device, and sends the service level token, the service name list and the ID of the controlled device to the selected master control device.
S116, discovering devices, services, attributes, methods and events. For example, IoT devices, the services in the devices, and the attributes, methods and events in the services are discovered by the mobile phone application. In the embodiments of the present application, the attribute may also be referred to as a device attribute.
S117, a user selects the controlled device and part of attributes (distinguishing reading and writing)/methods/events of the device through mobile phone application, and/or selects one or more main control devices.
S118, the mobile phone application sends the controlled device ID, the service name, the attribute (distinguishing reading and writing)/the method/event name list and/or the main control device ID list to the access cloud.
S119, the access cloud generates an attribute level token for the controlled device, stores the token and a corresponding controlled device ID, a service name, an attribute (read and write distinction)/method/event name list and a main control device ID list.
S120, the access cloud issues the attribute level token, the service name and the attribute (read/write distinction)/method/event name list to the controlled device; and issues the attribute level token, the controlled device ID, the service name and the attribute (read/write distinction)/method/event name list to the selected master control device.
In this example, the step of issuing access tokens at the account level, device level, service level, attribute level, is not timing limited, nor does it need to be performed in its entirety. The step of issuing access tokens of any one or more levels may be performed only according to specific requirements.
2.2 Token issuing example 2 (mobile phone application issues token to device)
A user account login capable device (e.g., a mobile phone application) issues an access token to an application terminal (smart device). The specific flow is as follows, see fig. 6:
S201 to S209 may refer to the description of S101 to S109 in token issuing example 1 above, and are not described here.
S210, the access cloud returns a device-level token to the mobile phone application.
S211, the mobile phone application issues a device-level token to all selected controlled devices; and issuing a device-level token and a controlled device ID list to the selected master control device.
S212 to S215 may refer to the description of S111 to S114 in the above issued token example 1, and are not described herein.
S216, the access cloud returns a service level token to the mobile phone application.
S217, the mobile phone application transmits the service level token and the service name list to the controlled equipment, and transmits the service level token, the service name list and the ID of the controlled equipment to the selected main control equipment.
S218 to S221 may refer to the description of S116 to S119 in token issuing example 1 above, and are not described here.
S222, the access cloud returns an attribute level token to the mobile phone application.
S223, the mobile phone application transmits an attribute level token, a service name and an attribute (read/write distinction)/method/event name list to the controlled equipment, and transmits an attribute level token, a controlled equipment ID, a service name and an attribute (read/write distinction)/method/event name list to the selected main control equipment.
In this example, the step of issuing access tokens at the account level, device level, service level, attribute level, is not timing limited, nor does it need to be performed in its entirety. The step of issuing access tokens of any one or more levels may be performed only according to specific requirements.
2.3 Token issuing example 3 (device actively requests a token)
If the device needs to access the opposite terminal device, but it is checked that the device has no corresponding access right, the device may acquire the corresponding access token by sending a request to the access cloud to acquire the authorization of the user.
Optionally, in this example, the step in which the access cloud issues the token to the device may also be performed by the access cloud issuing the token to the mobile phone application, which forwards it to the device (as in token issuing example 2). The specific flow is as follows, see fig. 7.
S301 to S305 may refer to the description related to S101 to S105 in the above token issuing example 1, and will not be described herein.
S306, the IoT device sends a controlled device ID list to the access cloud, requesting a device-level token.
S307, the access cloud sends the controlled device ID list to the mobile phone application and requests the user's authorization.
S308, user authorization. For example, the user may choose whether to request the device level token in a cell phone application. If so, the user confirms the authorization.
S309, the mobile phone application sends the user-confirmed controlled device ID list and/or master control device ID to the access cloud, confirming the authorization.
S310, the access cloud generates a device-level token for the selected controlled devices if none is stored, or updates the stored one, and stores the token together with the corresponding controlled device ID list and master device ID list.
S311, the access cloud issues the device-level token to all confirmed controlled devices, and issues the device-level token and the controlled device ID list to the confirmed master control devices.
S312, the IoT device sends the controlled device ID and the list of device service names to the access cloud, requesting a service level token.
S313, the access cloud sends the controlled device ID and the device service name list to the mobile phone application and requests the user's authorization.
S314, user authorization. For example, the user may select whether to request the service level token in a cell phone application. If so, the user confirms the authorization.
S315, the mobile phone application sends the user-confirmed controlled device ID, service name list and master control device ID to the access cloud, confirming the authorization.
S316, the access cloud generates a service level token for the controlled device if none is stored, or updates the stored one, and stores the token together with the corresponding controlled device ID, service name list and master control device ID list.
S317, the access cloud sends the service level token and the service name list to the confirmed controlled devices; and issues the service level token, the service name list and the controlled device ID to the confirmed master control devices.
S318, the IoT device sends the controlled device ID, the service name and the attribute (read/write distinction)/method/event name list to the access cloud, requesting an attribute level token.
S319, the access cloud sends the controlled device ID, the service name, the attribute (read/write distinction)/method/event name list and the master control device ID to the mobile phone application and requests the user's authorization.
S320, user authorization. For example, the user may select whether to request the attribute level token in a cell phone application. If so, the user confirms the authorization.
S321, the mobile phone application sends the user-confirmed controlled device ID, service name, attribute (read/write distinction)/method/event name list and master control device ID to the access cloud, confirming the authorization.
S322, the access cloud generates an attribute level token for the controlled device if none is stored, and stores it; if one is stored, it updates the token and the corresponding controlled device ID, service name, attribute (read/write distinction)/method/event name list and master device ID list.
S323, the access cloud issues the attribute level token, the service name and the attribute (read/write distinction)/method/event name list to the confirmed controlled devices; and issues the attribute level token, the controlled device ID, the service name and the attribute (read/write distinction)/method/event name list to the confirmed master devices.
In this example, the step of issuing access tokens at the account level, device level, service level, attribute level, is not timing limited, nor does it need to be performed in its entirety. The step of issuing access tokens of any one or more levels may be performed only according to specific requirements.
3 Update of multi-level access tokens
The update (at least one of validity period, authority range, and Token value) and distribution flow of the multi-level access Token (Token) are described as follows:
3.1 Update token example 1 (cloud updates token on device); the specific flow is as follows, see fig. 8:
S401, the mobile phone application acquires all token information under the account from the access cloud, or acquires the related token information according to the related device ID.
S402, a user can select one token from tokens displayed in mobile phone application, and the content to be modified is determined, for example: at least one of its validity period, scope of authority, token value is modified.
S403, the mobile phone application sends an access token identification token ID and modified content, such as at least one of a modified token validity period, a permission range and a token value, to the access cloud.
S404, the access cloud caches original information of the token corresponding to the token ID.
S405, the access cloud updates at least one of the corresponding token validity period, the corresponding authority range and the corresponding token value according to the token ID.
S406, the access cloud issues updated token information to all devices (main control devices and/or controlled devices) related to the token. For example, if a device is removed from the list, the device is notified to delete the token; if a certain device is newly added into the list, the token is newly issued to the device; if a device is already in the original list, the device is informed to update the token information.
In this example, the purpose of caching the token's original information may include: determining whether a device (master device and/or controlled device) is removed from or newly added to the list; and retransmitting the update message when the access cloud fails to update the token on a device (e.g., the device is briefly offline).
3.2 Update token example 2 (mobile phone updates token on device); the specific flow is as follows, see fig. 9:
In this example, S501 and S502 may refer to S401 and S402 in update token example 1.
S503, the mobile phone application caches the original information and the modified information of the token.
S504, the mobile phone application sends an access token identification token ID and modified content, such as at least one of a modified token validity period, a permission range and a token value, to the access cloud.
S505, the access cloud updates at least one of the corresponding token validity period, the corresponding authority range and the corresponding token value according to the token ID.
S506, the cloud end change is successful. The access cloud can send a message that the token is successfully updated in the cloud to the mobile phone application.
S507, the mobile phone application can send updated token information to all devices (master control and controlled) related to the token. For example, if a device is removed from the list, the device is notified to delete the token; if a certain device is newly added into the list, the token is newly issued to the device; if a device is already in the original list, the device is informed to update the token information.
In this example, the purpose of caching the token's original information may include: determining whether a device (master device and/or controlled device) is removed from or newly added to the list; and having the mobile phone application retransmit the update message when updating the token on a device fails (e.g., the device is briefly offline).
4 Deletion of multi-level access tokens
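The two uses of the cached original information in 3.1 and 3.2, deciding per device whether to delete, newly issue or update the token and retrying devices that were briefly offline, as an added Python example that is not the patent's own code. The record and message layouts, the retry limit and the sample devices are assumptions constructed here.

```python
from dataclasses import dataclass

# Hypothetical record shape (not from the patent): what the access cloud (3.1) or the mobile
# phone application (3.2) caches as the token's original information before applying a change.
@dataclass(frozen=True)
class TokenRecord:
    token_id: str
    value: str
    expires_at: int              # validity period as a Unix timestamp (assumed representation)
    scope: tuple                 # permission range, here a tuple of service names (assumed)
    master_ids: frozenset        # master control devices holding this token
    controlled_ids: frozenset    # controlled devices holding this token

    def devices(self) -> frozenset:
        return self.master_ids | self.controlled_ids

def plan_update(original: TokenRecord, updated: TokenRecord) -> dict:
    """Compare the cached original with the updated record and decide, per device, which of
    the three cases of S406/S507 applies: removed -> delete, newly added -> issue, kept -> update."""
    before, after = original.devices(), updated.devices()
    plan = {dev: "delete" for dev in before - after}
    plan.update({dev: "issue" for dev in after - before})
    plan.update({dev: "update" for dev in before & after})
    return plan

def build_message(action: str, updated: TokenRecord, device: str) -> dict:
    """Assumed message layout. Master devices additionally receive the controlled device ID
    list, mirroring the issuing steps S110 and S311."""
    msg = {"action": action, "token_id": updated.token_id}
    if action != "delete":
        msg.update(token=updated.value, expires_at=updated.expires_at, scope=updated.scope)
        if device in updated.master_ids:
            msg["controlled_ids"] = sorted(updated.controlled_ids)
    return msg

def distribute(original: TokenRecord, updated: TokenRecord, send, max_attempts: int = 3):
    """Send the planned messages; `send(device, msg)` returns True on acknowledgement.
    Devices that do not acknowledge (for example briefly offline) are retried up to
    max_attempts times, which is why the original information stays cached until then."""
    plan = plan_update(original, updated)
    pending = dict(plan)
    for _ in range(max_attempts):
        for dev in list(pending):
            if send(dev, build_message(pending[dev], updated, dev)):
                del pending[dev]
        if not pending:
            break
    return plan, frozenset(pending)

class FlakyTransport:
    """Constructed stand-in for the channel to the devices: `offline_for` maps a device to the
    number of send attempts during which it stays offline."""
    def __init__(self, offline_for: dict):
        self.offline_for = dict(offline_for)
        self.delivered = []

    def send(self, device: str, msg: dict) -> bool:
        if self.offline_for.get(device, 0) > 0:
            self.offline_for[device] -= 1
            return False
        self.delivered.append((device, msg["action"]))
        return True

# Constructed sample: a service level token originally covering ac1 and ac2 is updated so that
# ac1 is removed, ac3 is added, a service is added to the range and the validity is extended.
ORIGINAL = TokenRecord("tok-svc-1", "v1", 1700000000, ("switch",),
                       frozenset({"phoneA"}), frozenset({"ac1", "ac2"}))
UPDATED = TokenRecord("tok-svc-1", "v2", 1800000000, ("switch", "thermostat"),
                      frozenset({"phoneA"}), frozenset({"ac2", "ac3"}))

def run_sample():
    """ac3 is offline for one attempt and then comes back; ac1 never answers (simulated)."""
    transport = FlakyTransport({"ac3": 1, "ac1": 99})
    plan, failed = distribute(ORIGINAL, UPDATED, transport.send)
    return plan, failed, transport.delivered

if __name__ == "__main__":
    print(run_sample())
```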
The deletion flow of the multi-level access Token (Token) is described as follows:
4.1 Delete token example 1 (cloud notifies device to delete token); the specific flow is as follows, see fig. 10:
S601, the mobile phone application acquires all token information under the account from the access cloud, or acquires the related token information according to the related device ID.
S602, a user can select one token from tokens displayed in the mobile phone application to request deletion.
S603, the mobile phone application can send a token ID of the access token to be deleted to the access cloud.
S604, the access cloud caches the information of the token corresponding to the token ID.
S605, the access cloud deletes the token information according to the token ID.
S606, the access cloud informs all devices (including a master device and/or a controlled device) related to the token to delete the token according to the token ID.
In this example, the purpose of caching the token's original information is to retransmit the deletion message when the access cloud fails to delete the token on a device (for example, the device is briefly offline).
4.2 Delete token example 2 (mobile phone notifies device to delete token); the specific flow is as follows, see fig. 11:
In this example, S701 and S702 may refer to S601 and S602 in delete token example 1.
S703, the mobile phone application caches the original information of the token.
S704, the mobile phone application can send a token ID of the access token to be deleted to the access cloud.
S705, the access cloud deletes the token information according to the token ID.
S706, deleting successfully. The access cloud may send a message to the mobile application that the token deletion was successful.
S707, the mobile phone application informs all devices (master control device and/or controlled device) related to the token to delete the token according to the token ID.
5 Sharing of multi-level access tokens
5.1 Sharing token example 1 (mobile phone application shares to other accounts on the same platform)
The mobile phone applications of user accounts A and B, and the devices under those accounts, all access the same cloud platform C1. The mobile phone application implements an interface to search for devices and an interface through which it can itself be found as a device (the account ID, or the MAC/IMEI of the mobile phone, may be used as the device ID of the mobile phone application). After the user, using the mobile phone application of account A, finds the mobile phone application of account B, one or more tokens under account A can be sent to the mobile phone application of account B, so that the mobile phone application of account B can also access the devices under account A. After finding the mobile phone application of account B in this way, the user can also request the application of account B to send one or more tokens under account B to the mobile phone application of account A, so that the mobile phone application of account A can also access the devices under account B. The token request and the token message may be transmitted directly between the mobile phone applications of accounts A and B via local communication. However, local communication cannot check the legitimacy of the account; to improve security, the messages can instead be relayed through cloud platform C1, which checks the legitimacy of the account and so provides higher security.
5.2 Sharing token example 2 (device shares to other accounts on the same platform)
User account A with device D1, and user account B with device D2, are connected to the same cloud platform C1. After the user, using the mobile phone application of account A, locally finds device D2 under account B, one or more tokens under account A may be sent to D2, so that D2 can also access the devices under account A. This method uses local communication; to improve security, the validity check can be performed by relaying through cloud platform C1, which provides higher security.
After the user, using the mobile phone application of account A, locally finds device D2 under account B, the control authority over D2 (or over more devices under the account B to which D2 belongs) can also be requested from cloud platform C1. Cloud platform C1 forwards the request to the application of account B to apply for B's authorization, and after B authorizes, cloud platform C1 sends one or more tokens under account B to the mobile phone application of A and/or the devices under account A, so that the mobile phone application of A and/or the devices under account A can access the devices under account B. This method achieves higher security by performing the validity check through the cloud platform.
5.3 Sharing token example 3 (mobile phone application shares to accounts on another platform)
User account A and device D1 are connected to cloud platform C1, and user account B and device D2 are connected to cloud platform C2. The mobile phone application implements an interface to search for devices and an interface through which it can itself be found as a device (the account ID, or the MAC/IMEI of the mobile phone, may be used as the device ID of the mobile phone application). After the user, using the mobile phone application of account A, finds the mobile phone application of account B, one or more tokens under account A can be sent to the mobile phone application of B, so that the mobile phone application of B can also access the devices under account A. After finding the mobile phone application of account B in this way, the user can also request the application of account B to send one or more tokens under account B to the mobile phone application of account A, so that the mobile phone application of account A can also access the devices under account B. The token request and the token message may be transmitted directly between the mobile phone applications of A and B via local communication. However, local communication cannot check the legitimacy of the account; to improve security, the messages can instead be relayed between cloud platform C1 and cloud platform C2, which check the legitimacy of the account and so provide higher security.
5.4 Sharing token example 4 (device shares to accounts on another platform)
User account A and device D1 are connected to cloud platform C1, and user account B and device D2 are connected to cloud platform C2. After the user, using the mobile phone application of account A, locally finds device D2 under account B, one or more tokens under account A may be sent to D2, so that D2 can also access the devices under account A. This method uses local communication; to improve security, the validity check can be performed by relaying through cloud platform C1, which provides higher security.
After the user, using the mobile phone application of account A, locally finds device D2 under account B, the control authority over device D2 (or over more devices under the account B to which device D2 belongs) may also be requested from cloud platform C1. Cloud platform C1 forwards the request to cloud platform C2, and cloud platform C2 forwards the request to the application of account B to apply for B's authorization. After account B authorizes, one or more tokens under account B are sent through cloud platform C2 to cloud platform C1, and C1 forwards them to the mobile phone application of A and/or the devices under account A, so that the mobile phone application of A and/or the devices under account A can also access the devices under account B. This method achieves higher security by performing the validity check through the cloud platforms.
According to the embodiments of the present application, by setting multi-level access tokens, the access rights of Internet of Things devices based on the OLA protocol can be controlled at a finer granularity, which improves the security of the system.
Fig. 12 is a schematic block diagram of a first device 400 according to an embodiment of the present application. The first device 400 may include:
a receiving unit 410, configured to receive at least one level of access token from the second device.
Optionally, in an embodiment of the present application, the at least one level of access token includes at least one of:
an account-level access token;
a device-level access token;
a service level access token;
attribute-level access token.
Optionally, in an embodiment of the present application, the service-level access token includes:
a service level access token for the same device;
a cross-device service level access token.
Optionally, in an embodiment of the present application, the attribute-level access token includes:
an access token at the attribute level of the same service;
an access token across attribute levels of a service;
an access token across attribute levels of a device.
Optionally, in an embodiment of the present application, the account-level access token is used to access at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of unrestricted service of the device under the same account.
Optionally, in an embodiment of the present application, the device-level access token is used to access at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of an unrestricted service of the same device or multiple devices under the same account.
Alternatively, in embodiments of the present application,
an access token at a service level of the same device for accessing at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of at least one restricted service of the same device;
an access token at a service level across devices is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of at least one restricted service of a plurality of devices.
Alternatively, in embodiments of the present application,
an access token of an attribute level of the same service is used to access at least one of a restricted attribute, a restricted method, and a restricted event of the same service of the same device;
an access token across attribute levels of a service is used to access at least one of a restricted attribute, a restricted method, and a restricted event of a plurality of services of the same device;
an access token across attribute levels of a device is used to access at least one of a restricted attribute, a restricted method, and a restricted event of a plurality of services of a plurality of devices.
Optionally, in an embodiment of the present application, the receiving unit is further configured to:
receiving a device-level access token from the second device in the case where the first device is a controlled device; or
receiving a device-level access token and a controlled device identification list from the second device in the case where the first device is a master device.
Optionally, in an embodiment of the present application, the receiving unit is further configured to:
receiving a service-level access token and a service name list from the second device in the case where the first device is a controlled device; or
receiving a service-level access token, a service name list and a controlled device identifier from the second device in the case where the first device is a master device.
Optionally, in an embodiment of the present application, the receiving unit is further configured to:
receiving an access token of an attribute level, a service name and attribute related information from the second device in the case where the first device is a controlled device; or
receiving a service-level access token, a service name, attribute related information and a controlled device identifier from the second device in the case where the first device is a master control device;
The attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
Optionally, in an embodiment of the present application, as shown in fig. 13, the first device 400 further includes:
a sending unit 420, configured to send a token issuing request to the second device.
Optionally, in an embodiment of the present application, the token issuing request includes one of:
a controlled device identification list, where the token issuing request is for requesting a device-level access token;
a controlled device identifier and a service name list, where the token issuing request is for requesting a service-level access token;
a controlled device identifier, a service name and attribute-related information, where the token issuing request is for requesting an attribute-level access token, and the attribute-related information comprises at least one of an attribute name list, the read and/or write operations corresponding to the attribute, the addition, deletion or modification of an attribute value, a method name list and an event name list.
Optionally, in an embodiment of the present application, the receiving unit is further configured to receive, from the second device, an identification of at least one level of access token that needs to be updated and the content that needs to be updated;
the first device further comprises:
an updating unit 430, configured to update the access token corresponding to the identification of the at least one level of access token that needs to be updated, based on the content that needs to be updated.
Optionally, in an embodiment of the present application, the receiving unit is further configured to receive, from the second device, an identification of at least one level of access token that needs to be deleted;
the first device further comprises:
a deleting unit 440, configured to delete the corresponding access token based on the identification of the at least one level of access token that needs to be deleted.
Optionally, in an embodiment of the present application, the second device is a configuration device or a cloud device.
Optionally, in an embodiment of the present application, the first device further includes a sharing unit, configured to perform at least one of the following sharing modes:
sharing at least one level of access token to configuration devices or Internet of Things devices bound to other accounts on the same platform;
sharing at least one level of access token, through the cloud device, to configuration devices or Internet of Things devices bound to other accounts on the same platform;
sharing at least one level of access token to configuration devices or Internet of Things devices bound to other accounts on different platforms;
sharing at least one level of access token, through the cloud device, to configuration devices or Internet of Things devices bound to other accounts on different platforms.
The first device 400 of the embodiment of the present application can implement the corresponding functions of the first device in the foregoing method embodiment. For the flow, functions, implementation and beneficial effects of each module (sub-module, unit or component, etc.) in the first device 400, refer to the corresponding description in the above embodiment of the method 40, which is not repeated here. It should be noted that the functions described for the respective modules (sub-modules, units or components, etc.) of the first device 400 in the embodiment of the present application may be implemented by different modules (sub-modules, units or components, etc.) or by the same module (sub-module, unit or component, etc.).
Fig. 14 is a schematic block diagram of a second device 500 according to an embodiment of the present application. The second device 500 may include:
a transmitting unit 510, configured to transmit at least one level of access token to the first device.
Optionally, in an embodiment of the present application, the at least one level of access token includes at least one of:
an account-level access token;
a device-level access token;
A service level access token;
attribute-level access token.
Optionally, in an embodiment of the present application, the service-level access token includes:
a service level access token for the same device;
a cross-device service level access token.
Optionally, in an embodiment of the present application, the attribute-level access token includes:
an access token at the attribute level of the same service;
an access token across attribute levels of a service;
an access token across attribute levels of a device.
Optionally, in an embodiment of the present application, the account-level access token is used to access at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of unrestricted service of the device under the same account.
Optionally, in an embodiment of the present application, the device-level access token is used to access at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of an unrestricted service of the same device or multiple devices under the same account.
Optionally, in an embodiment of the present application,
a service-level access token of the same device is used to access at least one of an unrestricted attribute, an unrestricted method and an unrestricted event of at least one restricted service of the same device;
a cross-device service-level access token is used to access at least one of an unrestricted attribute, an unrestricted method and an unrestricted event of at least one restricted service of a plurality of devices.
Optionally, in an embodiment of the present application,
an attribute-level access token of the same service is used to access at least one of a restricted attribute, a restricted method and a restricted event of the same service of the same device;
a cross-service attribute-level access token is used to access at least one of a restricted attribute, a restricted method and a restricted event of a plurality of services of the same device;
a cross-device attribute-level access token is used to access at least one of a restricted attribute, a restricted method and a restricted event of a plurality of services of a plurality of devices.
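The four token levels and their reach over restricted and unrestricted services and members, written out as a deny-by-default authorization check. This is an added example for this page, not code from the patent or its applicant: the `Level`, `Token`, `Device`, `Service` and `Member` types, the `authorize` and `scope_variant` functions, the constructed `FLEET` sample data and the operation names `read`, `write`, `call` and `subscribe` are all assumptions chosen for illustration. A token is checked in turn against the account, the controlled device list, the service name list and, at attribute level, the explicitly named attributes, methods and events together with the operations granted on them; the same-device / cross-device and same-service / cross-service variants named on the page fall out of the cardinality of those lists.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    ACCOUNT = "account"
    DEVICE = "device"
    SERVICE = "service"
    ATTRIBUTE = "attribute"


@dataclass(frozen=True)
class Member:
    """An attribute, method or event exposed by a service."""
    kind: str                  # "attribute", "method" or "event"
    restricted: bool = False   # restricted members need an attribute-level token


@dataclass
class Service:
    restricted: bool           # restricted services need a service- or attribute-level token
    members: dict[str, Member]


@dataclass
class Device:
    account: str
    services: dict[str, Service]


@dataclass(frozen=True)
class Token:
    """Scope carried by one access token (field layout is an assumption)."""
    level: Level
    account: str
    device_ids: frozenset[str] = frozenset()       # device/service/attribute level: controlled devices
    service_names: frozenset[str] = frozenset()    # service/attribute level: service name list
    attribute_names: frozenset[str] = frozenset()  # attribute level: attribute name list
    attribute_ops: frozenset[str] = frozenset()    # attribute level: operations granted, e.g. "read", "write"
    method_names: frozenset[str] = frozenset()     # attribute level: method name list
    event_names: frozenset[str] = frozenset()      # attribute level: event name list


def scope_variant(token: Token) -> str:
    """Name the same-device / cross-device and same-service / cross-service variants."""
    if token.level is Level.SERVICE:
        return "same-device service level" if len(token.device_ids) == 1 else "cross-device service level"
    if token.level is Level.ATTRIBUTE:
        if len(token.device_ids) > 1:
            return "cross-device attribute level"
        return "same-service attribute level" if len(token.service_names) == 1 else "cross-service attribute level"
    return f"{token.level.value} level"


def authorize(token: Token, fleet: dict[str, Device],
              device_id: str, service_name: str, member_name: str, op: str) -> bool:
    """Deny-by-default check of one operation against the token's level and scope lists."""
    device = fleet.get(device_id)
    if device is None or device.account != token.account:
        return False                      # every level is bound to one account
    service = device.services.get(service_name)
    member = service.members.get(member_name) if service else None
    if member is None:
        return False
    if token.level is Level.ACCOUNT:      # unrestricted members of unrestricted services, any device of the account
        return not service.restricted and not member.restricted
    if device_id not in token.device_ids:
        return False
    if token.level is Level.DEVICE:       # as account level, but only on the listed devices
        return not service.restricted and not member.restricted
    if service_name not in token.service_names:
        return False
    if token.level is Level.SERVICE:      # listed (possibly restricted) services, unrestricted members only
        return not member.restricted
    # attribute level: the member must be named explicitly, together with the operation granted on it
    if member.kind == "attribute":
        return member_name in token.attribute_names and op in token.attribute_ops
    if member.kind == "method":
        return member_name in token.method_names and op == "call"
    return member_name in token.event_names and op == "subscribe"


# Constructed sample fleet: one account, a lamp with an open and a restricted service, and a lock
# whose only service and all of its members are restricted.
FLEET = {
    "lamp-1": Device("acct-1", {
        "light": Service(False, {"brightness": Member("attribute")}),
        "firmware": Service(True, {"version": Member("attribute"),
                                   "update": Member("method", restricted=True)}),
    }),
    "lock-1": Device("acct-1", {
        "lock": Service(True, {"locked": Member("attribute", restricted=True),
                               "tamper": Member("event", restricted=True)}),
    }),
}
```

With this fleet an account-level token reaches `lamp-1/light/brightness` but not `lamp-1/firmware/version`, because the firmware service is restricted; a service-level token naming `firmware` reaches `version` but not the restricted `update` method; only an attribute-level token that names `locked` (with a `read` grant) or `tamper` reaches the lock. Every branch that is not explicitly granted returns `False`, which is the property a verifier on the controlled device should preserve when it maps these lists onto its own service model.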
Optionally, in an embodiment of the present application, the sending unit is further configured to:
send a service-level access token and a service name list to the first device in the case where the first device is a controlled device; or
send a service-level access token, a service name list and a controlled device identifier to the first device in the case where the first device is a master device.
Optionally, in an embodiment of the present application, the sending unit is further configured to:
send an attribute-level access token, a service name and attribute-related information to the first device in the case where the first device is a controlled device; or
send a service-level access token, a service name, attribute-related information and a controlled device identifier to the first device in the case where the first device is a master device;
where the attribute-related information comprises at least one of an attribute name list, the read and/or write operations corresponding to the attribute, the addition, deletion or modification of an attribute value, a method name list and an event name list.
Optionally, in an embodiment of the present application, as shown in fig. 15, the second device further includes:
a first receiving unit 520, configured to receive a token issuing request from the first device.
Optionally, in an embodiment of the present application, the token issuing request includes one of:
a controlled device identification list, where the token issuing request is for requesting a device-level access token;
a controlled device identifier and a service name list, where the token issuing request is for requesting a service-level access token;
a controlled device identifier, a service name and attribute-related information, where the token issuing request is for requesting an attribute-level access token, and the attribute-related information comprises at least one of an attribute name list, the read and/or write operations corresponding to the attribute, the addition, deletion or modification of an attribute value, a method name list and an event name list.
Optionally, in an embodiment of the present application, the sending unit is further configured to send, to the first device, an identification of at least one level of access token that needs to be updated and content that needs to be updated.
Optionally, in an embodiment of the present application, the sending unit is further configured to send an identification of at least one level of access token that needs to be deleted to the first device.
Optionally, in an embodiment of the present application, the second device is a cloud device.
Optionally, in an embodiment of the present application, the second device further includes a sharing unit, configured to perform at least one of the following sharing modes:
sharing at least one level of access token from the first device to a configuration device or an internet of things device bound to other accounts on the same platform as the first device;
sharing at least one level of access token from the first device to a configuration device or an internet of things device bound to other accounts on different platforms than the first device.
Optionally, in an embodiment of the present application, the second device further includes:
a second receiving unit 530, configured to receive the selected master device identification list and/or controlled device identification list from the configuration device;
a first generating unit 540, configured to generate a device-level access token, and to store the device-level access token together with the corresponding master device identification list and/or controlled device identification list.
Optionally, in an embodiment of the present application, the second device further includes:
a third receiving unit 550, configured to receive the selected master device identification list, controlled device identifier and service name list from the configuration device;
a second generating unit 560, configured to generate a service-level access token, and to store the service-level access token together with the corresponding master device identification list, controlled device identifier and service name list.
Optionally, in an embodiment of the present application, the second device further includes:
a fourth receiving unit 570, configured to receive the selected master device identification list, controlled device identifier, service name and attribute-related information from the configuration device, where the attribute-related information includes at least one of an attribute name list, the read and/or write operations corresponding to an attribute, the addition, deletion or modification of an attribute value, a method name list and an event name list;
a third generating unit 580, configured to generate an attribute-level access token, and to store the attribute-level access token together with the corresponding master device identification list, controlled device identifier, service name and attribute-related information.
Optionally, in an embodiment of the present application, the second device is a configuration device.
Optionally, in an embodiment of the present application, the sending unit is further configured to perform at least one of the following:
in response to a device selection operation, sending the selected master device identification list and/or controlled device identification list to the cloud device;
in response to a service selection operation, sending the selected master device identification list, controlled device identifier and service name list to the cloud device;
in response to an attribute selection operation, sending the selected master device identification list, controlled device identifier, service name and attribute-related information to the cloud device, where the attribute-related information comprises at least one of an attribute name list, the read and/or write operations corresponding to the attribute, the addition, deletion or modification of an attribute value, a method name list and an event name list.
Optionally, in an embodiment of the present application, the second device further includes a fifth receiving unit 590, configured to perform at least one of:
receiving a device-level access token from the cloud device;
receiving a service-level access token from the cloud device;
receiving an attribute-level access token from the cloud device.
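The cloud-side lifecycle described above, from the configuration device's selections to the per-role contents each device receives and the later update and delete messages, as one runnable example. It also covers the token issuing request contents listed earlier (device identification list for device level; controlled device identifier plus service name list for service level; controlled device identifier, service name and attribute-related information for attribute level). This is an added example, not code from the patent or its applicant: `CloudTokenService`, `TokenRecord`, `token_id`, the message field names and the storage layout are assumptions, as is the design choice to key storage by a SHA-256 digest of the token value so that update and delete requests name a token by digest rather than repeating the secret.

```python
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass, field

# Fields of the attribute-related information named on the page; anything else is rejected.
ATTRIBUTE_INFO_KEYS = {"attribute_names", "attribute_ops", "attribute_value_ops",
                       "method_names", "event_names"}
UPDATABLE_FIELDS = {"master_ids", "controlled_ids", "service_names", "attribute_info"}


@dataclass
class TokenRecord:
    """What the cloud stores beside an issued token (layout is an assumption)."""
    level: str                                  # "device", "service" or "attribute"
    master_ids: list[str]                       # selected master device identification list
    controlled_ids: list[str]                   # one entry for service/attribute level, a list for device level
    service_names: list[str] = field(default_factory=list)
    attribute_info: dict[str, list[str]] = field(default_factory=dict)


def token_id(token: str) -> str:
    """Identification used in update/delete messages: a digest, not the secret token value."""
    return hashlib.sha256(token.encode()).hexdigest()


class CloudTokenService:
    def __init__(self) -> None:
        self.store: dict[str, TokenRecord] = {}

    def _issue(self, record: TokenRecord) -> str:
        token = secrets.token_urlsafe(32)       # 256-bit random token value
        self.store[token_id(token)] = record    # only the digest is kept as the key
        return token

    def issue_device_level(self, master_ids: list[str], controlled_ids: list[str]) -> str:
        return self._issue(TokenRecord("device", list(master_ids), list(controlled_ids)))

    def issue_service_level(self, master_ids: list[str], controlled_id: str, service_names: list[str]) -> str:
        return self._issue(TokenRecord("service", list(master_ids), [controlled_id], list(service_names)))

    def issue_attribute_level(self, master_ids: list[str], controlled_id: str,
                              service_name: str, attribute_info: dict[str, list[str]]) -> str:
        unknown = set(attribute_info) - ATTRIBUTE_INFO_KEYS
        if unknown:
            raise ValueError(f"unknown attribute-related fields: {sorted(unknown)}")
        if not any(attribute_info.values()):
            raise ValueError("attribute-related information must name at least one item")
        return self._issue(TokenRecord("attribute", list(master_ids), [controlled_id],
                                       [service_name], dict(attribute_info)))

    def distribute(self, token: str) -> dict[str, dict]:
        """Message each device receives, keyed by device id: controlled devices get the token and
        its scope, master devices additionally get the controlled device identification."""
        rec = self.store[token_id(token)]
        base: dict = {"token": token}
        if rec.level == "service":
            base["service_names"] = rec.service_names
        elif rec.level == "attribute":
            base["service_name"] = rec.service_names[0]
            base["attribute_info"] = rec.attribute_info
        msgs = {cid: dict(base) for cid in rec.controlled_ids}
        for mid in rec.master_ids:
            m = dict(base)
            if rec.level == "device":
                m["controlled_device_ids"] = rec.controlled_ids
            else:
                m["controlled_device_id"] = rec.controlled_ids[0]
            msgs[mid] = m
        return msgs

    def update(self, tid: str, content: dict) -> dict | None:
        """Apply the updated content to the stored binding; returns the update message, or None if unknown."""
        rec = self.store.get(tid)
        if rec is None:
            return None
        unknown = set(content) - UPDATABLE_FIELDS
        if unknown:
            raise ValueError(f"fields not updatable: {sorted(unknown)}")
        for key, value in content.items():
            setattr(rec, key, value)
        return {"token_id": tid, "content": dict(content)}

    def revoke(self, tid: str) -> dict | None:
        """Drop the binding; returns the delete message, or None if the identification is unknown."""
        if self.store.pop(tid, None) is None:
            return None
        return {"token_id": tid}
```

Issuance is the only point at which the token value itself leaves the cloud; after that every message about the token (update, delete) refers to it by `token_id`, so a log of lifecycle traffic never contains the credential. Unknown identifications return `None` rather than raising, which keeps update and delete idempotent for retries.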
The second device 500 of the embodiment of the present application can implement the corresponding functions of the second device in the foregoing method embodiment. For the flow, functions, implementation and beneficial effects of each module (sub-module, unit or component, etc.) in the second device 500, refer to the corresponding description in the above embodiment of the method 50, which is not repeated here. It should be noted that the functions described for the respective modules (sub-modules, units or components, etc.) of the second device 500 in the embodiment of the present application may be implemented by different modules (sub-modules, units or components, etc.) or by the same module (sub-module, unit or component, etc.).
Fig. 16 is a schematic structural diagram of a communication device 600 according to an embodiment of the present application. The communication device 600 comprises a processor 610, which processor 610 may call and run a computer program from a memory to cause the communication device 600 to implement the methods in embodiments of the present application.
Optionally, the communication device 600 may further comprise a memory 620. The processor 610 may invoke and run a computer program from the memory 620 to cause the communication device 600 to implement the methods in the embodiments of the present application.
The memory 620 may be a separate device from the processor 610 or may be integrated into the processor 610.
Optionally, the communication device 600 may further include a transceiver 630, and the processor 610 may control the transceiver 630 to communicate with other devices; in particular, it may send information or data to other devices, or receive information or data sent by other devices. For example, the transceiver 630 may implement the functions of the receiving unit and the sending unit of the first device. For another example, the transceiver 630 may implement the functions of each receiving unit and the sending unit of the second device.
The transceiver 630 may include a transmitter and a receiver. The transceiver 630 may further include one or more antennas.
Optionally, the communication device 600 may be a second device in the embodiment of the present application, and the communication device 600 may implement a corresponding flow implemented by the second device in each method in the embodiment of the present application, which is not described herein for brevity.
Optionally, the communication device 600 may be a first device in the embodiments of the present application, and the communication device 600 may implement a corresponding flow implemented by the first device in each method in the embodiments of the present application, which is not described herein for brevity.
Fig. 17 is a schematic structural diagram of a chip 700 according to an embodiment of the present application. The chip 700 includes a processor 710, and the processor 710 may call and run a computer program from a memory to implement the methods of the embodiments of the present application.
Optionally, the chip 700 may also include a memory 720. The processor 710 may invoke and run a computer program from the memory 720 to implement the method performed by the first device or the second device in the embodiments of the present application.
The memory 720 may be a separate device from the processor 710 or may be integrated into the processor 710.
Optionally, the chip 700 may also include an input interface 730. The processor 710 may control the input interface 730 to communicate with other devices or chips, and in particular, may obtain information or data sent by other devices or chips.
Optionally, the chip 700 may further include an output interface 740. The processor 710 may control the output interface 740 to communicate with other devices or chips, and in particular, may output information or data to other devices or chips.
Optionally, the chip may be applied to the second device in the embodiment of the present application, and the chip may implement a corresponding flow implemented by the second device in each method in the embodiment of the present application, which is not described herein for brevity.
Optionally, the chip may be applied to the first device in the embodiment of the present application, and the chip may implement a corresponding flow implemented by the first device in each method in the embodiment of the present application, which is not described herein for brevity.
The chips applied to the second device and the first device may be the same chip or different chips.
It should be understood that the chips referred to in the embodiments of the present application may also be referred to as system-on-chip chips, or the like.
The processors mentioned above may be general-purpose processors, digital signal processors (DSP), field programmable gate arrays (FPGA), application specific integrated circuits (ASIC) or other programmable logic devices, transistor logic devices, discrete hardware components, etc. The general-purpose processor mentioned above may be a microprocessor or any conventional processor.
The memory mentioned above may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM).
It should be understood that the above memory is exemplary but not limiting; for example, the memory in the embodiments of the present application may be static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), direct Rambus RAM (DR RAM), and the like. That is, the memory in the embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
Fig. 18 is a schematic block diagram of a communication system 800 according to an embodiment of the present application. The communication system 800 includes a first device 810 and a second device 820.
The first device is configured to receive at least one level of access token from the second device.
The second device is configured to send at least one level of access token to the first device.
The first device 810 may be configured to implement the corresponding functionality implemented by the first device, e.g. the IoT device, in the above-described methods, and the second device 820 may be configured to implement the corresponding functionality implemented by the second device, e.g. the cloud device or the configuration device, in the above-described methods. For brevity, the description is omitted here.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that contains an integration of one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, hard disk or magnetic tape), an optical medium (e.g., a DVD) or a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions should be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (88)

  1. An access token processing method, comprising: the first device receives at least one level of access token from the second device.
  2. The method of claim 1, wherein the at least one level of access tokens comprises at least one of:
    An account-level access token;
    a device-level access token;
    a service level access token;
    attribute-level access token.
  3. The method of claim 2, wherein the service level access token comprises:
    a service level access token for the same device;
    a cross-device service level access token.
  4. The method of claim 2, wherein the attribute-level access token comprises:
    an access token at the attribute level of the same service;
    an access token across attribute levels of a service;
    an access token across attribute levels of a device.
  5. The method of claim 2, wherein the account-level access token is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of unrestricted services of devices under the same account.
  6. The method of claim 2, wherein the device-level access token is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of unrestricted services of the same device or multiple devices under the same account.
  7. The method of claim 3, wherein
    a service-level access token of the same device is used to access at least one of an unrestricted attribute, an unrestricted method and an unrestricted event of at least one restricted service of the same device;
    a cross-device service-level access token is used to access at least one of an unrestricted attribute, an unrestricted method and an unrestricted event of at least one restricted service of a plurality of devices.
  8. The method of claim 4, wherein
    an attribute-level access token of the same service is used to access at least one of a restricted attribute, a restricted method and a restricted event of the same service of the same device;
    a cross-service attribute-level access token is used to access at least one of a restricted attribute, a restricted method and a restricted event of a plurality of services of the same device;
    a cross-device attribute-level access token is used to access at least one of a restricted attribute, a restricted method and a restricted event of a plurality of services of a plurality of devices.
  9. The method of any of claims 1 to 8, wherein the first device receiving at least one level of access token from the second device further comprises:
    in the case where the first device is a controlled device, the first device receives a device-level access token from the second device; or
    in the case where the first device is a master device, the first device receives a device-level access token and a controlled device identification list from the second device.
  10. The method of any of claims 1 to 9, wherein the first device receiving at least one level of access token from the second device further comprises:
    in the case where the first device is a controlled device, the first device receives a service-level access token and a service name list from the second device; or
    in the case where the first device is a master device, the first device receives a service-level access token, a service name list and a controlled device identifier from the second device.
  11. The method of any of claims 1 to 10, wherein the first device receiving at least one level of access token from the second device further comprises:
    in the case where the first device is a controlled device, the first device receives an attribute-level access token, a service name and attribute-related information from the second device; or
    in the case where the first device is a master device, the first device receives a service-level access token, a service name, attribute-related information and a controlled device identifier from the second device;
    where the attribute-related information comprises at least one of an attribute name list, the read and/or write operations corresponding to the attribute, the addition, deletion or modification of an attribute value, a method name list and an event name list.
  12. The method of any one of claims 1 to 11, wherein the method further comprises:
    the first device sends a token issuing request to a second device.
  13. The method of claim 12, wherein the token issuing request comprises one of:
    a controlled device identification list, where the token issuing request is for requesting a device-level access token;
    a controlled device identifier and a service name list, where the token issuing request is for requesting a service-level access token;
    a controlled device identifier, a service name and attribute-related information, where the token issuing request is for requesting an attribute-level access token, and the attribute-related information comprises at least one of an attribute name list, the read and/or write operations corresponding to the attribute, the addition, deletion or modification of an attribute value, a method name list and an event name list.
  14. The method of any one of claims 1 to 13, wherein the method further comprises:
    the first device receives, from the second device, an identification of at least one level of access token that needs to be updated and the content that needs to be updated;
    the first device updates the access token corresponding to the identification of the at least one level of access token that needs to be updated, based on the content that needs to be updated.
  15. The method of any one of claims 1 to 14, wherein the method further comprises:
    the first device receives an identification of at least one level of access tokens to be deleted from the second device;
    the first device deletes the corresponding access token based on the identification of the access token of at least one level which needs to be deleted.
  16. The method of any one of claims 1 to 15, wherein the second device is a configuration device or a cloud device.
  17. The method of claim 16, wherein the method further comprises at least one of the following sharing modes:
    the first device shares at least one level of access token to configuration devices or Internet of Things devices bound to other accounts on the same platform;
    the first device shares at least one level of access token, through the cloud device, to configuration devices or Internet of Things devices bound to other accounts on the same platform;
    the first device shares at least one level of access token to configuration devices or Internet of Things devices bound to other accounts on different platforms;
    the first device shares at least one level of access token, through the cloud device, to configuration devices or Internet of Things devices bound to other accounts on different platforms.
  18. An access token processing method, comprising: the second device sends at least one level of access token to the first device.
  19. The method of claim 18, wherein the at least one level of access tokens comprises at least one of:
    an account-level access token;
    a device-level access token;
    a service level access token;
    attribute-level access token.
  20. The method of claim 19, wherein the service level access token comprises:
    a service level access token for the same device;
    a cross-device service level access token.
  21. The method of claim 19, wherein the attribute-level access token comprises:
    an access token at the attribute level of the same service;
    an access token across attribute levels of a service;
    an access token across attribute levels of a device.
  22. The method of claim 19, wherein the account-level access token is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of unrestricted services of devices under the same account.
  23. The method of claim 19, wherein the device-level access token is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of unrestricted services of the same device or multiple devices under the same account.
  24. The method of claim 20, wherein
    a service-level access token of the same device is used to access at least one of an unrestricted attribute, an unrestricted method and an unrestricted event of at least one restricted service of the same device;
    a cross-device service-level access token is used to access at least one of an unrestricted attribute, an unrestricted method and an unrestricted event of at least one restricted service of a plurality of devices.
  25. The method of claim 21, wherein
    an attribute-level access token of the same service is used to access at least one of a restricted attribute, a restricted method and a restricted event of the same service of the same device;
    a cross-service attribute-level access token is used to access at least one of a restricted attribute, a restricted method and a restricted event of a plurality of services of the same device;
    a cross-device attribute-level access token is used to access at least one of a restricted attribute, a restricted method and a restricted event of a plurality of services of a plurality of devices.
  26. The method of any of claims 18 to 25, wherein the second device sending at least one level of access token to the first device comprises:
    in the case where the first device is a controlled device, the second device sends a service-level access token and a service name list to the first device; or
    in the case where the first device is a master device, the second device sends a service-level access token, a service name list and a controlled device identifier to the first device.
  27. The method of any of claims 18 to 26, wherein the first device receiving at least one level of access token from the second device further comprises:
    in the case that the first device is a controlled device, the second device sends an attribute-level access token, a service name and attribute related information to the first device; or
    in the case that the first device is a master control device, the second device sends a service-level access token, a service name, attribute related information and a controlled device identifier to the first device;
    the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
  28. The method of any one of claims 18 to 27, wherein the method further comprises:
    the second device receives a token issuing request from the first device.
  29. The method of any of claims 18 to 28, wherein the token issuing request comprises one of:
    a controlled device identification list, the token issuing request being for requesting a device-level access token;
    a controlled device identifier and a service name list, the token issuing request being for requesting a service-level access token;
    a controlled device identification, a service name and attribute related information, the token issuing request being for requesting an attribute-level access token, wherein the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
  30. The method of any one of claims 18 to 29, wherein the method further comprises:
    the second device sends to the first device an identification of at least one level of access tokens that need to be updated and content that needs to be updated.
  31. The method of any one of claims 18 to 30, wherein the method further comprises:
    the second device sends to the first device an identification of at least one level of access tokens that need to be deleted.
  32. The method of any one of claims 18 to 31, wherein the second device is a cloud device.
  33. The method of claim 32, wherein the method further comprises at least one of the following sharing modes:
    the cloud device shares at least one level of access token from the first device to configuration devices or Internet of Things devices bound to other accounts on the same platform as the first device;
    the cloud device shares at least one level of access token from the first device to configuration devices or Internet of Things devices bound to other accounts on platforms different from that of the first device.
  34. The method of claim 32 or 33, wherein the method further comprises:
    the cloud device receives a selected main control device identification list and/or a controlled device identification list from configuration devices;
    and the cloud device generates a device-level access token and stores the device-level access token and a corresponding main control device identification list and/or a controlled device identification list.
  35. The method of any one of claims 32 to 34, wherein the method further comprises:
    the cloud device receives a selected main control device identification list, a controlled device identification and a service name list from configuration devices;
    and the cloud device generates a service-level access token and stores the service-level access token and a corresponding main control device identification list, a controlled device identification and a service name list.
  36. The method of any one of claims 32 to 35, wherein the method further comprises:
    the cloud device receives a selected main control device identification list, a controlled device identification, a service name and attribute related information from configuration devices, wherein the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to an attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list;
    and the cloud device generates an access token of an attribute level and stores the access token of the attribute level, a corresponding main control device identification list, a controlled device identification, a service name and attribute related information.
  37. The method of any of claims 18 to 31, wherein the second device is a configuration device.
  38. The method of claim 37, wherein the method further comprises at least one of:
    the configuration device, in response to a device selection operation, sends a selected main control device identification list and/or a controlled device identification list to the cloud device;
    the configuration device, in response to a service selection operation, sends a selected main control device identification list, a controlled device identification and a service name list to the cloud device;
    the configuration device, in response to an attribute selection operation, sends a selected main control device identification list, a controlled device identification, a service name and attribute related information to the cloud device, wherein the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
  39. The method of claim 37 or 38, wherein the method further comprises at least one of:
    the configuration device receives a device-level access token from the cloud device;
    the configuration device receives a service-level access token from the cloud device;
    the configuration device receives an access token from the cloud device at an attribute level.
  40. A first device, comprising: a receiving unit for receiving at least one level of access tokens from the second device.
  41. The first device of claim 40, wherein the at least one level of access token comprises at least one of:
    an account-level access token;
    a device-level access token;
    a service level access token;
    attribute-level access token.
  42. The first device of claim 41, wherein the service level access token comprises:
    a service level access token for the same device;
    a cross-device service level access token.
  43. The first device of claim 41, wherein the attribute-level access token comprises:
    an attribute-level access token of the same service;
    a cross-service attribute-level access token;
    a cross-device attribute-level access token.
  44. The first device of claim 41, wherein the account-level access token is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of unrestricted services of devices under the same account.
  45. The first device of claim 41, wherein the device-level access token is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of unrestricted services of the same device or a plurality of devices under the same account.
  46. The first device of claim 42, wherein,
    a service-level access token of the same device is used to access at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of at least one restricted service of the same device;
    a cross-device service-level access token is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of at least one restricted service of a plurality of devices.
  47. The first device of claim 43, wherein,
    an attribute-level access token of the same service is used to access at least one of a restricted attribute, a restricted method, and a restricted event of the same service of the same device;
    a cross-service attribute-level access token is used to access at least one of a restricted attribute, a restricted method, and a restricted event of a plurality of services of the same device;
    a cross-device attribute-level access token is used to access at least one of a restricted attribute, a restricted method, and a restricted event of a plurality of services of a plurality of devices.
  48. The first device of any of claims 40 to 47, wherein the receiving unit is further configured to:
    receive a device-level access token from the second device in the case that the first device is a controlled device; or
    receive a device-level access token and a controlled device identification list from the second device in the case that the first device is a master device.
  49. The first device of any of claims 40 to 48, wherein the receiving unit is further configured to:
    receive a service-level access token and a service name list from the second device in the case that the first device is a controlled device; or
    receive a service-level access token, a service name list and a controlled device identifier from the second device in the case that the first device is a master device.
  50. The first device of any of claims 40 to 49, wherein the receiving unit is further configured to:
    receive an attribute-level access token, a service name and attribute related information from the second device in the case that the first device is a controlled device; or
    receive a service-level access token, a service name, attribute related information and a controlled device identifier from the second device in the case that the first device is a master control device;
    the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
  51. The first device of any of claims 40 to 50, further comprising:
    a sending unit for sending a token issuing request to the second device.
  52. The first device of claim 51, wherein the token issuing request comprises one of:
    a controlled device identification list, the token issuing request being for requesting a device-level access token;
    a controlled device identifier and a service name list, the token issuing request being for requesting a service-level access token;
    a controlled device identification, a service name and attribute related information, the token issuing request being for requesting an attribute-level access token, wherein the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
  53. The first device of any of claims 40 to 52, wherein the receiving unit is further configured to receive, from the second device, an identification of at least one level of access token requiring updating and the content requiring updating;
    the first device further comprises:
    an updating unit for updating, based on the content requiring updating, the access token corresponding to the identification of the at least one level of access token requiring updating.
  54. The first device of any of claims 40 to 53, wherein the receiving unit is further configured to receive, from the second device, an identification of at least one level of access token requiring deletion;
    the first device further comprises:
    a deleting unit for deleting the corresponding access token based on the identification of the at least one level of access token requiring deletion.
  55. The first device of any of claims 40-54, wherein the second device is a configuration device or a cloud device.
  56. The first device of claim 55, wherein the first device further comprises a sharing unit configured to perform at least one of the following sharing modes:
    sharing at least one level of access token to configuration devices or Internet of Things devices bound to other accounts of the same platform;
    sharing at least one level of access token, through the cloud device, to configuration devices or Internet of Things devices bound to other accounts of the same platform;
    sharing at least one level of access token to configuration devices or Internet of Things devices bound to other accounts of different platforms;
    sharing at least one level of access token, through the cloud device, to configuration devices or Internet of Things devices bound to other accounts of different platforms.
  57. A second device, comprising: a sending unit for sending at least one level of access token to the first device.
  58. The second device of claim 57, wherein the at least one level of access tokens includes at least one of:
    an account-level access token;
    a device-level access token;
    a service level access token;
    attribute-level access token.
  59. The second device of claim 58, wherein the service level access token comprises:
    a service level access token for the same device;
    a cross-device service level access token.
  60. The second device of claim 58, wherein the attribute-level access token comprises:
    an attribute-level access token of the same service;
    a cross-service attribute-level access token;
    a cross-device attribute-level access token.
  61. The second device of claim 58, wherein the account-level access token is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of unrestricted services of devices under the same account.
  62. The second device of claim 58, wherein the device-level access token is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of unrestricted services of the same device or a plurality of devices under the same account.
  63. The second device of claim 59, wherein,
    a service-level access token of the same device is used to access at least one of an unrestricted attribute, an unrestricted method, and an unrestricted event of at least one restricted service of the same device;
    a cross-device service-level access token is used to access at least one of unrestricted attributes, unrestricted methods, and unrestricted events of at least one restricted service of a plurality of devices.
  64. The second device of claim 61, wherein,
    an attribute-level access token of the same service is used to access at least one of a restricted attribute, a restricted method, and a restricted event of the same service of the same device;
    a cross-service attribute-level access token is used to access at least one of a restricted attribute, a restricted method, and a restricted event of a plurality of services of the same device;
    a cross-device attribute-level access token is used to access at least one of a restricted attribute, a restricted method, and a restricted event of a plurality of services of a plurality of devices.
  65. The second device of any of claims 57 to 64, wherein the sending unit is further configured to:
    send a service-level access token and a service name list to the first device in the case that the first device is a controlled device; or
    send a service-level access token, a service name list and a controlled device identifier to the first device in the case that the first device is a master control device.
  66. The second device of any of claims 57 to 65, wherein the sending unit is further configured to:
    send an attribute-level access token, a service name and attribute related information to the first device in the case that the first device is a controlled device; or
    send a service-level access token, a service name, attribute related information and a controlled device identifier to the first device in the case that the first device is a master control device;
    the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
  67. The second device of any of claims 57 to 66, wherein the second device further comprises:
    a first receiving unit for receiving a token issuing request from the first device.
  68. The second device of any of claims 57 to 67, wherein the token issuing request comprises one of:
    a controlled device identification list, the token issuing request being for requesting a device-level access token;
    a controlled device identifier and a service name list, the token issuing request being for requesting a service-level access token;
    a controlled device identification, a service name and attribute related information, the token issuing request being for requesting an attribute-level access token, wherein the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
  69. The second device of any of claims 57 to 68, wherein the sending unit is further configured to send to the first device an identification of at least one level of access tokens requiring updating and content requiring updating.
  70. The second device of any of claims 57 to 69, wherein the sending unit is further configured to send to the first device an identification of at least one level of access tokens that need to be deleted.
  71. The second device of any of claims 57-70, wherein the second device is a cloud device.
  72. The second device of claim 71, wherein the second device further comprises a sharing unit configured to perform at least one of the following sharing modes:
    sharing at least one level of access token from the first device to a configuration device or an internet of things device bound to other accounts on the same platform as the first device;
    Sharing at least one level of access token from the first device to a configuration device or an internet of things device bound to other accounts on different platforms than the first device.
  73. The second device of claim 71 or 72, wherein the second device further comprises:
    a second receiving unit for receiving a selected main control device identification list and/or a controlled device identification list from the configuration device;
    a first generation unit for generating a device-level access token and storing the device-level access token and the corresponding main control device identification list and/or controlled device identification list.
  74. The second device of any of claims 71 to 73, wherein the second device further comprises:
    a third receiving unit for receiving a selected master device identifier list, a controlled device identifier and a service name list from the configuration device;
    a second generation unit for generating a service-level access token and storing the service-level access token and the corresponding main control device identification list, controlled device identification and service name list.
  75. The second device of any of claims 71 to 74, wherein the second device further comprises:
    a fourth receiving unit for receiving a selected master device identifier list, a controlled device identifier, a service name and attribute related information from the configuration device, wherein the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to an attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list;
    a third generation unit for generating an attribute-level access token and storing the attribute-level access token and the corresponding main control device identification list, controlled device identification, service name and attribute related information.
  76. The second device of any of claims 57-70, wherein the second device is a configuration device.
  77. The second device of claim 76, wherein the sending unit is further configured to perform at least one of:
    in response to a device selection operation, sending a selected main control device identification list and/or a controlled device identification list to the cloud device;
    in response to a service selection operation, sending a selected main control device identification list, a controlled device identification and a service name list to the cloud device;
    in response to an attribute selection operation, sending a selected main control device identification list, a controlled device identification, a service name and attribute related information to the cloud device, wherein the attribute related information comprises at least one of an attribute name list, a read and/or write operation corresponding to the attribute, an addition, deletion or modification of an attribute value, a method name list and an event name list.
  78. The second device of claim 76 or 77, wherein the second device further comprises a fifth receiving unit for performing at least one of:
    receiving a device-level access token from the cloud device;
    receiving a service-level access token from the cloud device;
    receiving an attribute-level access token from the cloud device.
  79. A first device, comprising: a processor and a memory for storing a computer program, the processor being for invoking and running the computer program stored in the memory to cause the first device to perform the method of any of claims 1 to 18.
  80. A second device, comprising: a processor and a memory for storing a computer program, the processor being for invoking and running the computer program stored in the memory to cause the second device to perform the method of any of claims 19 to 39.
  81. A chip, comprising: a processor for calling and running a computer program from a memory, causing a device on which the chip is mounted to perform the method of any one of claims 1 to 18.
  82. A chip, comprising: a processor for calling and running a computer program from a memory, causing a device on which the chip is mounted to perform the method of any of claims 19 to 39.
  83. A computer readable storage medium storing a computer program which, when executed by a device, causes the device to perform the method of any one of claims 1 to 18.
  84. A computer readable storage medium storing a computer program which, when executed by a device, causes the device to perform the method of any one of claims 19 to 39.
  85. A computer program product comprising computer program instructions for causing a computer to perform the method of any one of claims 1 to 18.
  86. A computer program product comprising computer program instructions for causing a computer to perform the method of any one of claims 19 to 39.
  87. A computer program which causes a computer to perform the method of any one of claims 1 to 18.
  88. A computer program which causes a computer to perform the method of any one of claims 19 to 39.
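The four token levels and the scope each grants (claims 22 to 25), together with token issuance, storage and deletion on the cloud-device side (claims 31 and 34 to 36), worked into a deny-by-default authorization check. This is an added Python example, not code from the patent or its applicant; the resource model, the "restricted" flags on services and their members, the operation names (read, write, invoke, subscribe) and the sample devices and identifiers are constructed assumptions.

```python
"""Hierarchical access-token scoping modelled on the four token levels of claims 41/58
and the scope rules of claims 22-25, 31 and 34-36.
Added illustration, not the patent's own code. Token scope fields follow the claims
(main control device list, controlled device list, service name list, attribute-related
information); the resource model, "restricted" flags and sample devices are constructed."""
from dataclasses import dataclass
from itertools import count

ACCOUNT, DEVICE, SERVICE, ATTRIBUTE = "account", "device", "service", "attribute"


@dataclass(frozen=True)
class Member:  # an attribute, method or event; claims 22-25 scope all three alike
    kind: str          # "attribute" | "method" | "event"
    restricted: bool


@dataclass(frozen=True)
class Service:
    restricted: bool
    members: dict      # member name -> Member


@dataclass(frozen=True)
class DeviceModel:
    account: str
    services: dict     # service name -> Service


@dataclass(frozen=True)
class Token:  # the token plus the scope the cloud device stores beside it (claims 34-36)
    token_id: str
    level: str
    account: str
    master_devices: frozenset = frozenset()      # main control device identification list
    controlled_devices: frozenset = frozenset()  # controlled device identification list
    services: frozenset = frozenset()            # service name list
    attribute_ops: frozenset = frozenset()       # {(attribute name, "read" | "write")}
    methods: frozenset = frozenset()             # method name list (operation "invoke")
    events: frozenset = frozenset()              # event name list (operation "subscribe")


class TokenStore:
    """Cloud-device side: generate, store, delete and check tokens (claims 31, 34-36)."""

    def __init__(self):
        self._tokens = {}
        self._ids = count(1)

    def issue(self, level, account, **scope):
        tok = Token(f"tok-{next(self._ids)}", level, account, **scope)
        self._tokens[tok.token_id] = tok
        return tok

    def delete(self, token_id):
        self._tokens.pop(token_id, None)  # afterwards the identifier is simply unknown

    def authorize(self, token_id, master, device, service, member, op, inventory):
        """Deny by default: may `master` perform `op` on device/service/member with this token?"""
        tok = self._tokens.get(token_id)
        dev = inventory.get(device) if tok else None
        if dev is None or dev.account != tok.account:
            return False
        if tok.master_devices and master not in tok.master_devices:
            return False
        svc = dev.services.get(service)
        mem = svc.members.get(member) if svc else None
        if mem is None:
            return False
        if tok.level == ACCOUNT:
            # Claim 22: unrestricted members of unrestricted services on any device of the account.
            return not svc.restricted and not mem.restricted
        if tok.level == DEVICE:
            # Claim 23: the same, but only on the listed controlled device(s).
            return device in tok.controlled_devices and not svc.restricted and not mem.restricted
        if device not in tok.controlled_devices or service not in tok.services:
            return False
        if tok.level == SERVICE:
            # Claim 24: unrestricted members of the listed (possibly restricted) services.
            return not mem.restricted
        if tok.level == ATTRIBUTE:
            # Claim 25: only the named restricted attributes/methods/events, with the granted operation.
            if mem.kind == "attribute":
                return (member, op) in tok.attribute_ops
            if mem.kind == "method":
                return op == "invoke" and member in tok.methods
            return op == "subscribe" and member in tok.events
        return False


# Constructed sample inventory: two devices under account "acct-A", one under "acct-B".
INVENTORY = {
    "lamp-1": DeviceModel("acct-A", {
        "switch": Service(False, {"on_off": Member("attribute", False)}),
        "firmware": Service(True, {"version": Member("attribute", False),
                                   "flash": Member("method", True)})}),
    "lock-1": DeviceModel("acct-A", {
        "lock": Service(True, {"state": Member("attribute", True), "unlock": Member("method", True),
                               "tampered": Member("event", True)})}),
    "cam-9": DeviceModel("acct-B", {"stream": Service(False, {"url": Member("attribute", False)})}),
}
```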
CN202080105407.4A 2020-12-25 2020-12-25 Access token processing method and equipment Pending CN116114219A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/139575 WO2022134059A1 (en) 2020-12-25 2020-12-25 Access token processing method and device

Publications (2)

Publication Number Publication Date
CN116114219A true CN116114219A (en) 2023-05-12
CN116114219A8 CN116114219A8 (en) 2023-08-01

Family

ID=82157149

Country Status (2)

Country Link
CN (1) CN116114219A (en)
WO (1) WO2022134059A1 (en)

Also Published As

Publication number Publication date
CN116114219A8 (en) 2023-08-01
WO2022134059A1 (en) 2022-06-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CI02 Correction of invention patent application
  Correction item: PCT international application to national stage day
  Correct: 2023.03.23
  False: 2023.03.21
  Number: 19-02
  Volume: 39
  Page: The title page