CN116232778B - Authority processing method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN116232778B
Application number: CN202310521351.6A
Authority: CN (China)
Prior art keywords: information, application, client, delegation, appointed
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN116232778A
Inventors: 杨万武, 丁龙, 程津运, 孙悦, 郭晓鹏
Current assignee: Beijing Trusfort Technology Co ltd
Original assignee: Beijing Trusfort Technology Co ltd
Events: application filed by Beijing Trusfort Technology Co ltd; priority to CN202310521351.6A; publication of CN116232778A; application granted; publication of CN116232778B; legal status active.

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/10  Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The application provides a permission processing method, a permission processing device, electronic equipment and a storage medium. The method comprises the following steps: receiving a delegation request of a first client to a second client based on a specified application, wherein the delegation request carries delegation information, and the delegation information comprises first client identification information, second client identification information and delegation authority information; and under a set condition, sending specified information to the specified application according to the delegation information, so that the specified application authorizes the second client according to the specified information, wherein the specified information comprises the delegation information or the delegation authority information. Therefore, the specified application authorizes the second client through the specified information sent by the platform, which is determined according to the delegation information sent by the first client, so that the authority granted to the second client is the authority delegated by the first client, fine-grained management and control of the authority is realized, and the security risk caused by the lack of authority control is avoided.

Description

Authority processing method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of information technologies, and in particular, to a method and apparatus for processing rights, an electronic device, and a storage medium.
Background
An application system usually has its own server and account system: if a user needs to access the application system, the user logs in through an account and a password, and can enter the system after the server authenticates the login.
If a system user needs to entrust another person to assist with business operations, the system user has to provide that person with the account and password; however, handing over the account and password directly delegates an excessively large scope of authority.
Disclosure of Invention
The embodiment of the application provides a permission processing method, a permission processing device, electronic equipment and a storage medium.
According to a first aspect of the present application, there is provided a rights handling method comprising: receiving a delegation request of a first client to a second client based on a specified application, wherein the delegation request carries delegation information, and the delegation information comprises first client identification information, second client identification information and delegation authority information; and under a set condition, sending specified information to the specified application according to the delegation information, so that the specified application authorizes the second client on the specified application according to the specified information, wherein the specified information comprises the delegation information or the delegation authority information.
According to an embodiment of the present application, before the receiving the delegation request from the first client to the second client based on the specified application, the method further includes: receiving application data sent by the appointed application, wherein the application data comprises application permission and application account information; and displaying operation options for initiating a delegation request according to the application permission and the application account information, so that a user initiates the delegation request according to the operation options, wherein the operation options comprise the appointed application and a delegation model corresponding to the appointed application.
According to an embodiment of the present application, the receiving a delegation request from a first client to a second client based on a specified application includes: receiving a platform login request of the first client, wherein the platform login request carries platform login information of the first client; and receiving a delegation request sent by the first client based on the delegation model of the specified application.
According to an embodiment of the present application, the sending, under the set condition, the specified information to the specified application according to the delegate information includes: receiving a first application login request sent by the second client, wherein the first application login request is used for requesting single sign-on of the appointed application through a platform, and the first application login request carries platform login information; determining the appointed information corresponding to the first client according to the platform login information and the delegate information, wherein the appointed information comprises first delegate authority information corresponding to the first client; and jumping to the appointed application and transmitting the first delegation authority information to the appointed application.
According to an embodiment of the present application, the sending, under the set condition, the specified information to the specified application according to the delegate information includes: receiving a specified information acquisition request sent by the specified application, wherein the specified information acquisition request carries first client identification information and second client identification information, the specified information acquisition request is sent by the specified application under the condition that a second application login request sent by the second client is received, and the second application login request carries the first client identification information and the second client identification information; determining the appointed information corresponding to the second client according to the first client identification information, the second client identification information and the entrusting information, wherein the appointed information comprises second entrusting authority information corresponding to the second client; and sending the second delegation authority information to the appointed application.
According to an embodiment of the present application, the sending, under the set condition, the specified information to the specified application according to the delegate information includes: and sending the appointed information to the appointed application through an API interface under the condition that the consignment information is received, wherein the appointed information is the consignment information.
According to an embodiment of the present application, the designating application authorizes the second client according to the designating information, including: receiving a third application login request of the second client, wherein the third application login request carries the first client identification information and the second client identification information; determining third delegated authority information corresponding to the second client according to the first client identification information, the second client identification information and the delegated information; and authorizing the second client according to the third delegation authority information.
According to a second aspect of the present application there is provided an entitlement processing device comprising a receiving module and a sending module, wherein the receiving module is used for receiving a delegation request of a first client to a second client based on a specified application, the delegation request carries delegation information, and the delegation information comprises first client identification information, second client identification information and delegation authority information; and the sending module is used for sending specified information to the specified application according to the delegation information under a set condition, so that the specified application authorizes the second client according to the specified information, and the specified information comprises the delegation information or the delegation authority information.
According to a third aspect of the present application, there is provided an electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the methods of the present application.
According to a fourth aspect of the present application there is provided a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of the present application.
The authority processing method of the embodiment of the application receives a delegation request of a first client to a second client based on a specified application, wherein the delegation request carries delegation information, and the delegation information comprises first client identification information, second client identification information and delegation authority information; and under a set condition, sending specified information to a specified application according to the entrusting information, so that the specified application authorizes the second client according to the specified information, wherein the specified information comprises the entrusting information or the entrusting authority information. Therefore, the appointed application authorizes the second client through the appointed information which is sent by the receiving platform and determined according to the entrusting information sent by the first client, and when the second client is authorized, the entrusting information entrusted by the first client through the platform is used, so that fine-grained management and control of the authority are realized, and the safety risk problem caused by the lack of authority control is avoided.
It should be understood that the teachings of the present application need not achieve all of the benefits set forth above, but rather that certain technical solutions may achieve certain technical effects, and that other embodiments of the present application may also achieve benefits not set forth above.
Drawings
The above, as well as additional purposes, features, and advantages of exemplary embodiments of the present application will become readily apparent from the following detailed description when read in conjunction with the accompanying drawings. Several embodiments of the present application are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
in the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
FIG. 1 illustrates a block diagram of a rights management system in accordance with an embodiment of the application;
FIG. 2 is a schematic diagram of an implementation flow of a rights processing method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an implementation flow of a specific information sending operation of the rights processing method according to an embodiment of the present application;
FIG. 4 is a schematic diagram showing a second implementation flow of the operation of sending the specified information in the rights processing method according to the embodiment of the present application;
FIG. 5 is a schematic diagram showing the configuration of a rights processing apparatus according to an embodiment of the present application;
fig. 6 shows a schematic diagram of a composition structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, features and advantages of the present application more comprehensible, the technical solutions according to the embodiments of the present application will be clearly described in the following with reference to the accompanying drawings, and it is obvious that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The technical scheme of the application is further elaborated below with reference to the drawings and specific embodiments.
FIG. 1 illustrates a block diagram of a rights processing system in accordance with an embodiment of the application.
The rights processing method of the embodiment of the application can be realized based on the rights processing system shown in figure 1. Referring to fig. 1, the rights processing system according to the embodiment of the present application includes a platform, a first client, a second client, and a specified application. A plurality of applications are registered in the platform, the application accounts of these applications can be delegated, and a user can initiate online delegation of an application account to the platform through the first client. The first client represents the client that the delegating user logs in to in order to delegate an application account, and the second client represents the client that the delegated user logs in to; through the network, the first client can send the platform a delegation request that delegates the application account of the specified application to the second client. The specified application is registered in the platform in advance so that the platform can provide the delegation function for its application accounts; the specified application may be an application program or an application system. A single sign-on protocol exists between the specified application and the platform so that a user can single sign on to the specified application through the platform; the single sign-on protocol can be CAS, OAuth, OIDC, SAML, JWT and the like.
The present application does not limit the clients: the client that the delegating user logs in to and the client that the delegated user logs in to may each be any client.
Fig. 2 shows a schematic implementation flow chart of the rights processing method according to the embodiment of the application.
Referring to fig. 2, based on the above rights processing system, an embodiment of the present application provides a rights processing method, which includes: an operation 201, receiving a delegation request of a first client to a second client based on a specified application, wherein the delegation request carries delegation information, and the delegation information comprises first client identification information, second client identification information and delegation authority information; in operation 202, under the set condition, according to the delegation information, the designation information is sent to the designation application, so that the designation application authorizes the second client according to the designation information, and the designation information includes delegation information or delegation authority information.
In operation 201, a request for delegation by a first client to a second client based on a specified application is received, the request for delegation carrying delegation information including first client identification information, second client identification information, and delegation authority information.
Specifically, the designated application is registered in the platform in advance, the platform provides a function of delegating an application account of the designated application, and when a delegation user needs to delegate the application account of the designated application, the delegation user initiates a delegation request for delegating the application account to a delegated user associated with the second client to the platform through the first client. The delegation request carries delegation information submitted by a delegation user, and the delegation information comprises first client identification information, second client identification information and delegation authority information. It should be noted that, the process of registering the designated application on the platform may refer to the conventional process of registering the application on the website or the system, which is not described herein.
The first client identification information may include the application account of the delegating user associated with the first client, where the application account is the account on the specified application that the delegating user needs to delegate. The second client identification information may be platform login information associated with the second client, or other information that can identify the delegated user. The delegation authority information indicates the authority on the specified application that the delegating user associated with the first client wants the second client to possess when the application account is delegated to the delegated user associated with the second client.
In operation 202, under the set condition, the specified information is sent to the specified application according to the delegated information, so that the specified application authorizes the second client according to the specified information, and the specified information includes the delegated information or the delegated authority information.
Specifically, after receiving the delegation information, the platform stores the delegation information, and when the second client needs to log in the appointed application, the appointed information is provided to the appointed application according to the delegation information, so that the appointed application completes the authorization of the second client according to the appointed information, and the login of the second client is completed.
Wherein the designation information may include delegation information or delegation authority information. The platform can determine the delegation authority information delegated to the second client by the first client according to the delegation information, and when receiving a request of the appointed application for the appointed information, send the delegation authority information to the appointed application so that the appointed application authorizes the second client according to the delegation authority information. Further, under the condition that the storage space of the designated application allows, when the platform receives the delegation request of the first client, the delegation information carried in the delegation request can be directly provided to the designated application at the first time after the delegation request is received, so that the designated application grants the right corresponding to the second client in the delegation information to the second client according to the delegation information.
Therefore, through the embodiment of the application, the entrusted user can submit the entrusted request to the platform through the first client, and submit specific entrusted information comprising the application account number, the second client identification information, the entrusted authority information and the like. Then, the platform may provide the designation information to the designation application according to the delegation information, and the designation application may authorize the second client according to delegation authority information in the designation information. In this way, in the process of delegation of the application account, delegation of both the application account and the password is not needed, fine-grained management and control of the authority are realized, and the safety risk problem caused by lack of authority control is avoided.
In an embodiment of the present application, before the above operation 201, application data sent by a specific application is further received, and an operation option for initiating a delegation request is displayed according to the application data, so that the first client initiates the delegation request according to the operation option. The application data comprises application permission and application account information, and the operation options comprise designated applications and delegation models corresponding to the designated applications.
Specifically, in the process of registering a specific application in the platform, the platform needs to be able to use application data of the specific application to provide a delegation function for the specific application according to the application data. The application data may be application account information already registered in the designated application, application rights supported by the designated application, and the like. After the platform receives the application data, the application data is stored in a database, wherein the platform also supports independent configuration of application rights and simultaneously supports visualization, deletion and modification of the application rights.
Further, the platform generates an operation option for initiating a delegation request of the specified application in the process of registering the specified application, and the first client can delegate an application account of the specified application through guidance of the operation option. The operation options can include a designated application and a delegation model corresponding to the designated application, and the platform configures the delegation model of the designated application according to the application data after receiving the application data of the designated application. The configuration delegation model may include a process of establishing a relationship of platform login information of the first client, first client identification information, delegation authority information, and the like, wherein the platform login information of the first client represents login information of a first client login platform.
Still further, after the platform registration of the designated application is successful, the platform displays the designated application and a delegation model corresponding to the designated application, wherein the delegation model is used for receiving input of delegation information.
Taking the appointed application as a financial system as an example, an application account number registered in the financial system is sent in the process of registering the financial system into a platform, and a plurality of application rights supported by the financial system, such as fund transfer, financial inquiry and the like, are sent. After the platform receives the related data sent by the financial system, the platform displays the financial system on the page and displays a delegation model of the financial system, and in the subsequent delegation process of the first client, delegation of an application account of the financial system can be performed based on the delegation model.
In an embodiment of the present application, the operation 201 specifically includes: and receiving a platform login request of the first client, and after determining that the first client logs in, receiving a delegation request sent by the first client based on a delegation model of a designated application. The platform login request of the first client carries platform login information of the first client.
Specifically, the first client performs platform login before initiating the delegation request based on the platform, and in the login process, platform login information is filled according to the login requirement of the platform, wherein the platform login information can comprise platform account password information or other forms of login information conforming to the platform login mode.
Further, the designated application and the delegation model of the designated application are displayed in the platform, and the delegation user associated with the first client can fill in delegation information based on the delegation model of the designated application, and the delegation request is initiated when the delegation information is filled in.
In this embodiment of the present application, the delegation model may include an application account number to be delegated by the first client, second client identification information of the second client to which the first client is to be delegated, and delegation authority information to which the second client is to be delegated.
Therefore, the appointed application of the embodiment of the application is registered in the platform, the platform can systematically provide the delegation of the application account number of the appointed application, the delegation user can finish the delegation of the application account number based on the platform, and the application account number and the authority are separated, so that the security is higher and the authority can be controlled in fine granularity compared with the existing mode of directly sharing the application account number and the password.
Fig. 3 is a schematic implementation flow diagram of a specific information sending operation of the rights processing method according to the embodiment of the present application.
In an embodiment of the present application, referring to fig. 3, the operation 202 of sending the specified information to the specified application according to the delegation information under the set condition may include: operation 301, receiving a first application login request sent by the second client, where the first application login request is used for requesting single sign-on to the specified application through the platform, and the first application login request carries platform login information; operation 302, determining, according to the platform login information and the delegation information, the specified information corresponding to the first client, the specified information including first delegation authority information corresponding to the first client; operation 303, jumping to the specified application and issuing the first delegation authority information to the specified application.
In operation 301, a first application login request sent by a second client is received, where the first application login request is used for requesting to designate an application through platform single sign-on, and the first application login request carries platform login information.
Specifically, a single sign-on protocol is established between the platform and the application. After the first client submits the delegation request, the second client can send the first application login request to the platform using the platform login information of the first client, so as to single sign on to the specified application through the platform. The platform login information comprises the information the first client used to log in to the platform when initiating the delegation request, such as platform account and password information or other login information conforming to the platform login mode. Because the platform stores a record of the first client's earlier login, when the second client logs in to the platform again by entering the platform login information of the first client, the platform authenticates the second client; the second client then does not need to be authenticated again by the specified application and can log in to the specified application directly through the single sign-on protocol.
In operation 302, designation information corresponding to a first client is determined based on platform login information and delegation information, the designation information including first delegation rights information corresponding to the first client.
Specifically, when the second client performs platform login by inputting the platform login information of the first client, the platform stores the delegation information of the first client, and can determine delegation information carried when the first client initiates a delegation request based on the platform login information of the first client.
Further, when the platform inquires the delegation information carried in the delegation request submitting process of the first client, the platform determines first delegation authority information of delegation of the first client to the second client from the delegation information, and determines the first delegation authority information as the appointed information.
In operation 303, the process jumps to the designated application and then issues the first delegated authority information to the designated application.
Specifically, once the first delegation authority information for the second client is determined, the platform completes the login of the second client to the specified application through the single sign-on protocol and issues the first delegation authority information along with it. When the specified application receives the first delegation authority information, it grants the first delegation authority information to the second client and completes the login of the second client.
Therefore, in the embodiment of the application, when the second client logs in to the specified application through platform single sign-on, the first delegation authority information delegated by the first client to the second client through the platform is issued. This avoids the problem that the second client possesses excessive authority when it logs in to the specified application with the application account and password of the specified application shared by the first client, and realizes fine-grained control of the authority.
Fig. 4 is a schematic diagram showing a second implementation flow of the operation of sending the specified information in the rights processing method according to the embodiment of the present application.
In an embodiment of the present application, referring to fig. 4, the step 202 of sending the designation information to the designated application according to the delegation information under the set condition may include: operation 401, receiving a designation information acquisition request sent by the designated application, where the designation information acquisition request carries first client identification information and second client identification information, is sent by the designated application when it receives a second application login request sent by the second client, and the second application login request carries the first client identification information and the second client identification information; operation 402, determining, according to the first client identification information, the second client identification information and the delegation information, designation information corresponding to the second client, the designation information including second delegation authority information corresponding to the second client; operation 403, sending the second delegation authority information to the designated application.
In operation 401, a designation information acquisition request sent by the designated application is received, where the designation information acquisition request carries first client identification information and second client identification information, is sent by the designated application when it receives a second application login request sent by the second client, and the second application login request carries the first client identification information and the second client identification information.
Specifically, the second client may log in to the designated application by sending a second application login request directly to the designated application. After the designated application receives the second application login request of the second client, it sends a designation information acquisition request to the platform according to the first client identification information and the second client identification information carried by the second application login request, and the platform receives that request. The second application login request carries first client identification information and second client identification information: the first client identification information represents the application account that the first client wishes to delegate, and the second client identification information represents the platform login information of the second client, comprising a platform account and a platform password.
In operation 402, designation information corresponding to the second client is determined according to the first client identification information, the second client identification information, and the delegation information, the designation information including second delegation authority information corresponding to the second client.
Specifically, the platform stores the delegation information when the first client performs delegation, and the platform matches the first client identification information and the second client identification information with the delegation information, so that the second delegation authority information of the second client can be determined.
For example, the platform saves the delegation information during the first client's delegation process, where the delegation information comprises first client identification information, second client identification information and delegation authority information. After receiving a designation information acquisition request sent by the designated application, the platform matches the first client identification information and the second client identification information carried by that request against the delegation information to obtain the second delegation authority information associated with both identifiers.
In operation 403, the second delegated authority information is sent to the designated application.
Specifically, after determining the second delegated authority information related to the second client, the platform sends the second delegated authority information to the designated application, so that the designated application gives the second delegated authority information to the second client to complete the login of the second client.
Therefore, in the embodiment of the application, under the condition that the second client directly requests to log in through the appointed application, all the authorities of the application are not directly endowed to the second client, and the second delegated authority information of the second client is acquired from the platform, so that fine granularity management and control of the authorities are realized, and the risk problem caused by overlarge authority possession of the second client is avoided.
In an embodiment of the present application, the step 202 of sending the designation information to the designated application according to the delegation information under the set condition may further include: after the platform receives the delegation request, sending the delegation information carried in the delegation request directly to the designated application through the API interface.
Specifically, after receiving the delegation request of the first client, the platform stores the delegation information carried by the request and sends the delegation information itself, as the designation information, directly to the designated application. In this way, when the second client requests login at the designated application, the designated application itself is able to determine the delegation authority information associated with the second client.
In this embodiment of the present application, the designated application may authorize the second client according to the designation information using the following operations: receiving a third application login request of a second client, and determining third delegated authority information corresponding to the second client according to the delegated information and the first client identification information and the second client identification information carried by the third application login request; and authorizing the second client according to the third delegation authority information.
Specifically, after receiving the delegation information sent by the platform, the designated application stores it. When it receives a third application login request from the second client, the designated application can determine the third delegation authority information related to the second client by parsing the first client identification information and second client identification information carried by the third application login request and matching them against the stored delegation information. After determining the third delegation authority information related to the second client, the designated application grants the third delegation authority information to the second client, completing the authorization and login of the second client. The first client identification information represents the application account that the first client wishes to delegate, and the second client identification information represents the platform account and password information of the second client, comprising the platform account and the platform password.
Therefore, after receiving the delegation request of the first client, the platform in the embodiment of the application sends delegation information to the appointed application under the condition that the appointed application allows, so that the appointed application has double capabilities of authority determination and endowment of the second client, the processing capabilities of the platform and the appointed application are fully considered, and the appointed application can grant the authority to the second client according to the delegation information.
According to the embodiment of the application, the delegating user submits a delegation request to the platform through the first client, and submits specific delegation information comprising an application account, second client identification information, delegation authority information and the like. The platform may then provide the designation information to the designated application according to the delegation information, and the designated application may authorize the second client according to the delegation authority information in the designation information. In this way, delegating an application account does not require handing over both the application account and its password; fine-grained management and control of rights is realized, the security risk caused by a lack of rights control is avoided, the different login modes by which the delegated user associated with the second client may log in to the designated application are fully considered, several schemes are designed to fit them, and user experience is improved.
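As an added illustration that is not part of the patent or the applicant's implementation, the following Python model shows a delegation store and the three authorization paths described above (single sign-on through the platform, operations 301-303; a direct login where the application queries the platform with both identifiers, operations 401-403; and delegation information pushed to the application over an API, resolved locally on the third application login request). All class names, accounts and rights are constructed assumptions, as is the choice to key the single sign-on path on the platform login information that submitted the delegation request.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Delegation:
    """Delegation information carried by the first client's delegation request."""
    first_client_id: str        # application account being delegated
    second_client_id: str       # delegatee's platform account
    rights: FrozenSet[str]      # delegation authority information


class Platform:
    def __init__(self) -> None:
        self.app_permissions: Dict[str, FrozenSet[str]] = {}   # application data
        self.app_accounts: Dict[str, FrozenSet[str]] = {}
        self.delegations: Dict[str, List[Delegation]] = {}
        # Assumed keying: platform login used when the delegation request was
        # submitted -> (application, delegation record) for the SSO path.
        self.login_delegations: Dict[str, Tuple[str, Delegation]] = {}

    def receive_application_data(self, app: str, permissions: Iterable[str], accounts: Iterable[str]) -> None:
        self.app_permissions[app] = frozenset(permissions)
        self.app_accounts[app] = frozenset(accounts)
        self.delegations.setdefault(app, [])

    def receive_delegation_request(self, app: str, platform_login: str, first_client_id: str,
                                   second_client_id: str, rights: Iterable[str]) -> Delegation:
        """Accept a delegation request; delegated rights must be a subset of the app's permissions."""
        rights = frozenset(rights)
        if first_client_id not in self.app_accounts.get(app, frozenset()):
            raise ValueError("unknown application account for %s" % app)
        if not rights <= self.app_permissions[app]:
            raise ValueError("delegated rights exceed the application's permissions")
        rec = Delegation(first_client_id, second_client_id, rights)
        self.delegations[app].append(rec)
        self.login_delegations[platform_login] = (app, rec)
        return rec

    # Operations 301-303: the designated app is reached through platform single sign-on.
    def sso_login(self, app: str, platform_login: str) -> FrozenSet[str]:
        """First delegation authority information to issue to the app; empty = no jump."""
        bound = self.login_delegations.get(platform_login)
        if bound is None or bound[0] != app:
            return frozenset()
        return bound[1].rights

    # Operations 401-403: the app asks the platform, carrying both identifiers.
    def lookup_delegation(self, app: str, first_client_id: str, second_client_id: str) -> FrozenSet[str]:
        for rec in self.delegations.get(app, []):
            if (rec.first_client_id, rec.second_client_id) == (first_client_id, second_client_id):
                return rec.rights
        return frozenset()  # no match: no rights, never the whole account

    # API-interface path: the delegation information itself is pushed to the app.
    def push_delegations(self, app: str) -> List[Delegation]:
        return list(self.delegations.get(app, []))


class DesignatedApplication:
    """A designated application that grants only delegated rights (assumed model)."""

    def __init__(self, name: str, permissions: Iterable[str], accounts: Iterable[str]) -> None:
        self.name = name
        self.permissions = frozenset(permissions)
        self.accounts = frozenset(accounts)
        self.local_delegations: List[Delegation] = []
        self.sessions: Dict[str, FrozenSet[str]] = {}  # second client -> granted rights

    def register_with(self, platform: Platform) -> None:
        platform.receive_application_data(self.name, self.permissions, self.accounts)

    def grant(self, second_client_id: str, rights: Iterable[str]) -> FrozenSet[str]:
        """Authorize the second client; an empty result means the login is refused."""
        granted = frozenset(rights) & self.permissions
        if granted:
            self.sessions[second_client_id] = granted
        return granted

    def login_via_sso(self, platform: Platform, platform_login: str, second_client_id: str) -> FrozenSet[str]:
        return self.grant(second_client_id, platform.sso_login(self.name, platform_login))

    def login_direct(self, platform: Platform, first_client_id: str, second_client_id: str) -> FrozenSet[str]:
        return self.grant(second_client_id,
                          platform.lookup_delegation(self.name, first_client_id, second_client_id))

    def receive_delegations(self, records: Iterable[Delegation]) -> None:
        self.local_delegations.extend(records)

    def login_local(self, first_client_id: str, second_client_id: str) -> FrozenSet[str]:
        """Third application login request: resolve rights from the stored delegation info."""
        for rec in self.local_delegations:
            if (rec.first_client_id, rec.second_client_id) == (first_client_id, second_client_id):
                return self.grant(second_client_id, rec.rights)
        return self.grant(second_client_id, frozenset())
```

In every path an unmatched pair of identifiers yields an empty grant rather than the delegating account's full permissions, and a delegation request naming rights outside the application's declared permissions is rejected when it is submitted.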
Fig. 5 shows a schematic structural diagram of an authority processing apparatus according to an embodiment of the present application.
Based on the above rights processing method, the present application also provides a rights processing device, where the device 50 includes: a receiving module 501, configured to receive a delegation request from a first client to a second client based on a specified application, where the delegation request carries delegation information, and the delegation information includes first client identification information, second client identification information, and delegation authority information; and the sending module 502 is configured to send the specified information to the specified application according to the delegated information under the set condition, so that the specified application authorizes the second client according to the specified information, where the specified information includes the delegated information or the delegated authority information.
According to an embodiment of the application, the device 50 further comprises: the data receiving module is used for receiving application data sent by a designated application, wherein the application data comprises application permission and application account information; the option generation module is used for displaying operation options for initiating the delegation request according to the application permission and the application account information, so that a user initiates the delegation request according to the operation options, and the operation options comprise a designated application and a delegation model corresponding to the designated application.
According to an embodiment of the present application, a receiving module includes: the first request receiving sub-module is used for receiving a platform login request of the first client, wherein the login request carries platform login information of the first client; and the second request receiving sub-module is used for receiving a delegation request sent by the first client based on a delegation model of the specified application.
According to an embodiment of the present application, the sending module includes: a third request receiving sub-module, configured to receive a first application login request sent by the second client, where the first application login request is used to request the designated application through platform single sign-on and carries the platform login information of the first client; a determining sub-module, configured to determine the designation information corresponding to the first client according to the platform login information and the delegation information, where the designation information includes first delegation authority information corresponding to the first client; and a jump sub-module, configured to jump to the designated application and transmit the first delegation authority information to the designated application.
According to an embodiment of the present application, the sending module includes: a fourth request receiving sub-module, configured to receive a designation information acquisition request sent by the designated application, where the designation information acquisition request carries first client identification information and second client identification information, is sent by the designated application when it receives a second application login request sent by the second client, and the second application login request carries the first client identification information and the second client identification information; an information determining sub-module, configured to determine the designation information corresponding to the second client according to the first client identification information, the second client identification information and the delegation information, where the designation information includes second delegation authority information corresponding to the second client; and a sending sub-module, configured to send the second delegation authority information to the designated application.
According to an embodiment of the present application, the sending module is configured to send the designation information to the designation application when the delegation information is received, where the designation information is the delegation information.
According to one embodiment of the present application, the designating application authorizes the second client according to the designating information, including: receiving a third application login request of the second client, wherein the third application login request carries the first client identification information and the second client identification information; determining third delegated authority information corresponding to the second client according to the first client identification information, the second client identification information and the delegated information; and authorizing the second client according to the third delegation authority information.
It should be noted that the description of the apparatus in the embodiment of the present application is similar to the description of the method embodiment above and has similar beneficial effects, and therefore is not repeated. The technical details of the rights processing apparatus provided in the embodiment of the present application may be understood with reference to the descriptions of any of fig. 1 to 4.
In the technical scheme of the application, the user involved is a virtual user or a user object with a network identifier. The login information, platform login information, first client identification information, second client identification information, delegation information, application data and other related data are all information of a network platform authorized by the user; the information is used only to provide more convenient service to the user within the specific platform and system the user has authorized, and its acquisition, use and processing comply with the relevant laws and regulations and do not violate public order and good customs.
According to an embodiment of the present application, the present application also provides an electronic device and a non-transitory computer-readable storage medium.
FIG. 6 shows a schematic block diagram of an example electronic device 60 that may be used to implement an embodiment of the application. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the applications described and/or claimed herein.
As shown in fig. 6, the electronic device 60 includes a computing unit 601 that can perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 602 or a computer program loaded from a storage unit 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the electronic device 60 can also be stored. The computing unit 601, ROM 602, and RAM 603 are connected to each other by a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
Various components in the electronic device 60 are connected to the I/O interface 605, including: an input unit 606 such as a keyboard, mouse, etc.; an output unit 607 such as various types of displays, speakers, and the like; a storage unit 608, such as a magnetic disk, optical disk, or the like; and a communication unit 609 such as a network card, modem, wireless communication transceiver, etc. The communication unit 609 allows the electronic device 60 to exchange information/data with other devices through a computer network, such as the internet, and/or various telecommunication networks.
The computing unit 601 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 601 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 601 performs the respective methods and processes described above, such as the authority processing method. For example, in some embodiments, the rights processing method may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 608. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 60 via the ROM 602 and/or the communication unit 609. When a computer program is loaded into the RAM 603 and executed by the computing unit 601, one or more steps of the rights handling method described above may be performed. Alternatively, in other embodiments, the computing unit 601 may be configured to perform the rights handling method by any other suitable means (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present application may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present application, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present application may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution disclosed in the present application can be achieved, and are not limited herein.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (7)

1. A rights handling method, the method comprising:
receiving application data sent by a designated application, wherein the application data comprises application permission and application account information;
according to the application permission and the application account information, displaying operation options for initiating a delegation request, so that a user initiates the delegation request according to the operation options, wherein the operation options comprise the appointed application and a delegation model corresponding to the appointed application;
receiving a delegation request of a first client to a second client based on a specified application, wherein the delegation request carries delegation information, and the delegation information comprises first client identification information, second client identification information and delegation authority information;
transmitting appointed information to an appointed application according to the entrusting information under a set condition, so that the appointed application authorizes the second client according to the appointed information, wherein the appointed information comprises the entrusting information or the entrusting authority information;
wherein, under the set condition, sending the specified information to the specified application according to the entrusting information comprises:
receiving a first application login request sent by the second client, wherein the first application login request is used for requesting single sign-on of the appointed application through a platform, and the first application login request carries platform login information;
determining the appointed information corresponding to the first client according to the platform login information and the delegate information, wherein the appointed information comprises first delegate authority information corresponding to the first client;
jumping to the appointed application and transmitting the first delegated authority information to the appointed application;
and sending the appointed information to the appointed application according to the delegation information under the set condition further comprises:
sending the appointed information to the appointed application through an API interface under the condition that the delegation information is received, wherein the appointed information is the delegation information.
2. The method of claim 1, wherein receiving a delegation request by the first client to the second client based on the specified application comprises:
receiving a platform login request of the first client, wherein the platform login request carries platform login information of the first client;
and receiving a delegation request sent by the first client based on the delegation model of the specified application.
3. The method according to claim 2, wherein said sending the designation information to the designation application based on the delegation information under the set condition includes:
receiving a specified information acquisition request sent by the specified application, wherein the specified information acquisition request carries first client identification information and second client identification information, the specified information acquisition request is sent by the specified application under the condition that a second application login request sent by the second client is received, and the second application login request carries the first client identification information and the second client identification information;
Determining the appointed information corresponding to the second client according to the first client identification information, the second client identification information and the entrusting information, wherein the appointed information comprises second entrusting authority information corresponding to the second client;
and sending the second delegation authority information to the appointed application.
4. The method of claim 1, wherein the designating application authorizes the second client according to the designating information, comprising:
receiving a third application login request of the second client, wherein the third application login request carries the first client identification information and the second client identification information;
determining third delegated authority information corresponding to the second client according to the first client identification information, the second client identification information and the delegated information;
and authorizing the second client according to the third delegation authority information.
5. A rights handling apparatus, the apparatus comprising:
the data receiving module is used for receiving application data sent by a designated application, wherein the application data comprises application permission and application account information;
The option generation module is used for displaying operation options for initiating a delegation request according to the application permission and the application account information, so that a user initiates the delegation request according to the operation options, wherein the operation options comprise the appointed application and a delegation model corresponding to the appointed application;
a receiving module, configured to receive a delegation request of a first client to a second client based on a specified application, wherein the delegation request carries delegation information, and the delegation information comprises first client identification information, second client identification information and delegation authority information;
a sending module, configured to send appointed information to the appointed application according to the delegation information under a set condition, so that the appointed application authorizes the second client according to the appointed information, wherein the appointed information comprises the delegation information or the delegation authority information;
wherein the sending module includes: a third request receiving sub-module, configured to receive a first application login request sent by the second client, wherein the first application login request is used for requesting the appointed application through platform single sign-on, and the first application login request carries platform login information of the first client; a determining sub-module, configured to determine the appointed information corresponding to the first client according to the platform login information and the delegation information, wherein the appointed information comprises first delegation authority information corresponding to the first client; and a jump sub-module, configured to jump to the appointed application and transmit the first delegation authority information to the appointed application;
the sending module is further configured to send the appointed information to the appointed application when the delegation information is received, wherein the appointed information is the delegation information.
6. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-4.
7. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1-4.
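The delegation-through-single-sign-on flow of claim 5, modelled as an added example (not code from the patent or its assignee): a platform stores delegation requests from a first client to a second client for a specified application and, when the second client's single-sign-on login request for that application carries the first client's platform login information, resolves the first delegation authority information and forwards only that on the jump. The class and function names, the `client_id` field of the platform login information, and the permission strings are assumptions.

```python
"""Added example of the claim-5 delegation flow; names and data shapes are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    """Delegation information carried by a delegation request."""
    first_client: str      # first client identification information (delegator)
    second_client: str     # second client identification information (delegate)
    app: str               # the specified application
    permissions: frozenset # delegation authority information


class DelegationPlatform:
    def __init__(self, app_permissions):
        # app -> client -> permissions the client holds directly on that app (assumed shape)
        self.app_permissions = app_permissions
        self.delegations = []

    def receive_delegation_request(self, first, second, app, permissions):
        """Receiving module: accept the request only if the delegator actually
        holds every permission it tries to delegate on that application."""
        held = self.app_permissions.get(app, {}).get(first, frozenset())
        requested = frozenset(permissions)
        if not requested <= held:
            raise PermissionError(f"{first} cannot delegate {sorted(requested - held)} on {app}")
        self.delegations.append(Delegation(first, second, app, requested))

    def handle_app_login(self, second, app, first_platform_login):
        """Sending module: on the second client's SSO login request for `app`
        carrying the first client's platform login information, determine the
        first delegation authority information and build the jump payload."""
        first = first_platform_login["client_id"]   # assumed field name
        matches = [d for d in self.delegations
                   if d.first_client == first and d.second_client == second and d.app == app]
        if not matches:
            return None  # set condition not met: no delegation for this pair and app
        permissions = frozenset().union(*(d.permissions for d in matches))
        # The application receives only the delegated authority, never the first
        # client's full permission set or its platform credentials.
        return {"jump_to": app, "acting_for": first, "delegate": second,
                "delegation_authority": sorted(permissions)}
```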
CN202310521351.6A 2023-05-10 2023-05-10 Authority processing method and device, electronic equipment and storage medium Active CN116232778B (en)

Publications (2)

Publication Number Publication Date
CN116232778A CN116232778A (en) 2023-06-06
CN116232778B true CN116232778B (en) 2023-09-12

Family

ID=86570094

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008299702A (en) * 2007-06-01 2008-12-11 Fuji Xerox Co Ltd Information processing program and information processing system
CN103685242A (en) * 2013-11-27 2014-03-26 国家电网公司 Electric power operation and maintenance security defending system
JP2015130028A (en) * 2014-01-07 2015-07-16 日本電気株式会社 Proxy log-in device, terminal, control method and program
CN109150804A (en) * 2017-06-16 2019-01-04 中兴通讯股份有限公司 Entrust login method, relevant device and computer readable storage medium
CN112529402A (en) * 2020-12-09 2021-03-19 杭州趣链科技有限公司 Task delegation method, system, device, equipment and storage medium
CN113519007A (en) * 2018-12-31 2021-10-19 贝宝公司 Credential storage manager for securing credentials during use of a delegated account

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130132232A1 (en) * 2009-04-22 2013-05-23 Florian Pestoni System And Method For Digital Rights Management With Delegated Authorization For Content Access
JP5623234B2 (en) * 2010-10-22 2014-11-12 キヤノン株式会社 Authority delegation system, authority delegation method, information processing apparatus, control method thereof, and program
DK2689372T3 (en) * 2011-03-25 2020-03-02 Thales Dis France Sa USER-TO-USER DELEGATION SERVICE IN A FEDERAL IDENTITY MANAGEMENT ENVIRONMENT
KR20150020350A (en) * 2013-08-12 2015-02-26 삼성전자주식회사 Apparatus and method for delegating a multimedia content in communication system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant