CN116248338A - Single sign-on authentication method, device and medium based on OAuth2.0 protocol

Info

Publication number
CN116248338A
Authority
CN (China)
Prior art keywords
authentication
login
application system
user
center
Legal status
Pending
Application number
CN202211669503.9A
Other languages
Chinese (zh)
Inventor
李元奎
张克玲
杨占晓
刘艳
史梦影
Current Assignee
Aisino Corp
Original Assignee
Aisino Corp

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                • H04L63/105 Multiple levels of security
        • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
            • H04L2463/082 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS › Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS › Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
        • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
            • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a single sign-on authentication method, device and medium based on the OAuth2.0 protocol. The method comprises the following steps: the user side initiates a login request to the application system, and the application system checks the login request; if the check passes, a redirection for authentication is sent to the authentication center, and the authentication center dynamically displays a single-factor or multi-factor login authentication page, or a secondary authentication page, to the user side according to the authentication mode and authentication security level configured for the application system; the user selects an authentication mode at the user side and authenticates, and login authentication is completed at the authentication center; and if the authentication passes, the user completes login to the application system at the user side.

Description

Single sign-on authentication method, device and medium based on OAuth2.0 protocol
Technical Field
The present invention relates to the field of login authentication technologies, and in particular to a single sign-on authentication method, device and medium based on the OAuth2.0 protocol.
Background
As each industry has become more informatized, application systems have been built up over the years. Because security was poorly understood when the early systems were built, and because the security requirements of the various systems are partly shared and partly specific, security handling has become complicated, and each application has ended up with its own security architecture and security policy. The main problems are as follows:
1. User identity authentication: the user must remember multiple user names and passwords for multiple systems and frequently confuses them, so most users either set the same password for all systems or write the passwords down on paper or in electronic documents, which increases the risk of password leakage.
2. Secure information sharing: when several business systems with heterogeneous authentication mechanisms cooperate to complete a task, authentication results cannot be passed between them, so users log in repeatedly and are authenticated frequently; authentication information is easily leaked or forgotten, and most people reuse the same account and password across the systems.
3. Authentication security: all business systems use account authentication, which offers lower security. Systems with higher security requirements can meet them only through customized development, and the more systems are customized, the greater the development workload and the higher the cost to the enterprise.
Disclosure of Invention
To address the defects of the prior art, the invention provides a single sign-on authentication method, device and medium based on the OAuth2.0 protocol.
According to one aspect of the present invention, there is provided a single sign-on authentication method based on the OAuth2.0 protocol, including:
the user side initiates a login request to the application system, and the application system checks the login request;
if the check passes, a redirection for authentication is sent to the authentication center, and the authentication center dynamically displays a single-factor or multi-factor login authentication page, or a secondary authentication page, to the user side according to the authentication mode and authentication security level configured for the application system;
the user selects an authentication mode at the user side and authenticates, and login authentication is completed at the authentication center;
and if the authentication passes, the user completes login to the application system at the user side.
Optionally, when the authentication passes, the user completing login to the application system at the user side includes:
when the authentication passes, the authentication center redirects back to the application system carrying the authorization code, and the redirect is returned to the user side;
the user side accesses the application system carrying the authorization code, and the application system obtains a user token from the authentication center using the authorization code;
the application system obtains the user information from the authentication center using the user token;
the application system completes login according to the user information returned by the authentication center.
Optionally, the method further comprises:
if the authentication does not pass, the authentication center returns an error prompt to the user side.
Optionally, the user selecting an authentication mode at the user side and completing login authentication at the authentication center includes:
after a single factor passes verification, judging from the settings of the authentication mode whether the whole login authentication is finished;
if the whole authentication is finished, creating a login state to complete login authentication; if other authentication factors still need to be checked, generating a random verification code, caching the authentication information of the current factor, and returning the random verification code from the authentication center to the login authentication page;
the login authentication page then displays the page of the next authentication factor, and the single-factor check rule is repeated until every factor in the authentication mode has been checked, whereupon a login state is created to complete login authentication.
Optionally, the authentication methods provided by the authentication center include five basic authentication factors: account and password authentication, short message (SMS) authentication, digital certificate authentication, collaborative signature authentication and face verification authentication; these factors can be freely combined to realize multi-factor authentication.
According to another aspect of the present invention, there is provided a single sign-on authentication apparatus based on the OAuth2.0 protocol, including:
a request module, used by the user side to initiate a login request to the application system, the application system checking the login request;
a sending module, used to send a redirection for authentication to the authentication center when the check passes, the authentication center dynamically displaying a single-factor or multi-factor login authentication page, or a secondary authentication page, to the user side according to the authentication mode and authentication security level configured for the application system;
a login authentication module, used by the user to select an authentication mode at the user side and authenticate, login authentication being completed at the authentication center;
and a login module, used by the user to complete login to the application system at the user side when the authentication passes.
According to a further aspect of the present invention there is provided a computer readable storage medium storing a computer program for performing the method according to any one of the above aspects of the present invention.
According to still another aspect of the present invention, there is provided an electronic device including: a processor; a memory for storing the processor-executable instructions; the processor is configured to read the executable instructions from the memory and execute the instructions to implement the method according to any of the above aspects of the present invention.
The single sign-on authentication method and device therefore spare staff from memorizing many user names and passwords, remove the repeated labor of authenticating separately to each of several application systems, improve working efficiency so that staff can devote more effort to business work, reduce the enterprise security risk caused by leaked staff passwords, and achieve one-time authentication for access to many business systems, genuinely improving office efficiency. The authentication center dynamically provides a range of authentication modes and authentication security levels as a service, so the different authentication requirements of each application system can be met, login authentication security and session information sharing security are strengthened, and the protection that traditional information security cannot provide is supplied.
Drawings
Exemplary embodiments of the present invention may be more completely understood in consideration of the following drawings:
FIG. 1 is a flow chart of a single sign-on authentication method based on the OAuth2.0 protocol according to an exemplary embodiment of the present invention;
FIG. 2 is another flow chart of a single sign-on authentication method based on the OAuth2.0 protocol according to an exemplary embodiment of the present invention;
FIG. 3 is a schematic diagram of the terminal flow of a single sign-on authentication method based on the OAuth2.0 protocol according to an exemplary embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a single sign-on authentication device based on the OAuth2.0 protocol according to an exemplary embodiment of the present invention;
FIG. 5 shows the structure of an electronic device provided in an exemplary embodiment of the present invention.
Detailed Description
Hereinafter, exemplary embodiments according to the present invention will be described in detail with reference to the accompanying drawings. It should be apparent that the described embodiments are only some embodiments of the present invention and not all embodiments of the present invention, and it should be understood that the present invention is not limited by the example embodiments described herein.
It should be noted that: the relative arrangement of the components and steps, numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless it is specifically stated otherwise.
It will be appreciated by those of skill in the art that the terms "first," "second," etc. in embodiments of the present invention are used merely to distinguish between different steps, devices or modules, etc., and do not represent any particular technical meaning nor necessarily logical order between them.
It should also be understood that in embodiments of the present invention, "plurality" may refer to two or more, and "at least one" may refer to one, two or more.
It should also be appreciated that any component, data, or structure referred to in an embodiment of the invention may be generally understood as one or more without explicit limitation or the contrary in the context.
In addition, the term "and/or" in the present invention merely describes an association between objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist together, or that B exists alone. In the present invention, the character "/" generally indicates that the objects before and after it are in an "or" relationship.
It should also be understood that the description of the embodiments of the present invention emphasizes the differences between the embodiments, and that the same or similar features may be referred to each other, and for brevity, will not be described in detail.
Meanwhile, it should be understood that the sizes of the respective parts shown in the drawings are not drawn in actual scale for convenience of description.
The following description of at least one exemplary embodiment is merely exemplary in nature and is in no way intended to limit the invention, its application, or uses.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but where appropriate, the techniques, methods, and apparatus should be considered part of the specification.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further discussion thereof is necessary in subsequent figures.
Embodiments of the invention are operational with numerous other general purpose or special purpose computing system environments or configurations with electronic devices, such as terminal devices, computer systems, servers, etc. Examples of well known terminal devices, computing systems, environments, and/or configurations that may be suitable for use with the terminal device, computer system, server, or other electronic device include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network personal computers, small computer systems, mainframe computer systems, and distributed cloud computing technology environments that include any of the foregoing, and the like.
Electronic devices such as terminal devices, computer systems, servers, etc. may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc., that perform particular tasks or implement particular abstract data types. The computer system/server may be implemented in a distributed cloud computing environment in which tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computing system storage media including memory storage devices.
Exemplary method
FIG. 1 is a flowchart of a single sign-on authentication method based on the OAuth2.0 protocol according to an exemplary embodiment of the present invention. The embodiment can be applied to an electronic device. As shown in FIG. 1, the single sign-on authentication method 100 based on the OAuth2.0 protocol includes the following steps:
step 101, the user side initiates a login request to the application system, and the application system checks the login request;
step 102, if the check passes, a redirection for authentication is sent to the authentication center, and the authentication center dynamically displays a single-factor or multi-factor login authentication page, or a secondary authentication page, to the user side according to the authentication mode and authentication security level configured for the application system;
step 103, the user selects an authentication mode at the user side and authenticates, and login authentication is completed at the authentication center;
step 104, if the authentication passes, the user completes login to the application system at the user side.
Optionally, when the authentication passes, the user completing login to the application system at the user side includes:
when the authentication passes, the authentication center redirects back to the application system carrying the authorization code, and the redirect is returned to the user side;
the user side accesses the application system carrying the authorization code, and the application system obtains a user token from the authentication center using the authorization code;
the application system obtains the user information from the authentication center using the user token;
the application system completes login according to the user information returned by the authentication center.
Optionally, the method further comprises:
if the authentication does not pass, the authentication center returns an error prompt to the user side.
Optionally, the user selecting an authentication mode at the user side and completing login authentication at the authentication center includes:
after a single factor passes verification, judging from the settings of the authentication mode whether the whole login authentication is finished;
if the whole authentication is finished, creating a login state to complete login authentication; if other authentication factors still need to be checked, generating a random verification code, caching the authentication information of the current factor, and returning the random verification code from the authentication center to the login authentication page;
the login authentication page then displays the page of the next authentication factor, and the single-factor check rule is repeated until every factor in the authentication mode has been checked, whereupon a login state is created to complete login authentication.
Optionally, the authentication methods provided by the authentication center include five basic authentication factors: account and password authentication, short message (SMS) authentication, digital certificate authentication, collaborative signature authentication and face verification authentication; these factors can be freely combined to realize multi-factor authentication.
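An added illustration of this authorization-code exchange (also described under the authentication protocol design below), written for this page in Python and not taken from the patent or from Aisino's Java implementation: the authentication center's three interfaces with a short-lived, single-use code bound to the registered callback address, and the application system exchanging the code in the background. The class and function names, the 60 s lifetime, the user record and the callback URL are constructed assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass
class RegisteredApp:
    client_id: str
    client_secret: str
    callback_url: str          # callback address registered for the application

@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    user_id: str
    issued_at: float
    used: bool = False
    token: str = ""            # token minted from this code; revoked on replay

class AuthCenter:
    """The three OAuth2.0 interfaces of the authentication center."""

    def __init__(self, clock, ttl=60):
        # clock(): current time in seconds (injected so the demo can advance it).
        # ttl: code lifetime; the page reads it from a configuration file, 60 s is
        # a constructed default.
        self.apps, self.codes, self.tokens, self.users = {}, {}, {}, {}
        self.clock, self.ttl = clock, ttl

    def register_app(self, callback_url):
        # Application registration: client_id / client_secret are generated here.
        app = RegisteredApp(secrets.token_hex(8), secrets.token_urlsafe(32), callback_url)
        self.apps[app.client_id] = app
        return app

    def authorize(self, client_id, redirect_uri, user_id):
        """Interface 1 (redirect): mint a code and send it to the registered callback."""
        app = self.apps.get(client_id)
        if app is None or redirect_uri != app.callback_url:
            raise PermissionError("unknown client or callback address mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = AuthCode(client_id, redirect_uri, user_id, self.clock())
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Interface 2 (background call): verify the code, return a user token."""
        app = self.apps.get(client_id)
        if app is None or not secrets.compare_digest(client_secret, app.client_secret):
            raise PermissionError("client authentication failed")
        rec = self.codes.get(code)
        if rec is None or rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            raise PermissionError("invalid authorization code")
        if rec.used:
            # Second use of a one-time code: reject it and revoke what it produced.
            self.tokens.pop(rec.token, None)
            raise PermissionError("authorization code already used")
        if self.clock() - rec.issued_at > self.ttl:
            raise PermissionError("authorization code expired")
        rec.used = True
        rec.token = secrets.token_urlsafe(32)
        self.tokens[rec.token] = rec.user_id
        return rec.token

    def userinfo(self, token):
        """Interface 3 (background call): return the logged-in user's information."""
        user_id = self.tokens.get(token)
        if user_id is None:
            raise PermissionError("invalid user token")
        return dict(self.users[user_id])

def app_handle_callback(app, center, code):
    """Application side: receive the code at the callback, exchange it from the
    background, and build the application's own login-state session."""
    try:
        tok = center.token(app.client_id, app.client_secret, code, app.callback_url)
        info = center.userinfo(tok)
    except PermissionError as exc:
        return {"ok": False, "error": str(exc)}
    # The application keeps its own session id; the user token stays server-side.
    return {"ok": True, "session": secrets.token_urlsafe(16), "user": info}

def demo_flow():
    """Constructed walk-through: a normal login, then a replayed and an expired code."""
    now = [1_000.0]
    center = AuthCenter(clock=lambda: now[0], ttl=60)
    center.users["u1001"] = {"id": "u1001", "name": "constructed user"}
    app = center.register_app("https://app.example.test/callback")
    out = {}
    code = center.authorize(app.client_id, app.callback_url, "u1001").split("code=", 1)[1]
    out["login_user"] = app_handle_callback(app, center, code)["user"]["id"]
    out["replay"] = app_handle_callback(app, center, code)["error"]
    out["tokens_after_replay"] = len(center.tokens)
    code = center.authorize(app.client_id, app.callback_url, "u1001").split("code=", 1)[1]
    now[0] += 61                          # advance the constructed clock past the TTL
    out["expired"] = app_handle_callback(app, center, code)["error"]
    return out
```

Revoking the token when a code is presented a second time goes slightly beyond the page's "valid once": it limits the damage if a code was captured in transit and used before the legitimate application system.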
Specifically, referring to FIG. 2 and FIG. 3, the present invention aims to build a unified, efficient and secure authentication center within the existing security system, so as to make internal and external services standardized, precise, convenient, platform-based and collaborative. The method spares staff from memorizing many user names and passwords, eliminates the repeated labor of authenticating separately to several application systems, reduces the enterprise security risk caused by leaked staff passwords, provides authentication modes of different security levels to different systems, compensates for protection that traditional information security cannot provide, and, while solving the existing problems, makes the business systems digital, networked and intelligent, safeguarding the development of informatization.
The invention is developed in the Java language and uses OAuth2.0 as the authentication protocol of the authentication center.
The design of the authentication center is as follows:
1. Authentication factors: the authentication center provides five basic authentication factors: account authentication, short message (SMS) authentication, digital certificate authentication, collaborative signature authentication and face verification authentication. Each factor provides only the most basic verification for an authentication mode and takes no part in business processing; a factor only checks whether the submitted authentication information passes, returning true if it does and false if it does not.
2. Application system registration: when an application system is registered, its domain name address, authentication modes, the authentication security level corresponding to the application (level 1 account, level 2 short message, level 3 digital certificate or collaborative signature, level 4 face verification), application icon, home page address and other information are set; after registration the authentication center automatically generates the application's authorization information, such as its client_id and client_secret. The relationship between application systems and authentication modes is one-to-many, that is, each application can be configured with several authentication modes; each authentication mode can be freely composed of a single authentication factor or several factors with a set authentication order (for example account password, then short message, then face), so that both single-factor and multi-factor authentication services are provided externally.
3. Authentication protocol: the authentication protocol is based on OAuth2.0 and provides three interfaces: obtaining an authorization code, obtaining a user token from the authorization code, and obtaining user information from the user token. The authorization code interface is a redirection interface: the application system requests authentication by redirecting with its client_id and callback address, and the authentication center creates an authorization code and redirects to the callback address registered for that application system; the authorization code is valid only for a short time and for a single use, and its validity period can be configured in the configuration file. After receiving the authorization code, the application system calls the authentication center's user token interface from the background with the authorization code; the authentication center verifies the code and, if it passes, creates a user token and returns it to the application system. The application system then calls the authentication center's user information interface from the background with the user token; after the authentication center verifies the token, it returns the complete information of the currently logged-in person, from which the application system can establish the session information of its own login state.
4. Login authentication: when an application system sends login authentication to the authentication center, the authentication center looks up the authentication mode and authentication security level corresponding to the requesting business system. If the authentication center holds no login state, it displays the login authentication page for the configured authentication mode; if it holds a login state, it judges whether the current login state meets the required authentication security level: if so, authentication is completed directly, and if not, the corresponding secondary authentication page is displayed according to the authentication security level and secondary authentication is performed. After the user enters the authentication information, the authentication center checks, according to the request information, whether the caller is authorized to invoke the authentication factor; if not, an error prompt is returned, and if so, the corresponding factor check is invoked. After the check passes, the authentication center judges from the settings of the authentication mode whether the whole login authentication is finished: if so, the login state is created and login authentication is finished; if other authentication factors still need to be verified, a random verification code is generated and the authentication information of the current factor is cached, the authentication center returns the random verification code to the login authentication page, the page displays the next authentication factor, and the single-factor check rule is repeated until all factors of the authentication mode have been checked, whereupon the login state is created and login authentication is finished.
The key points of the invention are as follows:
1. The authentication factors are extracted from the business services and provided as basic public services offering authentication capability;
2. An authentication mode can be freely composed of one or several of the basic authentication factors, so that rich authentication modes are provided dynamically;
3. Different authentication modes and authentication security levels can be configured dynamically for different application systems, meeting the different requirements of each application system.
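An added Python model of the login-authentication logic in points 2 and 4 above (written for this page; not code from the patent or its Java implementation): per-application authentication modes and security levels, the direct-pass or secondary-authentication decision against an existing login state, and the multi-factor chain in which a fresh random verification code carries the cached progress from one factor to the next. The factor names, level numbers, the two applications, the credentials, and the policy of discarding a chain on a failed check are constructed assumptions; the factor checks are stubs standing in for the real verifiers.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Security level of each factor, following the page's registration step:
# 1 account, 2 short message, 3 digital certificate / collaborative signature, 4 face.
FACTOR_LEVEL = {"account": 1, "sms": 2, "cert": 3, "cosign": 3, "face": 4}

@dataclass
class AppConfig:
    modes: List[List[str]]      # each authentication mode is an ordered factor sequence
    required_level: int         # authentication security level configured for the app
    allowed_factors: set        # factors this application is authorized to invoke

@dataclass
class LoginState:               # the authentication center's own login state
    user_id: str
    level: int

@dataclass
class Pending:                  # cached progress of one multi-factor chain
    client_id: str
    mode: List[str]
    session_id: str
    verified: List[str] = field(default_factory=list)
    user_id: Optional[str] = None

class AuthCenter:
    def __init__(self, checks: Dict[str, Callable[[str, str], bool]]):
        self.checks = checks    # factor name -> check(user_id, credential) -> bool
        self.apps: Dict[str, AppConfig] = {}
        self.states: Dict[str, LoginState] = {}   # browser session -> login state
        self.pending: Dict[str, Pending] = {}     # random verification code -> chain

    def begin(self, session_id, client_id):
        """Step 102: pick the page from the app's authentication mode and level."""
        app, state = self.apps[client_id], self.states.get(session_id)
        if state is None:
            return {"page": "login", "modes": app.modes}
        if state.level >= app.required_level:
            return {"page": "pass", "user": state.user_id}
        # Login state too weak for this app: secondary authentication with the
        # lowest-level permitted factor that still reaches the required level.
        candidates = [f for f in app.allowed_factors if FACTOR_LEVEL[f] >= app.required_level]
        if not candidates:
            return {"error": "no permitted factor reaches the required level"}
        factor = min(candidates, key=FACTOR_LEVEL.__getitem__)
        return {"page": "secondary", **self.start_mode(session_id, client_id, [factor])}

    def start_mode(self, session_id, client_id, mode):
        code = secrets.token_urlsafe(16)
        self.pending[code] = Pending(client_id, list(mode), session_id)
        return {"verification_code": code, "next_factor": mode[0]}

    def submit(self, verification_code, user_id, credential):
        """Step 103: check one factor, then advance the chain or create the login state."""
        p = self.pending.pop(verification_code, None)   # each code is accepted once
        if p is None:
            return {"error": "unknown or already used verification code"}
        factor = p.mode[len(p.verified)]
        if factor not in self.apps[p.client_id].allowed_factors:
            return {"error": f"application may not invoke factor {factor}"}
        # A failed check or a changed user discards the cached chain (constructed policy).
        if p.user_id not in (None, user_id):
            return {"error": "user changed during the chain"}
        if not self.checks[factor](user_id, credential):
            return {"error": f"factor check failed: {factor}"}
        p.user_id, p.verified = user_id, p.verified + [factor]
        if len(p.verified) < len(p.mode):
            new_code = secrets.token_urlsafe(16)   # fresh code carried to the next step
            self.pending[new_code] = p
            return {"verification_code": new_code, "next_factor": p.mode[len(p.verified)]}
        level = max(FACTOR_LEVEL[f] for f in p.verified)
        old = self.states.get(p.session_id)
        if old is not None and old.user_id == user_id:
            level = max(level, old.level)          # secondary auth raises the level
        self.states[p.session_id] = LoginState(user_id, level)
        return {"done": True, "level": level}

def demo():
    """Constructed users and factor checks; exercises a two-factor login, then a step-up."""
    creds = {"u1": {"account": "pw-constructed", "sms": "482913", "face": "face-ok"}}
    checks = {f: (lambda uid, c, f=f: creds.get(uid, {}).get(f) == c) for f in FACTOR_LEVEL}
    center = AuthCenter(checks)
    center.apps["oa"] = AppConfig([["account", "sms"]], 2, {"account", "sms", "face"})
    center.apps["finance"] = AppConfig([["account", "face"]], 4, {"account", "face"})
    out, sid = {}, "browser-session-1"
    step = center.start_mode(sid, "oa", center.apps["oa"].modes[0])
    out["first_factor"] = step["next_factor"]
    step = center.submit(step["verification_code"], "u1", "pw-constructed")
    out["second_factor"] = step["next_factor"]
    out["oa_login"] = center.submit(step["verification_code"], "u1", "482913")
    out["oa_again"] = center.begin(sid, "oa")["page"]       # existing state suffices
    sec = center.begin(sid, "finance")                      # level 2 < 4: step up
    out["finance_page"], out["stepup_factor"] = sec["page"], sec["next_factor"]
    out["finance_done"] = center.submit(sec["verification_code"], "u1", "face-ok")
    out["finance_again"] = center.begin(sid, "finance")["page"]
    out["replay"] = center.submit(sec["verification_code"], "u1", "face-ok")["error"]
    return out
```

The verification code is rotated at every step and accepted only once, so a captured code from an earlier factor cannot be replayed to skip the factors that follow it.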
Exemplary apparatus
Fig. 4 is a schematic structural diagram of a single sign-on authentication device based on oauth2.0 protocol according to an exemplary embodiment of the present invention. As shown in fig. 4, the apparatus 400 includes:
a request module 410, configured to initiate a login request to an application system by the user side, where the application system verifies the login request;
the sending module 420 is configured to send a redirection authentication to an authentication center when the verification passes, where the authentication center dynamically displays a single-factor, multi-factor login authentication page or a secondary authentication page to the user according to an authentication mode and an authentication security level configured by the application system;
the login authentication module 430 is configured to perform authentication by selecting an authentication mode at a user end, and complete login authentication at an authentication center;
the login module 440 is configured to complete the login of the application system at the user end when the authentication is passed.
Optionally, the login module 440 includes:
the return sub-module is used for redirecting the carrying Code back to the application system and returning the application system to the user side by the authentication center under the condition that the authentication passes;
the first acquisition sub-module is used for the user side to carry the Code to access the application system, and the application system acquires the user token from the authentication center according to the authorization Code;
the second acquisition sub-module is used for the application system to acquire the user information from the authentication center according to the user token;
and the login sub-module is used for the application system to complete the login of the application system according to the user information returned from the authentication center.
Optionally, the apparatus 400 further comprises:
an error prompt module, used by the authentication center to return an error prompt to the user side when the authentication does not pass.
Optionally, the login authentication module 430 includes:
a judging sub-module, used, after a single factor passes verification, to judge according to the configured authentication mode whether the whole login authentication is finished;
a random code sub-module, used, when the whole authentication is finished, to create a login state and complete login authentication, and, when other authentication factors still need to be checked, to generate a random verification code, cache the authentication information of the current authentication factor, and have the authentication center return the random verification code to the login authentication page;
and a display sub-module, used to have the login authentication page go on to display the authentication page of the next authentication factor, repeating the single-factor verification rule until all authentication factors in the authentication mode have been checked, and then create a login state to complete login authentication.
Optionally, the authentication modes provided by the authentication center are built from five basic authentication factors: account and password authentication, short message (SMS) authentication, digital certificate authentication, collaborative signature authentication and face verification authentication; these authentication factors can be freely combined to realize multi-factor authentication.
Exemplary electronic device
Fig. 5 shows the structure of an electronic device provided in an exemplary embodiment of the present invention. As shown in Fig. 5, the electronic device 50 includes one or more processors 51 and a memory 52.
The processor 51 may be a Central Processing Unit (CPU) or other form of processing unit having data processing and/or instruction execution capabilities, and may control other components in the electronic device to perform desired functions.
The memory 52 may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM) and/or cache memory. The non-volatile memory may include, for example, Read Only Memory (ROM), a hard disk, flash memory, and the like. One or more computer program instructions may be stored on the computer-readable storage medium and executed by the processor 51 to implement the methods of the various embodiments of the present invention described above and/or other desired functions. In one example, the electronic device may further include an input device 53 and an output device 54, which are interconnected by a bus system and/or other forms of connection mechanism (not shown).
In addition, the input device 53 may also include, for example, a keyboard, a mouse, and the like.
The output device 54 can output various information to the outside. The output device 54 may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, etc.
Of course, only some of the components of the electronic device that are relevant to the present invention are shown in fig. 5 for simplicity, components such as buses, input/output interfaces, etc. being omitted. In addition, the electronic device may include any other suitable components depending on the particular application.
Exemplary computer program product and computer readable storage medium
In addition to the methods and apparatus described above, embodiments of the invention may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform steps in a method according to various embodiments of the invention described in the "exemplary methods" section of this specification.
The computer program product may write program code for performing operations of embodiments of the present invention in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present invention may also be a computer-readable storage medium, having stored thereon computer program instructions which, when executed by a processor, cause the processor to perform the steps in a method of mining history change records according to various embodiments of the present invention described in the "exemplary methods" section above in this specification.
The computer readable storage medium may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM or flash memory), optical fiber, portable Compact Disk Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The basic principles of the present invention have been described above in connection with specific embodiments, however, it should be noted that the advantages, benefits, effects, etc. mentioned in the present invention are merely examples and not intended to be limiting, and these advantages, benefits, effects, etc. are not to be considered as essential to the various embodiments of the present invention. Furthermore, the specific details disclosed herein are for purposes of illustration and understanding only, and are not intended to be limiting, as the invention is not necessarily limited to practice with the above described specific details.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different manner from other embodiments, so that the same or similar parts between the embodiments are mutually referred to. For system embodiments, the description is relatively simple as it essentially corresponds to method embodiments, and reference should be made to the description of method embodiments for relevant points.
The block diagrams of the devices, systems and apparatuses according to the present invention are merely illustrative examples and are not intended to require or imply that the connections, arrangements and configurations must be made in the manner shown in the block diagrams. As will be appreciated by one of skill in the art, the devices, systems and apparatuses may be connected, arranged and configured in any manner. Words such as "including," "comprising," "having," and the like are open-ended words meaning "including but not limited to," and are used interchangeably therewith. The terms "or" and "and" as used herein refer to, and are used interchangeably with, the term "and/or" unless the context clearly indicates otherwise. The term "such as" as used herein refers to, and is used interchangeably with, the phrase "such as, but not limited to."
The method and system of the present invention may be implemented in a number of ways. For example, the methods and systems of the present invention may be implemented by software, hardware, firmware, or any combination of software, hardware, firmware. The above-described sequence of steps for the method is for illustration only, and the steps of the method of the present invention are not limited to the sequence specifically described above unless specifically stated otherwise. Furthermore, in some embodiments, the present invention may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
It is also noted that in the systems, devices and methods of the present invention, components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the invention. Thus, the present invention is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit embodiments of the invention to the form disclosed herein. Although a number of example aspects and embodiments have been discussed above, a person of ordinary skill in the art will recognize certain variations, modifications, alterations, additions, and subcombinations thereof.

Claims (10)

1. A single sign-on authentication method based on the OAuth2.0 protocol, comprising:
the user side initiates a login request to an application system, and the application system verifies the login request;
when the verification passes, a redirection for authentication is sent to an authentication center, and the authentication center dynamically displays a single-factor login authentication page, a multi-factor login authentication page or a secondary authentication page to the user side according to the authentication mode and authentication security level configured by the application system;
the user selects an authentication mode at the user side to authenticate, and login authentication is completed at the authentication center;
and when the authentication passes, the user completes login to the application system at the user side.
2. The method according to claim 1, wherein the operation of the user completing login to the application system at the user side when the authentication passes comprises:
when the authentication passes, the authentication center redirects back to the application system carrying the authorization Code and returns it to the user side;
the user side accesses the application system carrying the Code, and the application system acquires a user token from the authentication center according to the authorization Code;
the application system acquires user information from the authentication center according to the user token;
and the application system completes its login according to the user information returned from the authentication center.
3. The method as recited in claim 1, further comprising:
and when the authentication does not pass, the authentication center returns an error prompt to the user side.
4. The method according to claim 1, wherein the operation of the user selecting an authentication mode at the user side to authenticate, with login authentication completed at the authentication center, comprises:
after a single factor passes verification, judging according to the configured authentication mode whether the whole login authentication is finished;
when the whole authentication is finished, creating a login state to complete login authentication; when other authentication factors still need to be checked, generating a random verification code, caching the authentication information of the current authentication factor, and the authentication center returning the random verification code to the login authentication page;
and the login authentication page goes on to display the authentication page of the next authentication factor, repeating the single-factor verification rule until all authentication factors in the authentication mode have been checked, and then a login state is created to complete login authentication.
5. The method of claim 1, wherein the authentication modes provided by the authentication center are built from five basic authentication factors: account and password authentication, short message (SMS) authentication, digital certificate authentication, collaborative signature authentication and face verification authentication, wherein these authentication factors can be freely combined to realize multi-factor authentication.
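The flow of claims 1 to 5 (and the modules of Fig. 4), modelled in Python as an added example that is not part of the patent: an authentication center that picks the login page from the application system's configured factor list, hands a random verification code between factors, issues a single-use authorization Code once every factor has passed, and exchanges it for a token and user information. The sample application system, user, SMS code and all function names are constructed assumptions, not identifiers from the patent.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not from the patent): one application system that configured
# the authentication mode "password then SMS", one user, and the code the SMS gateway sent.
APPS = {"crm": {"redirect_uri": "https://crm.example.test/callback", "factors": ["password", "sms"]}}
USERS = {"alice": {"password": "correct horse", "phone": "13800000000", "name": "Alice"}}
SMS_CODES = {"13800000000": "482913"}

@dataclass
class LoginSession:
    client_id: str
    remaining: list                              # factors still to be checked, in configured order
    user: Optional[str] = None
    passed: dict = field(default_factory=dict)   # cached result of each verified factor
    step_code: Optional[str] = None              # random verification code handed to the login page

class AuthCenter:
    def __init__(self):
        self.sessions, self.auth_codes, self.tokens = {}, {}, {}

    def redirect_login(self, client_id, redirect_uri):
        """Application system verified the login request and redirected here; choose the page."""
        app = APPS.get(client_id)
        if app is None or app["redirect_uri"] != redirect_uri:   # exact match, never a prefix match
            raise PermissionError("unknown client or redirect_uri")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = LoginSession(client_id, list(app["factors"]))
        return sid, ("single-factor" if len(app["factors"]) == 1 else "multi-factor")

    def verify_factor(self, sid, user, factor, credential, step_code=None):
        """Check one factor: either finish login and issue the Code, or return a fresh random
        verification code plus the next factor the login page should display."""
        s = self.sessions[sid]
        if s.passed and step_code != s.step_code:   # later steps must echo the previous step's code
            raise PermissionError("missing or stale step verification code")
        if factor != s.remaining[0] or (s.user and s.user != user):
            raise PermissionError("factor out of order or user changed mid-login")
        if not self._check(user, factor, credential):
            return {"status": "error", "message": "authentication failed"}   # error prompt to user side
        s.user, s.passed[factor] = user, "ok"
        s.remaining.pop(0)
        if s.remaining:                             # more factors configured: cache and continue
            s.step_code = secrets.token_urlsafe(8)
            return {"status": "continue", "step_code": s.step_code, "next_factor": s.remaining[0]}
        code = secrets.token_urlsafe(24)            # all factors passed: login state created, Code issued
        self.auth_codes[code] = {"user": user, "client_id": s.client_id, "exp": time.time() + 60}
        del self.sessions[sid]
        return {"status": "ok", "code": code}

    def exchange_code(self, code, client_id):
        """Application system trades the Code for a user token; pop() makes the Code single-use."""
        rec = self.auth_codes.pop(code, None)
        if rec is None or rec["client_id"] != client_id or rec["exp"] < time.time():
            raise PermissionError("invalid, replayed or expired code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = rec["user"]
        return token

    def user_info(self, token):
        """Application system fetches user information with the token and completes its login."""
        if token not in self.tokens:
            raise PermissionError("invalid token")
        user = self.tokens[token]
        return {"username": user, "name": USERS[user]["name"]}

    @staticmethod
    def _check(user, factor, credential):
        u = USERS.get(user)
        if u is None:
            return False
        expected = u["password"] if factor == "password" else SMS_CODES.get(u["phone"], "")
        return secrets.compare_digest(credential, expected)   # constant-time comparison
```

Binding the Code to the client_id and redeeming it with pop() is what stops a captured Code from being replayed by another application system; the step code between factors is what stops a client from skipping straight to the second factor page.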
6. A single sign-on authentication device based on the OAuth2.0 protocol, comprising:
a request module, used for the user side to initiate a login request to an application system, where the application system verifies the login request;
a sending module, used to send a redirection for authentication to an authentication center when the verification passes, where the authentication center dynamically displays a single-factor login authentication page, a multi-factor login authentication page or a secondary authentication page to the user side according to the authentication mode and authentication security level configured by the application system;
a login authentication module, used for the user to select an authentication mode at the user side to authenticate, with login authentication completed at the authentication center;
and a login module, used for the user to complete login to the application system at the user side when the authentication passes.
7. The apparatus of claim 6, wherein the login module comprises:
a return sub-module, used by the authentication center, when the authentication passes, to redirect back to the application system carrying the authorization Code and return it to the user side;
a first acquisition sub-module, used for the user side to access the application system carrying the Code, with the application system acquiring a user token from the authentication center according to the authorization Code;
a second acquisition sub-module, used for the application system to acquire user information from the authentication center according to the user token;
and a login sub-module, used for the application system to complete its login according to the user information returned from the authentication center.
8. The apparatus as recited in claim 6, further comprising:
and an error prompt module, used by the authentication center to return an error prompt to the user side when the authentication does not pass.
9. A computer readable storage medium, characterized in that the storage medium stores a computer program for executing the method of any of the preceding claims 1-5.
10. An electronic device, the electronic device comprising:
a processor;
a memory for storing the processor-executable instructions;
the processor is configured to read the executable instructions from the memory and execute the instructions to implement the method of any of the preceding claims 1-5.
CN202211669503.9A 2022-12-24 2022-12-24 Single sign-on authentication method, device and medium based on OAuth2.0 protocol Pending CN116248338A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211669503.9A CN116248338A (en) 2022-12-24 2022-12-24 Single sign-on authentication method, device and medium based on OAuth2.0 protocol

Publications (1)

Publication Number Publication Date
CN116248338A true CN116248338A (en) 2023-06-09

Family

ID=86628665

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211669503.9A Pending CN116248338A (en) 2022-12-24 2022-12-24 Single sign-on authentication method, device and medium based on OAuth2.0 protocol

Country Status (1)

Country Link
CN (1) CN116248338A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118200058A (en) * 2024-05-17 2024-06-14 广东省电信规划设计院有限公司 Multi-factor authentication method and system based on physical isolation channel

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination