CN116248628A - Third party account information management method and user authentication method - Google Patents

Third party account information management method and user authentication method

Info

Publication number: CN116248628A
Authority: CN (China)
Prior art keywords: user, platform, target, identity, target user
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202211625870.9A
Other languages: Chinese (zh)
Inventors: 孔剑平, 胡楠, 王琪, 李炳博
Current Assignee: Zhejiang Nanometer Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Zhejiang Nanometer Technology Co ltd
Application filed by: Zhejiang Nanometer Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/30 Managing network names, e.g. use of aliases or nicknames
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a third party account information management method and a user authentication method. The management method comprises the following steps: sending a session ID corresponding to the user identity of a target user to the application front end corresponding to the target user; receiving a message to be bound sent by the application front end, wherein the message to be bound comprises the session ID, the user identity and a target platform; receiving account data sent by the application back end corresponding to the target platform, wherein the account data comprises the third party account information of the target user and the platform identity of the target platform; binding and registering the user identity, the third party account information and the platform domain name of the target platform to obtain the platform account domain name of the target user; and storing the platform account domain name in the registrar of the identity domain. The invention solves the technical problem in the related art that data such as user account information cannot be managed in a centralized way because application program systems and distributed identity systems are incompatible.

Description

Third party account information management method and user authentication method
Technical Field
The invention relates to the technical field of information management, in particular to a third party account information management method and a user authentication method.
Background
DID stands for Decentralized Identifiers: the user generates, manages and controls his own identity independently of any organization or government, and the identifier is globally unique, highly available, resolvable and cryptographically verifiable. DIDs can be used to identify people, organizations and things, and support many security and privacy protection guarantees.
The user agent is an application through which a real user uses his decentralized identity: with it the user can generate a DID, manage data and permissions, and issue or verify DID-related identity claims.
At present a large number of legacy systems exist on the Internet, such as WeChat, microblog platforms and the like. These systems use a centralized user identity management model with username/password verification; they are incompatible with distributed identity systems, and reworking them would be hugely expensive.
Disclosure of Invention
The embodiment of the invention provides a third party account information management method and a user authentication method, which at least solve the technical problem that data such as user account information cannot be managed in a centralized way due to incompatibility of an application program system and a distributed identity identification system in the related technology.
According to a first aspect of an embodiment of the present invention, there is provided a third party account information management method applied to an identification domain, the method including: transmitting a session ID corresponding to a user identity of a target user to an application front end corresponding to the target user; receiving a message to be bound sent by the application front end, wherein the message to be bound comprises the session ID, the user identity and a target platform; receiving account data sent by an application back end corresponding to the target platform, wherein the account data comprises third party account information of the target user and a platform identity of the target platform; binding and registering the user identity, the third party account information and the platform domain name of the target platform to obtain the platform account domain name of the target user; and storing the platform account domain name into a registrar of the identification domain.
Further, before the receiving the message to be bound sent by the application front end, the method further includes: encrypting the third party account information according to the user private key of the target user through the application front end to obtain first encrypted data; and sending the first encrypted data and the session ID to the application back end through the application front end.
Further, before receiving the account data sent by the application back end corresponding to the target platform, the method further includes: decrypting, by the application backend, the first encrypted data according to the user public key of the target user, so as to obtain the third party account information; if the third party account information is matched with the stored account information, encrypting the third party account information and the platform domain name of the target platform according to the platform private key of the target platform through the application back end to obtain second encrypted data; and sending the second encrypted data and the session ID to the identification domain through the application back end.
Further, the receiving the account data sent by the application back end corresponding to the target platform includes: and decrypting the second encrypted data according to the platform public key of the target platform to obtain the account data.
Further, storing the platform account domain name in the registrar of the identity domain includes: converting the platform account domain name into a hash value of a preset length; and storing the hash value in the registrar.
According to a second aspect of an embodiment of the present invention, there is provided a user authentication method applied to the application back end of a target platform, the method including: forwarding a login request, sent by the application front end corresponding to a target user, to the user identity service of the identity domain, wherein the login request carries the user identity corresponding to the target user; receiving the encryption public key corresponding to the target user returned by the user identity service; performing identity verification on the target user according to the encryption public key; and if the target user passes the verification, acquiring the account information of the target user according to the user identity and logging in the target user according to the account information.
Further, before the login request sent by the application front end corresponding to the target user is forwarded to the user identity service of the identity domain, the method further includes: displaying a target login link and a login ID of the target platform in the application interface corresponding to the application front end; and receiving the login request, wherein the login request comprises the user identity, the login ID and the target login link.
Further, receiving the encryption public key corresponding to the target user returned by the user identity service includes: receiving an identity document corresponding to the target user returned by the user identity service, wherein the identity document is obtained by the user identity service resolving the user identity; and acquiring the encryption public key from the identity document.
Further, verifying the identity of the target user according to the encryption public key includes: encrypting a preset verification code with the encryption public key to obtain an encrypted verification code; sending the encrypted verification code to the user identity platform, so that the user identity platform decrypts the encrypted verification code to obtain a decrypted verification code; and matching the decrypted verification code against the preset verification code, wherein the decrypted verification code is obtained by the application front end decrypting the encrypted verification code.
Further, if the target user passes the verification, acquiring the account information of the target user according to the user identity includes: if the decrypted verification code matches the preset verification code, determining that the user identity is a valid identity; sending the user identity to the identity domain; and receiving the platform account domain name returned by the identity domain, wherein the platform account domain name comprises the account information.
According to a third aspect of an embodiment of the present invention, there is provided a third party account information management apparatus applied to an identity domain, the apparatus comprising: a sending module for sending the session ID corresponding to the user identity of the target user to the application front end corresponding to the target user; a first receiving module for receiving a message to be bound sent by the application front end, wherein the message to be bound comprises the session ID, the user identity and a target platform; a second receiving module for receiving account data sent by the application back end corresponding to the target platform, wherein the account data comprises the third party account information of the target user and the platform identity of the target platform; a processing module for binding and registering the user identity, the third party account information and the platform domain name of the target platform so as to obtain the platform account domain name of the target user; and a storage module for storing the platform account domain name in the registrar of the identity domain.
According to a fourth aspect of an embodiment of the present invention, there is provided a user authentication apparatus applied to the application back end of a target platform, the apparatus including: a sending module for forwarding a login request, sent by the application front end corresponding to a target user, to the user identity service of the identity domain, wherein the login request carries the user identity corresponding to the target user; a receiving module for receiving the encryption public key corresponding to the target user returned by the user identity service; a verification module for verifying the identity of the target user according to the encryption public key; and an acquisition module for acquiring the account information of the target user according to the user identity if the target user passes the verification, and logging in the target user according to the account information.
According to a fifth aspect of embodiments of the present invention, there is also provided an electronic device comprising a processor, a memory and a program or instructions stored on the memory and executable on the processor, which when executed by the processor implements the steps of the third party account information management method as described in the first aspect or the user authentication method as described in the second aspect.
According to a sixth aspect of embodiments of the present invention, there is also provided a readable storage medium having stored thereon a program or instructions which, when executed by a processor, implement the steps of the third party account information management method as described in the first aspect or the user authentication method as described in the second aspect.
In the embodiment of the invention, a session ID corresponding to the user identity of a target user is sent to the application front end corresponding to the target user; a message to be bound sent by the application front end is received, wherein the message to be bound comprises the session ID, the user identity and a target platform; account data sent by the application back end corresponding to the target platform is received, wherein the account data comprises the third party account information of the target user and the platform identity of the target platform; the user identity, the third party account information and the platform domain name of the target platform are bound and registered to obtain the platform account domain name of the target user; and the platform account domain name is stored in the registrar of the identity domain. That is, on the basis of the to-be-bound message sent by the application front end and the account data sent by the target platform, the user identity, the third party account information and the platform domain name are bound and registered to obtain the platform account domain name, which is stored in the registrar of the identity domain. Management can thus be carried out through the user identity, and the third party account information of the target user can be managed through the platform account domain name stored in the identity domain, which solves the technical problem in the related art that data such as user account information cannot be managed in a centralized way because application program systems are incompatible with distributed identity systems.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a schematic illustration of an alternative application scenario in accordance with an embodiment of the present invention;
FIG. 2 is a flow chart of an alternative third party account information management method according to an embodiment of the invention;
FIG. 3 is a flow chart of an alternative user authentication method according to an embodiment of the present invention;
FIG. 4 is a flow chart of yet another alternative user authentication method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a framework of an alternative third party account information management device according to an embodiment of the invention;
FIG. 6 is a schematic diagram of a framework of an alternative user authentication device according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Before introducing the third party account information management method of this embodiment, its application scenario is first described. FIG. 1 is a schematic diagram of an application scenario of an alternative third party account information management method of this embodiment. The application scenario comprises: the application front end 10, the application back end 20, the identity domain (DIDNS) 30, the identity service (DID service) 40 and the identity application end 50. The application scenario exists in a network including, but not limited to, a wide area network or a local area network.
The application front end 10 is a terminal device running an application program of a preset service, for example a mobile terminal, a PC or a microcomputer. The application back end 20 is a server or cloud end supporting the preset service. The DIDNS 30 is used for storing the platform account domain name corresponding to the third party account information of the target user; the DID service 40 is used for managing and resolving the platform account domain name of the target user; the identity application end 50 is configured to assign and manage the corresponding DIDs for the target user and the target platform.
In this embodiment, the identity domain DIDNS 30 sends a session ID corresponding to the user identity of the target user to the application front end 10 corresponding to the target user; receives a message to be bound sent by the application front end 10, wherein the message to be bound comprises the session ID, the user identity and a target platform; receives account data sent by the application back end 20 corresponding to the target platform, wherein the account data comprises the third party account information of the target user and the platform identity of the target platform; binds and registers the user identity, the third party account information and the platform domain name of the target platform to obtain the platform account domain name of the target user; and stores the platform account domain name in the registrar of the identity domain 30.
In the above embodiment, the user identity, the third party account information and the platform domain name are bound and registered on the basis of the to-be-bound message sent by the application front end and the account data sent by the target platform, so as to obtain the platform account domain name, and the platform account domain name is stored in the registrar of the identity domain. The method thus manages through the user identity, and manages the third party account information of the target user through the platform account domain name stored in the identity domain.
According to an embodiment of the present invention, there is provided a third party account information management method, which is applied to an identification domain, as shown in fig. 2, and specifically includes the following steps:
S202, sending a session ID corresponding to the user identity of a target user to the application front end corresponding to the target user;
S204, receiving a message to be bound sent by the application front end, wherein the message to be bound comprises the session ID, the user identity and a target platform;
S206, receiving account data sent by the application back end corresponding to the target platform, wherein the account data comprises the third party account information of the target user and the platform identity of the target platform;
S208, binding and registering the user identity, the third party account information and the platform domain name of the target platform to obtain the platform account domain name of the target user;
S210, storing the platform account domain name in the registrar of the identity domain.
In this embodiment, the application front end includes, but is not limited to, a mobile terminal, a PC, a microcomputer and other user terminals on which an application program of a preset service is installed. The application back end is a server or cloud end supporting the preset service. The target platform is the platform corresponding to the preset service, and its hardware support is provided by the application front end and back end.
In addition, the identity domain in this embodiment is used for storing the platform account domain name corresponding to the third party account information of the target user; the identity service (DID service) provides management, resolution and other services for the platform account domain name of the target user; and the identity application end is used for assigning and managing the corresponding DIDs for the target user and the target platform.
In this embodiment, the identity application end includes, but is not limited to, a digital wallet application, which is used for generating, managing and controlling the identities of the target user, the target platform and the like. The DID of the target user or target platform is globally unique, resolvable and cryptographically verifiable. DIDs are used to identify people, organizations and things, and provide security and privacy protection guarantees.
In this embodiment, the target user and the target platform each have a corresponding DID: the target user has a corresponding user identity, and the target platform has a corresponding platform identity. In one application scenario of this embodiment, the user's presence may be mapped to a machine-readable distributed identity, and the user identity of the target user is a string of characters in a specific format that represents the digital identity of an entity.
Illustratively, in the DID "example:123456789abcdefghijk", "example" is the DID Method and "123456789abcdefghijk" is the DID Method Specific String.
Further, the platform account domain name belongs to a hierarchical domain name system: dots are used as separators between the levels of a domain name, the name at each level is called a domain, and the owner of a domain has full control over its sub-domains. The owner of the top-level domain name (".did") is a smart contract named "registry", which specifies the rules governing the assignment of sub-domain names. Anyone can obtain ownership of a domain name and use it according to the rules specified by these contracts. The sub-domain below the top level is an organization or platform (e.g. IBM or WeChat). A user can configure sub-domain names for himself or for others as desired, such as "alice.weixin.did".
Specifically, the DIDNS architecture in this embodiment comprises a registry and a resolver. The registry records the owner of each domain name, the resolver for the domain name, and the TTL (the cache lifetime of all records under the domain name). The DIDNS maps a domain name to the resolver responsible for resolving that domain name, and the resolver converts the domain name into a DID. The registry and the resolver of the DIDNS are blockchain smart contracts that conform to the relevant standards.
In the process of registering the third party account information of the target user on the target platform, the target user initiates a session with the target platform, and the session has a corresponding session ID. According to the session ID, the user identity, the platform identity and the corresponding account data, the identity domain performs binding registration with the platform domain name of the target platform, so as to obtain the platform account domain name of the target user on the target platform.
For example, the DIDNS manager registers "username.platform.did" bound to the DID, to obtain the platform account domain name of the target user.
In this process, the manager of the identity domain generates a session ID for user authentication and returns it to the user, where the session ID corresponds to the user identity of the target user. The target user then sends his account data on the target platform to the target platform, and at the same time returns the session ID and the platform information of the target platform to the manager of the identity domain.
Then the target platform verifies the account data of the target user, and once the account data passes verification, it sends the platform domain name of the target platform, the account data and the session ID to the manager of the identity domain. After receiving the platform domain name, account data and session ID of the target platform, the manager of the identity domain binds and registers the account data and the platform domain name of the target user under the user identity, so that the third party account information of the user is managed and registered on the basis of the user identity.
On the other hand, if the target platform verifies the account data of the target user and the account data does not pass verification, either no information is sent to the manager of the identity domain or a notification of the verification failure is sent, and the manager of the identity domain does not perform binding registration of the account data of the target user with the target platform.
In one example, take target platform A, user identity b corresponding to target user B, platform identity a of target platform A, and account data C of target user B on target platform A. The method may specifically include the following steps:
S21, the manager of the identity domain sends the session ID corresponding to user identity b to the application front end corresponding to target user B;
S22, target user B sends the account data for logging in to target platform A and the session ID to the target platform;
S23, target user B sends the session ID and the platform information of the target platform to the manager of the identity domain;
S24, target platform A verifies the account data of target user B;
S25, if the account data passes verification, target platform A sends its platform domain name (the network address information corresponding to platform identity a), the account data and the session ID to the manager of the identity domain;
S26, the manager of the identity domain binds and registers the platform domain name (the network address information corresponding to platform identity a), the account data and user identity b.
It should be noted that, in the embodiment of the present invention, a session ID corresponding to the user identity of a target user is sent to the application front end corresponding to the target user; a message to be bound sent by the application front end is received, wherein the message to be bound comprises the session ID, the user identity and a target platform; account data sent by the application back end corresponding to the target platform is received, wherein the account data comprises the third party account information of the target user and the platform identity of the target platform; the user identity, the third party account information and the platform domain name of the target platform are bound and registered to obtain the platform account domain name of the target user; and the platform account domain name is stored in the registrar of the identity domain. That is, on the basis of the to-be-bound message sent by the application front end and the account data sent by the target platform, the user identity, the third party account information and the platform domain name are bound and registered to obtain the platform account domain name, which is stored in the registrar of the identity domain. Management can thus be carried out through the user identity, and the third party account information of the target user can be managed through the platform account domain name stored in the identity domain, which solves the technical problem in the related art that data such as user account information cannot be managed in a centralized way because application program systems are incompatible with distributed identity systems.
Optionally, in this embodiment, before receiving the message to be bound sent by the application front end, the method further includes, but is not limited to: encrypting the third party account information according to a user private key of the target user through the application front end to obtain first encrypted data; the first encrypted data and the session ID are sent to the application backend by the application front end.
Specifically, in this embodiment, after the manager of the identity domain sends the session ID corresponding to the user identity of the target user to the application front end, the application front end encrypts the third party account information according to the user private key of the target user, where the third party account information includes, but is not limited to, the account name (username) and password of the target user on the target platform. After encryption with the DID private key of the target user, first encrypted data is obtained, and the first encrypted data and the session ID are then sent by the application front end to the application back end of the target platform.
Optionally, in this embodiment, before receiving the account data sent by the application backend corresponding to the target platform, the method further includes, but is not limited to: decrypting the first encrypted data according to the user public key of the target user through the application back end to obtain third party account information; if the third party account information is matched with the stored account information, encrypting the third party account information and the platform domain name of the target platform according to the platform private key of the target platform through the application back end to obtain second encrypted data; and sending the second encrypted data and the session ID to the identification domain through the application back end.
Specifically, in this embodiment, after receiving the first encrypted data and the session ID sent by the application front end, the application back end corresponding to the target platform decrypts the first encrypted data according to the user public key of the target user, so as to obtain the third party account information of the target user.
After the application back end corresponding to the target platform obtains the third party account information of the target user, it verifies that information. If the third party account information matches the account information stored in the application back end, the verification passes, and the third party account information and the platform domain name of the target platform are encrypted according to the platform private key of the target platform to obtain second encrypted data. The platform domain name of the target platform includes, but is not limited to, the name, platform ID, network address and the like corresponding to the target platform.
The application back end then sends the second encrypted data together with the session ID to the manager of the identification domain.
In addition, if the third party account information does not match the account information stored in the application back end, the verification fails and the information is not processed further. In another example, when verification of the third party account information fails, a verification-failure notice together with the session ID is sent to the manager of the identification domain.
It should be noted that, in this embodiment, the user public key of the target user is sent to the application back end of the target platform in advance, and is stored in the application back end, and the platform public key of the target platform is sent to the manager of the identity domain in advance, and is stored in the manager of the identity domain.
Through the above example, verification of the third party account information of the target user by the target platform is achieved.
Optionally, in this embodiment, receiving the account data sent by the application back end corresponding to the target platform includes, but is not limited to: decrypting the second encrypted data according to the platform public key of the target platform to obtain the account data.
Specifically, after receiving the second encrypted data and the session ID sent by the application back end, the manager of the identity domain obtains the platform public key corresponding to the target platform according to the session ID, and then decrypts the second encrypted data with the platform public key to obtain the third party account information corresponding to the target user.
Optionally, in this embodiment, the platform account domain name is stored in a registrar of the identification domain, including but not limited to: converting the platform account domain name into a hash value with a preset length; the hash value is stored in the registrar.
Specifically, in this embodiment, the platform account domain name is converted into a hash value with a preset length, and the hash value is then stored in the registrar of the identity domain.
By the above example, the storage space occupied by the platform account domain name can be reduced, the search speed of the registrar in the identity domain for the platform account domain name can be improved, and the system resources required for managing the platform account domain name can be reduced.
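As an added example, not code from the patent or its applicant, the binding exchange described above (application front end, platform back end, identity domain) together with the hashed registrar entry, in Go. The patent's "encrypt with the private key, decrypt with the public key" is modelled here as an RSA-PSS signature that the matching public key verifies; the message layouts, the session-keyed key tables, the "<account>.<platform>.<DID>" name layout and the 32-byte SHA-256 digest as the preset hash length are all this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
)

type boundMessage struct { // application front end -> application back end (layout chosen here)
	SessionID string
	Account   []byte // third party account information, here just the username
	Sig       []byte // made with the user private key (the "first encrypted data")
}

type accountData struct { // application back end -> identity domain (layout chosen here)
	SessionID string
	Account   []byte
	Platform  string // platform domain name
	Sig       []byte // made with the platform private key (the "second encrypted data")
}

// The patent's "encrypt with the private key, decrypt with the public key" is modelled as RSA-PSS sign/verify.
func sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func verify(pub *rsa.PublicKey, data, sig []byte) error {
	h := sha256.Sum256(data)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

// signed joins the fields a signature covers; including the session ID ties a message to its session.
func signed(fields ...string) []byte { return []byte(strings.Join(fields, "\x00")) }

// FrontEndBind: the front end protects the account information with the user private key.
func FrontEndBind(sessionID string, userPriv *rsa.PrivateKey, account []byte) (boundMessage, error) {
	sig, err := sign(userPriv, signed(sessionID, string(account)))
	if err != nil {
		return boundMessage{}, err
	}
	return boundMessage{SessionID: sessionID, Account: account, Sig: sig}, nil
}

// PlatformBackend holds what is provisioned in advance: user public keys (keyed by session ID here) and stored accounts.
type PlatformBackend struct {
	priv           *rsa.PrivateKey
	domain         string
	userPub        map[string]*rsa.PublicKey
	storedAccounts map[string]bool
}

// Check verifies with the user public key, matches the account information against what is
// stored, then protects (account, platform domain name) with the platform private key.
func (p *PlatformBackend) Check(m boundMessage) (accountData, error) {
	pub, ok := p.userPub[m.SessionID]
	if !ok {
		return accountData{}, errors.New("unknown session ID")
	}
	if err := verify(pub, signed(m.SessionID, string(m.Account)), m.Sig); err != nil {
		return accountData{}, errors.New("user signature invalid")
	}
	if !p.storedAccounts[string(m.Account)] { // the patent's "verification failed" branch
		return accountData{}, errors.New("account information does not match stored account information")
	}
	sig, err := sign(p.priv, signed(m.SessionID, p.domain, string(m.Account)))
	if err != nil {
		return accountData{}, err
	}
	return accountData{SessionID: m.SessionID, Account: m.Account, Platform: p.domain, Sig: sig}, nil
}

// IdentityDomain holds platform public keys provisioned in advance, session ID -> DID, and the registrar of hashes.
type IdentityDomain struct {
	platformPub map[string]*rsa.PublicKey
	sessions    map[string]string
	registrar   map[[32]byte]bool
}

// hashName converts a platform account domain name to a hash of preset length (32 bytes, SHA-256, chosen here).
func hashName(name string) [32]byte { return sha256.Sum256([]byte(name)) }

// Bind verifies with the platform public key, forms "<account>.<platform>.<DID>" (layout chosen here) and stores its hash.
func (d *IdentityDomain) Bind(a accountData) (string, error) {
	pub, ok := d.platformPub[a.Platform]
	if !ok {
		return "", errors.New("unknown platform")
	}
	if err := verify(pub, signed(a.SessionID, a.Platform, string(a.Account)), a.Sig); err != nil {
		return "", errors.New("platform signature invalid")
	}
	did, ok := d.sessions[a.SessionID]
	if !ok {
		return "", errors.New("unknown session ID")
	}
	name := string(a.Account) + "." + a.Platform + "." + did
	d.registrar[hashName(name)] = true
	return name, nil
}
```

A registrar lookup hashes the queried name the same way and checks the map, which is what keeps the stored form small.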
Based on the third party account information management method, based on the same inventive concept and the same application scenario, the embodiment also provides a user authentication method, which is applied to the application back end of the target platform, as shown in fig. 3, and the method specifically may include the following steps:
S302, a login request sent by an application front end corresponding to a target user is sent to a user identity service of an identity domain, wherein the login request carries a user identity corresponding to the target user;
S304, receiving an encrypted public key corresponding to the target user returned by the user identity service;
S306, performing identity verification on the target user according to the encrypted public key;
S308, if the target user passes the verification, acquiring account information of the target user according to the user identity, and logging in the target user according to the account information.
Specifically, the application back end corresponding to the target platform receives a login request sent by the application front end, the login request is sent to a user identity service corresponding to the identity domain, a parser in the user identity service parses the user identity, and a DID document corresponding to the user identity DID is obtained from the blockchain.
Next, the application back end obtains the encrypted public key from the DID document; the application back end then initiates a challenge based on that public key and performs identity verification on the target user; the account information of the target user is then acquired according to the result of that verification.
Specifically, if the target user passes the verification, the application back end sends the user identity to the manager of the identity domain, the manager of the identity domain queries the user name matched with the user identity DID, and then a corresponding query result is returned to the application back end.
On the other hand, the application front end polls the application back end for the verification result at preset time intervals; if the query succeeded, the application back end sends a session token to the application front end, indicating that the login is successful; if the query failed, the application back end sends a query-failure notice to the application front end.
Optionally, in this embodiment, before sending the login request sent by the application front end corresponding to the target user to the user identification service of the identification domain, the method further includes, but is not limited to: displaying a target login link and a login ID of a target platform in an application interface corresponding to the application front end; a login request is received, wherein the login request includes a user identification, a login ID, and a target login link.
In an example, in an application interface corresponding to the application front end, a two-dimensional code is displayed, wherein the two-dimensional code comprises a target login link and a login ID of a target platform. A login request generated by a target user based on a target login link is received. For example, a target user scans a two-dimensional code to generate a login request.
In one example, a target user selects DID login authentication on the APP login interface at the application front end, which obtains a session identifier (loginID) and an APP back end login address (LoginURL) from the APP back end and displays a two-dimensional code at the APP front end, where the two-dimensional code carries information such as the loginID and the LoginURL (or carries that information in other forms, such as a corresponding hexadecimal code); the APP front end, carrying the loginID, initiates asynchronous polling of the application back end at a preset frequency. The target user uses the mobile terminal's digital wallet (the digital wallet being a user agent application that holds and manages the DID) to read the two-dimensional code, obtain the loginID and the LoginURL (or obtain the above information in other forms), and authorize the login.
Through the above example, in the application interface corresponding to the application front end, the target login link and the login ID of the target platform are displayed; and receiving a login request, and logging in the target platform by the target user by means of the user identity, so that the login operation of the target user is simple and safe.
Optionally, in this embodiment, receiving the encrypted public key corresponding to the target user returned by the user identification service includes, but is not limited to: receiving an identification document corresponding to the target user returned by the user identification service, wherein the identification document is obtained after the user identification is resolved by the user identification service; and obtaining the encrypted public key from the identification document.
Specifically, in this embodiment, the front end of the mobile digital wallet APP sends the loginID and the DID to the LoginURL; after the APP back end receives the loginID and the DID, it sends the DID to the DID resolver in the DID service; then, according to the resolution result, the DID document corresponding to the DID is obtained from the blockchain (and the integrity of the document is checked by comparing its hash value); next, the APP back end obtains the encrypted public key from the DID document.
Optionally, in this embodiment, the target user is authenticated according to an encrypted public key, including but not limited to: encrypting the preset verification code according to the encryption public key to obtain an encryption verification code; the encrypted verification code is sent to the user identity identification platform, so that the user identity identification platform decrypts the encrypted verification code to obtain a decrypted verification code; and matching the decryption verification code with a preset verification code, wherein the decryption verification code is obtained by decrypting the encryption verification code by the application front end.
Specifically, in this embodiment, the APP back end uses the public key to initiate a challenge: for example, it encrypts an initial random number (the preset verification code) with the encrypted public key to obtain an encrypted verification code and sends the encrypted verification code to the mobile digital wallet (the user identity platform); the mobile digital wallet decrypts the encryption result with the private key corresponding to the DID to obtain the decrypted verification code, i.e. the random number, and sends the decrypted verification code and the loginID to the APP back end. The APP back end then verifies the challenge result, that is, compares the received decrypted verification code with the initial random number (the preset verification code).
Optionally, in this embodiment, if the target user passes the verification, the account information of the target user is obtained according to the user identity, including but not limited to: if the decryption verification code is matched with the preset verification code, determining that the user identity is a valid identity; transmitting the user identity to an identity domain; and receiving a platform account domain name returned by the identity identification domain, wherein the platform account domain name comprises account information.
Specifically, if the decrypted verification code matches the initial random number (the preset verification code), the challenge response has succeeded, the DID is a valid identity identifier, and identity authentication succeeds; if the decrypted verification code does not match the initial random number (the preset verification code), the challenge response has failed, the DID is an invalid identity identifier, and identity authentication fails.
In this embodiment, after determining that the user identity is a valid identity, the user identity is sent to the identity domain; and receiving the platform account domain name returned by the identification domain. Specifically, the APP back end sends the DID to the DIDNS, the DIDNS inquires the user name matched with the DID, and the DIDNS returns an inquiry result to the APP back end.
Through the above example, on one hand, autonomous storage of the identity information of the target user is realized; on the other hand, the application is separated from the identity verification component: the application can obtain the user's usage information but not the user's identity information, so aggregation of user identity information by the application is avoided.
As a specific embodiment, as shown in fig. 4, the user authentication method may specifically include the steps of:
S401, the user selects DID login authentication on the APP login interface;
specifically, a session identifier (loginID) and an APP back end login address (loginURL) are obtained from the APP back end, and a two-dimensional code is displayed at the APP front end; the two-dimensional code carries the loginID and the loginURL (or the information is carried in another form, such as a corresponding hexadecimal code), and the APP front end, carrying the loginID, initiates asynchronous polling of the APP back end at a preset frequency;
S402, the loginID and the loginURL are acquired through a digital wallet;
specifically, the user uses a digital wallet on the mobile terminal (the digital wallet being a user agent application that holds and manages the DID) to read the two-dimensional code, acquire the loginID and the loginURL (or acquire the above information in another form), and authorize the login;
S403, the mobile terminal digital wallet sends the loginID and the DID to the loginURL;
S404, the DID is sent to the DID service;
specifically, after receiving the loginID and the DID, the APP back end sends the DID to the DID resolver in the DID service;
S405, the DID document is obtained;
specifically, according to the resolution result, the DID document corresponding to this DID is acquired from the blockchain (and document integrity is checked by hash value comparison);
S406, the APP back end obtains the public key from the document;
S407, the encryption result is sent to the digital wallet;
specifically, the APP back end uses this public key to initiate a challenge, for example by encrypting a random number with the public key, and sends the encryption result to the digital wallet;
S408, the encryption result is decrypted;
specifically, the mobile digital wallet decrypts the encryption result with the private key corresponding to the DID to obtain the plaintext of the random number;
S409, the digital wallet sends the plaintext and the loginID to the APP back end;
S410, the APP back end performs identity authentication;
specifically, the APP back end verifies the challenge result, that is, compares the received plaintext with the initial random number; if they are equal, the challenge response has succeeded, the DID is a valid identity identifier, and identity authentication succeeds;
S411, the APP back end sends the DID to the DIDNS;
S412, the DIDNS queries the user name matched with the DID;
S413, the DIDNS returns the query result to the APP back end;
S414, the APP front end polls the APP back end to obtain the authentication result;
specifically, if the query succeeded, the APP back end sends a session token to the front end, indicating that the login is successful; otherwise, the query failed and the login has failed.
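As an added example, not code from the patent or its applicant, the challenge-response login of steps S401 to S414 (and the verification with the encrypted public key described earlier) in Go, with the APP back end on one side and the wallet's decryption on the other. The DID resolver and DIDNS lookup are stubbed as a function and a map, the loginID and token formats and RSA-OAEP as the encryption scheme are this example's assumptions, and it goes slightly beyond the text in that a session is consumed after one failed or one successful response, so a response cannot be replayed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)

// didDocument stands in for the document the DID service returns; only the encryption public key is modelled.
type didDocument struct {
	PubKey *rsa.PublicKey
}

// loginSession is the APP back end's state for one loginID.
type loginSession struct {
	did   string
	nonce []byte // the "initial random number" (preset verification code)
	token string // session token handed to the front end once verified
}

// Backend models the APP back end of the target platform; resolve and didns stand in for the DID service and the DIDNS.
type Backend struct {
	sessions map[string]*loginSession
	resolve  func(did string) (*didDocument, error)
	didns    map[string]string // DID -> username
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewLogin corresponds to S401: issue the loginID the front end puts in the two-dimensional code.
func (b *Backend) NewLogin() string {
	id := hex.EncodeToString(randomBytes(8))
	b.sessions[id] = &loginSession{}
	return id
}

// Challenge corresponds to S403 to S407: the wallet has sent loginID and DID; resolve the DID,
// encrypt a fresh random number with the document's public key (RSA-OAEP here) and return it.
func (b *Backend) Challenge(loginID, did string) ([]byte, error) {
	s, ok := b.sessions[loginID]
	if !ok || s.nonce != nil {
		return nil, errors.New("unknown or already challenged loginID")
	}
	doc, err := b.resolve(did)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(32)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, doc.PubKey, nonce, nil)
	if err != nil {
		return nil, err
	}
	s.did, s.nonce = did, nonce
	return ct, nil
}

// WalletRespond corresponds to S408: the wallet decrypts with the private key of the DID and
// returns the plaintext it sends back with the loginID (S409).
func WalletRespond(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// Verify corresponds to S409 to S413: compare plaintext and random number in constant time,
// then look up the username bound to the DID. A failed response discards the session.
func (b *Backend) Verify(loginID string, plaintext []byte) (string, error) {
	s, ok := b.sessions[loginID]
	if !ok || s.nonce == nil || s.token != "" {
		return "", errors.New("no open challenge for loginID")
	}
	if subtle.ConstantTimeCompare(plaintext, s.nonce) != 1 {
		delete(b.sessions, loginID)
		return "", errors.New("challenge-response failed: invalid DID")
	}
	user, ok := b.didns[s.did]
	if !ok {
		delete(b.sessions, loginID)
		return "", errors.New("no username bound to DID")
	}
	s.token = hex.EncodeToString(randomBytes(16))
	return user, nil
}

// Poll corresponds to S414: a non-empty token means login succeeded; ok == false means the
// session is gone, i.e. the login failed.
func (b *Backend) Poll(loginID string) (string, bool) {
	s, ok := b.sessions[loginID]
	if !ok {
		return "", false
	}
	return s.token, true
}
```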
Through the above embodiment, a session ID corresponding to the user identity of the target user is sent to the application front end corresponding to the target user; a message to be bound sent by the application front end is received, where the message to be bound comprises the session ID, the user identity and a target platform; account data sent by the application back end corresponding to the target platform is received, where the account data comprises the third party account information of the target user and the platform identity of the target platform; the user identity, the third party account information and the platform domain name of the target platform are bound and registered to obtain the platform account domain name of the target user; and the platform account domain name is stored in the registrar of the identity domain. That is, using the message to be bound sent by the application front end and the account data sent by the target platform, the user identity, the third party account information and the platform domain name are bound and registered to obtain the platform account domain name, which is stored in the registrar of the identity domain. The method and the system can thus manage the third party account information of the target user through the user identity and the platform account domain name stored in the identity domain, thereby solving the technical problem in the related art that data such as user account information cannot be managed in a centralized way because application systems are incompatible with distributed identity systems.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present invention. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present invention.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
Example 2
According to an embodiment of the present invention, there is also provided a third party account information management apparatus for implementing the above third party account information management method, applied to an identification domain, as shown in fig. 5, the apparatus including:
1) The sending module 50 is configured to send, to an application front end corresponding to a target user, a session ID corresponding to a user identity of the target user;
2) A first receiving module 52, configured to receive a message to be bound sent by the application front end, where the message to be bound includes the session ID, the user identity, and a target platform;
3) The second receiving module 54 is configured to receive account data sent by an application back end corresponding to the target platform, where the account data includes third party account information of the target user and a platform identity of the target platform;
4) The processing module 56 is configured to perform binding registration on the user identifier, the third party account information, and the platform domain name of the target platform, so as to obtain a platform account domain name of the target user;
5) And the storage module 58 is used for storing the platform account domain name into the registrar of the identification domain.
Alternatively, the specific example in this embodiment may refer to the example described in embodiment 1, and this embodiment is not described herein.
According to an embodiment of the present invention, there is also provided a user authentication device for implementing the user authentication method, applied to an application back end of a target platform, as shown in fig. 6, the device including:
a sending module 60, configured to send a login request sent by an application front end corresponding to a target user to a user identity service in an identity domain, where the login request carries a user identity corresponding to the target user;
a receiving module 62, configured to receive an encrypted public key corresponding to the target user returned by the user identification service;
a verification module 64, configured to perform identity verification on the target user according to the encrypted public key;
and the obtaining module 66 is configured to obtain account information of the target user according to the user identity if the target user passes the verification, and log in the target user according to the account information.
Alternatively, the specific example in this embodiment may refer to the example described in embodiment 1, and this embodiment is not described herein.
Example 3
According to an embodiment of the present invention, there is also provided an electronic device including a processor, a memory, and a program or instructions stored on the memory and executable on the processor, the program or instructions implementing the steps of the third party account information management method or the user authentication method as described above when executed by the processor.
Optionally, in the present embodiment, the memory is arranged to store program code for performing the steps of:
S1, sending a session ID corresponding to a user identity of a target user to an application front end corresponding to the target user;
S2, receiving a message to be bound sent by the application front end, wherein the message to be bound comprises the session ID, the user identity and a target platform;
S3, receiving account data sent by an application back end corresponding to the target platform, wherein the account data comprises third party account information of the target user and a platform identity of the target platform;
S4, binding and registering the user identity, the third party account information and the platform domain name of the target platform to obtain the platform account domain name of the target user;
S5, storing the platform account domain name into the registrar of the identity domain.
Optionally, in the present embodiment, the memory is arranged to store program code for performing the steps of:
S1, a login request sent by an application front end corresponding to a target user is sent to a user identity service of an identity domain, wherein the login request carries a user identity corresponding to the target user;
S2, receiving an encrypted public key corresponding to the target user returned by the user identity identification service;
S3, carrying out identity authentication on the target user according to the encrypted public key;
S4, if the target user passes the verification, acquiring account information of the target user according to the user identity, and logging in the target user according to the account information.
Alternatively, the specific example in this embodiment may refer to the example described in embodiment 1, and this embodiment is not described herein.
Example 4
Embodiments of the present invention also provide a readable storage medium having stored thereon a program or instructions which, when executed by a processor, implement the steps of the third party account information management method or user authentication method as described above.
Optionally, in the present embodiment, the readable storage medium is configured to store program code for performing the steps of:
S1, sending a session ID corresponding to a user identity of a target user to an application front end corresponding to the target user;
S2, receiving a message to be bound sent by the application front end, wherein the message to be bound comprises the session ID, the user identity and a target platform;
S3, receiving account data sent by an application back end corresponding to the target platform, wherein the account data comprises third party account information of the target user and a platform identity of the target platform;
S4, binding and registering the user identity, the third party account information and the platform domain name of the target platform to obtain the platform account domain name of the target user;
S5, storing the platform account domain name into the registrar of the identity domain.
Optionally, in the present embodiment, the readable storage medium is configured to store program code for performing the steps of:
S1, a login request sent by an application front end corresponding to a target user is sent to a user identity service of an identity domain, wherein the login request carries a user identity corresponding to the target user;
S2, receiving an encrypted public key corresponding to the target user returned by the user identity identification service;
S3, carrying out identity authentication on the target user according to the encrypted public key;
S4, if the target user passes the verification, acquiring account information of the target user according to the user identity, and logging in the target user according to the account information.
Optionally, the readable storage medium is further configured to store program codes for performing the steps included in the method in the above embodiment 1, which is not described in detail in this embodiment.
Alternatively, in the present embodiment, the readable storage medium may include, but is not limited to: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
Alternatively, the specific example in this embodiment may refer to the example described in embodiment 1, and this embodiment is not described herein.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
The integrated units in the above embodiments may be stored in the above-described computer-readable storage medium if implemented in the form of software functional units and sold or used as separate products. Based on such understanding, the technical solution of the present invention may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing one or more computer devices (which may be personal computers, servers or network devices, etc.) to perform all or part of the steps of the method described in the embodiments of the present invention.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, such as the division of the units, is merely a logical function division, and may be implemented in another manner, for example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims (14)

1. A method for managing third party account information, applied to an identification domain, the method comprising:
transmitting a session ID corresponding to a user identity of a target user to an application front end corresponding to the target user;
receiving a message to be bound sent by the application front end, wherein the message to be bound comprises the session ID, the user identity and a target platform;
receiving account data sent by an application back end corresponding to the target platform, wherein the account data comprises third party account information of the target user and a platform identity of the target platform;
binding and registering the user identity, the third party account information and the platform domain name of the target platform to obtain the platform account domain name of the target user;
and storing the platform account domain name into a registrar of the identification domain.
2. The method of claim 1, further comprising, prior to said receiving the message to be bound sent by the application front end:
encrypting the third party account information according to the user private key of the target user through the application front end to obtain first encrypted data;
and sending the first encrypted data and the session ID to the application back end through the application front end.
3. The method of claim 2, further comprising, prior to receiving account data sent by an application backend corresponding to the target platform:
decrypting, by the application backend, the first encrypted data according to the user public key of the target user, so as to obtain the third party account information;
if the third party account information is matched with the stored account information, encrypting the third party account information and the platform domain name of the target platform according to the platform private key of the target platform through the application back end to obtain second encrypted data;
and sending the second encrypted data and the session ID to the identification domain through the application back end.
4. The method of claim 3, wherein the receiving account data sent by the application backend corresponding to the target platform comprises:
and decrypting the second encrypted data according to the platform public key of the target platform to obtain the account data.
5. The method of claim 1, wherein the storing the platform account domain name in the registrar of the identification domain comprises:
converting the platform account domain name into a hash value with a preset length;
and storing the hash value into the register.
6. A user authentication method, applied to an application backend of a target platform, the method comprising:
sending a login request, sent by an application front end corresponding to a target user, to a user identity service of an identity domain, wherein the login request carries a user identity corresponding to the target user;
receiving an encrypted public key corresponding to the target user returned by the user identity identification service;
carrying out identity verification on the target user according to the encryption public key;
and if the target user passes the verification, acquiring account information of the target user according to the user identity, and logging in the target user according to the account information.
7. The method of claim 6, further comprising, prior to sending the login request sent by the application front end corresponding to the target user to the user identification service of the identification domain:
displaying a target login link and a login ID of the target platform in an application interface corresponding to the application front end;
and receiving the login request, wherein the login request comprises the user identity, the login ID and the target login link.
8. The method according to claim 6, wherein said receiving the encrypted public key corresponding to the target user returned by the user identification service comprises:
receiving an identification document corresponding to the target user returned by the user identification service, wherein the identification document is obtained by the user identification service resolving the user identity;
and acquiring the encrypted public key from the identification document.
9. The method of claim 6, wherein said authenticating said target user based on said encrypted public key comprises:
encrypting the preset verification code according to the encryption public key to obtain an encryption verification code;
sending the encrypted verification code to a user identity platform, so that the user identity platform decrypts the encrypted verification code to obtain a decrypted verification code;
and matching the decrypted verification code with the preset verification code, wherein the decrypted verification code is obtained by the application front end decrypting the encrypted verification code.
10. The method according to claim 9, wherein if the target user passes the verification, obtaining the account information of the target user according to the user identity, comprises:
if the decrypted verification code matches the preset verification code, determining that the user identity is a valid identity;
transmitting the user identity to an identity domain;
and receiving a platform account domain name returned by the identification domain, wherein the platform account domain name comprises the account information.
11. A third party account information management apparatus for application to an identification domain, the apparatus comprising:
a sending module for sending the session ID corresponding to the user identity of the target user to the application front end corresponding to the target user;
the first receiving module is used for receiving a message to be bound sent by the application front end, wherein the message to be bound comprises the session ID, the user identity and a target platform;
the second receiving module is used for receiving account data sent by the application back end corresponding to the target platform, wherein the account data comprises third party account information of the target user and a platform identity of the target platform;
the processing module is used for binding and registering the user identity, the third party account information and the platform domain name of the target platform so as to obtain the platform account domain name of the target user;
and a storage module for storing the platform account domain name into a registrar of the identification domain.
12. A user authentication device, for application to an application backend of a target platform, the device comprising:
a sending module for sending a login request, sent by an application front end corresponding to a target user, to a user identity service of an identity domain, wherein the login request carries a user identity corresponding to the target user;
a receiving module for receiving the encrypted public key corresponding to the target user returned by the user identity identification service;
the verification module is used for carrying out identity verification on the target user according to the encrypted public key;
and the acquisition module is used for acquiring the account information of the target user according to the user identity if the target user passes the verification, and logging in the target user according to the account information.
13. An electronic device comprising a processor, a memory and a program or instruction stored on the memory and executable on the processor, which when executed by the processor, implements the steps of the third party account information management method of claims 1-5 or the user authentication method of claims 6-10.
14. A readable storage medium, wherein a program or instructions is stored on the readable storage medium, which when executed by a processor, implements the steps of the third party account information management method of claims 1-5 or the user authentication method of claims 6-10.
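The flows of claims 1 to 10 worked through as an added example in Go; this is written for this page and is not code from the patent or its applicant. It assumes an in-memory map for the identity service and for the registrar, 2048-bit RSA keys, a dotted layout for the platform account domain name, and the function names shown; none of these come from the claims. Two readings are made explicit in the code: "encrypting with the user private key and decrypting with the user public key" (claims 2 and 3) is modelled as a digital signature, which is the operation that wording describes, and the verification code of claim 9 is drawn fresh for each login rather than preset, so that an answer captured once cannot be replayed, with the match done in constant time.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// IdentityService stands in for the identity domain's user identity service (claim 8):
// user identity -> the public key taken from that user's identity document (in-memory map: assumption).
type IdentityService map[string]*rsa.PublicKey

// GenerateUserKey makes the user's key pair; 2048-bit RSA is an assumption, the claims name no key type.
func GenerateUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// PlatformAccountDomain is claim 1's binding step; the dotted layout is an assumption.
func PlatformAccountDomain(userID, account, platformDomain string) string {
	return account + "." + userID + "." + platformDomain
}

// RegistrarKey is claim 5: hash the domain name to a fixed length (SHA-256, 64 hex characters).
func RegistrarKey(domain string) string {
	sum := sha256.Sum256([]byte(domain))
	return hex.EncodeToString(sum[:])
}

// SignAccountInfo models claim 2: "encrypt with the user private key, decrypt with the
// user public key" is what a digital signature does, so the account information is signed.
func SignAccountInfo(userPriv *rsa.PrivateKey, info []byte) ([]byte, error) {
	digest := sha256.Sum256(info)
	return rsa.SignPKCS1v15(rand.Reader, userPriv, crypto.SHA256, digest[:])
}

// VerifyAccountInfo is the backend's check in claim 3: accept the data only if the signature verifies.
func VerifyAccountInfo(userPub *rsa.PublicKey, info, sig []byte) bool {
	digest := sha256.Sum256(info)
	return rsa.VerifyPKCS1v15(userPub, crypto.SHA256, digest[:], sig) == nil
}

// NewChallenge draws a fresh random verification code for each login (the claim says
// "preset"; a fresh code means a captured answer cannot be replayed) and returns it
// alongside its RSA-OAEP encryption under the user's public key (claim 9).
func NewChallenge(userPub *rsa.PublicKey) (code, encrypted []byte, err error) {
	code = make([]byte, 32)
	if _, err = rand.Read(code); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, code, nil)
	return code, encrypted, err
}

// AnswerChallenge is the application front end's side: decrypt with the user private key.
func AnswerChallenge(userPriv *rsa.PrivateKey, encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, userPriv, encrypted, nil)
}

// VerifyAnswer is claim 9's matching step, compared in constant time.
func VerifyAnswer(code, answer []byte) bool {
	return subtle.ConstantTimeCompare(code, answer) == 1
}

// Login runs claims 6-10 from the backend's side. registrar maps a user identity to its
// platform account domain name (simplified from claim 5's hashed entry); frontEnd is
// the private key the application front end answers the challenge with.
func Login(ids IdentityService, registrar map[string]string, userID string, frontEnd *rsa.PrivateKey) (string, error) {
	pub, ok := ids[userID]
	if !ok {
		return "", errors.New("unknown user identity")
	}
	code, encrypted, err := NewChallenge(pub)
	if err != nil {
		return "", err
	}
	answer, err := AnswerChallenge(frontEnd, encrypted)
	if err != nil || !VerifyAnswer(code, answer) {
		return "", errors.New("verification code mismatch: user identity not valid")
	}
	domain, ok := registrar[userID]
	if !ok {
		return "", errors.New("no platform account bound to this identity")
	}
	return domain, nil
}

func main() {
	userPriv, _ := GenerateUserKey()
	userID := "did:example:alice" // constructed sample identity
	domain := PlatformAccountDomain(userID, "alice", "platform.example")
	fmt.Println("registrar entry:", RegistrarKey(domain))
	fmt.Println(Login(IdentityService{userID: &userPriv.PublicKey}, map[string]string{userID: domain}, userID, userPriv))
}
```

Running `main` prints the registrar entry for the constructed account and the bound domain name returned by a successful login. A front end holding a private key other than the user's fails at the decryption step of claim 9, and a user identity with no public key in the identity service is rejected before any verification code is issued.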
Application CN202211625870.9A, filed 2022-12-16 (priority date 2022-12-16): Third party account information management method and user authentication method. Status: Pending.

Publication: CN116248628A (en), published 2023-06-09.

Family ID: 86632108

Country status: CN (1) CN116248628A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination