CN116305321A - Authority verification method and device - Google Patents

Publication number: CN116305321A
Application number: CN202310170991.7A
Authority: CN (China)
Legal status (as listed; an assumption, not a legal conclusion): Pending
Other languages: Chinese (zh)
Inventor: 陈春璋
Current Assignee (as listed): China Construction Bank Corp; CCB Finetech Co Ltd
Original Assignee: China Construction Bank Corp; CCB Finetech Co Ltd
Application filed by: China Construction Bank Corp, CCB Finetech Co Ltd
Prior art keywords: authorization, request, party application, resource provider, token

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/645 Protecting data integrity, e.g. using checksums, certificates or signatures using a third party
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Abstract

The invention discloses a permission verification method and device, and relates to the technical field of information security. One embodiment of the method comprises the following steps: receiving a data access request sent by a third party application; forwarding the data access request to the resource provider in response to the data access request passing the authorization check; receiving a granularity check request returned by the resource provider for the data access request, wherein the granularity check request is used for verifying whether the third party application has access rights to target data, and the target data is the data requested by the data access request; and acquiring the authorization protocol of the third party application for the resource provider, verifying the granularity check request according to the authorization protocol, and returning a verification result to the resource provider. With this embodiment, the access rights of the third party application can be controlled when it accesses the resource provider, ensuring the information security of the user.

Description

Authority verification method and device
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method and an apparatus for verifying authority.
Background
In some business scenarios, a third party application needs to invoke the services of a resource provider to complete a job that meets the business requirements. Thus, the third party application may access user privacy data in the resource provider. If the account information of the user is completely delivered to the third party application, the third party application may read the personal information, account information and other data of the user, which causes hidden danger to the information security of the user.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide a method and an apparatus for verifying authority, which can control the access rights of a third party application when it accesses a resource provider and thereby ensure the information security of the user.
In a first aspect, an embodiment of the present invention provides a method for verifying authority, including:
receiving a data access request sent by a third party application, wherein the data access request comprises: the application identifier of the third party application, the provider identifier of the resource provider and the authorized access token;
performing authorization verification on the data access request according to the application identifier, the provider identifier and the authorization access token;
forwarding the data access request to the resource provider in response to the data access request passing an authorization check;
receiving a granularity check request returned by the resource provider for the data access request, wherein the granularity check request is used for verifying whether the third party application has access rights to target data, and the target data is request data of the data access request;
and acquiring an authorization protocol of the third party application for the resource provider, verifying the granularity verification request according to the authorization protocol, and returning a verification result to the resource provider.
Optionally, before receiving the data access request, the method further includes:
receiving a token acquisition request of the third party application for the resource provider, wherein the token acquisition request comprises: an authorization code;
and generating the authorized access token and returning the authorized access token to the third party application in response to the authorization code passing verification.
Optionally, before receiving the token acquisition request of the third party application for the resource provider, the method further includes:
receiving an authorization creation request of the third party application for the resource provider;
generating an authorization number corresponding to the authorization creation request, and returning the authorization number to the third party application;
receiving an authorization interface display request, wherein the authorization interface display request comprises: the authorization number;
in response to the authorization number being within its validity period, displaying an authorization interface and acquiring input information in the authorization interface;
generating an authorization protocol and the authorization code of the third party application for the resource provider according to the input information;
and returning the authorization code to the third party application.
Optionally, after the authorization code is returned to the third party application, the method further includes:
receiving an authorization code refreshing request of the third party application for the resource provider;
acquiring an authorization number corresponding to the authorization code refreshing request;
in response to the authorization number corresponding to the authorization code refreshing request being within its validity period, regenerating an authorization code of the third party application for the resource provider;
and returning the regenerated authorization code to the third party application.
Optionally, after the authorization code is returned, the method further includes:
receiving an authorization code revocation request of the third party application for the resource provider;
acquiring an authorization number corresponding to the authorization code revocation request;
and in response to the authorization number corresponding to the authorization code revocation request being within its validity period, revoking the authorization protocol and the authorization code of the third party application for the resource provider.
Optionally, the generating, according to the input information, an authorization protocol and the authorization code of the third party application for the resource provider includes:
acquiring login user information corresponding to the authorization interface display request;
and in response to the login user information passing identity verification, generating an authorization protocol and the authorization code of the third party application for the resource provider according to the input information.
Optionally, the generating the authorized access token and returning the authorized access token to the third party application in response to the authorization code being verified includes:
generating the authorized access token and the authorized refresh token in response to the authorization code passing verification, and returning the authorized access token and the authorized refresh token to the third party application;
after receiving the data access request sent by the third party application, the method further comprises:
in response to the data access request not passing the authorization check, returning prompt information of verification failure to the third party application;
receiving a token refreshing request sent by the third party application, wherein the token refreshing request comprises: the authorization refresh token;
and in response to the authorization refresh token passing the validity verification, regenerating the authorization access token of the third party application for the resource provider, and returning the regenerated authorization access token to the third party application.
In a second aspect, an embodiment of the present invention provides a rights verification apparatus, including:
the first receiving module is configured to receive a data access request sent by a third party application, where the data access request includes: the application identifier of the third party application, the provider identifier of the resource provider and the authorized access token;
the authorization verification module is used for carrying out authorization verification on the data access request according to the application identifier, the provider identifier and the authorization access token;
the request forwarding module is used for forwarding the data access request to the resource provider in response to the data access request passing the authorization check;
the second receiving module is used for receiving a granularity check request returned by the resource provider for the data access request, wherein the granularity check request is used for verifying whether the third party application has access authority of target data, and the target data is request data of the data access request;
the granularity verification module is used for acquiring an authorization protocol of the third party application for the resource provider, verifying the granularity verification request according to the authorization protocol, and returning a verification result to the resource provider.
Optionally, the apparatus further comprises:
the token return module is configured to receive a token acquisition request for the resource provider by the third party application, where the token acquisition request includes: an authorization code;
and generating the authorized access token and returning the authorized access token to the third party application in response to the authorization code passing verification.
Optionally, the apparatus further comprises:
an authorization creation module, configured to receive an authorization creation request of the third party application for the resource provider;
generating an authorization number corresponding to the authorization creation request, and returning the authorization number to the third party application;
receiving an authorization interface display request, wherein the authorization interface display request comprises: the authorization number;
in response to the authorization number being within its validity period, displaying an authorization interface and acquiring input information in the authorization interface;
generating an authorization protocol and the authorization code of the third party application for the resource provider according to the input information;
and returning the authorization code to the third party application.
Optionally, the apparatus further comprises:
the authorization refreshing module is used for receiving an authorization code refreshing request of the third party application for the resource provider;
acquiring an authorization number corresponding to the authorization code refreshing request;
in response to the authorization number corresponding to the authorization code refreshing request being within its validity period, regenerating an authorization code of the third party application for the resource provider;
and returning the regenerated authorization code to the third party application.
Optionally, the apparatus further comprises:
an authorization revocation module, configured to receive an authorization code revocation request of the third party application for the resource provider;
acquiring an authorization number corresponding to the authorization code revocation request;
and in response to the authorization number corresponding to the authorization code revocation request being within its validity period, revoking the authorization protocol and the authorization code of the third party application for the resource provider.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
one or more processors;
storage means for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the methods of any of the embodiments described above.
In a fourth aspect, embodiments of the present invention provide a computer readable medium having stored thereon a computer program which, when executed by a processor, implements a method as described in any of the above embodiments.
In a fifth aspect, embodiments of the present invention provide a computer program product comprising a computer program which, when executed by a processor, implements a method as described in any of the above embodiments.
One embodiment of the above invention has the following advantages or benefits: a data access request sent by the third party application is received, and an authorization check is performed on it. If the data access request passes the authorization check, the data access request is forwarded to the resource provider, and a granularity check request returned by the resource provider for the data access request is received, wherein the granularity check request is used for verifying whether the third party application has access rights to the data requested by the data access request. The granularity check request is verified according to the authorization protocol of the third party application for the resource provider, and a verification result is returned to the resource provider. The resource provider determines whether to allow the third party application to access the requested data according to the verification result. Therefore, by performing both an authorization check and a granularity check on the data access request, the access rights of the third party application to the data in the resource provider can be accurately controlled, and the information security of the user is ensured.
Further effects of the above-described non-conventional alternatives are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a flowchart of a method for verifying authority according to a first embodiment of the present invention;
FIG. 2 is a schematic diagram of information interaction of a rights verification method according to a first embodiment of the present invention;
FIG. 3 is a schematic diagram of an authorization creation method according to a second embodiment of the present invention;
FIG. 4 is a schematic diagram of information interaction of an authorization creation method according to a second embodiment of the present invention;
FIG. 5 is a schematic diagram of information interaction of an authorization code refreshing method according to a third embodiment of the present invention;
FIG. 6a is a schematic diagram of information interaction of an authorization revocation method by an authorization server according to a fourth embodiment of the present invention;
FIG. 6b is a schematic diagram of information interaction through a resource provider with an authorization revocation method according to a fourth embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a rights verification apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a computer system suitable for use in implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
In the technical scheme of the invention, the aspects of acquisition, analysis, use, transmission, storage and the like of the related user personal information all meet the requirements of related laws and regulations, are used for legal and reasonable purposes, are not shared, leaked or sold outside the aspects of legal use and the like, and are subjected to supervision and management of a supervision department. Necessary measures should be taken for the personal information of the user to prevent illegal access to such personal information data, ensure that personnel having access to the personal information data comply with the regulations of the relevant laws and regulations, and ensure the personal information of the user. Once these user personal information data are no longer needed, the risk should be minimized by limiting or even prohibiting the data collection and/or deletion.
FIG. 1 is a flowchart of a rights verification method according to a first embodiment of the present invention. As shown in FIG. 1, the method includes:
Step 101: receiving a data access request sent by a third party application, wherein the data access request comprises: an application identification of the third party application, a provider identification of the resource provider, and an authorization access token.
The scheme of the embodiment of the invention is applied to the authorization server, which is the server side that provides authorization creation, authorization maintenance and token verification. The authorization server may be deployed in the open platform or may be independent of the open platform. An open platform is a system that integrates the services that resource providers offer externally. The resource provider is the called party, which provides resources such as services and data. The third party application is a system that invokes the services of a resource provider through the open platform.
After the third party application is connected to the open platform, it accesses the services of the resource provider through the open platform. The authorization server can execute the scheme of the embodiment of the invention to control the access rights of the third party application.
Step 102: performing an authorization check on the data access request according to the application identifier, the provider identifier and the authorization access token.
The authorization server determines whether the authorization access token is a legitimate token. If it is, the server determines whether the token is within its validity period; if it is, the data access request passes the authorization check.
It should be noted that the third party application may place the authorization access token in the request header of the data access request, which may be the request header of an HTTP message or the public request header of a custom request message. When the request passes through the open platform, the open platform forwards it to the authorization server, and the authorization server checks whether the request is authorized according to the authorization access token in the request header, without parsing the specific request content of the data access request. Therefore, throughout the business process, the open platform and the authorization server implement the user's privacy authorization without intruding on user information.
Step 103: forwarding the data access request to the resource provider in response to the data access request passing the authorization check.
The resource provider parses the data access request and obtains the related information of the target data. The target data is the data requested by the data access request. The related information may include: user information corresponding to the target data, the data type of the target data, service information of the target data, authority information of the target data, and the like. The resource provider generates a granularity check request corresponding to the data access request according to the related information of the target data, wherein the granularity check request may comprise: the request identification of the data access request, the application identification, the provider identification, the related information of the target data, etc.
Step 104: receiving a granularity check request returned by the resource provider for the data access request, wherein the granularity check request is used for verifying whether the third party application has access rights to the target data, and the target data is the data requested by the data access request.
Step 105: acquiring the authorization protocol of the third party application for the resource provider, verifying the granularity check request according to the authorization protocol, and returning a verification result to the resource provider.
The authorization protocol is used to record the scope of authorization of the third party application for the resource provider. The authorization protocol may include: rights information of the third party application, data types that the third party application is allowed to access, business information that the third party application is allowed to access, etc.
If the related information of the target data in the granularity check request conforms to the information in the authorization protocol, a verification result indicating that the third party application has access rights to the target data is generated. If the related information of the target data in the granularity check request does not conform to the information in the authorization protocol, a verification result indicating that the third party application does not have access rights to the target data is generated. The resource provider determines whether to allow the third party application to access the requested data according to the verification result.
In the embodiment of the invention, the data access request sent by the third party application is received, and the authorization check is carried out on the data access request. If the data access request passes the authorization check, forwarding the data access request to the resource provider, and receiving a granularity check request returned by the resource provider for the data access request, wherein the granularity check request is used for verifying whether the third party application has the access right of the request data of the data access request. And verifying the granularity verification request according to an authorization protocol of the third party application for the resource provider, and returning a verification result to the resource provider. The resource provider determines whether to allow the third party application to access the request data according to the verification result. Therefore, by carrying out authorization check and granularity check on the data access request, the access authority of the third party application to the data in the resource provider can be accurately controlled, and the information security of the user is ensured.
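The two checks in steps 101 to 105, as an added Python example that is not part of the patent text: the open platform asks the authorization server for a header-only token check, and the resource provider then asks for a granularity check against the authorization protocol. The header names, the field names, the user_id field in the protocol and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Header names are assumptions of this example; the text only says the token
# travels in an HTTP request header or a custom public request header.
H_APP, H_PROVIDER, H_TOKEN = "X-App-Id", "X-Provider-Id", "X-Access-Token"


@dataclass(frozen=True)
class AuthorizationProtocol:
    """Scope one user granted to one application for one resource provider."""
    user_id: str
    data_types: frozenset
    services: frozenset
    permissions: frozenset


class AuthorizationServer:
    def __init__(self):
        self.tokens = {}     # access token -> (app_id, provider_id, expires_at)
        self.protocols = {}  # (app_id, provider_id) -> AuthorizationProtocol

    def authorization_check(self, headers, now):
        """Step 102: decide from header fields only; the body is never read."""
        record = self.tokens.get(headers.get(H_TOKEN))
        if record is None:
            return False, "unknown token"
        if record[:2] != (headers.get(H_APP), headers.get(H_PROVIDER)):
            return False, "token not issued for this application and provider"
        if now >= record[2]:
            return False, "token expired"
        return True, "ok"

    def granularity_check(self, check):
        """Step 105: compare the target-data description with the protocol."""
        protocol = self.protocols.get((check["app_id"], check["provider_id"]))
        reasons = []
        if protocol is None:
            reasons.append("no authorization protocol")
        else:
            target = check["target"]
            if target["user_id"] != protocol.user_id:
                reasons.append("user not covered")
            for key, allowed in (("data_type", protocol.data_types),
                                 ("service", protocol.services),
                                 ("permission", protocol.permissions)):
                if target[key] not in allowed:
                    reasons.append(key + " not covered")
        return {"request_id": check["request_id"], "allowed": not reasons,
                "reasons": reasons}


class ResourceProvider:
    def __init__(self, provider_id, auth_server, records):
        self.provider_id = provider_id
        self.auth_server = auth_server
        self.records = records  # (user_id, data_type) -> stored data

    def handle(self, request):
        """Steps 103-105, provider side: parse the body, ask, then decide."""
        body = request["body"]
        check = {"request_id": request["request_id"],
                 "app_id": request["headers"][H_APP],
                 "provider_id": self.provider_id,
                 "target": {k: body[k] for k in
                            ("user_id", "data_type", "service", "permission")}}
        result = self.auth_server.granularity_check(check)
        if not result["allowed"]:
            return {"status": 403, "reasons": result["reasons"]}
        return {"status": 200,
                "data": self.records[(body["user_id"], body["data_type"])]}


def open_platform_dispatch(request, auth_server, providers, now):
    """Steps 101-103: header-only check, then forward to the resource provider."""
    ok, reason = auth_server.authorization_check(request["headers"], now)
    if not ok:
        return {"status": 401, "reasons": [reason]}
    return providers[request["headers"][H_PROVIDER]].handle(request)


def build_demo():
    """Constructed sample data: one application, one provider, one user."""
    server = AuthorizationServer()
    server.tokens["tok-constructed-1"] = ("app-001", "bank-core", 1200.0)
    server.protocols[("app-001", "bank-core")] = AuthorizationProtocol(
        "u-1001", frozenset({"account_balance"}),
        frozenset({"balance_query"}), frozenset({"read"}))
    records = {("u-1001", "account_balance"): {"balance": "100.00"}}
    return server, {"bank-core": ResourceProvider("bank-core", server, records)}


def make_request(data_type, service, app_id="app-001"):
    return {"request_id": "req-1",
            "headers": {H_APP: app_id, H_PROVIDER: "bank-core",
                        H_TOKEN: "tok-constructed-1"},
            "body": {"user_id": "u-1001", "data_type": data_type,
                     "service": service, "permission": "read"}}
```

A request with a valid token can still be refused at the second stage: the token check never sees the body, so only the granularity check can tell that the requested data type lies outside the authorization protocol.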
In one embodiment of the present invention, before receiving the data access request, the method further comprises: receiving a token acquisition request of a third party application for a resource provider, wherein the token acquisition request comprises an authorization code; and, in response to the authorization code passing verification, generating an authorized access token and returning it to the third party application. Since the authorized access token is valid only for a short validity period, an authorization code of the third party application for the resource provider can be generated first, the validity period of the authorization code being longer than that of the authorized access token. Before logging into the resource provider, the third party application may first obtain the authorized access token by sending a token acquisition request containing the authorization code to the authorization server.
In one embodiment of the invention, generating an authorized access token in response to the authorization code being verified, and returning the authorized access token to the third party application, comprises: generating an authorized access token and an authorized refresh token in response to the authorization code passing verification, and returning the authorized access token and the authorized refresh token to the third party application.
After receiving the data access request sent by the third party application, the method further comprises: in response to the data access request failing the authorization check, returning prompt information of verification failure to the third party application; receiving a token refresh request sent by the third party application, wherein the token refresh request comprises the authorization refresh token; and, in response to the authorization refresh token passing the validity verification, regenerating the authorization access token of the third party application for the resource provider, and returning the regenerated authorization access token to the third party application.
Because the authorized access token is valid only for a short validity period, the authorization server can return the authorized access token and the authorization refresh token together. When the authorized access token expires, the third party application's authorized access token for the resource provider is refreshed by means of the authorization refresh token, so that the third party application can continue to access the resource provider smoothly.
FIG. 2 is a schematic diagram of the information interaction of a rights verification method according to a first embodiment of the present invention. As shown in FIG. 2, after the third party application has completed creating the authorization protocol, the user may use the third party application to access private information. The third party application sends a token acquisition request carrying the authorization code (AuthCode), accesses the authorization server through the open platform, and applies for an authorization access token (AccessToken) and an authorization refresh token (RefreshToken).
The authorization server validates the AuthCode and generates an AccessToken and a RefreshToken. The validity periods of the AccessToken and the RefreshToken can be set according to service requirements. For example, the AccessToken has a validity period of 20 minutes and the RefreshToken has a validity period of 90 days.
The third party application places the AccessToken in a request header, which can be the request header of an HTTP message or the public request header of a custom request message, and requests access, through the open platform, to the user privacy data provided by the resource provider. When the request passes through the open platform, the open platform can obtain the AccessToken from the request header and access the authorization server to perform the privacy authorization check.
If the AccessToken is valid, the request is allowed to continue on to the resource provider. After the resource provider receives the request, it parses the request content and accesses the authorization server to check the authorization granularity, that is, to verify whether the privacy data requested is within the range permitted by the authorization protocol.
If the AccessToken is invalid, the request is intercepted and the reason for the failure of the request is returned to the third party application. The third party application then sends a token refresh request carrying the RefreshToken and calls the corresponding interface of the authorization server through the open platform to refresh the AccessToken. The subsequent flow is identical to the flow described above for a valid AccessToken: the third party application places the refreshed AccessToken in the request header and requests access, through the open platform, to the user privacy data provided by the resource provider.
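The AuthCode, AccessToken and RefreshToken exchange described above, as an added Python example that is not part of the patent text; it uses the 20-minute and 90-day validity periods given as examples. Storing only SHA-256 digests of tokens, binding each token to the application and provider identifiers, and all class, function and sample names are assumptions of this example.

```python
import hashlib
import secrets

ACCESS_TTL = 20 * 60           # 20 minutes, the example value given in the text
REFRESH_TTL = 90 * 24 * 3600   # 90 days, the example value given in the text


def digest(token):
    # Assumption of this example: the server stores only a hash of each token.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenService:
    """Authorization-server side of the AuthCode / AccessToken / RefreshToken flow."""

    def __init__(self):
        self.auth_codes = {}  # AuthCode -> (app_id, provider_id)
        self.access = {}      # sha256(AccessToken) -> (app_id, provider_id, expiry)
        self.refresh = {}     # sha256(RefreshToken) -> (app_id, provider_id, expiry)

    def new_access_token(self, app_id, provider_id, now):
        token = secrets.token_urlsafe(32)
        self.access[digest(token)] = (app_id, provider_id, now + ACCESS_TTL)
        return token

    def exchange_auth_code(self, app_id, provider_id, auth_code, now):
        """Token acquisition request: AuthCode in, AccessToken + RefreshToken out."""
        if self.auth_codes.get(auth_code) != (app_id, provider_id):
            raise PermissionError("authorization code failed verification")
        refresh_token = secrets.token_urlsafe(32)
        self.refresh[digest(refresh_token)] = (app_id, provider_id, now + REFRESH_TTL)
        return self.new_access_token(app_id, provider_id, now), refresh_token

    def check_access(self, app_id, provider_id, access_token, now):
        record = self.access.get(digest(access_token))
        return (record is not None and record[:2] == (app_id, provider_id)
                and now < record[2])

    def refresh_access(self, app_id, provider_id, refresh_token, now):
        """Token refresh request: a valid RefreshToken buys a new AccessToken."""
        record = self.refresh.get(digest(refresh_token))
        if record is None or record[:2] != (app_id, provider_id) or now >= record[2]:
            raise PermissionError("refresh token failed validity verification")
        return self.new_access_token(app_id, provider_id, now)


class ThirdPartyClient:
    """Third-party side: use the AccessToken, refresh once when it is rejected."""

    def __init__(self, service, app_id, provider_id, auth_code, now):
        self.service, self.ids = service, (app_id, provider_id)
        self.access_token, self.refresh_token = service.exchange_auth_code(
            app_id, provider_id, auth_code, now)

    def call(self, now):
        """Return (outcome, refreshed) for one data access request at time `now`."""
        if self.service.check_access(*self.ids, self.access_token, now):
            return "forwarded", False
        # The platform returned a failure prompt: refresh, then retry once.
        self.access_token = self.service.refresh_access(
            *self.ids, self.refresh_token, now)
        ok = self.service.check_access(*self.ids, self.access_token, now)
        return ("forwarded" if ok else "rejected"), True


def run_lifecycle():
    """Constructed timeline: minute 10, minute 25, then day 91."""
    service = TokenService()
    service.auth_codes["authcode-constructed"] = ("app-001", "bank-core")
    client = ThirdPartyClient(service, "app-001", "bank-core",
                              "authcode-constructed", now=0)
    first_token = client.access_token
    results = [client.call(now=10 * 60), client.call(now=25 * 60)]
    rotated = client.access_token != first_token
    try:
        client.call(now=91 * 24 * 3600)
        results.append(("forwarded", True))
    except PermissionError as exc:
        results.append(("rejected", str(exc)))
    return results, rotated


if __name__ == "__main__":
    print(run_lifecycle())
```

Once the RefreshToken itself has expired, the client has no way back except a new token acquisition request with the AuthCode.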
The third party application creates an authorization before accessing the data in the resource provider. Fig. 3 is a flow chart of a rights creation method according to a second embodiment of the present invention. As shown in fig. 3, the method includes:
Step 301: receiving an authorization creation request of a third party application for a resource provider.
Step 302: generating an authorization number corresponding to the authorization creation request, and returning the authorization number to the third party application.
The authorization number may have a longer validity period, such as 2 years, 1 year, half a year, etc. When the authorization server generates the authorization number, the authorization number is bound with the third party application information, and then in the process of creating the authorization, the authorization server verifies the relevance between the authorization number and the third party application.
Step 303: receiving an authorization interface display request, wherein the authorization interface display request includes: the authorization number.
Step 304: in response to the authorization number being within its validity period, displaying the authorization interface and acquiring the input information entered in the authorization interface.
It is first determined whether the authorization number has an association with the third party application. If the authorization number has relevance with the third party application, determining whether the authorization number is in the validity period, and if the authorization number is in the validity period, displaying the authorization interface. The user creates an authorization protocol in the authorization interface, which allows the user to customize the scope of authorization, such as authorizing access to accounts and account information, etc.
Step 305: generating, according to the input information, an authorization protocol and an authorization code of the third party application for the resource provider, and returning the authorization code to the third party application.
The login user information corresponding to the authorization interface display request can be acquired first. If the login user information passes identity verification, the authorization protocol and the authorization code of the third party application for the resource provider are generated according to the input information. This prevents a user without permission from creating an authorization protocol of the third party application for the resource provider.
In the scheme of the embodiment of the invention, when the authorization protocol is created, a user can customize the authorization range, and when the user accesses the private data, the resource provider analyzes the request content and checks whether the private data accessed by the request is in the authorization range, so that the authorization granularity is controlled. In addition, the user can customize the refreshing authorization and change the authorization scope, so that the granularity of the privacy authorization is controlled at the client.
Fig. 4 is a schematic diagram of information interaction of an authorization creation method according to a second embodiment of the present invention. As shown in fig. 4, when a user authorizes a third party application to access private data, the third party application accesses the authorization server through the open platform and applies for an authorization number (ConsentID), which serves as the primary key of this authorization protocol. A validity period is set for the ConsentID according to service requirements, and the authorization protocol becomes invalid once the validity period is exceeded.
When the authorization server generates the ConsentID, it binds the ConsentID to the third party application information; later, in the process of creating the authorization, the authorization server verifies the association between the ConsentID and the third party application.
After the third party application acquires the ConsentID, it sends an authorization interface display request carrying the ConsentID. In response to the authorization interface display request, the flow jumps to an authorization interface provided by the authorization server, and the user creates an authorization protocol on that page. The authorization protocol allows the user to define the authorization scope, such as the accounts and account information that may be accessed. After verifying the user's identity, the authorization server generates an authorization code (AuthCode) in response to the authorization interface display request.
After first creating the privacy authorization protocol, the user may need to change the scope of the privacy authorization, i.e. the granularity of the privacy authorization, for example by changing the list of accounts authorized for access. Alternatively, after the user creates the authorization, the authorization may still be valid while the function for refreshing the authorized access token has become invalid, so that a valid authorized access token cannot be obtained; in that case the privacy authorization protocol needs to be refreshed within a certain time range.
Based on this, the embodiment of the invention also provides a method for refreshing the authorization code, which comprises the following steps: receiving an authorization code refresh request of a third party application for a resource provider; acquiring the authorization number corresponding to the authorization code refresh request; in response to the authorization number corresponding to the authorization code refresh request being within its validity period, regenerating the authorization code of the third party application for the resource provider; and returning the regenerated authorization code to the third party application.
Fig. 5 is a schematic diagram of information interaction of an authorization code refreshing method according to a third embodiment of the present invention. As shown in fig. 5, the authorization code refresh process is similar to the authorization creation process: the user initiates an authorization code refresh instruction in the third party application, the third party application sends an authorization code refresh request carrying the ConsentID, and, in response to the authorization code refresh request, the flow jumps to the authorization interface provided by the authorization server. After the user's identity is verified, the authorization server regenerates an authorization code (AuthCode) in response to the request, and the subsequent process is the same as the process flow of the authority verification method.
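The creation flow of steps 301 to 305 and the authorization code refresh described above, as an added Python sketch that is not code from the patent. Method and field names, the scope item format, the check that a ConsentID stays with one user, and the replacement of an outstanding AuthCode on refresh are all assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CONSENT_TTL = 365 * 24 * 3600  # 1 year, one of the validity periods the text mentions


@dataclass
class Consent:
    """Authorization protocol keyed by ConsentID (field names are hypothetical)."""
    app_id: str
    provider_id: str
    expires_at: float
    user: Optional[str] = None
    scope: frozenset = frozenset()   # items the user allowed, constructed format
    auth_code: Optional[str] = None  # AuthCode currently outstanding, if any


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.consents = {}  # ConsentID -> Consent

    def create_consent(self, app_id, provider_id):
        """Steps 301-302: generate a ConsentID bound to the requesting application."""
        consent_id = secrets.token_urlsafe(16)
        self.consents[consent_id] = Consent(
            app_id, provider_id, expires_at=self.clock() + CONSENT_TTL)
        return consent_id

    def _usable(self, consent_id, app_id):
        """Association check first, then the validity period, as the text orders them."""
        consent = self.consents.get(consent_id)
        if consent is None or consent.app_id != app_id:
            raise PermissionError("ConsentID not associated with this application")
        if self.clock() >= consent.expires_at:
            raise PermissionError("ConsentID expired")
        return consent

    def show_interface(self, consent_id, app_id):
        """Steps 303-304: decide whether the authorization interface may be displayed."""
        consent = self._usable(consent_id, app_id)
        return {"app_id": consent.app_id, "provider_id": consent.provider_id,
                "current_scope": sorted(consent.scope)}

    def submit(self, consent_id, app_id, user, identity_verified, scope):
        """Step 305; the same call serves an AuthCode refresh with a changed scope."""
        consent = self._usable(consent_id, app_id)
        if not identity_verified:
            raise PermissionError("login user failed identity verification")
        if consent.user not in (None, user):
            # Assumption: a ConsentID stays with the user who first authorized it.
            raise PermissionError("ConsentID belongs to another user")
        consent.user, consent.scope = user, frozenset(scope)
        # Assumption: a refresh replaces any AuthCode that is still outstanding.
        consent.auth_code = secrets.token_urlsafe(16)
        return consent.auth_code


if __name__ == "__main__":
    server = AuthorizationServer()
    cid = server.create_consent("app-1", "bank-1")  # constructed identifiers
    server.submit(cid, "app-1", "alice", True, {"acct-001:balance"})
    print(server.show_interface(cid, "app-1"))
```

Because every entry point goes through `_usable`, a ConsentID presented by a different application is refused before its validity period is even examined.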
The embodiment of the invention also provides an authorization revocation method, which comprises the following steps: receiving an authorization code revocation request of a third party application for a resource provider; acquiring the authorization number corresponding to the authorization code revocation request; and, in response to the authorization number corresponding to the authorization code revocation request being within its validity period, revoking the authorization protocol and the authorization code of the third party application for the resource provider.
The user may revoke an authorization protocol that has been created and is still valid. The system supports revocation through the authorization server or through an interface provided by the resource provider. Fig. 6a is a schematic diagram of information interaction of an authorization revocation method through an authorization server according to a fourth embodiment of the present invention. As shown in fig. 6a, when the authorization is revoked through the third party application, the third party application sends an authorization code revocation request carrying the ConsentID and calls the corresponding interface of the authorization server through the open platform to revoke the user's privacy authorization.
Fig. 6b is a schematic diagram of information interaction through a resource provider performing an authorization revocation method according to a fourth embodiment of the present invention. As shown in fig. 6b, when the authorization is revoked through the interface provided by the resource provider, the user may directly revoke the authorization after querying the authorization record on the interface provided by the resource provider.
When the scheme of the embodiment of the invention is used for creating the authorization protocol, a user can customize the authorization range, the resource provider can analyze the request content when accessing the private data, and whether the private data accessed by the request is in the authorization range is checked, so that the authorization granularity is controlled. In addition, the user can customize the refreshing authorization and change the authorization scope, so that the granularity of the privacy authorization is controlled at the client.
When authorized access to the private data is used, the third party application may place the authorized access token in the request header of the data access request. The open platform verifies whether the data access request is authorized based on the authorized access token in the request header and does not analyze the specific request content. Therefore, throughout the business process, the open platform implements the user's privacy authorization without intruding on user information.
When authorized access to the private data is used, the authorized access token and the authorized refresh token are refreshed by using the authorization number, and the authorized access token is refreshed by using the authorized refresh token. Privacy authorization is thus controlled with tokens at three granularities: a long-term authorization number, a medium-term authorized refresh token, and a short-term authorized access token. This makes privacy authorization more flexible while security is still ensured.
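The two-stage check and the three token tiers described above, as an added Python sketch that is not code from the patent. The lifetimes are the text's own examples; the class, method and status names, the scope item format, and resolving tokens through the consent record so that revocation cuts them off are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 20 * 60           # short-term: 20 minutes (the text's example)
REFRESH_TTL = 90 * 24 * 3600   # medium-term: 90 days (the text's example)


@dataclass
class Consent:
    """Long-term authorization protocol, keyed by ConsentID."""
    app_id: str
    provider_id: str
    scope: frozenset      # items the user allowed, e.g. "acct-001:balance" (constructed)
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.consents = {}  # ConsentID -> Consent
        self.access = {}    # AccessToken -> (ConsentID, expiry)
        self.refresh = {}   # RefreshToken -> (ConsentID, expiry)

    def _consent_behind(self, table, token):
        """Resolve a token to its live consent, or None if any tier has lapsed."""
        consent_id, expiry = table.get(token, (None, 0.0))
        consent = self.consents.get(consent_id)
        now = self.clock()
        if consent is None or consent.revoked:
            return None
        if now >= expiry or now >= consent.expires_at:
            return None
        return consent

    def _bound_consent(self, app_id, provider_id, access_token):
        consent = self._consent_behind(self.access, access_token)
        if consent is not None and (consent.app_id, consent.provider_id) == (app_id, provider_id):
            return consent
        return None

    def issue_tokens(self, consent_id):
        """Issued once the AuthCode has been validated (validation not modelled)."""
        now = self.clock()
        access_token, refresh_token = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access_token] = (consent_id, now + ACCESS_TTL)
        self.refresh[refresh_token] = (consent_id, now + REFRESH_TTL)
        return access_token, refresh_token

    def check_authorization(self, app_id, provider_id, access_token):
        """Stage 1, called by the open platform: identifiers and token only."""
        return self._bound_consent(app_id, provider_id, access_token) is not None

    def check_granularity(self, app_id, provider_id, access_token, requested):
        """Stage 2, called by the resource provider after it parsed the request."""
        consent = self._bound_consent(app_id, provider_id, access_token)
        return consent is not None and set(requested) <= consent.scope

    def refresh_access_token(self, refresh_token):
        if self._consent_behind(self.refresh, refresh_token) is None:
            raise PermissionError("RefreshToken invalid, expired, or consent ended")
        consent_id = self.refresh[refresh_token][0]
        access_token = secrets.token_urlsafe(24)
        self.access[access_token] = (consent_id, self.clock() + ACCESS_TTL)
        return access_token

    def revoke(self, consent_id):
        """Revocation by ConsentID; outstanding tokens stop resolving (assumption)."""
        if consent_id in self.consents:
            self.consents[consent_id].revoked = True


def handle_request(server, provider_data, app_id, provider_id, access_token, requested):
    """Open platform, then resource provider, for one data access request."""
    if not server.check_authorization(app_id, provider_id, access_token):
        return "rejected_by_platform", None   # the platform never reads `requested`
    if not server.check_granularity(app_id, provider_id, access_token, requested):
        return "rejected_by_provider", None
    return "ok", {item: provider_data.get(item) for item in requested}
```

A token that is perfectly valid at the open platform is still refused by the resource provider when the request names an account outside the consented scope.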
Fig. 7 is a schematic structural diagram of a rights verification apparatus according to an embodiment of the present invention, as shown in fig. 7, the apparatus includes:
the first receiving module 701 is configured to receive a data access request sent by a third party application, where the data access request includes: an application identifier of the third party application, a provider identifier of the resource provider, and an authorized access token;
the authorization verification module 702 is configured to perform authorization verification on the data access request according to the application identifier, the provider identifier, and the authorization access token;
a request forwarding module 703, configured to forward the data access request to the resource provider in response to the data access request passing the authorization check;
a second receiving module 704, configured to receive a granularity check request returned by the resource provider for the data access request, where the granularity check request is used to verify whether the third party application has access rights to target data, and the target data is request data of the data access request;
the granularity verification module 705 is configured to obtain an authorization protocol of the third party application for the resource provider, verify the granularity verification request according to the authorization protocol, and return a verification result to the resource provider.
Optionally, the apparatus further comprises:
the token return module 706 is configured to receive a token acquisition request of the third party application for the resource provider, where the token acquisition request includes: an authorization code;
in response to the authorization code passing verification, an authorized access token is generated and returned to the third party application.
Optionally, the apparatus further comprises:
an authorization creation module 707 for receiving an authorization creation request of a third party application for a resource provider;
generating an authorization number corresponding to the authorization creation request, and returning the authorization number to the third party application;
receiving an authorization interface display request, wherein the authorization interface display request includes: an authorization number;
in response to the authorization number being within its validity period, displaying an authorization interface and acquiring input information in the authorization interface;
generating an authorization protocol and an authorization code of the third party application for the resource provider according to the input information;
returning the authorization code to the third party application.
Optionally, the apparatus further comprises:
an authorization refresh module 708, configured to receive an authorization code refresh request of a third party application for a resource provider;
acquiring an authorization number corresponding to the authorization code refresh request;
in response to the authorization number corresponding to the authorization code refresh request being within its validity period, regenerating the authorization code of the third party application for the resource provider;
returning the regenerated authorization code to the third party application.
Optionally, the apparatus further comprises:
an authorization revocation module 709 for receiving an authorization code revocation request of a third party application for a resource provider;
acquiring an authorization number corresponding to the authorization code revocation request;
and, in response to the authorization number corresponding to the authorization code revocation request being within its validity period, revoking the authorization protocol and the authorization code of the third party application for the resource provider.
Optionally, the authorization creation module 707 is further configured to:
acquiring login user information corresponding to an authorization interface display request;
and, in response to the login user information passing identity verification, generating an authorization protocol and an authorization code of the third party application for the resource provider according to the input information.
Optionally, the token return module 706 is specifically configured to:
generating an authorized access token and an authorized refresh token in response to the authorization code passing verification, and returning the authorized access token and the authorized refresh token to the third party application;
in response to the data access request failing the authorization verification, returning prompt information of the verification failure to the third party application;
receiving a token refresh request sent by a third party application, wherein the token refresh request includes: an authorization refresh token;
and in response to the authorization refresh token passing the validity verification, regenerating the authorization access token of the third party application for the resource provider, and returning the regenerated authorization access token to the third party application.
The embodiment of the invention provides electronic equipment, which comprises:
one or more processors;
storage means for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the methods of any of the embodiments described above.
The embodiment of the invention provides a computer program product, which comprises a computer program, wherein the computer program realizes the enterprise risk assessment method in the embodiment of the invention when being executed by a processor.
Referring now to FIG. 8, there is illustrated a schematic diagram of a computer system 800 suitable for use in implementing an embodiment of the present invention. The terminal device shown in fig. 8 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 8, the computer system 800 includes a Central Processing Unit (CPU) 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data required for the operation of the system 800 are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other by a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable media 811. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 801.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments of the present invention may be implemented in software or in hardware. The described modules may also be provided in a processor, which may, for example, be described as: a processor comprising a first receiving module, an authorization checking module, a request forwarding module, a second receiving module and a granularity checking module. The names of these modules do not in some cases limit the modules themselves; for example, the first receiving module may also be described as "a module for receiving a data access request sent by a third party application, where the data access request includes: an application identifier of the third party application, a provider identifier of the resource provider, and an authorized access token".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may exist alone without being fitted into the apparatus. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the following:
receiving a data access request sent by a third party application, wherein the data access request includes: the application identifier of the third party application, the provider identifier of the resource provider and the authorized access token;
performing authorization verification on the data access request according to the application identifier, the provider identifier and the authorization access token;
forwarding the data access request to the resource provider in response to the data access request passing an authorization check;
receiving a granularity check request returned by the resource provider for the data access request, wherein the granularity check request is used for verifying whether the third party application has access rights to target data, and the target data is request data of the data access request;
and acquiring an authorization protocol of the third party application for the resource provider, verifying the granularity verification request according to the authorization protocol, and returning a verification result to the resource provider.
According to the technical scheme of the embodiment of the invention, the data access request sent by the third party application is received, and the authorization verification is carried out on the data access request. If the data access request passes the authorization check, forwarding the data access request to the resource provider, and receiving a granularity check request returned by the resource provider for the data access request, wherein the granularity check request is used for verifying whether the third party application has the access right of the request data of the data access request. And verifying the granularity verification request according to an authorization protocol of the third party application for the resource provider, and returning a verification result to the resource provider. The resource provider determines whether to allow the third party application to access the request data according to the verification result. Therefore, by carrying out authorization check and granularity check on the data access request, the access authority of the third party application to the data in the resource provider can be accurately controlled, and the information security of the user is ensured.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (15)

1. A rights verification method, comprising:
receiving a data access request sent by a third party application, wherein the data access request includes: the application identifier of the third party application, the provider identifier of the resource provider and the authorized access token;
performing authorization verification on the data access request according to the application identifier, the provider identifier and the authorization access token;
forwarding the data access request to the resource provider in response to the data access request passing an authorization check;
receiving a granularity check request returned by the resource provider for the data access request, wherein the granularity check request is used for verifying whether the third party application has access rights to target data, and the target data is request data of the data access request;
and acquiring an authorization protocol of the third party application for the resource provider, verifying the granularity verification request according to the authorization protocol, and returning a verification result to the resource provider.
2. The method of claim 1, wherein prior to receiving the data access request, further comprising:
receiving a token acquisition request of the third party application for the resource provider, wherein the token acquisition request includes: an authorization code;
and generating the authorized access token and returning the authorized access token to the third party application in response to the authorization code passing verification.
3. The method of claim 2, wherein prior to receiving the token acquisition request for the resource provider by the third party application, further comprising:
receiving an authorization creation request of the third party application for the resource provider;
generating an authorization number corresponding to the authorization creation request, and returning the authorization number to the third party application;
receiving an authorization interface display request, wherein the authorization interface display request includes: the authorization number;
in response to the authorization number being within its validity period, displaying an authorization interface and acquiring input information in the authorization interface;
generating an authorization protocol and the authorization code of the third party application for the resource provider according to the input information;
and returning the authorization code to the third party application.
4. A method according to claim 3, wherein after the return of the authorization code to the third party application, further comprising:
receiving an authorization code refresh request of the third party application for the resource provider;
acquiring an authorization number corresponding to the authorization code refresh request;
in response to the authorization number corresponding to the authorization code refresh request being within its validity period, regenerating the authorization code of the third party application for the resource provider;
and returning the regenerated authorization code to the third party application.
5. A method according to claim 3, wherein after said returning said authorization code, further comprising:
receiving an authorization code revocation request of the third party application for the resource provider;
acquiring an authorization number corresponding to the authorization code revocation request;
and, in response to the authorization number corresponding to the authorization code revocation request being within its validity period, revoking the authorization protocol and the authorization code of the third party application for the resource provider.
6. The method of claim 3, wherein generating the authorization protocol and the authorization code for the resource provider by the third party application based on the input information comprises:
acquiring login user information corresponding to the authorization interface display request;
and, in response to the login user information passing identity verification, generating the authorization protocol and the authorization code of the third party application for the resource provider according to the input information.
7. The method of claim 2, wherein the generating the authorized access token and returning the authorized access token to the third party application in response to the authorization code being verified comprises:
generating the authorized access token and the authorized refresh token in response to the authorization code passing verification, and returning the authorized access token and the authorized refresh token to the third party application;
after receiving the data access request sent by the third party application, the method comprises the following steps:
in response to the data access request not passing the authorization verification, returning prompt information of the verification failure to the third party application;
receiving a token refresh request sent by the third party application, wherein the token refresh request includes: the authorization refresh token;
and in response to the authorization refresh token passing the validity verification, regenerating the authorization access token of the third party application for the resource provider, and returning the regenerated authorization access token to the third party application.
8. A rights verification apparatus, characterized by comprising:
the first receiving module is configured to receive a data access request sent by a third party application, where the data access request includes: the application identifier of the third party application, the provider identifier of the resource provider and the authorized access token;
the authorization verification module is used for carrying out authorization verification on the data access request according to the application identifier, the provider identifier and the authorization access token;
the request forwarding module is used for forwarding the data access request to the resource provider in response to the data access request passing the authorization check;
the second receiving module is used for receiving a granularity check request returned by the resource provider for the data access request, wherein the granularity check request is used for verifying whether the third party application has access authority of target data, and the target data is request data of the data access request;
the granularity verification module is used for acquiring an authorization protocol of the third party application for the resource provider, verifying the granularity verification request according to the authorization protocol, and returning a verification result to the resource provider.
9. The apparatus as recited in claim 8, further comprising:
a token return module, configured to receive a token acquisition request of the third party application for the resource provider, wherein the token acquisition request comprises: an authorization code;
and in response to the authorization code passing verification, generating the authorization access token and returning the authorization access token to the third party application.
10. The apparatus as recited in claim 9, further comprising:
an authorization creation module, configured to receive an authorization creation request of the third party application for the resource provider;
generating an authorization number corresponding to the authorization creation request, and returning the authorization number to the third party application;
receiving an authorization interface display request, wherein the authorization interface display request comprises: the authorization number;
in response to the authorization number being within its validity period, displaying an authorization interface, and acquiring input information entered in the authorization interface;
generating an authorization protocol and the authorization code of the third party application for the resource provider according to the input information;
and returning the authorization code to the third party application.
11. The apparatus as recited in claim 10, further comprising:
an authorization refresh module, configured to receive an authorization code refresh request of the third party application for the resource provider;
acquiring an authorization number corresponding to the authorization code refresh request;
in response to the authorization number corresponding to the authorization code refresh request being within its validity period, regenerating the authorization code of the third party application for the resource provider;
and returning the regenerated authorization code to the third party application.
12. The apparatus as recited in claim 10, further comprising:
an authorization revocation module, configured to receive an authorization code revocation request of the third party application for the resource provider;
acquiring an authorization number corresponding to the authorization code revocation request;
and in response to the authorization number corresponding to the authorization code revocation request being within its validity period, revoking the authorization protocol and the authorization code of the third party application for the resource provider.
13. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-7.
14. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any of claims 1-7.
15. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any of claims 1-7.
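The two-stage check in claim 8 and the refresh path in claim 7 can be sketched as follows. This is an added illustration, not code from the patent or its applicants: the class, method and field names are hypothetical, the authorization-code exchange of claims 9-10 is collapsed into a single `grant` call, and issuing the refresh token together with the access token is an assumption.

```python
import secrets
import time

class AuthGateway:
    """Hypothetical authority-verification gateway (all names are assumptions)."""
    def __init__(self, access_ttl=300):
        self.access_ttl = access_ttl
        self.agreements = {}  # (app_id, provider_id) -> data items the agreement covers
        self.access = {}      # access token -> (app_id, provider_id, expiry)
        self.refresh = {}     # refresh token -> (app_id, provider_id)

    def grant(self, app_id, provider_id, scopes, now=None):
        """Record the authorization protocol and issue access + refresh tokens."""
        now = time.time() if now is None else now
        self.agreements[(app_id, provider_id)] = frozenset(scopes)
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = (app_id, provider_id)
        return self._issue(app_id, provider_id, now), rt

    def _issue(self, app_id, provider_id, now):
        at = secrets.token_urlsafe(32)
        self.access[at] = (app_id, provider_id, now + self.access_ttl)
        return at

    def authorization_check(self, app_id, provider_id, token, now=None):
        """Coarse check: token must be bound to this app AND this provider, unexpired."""
        now = time.time() if now is None else now
        rec = self.access.get(token)
        return rec is not None and rec[:2] == (app_id, provider_id) and now < rec[2]

    def granularity_check(self, app_id, provider_id, target):
        """Fine check requested by the provider: does the agreement cover the target data?"""
        return target in self.agreements.get((app_id, provider_id), frozenset())

    def refresh_access(self, refresh_token, now=None):
        """Regenerate an access token if the refresh token is known, else None."""
        now = time.time() if now is None else now
        binding = self.refresh.get(refresh_token)
        return self._issue(*binding, now) if binding else None

def handle_request(gw, app_id, provider_id, token, target, now=None):
    """Gateway authorization check first, then the provider's granularity callback."""
    if not gw.authorization_check(app_id, provider_id, token, now):
        return "verification_failed"  # the application should send a token refresh request
    # The request is forwarded here; the provider calls back with a granularity check.
    if not gw.granularity_check(app_id, provider_id, target):
        return "denied"
    return "data:" + target
```

A token that passes the coarse check can still be refused at the granularity stage, which is what keeps a valid token from reaching data outside the authorization protocol.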
CN202310170991.7A 2023-02-27 2023-02-27 Authority verification method and device Pending CN116305321A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310170991.7A CN116305321A (en) 2023-02-27 2023-02-27 Authority verification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310170991.7A CN116305321A (en) 2023-02-27 2023-02-27 Authority verification method and device

Publications (1)

Publication Number Publication Date
CN116305321A true CN116305321A (en) 2023-06-23

Family

ID=86793489

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310170991.7A Pending CN116305321A (en) 2023-02-27 2023-02-27 Authority verification method and device

Country Status (1)

Country Link
CN (1) CN116305321A (en)

Similar Documents

Publication Publication Date Title
CN110809011B (en) Access control method and system, and storage medium
CN106487774B (en) A kind of cloud host services authority control method, device and system
US10162982B2 (en) End user control of personal data in the cloud
US9996679B2 (en) Methods and apparatus for device authentication and secure data exchange between a server application and a device
CN106953831B (en) User resource authorization method, device and system
US10581806B2 (en) Service providing method, service requesting method, information processing device, and client device
CN104954330A (en) Method of accessing data resources, device and system
CN109388937B (en) Single sign-on method and sign-on system for multi-factor identity authentication
CN111143822A (en) Application system access method and device
CN112583834A (en) Method and device for single sign-on through gateway
US9600810B2 (en) License management for device management system
CN110944021A (en) Method and system for campus unified authentication and single sign-on
CN112039878A (en) Equipment registration method and device, computer equipment and storage medium
CN114372254B (en) Multi-authentication authorization method under big data environment
CN115102744A (en) Data access method and device
CN112243007B (en) Single-user login method, equipment and storage medium
CN105656856A (en) Resource management method and device
CN114969707A (en) Single sign-on method, device, equipment and medium
CN111030816A (en) Authentication method and device for access platform of evidence obtaining equipment and storage medium
US11695779B2 (en) User management system for computing support
CN113765876B (en) Report processing software access method and device
CN116305321A (en) Authority verification method and device
CN113536365A (en) File access method, device, equipment and medium
CN114764507A (en) Method and device for realizing resource access, electronic equipment and storage medium
CN114500031B (en) System, method, electronic equipment and medium for acquiring BI report based on single sign-on

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination