CN116318746A

CN116318746A - Method and device for realizing one-key login service

Info

Publication number: CN116318746A
Application number: CN202211088775.XA
Authority: CN
Inventors: 张婉桥; 黄琳; 施尚成; 陈薇婷
Original assignee: Alipay Hangzhou Information Technology Co Ltd
Current assignee: Alipay Hangzhou Information Technology Co Ltd
Priority date: 2022-09-07
Filing date: 2022-09-07
Publication date: 2023-06-23

Abstract

The embodiment of the specification provides a method and a device for realizing one-key login service. In the method, in the first stage, the terminal device running the application client, sending the terminal device association information to the application server and obtaining the first device code is a legal terminal device, and in the second stage, if the generated first device code of the application server and the second device code obtained from the one-key login confirmation request are different, it can be determined that the terminal device running the application client in the second stage and sending the one-key login confirmation request carrying the second device code to the application server is not a legal terminal device, but is a terminal device of an attacker, so that the mobile phone number of the terminal device is prevented from being provided to the terminal device of the attacker. According to the embodiment of the specification, the safety of the one-key login service can be improved, and the disclosure of private data of a user can be avoided.

Description

Method and device for realizing one-key login service

Technical Field

One or more embodiments of the present disclosure relate to network information technology, and in particular, to a method and apparatus for implementing a push-to-talk service.

Background

With the rapid development of networks, various business applications are generated based on the networks. The user can enjoy the corresponding business application, such as watching a movie or purchasing goods, by only downloading an application client, i.e., an application program (APP), of the corresponding business application in the terminal device and registering and logging in through the application client.

In order to facilitate the use of users, a new method for logging in the APP, namely a one-key login method, is currently presented. In the one-key login method, a terminal device such as a mobile phone where an application client is located is embedded with an authentication SDK in advance, when a user requests login, the user communicates with an operator server through the SDK so as to collect a mobile phone number of the user, after the user agrees to authorization, the application client obtains a token (token) called by an interface, the token is transmitted to the application server, and the application server obtains information such as the mobile phone number of the current authorized user from the operator server by using the token, so that the login of the APP is completed.

Referring to fig. 1, in the one-key login service, the user only needs to click the related key of one-key login, and does not need to input a mobile phone number, a user name, a password, a short message verification code and the like, so that the user can complete the login and login process more conveniently and rapidly, the process which may need about 20 seconds originally is shortened to about 2 seconds, and great convenience is brought to the user.

However, the security of the current one-key login service is relatively low, which easily causes disclosure of private data of the user, so a more secure implementation method of the one-key login service is needed.

Disclosure of Invention

One or more embodiments of the present disclosure describe a method and an apparatus for implementing a one-touch login service, which can improve the security of the one-touch login service.

According to a first aspect, a method for implementing a push-to-login service is provided, including:

before a number-taking login process between an application client and an operator server is started, receiving associated information of terminal equipment which is sent by the application client and currently runs the application client;

generating a first equipment code according to the currently received associated information of the terminal equipment, and sending the first equipment code to the terminal equipment currently running the application client;

receiving a one-key login confirmation request sent by an application client; the one-key login confirmation request carries a second equipment code obtained according to the association information of the terminal equipment of the current running application client;

acquiring the second equipment code from a one-key login confirmation request;

and executing one-key login service verification processing by using the second equipment code.

The receiving, before the number-taking login process between the application client and the operator server is started, the associated information of the terminal device currently running the application client sent by the application client, including:

Receiving a one-key login initialization request sent by an application client;

and acquiring the associated information of the terminal equipment currently running the application client from the one-key login initialization request.

The step of executing one-key login service verification processing by using the second equipment code comprises the following steps: judging whether the generated first equipment code is the same as the second equipment code carried in the one-key login confirmation request in the one-key login service, if so, successfully verifying the one-key login service, and sending a number acquisition request carrying the token to an operator server; if not, the one-key login service fails to verify, and the process is ended;

or alternatively, the process may be performed,

the one-key login confirmation request further carries a token and a first operation value; the first operation value is calculated by the operator server by using the first equipment code and the token and is sent to the application client; correspondingly, the step of executing the one-key login service verification processing by using the second equipment code comprises the following steps:

calculating the second equipment code and token carried in the one-key login confirmation request by utilizing a shared symmetric key agreed with an operator server in advance, calculating a second operation value, judging whether the first operation value carried in the one-key login confirmation request is identical to the calculated second operation value, if so, successfully verifying one-key login service, and sending a number acquisition request carrying the token to the operator server; if not, the one-key login service fails to verify, and the process is ended.

Wherein after the first operation value is determined to be the same as the second operation value, the method further comprises: and carrying a second equipment code in the number acquisition request sent to the operator server so as to carry out one-key login service verification by the operator server.

The calculating the second device code and token carried in the one-key login confirmation request includes:

acquiring a token, an IP address of terminal equipment and an APP ID of the application client from a one-key login confirmation request;

and calculating the acquired token, the second equipment code, the IP address and the APP ID by utilizing a shared symmetric key which is agreed with an operator server in advance.

The association information of the terminal device includes at least one of: the method comprises the steps of a public network IP address of the terminal equipment, an intranet IP address of the terminal equipment, an identifier of a local area network used by the terminal equipment and an identification code of the terminal equipment; and/or the number of the groups of groups,

generating a device code according to the association information of the terminal device, including: and carrying out hash calculation on the associated information of the terminal equipment to obtain the equipment code.

According to a second aspect, there is provided a method for implementing a push-to-login service, including:

before the number-taking login process between an application client and an operator server is started, the associated information of terminal equipment currently running the application client is sent to the application server;

Receiving a device code, which corresponds to a terminal device currently running the application client, sent by an application server;

after the token sent by the operator server is obtained, a one-key login confirmation request is sent to the application server, wherein the one-key login confirmation request carries the token and a device code corresponding to the terminal device of the current running application client;

if the login authorization sent by the application server is received, the one-key login is successful.

After receiving the device code sent by the application server and before acquiring the token sent by the operator server, the method further comprises the following steps: carrying the equipment code of the terminal equipment corresponding to the current running application client in a newly defined message, a one-key login request or an identity verification request and sending the newly defined message, the one-key login request or the identity verification request to an operator server;

before sending the one-touch login confirmation request to the application server, the method further comprises: receiving a first operation value sent by an operator; the first operation value is calculated by using a token and a device code carried in the newly defined message, the one-key login request or the identity verification request;

the sending the one-touch login confirmation request to the application server further comprises: and carrying the received first operation value in the one-key login confirmation request and sending the first operation value to an application server.

According to a third aspect, a method for implementing a push-to-login service is provided, including:

before a token corresponding to a one-key login service is generated, a first device code sent by an application client is received;

after the token is generated, calculating a first equipment code and the generated token by utilizing a shared symmetric key which is agreed with an application server in advance so as to calculate a first operation value;

and sending the generated token and the first operation value to the application client.

The method further comprises the steps of: receiving an authentication request sent by an application client, and acquiring an IP address of a terminal device and an APP ID of the application client from the authentication request;

the calculating the first device code and the generated token includes:

and calculating the generated token, the first equipment code, the IP address of the terminal equipment and the APP ID by utilizing the shared symmetric key agreed with the application server in advance.

After the token is generated, further comprising:

establishing a first corresponding relation between the first equipment code and the generated token;

receiving a number acquisition request carrying a token and a second device code sent by an application server;

establishing a second corresponding relation between a token obtained from the number acquisition request and a second equipment code;

And judging whether the first corresponding relation is consistent with the second corresponding relation, if so, successfully verifying the one-key login service, and otherwise, failing to verify the one-key login service.

According to a fourth aspect, there is provided an apparatus for implementing a push-to-login service, the apparatus comprising:

the system comprises an associated information receiving module, a server and a server, wherein the associated information receiving module is configured to receive associated information of terminal equipment which is transmitted by an application client and is used for running the application client currently before a number taking login process between the application client and an operator server is started;

the first-stage equipment code processing module is configured to generate a first equipment code according to the currently received associated information of the terminal equipment, and send the first equipment code to the terminal equipment currently running the application client;

the second-stage equipment code processing module is configured to receive a one-key login confirmation request sent by the application client; the one-key login confirmation request carries a second equipment code obtained according to the association information of the terminal equipment of the current running application client; acquiring the second equipment code from a one-key login confirmation request;

and the verification execution module is configured to execute one-key login service verification processing by using the second equipment code.

According to a fifth aspect, there is provided an apparatus for implementing a push-to-login service, the apparatus comprising:

the system comprises an associated information sending module, a server and a server, wherein the associated information sending module is configured to send associated information of terminal equipment currently running an application client to the application server before a number taking login process between the application client and an operator server is started;

the device code acquisition module is configured to receive a device code, which corresponds to the terminal device currently running the application client, sent by the application server;

the login request module is used for sending a one-key login confirmation request to the application server after the token sent by the operator server is acquired, wherein the one-key login confirmation request carries the token and a device code corresponding to the terminal device of the current running application client; if the login authorization sent by the application server is received, the one-key login is successful.

According to a sixth aspect, there is provided an implementation apparatus of a push-to-login service, including:

the receiving module is configured to receive a first device code sent by an application client before generating a token corresponding to one-key login service;

the computing module is configured to utilize a shared symmetric key agreed with the application server in advance to compute the first equipment code and the generated token after the token is generated so as to compute a first operation value;

And the certificate issuing module is configured to send the generated token and the first operation value to the application client.

According to a seventh aspect, there is provided a computing device comprising a memory having executable code stored therein and a processor which, when executing the executable code, implements a method as described in any of the embodiments of the present specification.

The implementation method and device of the one-key login service provided by any embodiment or combination of multiple embodiments of the present disclosure have at least the following beneficial effects:

1. in the embodiment of the present disclosure, device codes of terminal devices are obtained at the application server end at different stages (a stage before the number-taking login process between the application client and the operator server is started, and a stage after the number-taking login process between the application client and the operator server is started), and verification is performed by using the device codes, so that whether a one-key login confirmation request sent by the terminal device X of an attacker is verified, the application server is prevented from providing application services corresponding to the application client for the terminal device X of the attacker, and security is improved.

2. After the number taking login process between the application client and the operator server is started, the application client does not need to send the associated information of the terminal equipment to the operator server, does not need to send the associated information of the terminal equipment to the application server, and sends the equipment codes.

3. In practical service implementation, since the sdk authority of the operator is limited and no front end exists, it is difficult to do the job of authenticating the identity of the application client, so before the application client initiates the number-taking login to the operator server, the application server authenticates the identity of the application client, and issues a dynamic equipment code (hcode), and even if hcode is lost, the user information is not leaked. The method is characterized in that the number taking of the operator server is based on gateway number taking, after an attacker steals the hcode, the operator server takes the number of the attacker, and finally the corresponding relation between the hcode and the token is inconsistent, so that the failure of number taking does not cause information leakage of legal users.

4. The one-key login service can be verified in the operator server and the application server, and the security is further improved through double verification.

Drawings

In order to more clearly illustrate the embodiments of the present description or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present description, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

Fig. 1 is a schematic diagram of an operation of a push-to-login service.

Fig. 2 is a schematic diagram of a system architecture to which an embodiment of the present specification applies.

Fig. 3 is a flow chart of a method of implementing a push-to-login service in an application server according to one embodiment of the present description.

Fig. 4 is a flowchart of a method for implementing a push-to-login service in an application client according to one embodiment of the present description.

Fig. 5 is a flow chart of a method of implementing a push to login service in an operator server according to one embodiment of the present description.

Fig. 6 is a flowchart of information interaction between an operator server, an application client, and an application server in cooperation with implementing a one-touch login service according to an embodiment of the present disclosure.

Fig. 7 is a schematic structural diagram of an implementation device of a one-touch login service in an embodiment of the present disclosure.

Fig. 8 is a schematic structural diagram of an implementation device of a one-touch login service according to another embodiment of the present disclosure.

Fig. 9 is a schematic structural diagram of an implementation device of a one-touch login service according to another embodiment of the present disclosure.

Detailed Description

The following describes the scheme provided in the present specification with reference to the drawings.

For ease of understanding the methods provided in this specification, a description of the system architecture to which this specification relates and applies is first provided. As shown in fig. 2, the system architecture mainly includes three network nodes: application clients, application servers and operator servers.

Wherein the application client is installed and running in a terminal device, which may include, but is not limited to, such as: intelligent mobile terminals, intelligent home devices, network devices, wearable devices, intelligent medical devices, PCs (personal computers), etc. The smart mobile terminal may include, for example, a mobile phone, a tablet computer, a notebook computer, a PDA (personal digital assistant), an internet car, etc. The smart home devices may include smart home devices such as smart televisions, smart air conditioners, smart water heaters, smart refrigerators, smart air cleaners, etc., and may also include smart door locks, smart sockets, smart lights, smart cameras, etc. The network devices may include, for example, switches, wireless APs, servers, etc. Wearable devices may include devices such as smart watches, smart glasses, smart bracelets, virtual reality devices, augmented reality devices, mixed reality devices (i.e., devices that can support virtual reality and augmented reality), and so forth. Smart medical devices may include devices such as smart thermometers, smart blood pressure meters, smart blood glucose meters, and the like.

The application client may be various types of applications including, but not limited to, applications such as payment type applications, multimedia play type applications, map type applications, text editing type applications, financial type applications, browser type applications, instant messaging type applications, and the like.

The operator server refers to a service end device of a provider providing network services, and may be a single server or a server group formed by a plurality of servers. The operator server is responsible for providing network services for various applications, such as security authentication, providing a one-touch login to a mobile phone number, etc.

An application server is a server of a specific application, and is specially used for providing corresponding application services for application clients, for example, for application clients such as payment treasures, and is a server for providing payment treasures services.

It should be understood that the number of application clients, application servers, operator servers in fig. 2 is merely illustrative. Any number may be selected and deployed as desired for implementation.

Referring to fig. 2, an application client, an application server, and an operator server interact through a network. The network may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.

Because the implementation method of the one-touch login service provided in the present specification relates to 3 network nodes shown in fig. 2, the following describes the processing of the operator server, the application client, and the application server in the one-touch login service respectively through different embodiments.

First, a process of the application server in the one-touch login service will be described.

Fig. 3 is a flow chart of a method of implementing a push-to-login service in an application server according to one embodiment of the present description. Referring to fig. 3, the method includes:

step 301: before a number-taking login process between an application client and an operator server is started, the application server receives associated information of terminal equipment which is sent by the application client and currently runs the application client; the association information of different terminal devices is not the same.

Step 303: and the application server generates a first equipment code according to the currently received associated information of the terminal equipment, and sends the first equipment code to the terminal equipment currently running the application client.

Step 305: the application server receives a one-key login confirmation request sent by an application client; the one-key login confirmation request carries: and obtaining a second device code according to the association information of the terminal device currently running the application client.

Step 307: the application server performs a one-touch login service authentication process using the second device code.

In existing one-touch login services, situations such as: an attacker will often monitor and attack the link from the operator server to the application client, thereby stealing the token issued by the operator server to the application client by means of its own terminal device X. Then, the attacker can send the token to the application server through the terminal device X by impersonating the legal terminal device Y where the application client is located, because the utilized token is correct, the application server can take the mobile phone number of the terminal device Y where the application client is located from the operator server, thereby causing the application server to misunderstand that the terminal device X from which the token is sent is the terminal device Y where the application client is located, namely, consider the attacker to be the legal user of the application client, thereby providing the corresponding application service for the attacker, such as playing the video data which the legal user has authority to watch or completing the transfer, and the like, thereby bringing security problems to the use of the user and possibly causing the leakage of the private data of the user.

As can be seen from the above procedure shown in fig. 3, in the flow of the one-touch login service executed by the application server, a process of generating a device code using the associated information of the terminal device is added to perform authentication using the device code. Because the association information of different terminal devices is different, the device codes obtained according to the association information of different terminal devices are different. Therefore, there are cases where:

if the situation that the attacker imitates the legal terminal device Y by using the terminal device X does not occur, in the process shown in fig. 3, in a first stage (wherein the first stage refers to a stage before the initiation of the number-taking login process between the application client and the operator server, for example, a stage before the application client sends a one-key login request to the operator server), the terminal device running the application client, sending terminal device association information to the application server and obtaining a first device code is the legal terminal device Y, and in a second stage (the second stage refers to a stage after the initiation of the number-taking login process between the application client and the operator server, for example, a stage after the application client obtains a token), the terminal device running the application client, sending a one-key login confirmation request carrying a second device code to the application server is also the legal terminal device Y, then, in the first stage, the first device code generated by the application server and the second device code acquired by the application server from the one-key login request are both legal terminal device Y, and the association information of the same terminal device Y is generated by using the same terminal device code;

In contrast, if the situation that the attacker steals the token with the terminal device X and impersonates the legal terminal device Y occurs, in the first stage, the terminal device that runs the application client, sends the terminal device association information to the application server and obtains the first device code is the legal terminal device Y, and in the second stage, the terminal device that runs the application client, sends the one-key login confirmation request carrying the second device code to the application server is the terminal device X of the attacker, because the device codes of different terminal devices are different, the first device code and the second device code respectively obtained by the application server in different stages are different.

The flow shown in fig. 3 uses this feature to perform verification, so as to verify whether the request is a one-key login confirmation request sent by the terminal device X of the attacker, avoid that the application server provides the application service corresponding to the application client for the terminal device X of the attacker, and improve security.

The processing procedure of the application server shown in fig. 3 will be described in detail with reference to specific embodiments, the processing of the operator server, and the processing of the application client.

First for step 301: before the number-taking login process between the application client and the operator server is started, the application server receives the associated information of the terminal equipment which is sent by the application client and currently runs the application client.

Before the number-taking login process between the application client and the operator server is started, for example, before the application client requests the token from the operator server, the application client sends a one-key login initialization request to the application server so as to perform one-key login initialization operation with the application server. In this way, the application client may send the association information of the terminal device currently running the application client to the application server in the one-key login initialization request, and accordingly, in step 301, the application server may obtain the association information of the terminal device currently running the application client from the one-key login initialization request.

Optionally, in this embodiment of the present disclosure, before the number registration process between the application client and the operator server is started, the application client may also send the association information of the terminal device currently running the application client to the application server, where the association information of the terminal device currently running the application client is obtained from the newly defined message by the application server in step 301.

In the embodiment of the present specification, the association information of the terminal device may be any one or a combination of several kinds of information capable of identifying the terminal device, for example, including at least one of the following: the method comprises the steps of a public network IP address of the terminal equipment, an intranet IP address of the terminal equipment, an identification of a local area network used by the terminal equipment and an identification code of the terminal equipment. The terminal device identification code may be, for example, an international mobile equipment identification code (International Mobile Equipment Identity, IMEI), an international mobile subscriber identification code (International Mobile Subscriber Identity, IMSI), etc.

Next, for step 303: and the application server generates a first equipment code according to the currently received associated information of the terminal equipment, and sends the first equipment code to the terminal equipment currently running the application client.

Here, the application server may calculate the association information of the currently received terminal device using a preset algorithm such as a hash algorithm, thereby calculating the first device code.

In the embodiment of the present specification, the manner of performing verification using the device code includes two types:

in the first mode, the verification is completed only by the application server according to the device codes obtained in two stages.

In the first mode, the application server compares whether the two device codes are identical or not, so that the application server can verify in advance, and the workload of the operator server is reduced.

And secondly, the application server and the operator server respectively finish verification according to the equipment codes obtained in the two stages.

In the second mode, the operator server performs authentication based on the two device codes, which is more than the first mode, so that the situation of authentication errors caused by the application server being clamped by an attack can be further prevented. For example, after the application server is attacked and held by an attacker, the application server directly sends the first device code generated in the first stage to the operator server in the second stage, instead of sending the second device code obtained in the second stage to the operator server, so that an error is caused in the authentication process of the operator server. The second mode further improves the safety of the one-key login service.

After step 303, the application client and the terminal device running the application client store the received first device code. It can be seen that one terminal device corresponds to one device code, and the device codes corresponding to different terminal devices are different. And then, the application client sends the first equipment code to the operator server through the terminal equipment where the application client is located.

In the one-touch login service, after step 303, the application client sends a one-touch login request to the operator server to obtain the session key from the operator server. And then, the application client side sends an identity verification request carrying the session key to the operator server so as to request the operator server to generate a token corresponding to the one-key login service. That is, after the number-taking login process between the application client and the operator server is started, the application client sends two requests, a one-touch login request and an authentication request to the operator server. Therefore, the application client may send the first device code to the operator server in the one-key login request, or may send the first device code to the operator server in the authentication request.

Then, the operator server obtains the device code corresponding to the terminal device running the application client in the first stage of the one-key login service, and marks the device code as the first device code. After the operator server generates the token according to the received authentication request, the operator server may store a correspondence between the first device code and the token generated by the operator server as a correspondence 1.

In one embodiment of the present specification, the method may further include process 1: the operator server calculates, for example, hashes, by using the shared symmetric key and the first device code, which are pre-agreed with the application server, so as to calculate a first operation value, and sends the generated first operation value and token to the application client.

In one embodiment of the present specification, the implementation method of the process 1 includes: the check of the one-key login service may be based on the check of the integrity of the server, that is, in the operator server, the IP address of the terminal device and the APP ID of the application client are further obtained from the authentication request sent from the application client; accordingly, in process 1, the method for calculating the first operand by the operator server includes:

The operator server calculates the generated token, the first device code, the IP address of the terminal device and the APP ID by using a shared symmetric key agreed with the application server in advance, thereby calculating a first operation value.

At this time, an attacker may monitor the link from the operator server to the application client, and steal the token with its terminal device X.

After the application client acquires the token sent by the operator server, the application client sends a one-key login confirmation request to the application server, wherein the one-key login confirmation request carries the token and a device code corresponding to the terminal device currently running the application client, and the device code is recorded as a second device code. The one-touch login confirmation request also carries a first operand corresponding to the process 1 executed by the operator server.

The second device code is a device code corresponding to the terminal device currently running the application client, and is obtained according to the association information of the terminal device currently running the application client. If an attacker steals the token with its own terminal device X, the terminal device X sends a one-key login confirmation request to the application server. Because the device codes corresponding to different terminal devices are different, the second device code carried by the terminal device X in the one-key login confirmation request is the device code corresponding to the terminal device X (the terminal device X sends the association information of the terminal device X to the application server, and the application server calculates the device code corresponding to the terminal device X according to the association information and sends the device code to the terminal device X), instead of the first device code corresponding to the legal terminal device Y generated by the application server in the first stage, that is, the second device code is different from the first device code. If the attacker does not steal the token, the legal terminal device Y sends a one-key login confirmation request to the application server, and the second device code carried by the terminal device Y in the one-key login confirmation request is the device code corresponding to the terminal device Y, that is, the second device code is identical to the first device code.

Next for step 305: the application server receives a one-key login confirmation request sent by an application client; the one-key login confirmation request carries a second device code, and the application server acquires the second device code from the one-key login confirmation request.

In one embodiment of the present disclosure, the first operand is further carried in the one-touch login confirmation request, and then the application server further obtains the first operand from the one-touch login confirmation request.

Next for step 307: the application server performs a one-touch login service authentication process using the second device code.

In one embodiment of the present disclosure, the implementation procedure of step 307 includes:

step 307A1: the application server determines whether the calculated first device code is identical to the second device code obtained from the one-touch login confirmation request,

step 307A3: if the first equipment code is the same as the second equipment code, the one-key login service is successfully verified, the application server sends a number acquisition request carrying a token to the operator server, and after the telephone number of the terminal equipment is acquired from the operator server, login authorization is sent to the application client;

step 307A5: if the first equipment code is different from the second equipment code, the one-key login service fails to verify, and the process is ended.

In another embodiment of the present disclosure, the implementation procedure of this step 307 includes, corresponding to the process 1 performed by the operator server:

step 307B1: the application server calculates a second equipment code and a token carried in the one-key login confirmation request by utilizing a shared symmetric key agreed with the operator server in advance, and calculates a second operation value;

in step 307B1, the application server obtains the token, the IP address of the terminal device, and the APP ID of the application client from the one-touch login confirmation request; and calculating the acquired token, the second equipment code, the IP address and the APP ID by using a shared symmetric key appointed with the operator server in advance, and calculating a second operation value.

Step 307B3: the application server judges whether the first operation value carried in the one-key login confirmation request is the same as the calculated second operation value;

step 307B5: if the first operation value is the same as the second operation value, the one-key login service is successfully verified, a number acquisition request carrying a token is sent to an operator server, and after the telephone number of the terminal equipment is acquired from the operator server, login authorization is sent to an application client;

In the embodiment of the present disclosure, if the second mode is adopted, in step 307B5, the application server sends the token and the second device code carried in the number acquisition request to the operator server, so that the operator server performs verification of the one-touch login service (see the related description of the flow shown in fig. 5 specifically). Subsequently, if the operator server passes the authentication, the application server acquires the telephone number of the terminal device from the operator server, and then sends login authorization to the application client, and if the operator server fails the authentication, the application server cannot acquire the telephone number of the terminal device from the operator server.

Step 307B7: if the first operation value is different from the second operation value, the one-key login service fails to verify, and the process is ended.

The following describes the relevant processing of an application client in a push-to-talk service in the embodiment of the present specification.

Fig. 4 is a flowchart of a method for implementing a push-to-login service in an application client according to one embodiment of the present description. Referring to fig. 4, the method includes:

step 401: before a number-taking login process between an application client and an operator server is started, the application client sends association information of terminal equipment currently running the application client to the application server.

Referring to the above description of step 301, in step 401, the application client may send the association information of the terminal device currently running the application client to the application server in the one-touch login initialization request, or the application client may send the association information of the terminal device currently running the application client to the application server in the newly defined request.

Step 403: the application client receives the device code, which corresponds to the terminal device currently running the application client, sent by the application server and records the device code as a first device code.

Referring to the above description, between step 403 and step 405, a number-taking login process between the application client and the operator server is performed, the application client sends the operator server with the first device code carried in the newly defined message, the one-key login request or the authentication request, and the operator server stores the correspondence 1 between the first device code and the token, and further calculates the first operation value. And then, the application client receives the token issued by the operator server and the first operation value calculated by using the first equipment code.

Step 405: after the application client acquires the token sent by the operator server, the application client sends a one-key login confirmation request to the application server, wherein the one-key login confirmation request carries the token and a device code corresponding to the terminal device of the current running application client, and the device code is recorded as a second device code.

Referring to the above description, the first operand may be further carried in the one-touch login confirmation request corresponding to the process 1 performed by the operator server.

Step 405: and if the application client receives the login authorization sent by the application server, the one-key login is successful.

The following describes the relevant processing of the operator server in the one-touch login service in the embodiment of the present specification.

Fig. 5 is a flow chart of a method of implementing a push to login service in an operator server according to one embodiment of the present description. Referring to fig. 5, the method corresponds to process 1 performed by an operator server, the method comprising:

step 501: before generating a token corresponding to the one-key login service, the operator server receives a first device code sent by an application client.

Step 503: after the token is generated, the operator server calculates the first device code and the generated token by using the shared symmetric key agreed with the application server in advance to calculate a first operation value.

The operator server receives an authentication request sent by an application client, and acquires an IP address of a terminal device and an APP ID of the application client from the authentication request; thus, the implementation of this step 503 includes: the operator server calculates the generated token, the first device code, the IP address of the terminal device and the APP ID by using a shared symmetric key agreed with the application server in advance, so as to calculate a first operation value.

Step 505: and the operator server sends the generated token and the first operation value to the application client.

In the embodiment of the present disclosure, if the verification process is performed in the second mode, in step 503, the operator server further establishes a correspondence between the first device code and the generated token, and records the correspondence as a correspondence 1 after generating the token. Accordingly, step 505 further comprises, after:

step 507: the operator server receives a number acquisition request carrying a token and a second device code sent by an application server;

step 509: the operator server establishes a corresponding relation between the token obtained from the number acquisition request and the second equipment code, and records the corresponding relation as a corresponding relation 2.

Step 511: and the operator server judges whether the corresponding relation 1 is consistent with the corresponding relation 2, if so, the verification of the one-key login service is successful, and if not, the verification of the one-key login service is failed.

The implementation method of the one-key login service is described below in combination with the cooperation of the application client, the application server and the operator server. In this method, the process 1 executed by the corresponding operator server and described by taking the verification in the second mode as an example, see fig. 6, includes:

Step 601: the application client sends a one-key login initialization request to an application server to which the application client belongs through a special link, wherein the request carries the associated information of the terminal equipment currently running the application client.

Step 603: the application server acquires the associated information of the terminal equipment from the one-key login initialization request, carries out hash calculation on the associated information, and calculates a first equipment code.

Step 605: and the application server sends the first equipment code to the application client, and the application client obtains the equipment code corresponding to the terminal equipment currently running the application client, namely the first equipment code.

Step 607: the application client sends a one-key login request to the operator server, wherein the one-key login request carries the APP ID and the first equipment code.

Step 609: the operator server obtains the first device code from the one-key login request and then sends the generated session key to the application client.

Step 611: the application client gets the user authorization, i.e. the user clicks a one-touch login key on the screen.

Step 613: the application client sends an authentication request carrying the APP ID, the timestamp and the IP address of the terminal equipment to the operator server by using the session key so as to request the token.

Here, the IP address carried in the authentication request is: the IP address of the terminal device where the application client is located may include an IPv4 address and an IPv6 address.

Step 615: after receiving the authentication request, the operator server generates a token, and establishes and stores a corresponding relation 1 between the first device code and the generated token.

Step 617: the operator server calculates the generated token, the first device code, the IP address of the terminal device and the APP ID by using a shared symmetric key agreed with the application server in advance, so as to calculate a first operation value.

Step 619: and the operator server transmits the token and the first operation value to the application client.

Step 621: the application client sends a one-key login confirmation request to the application server, wherein the request carries a token, a first operation value, an IP address of terminal equipment, an APP ID and a device code corresponding to the terminal equipment currently running the application client, and the device code is recorded as a second device code.

Step 623: the application server calculates a token, a second device code, an IP address of the terminal device and an APP ID carried in the one-key login confirmation request by utilizing a shared symmetric key agreed with the operator server in advance so as to calculate a second operation value.

Step 625: the application server judges whether the first operation value carried in the one-key login confirmation request is the same as the calculated second operation value, if so, step 627 is executed, otherwise, the one-key login verification fails, and the current flow is ended.

Step 627: the application server sends a number acquisition request to the operator server, wherein the number acquisition request carries the APP ID, the token and the second equipment code.

Step 629: the operator server establishes a corresponding relation 2 of the token acquired from the number acquisition request and the second equipment code, judges whether the corresponding relation 1 is consistent with the corresponding relation 2, if not, the one-key login verification fails, the mobile phone number of the terminal equipment is not sent to the application server, and the current flow is ended; if so, step 631 is performed.

Step 631: the one-key login verification is successful, and the operator server sends the mobile phone number of the terminal equipment to the application server.

Step 633: and if the application server receives the mobile phone number of the terminal equipment sent by the operator server, carrying out login authorization on the application client, otherwise, carrying out one-key login failure.

In one embodiment of the present disclosure, a device for implementing a one-touch login service is provided, where the device is disposed in an application server, and referring to fig. 7, the device includes:

The association information receiving module 701 is configured to receive association information of a terminal device currently running the application client sent by the application client before a number taking login process between the application client and an operator server is started;

a first stage device code processing module 702, configured to generate a first device code according to the currently received association information of the terminal device, and send the first device code to the terminal device currently running the application client;

a second stage device code processing module 703 configured to receive a one-touch login confirmation request sent from the application client; the one-key login confirmation request carries a second equipment code obtained according to the association information of the terminal equipment of the current running application client; acquiring the second equipment code from a one-key login confirmation request;

and the verification execution module 704 is configured to execute one-key login service verification processing by using the second device code.

In the embodiment of the present description apparatus shown in fig. 7, the association information receiving module 701 is configured to perform:

receiving a one-key login initialization request sent by an application client;

In the embodiment of the present description apparatus shown in fig. 7, the verification execution module 704 is configured to execute: judging whether the generated first equipment code is the same as the second equipment code carried in the one-key login confirmation request in the one-key login service, if so, successfully verifying the one-key login service, and sending a number acquisition request carrying the token to an operator server; if not, the one-key login service fails to verify, and the process is ended.

In the embodiment of the present disclosure shown in fig. 7, the token and the first operand are further carried in the one-touch login confirmation request; the first operation value is calculated by the operator server by using the first equipment code and the token and is sent to the application client; accordingly, the verification execution module 704 is configured to execute:

In the embodiment of the present description apparatus shown in fig. 7, the verification execution module 704 is configured to execute:

after the first operation value is judged to be the same as the second operation value, the second equipment code is further carried in the number acquisition request sent to the operator server, so that the operator server performs one-key login service verification.

In the embodiment of the apparatus of this specification shown in fig. 7, the association information of the terminal device includes at least one of the following: the method comprises the steps of a public network IP address of the terminal equipment, an intranet IP address of the terminal equipment, an identification of a local area network used by the terminal equipment and an identification code of the terminal equipment.

In the embodiment of the apparatus of this specification shown in fig. 7, the first stage device code processing module 702 is configured to perform hash computation on the association information of the terminal device to obtain the device code.

In one embodiment of the apparatus of the present specification, an implementation apparatus of a one-touch login service is provided, where the apparatus is applied to an application client, and referring to fig. 8, the apparatus includes:

a related information sending module 801 configured to send related information of a terminal device currently running the application client to the application server before a number taking login process between the application client and the operator server is started;

a device code obtaining module 802, configured to receive a device code corresponding to a terminal device currently running the application client sent by the application server;

a login request module 802, after obtaining a token sent by an operator server, sends a one-key login confirmation request to an application server, where the one-key login confirmation request carries the token and a device code corresponding to a terminal device currently running the application client; if the login authorization sent by the application server is received, the one-key login is successful.

In one embodiment of the apparatus of the present specification shown in fig. 8, the apparatus further includes a number-taking login initiation module configured to send, after the device code obtaining module 802 receives the device code sent by the application server and before obtaining the token sent by the operator server, a device code corresponding to the terminal device currently running the application client to the operator server in a newly defined message, a one-key login request, or an authentication request;

Accordingly, the login request module 803 is further configured to receive the first operand sent by the operator before sending a push-to-login confirmation request to the application server; the first operation value is calculated by using a token and a device code carried in the newly defined message, the one-key login request or the identity verification request; and carrying the received first operation value in a one-key login confirmation request and sending the first operation value to the application server.

In one embodiment of the present disclosure, a device for implementing a push-to-talk service is provided, which is applied to an operator server, and includes:

a receiving module 901, configured to receive a first device code sent by an application client before generating a token corresponding to a one-key login service;

a calculation module 902 configured to calculate, after the token is generated, the first device code and the generated token by using the shared symmetric key agreed in advance with the application server, so as to calculate a first operation value;

the credential issuing module 903 is configured to send the generated token and the first operand to the application client.

In one embodiment of the present description apparatus shown in fig. 9, the receiving module 901 is further configured to perform: receiving an authentication request sent by an application client, and acquiring an IP address of a terminal device and an APP ID of the application client from the authentication request;

Accordingly, the computing module 902 is configured to perform: and calculating the generated token, the first equipment code, the IP address of the terminal equipment and the APP ID by utilizing the shared symmetric key agreed with the application server in advance.

In the embodiment of the present description apparatus shown in fig. 9, further comprising a verification processing module 904 configured to perform:

after the token is generated by the credential issuing module 903, a first correspondence between the first device code and the generated token is established;

An embodiment of the present specification provides a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of the embodiments of the specification. An embodiment of the present specification provides a computing device including a memory having executable code stored therein and a processor that, when executing the executable code, performs a method of any of the embodiments of the present specification.

It should be understood that the structures illustrated in the embodiments of the present specification do not constitute a particular limitation on the apparatus of the embodiments of the present specification. In other embodiments of the specification, the apparatus may include more or less components than illustrated, or certain components may be combined, or certain components may be split, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.

The content of information interaction and execution process between the modules in the device and the system is based on the same concept as the method embodiment of the present specification, and specific content can be referred to the description in the method embodiment of the present specification, which is not repeated herein.

In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.

Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in hardware, software, a pendant, or any combination thereof. When implemented in software, these functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.

The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.

Claims

1. The implementation method of the one-key login service comprises the following steps:

acquiring the second equipment code from a one-key login confirmation request;

2. The method of claim 1, wherein the receiving, before the number registration process between the application client and the operator server is started, the association information of the terminal device currently running the application client from the application client includes:

receiving a one-key login initialization request sent by an application client;

3. The method according to claim 1,

or alternatively, the process may be performed,

4. The method of claim 3, wherein after determining that the first operand is the same as the second operand, further comprising: and carrying a second equipment code in the number acquisition request sent to the operator server so as to carry out one-key login service verification by the operator server.

5. The method of claim 3, wherein the computing the second device code and token carried in the one-touch login confirmation request comprises:

and calculating the acquired token, the second equipment code, the IP address and the APPID by utilizing a shared symmetric key which is agreed with the operator server in advance.

6. The method of claim 1, the association information of the terminal device comprising at least one of: the method comprises the steps of a public network IP address of the terminal equipment, an intranet IP address of the terminal equipment, an identifier of a local area network used by the terminal equipment and an identification code of the terminal equipment;

and/or the number of the groups of groups,

7. The implementation method of the one-key login service comprises the following steps:

8. The method of claim 7, wherein,

9. The implementation method of the one-key login service comprises the following steps:

10. The method of claim 9, the method further comprising: receiving an authentication request sent by an application client, and acquiring an IP address of a terminal device and an APP ID of the application client from the authentication request;

the calculating the first device code and the generated token includes:

11. The method of claim 9, further comprising, after the generating token:

12. An implementation device of one-key login service, the device comprising:

13. An implementation device of one-key login service, the device comprising:

14. The implementation device of the one-key login service comprises:

15. A computing device comprising a memory having executable code stored therein and a processor, which when executing the executable code, implements the method of any of claims 1-11.