CN116502201A - OIDC-based robot identity verification and authorization system and method - Google Patents


Info

Publication number
CN116502201A
Authority
CN
China
Prior art keywords
robot
user
oidc
authorization
resource
Prior art date
Legal status
Pending
Application number
CN202310603759.8A
Other languages
Chinese (zh)
Inventor
谢超
马辰
王本强
李洪生
李朝铭
程瑶
Current Assignee
Shandong New Generation Information Industry Technology Research Institute Co Ltd
Original Assignee
Shandong New Generation Information Industry Technology Research Institute Co Ltd
Priority date
Filing date
Publication date

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30Computing systems specially adapted for manufacturing

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Safety Devices In Control Systems (AREA)

Abstract

The invention discloses an OIDC-based robot identity authentication and authorization system and method, belonging to the technical field of robots and information security. The technical problem it solves is how to perform secure identity authentication and authorization of a user of a robot and so improve the robot's security. The adopted technical scheme is as follows: the system comprises a building module, a registration module, a robot-side authentication component and a robot-side resource component; the building module builds the OIDC provider based on Keycloak; the registration module registers the user's information on the OIDC provider; the robot-side authentication component registers with the OIDC provider to obtain the ClientID assigned by the OIDC provider, making it a trusted client, and also holds an ROS node that issues Token information; the robot-side resource component is deployed on one ROS node of the robot and receives Token information.

Description

OIDC-based robot identity verification and authorization system and method
Technical Field
The invention relates to the technical field of robots and information security, in particular to a robot identity verification and authorization system and method based on OIDC.
Background
As applications of robots in various fields continue to expand, interactions between robots and users become more and more frequent. In scenarios where authentication and authorization are required, conventional usernames and passwords no longer meet security requirements.
Existing robot identity verification and authorization techniques rely primarily on traditional usernames and passwords, or on Role-Based Access Control (RBAC for short). Usernames and passwords are easy to guess and crack, and the RBAC method requires managing a large number of roles and permissions, so the workload is large and errors occur easily.
Therefore, how to perform secure identity authentication and authorization of a user of a robot, and thereby improve the robot's security, is a technical problem that the prior art has yet to solve.
Disclosure of Invention
The invention aims to provide a robot identity verification and authorization system and method based on OIDC, which are used for solving the problem of how to carry out safe identity authentication and authorization on a user using a robot and improving the safety of the robot.
The technical task of the invention is realized as follows: a robot identity verification and authorization system based on OIDC comprises a building module, a registration module, a robot-side authentication component (Robot Relying Party, RP for short) and a robot-side resource component (Robot Resource Node);
the building module is used for building an OIDC Provider (OP) based on Keycloak;
the registration module is used for registering information of the user on the OIDC provider; registration information includes user name, gender, email, telephone number and other resources, such as location information;
the robot end authentication component is used for registering with the OIDC provider to obtain the ClientID distributed by the OIDC provider as a trusted client end, and is also used for holding an ROS node and issuing Token information;
the robot resource component is deployed at one ROS node of the robot and is used for receiving Token information.
Preferably, the registration information includes a user name, gender, email, telephone number, and other resources, such as location information.
Preferably, the robot end authentication component is deployed at the robot end and provides a resource interface accessible by a third party in the form of a RestAPI; the resource interface accessible by the third party comprises a control robot moving interface and a control robot rotating interface.
More preferably, when a User (End User) accesses a robot-side resource, the procedure is as follows:
the user sends a request to the RestAPI provided by the robot authentication component;
the robot authentication component initiates a user authorization request by redirecting the browser to the authorization page of the OIDC provider, which checks the session of the currently authorized user:
if no session exists, a login frame is popped up so that the user can log in; after the login succeeds, the user makes an authorization selection, for example allowing the robot to access the user's position information.
Preferably, after the authorization is completed, the OIDC provider proceeds to a callback page provided by the robot-side authentication component with an authorization Code attached, and the robot-side authentication component calls an interface provided by the OIDC provider with the authorization Code to obtain an ID Token and an Access Token;
the robot authentication component then jumps to an authorization success page, which informs the user that the robot has successfully authenticated the user and can access the user's resources.
More preferably, the robot-side authentication component issues the Access Token through the ROS Node; after receiving the Access Token, the robot-side resource component submits a resource request to the OIDC provider using the Access Token, and once the OIDC provider has verified it, user resources (such as position information) are returned to the robot side; the robot side uses the user resource to perform a corresponding operation, such as navigating to a specified location.
A robot identity verification and authorization method based on OIDC comprises the following steps:
constructing an OIDC Provider (OP) based on Keycloak;
the user and the robot authentication component register on the OIDC Provider (OP), the robot authentication component becoming a trusted client;
the robot-side authentication component is deployed at the robot side and provides a resource interface accessible by a third party in the form of a RestAPI;
when a user needs to access a robot resource, for example to control the movement of the robot, a request is sent to the RestAPI provided by the robot authentication component; the robot authentication component initiates a user authorization request by redirecting the browser to the authorization page of the OIDC provider, and the OIDC provider checks the session of the currently authorized user:
if no session exists, a login frame is popped up so that the user can log in; after the login succeeds, the user makes an authorization selection, for example allowing the robot to access the user's position information;
after the authorization is completed, the OIDC provider proceeds to a callback page provided by the robot-side authentication component with an authorization Code attached, and the robot-side authentication component calls an interface provided by the OIDC provider with the authorization Code to obtain an ID Token and an Access Token; the robot authentication component then jumps to an authorization success page, which informs the user that the robot has successfully authenticated the user and can access the user's resources;
the robot-side authentication component issues the Access Token through the ROS Node; after receiving the Access Token, the robot-side resource component submits a resource request to the OIDC provider using the Access Token, and once the OIDC provider has verified it, user resources (such as position information) are returned to the robot side; the robot uses the user resources to perform corresponding operations, such as navigating to a specified location.
Preferably, the registration information includes a user name, gender, email, telephone number, and other resources, such as location information;
the resource interface accessible by a third party includes a control robot movement interface and a control robot rotation interface.
Preferably, the robot authentication component holds a ROS node for issuing Token information.
Preferably, the resource component of the robot end is an ROS node deployed at the robot end, and is configured to receive Token information.
OIDC is a simple identity protocol and open standard built on the OAuth 2.0 protocol; it lets client applications verify the identity of a user by relying on authentication performed by the OpenID Connect provider (OP).
OP: OpenID Connect provider.
RP: Relying Party, a trusted client that applies for the trusted information.
ROS: Robot Operating System.
ID Token: a JWT containing authentication information.
Access Token: a token for accessing a resource.
JWT: JSON Web Token, an open standard (RFC 7519) that defines a compact, self-contained way to securely transfer information between parties as JSON objects.
OAuth: Open Authorization, an open standard that lets a user grant a third-party application access to private resources the user stores on a website, without giving the third-party application the user's name and password.
RBAC: Role-Based Access Control.
Keycloak: an open source software product intended to provide a single sign-on tool with identity management and access management functions for modern applications and services.
The robot identity verification and authorization system and method based on OIDC have the following advantages:
(1) the invention is based on OIDC, an open authentication and authorization standard that is already widely used and is secure, reliable and easy to implement;
(2) the ID Token and the Access Token acquired by the robot authentication component expire after a short time, which ensures security;
(3) being based on OIDC technology, the invention has higher security and reliability and avoids the defects of the traditional username-and-password and RBAC methods; at the same time it uses an open standard, so it is easy to implement and extend, has wide applicability, and can be applied to various robot business scenarios;
(4) the invention uses OIDC technology for identity authentication and authorization, and OIDC provides a unified method of identity authentication and authorization, so that the robot can authenticate and authorize rapidly and accurately;
(5) the robot authentication component can rapidly and accurately process authentication and authorization requests from users and execute the corresponding operations according to those requests;
(6) the robot resource component can authorize access to user resources according to the user's requirements, so that the security of both parties is ensured;
(7) the invention has high security: the robot side uses the OIDC protocol for identity verification and authorization, so the robot can complete verification and authorization rapidly and accurately, and the security of verification and authorization is ensured;
(8) the robot based on OIDC technology performs identity authentication and authorization of the user, so that a user of the robot can be securely authenticated and authorized, and the security of the robot is improved.
Drawings
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a flow diagram of an OIDC-based robot authentication and authorization method.
Detailed Description
The robot authentication and authorization system and method based on OIDC of the present invention will be described in detail with reference to the accompanying drawings and specific embodiments.
Example 1:
the embodiment provides a robot identity verification and authorization system based on OIDC, which comprises a building module, a registration module, a robot end authentication component (Robot Relying Party, RP for short) and a robot end resource component (Robot Resource Node);
the building module is used for building an OIDC Provider (OP) based on Keycloak;
the registration module is used for registering information of the user on the OIDC provider; registration information includes user name, gender, email, telephone number and other resources, such as location information;
the robot end authentication component is used for registering with the OIDC provider to obtain the ClientID distributed by the OIDC provider as a trusted client end, and is also used for holding an ROS node and issuing Token information;
the robot resource component is deployed at one ROS node of the robot and is used for receiving Token information.
The registration information in this embodiment includes a user name, gender, email, telephone number, and other resources such as location information.
The robot end authentication component in the embodiment is deployed at the robot end and provides a resource interface accessible by a third party in the form of a RestAPI; the resource interface accessible by the third party comprises a control robot moving interface and a control robot rotating interface.
In this embodiment, when a User (End User) accesses a robot resource, the procedure is as follows:
(1) Transmitting a request to a RestAPI provided by the robot authentication component;
(2) The robot-side authentication component initiates a user authorization request by redirecting the browser to the authorization page of the OIDC provider, which checks the session of the current authorized user:
if the session is not available, a login frame is popped up to enable the user to login, and after the login is successful, the user performs authorization selection, for example, the robot is allowed to access the position information of the user.
(3) After the authorization is completed, the OIDC provider proceeds to a callback page provided by the robot-side authentication component with an authorization Code attached, and the robot-side authentication component calls an interface provided by the OIDC provider with the authorization Code to obtain an ID Token and an Access Token; the robot authentication component then jumps to an authorization success page, which informs the user that the robot has successfully authenticated the user and can access the user's resources;
(4) The robot-side authentication component issues the Access Token through the ROS Node; after receiving the Access Token, the robot-side resource component submits a resource request to the OIDC provider using the Access Token, and once the OIDC provider has verified it, user resources (such as position information) are returned to the robot side; the robot side uses the user resource to perform a corresponding operation, such as navigating to a specified location.
Example 2:
as shown in fig. 1, this embodiment provides a robot identity verification and authorization method based on OIDC, which specifically includes the following steps:
S1, constructing an OIDC Provider (OP) based on Keycloak;
S2, the user and the robot authentication component register on the OIDC Provider (OP), the robot authentication component becoming a trusted client;
s3, the robot end authentication component is deployed at the robot end and provides a resource interface accessible by a third party in the form of a RestAPI;
s4, when a user needs to access the robot resource, for example, when controlling the robot to move, a request is sent to a RestAPI provided by a robot authentication component, the robot authentication component initiates a user authorization request by redirecting a browser to an authorization page of an OIDC provider, and the OIDC provider checks the session of the current authorized user:
if no session exists, a login frame is popped up to enable the user to login, and after login is successful, the user performs authorization selection, for example, the robot is allowed to access the position information of the user;
S5, after the authorization is completed, the OIDC provider proceeds to a callback page provided by the robot-side authentication component with an authorization Code attached, and the robot-side authentication component calls an interface provided by the OIDC provider with the authorization Code to obtain an ID Token and an Access Token; the robot authentication component then jumps to an authorization success page, which informs the user that the robot has successfully authenticated the user and can access the user's resources;
s6, the robot terminal authentication component issues an Access Token through the ROS Node, after receiving the Access Token, the robot terminal resource component submits a resource application to an OIDC provider by using the Access Token, and after the OIDC provider passes the authentication, user resources (such as position information) are returned to the robot terminal; the robot uses the user resources to perform corresponding operations, such as navigating to a specified location.
The registration information in step S2 of the present embodiment includes a user name, a gender, an Email, a telephone number, and other resources, such as location information.
The third accessible resource interface in step S3 of the present embodiment includes a control robot moving interface and a control robot rotating interface.
In step S3 of this embodiment, the robot authentication component holds a ROS node for issuing Token information.
In step S6 of this embodiment, the resource component at the robot end is a ROS node deployed at the robot end, and is configured to receive Token information.
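The following Python is an added example, not code from the patent and not a Keycloak integration: it walks the flow of Example 1, steps (1) to (4), and Example 2, steps S1 to S6, end to end, with the three parties (the robot-side authentication component as Relying Party, the OP, and the robot resource node) as in-process objects so that it runs offline. Everything named here is constructed: StubOP, RobotRP, navigate_to_user and run_flow, the issuer https://op.example/realms/robot, the client robot-rp, the user alice and her location lab-2. The stand-in OP signs ID Tokens with HS256 rather than the RS256 that Keycloak uses (Keycloak publishes its signing keys on a JWKS endpoint), so the signature check is a shared-secret HMAC; the iss, aud, nonce and exp checks, the single-use authorization Code, the state bound to the login the RP started, and the userinfo call gated by the consented scope are the checks a real RP and OP perform.

```python
# Added example, not code from the patent: robot RP, constructed stand-in OP, robot resource node.
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

b64url = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
b64url_decode = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims, key):
    """Compact JWS with HS256 (Keycloak uses RS256 with keys from its JWKS endpoint; same checks apply)."""
    head, body = b64url(json.dumps({"alg": "HS256"}).encode()), b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_id_token(token, key, issuer, client_id, nonce, now=None):
    """RP-side ID Token validation: signature first, then iss, aud, nonce and exp."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # pin the algorithm; never trust the header
    expected = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer or claims.get("aud") != client_id or claims.get("nonce") != nonce:
        raise PermissionError("iss, aud or nonce mismatch")  # wrong OP, wrong client or replayed token
    if claims.get("exp", 0) <= (int(time.time()) if now is None else now):
        raise PermissionError("ID Token expired")  # tokens are deliberately short-lived
    return claims

class StubOP:
    """Constructed OP with authorize, token and userinfo endpoints (stands in for Keycloak)."""
    USERS = {"alice": {"sub": "u-1001", "location": "lab-2"}}  # constructed user record

    def __init__(self, issuer, client_id, client_secret, ttl=300):
        self.issuer, self.clients, self.ttl = issuer, {client_id: client_secret}, ttl
        self.codes, self.access_tokens = {}, {}

    def authorize(self, p, user, consented):  # login page + consent page, then redirect to the RP
        if not consented:
            return p["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": p["state"]})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (p["client_id"], p["redirect_uri"], p["nonce"], user, p["scope"].split())
        return p["redirect_uri"] + "?" + urlencode({"code": code, "state": p["state"]})

    def token(self, code, client_id, client_secret, redirect_uri):
        entry = self.codes.pop(code, None)  # an authorization Code is single use
        if entry is None or entry[:2] != (client_id, redirect_uri) or self.clients.get(client_id) != client_secret:
            raise PermissionError("invalid_grant")
        _, _, nonce, user, scopes = entry
        now = int(time.time())
        id_token = sign_hs256({"iss": self.issuer, "sub": self.USERS[user]["sub"], "aud": client_id,
                               "nonce": nonce, "iat": now, "exp": now + self.ttl}, client_secret)
        access = secrets.token_urlsafe(24)
        self.access_tokens[access] = (user, scopes, now + self.ttl)
        return {"id_token": id_token, "access_token": access, "expires_in": self.ttl}

    def userinfo(self, access_token):  # release only consented claims, only while the token is live
        entry = self.access_tokens.get(access_token)
        if entry is None or entry[2] <= time.time():
            raise PermissionError("invalid_token")
        user, scopes, _ = entry
        info = {"sub": self.USERS[user]["sub"]}
        if "location" in scopes:
            info["location"] = self.USERS[user]["location"]
        return info

class RobotRP:
    """Robot-side authentication component (Relying Party)."""
    def __init__(self, op, client_id, client_secret, redirect_uri):
        self.op, self.client_id, self.client_secret, self.redirect_uri = op, client_id, client_secret, redirect_uri
        self.pending = {}  # state -> nonce for logins this RP started

    def start_login(self, scope="openid location"):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return {"client_id": self.client_id, "response_type": "code", "scope": scope,
                "redirect_uri": self.redirect_uri, "state": state, "nonce": nonce}

    def handle_callback(self, callback_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        nonce = self.pending.pop(q.get("state", ""), None)  # unknown or reused state: reject (CSRF)
        if nonce is None:
            raise PermissionError("unknown state")
        if "error" in q:
            raise PermissionError(q["error"])
        tokens = self.op.token(q["code"], self.client_id, self.client_secret, self.redirect_uri)
        claims = verify_id_token(tokens["id_token"], self.client_secret, self.op.issuer, self.client_id, nonce)
        return claims, tokens["access_token"]

def navigate_to_user(op, access_token):  # robot resource node: spend the Access Token at userinfo
    info = op.userinfo(access_token)
    if "location" not in info:
        raise PermissionError("user did not grant location")
    return f"navigating to {info['location']}"

def run_flow(consented=True):  # steps S1-S6 end to end; returns (user subject, robot action)
    op = StubOP("https://op.example/realms/robot", "robot-rp", "constructed-secret")  # S1, S2
    rp = RobotRP(op, "robot-rp", "constructed-secret", "https://robot.example/callback")  # S3
    callback = op.authorize(rp.start_login(), "alice", consented)  # S4: redirect to OP, log in, consent
    claims, access = rp.handle_callback(callback)  # S5: Code -> ID Token + Access Token
    return claims["sub"], navigate_to_user(op, access)  # S6: resource node uses the Access Token
```

run_flow() returns ("u-1001", "navigating to lab-2"). The failure modes the description leaves implicit are where the checks earn their place: a user who declines consent produces an access_denied callback and no tokens; replaying a callback URL fails because its state was consumed on first use; an ID Token with a foreign issuer, another client's audience, a stale nonce or a past exp is rejected before any resource is touched; and an Access Token issued without the location scope gets a userinfo response without location, so the resource node refuses to navigate rather than acting on data the user never granted.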
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (10)

1. The robot identity verification and authorization system based on OIDC is characterized by comprising a building module, a registration module, a robot end authentication component and a robot end resource component;
the building module is used for building the OIDC provider based on Keycloak;
the registration module is used for registering information of the user on the OIDC provider; registration information includes user name, gender, email, telephone number, and other resources;
the robot end authentication component is used for registering with the OIDC provider to obtain the ClientID distributed by the OIDC provider as a trusted client end, and is also used for holding an ROS node and issuing Token information;
the robot resource component is deployed at one ROS node of the robot and is used for receiving Token information.
2. The OIDC-based robot identity verification and authorization system of claim 1, wherein the registration information includes a user name, gender, email, telephone number, and other resources.
3. The OIDC-based robot identity verification and authorization system according to claim 1 or 2, wherein the robot-side authentication component is deployed at a robot-side and provides a resource interface accessible to a third party in the form of a RestAPI; the resource interface accessible by the third party comprises a control robot moving interface and a control robot rotating interface.
4. The OIDC-based robot identity verification and authorization system of claim 3, wherein when a user accesses a robot-side resource, the system is specifically as follows:
sending a request to a RestAPI provided by a robot authentication component;
the robot authentication component initiates a user authorization request by redirecting the browser to the authorization page of the OIDC provider, which checks the session of the current authorized user:
if no session exists, a login frame is popped up to enable the user to login, and after login is successful, the user performs authorization selection.
5. The system of claim 4, wherein after the authorization is completed, the OIDC provider proceeds to the callback page provided by the robot-side authentication component with an authorization Code attached, and the robot-side authentication component calls the interface provided by the OIDC provider with the authorization Code to obtain the ID Token and the Access Token;
the robot authentication component jumps to an authorization success page, prompts the user that the robot successfully authenticates the user and can access the user resource.
6. The system of claim 5, wherein the robot authentication component issues an Access Token through the ROS Node, the robot resource component submits a resource application to the OIDC provider using the Access Token after receiving the Access Token, and the OIDC provider returns the user resource to the robot after the authentication is passed; and the robot end uses the user resource to execute corresponding operation.
7. The robot identity verification and authorization method based on OIDC is characterized by comprising the following steps:
constructing an OIDC provider based on Keycloak;
the user and the robot authentication component register on the OIDC provider, the robot authentication component becoming a trusted client;
the robot end authentication component is deployed at the robot end and provides a resource interface accessible by a third party in the form of a RestAPI;
when a user needs to access a robot resource, a request is sent to a RestAPI provided by a robot authentication component, the robot authentication component initiates a user authorization request by redirecting a browser to an authorization page of an OIDC provider, and the OIDC provider checks the session of the current authorized user:
if no session exists, a login frame is popped up to enable the user to login, and after login is successful, the user performs authorization selection;
after the authorization is completed, the OIDC provider proceeds to a callback page provided by the robot-side authentication component with an authorization Code attached, and the robot-side authentication component calls an interface provided by the OIDC provider with the authorization Code to obtain an ID Token and an Access Token; the robot authentication component then jumps to an authorization success page, which informs the user that the robot has successfully authenticated the user and can access the user's resources;
the robot-side authentication component issues the Access Token through the ROS Node; after receiving the Access Token, the robot-side resource component submits a resource request to the OIDC provider using the Access Token, and once the OIDC provider has verified it, the user resource is returned to the robot side; the robot performs a corresponding operation using the user resource.
8. The OIDC-based robot identity verification and authorization method of claim 7, wherein the registration information includes a user name, gender, email, phone number, and other resources;
the resource interface accessible by a third party includes a control robot movement interface and a control robot rotation interface.
9. The OIDC-based robot identity verification and authorization method of claim 7, wherein the robot-side authentication component holds a ROS node for issuing Token information.
10. The method of any one of claims 7-9, wherein the robot-side resource component is a ROS node deployed at the robot-side for receiving Token information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310603759.8A CN116502201A (en) 2023-05-25 2023-05-25 OIDC-based robot identity verification and authorization system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310603759.8A CN116502201A (en) 2023-05-25 2023-05-25 OIDC-based robot identity verification and authorization system and method

Publications (1)

Publication Number Publication Date
CN116502201A true CN116502201A (en) 2023-07-28

Family

ID=87326741

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310603759.8A Pending CN116502201A (en) 2023-05-25 2023-05-25 OIDC-based robot identity verification and authorization system and method

Country Status (1)

Country Link
CN (1) CN116502201A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination