CN116662968A - Single-point log-out method, device, system, electronic equipment and storage medium - Google Patents

Publication number
CN116662968A
Authority
CN
China
Prior art keywords
application
user
client
authentication center
login
Legal status
Pending
Application number
CN202310356755.4A
Other languages
Chinese (zh)
Inventor
闫超毅
彭扬威
Current Assignee
Dingtalk China Information Technology Co Ltd
Original Assignee
Dingtalk China Information Technology Co Ltd

Classifications

    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/33 User authentication using certificates

Abstract

An embodiment of this specification provides a single sign-out method applied to a client, comprising: in response to a logout operation of a user, sending a logout request for the user account to the authentication center corresponding to the single sign-on, so that the authentication center queries the logout address of the at least one application based on the logout request and deletes the login state of the user at the client maintained by the authentication center; receiving the logout address of the at least one application returned by the authentication center; and initiating an access request for the logout address of the at least one application, wherein the content type of the access request is a preset cross-domain accessible file format, so as to trigger deletion of the login state of the user corresponding to the at least one application maintained by the client. In this process the login state of each application can be deleted uniformly, so that real-time unified logout is achieved, logout is timely, strong security requirements are met, and data leakage caused by delayed logout is avoided.

Description

Single-point log-out method, device, system, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of account security technologies, and in particular to a single sign-out method, apparatus, system, electronic device, and storage medium.
Background
With the spread of information technology, more and more application systems have appeared. They provide users with rich functional services, but users must log in and be verified frequently to use them, which is tedious. This gave rise to the need for single sign-on and, correspondingly, for single sign-out.
Single Sign On (SSO) means that, among a plurality of application systems, a user only needs to log in once to access all mutually trusted application systems in the single sign-on system. Single sign-out is the counterpart of single sign-on: the user only needs to log out once to log out of all application systems that have been logged in to.
In general, to implement single sign-on, an authentication center (Identity Provider, IDP) may be provided in the single sign-on system. Login authentication is performed through the authentication center, and once it passes, the user is simultaneously logged in to the functional services associated with the authentication center. On single sign-out, the authentication center can log out the user account.
How to ensure the security of the user account at single sign-out is a focus of attention.
Disclosure of Invention
In view of the foregoing, one or more embodiments of the present disclosure provide a single sign-out method, apparatus, system, electronic device, and storage medium to solve the problems in the related art.
In order to achieve the above object, one or more embodiments of the present disclosure provide the following technical solutions:
According to a first aspect of embodiments of the present disclosure, a single sign-out method is provided, which is applied to a client; the user logs in to at least one application through the client in a single sign-on mode based on a user account, and the method comprises the following steps:
in response to a logout operation of the user, sending a logout request for the user account to the authentication center corresponding to the single sign-on, so that the authentication center queries the logout address of the at least one application based on the logout request and deletes the login state of the user at the client maintained by the authentication center;
receiving the logout address of the at least one application returned by the authentication center;
and initiating an access request for the logout address of the at least one application, wherein the content type of the access request is a preset cross-domain accessible file format, so as to trigger deletion of the login state of the user corresponding to the at least one application maintained by the client.
According to a second aspect of embodiments of the present disclosure, there is provided a single sign-out method applied to an authentication center, including:
receiving a logout request for a user account sent by a client in response to a logout operation of a user, wherein the user logs in to at least one application through the client in a single sign-on mode based on the user account;
querying the logout address of the at least one application based on the logout request, and deleting the login state of the user at the client maintained by the authentication center;
and returning the logout address of the at least one application to the client, so that the client initiates an access request for the logout address of the at least one application, wherein the content type of the access request is a preset cross-domain accessible file format, so as to trigger deletion of the login state of the user corresponding to the at least one application maintained by the client.
According to a third aspect of embodiments of the present specification, there is provided a single sign-out system comprising a client and an authentication center, wherein:
the user logs in to at least one application through the client in a single sign-on mode based on a user account;
the client is configured to send, in response to a logout operation of the user, a logout request for the user account to the authentication center corresponding to the single sign-on; to receive the logout address of the at least one application returned by the authentication center; and to initiate an access request for the logout address of the at least one application, wherein the content type of the access request is a preset cross-domain accessible file format, so as to trigger deletion of the login state of the user corresponding to the at least one application maintained by the client;
the authentication center is configured to query the logout address of the at least one application based on the logout request, to delete the login state of the user at the client maintained by the authentication center, and to return the logout address of the at least one application.
According to a fourth aspect of embodiments of the present disclosure, there is provided a single sign-out device applied to a client; the user logs in to at least one application through the client in a single sign-on mode based on a user account, and the device comprises:
a logout request module, which, in response to a logout operation of the user, sends a logout request for the user account to the authentication center corresponding to the single sign-on, so that the authentication center queries the logout address of the at least one application based on the logout request and deletes the login state of the user at the client maintained by the authentication center;
a logout address receiving module, which receives the logout address of the at least one application returned by the authentication center;
and an access request module, which initiates an access request for the logout address of the at least one application, wherein the content type of the access request is a preset cross-domain accessible file format, so as to trigger deletion of the login state of the user corresponding to the at least one application maintained by the client.
According to a fifth aspect of embodiments of the present specification, there is provided a single sign-out device applied to an authentication center, including:
a logout request receiving module, which receives a logout request for a user account sent by a client in response to a logout operation of a user, wherein the user logs in to at least one application through the client in a single sign-on mode based on the user account;
a deleting module, which queries the logout address of the at least one application based on the logout request and deletes the login state of the user at the client maintained by the authentication center;
and a return module, which returns the logout address of the at least one application to the client, so that the client initiates an access request for the logout address of the at least one application, wherein the content type of the access request is a preset cross-domain accessible file format, so as to trigger deletion of the login state of the user corresponding to the at least one application maintained by the client.
According to a sixth aspect of embodiments of the present specification, there is provided an electronic device comprising a communication interface, a processor, a memory and a bus, the communication interface, the processor and the memory being interconnected by the bus;
the memory stores machine readable instructions and the processor performs the method by invoking the machine readable instructions.
According to a seventh aspect of embodiments of the present description, there is provided a machine-readable storage medium storing machine-readable instructions which, when invoked and executed by a processor, implement the above-described method.
The technical scheme provided by the embodiment of the specification can comprise the following beneficial effects:
According to this technical solution, by means of an access request whose content type is a preset cross-domain accessible file format, a cross-domain request can be made by exploiting the fact that files in cross-domain accessible formats are not restricted by the same-origin policy. Thus, after the logout addresses of the applications returned by the authentication center are received, deletion of the login state of each application can be triggered by initiating access requests to those logout addresses. In this process, the access requests to the logout addresses of the applications can be initiated uniformly, so the login state of each application can be deleted uniformly; real-time unified logout is achieved, logout is timely, strong security requirements are met, and the risk of data leakage caused by delayed logout is avoided.
Drawings
FIG. 1 is a flow chart of a single sign-out method according to an exemplary embodiment of the present disclosure;
FIG. 2 is an interaction diagram of single sign-out provided in an exemplary embodiment of the present disclosure;
FIG. 3 is an interaction diagram of yet another single sign-out provided in an exemplary embodiment of the present disclosure;
FIG. 4 is a flowchart of yet another single sign-out method provided by an exemplary embodiment of the present disclosure;
FIG. 5 is a block diagram of a single sign-out system according to an exemplary embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of an electronic device in which a single sign-out device according to an exemplary embodiment of the present disclosure is located;
FIG. 7 is a block diagram of a single sign-out device provided in an exemplary embodiment of the present disclosure;
FIG. 8 is a block diagram of yet another single sign-out device provided in an exemplary embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with aspects of one or more embodiments of the present description as detailed in the accompanying claims.
It should be noted that: in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; while various steps described in this specification may be combined into a single step in other embodiments.
In a single sign-on scenario, when a user logs in to a target application through a client in a single sign-on mode based on a user account, the authentication center issues the login state of the user for the target application, so that after logging in once at the authentication center the user can access the target application without logging in again.
Although during single sign-on the authentication center can maintain login state and is responsible for issuing it uniformly, when the user logs out the authentication center can only delete the login state that it maintains itself; it cannot delete the login state corresponding to each application. Each application maintains its own login state independently.
For example, each application may check the validity of the login state maintained by the authentication center through periodic heartbeat detection. When, at logout, the authentication center deletes the login state of the user account upon receiving a logout request for that account, each application detects that the login state maintained by the authentication center is invalid, deletes the login state of the user account that it maintains itself, and logs out the currently logged-in user account.
However, because heartbeat detection is periodic, there is a delay relative to the moment the authentication center deletes the login state; the login state cannot be deleted immediately, which is inefficient. If the heartbeat period is set long, then until the next heartbeat, even though the user has logged the account out at the authentication center, the account can still be used to access the application on the client normally, which is an obvious security problem.
Therefore, when a user needs to log out of the user account uniformly, that is, to perform single sign-out, the login states corresponding to the applications may well not be cleared uniformly, so that different user accounts become mismatched and there is even a risk of user data leakage.
In view of this, the present disclosure provides a technical solution in which, by means of an access request whose content type is a preset cross-domain accessible file format, a cross-domain request is made by exploiting the fact that files in cross-domain accessible formats are not restricted by the same-origin policy, so that after the logout address of an application returned by the authentication center is received, deletion of the login state of each application can be triggered by initiating an access request to that logout address.
In implementation, in response to a logout operation of the user, a logout request for the user account is sent to the authentication center corresponding to the single sign-on, so that the authentication center queries the logout address of the at least one application based on the logout request and deletes the login state of the user at the client maintained by the authentication center; the user has logged in to at least one application through the client in a single sign-on mode based on the user account.
For example, after the user has logged in to N applications through the client in a single sign-on mode based on the user account, when the user needs to log out of the user account, the client may, in response to the logout operation of the user, send a logout request for the user account to the authentication center corresponding to the single sign-on. The authentication center may then query the logout addresses of the N applications based on the logout request and delete the login state of the user at the client maintained by the authentication center.
The client may then receive a logout address of the at least one application returned by the authentication center.
For example, the authentication center may return the logout addresses of the N applications that it found to the client in the form of a logout address list.
The client can then initiate an access request for the logout address of the at least one application, wherein the content type of the access request is a preset cross-domain accessible file format, so as to trigger deletion of the login state of the user corresponding to the at least one application maintained by the client.
For example, based on the received logout addresses of the N applications, the client may uniformly initiate an access request for each logout address in the logout address list and, when initiating each request, mark in the request header that the content type expected in the response is a preset cross-domain accessible file format, so as to trigger deletion of the login states of the user corresponding to the N applications maintained by the client.
According to this technical solution, by means of an access request whose content type is a preset cross-domain accessible file format, a cross-domain request can be made by exploiting the fact that files in cross-domain accessible formats are not restricted by the same-origin policy. Thus, after the logout addresses of the applications returned by the authentication center are received, deletion of the login state of each application can be triggered by initiating access requests to those logout addresses. In this process, the access requests to the logout addresses of the applications can be initiated uniformly, so the login state of each application can be deleted uniformly; real-time unified logout is achieved, logout is timely, strong security requirements are met, and the risk of data leakage caused by delayed logout is avoided.
The single sign-out method of the present specification will be described in detail with reference to the accompanying drawings.
Referring to FIG. 1, FIG. 1 is a flowchart of a single sign-out method provided in an exemplary embodiment of the present disclosure, which is applied to a client; the user logs in to at least one application through the client in a single sign-on mode based on a user account.
As shown in FIG. 1, the method comprises the following steps:
Step 101, in response to a logout operation of the user, sending a logout request for the user account to the authentication center corresponding to the single sign-on, so that the authentication center queries the logout address of the at least one application based on the logout request and deletes the login state of the user at the client maintained by the authentication center;
Step 102, receiving the logout address of the at least one application returned by the authentication center;
Step 103, initiating an access request for the logout address of the at least one application, wherein the content type of the access request is a preset cross-domain accessible file format, so as to trigger deletion of the login state of the user corresponding to the at least one application maintained by the client.
When a user logs in to an application through the client in a single sign-on mode based on the user account, login verification may be performed by means of an account password, a biometric feature, a certificate, or the like, which is not limited in this specification.
In this embodiment, the client may, in response to the logout operation of the user, send a logout request for the user account to the authentication center corresponding to the single sign-on, so that the authentication center queries the logout address of the at least one application based on the logout request and deletes the login state of the user at the client maintained by the authentication center.
For example, assuming that the user has logged in to N applications, the client may send a logout request for the user account to the authentication center corresponding to the single sign-on in response to the logout operation of the user. The authentication center may then query the logout addresses of the N applications based on the logout request and delete the login state of the user at the client maintained by the authentication center.
Referring to FIG. 2, FIG. 2 is an interaction diagram of single sign-out provided in an exemplary embodiment of the present disclosure. As shown in FIG. 2, the method may include the following steps:
S201, the client, in response to the logout operation of the user, sends a logout request for the user account to the authentication center corresponding to the single sign-on.
S202, the authentication center queries the logout addresses of the N applications based on the logout request.
S203, the authentication center deletes the login state of the user at the client maintained by the authentication center.
In this embodiment, the client may receive the logout address of the at least one application returned by the authentication center.
For example, after determining the logout addresses of the N applications, the authentication center may return the logout addresses of the N applications to the client.
Taking FIG. 2 as an example, the following step may be performed:
S204, the client receives the logout addresses of the N applications returned by the authentication center.
For example, the authentication center may return the logout addresses of the N applications that it found to the client in the form of a logout address list.
In one illustrated embodiment, the logout request includes a session identifier corresponding to the session used by the authentication center to maintain the login state.
Further, the authentication center may, according to the session identifier in the logout request, match against a mapping table that it maintains to find the application identifier of the at least one application, and thereby determine the logout address of the at least one application.
Taking FIG. 2 as an example, when executing step S202, the authentication center may match against the mapping table that it maintains according to the session identifier contained in the received logout request, that is, the identifier of the session the authentication center uses to maintain the login state.
The mapping table may be generated by the authentication center as the user logs in to each application, so that for the N applications the user has logged in to, it contains at least the session identifier, the user identifier, and the application identifiers of those N applications.
In one example, the mapping table may be as shown in table 1 below:
TABLE 1
Assuming that the applications the user has logged in to are APP1, APP2 and APP3, a match in mapping table 1 above can be found according to the session identifier Sessionid1, from which it can be determined that the applications the user has logged in to are APP1, APP2 and APP3. The authentication center can then determine the logout address of each application through the binding relationship between application identifier and logout address maintained in the authentication center's database.
In yet another example, the mapping table may be further shown in the following table 2:
TABLE 2
Assuming that the applications the user has logged in to are APP1, APP2 and APP3, the authentication center may find a match in mapping table 1 according to the session identifier Sessionid1, determine that the applications the user has logged in to are APP1, APP2 and APP3, and determine that the logout addresses corresponding to these applications are logo 1, logo 2 and logo 3, respectively.
In addition, when receiving the logout addresses of the N applications, the client may also receive application identifiers of the N applications.
In this embodiment, the client may initiate an access request for the logout address of the at least one application, wherein the content type of the access request is a preset cross-domain accessible file format, so as to trigger deletion of the login state of the user corresponding to the at least one application maintained by the client.
For example, based on the received logout addresses of the N applications, the client may uniformly initiate an access request for each logout address in the logout address list and, when initiating each request, mark in the request header that the content type expected in the response is a preset cross-domain accessible file format, so as to trigger deletion of the login states of the user corresponding to the N applications maintained by the client.
In one embodiment, the preset cross-domain accessible file format includes at least a preset cross-domain accessible picture file format, a document file format, an audio file format, or a video file format.
Taking a picture file format as an example, assume that the logout addresses received by the client are those of application A, application B and application C. The client can uniformly initiate an access request to the logout address of application A, an access request to the logout address of application B, and an access request to the logout address of application C, and in each of the three access requests mark the content type expected in the response as the picture file format, thereby triggering deletion of the login states corresponding to application A, application B and application C maintained by the client.
It should be noted that the picture file format of the access request may be a format such as JPEG (Joint Photographic Experts Group), PNG (Portable Network Graphics) or SVG (Scalable Vector Graphics); the document file format may be a format such as TXT (Text File), DOC (Document) or PDF (Portable Document Format); the audio file format may be MP3 (MPEG-1 Audio Layer 3), WMA (Windows Media Audio) or the like; the video file format may be RMVB (RealMedia Variable Bitrate), AVI (Audio Video Interleaved) or the like. This specification does not limit the specific extension or naming format.
In one embodiment shown, the client comprises a browser; the session identifier comprises a sessionId; the at least one application comprises at least one cross-domain application;
Further, the client may send an access request for the logout address to a server of the at least one application, wherein the content type of the access request is a preset cross-domain accessible file format, so that the server, in response to the access request, determines whether the content type in the access request is the preset cross-domain accessible file format; if so, the server sets to null the mark value, contained in the message header of the response message to be returned, that corresponds to the login state of the user for the at least one application, and returns the response message to the browser.
In response to the received response message, the client can then delete the login state of the user corresponding to the at least one application stored in the browser's Cookie, based on the mark value in the message header of the response message.
For example, the application may be an application page that is opened in a browser, such as a tab page or a plug-in interface. Taking the example that the user account is a company account, the application may be a reimbursement application, an approval application, a schedule management application, or the like of the company. Taking the example that the user account is a personal account, the application may be a music application of the operator a, a video application of the operator B, or a social application of the operator C. The present description is not limited to what specific type of application is.
It should be noted that, when a user logs in to the authentication center, the authentication center may allocate a Session that maintains the user's login state and stores user data, and return a SessionId to the browser. The browser may store the SessionId in a local Cookie (a small text file) and carry it when sending a login request to the authentication center, so that the authentication center can execute subsequent steps based on the SessionId.
Generally, for first-party applications, because the same-origin policy applies among them, their login states can be removed uniformly by deleting the login states stored in the same-origin Cookie, thereby achieving logout.
The same-origin policy (Same Origin Policy, SOP) is a convention that is the browser's most central and most basic security function; without it, the browser is easily attacked. Specifically, two URLs are said to have the same origin if their protocols, domain names and port numbers are the same. In other words, when any one of the protocol, domain name or port number of a URL differs from that of the current page's URL, the access is cross-domain.
In this way, the browser can "reject" the returned data based on the same-origin policy, so third-party applications cannot interact with each other and a cross-domain problem arises; third-party applications can therefore also be called cross-domain applications.
In one example, assume that the user opens application A in page 1 and application B in page 2 of the browser, where application A and application B have different origins. When the user initiates a logout request for application B through page 1, the browser prohibits the request because of the same-origin policy, so application B cannot be logged out.
Therefore, this specification makes use of two characteristics of files in a cross-domain accessible file format: they are not limited by the same-origin policy, and requests for them can carry information such as Cookies. This allows multiple cross-domain applications to be logged out from a single page of the browser.
Taking fig. 2 as an example, when the log-out is performed based on the picture, the following steps may be performed:
S205, for the N applications, the client may send, to the server of each application, an access request for a logout address corresponding to the application.
When making the request, the content type expected to be returned needs to be marked in the request header as the preset cross-domain accessible file format.
For example, assuming that the preset cross-domain accessible file format is an SVG picture format, for application a, the browser may send an access request for the logout address corresponding to application a to the server side of application a, and mark the content type desired to be returned in the request header of the access request as the SVG picture format.
S206, the server side responds to the access request and determines whether the content type in the access request is in a preset file format which can be accessed in a cross-domain mode.
For example, for the server of the application a, it may be determined, in response to the above access request, whether the content type in the access request is in SVG picture format.
S207, if yes, the server sets the mark value corresponding to the login state of the user corresponding to the N applications in the message header of the response message to be returned to be null.
For example, the server of application A may set to null the flag value corresponding to the user's login state for application A contained in the header of the response message to be returned. Correspondingly, the flag values corresponding to the user's login states for the other applications are set to null by the servers of those applications.
In addition to setting the flag value corresponding to the user's login state for application A to null, the server of application A may also return content in the file format specified in the access request.
S208, the server returns the response message to the client.
For example, the server side of the application a returns a response message to the browser.
S209, the client responds to the received response message, and deletes the login state of the user corresponding to the at least one application stored in the Cookie of the client based on the mark value in the message header of the response message.
For example, after receiving the response message, the browser may delete the login state of the user corresponding to the application a stored in the Cookie of the browser based on the flag value corresponding to the login state of the user corresponding to the application a in the header of the response message.
As can be seen from the foregoing, when the server of an application receives an access request for the logout address whose content type is the preset cross-domain accessible file format, it returns a specific response message in whose header the flag value corresponding to the user's login state for the application is set to null, so that the login state for that application maintained in the browser is deleted.
It can be understood that the browser can uniformly initiate access requests to the logout addresses of the N applications, so that deletion of the login states maintained by the browser for these applications is triggered uniformly.
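Steps S205 to S209 can be simulated end to end as follows. This is an added example, not code from the patent: the cookie names, the `a.example`/`b.example` hosts, the 406 rejection status and the helper names are assumptions, and the browser is replaced by a small in-memory cookie jar.

```javascript
// Added example: cookie names, hosts and helper names are assumptions, not from the patent.
const PRESET_TYPE = "image/svg+xml"; // the "preset cross-domain accessible file format"

// Server side of one application (S206-S208). cookieName holds that app's login state.
function makeLogoutHandler(cookieName) {
  return function handleLogout(request) {
    // S206: does the request mark the expected content type as the preset format?
    const accepted = (request.headers["accept"] || "")
      .toLowerCase()
      .split(",")
      .map((part) => part.split(";")[0].trim());
    if (!accepted.includes(PRESET_TYPE)) {
      return { status: 406, headers: {}, body: "" }; // login state left untouched
    }
    // S207: empty the login-state value in the response header. An empty value alone
    // leaves an empty cookie behind, so Max-Age=0 is added here (assumption) to make
    // the browser drop it. Path/Domain must match the cookie as originally set.
    return {
      status: 200,
      headers: {
        "content-type": PRESET_TYPE,
        "cache-control": "no-store", // a cached image would never reach the server
        "set-cookie": `${cookieName}=; Path=/; Max-Age=0; Secure; HttpOnly`,
      },
      body: '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>',
    };
  };
}

// Minimal stand-in for the browser's per-origin cookie storage (S205, S209).
class CookieJar {
  constructor() {
    this.byOrigin = new Map(); // origin -> Map(name -> value)
  }
  set(origin, name, value) {
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Map());
    this.byOrigin.get(origin).set(name, value);
  }
  has(origin, name) {
    return this.byOrigin.has(origin) && this.byOrigin.get(origin).has(name);
  }
  cookieHeader(origin) {
    const cookies = this.byOrigin.get(origin) || new Map();
    return [...cookies].map(([n, v]) => `${n}=${v}`).join("; ");
  }
  applySetCookie(origin, header) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    const expired = attrs.some((a) => /^max-age=(0|-\d+)$/i.test(a));
    if (expired) {
      if (this.byOrigin.has(origin)) this.byOrigin.get(origin).delete(name);
    } else {
      this.set(origin, name, value);
    }
  }
}

// Client side: one request per logout address, each marked with the preset type.
function logoutAll(jar, logoutUrls, servers, acceptType = PRESET_TYPE) {
  return logoutUrls.map((url) => {
    const origin = new URL(url).origin;
    const handler = servers[origin];
    const response = handler({
      method: "GET",
      url,
      headers: { accept: acceptType, cookie: jar.cookieHeader(origin) },
    });
    const setCookie = response.headers["set-cookie"];
    if (setCookie) jar.applySetCookie(origin, setCookie); // S209
    return { url, status: response.status };
  });
}

// Constructed sample: two cross-domain applications with a live login state each.
function demo() {
  const jar = new CookieJar();
  jar.set("https://a.example", "app_a_login", "tokenA");
  jar.set("https://b.example", "app_b_login", "tokenB");
  const servers = {
    "https://a.example": makeLogoutHandler("app_a_login"),
    "https://b.example": makeLogoutHandler("app_b_login"),
  };
  const urls = ["https://a.example/logout.svg", "https://b.example/logout.svg"];
  const results = logoutAll(jar, urls, servers);
  return { results, jar };
}
```

A request that does not name the preset format gets no cookie-clearing header, so the login state of that application survives.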
In one embodiment, the browser provides the user with a single sign-on function of logging in at least one application based on the single sign-on mode of the user account through a user account management interface, and a single sign-out function for the at least one application;
further, a log-out request for the user account may be sent to an authentication center corresponding to the single sign-on in response to the log-out operation triggered by the single sign-out function on the user account management interface.
According to the method, the device and the system, by marking in the access request for the logout address that the content type expected to be returned is the preset cross-domain accessible file format, the cross-domain problem can be solved by using the characteristic that files in such a format are not limited by the same-origin policy. The browser can therefore provide the user, through the user account management interface, with both the single sign-on function of logging in to at least one application based on the user account and the single sign-out function for the at least one application.
For example, a user can send a log-out request for a user account to a corresponding authentication center of single sign-on based on a single sign-out function triggering log-out operation only through a single page of a user account management interface, so that cross-domain limitation is broken through, log-out for applications opened on a plurality of pages is realized, and user experience is greatly improved.
In one embodiment shown, the user may also, prior to logging out the user account:
responding to the login operation of the user for the user account, sending a login request for the user account to an authentication center corresponding to the single sign-on by the client so as to verify the login request by the authentication center, and generating a login state of the user at the client, maintained by the authentication center, for the login request of the user account when the verification passes;
responding to single sign-on operation of the user for a target application, and sending a single sign-on request for the target application to the authentication center through a server side of the target application so as to generate a sign-on state of the user corresponding to the target application in the client side by the authentication center;
And receiving and maintaining the login state of the user corresponding to the target application.
Taking fig. 3 as an example, please refer to fig. 3, fig. 3 is an interaction diagram of another single sign-out according to an exemplary embodiment of the present disclosure. As shown in fig. 3, the method may include the steps of:
S301, the client side responds to the login operation of the user for the user account, and sends a login request for the user account to an authentication center corresponding to single sign-on.
For example, a user may perform a login operation through a user account login interface provided by a browser, and send a login request for the user account to an authentication center corresponding to single sign-on.
S302, the authentication center verifies the login request.
For example, the authentication center may perform verification based on an account number and a password input by a user and carried in the login request.
S303, when the authentication center passes the verification, the login state of the user at the client maintained by the authentication center is generated aiming at the login request of the user account.
From the foregoing, when a user logs into the authentication center, the authentication center may allocate a Session for maintaining the user in the client login state to store user data.
S304, the client can respond to the single sign-on operation of the user for the target application, and send a single sign-on request for the target application to the authentication center through the server of the target application.
For example, after the user logs into the authentication center, the user may log into the supported application in a login-free manner. The browser can respond to the single sign-on operation of the user for the target application, and send a single sign-on request for the target application to the authentication center through the server side of the target application.
S305, the authentication center generates a login state of the user corresponding to the target application in the client.
From the foregoing, the authentication center can determine that the user has logged in to the user account according to the login state of the user maintained by the authentication center, so that the user can be allowed to avoid logging in the target application, and the login state of the user corresponding to the target application in the client can be generated. At this time, the authentication center may generate a mapping table as shown in table 2 based on the SessionId, the user identification, the target application identification, and the logout address corresponding to the target application. The target application identifier and the logout address corresponding to the target application may be provided as basic information of the target application when the target application is registered in the authentication center for the first time.
S306, the client receives and maintains the login state of the user corresponding to the target application.
For example, after receiving the login state of the user corresponding to the target application, the browser may store it in the Cookie.
In the above process, when the user logs in to an application by single sign-on based on the user account, the authentication center generates the corresponding mapping table. When the user later logs out, the logout address of each logged-in application can be determined by matching the mapping table, and deletion of the application's login state is then triggered by initiating an access request to that logout address.
According to the above technical scheme, an access request whose content type is the preset cross-domain accessible file format can be made across domains, because such file formats are not limited by the same-origin policy. Thus, after the logout addresses of the applications returned by the authentication center are received, deletion of each application's login state can be triggered by initiating an access request to that application's logout address. In this process, the access requests to the logout addresses can be initiated uniformly, so the login states of the applications are deleted uniformly; real-time unified logout is achieved, the timeliness of logout is ensured, strong security requirements are met, and the risk of data leakage caused by delayed logout is avoided.
Referring to fig. 4, fig. 4 is a flowchart of yet another single sign-out method provided in an exemplary embodiment of the present disclosure. Applied to an authentication center, the method includes the following steps:
step 401, receiving a logout request for a user account sent by a client in response to a logout operation of a user; the user logs in at least one application through the client side in a single sign-on mode based on the user account;
step 402, inquiring a log-out address of the at least one application based on the log-out request, and deleting a login state of the user at the client maintained by the authentication center;
step 403, returning the logout address of the at least one application to the client, so as to initiate an access request for the logout address of the at least one application by the client, where the content type of the access request is a preset file format that can be accessed in a cross-domain manner, so as to trigger deletion of the login state of the user corresponding to the at least one application, which is maintained by the client.
The implementation process of the steps 401 to 403 is specifically described in the implementation process of the corresponding steps in the single sign-out method applied to the client, and the relevant parts refer to the part of the description of the method implementation mode, which is not repeated here.
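The authentication-center side of steps 401 to 403, together with the mapping table built at single sign-on (S305), can be sketched as follows. This is an added example, not the patent's implementation: the class, method and field names, the https-only check on registered logout addresses and the sample identifiers are assumptions.

```javascript
// Added example: class, method and field names are assumptions; the row fields follow
// the mapping table described above (SessionId, user identifier, application
// identifier, logout address).
class AuthCenter {
  constructor() {
    this.apps = new Map();     // appId -> logout address, supplied at registration
    this.sessions = new Map(); // sessionId -> userId (login state kept by the center)
    this.mapping = [];         // rows { sessionId, userId, appId, logoutUrl }
  }

  // An application provides its identifier and logout address when first registered.
  registerApp(appId, logoutUrl) {
    const parsed = new URL(logoutUrl); // throws on a malformed address
    if (parsed.protocol !== "https:") throw new Error("logout address must be https");
    this.apps.set(appId, parsed.href);
  }

  // S303: login state created after the credentials check. The sessionId is passed in
  // here; a real deployment generates it with a CSPRNG.
  createSession(sessionId, userId) {
    this.sessions.set(sessionId, userId);
  }

  // S305: record the single sign-on so the logout address can be found later.
  singleSignOn(sessionId, appId) {
    const userId = this.sessions.get(sessionId);
    if (userId === undefined) throw new Error("no login state for this session");
    const logoutUrl = this.apps.get(appId);
    if (logoutUrl === undefined) throw new Error("application not registered");
    const exists = this.mapping.some(
      (row) => row.sessionId === sessionId && row.appId === appId
    );
    if (!exists) this.mapping.push({ sessionId, userId, appId, logoutUrl });
  }

  // Steps 401-403: match the table by sessionId, delete the center's own login state,
  // and return the logout addresses for the client to request.
  logout(sessionId) {
    if (!this.sessions.has(sessionId)) return []; // unknown or already logged out
    const rows = this.mapping.filter((row) => row.sessionId === sessionId);
    this.mapping = this.mapping.filter((row) => row.sessionId !== sessionId);
    this.sessions.delete(sessionId);
    return rows.map((row) => row.logoutUrl);
  }
}

// Constructed sample: one user with two sessions (two browsers), three applications.
function demoAuthCenter() {
  const center = new AuthCenter();
  center.registerApp("appA", "https://a.example/logout.svg");
  center.registerApp("appB", "https://b.example/logout.svg");
  center.registerApp("appC", "https://c.example/logout.svg");
  center.createSession("sess-1", "user-1");
  center.createSession("sess-2", "user-1");
  center.singleSignOn("sess-1", "appA");
  center.singleSignOn("sess-1", "appB");
  center.singleSignOn("sess-1", "appA"); // repeated sign-on adds no second row
  center.singleSignOn("sess-2", "appC");
  const first = center.logout("sess-1");
  const second = center.logout("sess-1"); // idempotent: nothing left to return
  return { center, first, second };
}
```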
Referring to fig. 5, fig. 5 is a schematic diagram of a single sign-out system according to an exemplary embodiment of the present disclosure. As shown in fig. 5, the single sign-out system includes: client 501, authentication center 502, and application a's server 503A and application B's server 503B.
From the foregoing, the client 501 may be configured to send a login request for a user account to the authentication center 502 corresponding to single sign-on in response to a login operation for the user account.
Authentication center 502 may be used to verify a login request and generate a login status of the user at client 501 maintained by the authentication center for the login request of the user account when the verification passes.
The client 501 may be configured to send a single sign-on request for application A to the authentication center through the server 503A of application A in response to a single sign-on operation of the user for a target application (such as application A).
The authentication center 502 may be used to generate the login state of the user corresponding to application A in the client 501, and send the login state to the client 501.
Correspondingly, the login state of application B is generated by the same process, which is not described again here.
With continued reference to fig. 5, when a user needs to log out a user account uniformly, based on the system architecture of fig. 5, the client 501 may be configured to send a log-out request for the user account to the authentication center 502 corresponding to single sign-on in response to a log-out operation of the user.
The authentication center 502 may be configured to query the logout address of at least one application that is logged in, such as the logout address of application a and the logout address of application B in fig. 5, based on the logout request, and delete the login state of the user at the client 501 maintained by the authentication center.
The client 501 may be configured to receive the logout address of application a and the logout address of application B returned by the authentication center 502.
The client 501 may then be configured to initiate an access request for a logout address of at least one application, where a content type of the access request is a preset cross-domain accessible file format, so as to trigger deletion of a login state of the user maintained by the client corresponding to the at least one application.
For example, the client 501 may be a browser, and the at least one application includes at least one cross-domain application;
at this time, the client 501 may be configured to send an access request for a logout address to a server of at least one application, for example, the client 501 may send an access request for a logout address of the application a to the server 503A of the application a, and may also send an access request for a logout address of the application B to the server 503B of the application B.
The server 503A of application A may be configured to determine, in response to the above access request, whether the content type in the access request is the preset cross-domain accessible file format; if so, the flag value corresponding to the user's login state for application A contained in the header of the response message to be returned is set to null, and the response message is returned to the client 501. The same applies to the server 503B of application B, and a detailed description is omitted here.
The client 501 may be configured to, in response to a received response message returned by the server 503A of application A, delete the login state of the user corresponding to application A stored in the Cookie based on the flag value in the header of the response message. Similarly, the client 501 may be further configured to, in response to a received response message returned by the server 503B of application B, delete the login state of the user corresponding to application B stored in the Cookie based on the flag value in the header of the response message.
According to the above technical scheme, an access request whose content type is the preset cross-domain accessible file format can be made across domains, because such file formats are not limited by the same-origin policy. Thus, after the logout addresses of the applications returned by the authentication center are received, deletion of each application's login state can be triggered by initiating an access request to that application's logout address. In this process, the access requests to the logout addresses can be initiated uniformly, so the login states of the applications are deleted uniformly; real-time unified logout is achieved, the timeliness of logout is ensured, strong security requirements are met, and the risk of data leakage caused by delayed logout is avoided.
In an exemplary embodiment of the present specification, there is also provided an apparatus capable of implementing the above method.
Fig. 6 is a schematic block diagram of an apparatus provided in an exemplary embodiment. Referring to fig. 6, at the hardware level, the device includes a processor 602, an internal bus 604, a network interface 606, a memory 608, and a non-volatile storage 610, although other hardware requirements are possible. One or more embodiments of the present description may be implemented in a software-based manner, such as by the processor 602 reading a corresponding computer program from the non-volatile memory 610 into the memory 608 and then running. Of course, in addition to software implementation, one or more embodiments of the present disclosure do not exclude other implementation manners, such as a logic device or a combination of software and hardware, etc., that is, the execution subject of the following processing flow is not limited to each logic unit, but may also be hardware or a logic device.
Referring to fig. 7, in a software embodiment, a single sign-out device 700 is provided, applied to a client; the user logs in to at least one application through the client by single sign-on based on a user account, and the device comprises:
A log-out request module 701, responsive to a log-out operation of a user, for sending a log-out request for the user account to an authentication center corresponding to the single sign-on, so that the authentication center queries a log-out address of the at least one application based on the log-out request, and deletes a log-in state of the user at the client maintained by the authentication center;
a log-out address receiving module 702, configured to receive a log-out address of the at least one application returned by the authentication center;
an access request module 703, configured to initiate an access request for a logout address of the at least one application, where a content type of the access request is a preset cross-domain accessible file format, so as to trigger deletion of a login state of the user corresponding to the at least one application, where the login state is maintained by the client.
Optionally, the log-out request includes a session identifier corresponding to a session used by the authentication center to maintain the login state;
the authentication center querying a logout address of the at least one application based on the logout request, comprising:
the authentication center queries the application identifier of the at least one application according to the session identifier in the logout request by matching a mapping table maintained by the authentication center so as to determine the logout address of the at least one application;
Wherein the mapping table is generated by the authentication center when the user logs in the at least one application, and the mapping table at least comprises the session identifier, the user identifier of the user and the application identifier of the at least one application.
Optionally, the client comprises a browser; the session identifier comprises a sessionId; the at least one application comprises at least one cross-domain application;
the triggering of deleting the login state of the user maintained by the client corresponding to the at least one application includes:
sending an access request aiming at the log-out address to a server side of the at least one application, wherein the content type of the access request is a preset file format capable of being accessed in a cross-domain manner, so that the server side responds to the access request to determine whether the content type in the access request is the preset file format capable of being accessed in the cross-domain manner; if yes, setting a mark value corresponding to a login state of the user corresponding to the at least one application and contained in a message header of a response message to be returned to be null, and returning the response message to the browser;
and responding to the received response message, and deleting the login state of the user corresponding to the at least one application, which is stored in the Cookie of the browser, based on the mark value in the message header of the response message.
Optionally, the browser provides the single sign-on function of logging in at least one application based on the single sign-on mode of the user account to the user through a user account management interface, and the single sign-off function of the at least one application;
the log-out request module 701 further:
responding to the log-out operation triggered by the user based on the single-point log-out function on the user account management interface, and sending a log-out request for the user account to an authentication center corresponding to the single-point log-in.
Optionally, the apparatus 700 further includes:
a login request module 704 (not shown in the figure), responsive to a login operation of the user with respect to the user account, the client sends a login request with respect to the user account to an authentication center corresponding to the single sign-on, so that the authentication center verifies the login request, and generates a login state of the user at the client maintained by the authentication center with respect to the login request of the user account when the verification passes;
a single sign-on request module 705 (not shown in the figure), responsive to a single sign-on operation of the user for a target application, for sending, by a server side of the target application, a single sign-on request for the target application to the authentication center, so as to generate, by the authentication center, a sign-on state of the user in the client side corresponding to the target application;
A receiving module 706 (not shown in the figure) receives and maintains a login status of the user corresponding to the target application.
Optionally, the preset cross-domain accessible file format at least includes a preset cross-domain accessible picture file format, a document file format, an audio file format or a video file format.
The implementation process of the functions and roles of each module in the above apparatus 700 is specifically described in detail in the implementation process of the corresponding steps in the single sign-out method applied to the client, and relevant parts refer to part of the description of the method implementation mode, which is not repeated here.
Referring to fig. 8, in a software embodiment, another single sign-out device 800 is provided, applied to an authentication center, the device comprising:
a log-out request receiving module 801 receives a log-out request for a user account sent by a client in response to a log-out operation of a user; the user logs in at least one application through the client side in a single sign-on mode based on the user account;
a deletion module 802, configured to query a log-out address of the at least one application based on the log-out request, and delete a log-in state of the user at the client maintained by the authentication center;
A return module 803, configured to return a logout address of the at least one application to the client, so that an access request for the logout address of the at least one application is initiated by the client, where a content type of the access request is a preset file format that can be accessed across domains, so as to trigger deletion of a login state of the user corresponding to the at least one application, which is maintained by the client; the extension name of the logout address returned by the authentication center is a picture extension name.
The implementation process of the functions and roles of each module in the apparatus 800 is described in detail in the implementation process of the corresponding steps in the single sign-out method applied to the authentication center; for the relevant parts, refer to the description of the method embodiments, which is not repeated here.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the units or modules may be selected according to actual needs to achieve the purposes of the present description. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by the computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
The user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of related data is required to comply with the relevant laws and regulations and standards of the relevant country and region, and is provided with corresponding operation entries for the user to select authorization or rejection.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "when …" or "upon …" or "responsive to a determination", depending on the context.
The foregoing description of the preferred embodiment(s) is (are) merely intended to illustrate the embodiment(s) of the present invention, and it is not intended to limit the embodiment(s) of the present invention to the particular embodiment(s) described.

Claims (14)

1. A single-point log-out method is applied to a client; the user logs in at least one application through the client based on a single sign-on mode of a user account, and the method comprises the following steps:
responding to the logout operation of a user, sending a logout request aiming at the user account to an authentication center corresponding to the single sign-on, inquiring a logout address of the at least one application by the authentication center based on the logout request, and deleting a login state of the user at the client maintained by the authentication center;
receiving a log-out address of the at least one application returned by the authentication center;
and initiating an access request aiming at the logout address of the at least one application, wherein the content type of the access request is a preset cross-domain accessible file format so as to trigger the deletion of the login state of the user corresponding to the at least one application, which is maintained by the client.
2. The method of claim 1, the log-out request comprising a session identification corresponding to a session for which the authentication center is configured to maintain the logged-in state;
the authentication center querying a logout address of the at least one application based on the logout request, comprising:
the authentication center queries the application identifier of the at least one application according to the session identifier in the logout request by matching a mapping table maintained by the authentication center so as to determine the logout address of the at least one application;
wherein the mapping table is generated by the authentication center when the user logs in the at least one application, and the mapping table at least comprises the session identifier, the user identifier of the user and the application identifier of the at least one application.
3. The method of claim 2, the client comprising a browser; the session identifier comprises a sessionId; the at least one application comprises at least one cross-domain application;
the initiating an access request for the logout address of the at least one application, wherein the content type of the access request is a preset file format which can be accessed in a cross-domain manner, so as to trigger deleting the login state of the user corresponding to the at least one application, which is maintained by the client, and the method comprises the following steps:
sending an access request aiming at the log-out address to a server side of the at least one application, wherein the content type of the access request is a preset file format capable of being accessed in a cross-domain manner, so that the server side responds to the access request to determine whether the content type in the access request is the preset file format capable of being accessed in the cross-domain manner; if yes, setting a mark value corresponding to a login state of the user corresponding to the at least one application and contained in a message header of a response message to be returned to be null, and returning the response message to the browser;
and responding to the received response message, and deleting the login state of the user corresponding to the at least one application, which is stored in the Cookie of the browser, based on the mark value in the message header of the response message.
4. The method of claim 3, wherein the browser provides the user with a single sign-on function for logging in at least one application based on the single sign-on of the user account, and a single sign-off function for the at least one application, through a user account management interface;
the step of responding to the log-out operation of the user, sending a log-out request for the user account to the authentication center corresponding to the single sign-on, comprises the following steps:
responding to the log-out operation triggered by the user based on the single-point log-out function on the user account management interface, and sending a log-out request for the user account to an authentication center corresponding to the single-point log-in.
5. The method of claim 1, the method further comprising:
responding to the login operation of the user for the user account, sending a login request for the user account to an authentication center corresponding to the single sign-on by the client so as to verify the login request by the authentication center, and generating a login state of the user at the client, maintained by the authentication center, for the login request of the user account when the verification passes;
responding to single sign-on operation of the user for a target application, and sending a single sign-on request for the target application to the authentication center through a server side of the target application so as to generate a sign-on state of the user corresponding to the target application in the client side by the authentication center;
and receiving and maintaining the login state of the user corresponding to the target application.
6. The method of claim 1, the preset cross-domain accessible file format comprising at least a preset cross-domain accessible picture file format, a document file format, an audio file format, or a video file format.
7. A single-point log-out method is applied to an authentication center and comprises the following steps:
receiving a log-out request for a user account sent by a client in response to a log-out operation of a user; the user logs in at least one application through the client side in a single sign-on mode based on the user account;
inquiring a log-out address of the at least one application based on the log-out request, and deleting the login state of the user at the client maintained by the authentication center;
and returning the logout address of the at least one application to the client so as to initiate an access request aiming at the logout address of the at least one application by the client, wherein the content type of the access request is a preset file format which can be accessed in a cross-domain mode, so as to trigger the deletion of the login state of the user corresponding to the at least one application, which is maintained by the client.
8. A single sign-on system comprising: a client and an authentication center; wherein,
the user logs in at least one application through the client based on a single sign-on mode of a user account;
the client is used for responding to the logout operation of the user and sending a logout request aiming at the user account to the authentication center corresponding to the single sign-on; receiving a logout address of the at least one application returned by the authentication center; and initiating an access request aiming at the logout address of the at least one application, wherein the content type of the access request is a preset file format which can be accessed in a cross-domain manner, so as to trigger the deletion of the login state of the user corresponding to the at least one application, which is maintained by the client;
the authentication center is used for inquiring the login address of the at least one application based on the login request and deleting the login state of the user at the client maintained by the authentication center; and returning the logout address of the at least one application.
9. The system of claim 8, further comprising a server of an application; wherein the client comprises a browser; the at least one application comprises at least one cross-domain application;
the browser is configured to send an access request for the logout address to a server of the at least one application, where a content type of the access request is a preset file format capable of being accessed across domains; and deleting the login state of the user corresponding to the at least one application stored in the Cookie of the browser based on the mark value in the message header of the response message in response to the received response message;
the server side of the at least one application is used for responding to the access request and determining whether the content type in the access request is in a preset file format which can be accessed in a cross-domain mode; if yes, setting a mark value corresponding to the login state of the user corresponding to the at least one application and contained in a message header of the response message to be returned to be null, and returning the response message to the browser.
10. The system of claim 8, the client further configured to send a login request for the user account to the authentication center corresponding to the single sign-on in response to a login operation of the user for the user account; responding to single sign-on operation of the user for a target application, and sending a single sign-on request for the target application to the authentication center through a server side of the target application; and receiving and maintaining a login state of the user corresponding to the target application;
the authentication center is further used for verifying the login request and generating a login state of the user at the client maintained by the authentication center aiming at the login request of the user account when the verification passes; and generating a login state of the user corresponding to the target application in the client and sending the login state to the client.
11. The single-point log-out device is applied to a client; the user logs in at least one application through the client based on a single sign-on mode of a user account, and the method comprises the following steps:
a log-out request module, which responds to the log-out operation of a user, sends a log-out request for the user account to an authentication center corresponding to the single sign-on, so that the authentication center queries the log-out address of the at least one application based on the log-out request, and deletes the log-in state of the user at the client maintained by the authentication center;
a log-out address receiving module for receiving the log-out address of the at least one application returned by the authentication center;
and the access request module initiates an access request aiming at the logout address of the at least one application, wherein the content type of the access request is a preset file format which can be accessed in a cross-domain manner, so as to trigger the deletion of the login state of the user corresponding to the at least one application, which is maintained by the client.
12. A single sign-on device applied to an authentication center, comprising:
the login request receiving module is used for receiving a login request aiming at a user account sent by a client in response to login operation of a user; the user logs in at least one application through the client side in a single sign-on mode based on the user account;
the deleting module is used for inquiring the login address of the at least one application based on the login request and deleting the login state of the user at the client maintained by the authentication center;
and the return module returns the logout address of the at least one application to the client so as to initiate an access request aiming at the logout address of the at least one application by the client, wherein the content type of the access request is a preset file format which can be accessed in a cross-domain mode, so as to trigger the deletion of the login state of the user corresponding to the at least one application, which is maintained by the client.
13. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any of claims 1-7 by executing the executable instructions.
14. A machine-readable storage medium having stored thereon machine-readable instructions which, when executed by a processor, implement the steps of the method of any of claims 1-7.
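The flow recited in claims 1 to 3 and 7, as an added JavaScript example that is not code from the patent: the authentication center resolves logout addresses from its session mapping table, each application server clears the login marker only for a request typed as a preset format, and the browser is reduced to a cookie jar. The cookie name, the MIME types treated as preset formats, the example URLs and the Max-Age=0 attribute are assumptions.

```javascript
// Added illustration of claims 1-3 and 7; every name, URL and MIME choice is hypothetical.
const CROSS_DOMAIN_TYPES = new Set(['image/gif', 'image/png']); // assumed preset formats
const LOGIN_COOKIE = 'app_login_state'; // assumed cookie carrying the per-app login state

class AuthCenter {
  constructor(logoutAddresses) {
    this.logoutAddresses = logoutAddresses; // appId -> logout address
    this.mapping = new Map(); // sessionId -> { userId, appIds }
  }
  // At single sign-on: record which applications this session has entered (claim 2).
  recordLogin(sessionId, userId, appId) {
    const row = this.mapping.get(sessionId) || { userId, appIds: new Set() };
    row.appIds.add(appId);
    this.mapping.set(sessionId, row);
  }
  // Logout request: resolve logout addresses, then delete the center's own login state.
  logout(sessionId) {
    const row = this.mapping.get(sessionId);
    if (!row) return []; // unknown or already logged-out session
    this.mapping.delete(sessionId);
    return [...row.appIds].map((id) => this.logoutAddresses[id]).filter(Boolean);
  }
}

// Application server: only a request typed as a preset format clears the marker (claim 3).
function handleLogoutRequest(req) {
  if (!CROSS_DOMAIN_TYPES.has(req.contentType)) return { status: 400, headers: {} };
  // Empty marker value as in the claim; Max-Age=0 is added so a real browser drops the cookie.
  const cookie = `${LOGIN_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly`;
  return { status: 200, headers: { 'Content-Type': req.contentType, 'Set-Cookie': cookie } };
}

// Browser, reduced to a cookie jar keyed by origin: an empty marker deletes the cookie.
function applyResponse(jar, origin, res) {
  const header = res.headers['Set-Cookie'];
  if (!header || !jar[origin]) return;
  const [name, value] = header.split(';')[0].split('=');
  if (value === '') delete jar[origin][name];
}

// Client: send the logout request, then access every returned logout address.
function singleLogout(center, sessionId, jar, contentType = 'image/gif') {
  const addresses = center.logout(sessionId);
  for (const address of addresses) {
    const res = handleLogoutRequest({ url: address, contentType });
    applyResponse(jar, new URL(address).origin, res);
  }
  return addresses;
}

// Constructed sample: one session signed in to two hypothetical applications.
function demo(contentType) {
  const center = new AuthCenter({ crm: 'https://crm.example/logout', wiki: 'https://wiki.example/logout' });
  ['crm', 'wiki'].forEach((app) => center.recordLogin('sess-1', 'user-1', app));
  const jar = { 'https://crm.example': { [LOGIN_COOKIE]: 'a' }, 'https://wiki.example': { [LOGIN_COOKIE]: 'b' } };
  return { center, jar, addresses: singleLogout(center, 'sess-1', jar, contentType) };
}
```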
CN202310356755.4A 2023-04-04 2023-04-04 Single-point log-out method, device, system, electronic equipment and storage medium Pending CN116662968A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310356755.4A CN116662968A (en) 2023-04-04 2023-04-04 Single-point log-out method, device, system, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116662968A true CN116662968A (en) 2023-08-29

Family

ID=87708620

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310356755.4A Pending CN116662968A (en) 2023-04-04 2023-04-04 Single-point log-out method, device, system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116662968A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination