CN118174874A - Token generation method and device for unified authentication - Google Patents

Token generation method and device for unified authentication

Info

Publication number
CN118174874A
CN118174874A
Authority
CN
China
Prior art keywords
token
request information
user request
user
information
Prior art date
Legal status
Pending
Application number
CN202410313866.1A
Other languages
Chinese (zh)
Inventor
谭佳明
袁江
Current Assignee
Beijing Likong Yuantong Technology Co ltd
Original Assignee
Beijing Likong Yuantong Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Likong Yuantong Technology Co ltd
Priority to CN202410313866.1A
Publication of CN118174874A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of data encryption and discloses a method and device for generating a unified authentication token. The method comprises the following steps: the gateway receives user request information sent by the client; when it judges that the user request information is a user login request, the gateway sends the user request information to the authentication server, and when user storage information corresponding to the login information exists in the database, the authentication server performs primary encryption on the login information to produce an initial token; the gateway performs secondary encryption on the initial token to generate a final token and returns the final token to the client that sent the user request information. The scheme generates the final token through two rounds of encryption, which protects the data in transit; verification of security parameters is added to the parameters of the secondary encryption algorithm, which effectively prevents attacks from external systems and further protects the data, reduces the size and proportion of the token, and cuts unnecessary traffic overhead.

Description

Token generation method and device for unified authentication
Technical Field
The invention relates to the technical field of data encryption, in particular to a method and a device for generating a unified authentication token.
Background
With the continuous popularization of digitization, application systems of enterprises are increasing, and management of user identity and authentication information is a particularly critical part in the construction of the application systems.
Because a scattered user-management model hinders the evolution of enterprise applications toward a platform, building a unified, standardized account-management system with unified authentication has become a trend. It provides the platform with basic capabilities such as unified account management, identity authentication and user authorization, and provides the enterprise with capabilities such as cross-system single sign-on and third-party authorization. Unified authentication in current Internet systems not only improves developer efficiency but also reduces the burden on users.
In a unified authentication mechanism, once a user has logged in, all authorized application systems theoretically have access to the user's identity information. This design does make the user's experience more convenient, but it also introduces a potential security risk, so improving the security of unified login authentication is critical.
Disclosure of Invention
In view of this, the present invention provides a method for generating a unified authentication token, to address the problem that the existing unified authentication mechanism may leak important information.
In a first aspect, the present invention provides a method for generating a unified authentication token, which is applied to a unified authentication token generating system, where the system includes a client, a gateway, an authentication server, and a database, the method is executed by the gateway, and the method includes:
receiving user request information sent by the client and judging the user request information;
when the user request information is judged to be a user login request, sending the user request information to the authentication server, so that the authentication server compares login information in the user request information with user storage information in the database and, when user storage information corresponding to the login information exists in the database, performs primary encryption on the login information to produce an initial token;
receiving the initial token sent by the authentication server, and performing secondary encryption on the initial token to generate a final token;
and returning the final token to the client corresponding to the user request information.
The scheme adds primary and secondary encryption on top of unified login verification, which increases the complexity of the token generation algorithm and secures the authentication process. In addition, because both the primary and the secondary encryption use a self-encapsulated encryption algorithm when the token is generated, the traffic overhead is not excessive even when the token carries a lot of information.
In an alternative embodiment, performing secondary encryption on the initial token to generate a final token includes:
generating security parameters according to the user request information, the security parameters comprising the client IP, the client model and the token validity period;
and performing secondary encryption on the initial token according to the security parameters to generate a final token.
The scheme realizes the secondary encryption of the token through the security parameters, which effectively prevents attacks from external systems and protects the data; the verification of the security parameters also reduces the size and proportion of the token and cuts unnecessary traffic overhead.
In an optional implementation manner, the receiving the user request information sent by the client and judging the user request information include:
when the user request information comprises login information, judging that the user request information is a user login request, the login information comprising a user name and a password;
and when the user request information comprises a login token, judging that the user request information is a non-user login request.
According to the scheme, the gateway receives the user request information sent by the client, and judges the request type of the user request information based on the data information in the user request information, so that data distribution is realized, and the authentication efficiency is improved.
In an alternative embodiment, the system further comprises a business system; when the user request information is judged to be non-user login request information, the method further comprises the following steps:
performing a primary parse of the login token in the user request information to obtain the security parameters in the login token;
and performing primary verification of the login token according to the security parameters in the login token and, after the verification passes, sending the user request information to the corresponding service system so that the service system performs secondary verification of the login token.
According to the scheme, the token in the user request information is authenticated through the security parameters; the verification of the security parameters reduces the size and proportion of the token and cuts unnecessary traffic overhead.
In a second aspect, the present invention provides a method for generating a token for unified authentication, which is applied to a token generating system for unified authentication, where the system includes a client, a gateway, an authentication server, and a database, and the method is executed by the authentication server, and the method includes:
receiving the user request information from the gateway when the gateway judges that the user request information sent by the client is a user login request;
comparing the login information in the user request information with the user storage information in the database, performing primary encryption on the login information to produce an initial token when user storage information corresponding to the login information exists in the database, and sending the initial token to the gateway so that the gateway performs secondary encryption on the initial token, generates a final token and sends the final token to the client corresponding to the user request information.
In an alternative embodiment, the encrypting the login information once into the initial token includes:
obtaining a target encryption format of the token;
encrypting the login information into an initial token according to the target encryption format.
In a third aspect, the present invention provides a token generation device for unified authentication, which is applied to a token generation system for unified authentication, the system includes a client, a gateway, an authentication server, and a database, the device is executed by the gateway, and the device includes:
the user request information judging module is used for receiving the user request information sent by the client and judging the user request information;
the user request information forwarding module is used for sending the user request information to the authentication server when it judges that the user request information is a user login request, so that the authentication server compares login information in the user request information with user storage information in the database and performs primary encryption on the login information to produce an initial token when user storage information corresponding to the login information exists in the database;
the secondary encryption module is used for receiving the initial token sent by the authentication server and performing secondary encryption on the initial token to generate a final token;
and the final token sending module is used for returning the final token to the client corresponding to the user request information.
In a fourth aspect, the present invention provides a token generation device for unified authentication, which is applied to a token generation system for unified authentication, the system includes a client, a gateway, an authentication server, and a database, the device is executed by the authentication server, and the device includes:
the user request information receiving module is used for receiving user request information sent by the client through the gateway; the user request information is judged to be a user login request by the gateway;
the primary encryption module is used for comparing the login information in the user request information with the user storage information in the database, performing primary encryption on the login information to produce an initial token when user storage information corresponding to the login information exists in the database, and sending the initial token to the gateway so that the gateway performs secondary encryption on the initial token, generates a final token and sends the final token to the client corresponding to the user request information.
In a fifth aspect, the present invention provides a token generation system for unified authentication, the system comprising a client, a gateway, an authentication server and a database;
The client is used for sending out user request information;
The gateway is used for receiving the user request information sent by the client, judging the user request information, and sending the user request information to the authentication server when judging that the user request information is a user login request;
The authentication server is used for comparing the login information in the user request information with the user storage information in the database, encrypting the login information into an initial token once when the user storage information corresponding to the login information exists in the database, and sending the initial token to the gateway;
the gateway is further configured to receive the initial token sent by the authentication server, and perform secondary encryption on the initial token to generate a final token; and returning the final token to the client corresponding to the user request information.
In a sixth aspect, the present invention provides a computer device comprising a memory and a processor in communication with each other; computer instructions are stored in the memory, and the processor executes the computer instructions so as to perform the token generation method of the first aspect or any implementation manner corresponding to the first aspect.
In a seventh aspect, the present invention provides a computer readable storage medium having stored thereon computer instructions for causing a computer to perform a token generation method for unified authentication of the first aspect or any of its corresponding embodiments.
In an eighth aspect, the present invention provides a computer program product comprising computer instructions for causing a computer to perform a method of token generation for unified authentication of the first aspect or any of its corresponding embodiments.
The technical scheme provided by the invention can comprise the following beneficial effects:
The gateway receives user request information sent by the client and judges the user request information; when it judges that the user request information is a user login request, the gateway sends the user request information to the authentication server, so that the authentication server compares login information in the user request information with user storage information in the database and, when user storage information corresponding to the login information exists in the database, performs primary encryption on the login information to produce an initial token; the gateway performs secondary encryption on the initial token to generate a final token and returns the final token to the client corresponding to the user request information. The scheme generates the final token through two rounds of encryption, which protects the data in transit; verification of security parameters is added to the parameters of the secondary encryption algorithm, which effectively prevents attacks from external systems and further protects the data, reduces the size and proportion of the token, and cuts unnecessary traffic overhead.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a unified authenticated token generation system according to an embodiment of the invention;
FIG. 2 is a flow diagram of a unified authenticated token generation method according to an embodiment of the invention;
FIG. 3 is a flow diagram of another unified authenticated token generation method according to an embodiment of the invention;
FIG. 4 is a flow diagram of yet another unified authenticated token generation method according to an embodiment of the invention;
FIG. 5 is a flow diagram of yet another unified authenticated token generation method according to an embodiment of the invention;
FIG. 6 is a block diagram of a unified authenticated token generation device according to an embodiment of the invention;
FIG. 7 is a block diagram of another unified authenticated token generation device according to an embodiment of the invention;
FIG. 8 is a schematic diagram of the hardware structure of a computer device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The present unified authentication mechanism was designed to simplify the user's login process and improve the user experience. This mechanism allows a user to access all authorized applications by logging in only once, which is known as single sign-on (SSO). In an SSO system, a user obtains a token through one authentication (for example, by entering a user name and a password); when the user then accesses other authorized application systems, the user only needs to present the token, without entering the user name and password again. However, this mechanism also brings some potential security risks and performance issues:
Risk of information leakage: once a user's token is maliciously obtained, an attacker can use that token to access every application the user has authorized, potentially leaking important information.
Token storage overhead and traffic overhead: tokens on the market often contain a lot of information, such as the user's identity information, permission information and the token's validity period. Storing and transmitting this information consumes resources.
To address the above, a more efficient token validation mechanism may be used and the structure of the token optimized to reduce the risk of the token being hacked or stolen. Therefore, the embodiment of the invention provides a token generation method for unified authentication, which achieves the effect of improving the security of unified login verification through twice encryption processing and reference of security parameters.
Fig. 1 is a schematic diagram of a token generation system for unified authentication according to an embodiment of the present invention. As shown in fig. 1, the system includes a client 10, a gateway 20, an authentication server 30, and a database 40;
The client 10 is configured to send out user request information;
The gateway 20 is configured to receive user request information sent by the client 10, determine the user request information, and send the user request information to the authentication server 30 when determining that the user request information is a user login request;
The authentication server 30 is configured to compare the login information in the user request information with the user storage information in the database 40, encrypt the login information once into an initial token when the user storage information corresponding to the login information exists in the database 40, and send the initial token to the gateway 20;
The gateway 20 is further configured to receive the initial token issued by the authentication server 30, and perform secondary encryption on the initial token to generate a final token; the final token is returned to the client 10 to which the user request information corresponds.
Optionally, the database 40 is used to store user storage information, whose primary sources are user registration and additions by an administrator; it includes user names and passwords and answers query requests from the authentication server 30 and other services.
Alternatively, there may be a plurality of clients 10; a client 10 provides an interactive interface, such as a web page or a mobile application, through which a user initiates a request when attempting to access a certain application or service.
Optionally, the gateway 20 serves as the externally facing service. It includes request routing: it is the first to receive the user request information sent by the client 10 and routes it to the corresponding back-end service (such as the authentication server 30 or the business system 50) according to the target of the request. In this embodiment, the gateway 20 is further configured to perform authentication and authorization: it determines the request type of the user request information sent by the client 10, checks whether the user request information includes valid authentication information such as a token, and thereby determines whether the user request information is a user login request. When it is a user login request, the gateway sends the user request information to the authentication server 30 and performs secondary encryption after the authentication server 30 completes primary encryption; when it is non-user login request information, the gateway verifies the token in the user request information and forwards the request to the corresponding service system 50 after the verification passes.
Optionally, the gateway 20 may include firewall, DDoS protection, API rate limiting, etc. functions.
Specifically, the authentication server 30 is mainly used for verifying whether the login information in the user request information matches with the user storage information existing in the database 40, and the authentication server 30 can also implement token management, generate, verify and update tokens, and encrypt the login information into an initial token once when the user storage information corresponding to the login information exists in the database 40, and send the initial token to the gateway 20.
Alternatively, the business system 50 refers to a system or platform within an organization or enterprise that supports its core business activities. Such a system is typically complex and highly integrated, with the aim of improving business efficiency, reducing costs and ensuring that the business runs smoothly. In this embodiment, the service system 50 is configured to perform secondary verification of the user request information after the primary verification by the gateway 20 when the user request information is non-user login request information.
In summary, the gateway receives the user request information sent by the client and judges it; when it determines that the user request information is a user login request, the gateway sends it to the authentication server, so that the authentication server compares the login information in the user request information with the user storage information in the database and, when user storage information corresponding to the login information exists in the database, performs primary encryption on the login information to produce an initial token; the gateway performs secondary encryption on the initial token to generate a final token and returns the final token to the client corresponding to the user request information. The scheme generates the final token through two rounds of encryption, which protects the data in transit; verification of security parameters is added to the parameters of the secondary encryption algorithm, which effectively prevents attacks from external systems and further protects the data, reduces the size and proportion of the token, and cuts unnecessary traffic overhead.
According to an embodiment of the present invention, there is provided a token generation method embodiment for unified authentication, it should be noted that the steps shown in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order different from that shown or described herein.
In this embodiment, a method for generating a unified authentication token is provided, which is applied to a unified authentication token generating system shown in fig. 1, the system includes a client 10, a gateway 20, an authentication server 30 and a database 40, the following method is executed by the gateway 20, fig. 2 is a schematic flow diagram of a unified authentication token generating method according to an embodiment of the present invention, and as shown in fig. 2, the flow includes the following steps:
step S201, receiving user request information sent by the client and judging the user request information.
Specifically, the user request information sent by the client is not necessarily a user login request; it may be other request information, for example an attempt to access a corresponding service system to perform some data processing. Therefore, when the user submits user request information through the client, the gateway determines the request type of the user request information (the request types are user login request and non-user login request), that is, whether the user request information is a user login request or a non-user login request.
Step S202, when the user request information is judged to be a user login request, the user request information is sent to the authentication server, so that the authentication server compares login information in the user request information with user storage information in the database, and when the user storage information corresponding to the login information exists in the database, the login information is encrypted into an initial token at one time.
Specifically, when the gateway judges that the user request information is a user login request, the gateway does not process the user request information directly but forwards it to the authentication server at the back end. The authentication server is a component dedicated to user authentication logic and can interact with the database in order to verify the user request information forwarded by the gateway. During authentication, the authentication server first compares the login information in the user request information with the user storage information in the database; if the login information matches the user storage information, authentication succeeds, and the authentication server then performs primary encryption on the login information in the user request information to generate an initial token.
Step S203, the initial token sent by the authentication server is received, and the initial token is encrypted for the second time, so as to generate a final token.
Specifically, after the authentication server generates the initial token, it sends the initial token to the gateway. The gateway receives the initial token and, to improve security, performs secondary encryption on it to generate a final token, which increases the complexity and confidentiality of the token and prevents unauthorized access and tampering.
And step S204, returning the final token to the client corresponding to the user request information.
Specifically, after the gateway generates the final token, it returns the final token to the client corresponding to the user request information; once the client has received the final token, it can log in directly with the final token in subsequent requests.
In summary, the gateway receives the user request information sent by the client and judges it; when it determines that the user request information is a user login request, the gateway sends it to the authentication server, so that the authentication server compares the login information in the user request information with the user storage information in the database and, when user storage information corresponding to the login information exists in the database, performs primary encryption on the login information to produce an initial token; the gateway performs secondary encryption on the initial token to generate a final token and returns the final token to the client corresponding to the user request information. The scheme generates the final token through two rounds of encryption, which protects the data in transit; verification of security parameters is added to the parameters of the secondary encryption algorithm, which effectively prevents attacks from external systems and further protects the data, reduces the size and proportion of the token, and cuts unnecessary traffic overhead.
In this embodiment, a method for generating a token for unified authentication is provided, which is applied to a token generating system for unified authentication shown in fig. 1, the system includes a client 10, a gateway 20, an authentication server 30 and a database 40, the following method is executed by the gateway 20, fig. 3 is a schematic flow diagram of another method for generating a token for unified authentication according to an embodiment of the present invention, as shown in fig. 3, the flow includes the following steps:
step S301, receiving user request information sent by the client, and determining the user request information.
Specifically, the step S301 includes:
Step S3011, when the user request information includes the login information, judging the user request information as a user login request; the login information comprises a user name and a password;
Step S3012, when the user request information includes a login token, judging that the user request information is a non-user login request.
Specifically, after a user enters and submits a request through the client, user request information is generated and sent to the server side. The user request information first reaches the gateway, which sits between the front-end and back-end services and is the entry point for traffic into the system. The gateway first judges whether the user request information is user login request information: user login request information includes login information such as a user name and a password and must be processed through a specific authentication flow. The gateway therefore judges the type of the user request information according to the specific information it contains: when the user request information includes login information, the gateway judges it to be a user login request, and when the user request information includes a login token, the gateway judges it to be a non-user login request.
Step S302, when the user request information is judged to be a non-user login request, performing a primary verification of the login token according to the security parameters in the login token and, after the verification passes, sending the user request information to the corresponding service system so that the service system performs a secondary verification of the login token.
Specifically, if the user request information is a non-user login request, the user has already logged in successfully and is now attempting to access a protected resource. In this case the user request information carries a login token that proves the identity and authorization information of the user. The gateway performs a primary parse of the login token to extract the user information and security parameters it contains. After the primary parse is complete, the gateway performs a primary verification of the authenticity of the login token using the extracted security parameters, which may include the signature of the token, its issuer, its validity period and so on; the purpose is to ensure that the login token was issued by a trusted system (e.g. the authentication server) and has not been tampered with during its validity period.
If the primary verification passes, the gateway distributes the request, based on information in the user request information (such as the API path or a service identifier), to the corresponding service system, which is responsible for handling the specific service logic. After receiving the user request information, the service system performs a secondary verification of the login token. The secondary verification ensures that the service system confirms the validity of the login token again even though the gateway has already performed the primary verification, which further strengthens the security of the system and guards against potential vulnerabilities or misoperation. If the secondary verification of the login token also passes (meaning that the login token is the final token the gateway sent to the client), the service system executes the corresponding service logic according to the requested content and returns the result to the client.
Throughout the flow, verification of the login token and distribution of the request are the key steps: they ensure that only legitimate, trusted user request information can access system resources, improving the security of the system, and the centralized management of the gateway also makes it easier to monitor, log and apply flow control to the user request information.
Step S303, when the user request information is judged to be a user login request, sending the user request information to the authentication server, so that the authentication server compares the login information in the user request information with the user storage information in the database and, when user storage information corresponding to the login information exists in the database, performs a primary encryption of the login information into an initial token.
Specifically, referring to fig. 4, which shows the flow chart of another unified authentication token generation method, the user enters login information including a user name and a password through the client and submits user request information; this user request information is a user login request. The user request information first reaches the gateway (the gateway service in fig. 4). The gateway recognizes that the request is a user login request and, rather than processing it directly, forwards the user request information to the authentication server in the back end (the authentication service in fig. 4). The authentication server, which is able to interact with the database, compares the login information in the user request information with the user storage information in the database in order to verify the login information provided by the user and, when the login information matches the user storage information in the database, performs a primary encryption of the login information into an initial token.
Step S304, the initial token sent by the authentication server is received, and the initial token is encrypted for the second time to generate a final token.
Specifically, the step S304 includes:
Step S3041, generating security parameters according to the user request information; the security parameters include client IP, client model number, and token validity time period.
Step S3042, performing secondary encryption on the initial token according to the security parameters to generate a final token.
Step S3043, compressing the final token to obtain a compressed final token.
Specifically, as shown in fig. 4, the authentication server returns the generated initial token to the gateway. After receiving the initial token, the gateway does not return it to the client directly but performs further processing, namely the secondary encryption. To improve security, the gateway performs the secondary encryption of the received initial token according to security parameters (such as the client IP, the client model and the token validity period); the secondary encryption increases the complexity and confidentiality of the initial token and prevents unauthorized access and tampering.
Step S305, returning the final token to the client corresponding to the user request information.
Specifically, the gateway returns the final token generated by the secondary encryption to the client, and the client carries the encrypted final token in subsequent access requests to prove the identity and authorization information of the user. This process ensures that only authenticated users can obtain a valid final token and that the final token receives additional encryption for transmission, which further strengthens security: the client must use the encrypted final token to access protected resources in subsequent requests, and the service system can verify and decrypt the final token to ensure the validity and security of the request.
In summary, the gateway receives the user request information sent by the client, determines the user request information, and when determining that the user request information is a user login request, sends the user request information to the authentication server, so that the authentication server compares the login information in the user request information with the user storage information in the database, and when the user storage information corresponding to the login information exists in the database, the authentication server encrypts the login information into an initial token at one time; the gateway performs secondary encryption on the initial token to generate a final token, and returns the final token to the client corresponding to the user request information. The scheme generates the final token through twice encryption, ensures the safety of data transmission, adds verification of some safety parameters in the twice encryption algorithm parameters, effectively prevents the attack of an external system, more ensures the safety of data, compresses the size and the duty ratio of the token, and reduces unnecessary flow overhead.
In this embodiment, a method for generating a unified authentication token is provided. It is applied to the unified authentication token generation system shown in fig. 1, which includes a client 10, a gateway 20, an authentication server 30 and a database 40; the following method is executed by the authentication server 30. Fig. 5 is a schematic flow diagram of another unified authentication token generation method according to an embodiment of the present invention; as shown in fig. 5, the flow includes the following steps:
Step S501, receiving the user request information from the gateway when the gateway judges that the user request information sent by the client is a user login request.
Step S502, comparing the login information in the user request information with the user storage information in the database, performing a primary encryption of the login information into an initial token when user storage information corresponding to the login information exists in the database, and sending the initial token to the gateway, so that the gateway performs a secondary encryption of the initial token and generates a final authentication command to be sent to the client corresponding to the user request information.
Specifically, the "encrypt the login information into the initial token once and send it to the gateway" in the above step S502 includes:
And obtaining a target encryption format of the token, and encrypting the login information into an initial token according to the target encryption format.
Optionally, the target encryption format is the JWT (JSON Web Token) format. JWT is an open standard (RFC 7519) that defines a compact, self-contained way to securely transfer information between parties as a JSON object.
Specifically, the login information in the user request information is encrypted and encoded in the JWT (JSON Web Token) format to generate the initial token, which may include the identity information of the user, the validity period, and other custom claims as required.
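The following is an added worked example, not code from the patent or from the applicant. It models in Python, using only the standard library, the gateway flow of steps S301 to S305 (request classification, primary verification of a login token, secondary encryption with the security parameters client IP, client model and token validity period, and compression) together with the authentication server's JWT initial-token step S502, and it also shows the service system's secondary verification of the inner JWT. Everything not stated on the page is an assumption: the keys, the constructed user store, the validity period, the HS256 signing of the JWT, and the cipher used for the "secondary encryption", which here is an encrypt-then-MAC construction (HMAC-SHA256 as a counter-mode keystream plus a separate HMAC tag) standing in for whatever cipher the patent's gateway uses. The envelope is compressed before it is encrypted rather than after, as step S3043 states, because ciphertext does not compress; all function names are hypothetical.

```python
"""Added example: two-stage (auth server + gateway) token flow, stdlib only."""
import base64
import hashlib
import hmac
import json
import os
import zlib

# Constructed sample keys and user store; a real deployment loads keys from a secret store
# and stores passwords with a slow password hash, not a bare SHA-256.
AUTH_SERVER_KEY = b"constructed-auth-server-hs256-key"
GATEWAY_KEY = b"constructed-gateway-wrapping-key"
USER_DB = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}
TOKEN_TTL = 3600  # token validity period in seconds (assumed value)


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


# --- authentication server (S502): credential check, then a JWT initial token ---
def issue_initial_token(username: str, password: str, now: int):
    stored = USER_DB.get(username)
    given = hashlib.sha256(password.encode()).hexdigest()
    # compare_digest keeps the comparison constant-time; unknown users still hash
    if stored is None or not hmac.compare_digest(stored, given):
        return None
    header = _b64u(_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64u(_json({"sub": username, "iss": "auth-server",
                           "iat": now, "exp": now + TOKEN_TTL}))
    signing_input = f"{header}.{payload}"
    sig = hmac.new(AUTH_SERVER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64u(sig)}"


def verify_initial_token(jwt: str, now: int):
    """Service-system secondary verification: signature, algorithm, issuer, expiry."""
    try:
        header, payload, sig = jwt.split(".")
        expected = hmac.new(AUTH_SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(sig)):
            return None
        hdr, claims = json.loads(_b64u_decode(header)), json.loads(_b64u_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(hdr, dict) or hdr.get("alg") != "HS256" or not isinstance(claims, dict):
        return None
    if claims.get("iss") != "auth-server" or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


# --- gateway (S3041-S3043): bind security parameters, encrypt-then-MAC, compress ---
def _keystream(nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; assumption standing in for the unnamed cipher
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(GATEWAY_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_final_token(initial_token: str, client_ip: str, client_model: str,
                     now: int, nonce: bytes = None) -> str:
    nonce = nonce or os.urandom(16)  # must be 16 bytes; the verifier slices on that length
    envelope = _json({"tok": initial_token, "ip": client_ip, "model": client_model,
                      "exp": now + TOKEN_TTL})
    compressed = zlib.compress(envelope, 9)  # compress first: ciphertext does not compress
    ct = bytes(a ^ b for a, b in zip(compressed, _keystream(nonce, len(compressed))))
    tag = hmac.new(GATEWAY_KEY, nonce + ct, hashlib.sha256).digest()
    return _b64u(nonce + ct + tag)


def gateway_primary_verify(final_token: str, client_ip: str, client_model: str, now: int):
    """Gateway primary verification: tag first, then the bound security parameters."""
    try:
        raw = _b64u_decode(final_token)
        nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
        if not hmac.compare_digest(hmac.new(GATEWAY_KEY, nonce + ct, hashlib.sha256).digest(), tag):
            return None
        env = json.loads(zlib.decompress(bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))))
    except (ValueError, zlib.error):
        return None
    # a token presented from another client IP or device model, or after its validity period, is rejected
    if not isinstance(env, dict) or env.get("ip") != client_ip or env.get("model") != client_model:
        return None
    if not isinstance(env.get("exp"), int) or env["exp"] <= now:
        return None
    tok = env.get("tok")
    return tok if isinstance(tok, str) else None


def handle_request(request: dict, now: int, nonce: bytes = None) -> dict:
    """Gateway dispatch (S301-S305): login requests go to the auth server, others are verified."""
    if "username" in request and "password" in request:  # S3011: user login request
        initial = issue_initial_token(request["username"], request["password"], now)
        if initial is None:
            return {"status": 401}
        return {"status": 200,
                "token": wrap_final_token(initial, request["ip"], request["model"], now, nonce)}
    if "token" in request:  # S3012: non-user login request
        initial = gateway_primary_verify(request["token"], request["ip"], request["model"], now)
        if initial is None:
            return {"status": 401}
        claims = verify_initial_token(initial, now)  # secondary verification by the service system
        return {"status": 403} if claims is None else {"status": 200, "user": claims["sub"]}
    return {"status": 400}
```

In this model the gateway's primary verification rejects a final token that is presented from a different client IP or device model, that has passed its validity period, or whose bytes were altered (the HMAC tag fails before anything is decrypted), while the service system's secondary verification independently checks the inner JWT's signature, issuer and expiry, which is the defence-in-depth split steps S302 and S502 describe.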
This embodiment also provides a token generation device for unified authentication, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
The present embodiment provides a token generation device for unified authentication, applied to the unified authentication token generation system shown in fig. 1, which includes a client 10, a gateway 20, an authentication server 30 and a database 40; the following device is executed by the gateway 20. As shown in fig. 6, the device includes:
The user request information judging module 601 is configured to receive user request information sent by the client, and judge the user request information;
The user request information forwarding module 602 is configured to send the user request information to the authentication server when the user request information is determined to be a user login request, so that the authentication server compares login information in the user request information with user storage information in the database, and encrypts the login information into an initial token once when user storage information corresponding to the login information exists in the database;
A secondary encryption module 603, configured to receive the initial token sent by the authentication server, and perform secondary encryption on the initial token to generate a final token;
and the final token sending module 604 is configured to return the final token to the client corresponding to the user request information.
In some alternative embodiments, the secondary encryption module 603 is further configured to:
Generating security parameters according to the user request information; the security parameters include client IP, client model and token valid time period;
and carrying out secondary encryption on the initial token according to the security parameters to generate a final token.
In some alternative embodiments, the user request information determining module 601 is further configured to:
when the user request information comprises the login information, judging the user request information as a user login request; the login information comprises a user name and a password;
when the user request information includes a login token, the user request information is judged to be a non-user login request.
In some alternative embodiments, the apparatus is further for:
When judging that the user request information is non-user login request information, analyzing the login token in the user request information once to acquire security parameters in the login token;
and carrying out primary verification on the login token according to the security parameters in the login token, and after the verification is passed, sending the user request information to a corresponding service system so as to enable the service system to carry out secondary verification on the login token.
The more specific functional description of the above respective modules and units is the same as that of the above corresponding embodiments, and will not be repeated here.
The token generation apparatus for unified authentication in this embodiment is presented as a functional unit, where the unit refers to an ASIC (Application Specific Integrated Circuit), a processor and memory that execute one or more software or firmware programs, and/or other devices that can provide the above functions.
The present embodiment provides another token generation apparatus for unified authentication, applied to the unified authentication token generation system shown in fig. 1, which includes a client 10, a gateway 20, an authentication server 30 and a database 40; the following apparatus is executed by the authentication server 30. As shown in fig. 7, the apparatus includes:
A user request information receiving module 701, configured to receive, through the gateway, user request information sent by the client; the user request information is judged as a user login request by the gateway;
The primary encryption module 702 is configured to compare the login information in the user request information with the user storage information in the database, encrypt the login information once to an initial token when the user storage information corresponding to the login information exists in the database, and send the initial token to the gateway, so that the gateway performs secondary encryption on the initial token, and generate a final authentication command to be sent to the client corresponding to the user request information.
In some alternative embodiments, the one-time encryption module 702 is further configured to:
obtaining a target encryption format of the token;
encrypting the login information into an initial token according to the target encryption format.
The more specific functional description of the above respective modules and units is the same as that of the above corresponding embodiments, and will not be repeated here.
The other token generation device for unified authentication in this embodiment is presented as a functional unit, where the unit refers to an ASIC (Application Specific Integrated Circuit), a processor and memory that execute one or more software or firmware programs, and/or other devices that can provide the above functions.
The embodiment of the invention also provides computer equipment, which is provided with the token generation device for unified authentication shown in fig. 6 and the other token generation device for unified authentication shown in fig. 7.
Referring to fig. 8, which is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention, the computer device includes one or more processors 810, a memory 820, and interfaces for connecting the components, including high-speed interfaces and low-speed interfaces. The components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output device, such as a display device coupled to an interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 810 is illustrated in fig. 8.
The processor 810 may be a central processor, a network processor, or a combination thereof. The processor 810 may further include a hardware chip. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a generic array logic, or any combination thereof.
The memory 820 stores instructions executable by the at least one processor 810 to cause the at least one processor 810 to perform the methods of the above embodiments.
Memory 820 may include a storage program area that may store an operating system, at least one application program required for functionality, and a storage data area; the storage data area may store data created according to the use of the computer device, etc. In addition, memory 820 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 820 may optionally include memory located remotely from processor 810, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 820 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; memory 820 may also include a combination of the above types of memory.
The computer device also includes a communication interface 830 for the computer device to communicate with other devices or communication networks.
The embodiments of the present invention also provide a computer-readable storage medium. The method according to the embodiments of the present invention described above may be implemented in hardware, in firmware, or as computer code that is recorded on a storage medium, or as computer code originally stored in a remote storage medium or a non-transitory machine-readable storage medium and downloaded through a network to be stored in a local storage medium, so that the method described herein may be carried out by such software stored on a storage medium using a general-purpose computer, a special-purpose processor, or programmable or special-purpose hardware. The storage medium can be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk or the like; further, the storage medium may also comprise a combination of memories of the kinds described above. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Portions of the present invention may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or aspects in accordance with the present invention by way of operation of the computer. Those skilled in the art will appreciate that the form of computer program instructions present in a computer readable medium includes, but is not limited to, source files, executable files, installation package files, etc., and accordingly, the manner in which the computer program instructions are executed by a computer includes, but is not limited to: the computer directly executes the instruction, or the computer compiles the instruction and then executes the corresponding compiled program, or the computer reads and executes the instruction, or the computer reads and installs the instruction and then executes the corresponding installed program. Herein, a computer-readable medium may be any available computer-readable storage medium or communication medium that can be accessed by a computer.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.

Claims (12)

1. A method for generating a unified authenticated token, which is applied to a unified authenticated token generation system, wherein the system comprises a client, a gateway, an authentication server and a database, the method is executed by the gateway, and the method comprises the following steps:
Receiving user request information sent by the client and judging the user request information;
When the user request information is judged to be a user login request, the user request information is sent to the authentication server, so that the authentication server compares login information in the user request information with user storage information in the database, and when the user storage information corresponding to the login information exists in the database, the login information is encrypted into an initial token at one time;
receiving the initial token sent by the authentication server, and performing secondary encryption on the initial token to generate a final token;
and returning the final token to the client corresponding to the user request information.
2. The method of claim 1, wherein the secondarily encrypting the initial token to generate a final token comprises:
generating security parameters according to the user request information; the security parameters comprise client IP, client model and token valid time period;
And carrying out secondary encryption on the initial token according to the security parameters to generate a final token.
3. The method of claim 1, wherein the receiving the user request information sent by the client and determining the user request information include:
When the user request information comprises the login information, judging the user request information as a user login request; the login information comprises a user name and a password;
And when the user request information comprises a login token, judging that the user request information is a non-user login request.
4. A method according to claim 3, wherein the system further comprises a business system; when the user request information is judged to be non-user login request information, the method further comprises the following steps:
Analyzing the login token in the user request information once to acquire security parameters in the login token;
And carrying out primary verification on the login token according to the security parameters in the login token, and after the verification is passed, sending the user request information to a corresponding service system so as to enable the service system to carry out secondary verification on the login token.
5. A method for generating a unified authenticated token, which is applied to a unified authenticated token generation system, wherein the system comprises a client, a gateway, an authentication server and a database, the method is executed by the authentication server, and the method comprises the following steps:
When the gateway judges that the user request information sent by the client is a user login request, the gateway receives the user request information;
Comparing the login information in the user request information with the user storage information in the database, encrypting the login information once into an initial token when the user storage information corresponding to the login information exists in the database, and sending the initial token to the gateway so that the gateway carries out secondary encryption on the initial token, and generating a final authentication command and sending the final authentication command to a client corresponding to the user request information.
6. The method of claim 5, wherein encrypting the login information once into an initial token comprises:
obtaining a target encryption format of the token;
encrypting the login information into an initial token according to the target encryption format.
7. A token generation device for unified authentication, which is applied to a token generation system for unified authentication, the system comprising a client, a gateway, an authentication server and a database, the device being executed by the gateway, the device comprising:
The user request information judging module is used for receiving the user request information sent by the client and judging the user request information;
The user request information forwarding module is used for sending the user request information to the authentication server when judging that the user request information is a user login request, so that the authentication server compares login information in the user request information with user storage information in the database, and encrypts the login information into an initial token once when the user storage information corresponding to the login information exists in the database;
The secondary encryption module is used for receiving the initial token sent by the authentication server and carrying out secondary encryption on the initial token so as to generate a final token;
and the final token sending module is used for returning the final token to the client corresponding to the user request information.
8. A token generation device for unified authentication, which is applied to a token generation system for unified authentication, the system comprising a client, a gateway, an authentication server and a database, the device being executed by the authentication server, the device comprising:
the user request information receiving module is used for receiving user request information sent by the client through the gateway; the user request information is judged to be a user login request by the gateway;
The primary encryption module is used for comparing the login information in the user request information with the user storage information in the database, encrypting the login information into an initial token once when the user storage information corresponding to the login information exists in the database, and sending the initial token to the gateway so that the gateway carries out secondary encryption on the initial token, and generating a final authentication command and sending the final authentication command to a client corresponding to the user request information.
9. A token generation system for unified authentication, which is characterized by comprising a client, a gateway, an authentication server and a database;
The client is used for sending out user request information;
The gateway is used for receiving the user request information sent by the client, judging the user request information, and sending the user request information to the authentication server when judging that the user request information is a user login request;
The authentication server is used for comparing the login information in the user request information with the user storage information in the database, encrypting the login information into an initial token once when the user storage information corresponding to the login information exists in the database, and sending the initial token to the gateway;
the gateway is further configured to receive the initial token sent by the authentication server, and perform secondary encryption on the initial token to generate a final token; and returning the final token to the client corresponding to the user request information.
10. A computer device, comprising:
A memory and a processor, the memory and the processor being communicatively connected to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform a unified authentication token generation method according to any one of claims 1 to 6.
11. A computer-readable storage medium having stored thereon computer instructions for causing a computer to perform a unified authentication token generation method according to any one of claims 1 to 6.
12. A computer program product comprising computer instructions for causing a computer to perform a unified authentication token generation method according to any one of claims 1 to 6.
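The client, gateway, authentication server and database flow of claim 9, written out as an added example; this is not code from the patent or from the applicant. The patent does not name the ciphers, the password storage, or the "safety parameters" added at the second layer, so the example assumes the following: a stdlib-only encrypt-then-MAC stream cipher (HMAC-SHA256 in counter mode) standing in for each encryption layer, PBKDF2 for the stored credentials, and an expiry plus a client id as the gateway-side parameters. All names (seal, unseal, AuthServer, Gateway, make_user_store, demo) and the sample user "alice" are hypothetical and constructed here.

```python
"""Constructed model of the claimed flow: the authentication server seals the login
information into an initial token, the gateway seals that again into the final token."""
import base64
import hashlib
import hmac
import json
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumption: the patent does not specify password storage


def _b64e(raw):
    # URL-safe base64 with padding stripped keeps the token a few bytes shorter.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stdlib-only stream cipher (assumption;
    # a real deployment would use AES-GCM or similar from a crypto library).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, payload):
    """Encrypt-then-MAC a JSON payload under independent cipher and MAC subkeys."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    plain = json.dumps(payload, separators=(",", ":")).encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    return _b64e(nonce + cipher + tag)


def unseal(key, token):
    """Return the payload, or None when the token is malformed, tampered or foreign."""
    if not isinstance(token, str):
        return None
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    try:
        raw = _b64d(token)
    except ValueError:
        return None
    if len(raw) < 48:  # 16-byte nonce + 32-byte tag at minimum
        return None
    nonce, cipher, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()):
        return None  # MAC is checked before anything is decrypted
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    try:
        return json.loads(plain)
    except ValueError:
        return None


def make_user_store(users):
    """Constructed database: username -> (salt, PBKDF2 hash); no plaintext passwords."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS))
    return store


class AuthServer:
    """Compares login information with the user store and performs the primary encryption."""

    def __init__(self, key, user_store):
        self.key, self.user_store = key, user_store

    def login(self, login_info):
        record = self.user_store.get(login_info.get("username"))
        if record is None:
            return None  # no stored user matches the login information
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", login_info.get("password", "").encode(), salt, PBKDF2_ITERATIONS)
        if not hmac.compare_digest(candidate, stored):
            return None
        # The initial token carries identity claims only, never the password.
        return seal(self.key, {"sub": login_info["username"], "iat": int(time.time())})

    def introspect(self, initial_token):
        return unseal(self.key, initial_token)


class Gateway:
    """Routes login requests to the auth server and performs the secondary encryption."""

    def __init__(self, key, auth_server, ttl=3600):
        self.key, self.auth_server, self.ttl = key, auth_server, ttl

    def handle(self, request):
        if request.get("type") != "login":
            return {"status": "not_login"}  # only login requests reach the auth server
        initial = self.auth_server.login(request.get("login", {}))
        if initial is None:
            return {"status": "denied"}
        # Secondary encryption: the gateway wraps its own safety parameters
        # (assumed here: expiry and client id) around the initial token.
        outer = {"inner": initial, "exp": int(time.time()) + self.ttl, "cid": request.get("client_id")}
        return {"status": "ok", "token": seal(self.key, outer)}

    def verify(self, final_token, client_id):
        outer = unseal(self.key, final_token)
        if outer is None or outer.get("exp", 0) < time.time() or outer.get("cid") != client_id:
            return None
        return outer["inner"]  # still sealed; only the auth server can open it


def demo():
    auth = AuthServer(os.urandom(32), make_user_store({"alice": "correct horse"}))  # constructed
    gateway = Gateway(os.urandom(32), auth)
    login = {"type": "login", "client_id": "c1", "login": {"username": "alice", "password": "correct horse"}}
    ok = gateway.handle(login)
    denied = gateway.handle({**login, "login": {"username": "alice", "password": "wrong"}})
    other = gateway.handle({"type": "data", "client_id": "c1"})
    claims = auth.introspect(gateway.verify(ok["token"], "c1"))
    tok = ok["token"]
    tampered = tok[:30] + ("A" if tok[30] != "A" else "B") + tok[31:]  # one flipped character
    return (ok["status"], denied["status"], other["status"], claims["sub"],
            gateway.verify(tok, "c2"), gateway.verify(tampered, "c1"))


if __name__ == "__main__":
    print(demo())  # ('ok', 'denied', 'not_login', 'alice', None, None)
```

The split of keys is the point worth noticing: the gateway never holds the authentication server's key, so `Gateway.verify` can only strip the outer layer and hand back the still-sealed initial token for `AuthServer.introspect`. Because the gateway-side parameters live in the outer layer, a final token presented by a different client, after its expiry, or with a single modified character is rejected at the gateway before the authentication server or the database is consulted.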

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410313866.1A CN118174874A (en) 2024-03-19 2024-03-19 Token generation method and device for unified authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410313866.1A CN118174874A (en) 2024-03-19 2024-03-19 Token generation method and device for unified authentication

Publications (1)

Publication Number Publication Date
CN118174874A true CN118174874A (en) 2024-06-11

Family

ID=91358139

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410313866.1A Pending CN118174874A (en) 2024-03-19 2024-03-19 Token generation method and device for unified authentication

Country Status (1)

Country Link
CN (1) CN118174874A (en)

Similar Documents

Publication Publication Date Title
US10382426B2 (en) Authentication context transfer for accessing computing resources via single sign-on with single use access tokens
US9443084B2 (en) Authentication in a network using client health enforcement framework
WO2016188256A1 (en) Application access authentication method, system, apparatus and terminal
EP1914658B1 (en) Identity controlled data center
CN111416822B (en) Method for access control, electronic device and storage medium
CN112000951B (en) Access method, device, system, electronic equipment and storage medium
CN111865882B (en) Micro-service authentication method and system
CN112532599B (en) Dynamic authentication method, device, electronic equipment and storage medium
CN109040079A (en) The establishment of live streaming chained address and verification method and related device
CN111147525A (en) Authentication method, system, server and storage medium based on API gateway
CN111669351A (en) Authentication method and related equipment
CN116319024A (en) Access control method and device of zero trust system and zero trust system
CN113225351A (en) Request processing method and device, storage medium and electronic equipment
CN111814186B (en) Menu authority access control method of intelligent equipment operation platform
KR20090054774A (en) Method of integrated security management in distribution network
CN112699404A (en) Method, device and equipment for verifying authority and storage medium
CN112560102A (en) Resource sharing method, resource accessing method, resource sharing equipment and computer readable storage medium
CN116996305A (en) Multi-level security authentication method, system, equipment, storage medium and entry gateway
US11177958B2 (en) Protection of authentication tokens
US8250649B2 (en) Securing system and method using a security device
KR100545676B1 (en) Authentication Method And Authentication System Using Information About Computer System's State
CN114024682A (en) Cross-domain single sign-on method, service equipment and authentication equipment
CN114500074A (en) Single-point system security access method, device and related equipment
CN118174874A (en) Token generation method and device for unified authentication
CN112511565B (en) Request response method and device, computer readable storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination