KR20220136650A - Method and apparatus for handling user certification information - Google Patents

Abstract

Provided are a user authentication information processing method and device. The user authentication information processing method according to one embodiment may comprise the steps of: after performing a user authentication procedure between a first application executed on a user terminal and a server, in response to the acquisition of a token transmitted from the server to the user terminal, automatically executing a second application different from the first application in the user terminal; and acquiring, by the second application, authentication information from the server using the token.

Description

Method and device for processing user authentication information

The present invention relates to a method and apparatus for processing user authentication information. More particularly, it relates to a user authentication information processing method and apparatus for obtaining authentication information of a user used between a first application and a server and processing it to be used as authentication information of another application.

A user terminal such as a smart phone or a personal computer is equipped with a browser for viewing a web page. A user accesses the Internet using the browser and uses a web service. In addition, after a user accesses a portal site using a web browser and logs in, the user is provided with various services such as a mail service, a messenger service, an Internet shopping service, and the like.

Meanwhile, when a user logs in to a portal site using a web browser, a program has been developed that automatically executes other applications associated with the portal site. For example, when a user logs in to a portal site using a web browser, a program has been developed in which a messenger application associated with the portal site is automatically executed.

However, the existing program is only capable of automatically executing the associated application, and does not perform automatic authentication of the associated application. That is, in order to perform authentication through the associated application, the user must re-enter authentication information. In other words, the existing program that automatically executes the linked application automatically executes the application related to the portal site and requires a separate user input for authentication.

In addition, the existing program that automatically runs the linked application only considers running the application in a uniform environment (that is, a single browser and a single account environment), but in a variety of environments (different browsers or different account environments) is not considering managing the application in .

Korean Patent Registration 10-1262073 (2013.05.02)

The technical problem to be solved by the present invention is to provide a method and apparatus for acquiring and processing user's authentication information so that the authentication information used in the first application can be used in other applications.

Another technical problem to be solved by the present invention is to provide a user authentication information processing method and apparatus for automatically performing authentication of a linked application without input of authentication information.

Another technical problem to be solved by the present invention is to provide a user authentication information processing method and apparatus capable of managing the authentication status of a linked application in various environments.

Another technical problem to be solved by the present invention is to provide a user authentication information processing method and apparatus for improving security through token modulation or encryption of authentication information.

The technical problems of the present invention are not limited to the technical problems mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the following description.

In a user authentication information processing method in a user terminal according to an embodiment of the present invention for solving the above technical problem, after performing a user authentication procedure between a first application executed in the user terminal and the server, the server In response to obtaining the token transmitted to the user terminal, automatically executing a second application different from the first application in the user terminal, and the second application obtains authentication information from the server by using the token may include the step of

In an embodiment, the first application transmits a user authentication request to the server according to a first protocol, and the server is designated to access the processing result of the user authentication request according to a second protocol different from the first protocol. It can be transmitted to the user terminal through the URL string.

In an embodiment, the method for processing user authentication information may further include the step of the second application communicating with the server or a computing device sharing authentication information with the server based on the authentication information.

In one embodiment, the user authentication information processing method includes the steps of executing a third application in the user terminal, the third application obtaining the authentication information from the second application, and the third application using the authentication information The method may further include communicating with the server or a computing device sharing authentication information with the server based on the .

In one embodiment, the method for processing user authentication information includes the steps of terminating and restarting the third application, and if the authentication state is maintained between the first application and the server, acquiring the authentication information again from the second application and the third application communicating back to the server or the computing device based on the authentication information.

In the user authentication information processing method, after the user state between the first application and the server is released, the third application releases the authentication state with the server or the computing device according to an instruction of the second application It may include further steps.

In an embodiment, the method for processing user authentication information includes, when an authentication procedure of another user is performed between the first application and the server, the second application acquiring authentication information of the other user, and the third The method may further include, by the application, communicating with the server or a computing device sharing authentication information with the server based on the authentication information of the other user.

In an embodiment, the method for processing user authentication information includes transmitting another token from the server to the user terminal after the user's authentication procedure is performed between the server and a fourth application executed in the user terminal; and updating the token with the other token.

For solving the above technical problem, a computing device according to another embodiment of the present invention includes one or more processors, a memory for loading a computer program executed by the processor, and a storage for storing the computer program , the computer program, in response to obtaining a token transmitted from the server to the user terminal after performing a user authentication procedure between the server and the first application executed in the user terminal, the first application in the user terminal and It may include instructions for performing an operation of automatically executing a different second application and an operation of the second application obtaining authentication information from the server using the token.

In order to solve the above technical problem, a computer-readable recording medium according to another embodiment of the present invention is a process of obtaining a token transmitted from a server to a first application that has succeeded in user authentication, the server using the token a process of obtaining the authentication information of the user from A program for controlling the third application to release the authentication state between the third application and the server may be recorded.

1 is a diagram illustrating a user authentication information processing system according to an embodiment of the present invention.
FIG. 2 is a diagram illustrating a block diagram of a user's terminal illustrated in FIG. 1 .
3 is a signal flow diagram illustrating a method of processing user authentication information according to another embodiment of the present invention.
4 to 8 are signal flow diagrams for explaining a method of processing user authentication information, according to various embodiments of the present disclosure.
9 is an exemplary hardware configuration diagram that may implement a computing device in various embodiments.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. Advantages and features of the present invention, and a method of achieving them will become apparent with reference to the embodiments described below in detail in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments published below, but may be implemented in various different forms, and only these embodiments allow the publication of the present invention to be complete, and common knowledge in the technical field to which the present invention pertains. It is provided to fully inform the possessor of the scope of the invention, and the present invention is only defined by the scope of the claims. Like reference numerals refer to like elements throughout.

Unless otherwise defined, all terms (including technical and scientific terms) used herein may be used with the meaning commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in a commonly used dictionary are not to be interpreted ideally or excessively unless clearly defined in particular. The terminology used herein is for the purpose of describing the embodiments and is not intended to limit the present invention. In this specification, the singular also includes the plural, unless specifically stated otherwise in the phrase.

Hereinafter, some embodiments of the present invention will be described with reference to the drawings.

1 is a diagram illustrating a user authentication information processing system according to an embodiment of the present invention.

Referring to FIG. 1 , the user authentication information processing system according to an embodiment of the present invention may include a user terminal 100 and a server 200 .

The server 200 may provide a portal service such as a mail service, a messenger service, a video conference service, a web drive service, and the like. The server 200 may store user authentication information. The authentication information may be a login ID and password, or biometric information or the like. In an embodiment, the server 200 may provide a plurality of types of services to the user terminal 100 . For example, the server 200 may simultaneously provide a plurality of services among a mail service, a messenger service, a video conference service, and a web drive service to the user terminal 100 . The server 200 may provide a specific type of service (eg, a messenger service, a video conference service, a web drive service, etc.) to the user terminal 100 through an application mounted on the user terminal 100 . In addition, the server 200 may share the user's authentication information with other computing devices (eg, a linked server).

In an embodiment, the server 200 receives authentication information from the first application 110-1 of the user terminal 100, performs authentication, and when authentication is successful, the first application 110 of the user terminal 100 You can form a session with -1). In an embodiment, the server 200 may perform authentication with the first application 110 - 1 of the user terminal 100 using the first protocol. The first protocol may be a protocol used as a standard, such as HyperText Transfer Protocol (HTTP) or HyperText Transfer Protocol over Secure Socket Layer (HTTPS). If the user authentication is successful, the server 200 may generate a token for accessing the session identification information and the user's authentication information, and then transmit the session identification information and the token to the user terminal 100 . The token may be a character string, and each token may be expressed as a different character string.

In one embodiment, when the server 200 transmits the token and the session identification information to the first application 110-1 of the user terminal 100, the identifier indicating the second protocol, the session identification information and the token are included. The URL string may be transmitted to the user terminal 100 . The second protocol is different from the first protocol, and may be a protocol designated by a user. The URL string may be accessed according to the second protocol. After setting the expiration time of the session, the server 200 may release the session when the expiration time elapses.

The user terminal 100 is a computing device capable of receiving a portal service from the server 200 , and may mount a plurality of different applications 110 -N. When the first application 110-1 mounted on the user terminal 100 accesses the server 200 and successfully authenticates to obtain a token, the second application 110-2 is automatically executed and the server 200 ) to obtain the user's authentication information.

FIG. 2 is a diagram illustrating a block diagram of a user's terminal illustrated in FIG. 1 .

Referring to FIG. 2 , the user terminal 100 according to an embodiment of the present invention may include a plurality of applications 110-N, a registry 120 and a protocol handler 130 . The components may be implemented in software or may be implemented through a combination of hardware and software.

Each of the first application 110-1 and the fourth application 110-4 is an application that allows access to the Internet to use a web service, and may be a web browser that supports the reading of HTML documents, but is not limited thereto. . The first application 110 - 1 and the fourth application 110 - 4 may be different web browsers. Each of the first application 110 - 1 and the fourth application 110 - 4 may perform user authentication with the server 200 using the first protocol.

The registry 120 is a type of database for storing system configuration information, and may store application information called for each protocol. In an embodiment, the registry 120 may store a custom protocol and information of the second application 110 - 2 called by the custom protocol. As will be described later, the second application 110 - 2 may be an application for processing user authentication information.

The protocol handler 130 may call a corresponding application when a specific protocol is used in the user terminal 100 based on application information for each protocol stored in the registry 120 , and control the application to be automatically executed. The protocol handler 130 may transmit a message related to an authentication processing result, session expiration, authentication release, etc. occurring between the server 200 and the first application 110 - 1 to the second application 110 - 2 . In an embodiment, the protocol handler 130 may transmit an authentication processing result, session expiration, authentication release, and the like, as a URL string related to the second application 110 - 2 .

The second application 110 - 2 may be an application registered in advance to process the second protocol (ie, a user-specified protocol). When the second application 110-2 is installed in the user terminal 100, the second application 110- as an application for processing the second protocol (ie, a user-specified protocol) in the user terminal 100 The information of 2) may be registered in the registry 120 .

The second application 110 - 2 may process user's authentication information and may also be an application for providing a specific service. For example, the second application 110 - 2 may perform one or more services among a financial transaction service, a video conference service, a messenger service, an in-house electronic payment service, an online shopping service, and the like. The second application 110 - 2 performs authentication between the first application 110 - 1 and the server 200 , and then starts the first application 110 - 1 of the user terminal 100 from the server 200 . When the authentication processing result including the token and the identifier of the second protocol (that is, the user-specified protocol) is transmitted, it may be automatically executed by the call of the protocol handler 130 . The second application 110 - 2 may obtain and store the user's authentication information from the server 200 using the token. The user's authentication information may be encrypted, and in this case, the second application 110 - 2 may decrypt the user's authentication information using a pre-stored decryption key. For normal encryption and decryption, the second application 110 - 2 may share an encryption key and a decryption key with the server 200 in advance. In addition, the second application 110-2 shares the modulation/demodulation rule for the token with the server 200, and can demodulate the modulated token using the modulation/demodulation rule, and also modulates the token to the server 200 can also be sent to

In an embodiment, the second application 110 - 2 may communicate with the server 200 using the obtained authentication information. In another embodiment, the second application 110-2 provides the acquired user's authentication information to the third application 110-3 associated with the first application 110-2, and together with the third application 110 -3) to automatically execute the third application 110-3. In this case, the second application 110-2 provides the user's authentication information to the third application 110-3, and the third application 110-3 uses the authentication information to the server 200 or the The server 200 may communicate with a computing device that shares authentication information. When the session between the first application 110-1 and the server 200 expires, the second application 110-2 may release the authentication state of the third application 110-3.

The third application 110 - 3 may be an application associated with the first application 110 - 1 . The third application 110 - 3 may be called and executed under the control of the second application 110 - 2 . Also, the third application 110 - 3 may communicate with the server 200 or the computing device using the user's authentication information provided from the second application 110 - 2 .

According to this embodiment, without requiring user input, the third application 110-3 communicates with the server 200 or other computing device using the user's authentication information provided from the second application 110-2. By automatically performing authentication, the effect of improving user convenience in the authentication process may be exhibited.

3 is a signal flow diagram illustrating a method of processing user authentication information according to another embodiment of the present invention.

Referring to FIG. 3 , the first application 110 - 1 of the user terminal 100 may transmit an authentication request message including the authentication information to the server 200 after receiving authentication information from the first user. (S101). In this case, the first application 110 - 1 may transmit an authentication request message to the server 200 using a first protocol (eg, HTPP or HTPPS). The authentication information of the first user may be one or more of an ID, a password, and biometric information of the user.

Then, the server 200 performs authentication of the first user by using the authentication information of the first user included in the authentication request message (S103). That is, the server 200 may perform authentication of the first user by checking whether the authentication information of the first user matches pre-stored authentication information. Next, if the server 200 succeeds in the authentication of the first user, it generates a first token that can access the authentication information of the first user (S105), and the generated first token and the first user You can map and store authentication information.

Next, the server 200 may transmit the authentication processing result of the first user to the first application 110 - 1 of the user terminal 100 ( S107 ). When the authentication of the first user fails, the server 200 may transmit an authentication processing result including authentication failure information without including the first token to the first application 110 - 1 . On the other hand, if the server 200 succeeds in authentication of the first user, authentication success information, an identifier indicating the second protocol designated by the first user, the generated first token, and identification information of the first user (eg, log in) ID) may be transmitted to the first application 110 - 1 of the user terminal 100 . In this case, the server 200 may transmit the authentication processing result to the first application 110-1 in the form of a URL string designated to be accessed according to the second protocol. For example, the authentication processing result of the URL string behavior such as "myprotocol://www.samsungsds.com/login?mode=success%%user1+token#1" is the first application 110-1 of the user terminal 100 can be transmitted to Here, 'myprotocol' may be the identifier of the second protocol specified by the user, 'login?mode=success' may indicate successful login, and 'user1' may be the identification information of the first user," token#1' may be the first token issued by the server 200 .

The server 200 may modulate the first token using a preset modulation rule and transmit it to the user terminal 100 . In addition, when forming a session with the first application 110 - 1 , the server 200 may include the session ID in the authentication processing result and transmit it to the user terminal 100 .

When the first application 110-1 receives the authentication processing result, the first application 110-1 may transmit the authentication processing result to the protocol handler 130 (S109). That is, the protocol handler 130 may monitor messages transmitted/received between the first application 110 - 1 and the server 200 to obtain various messages such as authentication processing results. The protocol handler 130 may analyze the character string of the authentication processing result to determine whether a user-specified second protocol identifier is included in the authentication processing result. When the identifier of the second protocol is detected in the authentication processing result as a result of the determination (S111), the protocol handler 130 determines that the application called according to the second protocol is the second application 110-2 in the registry 120. By checking, the second application 110-2 may be called (S113).

By calling the protocol handler 130 , the second application 110 - 2 is executed, and the second application 110 - 2 can receive the authentication processing result from the protocol handler 130 ( S115 ). , S117).

The second application 110-2 may parse the URL string representing the authentication processing result, extract the first token and the identification information of the first user from the URL string, and store it (S119). When the first token is tampered with, the second application 110 - 2 may demodulate and store the first token using a preset demodulation rule. Also, the second application 110 - 2 may parse the URL string representing the authentication processing result, extract a session ID from the URL string, and store it together with the first token. Next, the second application 110 - 2 may transmit an authentication information request message including the first token to the server 200 ( S121 ). In an embodiment, the second application 110 - 2 modulates the first token using a preset modulation rule, and then transmits the modulated first token to the server 200 .

Subsequently, the server 200 may extract the authentication information of the first user mapped to the first token and transmit the authentication information of the first user to the second application 110 - 2 ( S123 ). When the first token is modulated, the server 200 may demodulate the modulated token using a demodulation rule. Also, the server 200 may encrypt the authentication information of the first user using an encryption key, and then transmit the encrypted authentication information of the first user to the second application 110 - 2 .

Next, the second application 110 - 2 may store the authentication information of the first user received from the server 200 ( S125 ). When the authentication information is encrypted through the server 200, the second application 110-2 decrypts the authentication information of the first user using the previously stored decryption key, and then decrypts the authentication information of the first user. can be saved.

According to the present embodiment, the second application 110 - 2 is automatically executed according to the second protocol, which is a protocol designated by the user, so that the user's authentication information can be obtained from the server 200 without user intervention. The obtained user's authentication information may be used in the second application 110-2 or in the third application 110-3, as will be described later.

4 is a signal flow diagram illustrating a method of processing user authentication information according to another embodiment of the present invention.

The method according to FIG. 4 can be performed after the method according to FIG. 3 .

Referring to FIG. 4 , the second application 110 - 2 shares the authentication information with the server 200 or the server 200 with an authentication request message including the authentication information of the first user obtained from the server 200 . It can be transmitted to the computing device (S201).

Subsequently, the server 200 or the computing device may perform authentication of the first user by checking the authentication information of the first user included in the authentication information request message and authenticating whether the authentication information is correct (S203). ). Next, the server 200 or the computing device may transmit the authentication processing result to the second application 110 - 2 ( S205 ).

If the authentication processing result is successful, the second application 110-2 may communicate with the server 200 or the computing device to provide a corresponding service to the user (S207).

While the second application 110-2, which has succeeded in authentication, communicates with the server 200 or the computing device, the first application 110-1 receives an authentication release request message (eg, a logout message) according to the input of the first user. ) can be transmitted to the server 200 (S209). Next, the server 200 may release the authentication state of the first user and transmit an authentication release notification message to the first application 110 - 1 ( S211 , S213 ). The server 200 may transmit the authentication release notification message to the first application 110-1 in the form of a URL string. Also, if a session with the first application 110 - 1 is established, the server 200 may also release the session.

When the second application 110-2 detects that the authentication state between the first application 110-1 and the server 200 is released (S215), the stored first token and the authentication information of the first user can be discarded. There is (S217). In one embodiment, the second application 110-2 receives the URL string indicating that the authentication state with the server 200 has been released from the first application 110-1 or the protocol handler 130, It may be detected that the authentication state between the 110 - 1 and the server 200 is released. In some embodiments, the server 200 may transmit an authentication release notification message to the first application 110-1 in the form of the URL string, and the second application 110-2 transmits the URL string to the protocol handler 130 ), it is possible to determine the authentication release state between the first application 110-1 and the server 200 based on the URL string. In another embodiment, the second application 110-2 monitors whether the session between the first application 110-1 and the server 200 is continuously maintained, and the session expires or early. When it is released, it may be determined that the authentication state between the first application 110 - 1 and the server 200 is released.

Next, the second application 110 - 2 may transmit the authentication release request message (eg, logout message) of the first user to the server 200 or the computing device sharing authentication information with the server 200 ( S219). Next, the server 200 may release the authentication state of the first user and transmit an authentication release notification message to the second application 110 - 2 ( S221 , S223 ). When a session is established with the second application 110 - 2 , the server 200 may also release the session.

According to the present embodiment, authentication is performed automatically between the second application 110 - 2 and the server 200 without a user's manual input, thereby improving user convenience in the authentication process. In addition, when the authentication state between the first application 110-1 and the server 200 is released, the authentication state of the second application 110-2 is also released in a chain, which may occur by continuously maintaining the authentication state. Unpleasant situations can be prevented.

5 is a signal flow diagram illustrating a method of processing user authentication information according to another embodiment of the present invention.

The method according to FIG. 5 can be performed after the method according to FIG. 3 .

Referring to FIG. 5 , when authentication information of the first user is obtained, the second application 110-2 may call a third application 110-3 associated with the first application 110-1. There is (S301).

Subsequently, the third application 110-3 called by the second application 110-2 is automatically executed (S303), and the second application 110-2 receives the obtained authentication information of the first user. It may be provided to the third application 110-3 (S305).

The third application 110-3 transmits an authentication request message including authentication information of the first user provided from the second application 110-2 to the server 200 or a computing device that shares authentication information with the server 200 can be transmitted to (S307).

Subsequently, the server 200 or the computing device may perform authentication of the first user by checking the authentication information of the first user included in the authentication information request message and authenticating whether the authentication information is correct (S309). ). Next, the server 200 or the computing device may transmit the authentication processing result for the first user to the third application 110 - 3 ( S311 ).

If the authentication processing result is successful, the third application 110-3 may communicate with the server 200 or the computing device to provide a corresponding service to the first user (S313).

While the third application 110-3 that has succeeded in authentication performs communication with the server 200 or the computing device, the first application 110-1 receives an authentication release request message (eg, based on the input of the first user) logout message) to the server 200 (S315). Next, the server 200 may release the authentication state of the first user and transmit an authentication release notification message to the first application 110 - 1 ( S317 and S319 ). The authentication release notification message may be in the form of a URL string. Also, if a session with the first application 110 - 1 is established, the server 200 may also release the session.

The second application 110-2 detects that the authentication state between the first application 110-1 and the server 200 is released (S321), and may discard the stored first token and the authentication information of the first user. There is (S323). The second application 110-2 receives a URL string indicating that the authentication state with the server 200 has been released from the first application 110-1 or the protocol handler 130, thereby causing the first application 110-1 It can be detected that the authentication state between the and the server 200 is released. In another embodiment, the second application 110-2 monitors whether the session between the first application 110-1 and the server 200 is continuously maintained, and the session expires or early. When it is released, it may be determined that the authentication state between the first application 110 - 1 and the server 200 is released.

Next, the second application 110 - 2 detecting the release of the authentication state between the first application 110 - 1 and the server 200 may instruct the third application 110 - 3 to release the authentication. (S325).

According to the instruction, the third application 110-3 may transmit an authentication release request message (eg, logout message) for the first user to the server 200 or the computing device sharing authentication information (S327). . Next, the server 200 may release the authentication state of the first user and transmit an authentication release notification message to the third application 110-3 (S329, S331). When a session is established with the third application 110 - 3 , the server 200 may release the session as well.

According to the present embodiment, the third application 110-3 associated with the first application 110-1 automatically performs authentication with the server 200 without manual input by the user, and the authentication information is repeatedly transmitted. You can remove situations that require the user. In addition, when the authentication state is released between the first application 110-1 and the server 200, the authentication state of the third application 110-3 is also released in a chain, which may occur by continuously maintaining the authentication state. Unpleasant situations can be prevented in advance.

6 is a signal flow diagram illustrating a method of processing user authentication information according to another embodiment of the present invention.

The method according to FIG. 6 may be performed after the third application 110 - 3 communicates with the server 200 using the user's authentication information provided from the second application 110 - 2 .

Referring to FIG. 6 , the execution of the third application 110 - 3 communicating with the server 200 may be terminated according to the input of the first user ( S401 ). When the execution of the third application 110 - 3 ends, the authentication state with the server 200 may be released. Subsequently, the third application 110 - 3 may receive a restart command from the first user and be executed again ( S403 ). Next, the third application 110-3 may request authentication information of the first user from the second application 110-2 (S405).

If the authentication information of the first user is not discarded and is still being stored, the second application 110-2 may extract the authentication information of the first user and provide it to the third application 110-3 (S407, S409). On the other hand, the second application 110-2 is the third application ( 110-3) to notify the failure to provide authentication information. In this case, the third application 110 - 3 may receive authentication information from the first user.

The third application 110-3 receiving the authentication information may transmit an authentication request message including the authentication information of the first user to the server 200 or a computing device sharing authentication information with the server 200 ( S411).

Subsequently, the server 200 or the computing device may check the authentication information of the first user included in the authentication information request message and perform authentication of the first user again by authenticating whether the authentication information is correct ( S413). Next, the server 200 or the computing device may transmit the authentication processing result for the first user to the third application 110-3 (S415).

If the authentication processing result is successful, the third application 110 - 3 may communicate with the server 200 or the computing device to provide the corresponding service to the first user again ( S417 ).

According to the present embodiment, if the authentication state is maintained between the first application 110-1 and the server 200, even if the third application 110-3 associated with the first application 110-1 is executed again It is possible to quickly and conveniently perform authentication again using the previously acquired authentication information of the user.

7 is a signal flow diagram illustrating a method of processing user authentication information according to another embodiment of the present invention.

The method according to FIG. 7 may be performed after the third application 110 - 3 communicates with the server 200 using the user's authentication information provided from the second application 110 - 2 .

Referring to FIG. 7 , the first application 110-1 of the user terminal 100 receives authentication information from the second user while maintaining the authentication state with the server 200 using the authentication information of the first user. can receive Subsequently, the first application 110 - 1 of the user terminal 100 may transmit an authentication request message including the authentication information of the second user to the server 200 ( S501 ). In this case, the first application 110 - 1 may transmit the authentication request message to the server 200 using a first protocol (eg, HTPP or HTPPS).

Next, the server 200 performs second user authentication using the authentication information of the second user included in the authentication request message (S503). Next, when the second user authentication is successful, the server 200 generates a second token that can access the authentication information of the second user (S505), and authenticates the second user with the generated second token (S505). Information can be mapped and stored.

Next, the server 200 may transmit the authentication processing result for the second user to the first application 110 - 1 of the user terminal 100 ( S507 ). When the second user authentication is successful, the server 200 sends an authentication processing result including authentication success information, an identifier indicating the second protocol, the second token, and the second user's identification information (eg, login ID) to the user. It can be transmitted to the first application 110 - 1 of the terminal 100 . In this case, the server 200 may transmit the authentication processing result to the first application 110-1 in the form of a URL string. The server 200 may encrypt the second token using a preset modulation rule and transmit it to the user terminal 100 . In addition, when forming a session with the first application 110 - 1 , the server 200 may include the session ID in the authentication processing result and transmit it to the user terminal 100 .

When the first application 110-1 receives the authentication processing result, the first application 110-1 may transmit the authentication processing result to the protocol handler 130 (S509). The protocol handler 130 may analyze the character string of the authentication processing result to determine whether a predetermined second protocol identifier is included in the authentication processing result. As a result of the determination, when the second protocol identifier is detected from the authentication processing result, the protocol handler 130 may transmit the authentication processing result to the second application 110 - 2 ( S511 ). Here, since the second application 110-2 is already running, the protocol handler 130 does not separately call the second application 110-2, but processes the authentication with the second application 110-2. results can be communicated.

The second application 110 - 2 may parse the URL string representing the authentication processing result, and extract the second user's identification information (eg, login ID) from the URL string. Next, the second application 110-2 compares the extracted identification information of the second user with the identification information of the first user included in the pre-stored authentication information of the first user, whether the two identification information is the same can be determined. The second application 110-2 may detect that the user using the first application 110-1 is changed as the identification information of the first user and the second user identification information do not match (S513).

Subsequently, the second application 110 - 2 may discard the previously stored authentication information and token of the first user as the user change is detected ( S515 ). Next, the second application 110-2 may parse the URL string representing the authentication processing result, extract a second token from the URL string, and store the second token and the identification information of the second user. There is (S517). When the second token is tampered with, the second application 110 - 2 may demodulate and store the token using a preset demodulation rule. Also, the second application 110 - 2 may parse the URL string representing the authentication processing result, extract a session ID from the URL string, and store it together with the second token.

The second application 110-2 outputs a message inquiring whether to change from the first user to the second user, and when an affirmative is input as a response to the message, discards the authentication information of the first user, and You can extract 2 tokens. On the other hand, when a negative is input as a response to the inquiry message, the second application 110 - 2 may maintain the authentication information of the first user without discarding it. In this case, the second application 110-2 provides the authentication information of the first user to the first application 110-1, and the first application 110-1 uses the authentication information of the first user again. An authentication state may be established with the server 200 . That is, when a negative response to the transition from the first user to the second user is inputted, the second application 110-2 controls the first application 110-1 to be authenticated with the account of the first user again. can

Meanwhile, the second application 110 - 2 storing the second token may transmit an authentication information request message including the second token to the server 200 ( S519 ). In some embodiments, the second application 110 - 2 modulates the second token using a preset modulation rule, and then transmits the modulated second token to the server 200 .

Subsequently, the server 200 may extract the authentication information of the second user mapped to the second token and transmit the authentication information of the second user to the second application 110 - 2 ( S521 ). When the second token is modulated, the server 200 may demodulate the modulated second token using a demodulation rule. Also, the server 200 may encrypt the authentication information of the second user using an encryption key, and then transmit the encrypted authentication information of the user to the second application 110 - 2 .

Next, the second application 110 - 2 may store the authentication information of the second user received from the server 200 ( S523 ). When the authentication information of the second user is encrypted, the server 200 may store the decrypted authentication information of the second user after decrypting the authentication information of the second user using a decryption key. Next, the second application 110 - 2 may provide authentication information of the second user to the third application 110 - 3 in order to proceed with the transition from the first user to the second user ( S525 ). .

Subsequently, the third application 110-3 shares the authentication information with the server 200 or the server 200 with the authentication request message including the authentication information of the second user provided from the second application 110-2. It can be transmitted to the computing device (S527). That is, the third application 110 - 3 may use the authentication information of the second user instead of the authentication information of the first user to perform authentication again.

Subsequently, the server 200 or the computing device may verify the authentication information of the second user included in the authentication information request message, and may perform authentication of the second user by determining whether the authentication information is correct (S529). ). Next, the server 200 or the computing device may transmit the authentication processing result for the second user to the third application 110 - 3 ( S531 ).

If the authentication processing result is successful, the third application 110 - 3 may communicate with the server 200 or the computing device to provide a corresponding service to the second user ( S533 ).

On the other hand, when the second application 110-2 is an application that needs to perform user authentication as shown in FIG. 4, the second application 110-2 uses the stored authentication information of the second user to the server 200 ) or another computing device sharing authentication information with the server 200 may perform authentication. When the second application 110 - 2 succeeds in authentication using the authentication information of the second user, the second application 110 - 2 may communicate with the server 200 or the computing device to provide a corresponding service to the second user.

According to the present embodiment, when a user switch is made in the first application 110 - 1 , an effect of promptly performing authentication according to user change and user change can be exhibited in other associated applications.

8 is a signal flow diagram illustrating a method of processing user authentication information according to another embodiment of the present invention.

The method according to FIG. 8 may proceed after the method according to FIG. 3 .

The fourth application 110-4 different from the first application 110-1 receives authentication information from the first user, and sends an authentication request message including the received authentication information of the first user to the server 200 can be transmitted to (S601). In this case, the fourth application 110 - 4 may transmit an authentication request message to the server 200 using the first protocol (eg, HTPP or HTPPS) ( S101 ). In other words, while the authentication state is maintained between the first application 110-1 and the server 200, the fourth application 110-4 receives the same authentication information from the first user and includes the authentication information. may transmit an authentication request message to the server 200 .

Subsequently, the server 200 may perform authentication of the first user by using the authentication information of the first user included in the authentication request message ( S603 ). Next, when the first user authentication is successful, the server 200 generates a third token that can access the authentication information of the first user (S605), and the generated third token and the authentication of the first user Information can be mapped and stored.

Next, the server 200 may transmit the authentication processing result to the fourth application 110-4 of the user terminal 100 (S607). When the first user authentication is successful, the server 200 transmits the authentication processing result including authentication success information, the first user's identification information, the identifier indicating the second protocol designated by the user, and the third token to the user terminal 100 . It can be transmitted to the fourth application (110-4) of. The authentication processing result may be a URL string. The server 200 may establish a session with the fourth application 110 - 4 , and in this case, the session ID may be included in the authentication processing result.

Next, the fourth application 110-4 transmits the authentication processing result to the protocol handler 130 (S609), and the protocol handler 130 sends the authentication processing result to the second application 110-2 currently running. can be transmitted (S611).

Next, the second application 110 - 2 parses the URL string representing the authentication processing result, and extracts the identification information (eg, account) of the first user from the URL string, whereby the authentication is successful for the first user can be identified (S613).

Next, the second application 110-2 compares the extracted identification information of the first user with the identification information of the first user included in the pre-stored authentication information of the first user, whether the two identification information is the same can be determined. As the second application 110-2 has the same identification information of the first user, the first user uses the fourth application 110-4 different from the existing first application 110-1 to the server 200 ) can be detected. In this case, the existing authentication information is the same, but since the token and the session ID have been changed, the second application 110 - 2 changes the previously stored first token and session ID to the newly acquired third token and session ID. By doing so, the token and the session ID may be updated (S615).

According to the present embodiment, when the same user performs new authentication using another application, the user's authentication information can be managed more reliably by updating a token that can access the user's authentication information.

The methods according to the embodiments of the present invention described so far may be performed by executing a computer program implemented as computer readable code. The computer program may be transmitted from the first computing device to the second computing device through a network such as the Internet and installed in the second computing device, thereby being used in the second computing device. The first computing device and the second computing device include all of a server device, a physical server belonging to a server pool for cloud services, and a stationary computing device such as a desktop PC.

The computer program may be stored in a recording medium such as a DVD-ROM or a flash memory device.

9 is an exemplary hardware configuration diagram that may implement a computing device in various embodiments.

The computing device 1000 according to the present embodiment includes one or more processors 1100 , a system bus 1600 , a communication interface 1200 , and a memory for loading a computer program 1500 executed by the processor 1100 . 1400 and a storage 1300 for storing the computer program 1500 may be included. In Fig. 9, only the components related to the embodiment are shown. Accordingly, those skilled in the art to which the embodiments of the present specification pertain can know that other general-purpose components other than those shown in FIG. 9 may be further included.

The processor 1100 controls the overall operation of each component of the computing device 1000 . The processor 1100 includes at least one of a central processing unit (CPU), a micro processor unit (MPU), a micro controller unit (MCU), a graphic processing unit (GPU), or any type of processor well known in the art. may be included. In addition, the processor 1100 may perform an operation on at least one application or program for executing the method/operation according to various embodiments. The computing device 1000 may include two or more processors.

The memory 1400 stores various data, commands, and/or information. The memory 1400 may load one or more programs 1500 from the storage 1300 to execute methods/operations according to various embodiments of the present specification. An example of the memory 1400 may be a RAM, but is not limited thereto.

The communication interface 1200 may communicate with an external communication device such as a mobile communication terminal, a personal computer, or a server using a network such as a mobile communication network or a wired Internet network. The communication interface 1200 may receive input information from a communication device. The computing device 1000 according to an embodiment of the present invention may be applied in a network environment using the communication interface 1200 and may identify a person by analyzing input information received from the outside.

The system bus 1600 provides a communication function between components of the computing device 1000 . The system bus 1600 may be implemented as various types of buses such as an address bus, a data bus, and a control bus.

The storage 1300 may non-temporarily store one or more computer programs 1500 . The storage 1300 may include a non-volatile memory such as a flash memory, a hard disk, a removable disk, or any type of computer-readable recording medium well known in the art to which embodiments of the present specification pertain. .

The computer program 1500 may include one or more instructions in which methods/operations according to various embodiments of the present specification are implemented. When the computer program 1500 is loaded into the memory 1400 , the processor 1100 may execute the one or more instructions to perform methods/operations according to various embodiments of the present specification. The computer program 1500 may include instructions for the user authentication information processing method described with reference to FIGS. 3 to 8 .

In one embodiment, the computer program 1500 performs a user authentication procedure between the first application 110-1 executed in the user terminal 100 and the server 200, and then the user from the server 200 In response to the acquisition of the token transmitted to the terminal 100, the operation of automatically executing a second application (110-2) different from the first application (110-1) in the user terminal (100) and the second The application 110 - 2 may include instructions for performing an operation of obtaining authentication information from the server 200 using the token.

Although embodiments of the present invention have been described above with reference to the accompanying drawings, those of ordinary skill in the art to which the present invention pertains can realize that the present invention can be embodied in other specific forms without changing the technical spirit or essential features. can understand Therefore, it should be understood that the embodiments described above are illustrative in all respects and not restrictive.

Claims (20)

As a user authentication information processing method in a user terminal,
In response to obtaining a token transmitted from the server to the user terminal after performing a user authentication procedure between the first application running in the user terminal and the server, the second application different from the first application in the user terminal is automatically step executed as; and
The second application comprising the step of obtaining authentication information from the server using the token,
How to handle user credentials. The method of claim 1,
The first application sends a user authentication request to the server according to a first protocol, and the server transmits the processing result of the user authentication request through a URL string designated to be accessed according to a second protocol different from the first protocol. transmitted to the user terminal,
How to handle user credentials. The method of claim 1,
Further comprising the step of the second application communicating with the server or a computing device sharing authentication information with the server based on the authentication information,
How to handle user credentials. The method of claim 1,
executing a third application in the user terminal;
obtaining, by the third application, the authentication information from the second application; and
Further comprising the step of the third application communicating with the server or a computing device sharing authentication information with the server based on the authentication information,
How to handle user credentials. 5. The method of claim 4,
the third application is automatically executed by the second application;
How to handle user credentials. 5. The method of claim 4,
terminating and restarting the third application;
if the authentication state is maintained between the first application and the server, acquiring the authentication information again from the second application; and
Further comprising the step of the third application communicating back to the server or the computing device based on the authentication information,
How to handle user credentials. 5. The method of claim 4,
After the user state between the first application and the server is released, the step of the third application releasing the authentication state with the server or the computing device according to an instruction of the second application,
How to handle user credentials. 5. The method of claim 4,
obtaining, by the second application, authentication information of the other user when an authentication procedure of another user is performed between the first application and the server; and
Further comprising the step of the third application communicating with the server or a computing device sharing authentication information with the server based on the authentication information of the other user,
How to handle user credentials. 9. The method of claim 8,
Outputting a message inquiring whether to switch from the user to the other user and receiving an affirmative input, further comprising the step of obtaining, by the third application, authentication information of the other user from the second application,
How to handle user credentials. 9. The method of claim 8,
Further comprising the step of obtaining, by the second application, the authentication information of the other user from the server using a token transmitted from the server to the user terminal according to the authentication procedure of the other user,
How to handle user credentials. The method of claim 1,
transmitting another token from the server to the user terminal after the user's authentication procedure is performed between a fourth application executed in the user terminal and the server; and
Further comprising the step of updating the token with the other token,
How to handle user credentials. 12. The method of claim 11,
The step of updating to the other token is,
When the user identification information used for authentication between the first application and the server and the user identification information used for authentication between the fourth application and the server are the same, updating the token to the other token containing,
How to handle user credentials. The method of claim 1,
Further comprising the step of identifying the token from the URL string received from the server by the user terminal,
How to handle user credentials. 14. The method of claim 13,
The URL string includes an identifier indicating a custom protocol,
The second application is an application pre-registered in the user terminal as an application for processing the user-specified protocol,
How to handle user credentials. 15. The method of claim 14,
When the second application is installed in the user terminal, further comprising the step of registering the second application as an application for processing the user-specified protocol in the user terminal,
How to handle user credentials. The method of claim 1,
The step of obtaining the authentication information includes:
modulating, by the second application, the token according to a preset rule; and
and the second application sending the tampered token to the server.
How to handle user credentials. The method of claim 1,
The step of obtaining the authentication information includes:
receiving, by the second application, the encrypted authentication information from the server; and
Comprising the step of the second application decrypting the encrypted authentication information,
How to handle user credentials. The method of claim 1,
After the user state between the first application and the server is released, the user terminal further comprises the step of releasing the authentication state of the second application based on the URL string received from the server,
How to handle user credentials. one or more processors;
a memory for loading a computer program executed by the processor; and
a storage for storing the computer program;
The computer program is
In response to obtaining a token transmitted from the server to the user terminal after performing a user authentication procedure between the first application running in the user terminal and the server, the second application different from the first application in the user terminal is automatically actions executed with
including instructions for the second application to perform an operation of obtaining authentication information from the server by using the token,
computing device. A process of obtaining a token transmitted from a server to a first application that has succeeded in user authentication;
obtaining authentication information of the user from the server using the token;
providing the authentication information to a third application so that authentication is performed between the third application and the server; and
When the authentication state between the first application and the server is released, a program for controlling the third application to release the authentication state between the third application and the server is recorded,
A computer-readable recording medium.

Images