TW202331563A - Identity authentication method, device and equipment and computer readable storage medium - Google Patents


Info

Publication number: TW202331563A
Authority: TW (Taiwan)
Prior art keywords: token, user, target user, server, identity authentication
Application number: TW111137392A
Other languages: Chinese (zh)
Other versions: TWI843220B (en)
Inventors: 祖立軍, 薛文哲, 周錦佳, 湯洋, 傅宜生, 趙海, 吳杰, 呂智慧
Original assignee: 大陸商中國銀聯股份有限公司 (China UnionPay Co., Ltd.)
Legal events: application filed by 大陸商中國銀聯股份有限公司; publication of TW202331563A; application granted; publication of TWI843220B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention discloses an identity authentication method, device and equipment and a computer-readable storage medium. The method comprises: receiving a service request for a first institution sent by a client, the service request comprising a plurality of tokens, the tokens being those assigned to a target user after a plurality of servers each authenticated the target user and the authentication passed, the target user being the user logged in on the client; matching the plurality of tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user; and, when the target user is determined to be an authenticated user, forwarding the service request to a first server corresponding to the first institution so that the first server responds to it. According to the embodiments of the invention, the number of logins a user needs in order to obtain services from different institutions can be reduced while service security is ensured, network resources are saved and the user's operation process is simplified.

Description

Identity authentication method, device, equipment and computer-readable storage medium

The present invention belongs to the field of computer technology, and in particular relates to an identity authentication method, device, equipment and computer-readable storage medium.

With the continuous development of technology, more and more institutions are moving their offline services online so that users can perform business enquiries, transactions and other operations anytime and anywhere. Before an institution provides an online service to a user, it must authenticate the user's identity to ensure the security of the business.

At present, because the identity authentication systems of different institutions are independent of one another, a user has to log in separately on each institution's service platform with a user name and password to complete identity authentication, which wastes network resources and makes the user's operation cumbersome.

Embodiments of the present invention provide an identity authentication method, device, equipment and computer-readable storage medium that can reduce the number of logins a user needs in order to obtain services from different institutions while ensuring business security, thereby saving network resources and simplifying the user's operation process.

In a first aspect, an embodiment of the present invention provides an identity authentication method applied to an identity authentication server, the method comprising:

receiving a service request for a first institution sent by a client, the service request including a plurality of tokens, the plurality of tokens being tokens assigned to a target user by a plurality of servers after each of those servers has authenticated the target user and the authentication has passed, the target user being the user logged in on the client;

matching the plurality of tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user; and

when the target user is determined to be an authenticated user, forwarding the service request to a first server corresponding to the first institution so that the first server responds to the service request.

In a second aspect, an embodiment of the present invention provides an identity authentication method applied to a first server, the method comprising:

receiving a service request forwarded by an identity authentication server, the service request including a plurality of tokens, the plurality of tokens being tokens assigned to a target user by a plurality of servers after each of those servers has authenticated the target user and the authentication has passed, the target user being the user logged in on the client that sent the service request to the identity authentication server;

matching the plurality of tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user; and

when the target user is determined to be an authenticated user, responding to the service request.

In a third aspect, an embodiment of the present invention provides an identity authentication method applied to a second server, the method comprising:

receiving user identity information corresponding to a target user, collected by a client;

authenticating the target user according to the user identity information; and

when the authentication passes, assigning a second token to the target user, sending the second token to the client, and uploading the second token to the blockchain, so that the servers of other institutions can determine, from a plurality of tokens including the second token, whether the target user is an authenticated user.

In a fourth aspect, an embodiment of the present invention provides an identity authentication device applied to an identity authentication server, the device comprising:

a first receiving module, configured to receive a service request for a first institution sent by a client, the service request including a plurality of tokens, the plurality of tokens being tokens assigned to a target user by a plurality of servers after each of those servers has authenticated the target user and the authentication has passed, the target user being the user logged in on the client;

a first matching module, configured to match the plurality of tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user; and

a request forwarding module, configured to forward the service request to the first server corresponding to the first institution when the target user is determined to be an authenticated user, so that the first server responds to the service request.

In a fifth aspect, an embodiment of the present invention provides an identity authentication device applied to a first server, the device comprising:

a second receiving module, configured to receive a service request forwarded by an identity authentication server, the service request including a plurality of tokens, the plurality of tokens being tokens assigned to a target user by a plurality of servers after each of those servers has authenticated the target user and the authentication has passed, the target user being the user logged in on the client that sent the service request to the identity authentication server;

a second matching module, configured to match the plurality of tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user; and

a service response module, configured to respond to the service request when the target user is determined to be an authenticated user.

In a sixth aspect, an embodiment of the present invention provides an identity authentication device applied to a second server, the device comprising:

a third receiving module, configured to receive user identity information corresponding to a target user, collected by a client;

a first identity authentication module, configured to authenticate the target user according to the user identity information; and

a first token allocation module, configured to assign a second token to the target user when the authentication passes, send the second token to the client, and upload the second token to the blockchain, so that the servers of other institutions can determine, from a plurality of tokens including the second token, whether the target user is an authenticated user.

In a seventh aspect, an embodiment of the present invention provides an electronic device comprising a processor and a memory storing computer program instructions;

when the processor executes the computer program instructions, the steps of the identity authentication method described in any embodiment of the first aspect, the second aspect and/or the third aspect are implemented.

In an eighth aspect, an embodiment of the present invention provides a computer-readable storage medium on which computer program instructions are stored; when the computer program instructions are executed by a processor, the steps of the identity authentication method described in any embodiment of the first aspect, the second aspect and/or the third aspect are implemented.

In the identity authentication method, device, equipment and computer-readable storage medium of the embodiments of the present invention, when a service request for a first institution sent by a client is received, the tokens carried in the request, which were assigned to the target user by a plurality of servers after each of them authenticated the target user, are matched against the tokens stored in the blockchain to determine whether the target user is an authenticated user; when the target user is determined to be an authenticated user, the service request is forwarded to the first server corresponding to the first institution, so that the first server responds to the client's service request without the user having to log in to the first institution's service platform. Because a plurality of servers have already authenticated the target user's identity, the user has a reliable identity endorsement, and because the blockchain is used to share the tokens assigned to the target user after authentication passed, the user's authentication result can be shared with the other institutions on the chain. The first server can therefore respond to the client's service request without the user logging in to the first institution's service platform, which reduces the number of logins a user needs to obtain services from different institutions while ensuring business security, saves network resources and simplifies the user's operation process.

10: client

11: identity authentication server

12: institution server

600, 700, 800: identity authentication device

601: first receiving module

602: first matching module

603: request forwarding module

701: second receiving module

702: second matching module

703: service response module

801: third receiving module

802: first identity authentication module

803: first token allocation module

900: electronic device

901: processor

902: memory

903: communication interface

904: bus

S210, S220, S230, S310, S320, S330, S410, S420, S430: steps

To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly introduced below; a person of ordinary skill in the art can derive other drawings from these without creative effort.

Fig. 1 is an architecture diagram to which the identity authentication method provided by an embodiment of the present invention applies;

Fig. 2 is a schematic flowchart of an embodiment of the identity authentication method provided by the first aspect of the present invention;

Fig. 3 is a schematic flowchart of an embodiment of the identity authentication method provided by the second aspect of the present invention;

Fig. 4 is a schematic flowchart of an embodiment of the identity authentication method provided by the third aspect of the present invention;

Fig. 5 is a schematic flowchart of an embodiment of the identity authentication method provided by an embodiment of the present invention;

Fig. 6 is a schematic structural diagram of an embodiment of the identity authentication device provided by the first aspect of the present invention;

Fig. 7 is a schematic structural diagram of an embodiment of the identity authentication device provided by the second aspect of the present invention;

Fig. 8 is a schematic structural diagram of an embodiment of the identity authentication device provided by the third aspect of the present invention;

Fig. 9 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.

Features and exemplary embodiments of the various aspects of the present invention are described in detail below. To make the objects, technical solutions and advantages of the present invention clearer, the invention is further described in detail below with reference to the drawings and specific embodiments. It should be understood that the specific embodiments described here are intended only to explain the present invention, not to limit it. To a person skilled in the art, the present invention may be practised without some of these specific details. The following description of the embodiments is provided only to give a better understanding of the present invention by showing examples of it.

It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprises", "includes" and any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising..." does not exclude the presence of further identical elements in the process, method, article or device that comprises the element.

At present, the main way for a user to obtain the online services of several institutions is to open each institution's service platform separately, enter the user name and password for that platform, log in and pass identity authentication, and only then use the corresponding service function. This forces the user to log in repeatedly, wasting network resources and making the user's operation cumbersome. For example, because the identity authentication services of the various banks are not interoperable, in an initial public offering (IPO) transaction-flow verification project a user needs to query the account fund flows of several banks; under the usual technical implementation the user has to enter a user name and password and log in repeatedly at each bank, which makes for a very unfriendly user experience.

To solve the problems of the prior art, embodiments of the present invention provide an identity authentication method, device, equipment and computer-readable storage medium. The identity authentication method provided by the present invention can be applied in the architecture of Fig. 1, which is described in detail below with reference to Fig. 1.

Fig. 1 shows an architecture diagram of an example of the identity authentication provided by the present invention.

As shown in Fig. 1, the architecture may include at least one client 10, an identity authentication server 11 and a plurality of institution servers 12. The identity authentication server 11 provides the client 10 with a unified service interface through which the client 10 can request services from the plurality of institution servers 12. The client 10, the identity authentication server 11 and the institution servers 12 can establish connections and exchange information over a network. The client 10 may be installed in a device with communication capability such as a mobile phone, tablet computer or all-in-one machine, or in a device emulated by a virtual machine or simulator. The identity authentication server 11 and the institution servers 12 may be devices with storage and computing capability such as cloud servers or server clusters. In addition, the identity authentication server 11 and the plurality of institution servers 12 may be servers on the same blockchain, so that any of the institution servers 12 can share user identity authentication results through the blockchain and every other server on the chain can verify a user's identity through the blockchain.

Here, the plurality of institution servers 12 may include a first server corresponding to a first institution and a second server corresponding to a second institution.

It should be noted that the identity authentication server 11 may be a server corresponding to the client 10, or a server set up by a third-party organization to provide the unified service interface.

In addition, the identity authentication method provided by the present invention can be applied in the scenario of authenticating a user who requests a service. The method is introduced below in connection with the above architecture and scenario.

Fig. 2 shows a schematic flowchart of an embodiment of the identity authentication method provided by the present invention. The method can be applied to an identity authentication server. As shown in Fig. 2, the method may specifically include the following steps:

S210, receiving a service request for a first institution sent by a client, the service request including a plurality of tokens, the plurality of tokens being tokens assigned to a target user by a plurality of servers after each of those servers has authenticated the target user and the authentication has passed, the target user being the user logged in on the client.

S220, matching the plurality of tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user.

S230, when the target user is determined to be an authenticated user, forwarding the service request to the first server corresponding to the first institution so that the first server responds to the service request.

Thus, when a service request for a first institution sent by a client is received, the tokens carried in the request, which were assigned to the target user by a plurality of servers after each of them authenticated the target user, are matched against the tokens stored in the blockchain to determine whether the target user is an authenticated user; when the target user is determined to be an authenticated user, the service request is forwarded to the first server corresponding to the first institution, so that the first server responds to the client's service request without the user having to log in to the first institution's service platform. Because a plurality of servers have already authenticated the target user's identity, the user has a reliable identity endorsement, and because the blockchain is used to share the tokens assigned to the target user after authentication passed, the user's authentication result can be shared with the other institutions on the chain. The first server can therefore respond to the client's service request without the user logging in to the first institution's service platform, which reduces the number of logins a user needs to obtain services from different institutions while ensuring business security, saves network resources and simplifies the user's operation process.

The specific implementation of each of the above steps is described below.

在一些實施方式中,在S210中,令牌(token)例如可以是使用者成功登錄相應機構服務平臺後返回的會話token。由於各機構分別架設有相應的服務器,使用者調用某機構服務前,需先輸入用戶名和密碼登錄。而用戶成功登錄後,該服務器會返回一個會話token。會話token在一段時間內有效,用戶攜帶有效的會話token訪問服務時則無需再重複登錄。 In some implementations, in S210, the token (token) may be, for example, a session token returned after the user successfully logs in to the service platform of the corresponding institution. Since each organization has set up corresponding servers, users need to enter the user name and password to log in before calling the service of a certain organization. After the user successfully logs in, the server will return a session token. The session token is valid for a period of time, and users do not need to log in again when accessing the service with a valid session token.

示例性地,在已登錄用戶端的目標使用者需要請求第一機構 的某個服務時,可在服務請求中攜帶使用者已登錄過的且已通過身份認證的服務器分配的令牌,如此,身份認證服務器作為技術轉接服務器,在接收到該請求後,可通過攜帶的多個令牌直接對目標使用者的身份進行驗證,確認其是否為已認證的用戶。 Exemplarily, the target user in the logged-in client needs to request the first organization For a certain service, the token assigned by the server that the user has logged in and has passed the identity authentication can be carried in the service request. In this way, the identity authentication server, as the technology transfer server, can pass the The multiple tokens carried directly verify the identity of the target user to confirm whether it is an authenticated user.

在一些實施方式中,上述多個服務器可以包括身份認證服務器和與第二機構對應的第二服務器,多個令牌可以包括身份認證服務器分配的第一令牌和第二服務器分配的第二令牌。 In some implementations, the plurality of servers may include an identity authentication server and a second server corresponding to the second organization, and the plurality of tokens may include a first token assigned by the identity authentication server and a second token assigned by the second server. Card.

也就是說,用戶可通過兩次登錄操作完成兩次身份驗證,即可實現在免登錄的情況下獲取第一機構的服務。第一機構可以為多個。具體的,可以通過身份認證服務器和第二服務器分別對目標使用者進行身份認證,在身份認證服務器對目標使用者的身份認證通過的情況下,身份認證服務器給目標使用者分配第一令牌,在第二服務器對目標使用者的身份認證通過的情況下,第二服務器給目標使用者分配第二令牌。第一令牌可以為目標使用者已通過身份認證服務器的身份認證的憑證,第二令牌可以為目標使用者已通過第二服務器的身份認證的憑證。憑藉第一令牌和第二令牌可以在免登錄的情況下獲取任意第一機構的服務。 That is to say, the user can complete two authentications through two login operations, and can obtain the services of the first institution without login. There may be multiple first institutions. Specifically, the identity authentication server and the second server may respectively perform identity authentication on the target user, and when the identity authentication server passes the identity authentication of the target user, the identity authentication server assigns the first token to the target user, When the second server passes the identity authentication of the target user, the second server allocates the second token to the target user. The first token may be a credential that the target user has passed the identity authentication of the identity authentication server, and the second token may be the credential that the target user has passed the identity authentication of the second server. With the help of the first token and the second token, services of any first organization can be obtained without login.

如此,用戶只需通過兩次登錄操作,即可實現在免登錄的情況下獲取任意第一機構的服務,簡化了使用者操作過程,提升了用戶體驗。 In this way, the user only needs to log in twice to obtain the service of any first institution without logging in, which simplifies the user's operation process and improves the user experience.

In some embodiments, before S210 above, the method may further include:

receiving user identity information corresponding to the target user, collected by the client;

authenticating the target user according to the user identity information;

if the authentication passes, assigning the first token to the target user, sending the first token to the client, and uploading the first token to the blockchain.

Here, before the service request for the first institution sent by the client is received, the target user needs to be authenticated twice: once by the identity authentication server and once by the second server.

The identity authentication server may receive the user identity information of the target user and authenticate the target user based on it; if the authentication passes, it assigns the first token to the target user, sends the first token to the client, and uploads the first token to the blockchain. The user identity information may be information that uniquely determines the identity of the target user, for example the information the target user fills in when performing real-name authentication at the client, and it can be used to authenticate the target user. Assigning the first token to the target user and sending it to the client allows the target user to prove, by means of the first token, that the target user has passed the identity authentication of the identity authentication server. Uploading the first token to the blockchain allows both the first server and the second server to receive the first token, so that the first server and the second server can determine from the first token whether the target user has passed the identity authentication of the identity authentication server.

In some specific examples, after the target user logs in to the client with a user name and password, the user may enter user identity information for real-name authentication; the identity authentication server receives the user identity information and performs real-name authentication, that is, identity authentication, of the target user according to it. After the authentication passes, it may assign the first token to the target user, send the first token to the client, and upload the first token to the blockchain.

In this way, the target user is authenticated by means of the user identity information, and if the authentication passes the target user is assigned the first token, the first token is sent to the client, and the first token is uploaded to the blockchain. This allows the target user to prove with the first token that the target user has passed the identity authentication of the identity authentication server, and allows the first server and the second server to determine from the first token whether the target user has passed the identity authentication of the identity authentication server.

In some embodiments, in S220, since the plurality of servers also uploaded the tokens to the blockchain when assigning them to the target user, the blockchain also stores the plurality of tokens; matching the plurality of tokens included in the service request against the tokens stored in the blockchain can therefore determine whether the target user is an authenticated user. Here, an authenticated user may be a user who has passed the identity authentication of both the identity authentication server and the second server.

In some embodiments, S220 above may include:

matching the second token against the tokens stored in the blockchain;

if a token matching the second token exists in the blockchain, obtaining the user identity information corresponding to the first token, determining the second institution that assigned the second token, and obtaining the user identity information corresponding to the second token from the second server corresponding to that second institution;

comparing the user identity information corresponding to the first token with the user identity information corresponding to the second token;

if the user identity information matches, determining that the target user is an authenticated user;

if no token matching the second token exists in the blockchain, or the user identity information does not match, determining that the target user is not an authenticated user.

Here, the second token assigned by the second server is first matched against the tokens stored in the blockchain. If no token matching the second token exists in the blockchain, it can be determined that the target user is not an authenticated user; if a matching token exists, whether the target user is an authenticated user can be further determined by comparing the user identity information.

Specifically, the user identity information corresponding to the first token and the user identity information corresponding to the second token may be obtained first. Since the first token was assigned by the identity authentication server after it received the user identity information and the authentication passed, the identity authentication server stores the user identity information corresponding to the first token and can obtain it directly. The second token, however, was assigned by the second server of the second institution after it received the user identity information and the authentication passed, so the user identity information corresponding to the second token is stored in the second server; the second institution that assigned the second token must therefore be determined first, and the user identity information corresponding to the second token is then obtained from the second server of that institution. The second token may carry the identifier of the second institution, so the second institution that assigned it can be determined from the second token.

Then, by comparing the user identity information corresponding to the first token with that corresponding to the second token, it can be judged whether the target user initiating the service request is an impostor carrying another user's token. If the user identity information matches, the target user is determined to be an authenticated user; if it does not match, the target user is determined not to be an authenticated user.

In some specific examples, the identity authentication server matches token A, that is, the second token, against the tokens stored in the blockchain. If no token matching token A exists in the blockchain, the target user is determined not to be an authenticated user. If a token matching token A exists, the user identity information corresponding to token B, that is, the first token, is obtained; institution a, that is, the second institution that assigned token A, is parsed out of token A, and the user identity information corresponding to token A is obtained from institution a. The user identity information corresponding to token A is then compared with that corresponding to token B: if they match, the target user is determined to be an authenticated user; if they do not match, the target user is determined not to be an authenticated user.

In this way, whether the target user is an authenticated user is determined by judging whether a token matching the second token exists in the blockchain and whether the user identity information corresponding to the first token is consistent with that corresponding to the second token. These two judgements together determine whether the target user is an authenticated user, which improves the security of user login.

In some embodiments, the second token may be a token obtained by the institution server of the second institution encrypting, with the public key of the identity authentication server, the original token assigned to the target user. In that case, matching the second token against the tokens stored in the blockchain may include:

decrypting the second token with the public key to obtain the original token;

matching the original token against the tokens stored in the blockchain;

and determining the second institution that assigned the second token may include:

determining the second institution that assigned the second token according to the original token.

Here, to keep the user information held by each institution secure and to prevent one institution from obtaining user information from other institutions by forging their tokens, the original token assigned to the target user can be encrypted with the public key of the identity authentication server to obtain the second token.

Since the identity authentication server needs to parse out of the second token the second institution that assigned it, it needs to decrypt the second token with the public key to obtain the original token, and then determine the second institution that assigned the second token according to the original token.

In some specific examples, the identity authentication server can decrypt token A with the public key to obtain original token C, parse the institution identifier out of original token C, and determine from that identifier institution a, to which token A corresponds.

In this way, encrypting the original token prevents one institution from obtaining user information from other institutions by forging their tokens once the encrypted second token has been uploaded to the blockchain, which keeps each institution's information secure.

In some embodiments, in S230, the first institution may be the institution whose service the user wants to obtain. If the identity authentication server determines that the target user is an authenticated user, it may forward the service request to the first server corresponding to the first institution, so that the first server responds to the service request. Both the first institution and the second institution may be banks. The service request may be a request to query the transaction history of an account at the first institution, a request to query the account balance or bank card number, or of course any other request, which is not limited here.

In some embodiments, after S230 above, the method may further include:

receiving an identity information acquisition request sent by the first server;

in response to the identity information acquisition request, sending the user identity information corresponding to the target user to the first server, so that the first server responds to the service request according to the user identity information and generates response information;

receiving the response information returned by the first server;

forwarding the response information to the client.

Here, after the target user is determined to be an authenticated user and the service request is forwarded to the first server, the first server needs to generate the response information according to the user identity information, so it needs to send an identity information acquisition request to the identity authentication server. On receiving the identity information acquisition request, the identity authentication server responds to it by sending the user identity information corresponding to the target user to the first server; the first server responds to the service request according to the user identity information, generates the response information and sends it to the identity authentication server, which forwards the response information to the client for display to the target user.

In some specific examples, after the identity authentication server determines that the target user is an authenticated user, it forwards a service request to query the account balance to the first server. The first server sends the identity authentication server an identity information acquisition request for the user identity information of the target user. On receiving the identity information acquisition request, the identity authentication server responds to it by sending the user identity information corresponding to the target user to the first server. The first server responds to the service request according to the user identity information and generates response information such as "account balance: 3500", then sends the response information to the identity authentication server, which forwards the response information to the client for display to the target user.

In this way, the above process obtains the service of the first server without logging in to the service platform corresponding to the first institution, which simplifies the user's operations.

Fig. 3 shows a schematic flowchart of an embodiment of the identity authentication method provided by the present invention. This identity authentication method can be applied to the first server.

As shown in Fig. 3, the identity authentication method may specifically include the following steps:

S310: receiving a service request forwarded by the identity authentication server, where the service request includes a plurality of tokens, the plurality of tokens are tokens assigned to the target user by a plurality of servers after each of them has authenticated the target user and the authentication passed, and the target user is the user logged in at the client that sent the service request to the identity authentication server;

S320: matching the plurality of tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user;

S330: responding to the service request if the target user is determined to be an authenticated user.

Thus, after the service request forwarded by the identity authentication server is received, the tokens included in the service request, which were assigned to the target user after the plurality of servers each authenticated the target user, are matched against the tokens stored in the blockchain to determine whether the target user is an authenticated user, and the service request is responded to if so. Because the plurality of servers have authenticated the identity of the target user, the user is given a reliable identity endorsement, and because the blockchain is used to share the tokens assigned to the target user after passing identity authentication, the user's authentication result can be shared with other institutions on the chain. The first server can therefore respond to the client's service request without the user logging in to the service platform of the first institution. This reduces the number of logins a user needs to obtain services from different institutions while maintaining business security, saves network resources and simplifies the user's operations.

The specific implementation of each of the above steps is described below.

In some embodiments, in S310, after determining that the target user is an authenticated user, the identity authentication server forwards the service request to the first server, and the first server receives the service request forwarded by the identity authentication server.

In some embodiments, the plurality of servers may include the identity authentication server and a second server corresponding to a second institution, and the plurality of tokens may include a first token assigned by the identity authentication server and a second token assigned by the second server.

That is, the user completes two identity verifications through two login operations and can then obtain the services of the first institution without logging in again. There may be more than one first institution. Specifically, the identity authentication server and the second server may each authenticate the target user: when the identity authentication server's authentication of the target user passes, the identity authentication server assigns the first token to the target user, and when the second server's authentication of the target user passes, the second server assigns the second token to the target user. The first token may be the credential that the target user has passed the identity authentication of the identity authentication server, and the second token may be the credential that the target user has passed the identity authentication of the second server. With the first token and the second token, the services of any first institution can be obtained without logging in.

In this way, the user only needs two login operations to obtain the services of any first institution without further logins, which simplifies the user's operations and improves the user experience.

In some embodiments, in S320, after the identity authentication server has completed authentication of the target user, the first server also needs to authenticate the target user. Because the plurality of servers also uploaded the tokens to the blockchain when assigning them to the target user, the blockchain also stores the plurality of tokens. After receiving the service request forwarded by the identity authentication server, the first server can determine whether the target user is an authenticated user by matching the plurality of tokens included in the service request, that is, the first token and the second token, against the tokens stored in the blockchain.

In some embodiments, S320 above may include:

matching the first token and the second token respectively against the tokens stored in the blockchain;

if a token matching the first token and a token matching the second token both exist in the blockchain, determining that the target user is an authenticated user;

if no token matching the first token, or no token matching the second token, exists in the blockchain, determining that the target user is not an authenticated user.

Here, if both a token matching the first token and a token matching the second token exist in the blockchain, the target user can be determined to be an authenticated user; if no token matching the first token or no token matching the second token exists in the blockchain, the target user can be determined not to be an authenticated user.

In this way, the above process lets the first server confirm whether the target user is an authenticated user, and thus whether to respond to the target user's service request.

In some embodiments, in S330, if the target user is an authenticated user, the service request is responded to. For the explanation of authenticated users and service requests, see the corresponding descriptions in the foregoing embodiments, which for brevity are not repeated here.

In some embodiments, S330 above may include:

sending an identity information acquisition request to the identity authentication server;

receiving the user identity information corresponding to the target user sent by the identity authentication server;

responding to the service request according to the user identity information and generating response information;

sending the response information to the identity authentication server, so that the identity authentication server forwards the response information to the client.

Here, reference may be made to the corresponding descriptions in the foregoing embodiments, which for brevity are not repeated.

Fig. 4 shows a schematic flowchart of an embodiment of the identity authentication method provided by the present invention. This identity authentication method can be applied to the second server.

As shown in Fig. 4, the identity authentication method may specifically include the following steps:

S410: receiving user identity information corresponding to the target user, collected by the client;

S420: authenticating the target user according to the user identity information;

S430: if the authentication passes, assigning a second token to the target user, sending the second token to the client, and uploading the second token to the blockchain, so that the servers of other institutions can determine from a plurality of tokens including the second token whether the target user is an authenticated user.

Thus, by receiving the user identity information corresponding to the target user collected by the client and authenticating the target user according to it, and, if the authentication passes, assigning the second token to the target user, sending the second token to the client and uploading the second token to the blockchain, the servers of other institutions can determine from a plurality of tokens including the second token whether the target user is an authenticated user. The servers of other institutions can therefore respond to the client's service requests without the user logging in to those institutions' service platforms. This reduces the number of logins a user needs to obtain services from different institutions while maintaining business security, saves network resources and simplifies the user's operations.

The specific implementation of each of the above steps is described below.

In some embodiments, in S410, S420 and S430, before the service request for the first institution sent by the client is received, the target user needs to be authenticated twice: once by the identity authentication server and once by the second server.

The second server may receive the user identity information of the target user and authenticate the target user based on it; if the authentication passes, it assigns the second token to the target user, sends the second token to the client, and uploads the second token to the blockchain. The user identity information may be information that uniquely determines the identity of the target user, for example the information the target user fills in when performing real-name authentication at the client, and it can be used to authenticate the target user. Assigning the second token to the target user and sending it to the client allows the target user to prove, by means of the second token, that the target user has passed the identity authentication of the second server. Uploading the second token to the blockchain allows the servers of other institutions to determine from a plurality of tokens including the second token whether the target user is an authenticated user.

In some specific examples, after the target user logs in to the client with a user name and password, the user may enter user identity information for real-name authentication; the second server receives the user identity information and performs real-name authentication, that is, identity authentication, of the target user according to it. After the authentication passes, it may assign the second token to the target user, send the second token to the client, and upload the second token to the blockchain.

In some embodiments, S430 above may specifically include:

assigning an original token to the target user;

encrypting the original token with the public key of the identity authentication server to obtain the second token.

Here, to keep the user information held by each institution secure and to prevent one institution from obtaining user information from other institutions by forging their tokens, the original token assigned to the target user can be encrypted with the public key of the identity authentication server to obtain the second token.

In some specific examples, the second server may assign token C, that is, the original token, to the target user, and encrypt token C with the public key of the identity authentication server to obtain token A, that is, the second token.

In this way, encrypting the original token prevents one institution from obtaining user information from other institutions by forging their tokens once the encrypted second token has been uploaded to the blockchain, which keeps each institution's information secure.
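The following Go program is an added example, not code from the patent or from China UnionPay: it models the relay's S220 check in its encrypted-token variant, the first server's S320 check and the second server's S430 issuance, and shows why the identity comparison rejects a genuine second token that belongs to a different user. Assumptions: an in-memory map stands in for the blockchain and holds the first token and the encrypted second token; the original token carries the institution identifier as a prefix; the second server encrypts it with RSA-OAEP to the identity authentication server's public key and the server decrypts with its private key (the patent text says the public key); user identity information is a plain string.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Ledger is a constructed in-memory stand-in for the patent's blockchain.
type Ledger struct{ entries map[string]bool }
func NewLedger() *Ledger              { return &Ledger{entries: map[string]bool{}} }
func (l *Ledger) Upload(tok string)   { l.entries[tok] = true }
func (l *Ledger) Has(tok string) bool { return l.entries[tok] }
func randomHex() string {
	buf := make([]byte, 16)
	_, _ = rand.Read(buf) // crypto/rand is treated as infallible in this demo
	return fmt.Sprintf("%x", buf)
}

// Institution is a second server (e.g. a bank): it keeps the identity behind
// each original token and publishes only the encrypted second token (S430).
type Institution struct {
	ID       string
	identity map[string]string // original token -> user identity information
}
// IssueSecondToken assigns an original token carrying the institution id, encrypts
// it to the authentication server's key (RSA-OAEP is an assumption) and uploads it.
func (inst *Institution) IssueSecondToken(pub *rsa.PublicKey, identity string, ledger *Ledger) (string, error) {
	original := inst.ID + ":" + randomHex()
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(original), nil)
	if err != nil {
		return "", err
	}
	inst.identity[original] = identity
	ledger.Upload(string(ct)) // the chain holds only the encrypted form
	return string(ct), nil
}
// AuthServer is the identity authentication server: it issues first tokens
// and, acting as the relay, verifies service requests (S220).
type AuthServer struct {
	priv         *rsa.PrivateKey
	identity     map[string]string       // first token -> user identity information
	institutions map[string]*Institution // institution id -> its server
}
func NewAuthServer() *AuthServer {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // demo: does not fail with rand.Reader
	return &AuthServer{priv, map[string]string{}, map[string]*Institution{}}
}
func (a *AuthServer) PublicKey() *rsa.PublicKey { return &a.priv.PublicKey }
func (a *AuthServer) NewInstitution(id string) *Institution { // register a second institution
	inst := &Institution{ID: id, identity: map[string]string{}}
	a.institutions[id] = inst
	return inst
}
func (a *AuthServer) IssueFirstToken(identity string, ledger *Ledger) string { // after real-name auth passed
	first := "auth:" + randomHex()
	a.identity[first] = identity
	ledger.Upload(first)
	return first
}

// Verify is S220: the second token must be on the ledger, and the identity behind
// the first token must equal the one the issuing institution holds for the second
// token, so a genuine token that belongs to another user fails the second check.
func (a *AuthServer) Verify(first, second string, ledger *Ledger) (bool, error) {
	if !ledger.Has(second) {
		return false, errors.New("second token not on ledger")
	}
	idFirst, ok := a.identity[first]
	if !ok {
		return false, errors.New("first token not issued by this server")
	}
	original, err := rsa.DecryptOAEP(sha256.New(), nil, a.priv, []byte(second), nil)
	if err != nil {
		return false, err
	}
	inst := a.institutions[strings.SplitN(string(original), ":", 2)[0]]
	if inst == nil || inst.identity[string(original)] != idFirst {
		return false, errors.New("issuer unknown or identity behind the two tokens differs")
	}
	return true, nil
}
// FirstServerCheck is S320: the serving institution needs both tokens on the ledger.
func FirstServerCheck(first, second string, ledger *Ledger) bool {
	return ledger.Has(first) && ledger.Has(second)
}

func main() {
	ledger, auth := NewLedger(), NewAuthServer()
	bank := auth.NewInstitution("bank-b")
	first := auth.IssueFirstToken("alice", ledger)
	mine, _ := bank.IssueSecondToken(auth.PublicKey(), "alice", ledger)
	theirs, _ := bank.IssueSecondToken(auth.PublicKey(), "mallory", ledger)
	fmt.Println(auth.Verify(first, mine, ledger))   // true <nil>
	fmt.Println(auth.Verify(first, theirs, ledger)) // false issuer unknown or identity behind the two tokens differs
}
```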

To describe the overall scheme more fully, a specific example is given based on the embodiments above.

As shown in Figure 5, the target user logs in on the client by entering the user name and password registered with the identity authentication server and enters user identity information for real-name authentication. After receiving the user identity information, the identity authentication server authenticates the target user according to it; if authentication passes, it assigns a first token to the target user, sends the first token to the client, and uploads the first token to the blockchain.

The target user then selects the second institution on the client, which jumps to the login interface of the second institution. The target user logs in by entering the user name and password registered with the second server and enters user identity information for real-name authentication. After receiving the user identity information, the second server authenticates the target user according to it; if authentication passes, it assigns a second token to the target user, sends the second token to the client, and uploads the second token to the blockchain. This second token is an encrypted token.

After the two authentications above have been completed, the target user can send a service request for the first institution to the identity authentication server through the client. The identity authentication server matches the second token against the tokens stored in the blockchain; if the blockchain contains a token matching the second token, it obtains the user identity information corresponding to the first token and the user identity information corresponding to the second token, compares the two, and, if they match, determines that the target user is an authenticated user. Having determined that the target user is an authenticated user, the identity authentication server forwards the service request to the first server corresponding to the first institution. The first server matches the first token and the second token respectively against the tokens stored in the blockchain; if the blockchain contains both a token matching the first token and a token matching the second token, it determines that the target user is an authenticated user. The first server then sends an identity information acquisition request to the identity authentication server, which responds by sending the user identity information corresponding to the target user to the first server. The first server responds to the service request according to the user identity information, generates response information, and sends it to the identity authentication server, which forwards the response information to the client for display to the user.
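The Figure 5 flow and the token encryption described above, as an added simulation that is not part of the patent: the identity authentication server issues the first token, a second institution's server issues an original token, encrypts it under the authentication server's public key and uploads the result to a shared ledger, and the authentication server then vets a service request by matching the ledger and comparing identity records, with the first server repeating its own two-token ledger check. It assumes textbook RSA over constructed Mersenne primes as the public-key scheme, an in-memory set as the blockchain, an `<org id>:<nonce>` format for the original token so that the issuing institution can be recovered from it, and decryption with the authentication server's private key (the counterpart of the public key the text names); all class and function names are hypothetical.

```python
import os

# Constructed keys: two Mersenne primes give a ~196-bit textbook-RSA modulus, ample
# for the 21-byte tokens below. Illustration only: no padding, not a production cipher.
_P, _Q, _E = (1 << 89) - 1, (1 << 107) - 1, 65537


def rsa_keypair():
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))  # 65537 is coprime with phi(n) for these primes
    return (n, _E), (n, d)


def rsa_encrypt(pub, plaintext: bytes) -> int:
    n, e = pub
    return pow(int.from_bytes(plaintext, "big"), e, n)


def rsa_decrypt(priv, ciphertext: int) -> bytes:
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


class Ledger:  # stand-in for the blockchain: a token store every participating server can read
    def __init__(self):
        self._tokens = set()

    def upload(self, token: str):
        self._tokens.add(token)

    def contains(self, token: str) -> bool:
        return token in self._tokens


class IdentityAuthServer:
    """Issues the first token and vets service requests aimed at the first institution."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.pub, self._priv = rsa_keypair()
        self.identities = {}     # first token -> identity record it was issued for
        self._institutions = {}  # institution id -> server, for identity look-ups

    def register_institution(self, server):
        self._institutions[server.org_id] = server

    def authenticate(self, identity: dict) -> str:
        # Real-name verification itself is out of scope here; assume it passed.
        token = "AUTH:" + os.urandom(16).hex()  # first token, constructed format
        self.identities[token] = identity
        self.ledger.upload(token)
        return token

    def is_authenticated(self, first_token: str, second_token: str) -> bool:
        """First matching module: ledger match, then identity-record comparison."""
        if not self.ledger.contains(second_token):
            return False                                   # no matching token on the chain
        try:
            raw = rsa_decrypt(self._priv, int(second_token, 16))  # recover original token
        except ValueError:
            return False                                   # not a ciphertext at all
        issuer = self._institutions.get(raw.split(b":", 1)[0].decode("ascii", "replace"))
        if issuer is None:
            return False                                   # cannot attribute the token
        expected = self.identities.get(first_token)
        return expected is not None and expected == issuer.identities.get(raw)


class InstitutionServer:
    """A participating institution: second server when issuing, first server when serving."""
    def __init__(self, org_id: str, ledger: Ledger, auth_pub):
        self.org_id, self.ledger, self.auth_pub = org_id, ledger, auth_pub
        self.identities = {}  # original token -> identity record

    def authenticate(self, identity: dict) -> str:
        # Original token C, constructed format "<org id>:<16 hex nonce>" (21 bytes).
        raw = f"{self.org_id}:{os.urandom(8).hex()}".encode()
        self.identities[raw] = identity
        second = format(rsa_encrypt(self.auth_pub, raw), "x")  # token A, goes on the chain
        self.ledger.upload(second)
        return second

    def serve(self, first_token: str, second_token: str, auth: IdentityAuthServer):
        # First server's own check: both tokens must be on the chain before it answers.
        if not (self.ledger.contains(first_token) and self.ledger.contains(second_token)):
            return None
        identity = auth.identities.get(first_token)  # identity information request
        return None if identity is None else f"{self.org_id}: hello {identity['name']}"


def run_scenario():
    """Alice logs in at the authentication server and ORG2, then asks ORG1 for service."""
    ledger = Ledger()
    auth = IdentityAuthServer(ledger)
    org1, org2 = (InstitutionServer(o, ledger, auth.pub) for o in ("ORG1", "ORG2"))
    auth.register_institution(org1)
    auth.register_institution(org2)
    alice = {"name": "Alice", "id_number": "A000001"}  # constructed identity record
    first, second = auth.authenticate(alice), org2.authenticate(alice)
    ok = auth.is_authenticated(first, second)
    return {"authenticated": ok, "reply": org1.serve(first, second, auth) if ok else None}
```

A token that is on the ledger but was issued for a different identity record, or by an institution the authentication server does not know, is rejected even though it matches the chain, which is the check the identity comparison adds on top of the ledger match.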

On this basis, since multiple servers have authenticated the identity of the target user, the user has a reliable identity endorsement; and because the blockchain is used to share the tokens assigned to the target user after authentication passed, the user's authentication result can be shared with the other institutions on the chain. The first server can therefore respond to the client's service request without the user having to log in to the service platform of the first institution. This reduces the number of logins a user needs in order to obtain services from different institutions while maintaining business security, saving network resources and simplifying the user's operations.

It should be noted that the application scenarios described in the above embodiments of the present invention are given to illustrate the technical solutions of the embodiments more clearly and do not limit the technical solutions provided by the embodiments. Those of ordinary skill in the art will appreciate that, as new application scenarios emerge, the technical solutions provided by the embodiments of the present invention apply equally to similar technical problems.

Based on the same inventive concept, the present invention also provides an identity authentication device, described in detail with reference to Figure 6.

Figure 6 is a schematic structural diagram of an embodiment of the identity authentication device provided by the present invention. This identity authentication device can be applied to the identity authentication server.

As shown in Figure 6, the identity authentication device 600 may include:

a first receiving module 601, configured to receive a service request for the first institution sent by the client, where the service request includes multiple tokens, each assigned to the target user by one of multiple servers after that server authenticated the target user and the authentication passed, and the target user is the user logged in on the client;

a first matching module 602, configured to match the multiple tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user;

a request forwarding module 603, configured to forward the service request to the first server corresponding to the first institution when the target user is determined to be an authenticated user, so that the first server responds to the service request.

The identity authentication device 600 is described in detail below.

In some of these embodiments, the multiple servers include the identity authentication server and a second server corresponding to a second institution, and the multiple tokens include a first token assigned by the identity authentication server and a second token assigned by the second server.

In some of these embodiments, the identity authentication device 600 further includes:

a fourth receiving module, configured to receive, before the service request for the first institution is received from the client, the user identity information corresponding to the target user collected by the client;

a second identity authentication module, configured to authenticate the target user according to the user identity information;

a second token assignment module, configured to, when authentication passes, assign the first token to the target user, send the first token to the client, and upload the first token to the blockchain.

In some of these embodiments, the first matching module 602 includes:

a first matching submodule, configured to match the second token against the tokens stored in the blockchain;

an acquisition submodule, configured to, when the blockchain contains a token matching the second token, obtain the user identity information corresponding to the first token, determine the second institution that assigned the second token, and obtain the user identity information corresponding to the second token from the second server corresponding to that second institution;

a comparison submodule, configured to compare the user identity information corresponding to the first token with the user identity information corresponding to the second token;

a first determination submodule, configured to determine that the target user is an authenticated user when the two sets of user identity information match;

a second determination submodule, configured to determine that the target user is not an authenticated user when the blockchain contains no token matching the second token or the user identity information does not match.

In some of these embodiments, the second token is obtained by the institution server of the second institution encrypting the original token assigned to the target user with the public key of the identity authentication server, and the first matching submodule includes:

a decryption unit, configured to decrypt the second token using the public key to obtain the original token;

a matching unit, configured to match the original token against the tokens stored in the blockchain;

and the acquisition submodule includes:

a determination unit, configured to determine, from the original token, the second institution that assigned the second token.

In some of these embodiments, the identity authentication device 600 further includes:

a fifth receiving module, configured to receive an identity information acquisition request sent by the first server after the service request has been forwarded to the first server corresponding to the first institution;

a sending module, configured to send, in response to the identity information acquisition request, the user identity information corresponding to the target user to the first server, so that the first server responds to the service request according to the user identity information and generates response information;

a sixth receiving module, configured to receive the response information returned by the first server;

a response information forwarding module, configured to forward the response information to the client.

Thus, on receiving a service request for the first institution from the client, the identity authentication server uses the tokens contained in the request, each assigned to the target user by one of multiple servers after authenticating the target user, and matches them against the tokens stored in the blockchain to determine whether the target user is an authenticated user; if so, it forwards the service request to the first server corresponding to the first institution, so that the first server can respond to the client's service request without the user logging in to the service platform of the first institution. In this way, since multiple servers have authenticated the identity of the target user, the user has a reliable identity endorsement; and because the blockchain is used to share the tokens assigned to the target user after authentication passed, the user's authentication result can be shared with the other institutions on the chain, allowing the first server to respond to the client's service request without the user logging in to the service platform of the first institution. This reduces the number of logins a user needs in order to obtain services from different institutions while maintaining business security, saving network resources and simplifying the user's operations.

Figure 7 is a schematic structural diagram of an embodiment of the identity authentication device provided by the present invention. This identity authentication device can be applied to the first server.

As shown in Figure 7, the identity authentication device 700 may include:

a second receiving module 701, configured to receive a service request forwarded by the identity authentication server, where the service request includes multiple tokens, each assigned to the target user by one of multiple servers after that server authenticated the target user and the authentication passed, and the target user is the user logged in on the client that sent the service request to the identity authentication server;

a second matching module 702, configured to match the multiple tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user;

a service response module 703, configured to respond to the service request when the target user is determined to be an authenticated user.

The identity authentication device 700 is described in detail below.

In some of these embodiments, the multiple servers include the identity authentication server and a second server corresponding to a second institution, and the multiple tokens include a first token assigned by the identity authentication server and a second token assigned by the second server.

In some of these embodiments, the second matching module 702 includes:

a second matching submodule, configured to match the first token and the second token respectively against the tokens stored in the blockchain;

a third determination submodule, configured to determine that the target user is an authenticated user when the blockchain contains both a token matching the first token and a token matching the second token;

a fourth determination submodule, configured to determine that the target user is not an authenticated user when the blockchain contains no token matching the first token or no token matching the second token.

In some of these embodiments, the service response module 703 includes:

a first sending submodule, configured to send an identity information acquisition request to the identity authentication server;

a receiving submodule, configured to receive the user identity information corresponding to the target user sent by the identity authentication server;

a generation submodule, configured to respond to the service request according to the user identity information and generate response information;

a second sending submodule, configured to send the response information to the identity authentication server, so that the identity authentication server forwards the response information to the client.

Thus, after receiving the service request forwarded by the identity authentication server, the first server uses the tokens contained in the request, each assigned to the target user by one of multiple servers after authenticating the target user, and matches them against the tokens stored in the blockchain to determine whether the target user is an authenticated user; if so, it responds to the service request. Since multiple servers have authenticated the identity of the target user, the user has a reliable identity endorsement; and because the blockchain is used to share the tokens assigned to the target user after authentication passed, the user's authentication result can be shared with the other institutions on the chain, allowing the first server to respond to the client's service request without the user logging in to the service platform of the first institution. This reduces the number of logins a user needs in order to obtain services from different institutions while maintaining business security, saving network resources and simplifying the user's operations.

Figure 8 is a schematic structural diagram of an embodiment of the identity authentication device provided by the present invention. This identity authentication device can be applied to the second server.

As shown in Figure 8, the identity authentication device 800 may include:

a third receiving module 801, configured to receive the user identity information corresponding to the target user collected by the client;

a first identity authentication module 802, configured to authenticate the target user according to the user identity information;

a first token assignment module 803, configured to, when authentication passes, assign a second token to the target user, send the second token to the client, and upload the second token to the blockchain, so that the servers of other institutions can determine, from multiple tokens including the second token, whether the target user is an authenticated user.

The identity authentication device 800 is described in detail below.

In some of these embodiments, the first token assignment module 803 includes:

an assignment submodule, configured to assign an original token to the target user;

an encryption submodule, configured to encrypt the original token with the public key of the identity authentication server to obtain the second token.

Thus, by receiving the user identity information corresponding to the target user collected by the client, authenticating the target user according to that information and, when authentication passes, assigning a second token to the target user, sending the second token to the client and uploading the second token to the blockchain, the servers of other institutions can determine from multiple tokens including the second token whether the target user is an authenticated user, and can therefore respond to the client's service request without the user logging in to their service platforms. This reduces the number of logins a user needs in order to obtain services from different institutions while maintaining business security, saving network resources and simplifying the user's operations.

Figure 9 is a schematic diagram of the hardware structure of an embodiment of the electronic device provided by the present invention.

The electronic device 900 may include a processor 901 and a memory 902 storing computer program instructions.

Specifically, the processor 901 may include a central processing unit (CPU) or an application-specific integrated circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present invention.

The memory 902 may include mass storage for data or instructions. By way of example and not limitation, the memory 902 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disc, a magneto-optical disc, magnetic tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Where appropriate, the memory 902 may include removable or non-removable (or fixed) media. Where appropriate, the memory 902 may be internal or external to the integrated gateway disaster recovery device. In a particular embodiment, the memory 902 is non-volatile solid-state memory.

The memory may include read-only memory (ROM), random access memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, and electrical, optical or other physical/tangible memory storage devices. Thus, in general, the memory includes one or more tangible (non-transitory) computer-readable storage media (for example, memory devices) encoded with software comprising computer-executable instructions which, when executed (for example, by one or more processors), are operable to perform the operations described with reference to the method according to an aspect of the present invention.

The processor 901 reads and executes the computer program instructions stored in the memory 902 to implement any of the identity authentication methods in the above embodiments.

In some examples, the electronic device 900 may further include a communication interface 903 and a bus 910. As shown in Figure 9, the processor 901, the memory 902 and the communication interface 903 are connected by the bus 904 and communicate with one another.

The communication interface 903 is mainly used to implement communication between the modules, devices, units and/or equipment in the embodiments of the present invention.

The bus 904 includes hardware, software or both, and couples the components of the online data traffic billing device to one another. By way of example and not limitation, the bus 904 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a Hyper-Threading (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), another suitable bus, or a combination of two or more of these. Where appropriate, the bus 904 may include one or more buses. Although the embodiments of the present invention describe and illustrate particular buses, the present invention contemplates any suitable bus or interconnect.

By way of example, the electronic device 900 may be a mobile phone, a tablet computer, a notebook computer, a palmtop computer, an in-vehicle electronic device, an ultra-mobile personal computer (UMPC), a netbook, a personal digital assistant (PDA) or the like.

The electronic device 900 can execute the identity authentication method in the embodiments of the present invention, thereby implementing the identity authentication method and device described in conjunction with Figure 1 and Figure 8.

In addition, in combination with the identity authentication method in the above embodiments, the embodiments of the present invention may provide a computer-readable storage medium. The computer-readable storage medium stores computer program instructions which, when executed by a processor, implement any of the identity authentication methods in the above embodiments. Examples of computer-readable storage media include non-transitory computer-readable storage media such as portable disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), portable compact disc read-only memory (CD-ROM), optical memory devices and magnetic memory devices.

需要明確的是,本發明並不局限於上文所描述並在圖中示出的特定配置和處理。為了簡明起見,這裡省略了對已知方法的詳細描述。在上述實施例中,描述和示出了若干具體的步驟作為示例。但是,本發明的方法過程並不限於所描述和示出的具體步驟,本領域的技術人員可以在領會本發明的精神後,作出各種改變、修改和添加,或者改變步驟之間的順序。 It is to be understood that the invention is not limited to the specific arrangements and processes described above and shown in the drawings. For conciseness, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method process of the present invention is not limited to the specific steps described and shown, and those skilled in the art can make various changes, modifications and additions, or change the sequence of steps after understanding the spirit of the present invention.

以上所述的結構框圖中所示的功能塊可以實現為硬體、軟體、固件或者它們的組合。當以硬體方式實現時,其可以例如是電子電路、專用積體電路(ASIC)、適當的固件、外掛程式、功能卡等等。當以軟體方式實現時,本發明的元素是被用於執行所需任務的程式或者程式碼片段。 程式或者程式碼片段可以存儲在機器可讀介質中,或者通過載波中攜帶的資料信號在傳輸介質或者通信鏈路上傳送。“機器可讀介質”可以包括能夠存儲或傳輸資訊的任何介質。機器可讀介質的例子包括電子電路、半導體記憶體設備、ROM、快閃記憶體、可擦除ROM(EROM)、軟碟、CD-ROM、光碟、硬碟、光纖介質、射頻(RF)鏈路,等等。程式碼片段可以經由諸如網際網路、內聯網等的電腦網路被下載。 The functional blocks shown in the structural block diagrams above can be realized as hardware, software, firmware or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an application specific integrated circuit (ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. Programs or program code segments may be stored on a machine-readable medium or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. "Machine-readable medium" may include any medium that can store or transmit information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links Road, wait. Code snippets may be downloaded via computer networks such as the Internet, Intranet, and the like.

還需要說明的是,本發明中提及的示例性實施例,基於一系列的步驟或者裝置描述一些方法或系統。但是,本發明不局限於上述步驟的順序,也就是說,可以按照實施例中提及的循序執行步驟,也可以不同於實施例中的順序,或者若干步驟同時執行。 It should also be noted that the exemplary embodiments mentioned in the present invention describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above steps, that is to say, the steps may be performed in the order mentioned in the embodiment, or may be different from the order in the embodiment, or several steps may be performed simultaneously.

上面參考根據本發明的實施例的方法、裝置(系統)和電腦程式產品的流程圖和/或框圖描述了本發明的各方面。應當理解,流程圖和/或框圖中的每個方框以及流程圖和/或框圖中各方框的組合可以由電腦程式指令實現。這些電腦程式指令可被提供給通用電腦、專用電腦、或其它可程式設計資料處理裝置的處理器,以產生一種機器,使得經由電腦或其它可程式設計資料處理裝置的處理器執行的這些指令使能對流程圖和/或框圖的一個或多個方框中指定的功能/動作的實現。這種處理器可以是但不限於是通用處理器、專用處理器、特殊應用處理器或者現場可程式設計邏輯電路。還可理解,框圖和/或流程圖中的每個方框以及框圖和/或流程圖中的方框的組合,也可以由執行指定的功能或動作的專用硬體來實現,或可由專用硬體和電腦指令的組合來實現。 Aspects of the present invention are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each block in the flowchart and/or block diagrams, and combinations of blocks in the flowchart and/or block diagrams can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing device to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing device make The function/action specified in one or more blocks of the flowchart and/or block diagram can be realized. Such processors may be, but are not limited to, general purpose processors, special purpose processors, application specific processors, or field programmable logic circuits. It can also be understood that each block in the block diagrams and/or flowcharts and combinations of blocks in the block diagrams and/or flowcharts can also be realized by dedicated hardware for performing specified functions or actions, or can be implemented by It is realized by a combination of special hardware and computer instructions.

The above are only specific embodiments of the present invention. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here. It should be understood that the protection scope of the present invention is not limited thereto; any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and all such modifications or substitutions shall fall within the protection scope of the present invention.

S210, S220, S230: steps

Claims (17)

1. An identity authentication method, applied to an identity authentication server, comprising: receiving a service request for a first institution sent by a client, wherein the service request includes a plurality of tokens, the plurality of tokens being tokens that a plurality of servers respectively assigned to a target user after each authenticated the target user and the authentication passed, the target user being the user logged in at the client; matching the plurality of tokens against tokens stored in a blockchain to determine whether the target user is an authenticated user; and, if the target user is determined to be an authenticated user, forwarding the service request to a first server corresponding to the first institution so that the first server responds to the service request.

2. The method of claim 1, wherein the plurality of servers comprises the identity authentication server and a second server corresponding to a second institution, and the plurality of tokens comprises a first token assigned by the identity authentication server and a second token assigned by the second server.

3. The method of claim 2, wherein, before receiving the service request for the first institution sent by the client, the method further comprises: receiving user identity information corresponding to the target user collected by the client; authenticating the target user according to the user identity information; and, if the authentication passes, assigning the first token to the target user, sending the first token to the client, and uploading the first token to the blockchain.

4. The method of claim 2, wherein matching the plurality of tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user comprises: matching the second token against the tokens stored in the blockchain; if a token matching the second token exists in the blockchain, obtaining the user identity information corresponding to the first token, determining the second institution that assigned the second token, and obtaining from the second server corresponding to the second institution the user identity information corresponding to the second token; comparing the user identity information corresponding to the first token with the user identity information corresponding to the second token; if the user identity information is consistent, determining that the target user is an authenticated user; and if no token matching the second token exists in the blockchain, or the user identity information is inconsistent, determining that the target user is not an authenticated user.

5. The method of claim 4, wherein the second token is a token obtained by the institution server of the second institution encrypting an original token assigned to the target user with the public key of the identity authentication server; matching the second token against the tokens stored in the blockchain comprises: decrypting the second token using the public key to obtain the original token, and matching the original token against the tokens stored in the blockchain; and determining the second institution that assigned the second token comprises: determining, from the original token, the second institution that assigned the second token.

6. The method of claim 1, wherein, after forwarding the service request to the first server corresponding to the first institution, the method further comprises: receiving an identity information acquisition request sent by the first server; in response to the identity information acquisition request, sending the user identity information corresponding to the target user to the first server so that the first server responds to the service request according to the user identity information and generates response information; receiving the response information returned by the first server; and forwarding the response information to the client.

7. An identity authentication method, applied to a first server, comprising: receiving a service request forwarded by an identity authentication server, wherein the service request includes a plurality of tokens, the plurality of tokens being tokens that a plurality of servers respectively assigned to a target user after each authenticated the target user and the authentication passed, the target user being the user logged in at the client that sent the service request to the identity authentication server; matching the plurality of tokens against tokens stored in a blockchain to determine whether the target user is an authenticated user; and, if the target user is determined to be an authenticated user, responding to the service request.

8. The method of claim 7, wherein the plurality of servers comprises the identity authentication server and a second server corresponding to a second institution, and the plurality of tokens comprises a first token assigned by the identity authentication server and a second token assigned by the second server.

9. The method of claim 8, wherein matching the plurality of tokens against the tokens stored in the blockchain to determine whether the target user is an authenticated user comprises: matching the first token and the second token respectively against the tokens stored in the blockchain; if a token matching the first token and a token matching the second token both exist in the blockchain, determining that the target user is an authenticated user; and if no token matching the first token, or no token matching the second token, exists in the blockchain, determining that the target user is not an authenticated user.

10. The method of claim 7, wherein responding to the service request comprises: sending an identity information acquisition request to the identity authentication server; receiving the user identity information corresponding to the target user sent by the identity authentication server; responding to the service request according to the user identity information and generating response information; and sending the response information to the identity authentication server so that the identity authentication server forwards the response information to the client.

11. An identity authentication method, applied to a second server, comprising: receiving user identity information corresponding to a target user collected by the client; authenticating the target user according to the user identity information; and, if the authentication passes, assigning a second token to the target user, sending the second token to the client, and uploading the second token to a blockchain so that servers of other institutions determine, from a plurality of tokens including the second token, whether the target user is an authenticated user.

12. The method of claim 11, wherein assigning the second token to the target user comprises: assigning an original token to the target user; and encrypting the original token with the public key of the identity authentication server to obtain the second token.

13. An identity authentication apparatus, applied to an identity authentication server, the apparatus comprising: a first receiving module for receiving a service request for a first institution sent by a client, wherein the service request includes a plurality of tokens, the plurality of tokens being tokens that a plurality of servers respectively assigned to a target user after each authenticated the target user and the authentication passed, the target user being the user logged in at the client; a first matching module for matching the plurality of tokens against tokens stored in a blockchain to determine whether the target user is an authenticated user; and a request forwarding module for forwarding, if the target user is determined to be an authenticated user, the service request to a first server corresponding to the first institution so that the first server responds to the service request.

14. An identity authentication apparatus, applied to a first server, the apparatus comprising: a second receiving module for receiving a service request forwarded by an identity authentication server, wherein the service request includes a plurality of tokens, the plurality of tokens being tokens that a plurality of servers respectively assigned to a target user after each authenticated the target user and the authentication passed, the target user being the user logged in at the client that sent the service request to the identity authentication server; a second matching module for matching the plurality of tokens against tokens stored in a blockchain to determine whether the target user is an authenticated user; and a service response module for responding to the service request if the target user is determined to be an authenticated user.

15. An identity authentication apparatus, applied to a second server, the apparatus comprising: a third receiving module for receiving user identity information corresponding to a target user collected by the client; a first identity authentication module for authenticating the target user according to the user identity information; and a first token assignment module for assigning, if the authentication passes, a second token to the target user, sending the second token to the client, and uploading the second token to a blockchain so that servers of other institutions determine, from a plurality of tokens including the second token, whether the target user is an authenticated user.

16. An electronic device, comprising a processor and a memory storing computer program instructions, wherein the processor, when executing the computer program instructions, implements the steps of the identity authentication method of any one of claims 1-6, 7-10 or 11-12.

17. A computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the steps of the identity authentication method of any one of claims 1-6, 7-10 or 11-12.
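The token issuance of claims 3 and 11, the identity authentication server's check of claim 4 and the first server's check of claim 9 can be modelled end to end. The block below is an added illustration, not code from the patent or its applicant; it assumes a token of the form "<issuer>:<hex>" (so the issuing institution is readable from the token), a plain set standing in for the blockchain, identity information as a dict, and it leaves out the public-key sealing of claim 5.

```python
"""Constructed model of the token checks in claims 3, 4 and 9 (not the patent's code).
Assumed here: a token is "<issuer>:<hex>" so its issuer can be read from it, the
blockchain is a plain set, identity info is a dict; claim 5's public-key sealing is omitted."""
import secrets
from typing import Dict, Optional

LEDGER = set()  # stand-in for the tokens stored in the blockchain


class InstitutionServer:
    """A server that authenticates a user and issues a token (claims 3 and 11)."""
    def __init__(self, name: str, registry: Dict[str, dict]):
        self.name = name
        self.registry = registry           # user_id -> identity info on file
        self.issued: Dict[str, dict] = {}  # token -> identity it was issued for

    def authenticate_and_issue(self, user_id: str, identity: dict) -> Optional[str]:
        if self.registry.get(user_id) != identity:
            return None                    # authentication failed: no token
        token = f"{self.name}:{secrets.token_hex(8)}"
        self.issued[token] = identity
        LEDGER.add(token)                  # "upload the token to the blockchain"
        return token

    def identity_for(self, token: str) -> Optional[dict]:
        return self.issued.get(token)


class IdentityAuthServer(InstitutionServer):
    """Claim 4: match the second token on-chain, then cross-check identities."""
    def __init__(self, registry: Dict[str, dict], peers: Dict[str, InstitutionServer]):
        super().__init__("auth", registry)
        self.peers = peers                 # institution name -> its server

    def is_authenticated(self, first_token: str, second_token: str) -> bool:
        if second_token not in LEDGER:     # unknown or forged second token
            return False
        own_identity = self.identity_for(first_token)
        issuer = self.peers.get(second_token.split(":", 1)[0])
        if own_identity is None or issuer is None:
            return False
        # The ledger only shows that some issuer authenticated someone; the
        # comparison below binds both tokens to the same person.
        return issuer.identity_for(second_token) == own_identity


def first_server_check(first_token: str, second_token: str) -> bool:
    """Claim 9: the first server only requires both tokens to exist on-chain."""
    return first_token in LEDGER and second_token in LEDGER


def demo() -> Dict[str, bool]:
    alice = {"name": "Alice Example", "id_number": "A000001"}  # constructed users
    bob = {"name": "Bob Example", "id_number": "B000002"}
    bank = InstitutionServer("bank", {"alice": alice, "bob": bob})
    auth = IdentityAuthServer({"alice": alice, "bob": bob}, {"bank": bank})
    t1, t2 = auth.authenticate_and_issue("alice", alice), bank.authenticate_and_issue("alice", alice)
    t2_bob = bank.authenticate_and_issue("bob", bob)
    return {"valid": auth.is_authenticated(t1, t2),
            "forged_second": auth.is_authenticated(t1, "bank:0000000000000000"),
            "identity_mismatch": auth.is_authenticated(t1, t2_bob),
            "first_server_valid": first_server_check(t1, t2),
            "bad_credentials_rejected": bank.authenticate_and_issue("bob", alice) is None}
```

The `identity_mismatch` case shows why claim 4 compares the identity information behind both tokens rather than stopping at the on-chain match: a second token that is genuinely on the ledger but was issued to a different person is still rejected.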
Applications Claiming Priority (2)

Application Number   Priority Date   Filing Date   Title
CN202210109179.9A    2022-01-28      2022-01-28    Identity authentication method, device, equipment and computer readable storage medium (CN114553432B)
TW111137392A         2022-01-28      2022-09-30    Identity authentication method, device, equipment and computer-readable storage medium (TWI843220B)

Publications (2)

Publication Number Publication Date
TW202331563A true TW202331563A (en) 2023-08-01
TWI843220B TWI843220B (en) 2024-05-21

Also Published As

Publication number Publication date
WO2023142437A1 (en) 2023-08-03
CN114553432A (en) 2022-05-27
CN114553432B (en) 2023-08-18

Similar Documents

Publication Publication Date Title
US10887275B2 (en) Token based network service among IoT applications
CN108684041B (en) System and method for login authentication
US10667135B2 (en) Dynamic policy-based on-boarding of devices in enterprise environments
US10050791B2 (en) Method for verifying the identity of a user of a communicating terminal and associated system
CN105577612B (en) Identity authentication method, third-party server, merchant server and user terminal
RU2676896C2 (en) Method and system related to authentication of users for accessing data networks
KR20170106515A (en) Multi-factor certificate authority
RU2008141288A (en) AUTHENTICATION FOR COMMERCIAL TRANSACTION WITH THE MOBILE MODULE
CN112543166B (en) Real name login method and device
CN115021958B (en) Mist calculation and blockchain fusion intelligent home identity authentication method and system
CN102893575A (en) One time passwords with ipsec and ike version 1 authentication
CN109815659A (en) Safety certifying method, device, electronic equipment and storage medium based on WEB project
WO2023142437A1 (en) Identity authentication method and apparatus, device, and computer readable storage medium
CN105323063A (en) Identity verification method of mobile terminal and fixed intelligent terminal based on two-dimensional code
CN110445751B (en) Distributed information sharing method and system based on re-encryption
US20240095729A1 (en) Methods and systems of using sub-domains to federate device credentials scoped to a common domain
JP2013008140A (en) Single sign-on system, single sign-on method and authentication server cooperation program
CN112084527A (en) Data storage and acquisition method, device, equipment and medium
CN116647345A (en) Method and device for generating permission token, storage medium and computer equipment
KR20170042137A (en) A authentication server and method thereof
CN112653676B (en) Identity authentication method and equipment crossing authentication system
CN111294315B (en) Block chain-based security authentication method, block chain-based security authentication device, block chain-based security authentication equipment and storage medium
CN113660089B (en) Tax payment user identity authentication method and device based on blockchain
CN108234136B (en) A kind of safety access method, terminal device and system
CN118101215A (en) U-shield login method, device, equipment and medium