WO2010072158A1 - Method, device and system for authenticating a user identity in a service chain - Google Patents

Method, device and system for authenticating a user identity in a service chain

Info

Publication number
WO2010072158A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
user
service chain
identity
service node
Prior art date
Application number
PCT/CN2009/075961
Other languages
English (en)
Chinese (zh)
Inventor
常恒
石晓旻
马其锋
陈维亮
王环
李彦
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2010072158A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • The present invention relates to the field of communications, and in particular to a user identity verification method, an identity identifier creation request method, a device, and a system.
  • Background Art
  • The Open Service Architecture (OSA) Parlay API was proposed to hide the complexity of the underlying telecommunication network protocols, so that third-party service developers can develop and use telecom network capabilities as services without mastering specialist telecommunication network knowledge.
  • In addition, with the rapid development of Web technologies, Service-oriented Architecture (SOA) has become a trend in the development of service systems. The externally exposed interface of a service is completely separated from its internal implementation, and different services call each other in a standard way to complete a specific piece of business logic. This is service composition.
  • Service composition refers to the integration of several existing services into a new service.
  • Service composition can be divided into a centralized mode and a distributed mode.
  • The centralized mode generally has a central composition engine, which calls each service in turn to compose them.
  • In the distributed mode there is no central composition engine; each service acts as a service node, and the service nodes call each other to form a call chain (called a service chain) that composes the services.
  • In a service chain, the preceding service node is the service requester and the following service node is the corresponding service provider.
  • One way of accessing a service today is anonymous access, that is, no authentication is required and any user can access the service.
  • Otherwise the service needs to authenticate the identity of the user, and the user is authorized to use the service only after the verification passes.
  • For a service chain, if the user has an account and a pair of login credentials on each service node, then when the user invokes the service chain, each service node in the chain needs to authenticate the account that calls it.
  • The user directly calls the first service node of the service chain through the user client, but once the chain is running, each following service node is called by the preceding service node rather than directly by the user's client.
  • In one prior approach, the user informs each service node in advance of the user's account and login credentials at the following service node, and the service node accesses the following node directly with that identity, that is, with the account and login credentials it has obtained.
  • This method can implement service chain authentication, but the process is very cumbersome: each service node needs to know the user's account and login credentials at the next service node, and during a call of the service chain the user needs different accounts and login credentials at different service nodes. Moreover, this method carries a serious security risk. Because the user must expose the account and login credentials to the service node, the service node can access the following service node as the user even outside a service chain call, which endangers the security of the user's use of the service.
  • In another prior approach, starting from the first service node of the chain, the user only informs each service node in advance of the user's account at the following service node, and the service node accesses the following service node with that account.
  • To authenticate the account, the following service node communicates directly with the user, and the user provides the login credentials directly to that service node.
  • This method reduces the security risk, because calling each service node ultimately requires the user to confirm the login credentials, so the user's service cannot be used illegally. However, each service node still needs to know the user's account at the next service node.
  • An embodiment of the present invention provides a user identity verification method, an identity identifier creation request method, a device, and a system, so that user identity verification can be implemented with a simple process.
  • In a user identity verification method in a service chain, the service node receives a service chain call request including a service chain user identity; sends a user identity resolution request to the service chain manager, where the request includes the service chain user identity and the service node identifier of the service node; and determines, according to the first identity resolution result information received from the service chain manager, that the user corresponding to the service chain user identity is authenticated. The first identity resolution result information includes the account number and login credential information of the user for accessing the service node.
  • Another user identity verification method in a service chain includes: receiving a user identity resolution request sent by a service node, where the request includes the service chain user identity and the service node identifier of the service node; querying, according to the service chain user identity and the service node identifier, the account with which the user corresponding to the service chain user identity accesses the service node, and obtaining the login credential information corresponding to the queried account; and sending the first identity resolution result information, including the account number and the login credential information, to the service node, so that the service node determines from it that the user corresponding to the service chain user identity is authenticated.
  • Another user identity verification method in a service chain includes: sending a service chain invocation request including a service chain user identity to a service node, so that the service node sends to the service chain manager a user identity resolution request including the service chain user identity and the service node identifier of the service node, and determines, according to the first identity resolution result information received from the service chain manager, that the user corresponding to the service chain user identity is authenticated. The first identity resolution result information includes the account number and login credential information of the user for accessing the service node.
  • A service node provided by an embodiment of the present invention includes: a receiving unit, configured to receive a service chain invocation request including a service chain user identity and to receive identity resolution result information sent by the service chain manager;
  • an identity resolution requesting unit, configured to send a user identity resolution request to the service chain manager, where the request includes the service chain user identity and the service node identifier of the service node; and
  • a verification result determining unit, configured to determine, according to the first identity resolution result information sent by the service chain manager and received by the receiving unit, that the user corresponding to the service chain user identity is authenticated, where the first identity resolution result information includes the account number and login credential information of the user for accessing the service node.
  • A service chain manager provided by an embodiment of the present invention includes: a receiving unit, configured to receive a user identity resolution request sent by a service node, where the request includes the service chain user identity and the service node identifier of the service node;
  • an identity resolution management unit, configured to query, according to the service chain user identity and the service node identifier, the account with which the user corresponding to the service chain user identity accesses the service node, and, when the account is found, to obtain the login credential information corresponding to the account; and
  • a sending unit, configured to send the first identity resolution result information to the service node, where the first identity resolution result information includes the account number and login credential information of the user for accessing the service node.
  • A service chain communication system provided by an embodiment of the present invention includes a plurality of service nodes constituting a service chain and a service chain manager, where:
  • the service node is configured to send a user identity resolution request to the service chain manager after receiving a service chain invocation request including a service chain user identity, where the request includes the service chain user identity and the service node identifier of the node, and, on receiving the first identity resolution result information sent by the service chain manager, to determine that the user corresponding to the service chain user identity is authenticated; the first identity resolution result information includes the account number and login credential information of the user for accessing the service node; and
  • the service chain manager is configured to, after receiving the user identity resolution request sent by the service node, obtain the account and login credential information of the user for accessing the service node according to the service chain user identity and the service node identifier, and send the first identity resolution result information to the service node.
  • In these embodiments, when a service node receives a call request made with a service chain user identity, it requests user identity resolution from the service chain manager, and when it obtains the user's account and login credentials at that service node from the manager, it determines that the user identity verification has passed. Because the verification is based on a single, unified service chain user identity and the identity resolution is performed centrally by the service chain manager, the process is simpler than in the prior art solutions.
  • FIG. 1 is a schematic flowchart of an embodiment of a method for user identity verification in a service chain according to an embodiment of the present invention;
  • FIG. 2 is a schematic flowchart of still another embodiment of a method for user identity resolution in a service chain according to an embodiment of the present invention;
  • FIG. 3 is a schematic flowchart of still another embodiment of a method for user identity resolution in a service chain according to an embodiment of the present invention;
  • FIG. 4 is a schematic flowchart of another embodiment of a method for user identity verification in a service chain according to an embodiment of the present invention;
  • FIG. 5 is a schematic structural diagram of an embodiment of a service chain communication system according to an embodiment of the present invention;
  • FIG. 6 is a schematic structural diagram of an embodiment of a service node in an embodiment of the present invention;
  • FIG. 7 is a schematic structural diagram of an embodiment of a service chain manager in an embodiment of the present invention;
  • FIG. 8 is a user access in an embodiment of the present invention
  • FIG. 9 is a schematic flowchart of a method for a service chain manager to create a service chain user identity for a user;
  • FIG. 10 is a flowchart of an embodiment of a method for a service chain manager to delete a service chain user identity.
  • Detailed Description
  • In the embodiments of the present invention, the user client and each service node use the same service chain user identity to invoke the service nodes in the service chain, and a service node requests user identity resolution from the service chain manager; when the service node obtains the user's account and login credentials at that service node from the service chain manager, it determines that the user identity verification has passed.
  • The method of the embodiments is described below, taking user identity verification by a service node in the service chain as an example.
  • FIG. 1 is a schematic flowchart of an embodiment of a method for user identity verification in a service chain according to an embodiment of the present invention; as shown in FIG. 1, the method in this embodiment includes:
  • The service node receives a service chain call request that includes a service chain user identity.
  • The service chain user identity uniquely distinguishes one user of a service chain, for example a service chain user ID, and may be created for the user by the service chain manager.
  • A service node in the service chain may receive the service chain call request containing the service chain user identity from the user client; or from the service chain manager; or from another service node (the preceding service node in the service chain).
  • Step S102: the service node sends a user identity resolution request to the service chain manager, where the request includes the service chain user identity and the service node identifier of the service node.
  • The service node identifier uniquely distinguishes one service node, for example a service node name.
  • Step S104: the service node determines, according to the first identity resolution result information received from the service chain manager, that the user corresponding to the service chain user identity is authenticated; the first identity resolution result information includes the account number and login credential information with which the user corresponding to the service chain user identity accesses the service node.
  • The login credential information may be password information or digital signature information required for the user to access the service node.
  • In this embodiment, when the service node receives a call request made with the service chain user identity, it requests user identity resolution from the service chain manager, and when it obtains the user's account and login credentials at that node from the manager it determines that the verification has passed. Because the verification is based on a unified service chain user identity and the resolution is performed centrally by the service chain manager, the process is simpler than in the prior art solutions.
  • Moreover, a service node in the service chain only obtains the user's account and login credentials at that node from the service chain manager, and does not learn the user's account or login credentials at other service nodes. This avoids linking the user's identities across different services and effectively isolates the user's multiple identity accounts.
  • FIG. 2 is a schematic flowchart of still another embodiment of a method for user identity resolution in a service chain according to an embodiment of the present invention; as shown in FIG. 2, the method in this embodiment includes:
  • Step S110: the service chain manager receives a user identity resolution request sent by the service node, where the request includes the service chain user identity and the service node identifier of the service node;
  • Step S112: the service chain manager queries, according to the service chain user identity and the service node identifier, the account with which the user corresponding to the service chain user identity accesses the service node, and obtains the login credential information corresponding to the queried account;
  • Step S114: the service chain manager sends the first identity resolution result information, including the account number and login credential information, to the service node, so that the service node determines from it that the user corresponding to the service chain user identity is authenticated.
  • In this embodiment, after receiving the user identity resolution request sent by the service node, the service chain manager performs the user identity resolution and sends the result to the corresponding service node, where the service node determines whether the user has passed identity verification.
  • The user is not involved in the authentication process, and the process is centralized.
  • FIG. 3 is a schematic flowchart of still another embodiment of a method for user identity resolution in a service chain according to an embodiment of the present invention.
  • The method in this embodiment includes step S121: a user terminal sends a service chain invocation request including a service chain user identity to a service node, so that the service node sends a user identity resolution request including the service chain user identity and the service node identifier of the service node to the service chain manager and determines, according to the first identity resolution result information received from the service chain manager, that the user is authenticated; the first identity resolution result information includes the account number and login credential information of the user for accessing the service node.
  • FIG. 4 is a schematic flowchart of another embodiment of a method for user identity verification in a service chain according to an embodiment of the present invention. As shown in FIG. 4, the method in this embodiment includes:
  • Step S200: a service node in the service chain receives a service chain call request that includes a service chain user identity.
  • Step S202: the service node sends a user identity resolution request to the service chain manager, where the request includes the service chain user identity and the service node identifier of the service node.
  • Step S204: the service chain manager queries, according to the received service chain user identity, the user name of the user who invokes the service chain.
  • The service chain manager may store service chain usage information, which indicates the service chain user identity each user uses to access each service chain and the user's call status for each service chain; it includes the user name, the service chain identifier, the service chain user identity, the call state, and the correspondence between them.
  • The service chain usage information may be stored in table form; Table 1 is a service chain usage table indicating service chain usage information, where:
  • the user name uniquely distinguishes one user;
  • the service chain name is the service chain identifier;
  • the service chain user ID is the service chain user identity;
  • the ID usage status represents the state of the service chain user ID and includes a normal state, indicating that the service chain user ID is available, a paused state, indicating that the service chain user ID is unavailable, and so on; the ID usage status is an item of the service chain usage table;
  • the call status indicates the user's current call to a specific service chain. For example, the current call status of user User1 for service chain A may be that service nodes S1 and S2 in service chain A have been called, S1 first and then S2.
  • The call state may be represented as a sequence, that is, the sequence of calls between the service nodes that have been called during the current call of the service chain, in a form such as S1->S2.
  • Alternatively it may be represented as a set, describing the set of service nodes that have been called during the current call of the service chain and the number of times each service node has been called.
  • Other forms of call state representation can also be employed.
  • In step S204, the service chain manager queries the service chain usage information according to the received service chain user identity to determine the user name of the user who invokes the service chain. For example, with Table 1, when the service chain user identity is Ua, querying Table 1 determines that the user name calling service chain A is User1.
  • Step S206: the service chain manager queries the user's call status for the service chain according to the received service chain user identity.
  • When the user has not yet invoked a service chain, the service chain manager initializes the user's call state for that service chain by setting it to empty. Therefore, when the user accesses the first service node in the service chain, the query in step S206 finds that the user's call state for the service chain is empty, for example an empty "NULL" identifier.
  • Otherwise the service chain manager queries the service chain usage information to determine the user's current call state for the service chain; for example, with Table 1, querying by Ua in step S206 determines that user User1's current call state for service chain A is S1->S2.
  • Step S208: the service chain manager determines, according to the service node identifier, the call state, and a predefined service chain calling rule, whether the call to the service node conforms to the predefined service chain calling rule.
  • If the determination result is yes, step S210 is performed; if the determination result is no, step S220 is performed.
  • The service chain manager may store a predefined service chain calling rule, which indicates the calling relationship between the service nodes in the service chain and includes a service chain identifier and a calling relationship definition.
  • It may further include a usage policy. The calling relationship definition indicates the calling relationship between the service nodes in the service chain and may be given as a sequence, that is, the complete call sequence between the service nodes of the entire service chain, in a form such as S1->S2->S3->S4. It may also be given as a set, that is, the set of service nodes of the entire service chain and the number of times each service node is called.
  • The usage policy comprises policies for using the service chain, such as which users may use the service chain.
  • The service chain calling rules may also be stored in table form.
  • Table 2 is a service chain description table indicating the service chain calling rules.
  • Step S210: the service chain manager adds the service node to the call state.
  • Steps S208 and S210 are described with reference to Tables 1 and 2.
  • Service node S1 sends a service chain call request to service node S2 using Ua. After receiving the call request, service node S2 sends an identity resolution request to the service chain manager; the identity resolution request includes Ua and the service node identifier S2. The current call state of service chain A in Table 1 is S1, so in step S208 the service chain manager knows from the call state that the current call of service chain A by user User1 has completed the call to service node S1, and that calling S2 next conforms to the calling rule S1->S2->S3->S4 in Table 2; in step S210 the call state is therefore updated to S1->S2.
  • Step S212: the service chain manager determines, according to the user name and the service node identifier obtained by the queries, the account with which the user accesses the service node, and generates login credential information according to the account.
  • The service chain manager may store user service account information, which indicates each user's account at each service node and includes the user name, the service node identifier, and the account number.
  • The user service account information may also be stored in table form.
  • Table 3 is a service account table indicating user service account information.
  • The service chain manager can query the user service account information to determine the user's account at the service node.
  • For example, for the user name User1 and the service node name S1, the account number determined from Table 3 is Id1.
  • Step S214: the service chain manager sends the first identity resolution result information to the service node, where the first identity resolution result information includes the account and login credential information with which the user corresponding to the service chain user identity accesses the service node.
  • Step S216: when the service node receives the first identity resolution result information sent by the service chain manager, it determines that the user corresponding to the service chain user identity is authenticated, and the service node's identity verification of the user ends.
  • Step S220: the service chain manager sends second identity resolution result information, indicating that the user identity verification fails, to the service node.
  • Step S222: when the service node receives the second identity resolution result information sent by the service chain manager, it determines that the user corresponding to the service chain user identity has not passed identity verification; the identity verification fails, and the service chain call process ends.
  • In this embodiment, when a service node receives a call request made with the service chain user identity, it requests user identity resolution from the service chain manager, and when it obtains the user's account and login credentials at that node from the manager it determines that the verification has passed. Because the verification is based on a unified service chain user identity and the resolution is performed centrally by the service chain manager, the process is simpler than in the prior art solutions.
  • A service node in the service chain only obtains the user's account and login credentials at that node from the service chain manager, and does not learn the user's account or login credentials at other service nodes.
  • During identity resolution, the service chain manager also verifies whether the call of the service chain conforms to the service chain calling rule, and sends the user's account and login credentials at the corresponding service node only if the calling rule is met. This guarantees the validity of the service node call.
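The exchange of steps S200 to S222, together with the three tables the manager consults, as an added example that is not part of the patent (the same logic also covers the simpler FIG. 1 and FIG. 2 flows and the identity creation of FIG. 9). Everything concrete here is assumed: the table contents, a secret shared between the manager and each service node, an HMAC over the account, Ua and a nonce standing in for the password or digital-signature login credential, and the dictionary message shapes. The node's check of the credential under its own key is also an addition, since the page only has the node treat receipt of the first result information as a pass.

```python
"""Service-chain identity resolution modelled on FIG. 4 (steps S200-S222).
Added example, not the patent's code; table contents, the per-node shared key,
the HMAC login credential and the message shapes are assumptions."""
import hashlib
import hmac
import secrets


class ServiceChainManager:
    """Holds the usage table (Table 1), calling rules (Table 2) and accounts (Table 3)."""
    def __init__(self, rules, accounts, node_keys):
        self.rules = rules          # Table 2: chain -> (node sequence, allowed users)
        self.accounts = accounts    # Table 3: (user name, node id) -> account number
        self.node_keys = node_keys  # assumed secret shared with each service node
        self.usage = {}             # Table 1: Ua -> {user, chain, status, call_state}

    def create_identity(self, user, chain):
        """FIG. 9: issue a service chain user identity; the call state starts empty."""
        _sequence, allowed = self.rules[chain]
        if user not in allowed:  # usage policy: which users may use the chain
            raise PermissionError(f"{user} may not use service chain {chain}")
        ua = "U" + secrets.token_hex(4)
        self.usage[ua] = {"user": user, "chain": chain, "status": "normal", "call_state": []}
        return ua

    def resolve(self, ua, node_id):
        """Steps S204-S214 (first result) or S220 (second result)."""
        entry = self.usage.get(ua)  # S204: Ua -> user name; status must be normal
        if entry is None or entry["status"] != "normal":
            return {"verified": False, "reason": "unknown or paused identity"}
        user, chain = entry["user"], entry["chain"]
        sequence, _allowed = self.rules[chain]
        call_state = entry["call_state"]  # S206: current call state for the chain
        # S208: caller must be the next node of Table 2's sequence; a completed sequence accepts no more (replay)
        expected = sequence[len(call_state)] if len(call_state) < len(sequence) else None
        if node_id != expected:
            return {"verified": False, "reason": f"{node_id} violates rule "
                    f"{'->'.join(sequence)} at state {'->'.join(call_state) or 'NULL'}"}
        account = self.accounts.get((user, node_id))  # S212: Table 3 lookup
        if account is None:
            return {"verified": False, "reason": f"{user} has no account at {node_id}"}
        call_state.append(node_id)  # S210: record the call (after the lookup, so a failed lookup does not consume the position)
        # S212: an HMAC under the node's key stands in for the password/signature credential
        nonce = secrets.token_hex(8)
        tag = hmac.new(self.node_keys[node_id], f"{account}:{ua}:{nonce}".encode(),
                       hashlib.sha256).hexdigest()
        return {"verified": True, "account": account,  # S214: first result
                "credential": {"nonce": nonce, "tag": tag}}


class ServiceNode:
    """One node of the chain; it learns only its own account for the user."""
    def __init__(self, node_id, key, manager, successor=None):
        self.node_id, self.key, self.manager, self.successor = node_id, key, manager, successor
        self.log = []  # (node id, Ua, outcome, detail), for inspection

    def handle_call(self, ua):
        """S200/S202, then S216 or S222; on success the call is passed on with Ua only."""
        result = self.manager.resolve(ua, self.node_id)
        if not result["verified"]:  # S222: second result, the chain call ends here
            self.log.append((self.node_id, ua, "rejected", result["reason"]))
            return False
        cred, account = result["credential"], result["account"]
        # Added check beyond the patent: accept the first result only if the
        # credential verifies under this node's key, not merely on receipt.
        expected = hmac.new(self.key, f"{account}:{ua}:{cred['nonce']}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cred["tag"]):
            self.log.append((self.node_id, ua, "rejected", "credential does not verify"))
            return False
        self.log.append((self.node_id, ua, "verified", account))  # S216
        return self.successor.handle_call(ua) if self.successor else True


def build_chain_a():
    """Constructed sample data: chain A is S1->S2->S3; User2 has no account at S3."""
    keys = {n: secrets.token_bytes(32) for n in ("S1", "S2", "S3")}
    manager = ServiceChainManager(
        rules={"A": (["S1", "S2", "S3"], {"User1", "User2"})},
        accounts={("User1", "S1"): "Id1", ("User1", "S2"): "Id2", ("User1", "S3"): "Id3",
                  ("User2", "S1"): "Id7", ("User2", "S2"): "Id8"},
        node_keys=keys)
    s3 = ServiceNode("S3", keys["S3"], manager)
    s2 = ServiceNode("S2", keys["S2"], manager, successor=s3)
    s1 = ServiceNode("S1", keys["S1"], manager, successor=s2)
    return manager, s1, s2


def demo():
    """Full chain, an out-of-order call and a replay; returns the outcomes and states."""
    manager, s1, s2 = build_chain_a()
    ua = manager.create_identity("User1", "A")
    full = s1.handle_call(ua)    # client -> S1 -> S2 -> S3, each node verified
    replay = s1.handle_call(ua)  # sequence already complete: second result
    ub = manager.create_identity("User2", "A")
    skip = s2.handle_call(ub)    # S2 called before S1: violates the calling rule
    return full, skip, replay, manager.usage[ua]["call_state"], manager.usage[ub]["call_state"]
```

Because the call state advances only inside the manager, a node that is called out of order, or a re-use of Ua after the sequence has completed, receives the second result and the chain stops at that node; a node that does not hold the shared key cannot accept a forged first result. What the manager does with the call state once the chain finishes (reset it, or delete the identity as in FIG. 10) is not fixed by the page, so here a completed sequence simply accepts no further calls.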
  • Embodiments of the present invention also provide a service chain communication system, a service node in a service chain, and a service chain manager.
  • The devices according to the embodiments are described below with reference to FIG. 5 to FIG. 7.
  • FIG. 5 is a schematic structural diagram of an embodiment of a service chain communication system according to an embodiment of the present invention.
  • The system in this embodiment includes multiple service nodes constituting a service chain (in a specific implementation, a service chain communication system may include multiple service chains; only one is illustrated here) and a service chain manager. The user client is connected to the first service node in the service chain and to the service chain manager.
  • The user client and each service node use the same service chain user identity to invoke the service nodes in the service chain. Specifically:
  • after a service node receives a service chain invocation request including the service chain user identity, it sends a user identity resolution request to the service chain manager, where the request includes the service chain user identity and the service node identifier of the node; and when it receives the first identity resolution result information sent by the service chain manager, it determines that the user corresponding to the service chain user identity has passed identity verification. The first identity resolution result information includes the account number and login credential information with which the user corresponding to the service chain user identity accesses the service node.
  • The service chain manager is configured to, after receiving the user identity resolution request sent by the service node, obtain the account and login credential information with which the user corresponding to the service chain user identity accesses the service node, according to the service chain user identity and the service node identifier, and send the first identity resolution result information to the service node.
  • In this embodiment the service chain user identity is used to invoke the service nodes in the service chain, each service node requests user identity resolution from the service chain manager, and when the service node obtains the user's account and login credentials at that node from the manager, the user identity verification passes. Because the same service chain user identity is used for every call and identity resolution is performed centrally by the service chain manager, user authentication is implemented with a simpler process than in the prior art solutions. Moreover, a service node in the service chain only obtains the user's account and login credentials at that node from the service chain manager and does not learn the user's account or login credentials at other service nodes; this avoids linking the user's identities across different services and effectively isolates the user's multiple identity accounts.
  • FIG. 6 is a schematic structural diagram of an embodiment of a service node (for example, the service node 1, the service node 2, or the service node 3 in FIG. 5) in the embodiment of the present invention.
  • as shown in FIG. 6, the service node in this embodiment includes a receiving unit 40, an identity resolution requesting unit 42, and a verification result determining unit 44, where:
  • the receiving unit 40 is configured to receive a service chain call request that includes a service chain user identity identifier.
  • the service node in the service chain may receive a service chain call request containing the service chain user identity identifier that is sent by the user client (when the node is the first node in the service chain, such as service node 1 in FIG. 5); or sent by the service chain manager (when the node is the first node in the service chain and the service chain manager initiates the service chain call on behalf of the user); or sent by another service node (the previous service node in the service chain, for example, service node 2 in FIG. 5 receives the service chain call request sent by service node 1).
  • the identity resolution requesting unit 42 is configured to send a user identity resolution request to the service chain manager, where the user identity resolution request includes the service chain user identity identifier and a service node identifier of the service node;
  • the verification result determining unit 44 is configured to, when the first identity resolution result information sent by the service chain manager is received, determine that the user corresponding to the service chain user identity identifier passes identity verification, where the first identity resolution result information includes the account and login credential information of the user corresponding to the service chain user identity identifier for accessing the service node.
  • the service chain user identity identifier is used to invoke the service node in the service chain, the service node requests user identity resolution from the service chain manager, and the service node obtains from the service chain manager the user's account and login credential at the service node, and so determines that user identity verification has passed. Because the same service chain user identity identifier is used for the whole call and user identity resolution is performed uniformly at the service chain manager, user authentication is implemented with a simple process compared with the prior art solution.
  • the service node in the service chain only obtains from the service chain manager the account and login credentials of the user at that service node, and does not learn the account and login credentials of the user at other service nodes. This avoids identity association when users access different services, and effectively isolates the multiple identity accounts of a user.
  • FIG. 7 is a schematic structural diagram of an embodiment of a service chain manager according to an embodiment of the present invention.
  • the service chain manager of this embodiment includes a receiving unit 50, an identity resolution management unit 52, and a sending unit 54, where:
  • the receiving unit 50 is configured to receive a user identity resolution request sent by the service node, where the user identity resolution request includes the service chain user identity identifier and the service node identifier of the service node; the identity resolution management unit 52 is configured to query, according to the service chain user identity identifier and the service node identifier, the account of the user corresponding to the service chain user identity identifier for accessing the service node, and, when the account is found, obtain the login credential information corresponding to the account;
  • the sending unit 54 is configured to send the first identity resolution result information to the service node, where the first identity resolution result information includes the account and login credential information of the user corresponding to the service chain user identity identifier for accessing the service node.
  • the identity resolution management unit 52 includes a storage unit 520, a first identity management unit 522, a second identity management unit 524, and a credential generation unit 526, where:
  • the storage unit 520 is configured to store service chain usage information and user service account information, where the service chain usage information indicates the service chain user identity identifier used by each user to access each service chain, and the user service account information indicates the account of each user at each service node; the specific content and storage form of the service chain usage information and the user service account information in this embodiment are consistent with the foregoing method embodiments and are not described here again.
  • the first identity management unit 522 is configured to query, according to the service chain user identity received by the receiving unit 50, the service chain usage information in the storage unit 520, and determine a user that invokes the service chain;
  • the second identity management unit 524 is configured to query the user service account information in the storage unit 520 according to the user name of the user determined by the first identity management unit 522 and the service node identifier received by the receiving unit 50, and determine the account of the user for accessing the service node.
  • the credential generation unit 526 is configured to generate login credential information according to the account determined by the second identity management unit 524.
  • the storage unit 520 of this embodiment is further configured to store a predefined service chain calling rule, where the service chain calling rule indicates the calling relationship between service nodes in the service chain; the specific content and storage form of the service chain calling rule are consistent with the foregoing method embodiments and are not described here again.
  • the identity resolution management unit 52 further includes:
  • the third identity management unit 523 is configured to query the service chain usage information stored in the storage unit 520 according to the service chain user identity identifier received by the receiving unit 50, and determine the calling state of the service chain by the user; to judge, according to the service node identifier received by the receiving unit 50, the calling state determined by the query, and the predefined service chain calling rule stored in the storage unit 520, whether the call to the service node meets the predefined calling rule; and, when the judgment result is yes, to add the service node to the calling state;
  • the second identity management unit 524 queries the user service account information in the storage unit 520 according to the user name of the user determined by the first identity management unit 522 and the service node identifier received by the receiving unit 50, and determines the account of the user for accessing the service node.
  • the sending unit 54 of this embodiment is further configured to, when the judgment result of the third identity management unit 523 is negative, send to the service node a second identity resolution result message indicating that user identity verification fails.
  • the service chain manager of this embodiment further includes:
  • the service chain identity management unit 56 is configured to manage the service chain user identity.
  • the service chain identity management unit 56 may include a service chain user identity creation unit for creating a service chain user identity for the user.
  • the service chain identity management unit may also manage a created service chain user identity identifier, for example, suspend, resume, and delete it.
  • the service chain manager of this embodiment further includes:
  • the calling state initializing unit is configured to set the calling state of the user to the service chain to be empty.
  • the receiving unit 50 and the sending unit 54 of the embodiment may be integrally configured as an interface module for performing communication interaction between the service chain manager and other devices, and receiving and transmitting various request and response messages.
  • the first identity management unit 522, the second identity management unit 524, and the third identity management unit 523 and the service chain identity management unit 56 can be integrally configured as an identity management module.
  • FIG. 8 is a schematic flowchart of a method for a user to access a service chain according to an embodiment of the present invention; this embodiment takes the user User1 invoking the service chain A as an example, and is described with reference to Table 1, Table 2, and Table 3. As shown in FIG. 8, the method of this embodiment includes:
  • Step S600: The user logs in to the service chain manager with his user name User1 through the user client, and requests to call the service chain A once.
  • Step S601: the service chain manager receives the call request for the service chain A through the interface module, and the identity management module queries the service chain usage table according to the user name User1 and the name A of the service chain A, and determines that the corresponding service chain user ID is Ua. If multiple service chain user IDs are found, the user determines the Ua used for this service chain call. If the ID usage status of Ua is normal, its calling state is set to NULL, indicating that User1 initializes the calling process of service chain A with the service chain user ID Ua. Then notify
  • Step S602 if it can be executed, the client of the user User1 requests to invoke the service chain A with Ua, and the request is sent to the first service node S1 of the service chain A.
  • Step S603: the service node S1 sends a user identity resolution request to the service chain manager, where the request includes the service chain user ID Ua and the service node name S1. If S1 does not know its successor service node in service chain A, it also requests its successor service node and its access mode from the service chain manager.
  • Step S604: the service chain manager receives the request through the interface module, and the identity management module queries the service chain usage table according to the service chain user ID Ua, and determines that the user invoking the service chain A through Ua is User1.
  • Step S605 The identity management module queries the service chain description table to obtain the call relationship definition of the service chain A.
  • Step S606: If the call to S1 is in accordance with the call relationship definition of the service chain A, the identity management module queries the service account list, learns that the account of User1 at S1 is Id1, and then performs step S607. If the call to S1 does not meet the call relationship definition, the service chain manager rejects the identity resolution request and sends the second identity resolution result information, indicating that user identity verification failed, to S1. When the second identity resolution result information is sent in step S606, the following steps S607, S608, and S609 are not performed, and step S610 is executed directly.
  • Step S607: the identity management module invokes the credential generating unit to generate the account authentication credential Auth(Id1) for logging in to S1 for the account Id1 of User1 at S1, where Auth(Id1) includes the account Id1 and the login credential of the user at S1.
  • Step S608: the identity management module adds S1 to the calling state of Ua.
  • In the sequence mode, S1 is added as the first called service node.
  • In the set mode, S1 is added to the called service node set.
  • Step S609: the interface module sends the account authentication credential Auth(Id1) to S1 as the first identity resolution result. If S1 does not know its successor service node in the service chain A, the first identity resolution result also specifies the successor service node of S1 in the service chain A and its access mode (for example, the node name S2 of service node 2 and the access method for calling service node 2).
  • Step S610: when S1 receives Auth(Id1), it can determine that identity verification of the account Id1 of User1 at S1 has passed, so S1 executes its service logic normally and then calls the next service node S2 of S1 on the service chain A with Ua, that is, sends a service chain invocation request containing Ua to S2, and S2 becomes the new called service node in the process of the user calling the service chain A. If S1 receives the second identity resolution result information indicating verification failure, it determines that identity verification cannot pass, S1 does not execute the service logic, the execution of service chain A terminates here, and the subsequent steps are not executed.
  • Step S611 the service node S2 sends an identity resolution request to the service chain manager, where the request includes a service.
  • Step S612: the service chain manager receives the request through the interface module. Similarly, the identity management module queries the service chain usage table according to the service chain user ID Ua, and determines that the user invoking the service chain A through Ua is User1.
  • Step S613 the identity management module queries the service chain usage table to determine whether the calling state of Ua conforms to the calling relationship definition of the service chain A.
  • the calling state shows that only S1 has been called, and the service node currently requesting identity resolution is S2.
  • for the calling relationship definition of the sequence mode, if S2 is the successor service node of S1 in the sequence, the calling relationship definition is met.
  • for the calling relationship definition of the set mode, if S2 belongs to the node set, the calling relationship definition is met.
  • Step S614: If the call to S2 is consistent with the call relationship definition of the service chain A, the identity management module queries the service account list, learns that the account of User1 at S2 is Id2, and then performs step S615. If the call to S2 does not meet the call relationship definition, the service chain manager rejects the identity resolution request and sends the second identity resolution result information, indicating that user identity verification failed, to S1; the following steps S615, S616, and S617 are not performed, and the process jumps directly to step S618.
  • Step S615: the identity management module invokes the credential generating unit to generate the account authentication credential Auth(Id2) for logging in to S2 for the account Id2 of User1 at S2, where Auth(Id2) includes the account Id2 and the login credential of the user at S2.
  • Step S616: the identity management module adds S2 to the calling state of Ua.
  • In the sequence mode, S2 is added as the called service node following S1.
  • In the set mode, S2 is added to the called service node set.
  • Step S617 the interface module sends the account verification credential Auth(Id2) as the first identity resolution result to S2. If S2 does not know its successor service node in service chain A, the first identity resolution result will also specify the subsequent service node of S2 in service chain A and its access mode.
  • When S2 receives Auth(Id2), it can determine that identity verification of the account Id2 of User1 at S2 has passed, so S2 executes its service logic normally and then calls the next service node of S2 on the service chain A with Ua, and that service node becomes the new called service node in the process of the user calling the service chain A. If S2 receives verification
  • After that, each service node requests user identity resolution from the service chain manager in turn; the request includes the service chain user ID Ua and the service node name. If the service node does not know its successor service node in service chain A, it also requests its successor service node and its access mode, until the last service node of service chain A is executed.
  • The service chain manager performs a similar process for each request: if the call to the service node meets the call relationship definition of the service chain A, it generates the account authentication credential for logging in to the service node for the account of User1 at that service node, and adds the service node to the calling state of Ua in the service chain usage table. For the sequence mode, the service node is added to the tail of the called service node sequence; for the set mode, the service node is added to the called service node set, or the number of times the service node has been called is increased.
  • If the service node does not know its successor service node in service chain A, the first identity resolution result also specifies the successor service node of the service node in service chain A and its access mode.
  • When the last service node of the service chain A is reached and the calling state of Ua in the service chain usage table is equivalent to the calling relationship definition of the service chain A, indicating that all the service nodes of the service chain A have been called, the call of the service chain A by User1 ends normally.
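As an added example (not code from the patent), the following Python simulates the service chain manager side of FIG. 8: the service chain usage table, service chain description table and service account list, the call relationship check in both sequence mode and set mode, the calling state of Ua, and the first identity resolution result that carries only the requesting node's account and credential. Table field names, the rule format, the HMAC-based login credential and all sample data are assumptions.

```python
"""Added example (not the patent's code): a toy service chain manager that
performs the identity resolution of FIG. 8. Field names, the rule format,
the HMAC-based login credential and the sample data are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the tables named in the text.
# Service chain usage table: (user name, chain name) -> chain user ID record
SERVICE_CHAIN_USAGE = {
    ("User1", "A"): {"ua": "Ua", "status": "normal", "calling_state": None},
    ("User1", "B"): {"ua": "Ub", "status": "normal", "calling_state": None},
}
# Service chain description table: call relationship definition per chain.
# "sequence" mode lists the nodes in call order; "set" mode allows any member.
SERVICE_CHAIN_DESCRIPTION = {
    "A": {"mode": "sequence", "nodes": ["S1", "S2"]},
    "B": {"mode": "set", "nodes": ["S1", "S3"]},
}
# Service account list: (user name, service node) -> account at that node
SERVICE_ACCOUNTS = {("User1", "S1"): "Id1", ("User1", "S2"): "Id2",
                    ("User1", "S3"): "Id3"}
MANAGER_SECRET = b"constructed-manager-secret"  # assumed credential key


@dataclass
class ResolutionResult:
    ok: bool                           # True: first result, False: second result
    account: Optional[str] = None      # only this node's account is disclosed
    credential: Optional[str] = None   # login credential for that account
    next_node: Optional[str] = None    # successor node, if the chain has one


def _lookup_by_ua(ua):
    """Steps S604/S612: determine which user invokes which chain through Ua."""
    for (user, chain), rec in SERVICE_CHAIN_USAGE.items():
        if rec["ua"] == ua:
            return user, chain, rec
    return None


def _call_allowed(chain, state, node):
    """Steps S605/S613: compare the call with the call relationship definition."""
    desc = SERVICE_CHAIN_DESCRIPTION[chain]
    if desc["mode"] == "sequence":
        # the requesting node must be the successor of the last called node
        return len(state) < len(desc["nodes"]) and desc["nodes"][len(state)] == node
    return node in desc["nodes"]  # set mode: repeated calls are counted


def initialize_call(user, chain):
    """Step S601: set the calling state of Ua to NULL if the ID status is normal."""
    rec = SERVICE_CHAIN_USAGE[(user, chain)]
    if rec["status"] != "normal":
        return None
    rec["calling_state"] = [] if SERVICE_CHAIN_DESCRIPTION[chain]["mode"] == "sequence" else {}
    return rec["ua"]


def make_credential(account, node):
    """Credential generation unit 526 (assumed construction): Auth(Id) bound to the node."""
    return hmac.new(MANAGER_SECRET, f"{account}@{node}".encode(), hashlib.sha256).hexdigest()


def resolve_identity(ua, node):
    """Steps S604-S609: handle a user identity resolution request (Ua, node name)."""
    found = _lookup_by_ua(ua)
    if found is None:
        return ResolutionResult(ok=False)
    user, chain, rec = found
    if rec["status"] != "normal" or rec["calling_state"] is None:
        return ResolutionResult(ok=False)  # suspended ID, or call not initialised
    if not _call_allowed(chain, rec["calling_state"], node):
        return ResolutionResult(ok=False)  # second identity resolution result
    account = SERVICE_ACCOUNTS.get((user, node))
    if account is None:
        return ResolutionResult(ok=False)
    desc = SERVICE_CHAIN_DESCRIPTION[chain]
    if desc["mode"] == "sequence":  # Step S608: append to the called sequence
        rec["calling_state"].append(node)
        idx = desc["nodes"].index(node)
        nxt = desc["nodes"][idx + 1] if idx + 1 < len(desc["nodes"]) else None
    else:  # set mode: count the call
        rec["calling_state"][node] = rec["calling_state"].get(node, 0) + 1
        nxt = None
    # Step S609: the first result carries only the requesting node's account
    return ResolutionResult(True, account, make_credential(account, node), nxt)


def chain_completed(ua):
    """End of FIG. 8: the calling state matches the whole call relationship definition."""
    _, chain, rec = _lookup_by_ua(ua)
    desc = SERVICE_CHAIN_DESCRIPTION[chain]
    if desc["mode"] == "sequence":
        return rec["calling_state"] == desc["nodes"]
    return set(rec["calling_state"] or {}) == set(desc["nodes"])
```

A node that requests resolution out of order, or before the user initialised the call in step S601, receives only the negative result and never sees another node's account.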
  • FIG. 9 is a schematic flowchart of a method for a service chain manager to create a service chain user identity for a user. As shown in FIG. 9, the embodiment includes:
  • Step S700: The user logs in to the service chain manager and requests the creation of a service chain user ID for the service chain A.
  • Step S701: the service chain manager receives the request through the interface module. If the service chain A meets the relevant policies allowing it to be invoked by way of a service chain user ID, the identity management module queries the service chain description of the service chain A in the service chain description table. If the user meets the usage policy in the service chain description, the identity management module assigns a service chain user ID to the user, or the user may generate a service chain user ID that meets the requirements.
  • Step S702: the identity management module accesses the service chain usage table, adds a record for the user, registers the user name of the user, the name of the service chain A, and the service chain user ID assigned to the user, and marks the ID usage status of the service chain user ID as normal.
  • Step S703: the interface module notifies the user of the result of the service chain user ID creation process.
  • the embodiment of the present invention further provides a service chain user identity creation request method, including: the user terminal sends a service chain user identity creation request to the service chain manager, so that the service chain manager creates a service chain user identity for the user and, when receiving the user identity resolution request sent by the service node, queries, according to the service chain user identity and the service node identifier, the account of the user corresponding to the service chain user identity for accessing the service node, obtains the login credential information corresponding to the queried account, and sends the first identity resolution result information including the account and the login credential information to the service node; the user identity resolution request includes the service chain user identity and the service node identifier of the service node.
  • FIG. 10 is a schematic flowchart of a method for a service chain manager to delete a service chain user identity; as shown in FIG. 10, the embodiment includes:
  • Step S800: The user logs in to the service chain manager and requests the deletion of a service chain user ID.
  • Step S801: the service chain manager receives the request through the interface module, and the identity management module looks up the record corresponding to the service chain user ID in the service chain usage table and deletes it; the service chain user ID will no longer be used.
  • Step S802: the interface module notifies the user of the processing result of the request.
  • the operations of suspending and resuming a service chain user ID are the same as the deletion operation, except that for a suspension request the ID usage status of the record is set to suspended, and the service chain manager rejects all identity resolution requests for that ID; for a resume request, the ID usage status of the record is set back to normal; and for the delete operation, the record is deleted from the service chain usage table and the service chain user ID will no longer be used.
  • the storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), or a random access memory (RAM).


Abstract

The invention relates to a method, a device and a system for authenticating a user identity in a service chain, the method comprising the following steps: a service node in the service chain receives a service chain call request that includes the identifier of a user identity in the service chain; the service node sends a user identity resolution request to the service chain manager, the user identity resolution request including the identifier of the user identity in the service chain and the service node identifier of the service node; when the service node receives the first identity resolution result information sent by the service chain manager, it determines that the user corresponding to the identifier of the user identity in the service chain is authenticated, and the first identity resolution result information includes the account and login credential information of the user, corresponding to the identifier of the user identity in the service chain, for accessing the service node. The invention has the advantage of achieving user identity authentication through a simple procedure.
PCT/CN2009/075961 2008-12-24 2009-12-24 Procédé, dispositif et système pour authentifier une identité d'utilisateur dans une chaîne de service WO2010072158A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200810220345 CN101764791B (zh) 2008-12-24 2008-12-24 一种业务链中的用户身份验证方法、设备及系统
CN200810220345.2 2008-12-24

Publications (1)

Publication Number Publication Date
WO2010072158A1 true WO2010072158A1 (fr) 2010-07-01

Family

ID=42286910

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/075961 WO2010072158A1 (fr) 2008-12-24 2009-12-24 Procédé, dispositif et système pour authentifier une identité d'utilisateur dans une chaîne de service

Country Status (2)

Country Link
CN (1) CN101764791B (fr)
WO (1) WO2010072158A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014015525A1 (fr) * 2012-07-27 2014-01-30 华为技术有限公司 Procédé et dispositif pour interroger un état en ligne d'utilisateur
CN109495432A (zh) * 2017-09-13 2019-03-19 腾讯科技(深圳)有限公司 一种匿名账户的鉴权方法及服务器

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104811326A (zh) * 2014-01-24 2015-07-29 中兴通讯股份有限公司 一种管理业务链的方法、系统及装置
CN107018119B (zh) * 2016-08-30 2020-11-24 创新先进技术有限公司 身份验证系统、方法和平台

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1635738A (zh) * 2003-12-26 2005-07-06 鸿富锦精密工业(深圳)有限公司 通用认证授权服务系统及方法
CN101136747A (zh) * 2006-08-30 2008-03-05 中兴通讯股份有限公司 一种信息验证的系统及方法
CN101160906A (zh) * 2005-04-14 2008-04-09 国际商业机器公司 涉及跨分布式目录的组成员资格的访问授权的方法和系统
CN101262342A (zh) * 2007-03-05 2008-09-10 松下电器产业株式会社 分布式授权与验证方法、装置及系统

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100349413C (zh) * 2004-11-15 2007-11-14 华为技术有限公司 智能网中的业务调用方法
CN101212792B (zh) * 2006-12-27 2010-12-08 中国移动通信集团公司 融合类业务的计费信息处理方法


Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014015525A1 (fr) * 2012-07-27 2014-01-30 华为技术有限公司 Procédé et dispositif pour interroger un état en ligne d'utilisateur
CN103797751A (zh) * 2012-07-27 2014-05-14 华为技术有限公司 一种用户在线状态的查询方法和装置
CN103797751B (zh) * 2012-07-27 2017-01-25 华为技术有限公司 一种用户在线状态的查询方法和装置
CN109495432A (zh) * 2017-09-13 2019-03-19 腾讯科技(深圳)有限公司 一种匿名账户的鉴权方法及服务器
WO2019052328A1 (fr) * 2017-09-13 2019-03-21 腾讯科技(深圳)有限公司 Procédé d'authentification pour compte anonyme, et serveur
CN109495432B (zh) * 2017-09-13 2021-05-25 腾讯科技(深圳)有限公司 一种匿名账户的鉴权方法及服务器
US11394748B2 (en) 2017-09-13 2022-07-19 Tencent Technology (Shenzhen) Company Ltd Authentication method for anonymous account and server

Also Published As

Publication number Publication date
CN101764791B (zh) 2013-08-28
CN101764791A (zh) 2010-06-30


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09834111; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 09834111; Country of ref document: EP; Kind code of ref document: A1)